Explainable digital twin–driven ensemble anomaly detection framework for cyber-physical infrastructure security


Erkek İ., Irmak E.

INTERNATIONAL JOURNAL OF INFORMATION SECURITY, vol. 25, pp. 1-18, 2026 (SCI-Expanded, Scopus)

  • Publication type: Article / Full article
  • Volume: 25
  • Publication date: 2026
  • DOI: 10.1007/s10207-026-01274-6
  • Journal name: INTERNATIONAL JOURNAL OF INFORMATION SECURITY
  • Journal indexed in: Scopus, Science Citation Index Expanded (SCI-EXPANDED), ABI/INFORM, Compendex, Criminal Justice Abstracts, INSPEC
  • Page numbers: pp. 1-18
  • Gazi University affiliated: Yes

Abstract

Cyber-physical infrastructures require early and trustworthy detection of abnormal behavior caused by cyber intrusions, sensor manipulation, and operational faults. This study proposes an explainable digital twin–driven ensemble anomaly detection framework for cyber-physical infrastructure security. The core of the framework is a physics-informed, hybrid regression-based digital twin that estimates expected nominal system behavior by combining historical operational data with plant-specific process relationships. Deviations between physical measurements and digital twin outputs are transformed into anomaly-sensitive features and analyzed by a heterogeneous ensemble of unsupervised detectors, including Isolation Forest, Elliptic Envelope, One-Class Support Vector Machine, and Local Outlier Factor. Their binary outputs are fused through a weighted voting strategy to improve robustness against heterogeneous anomaly patterns and to reduce false alarms. To support transparent decision making, a SHAP-based explainability layer is integrated for global and local feature attribution and root-cause interpretation. The framework is validated on a hydroelectric power plant digital twin using controlled fault-injection scenarios. The digital twin prediction layer demonstrates low error before deviation calculation, confirming its suitability as a nominal behavioral reference. In addition, the proposed ensemble is benchmarked against deep learning baselines, including a dense autoencoder and an LSTM autoencoder, and shows a more favorable balance in terms of F1-score, false alarm rate, and accuracy. The results indicate that the proposed approach provides a robust, interpretable, and practically reliable anomaly detection framework for cybersecurity-oriented monitoring of critical cyber-physical infrastructure.