Incremental Causal Graph Learning for Online Cyberattack Detection in Cyber-Physical Infrastructures

📅 2025-07-18
🤖 AI Summary
Traditional real-time anomaly detection methods suffer from high false positive rates under high-variance and class-imbalanced conditions; existing causal graph approaches are predominantly offline, ill-suited to dynamically evolving data distributions, and prone to catastrophic forgetting in unsupervised settings. To address these limitations, we propose INCADET—a novel framework for real-time cyber-physical system (CPS) attack detection—that pioneers incremental learning for causal graph construction. INCADET employs sliding-window causal discovery for dynamic structural modeling, mitigates forgetting via experience replay and edge augmentation, and integrates early-symptom detection, incremental causal learning, and GCN-based causal graph classification. Evaluated on real-world infrastructure datasets, INCADET significantly outperforms static causal and deep temporal models, achieving higher detection accuracy, lower false positive rates, superior robustness, and sustained adaptability to concept drift.

📝 Abstract
The escalating threat of cyberattacks on real-time critical infrastructures poses serious risks to public safety, demanding detection methods that effectively capture complex system interdependencies and adapt to evolving attack patterns. Traditional real-time anomaly detection techniques often suffer from excessive false positives due to their statistical sensitivity to high data variance and class imbalance. To address these limitations, recent research has explored modeling causal relationships among system components. However, prior work mainly focuses on offline causal graph-based approaches that require static historical data and fail to generalize to real-time settings. These methods are fundamentally constrained by: (1) their inability to adapt to dynamic shifts in data distribution without retraining, and (2) the risk of catastrophic forgetting when lacking timely supervision in live systems. To overcome these challenges, we propose INCADET, a novel framework for incremental causal graph learning tailored to real-time cyberattack detection. INCADET dynamically captures evolving system behavior by incrementally updating causal graphs across streaming time windows. The framework comprises three modules: 1) Early Symptom Detection: Detects transitions in system status using divergence in edge-weight distributions across sequential causal graphs. 2) Incremental Causal Graph Learning: Leverages experience replay and edge reinforcement to continually refine causal structures while preserving prior knowledge. 3) Causal Graph Classification: Employs Graph Convolutional Networks (GCNs) to classify system status using the learned causal graphs. Extensive experiments on real-world critical infrastructure datasets demonstrate that INCADET achieves superior accuracy, robustness, and adaptability compared to both static causal and deep temporal baselines in evolving attack scenarios.
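The Early Symptom Detection module above compares edge-weight distributions of causal graphs learned on consecutive time windows. The following is an added illustration of that idea, not code from the paper: causal discovery is stood in for by absolute lagged correlation, the divergence is Jensen-Shannon (the abstract does not name one), the sensor series is constructed, and all function names are hypothetical.

```python
# Added example, not INCADET's code. Causal discovery is a stand-in (|lagged
# correlation|), the divergence is Jensen-Shannon (an assumption), and the
# three-sensor series below is constructed: an attack decouples s2 from s1 at t=80.
import math

def lagged_corr(x, y, lag=1):
    """Pearson correlation of x[t] with y[t+lag]; 0.0 if either side is constant."""
    a, b = x[:-lag], y[lag:]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    va = math.sqrt(sum((p - ma) ** 2 for p in a))
    vb = math.sqrt(sum((q - mb) ** 2 for q in b))
    return cov / (va * vb) if va and vb else 0.0

def learn_causal_graph(window, lag=1):
    """Stand-in causal discovery: weight of edge i->j is |corr(i[t], j[t+lag])|."""
    names = sorted(window)
    return {(i, j): abs(lagged_corr(window[i], window[j], lag))
            for i in names for j in names if i != j}

def edge_weight_distribution(g, eps=1e-6):
    """Normalise edge weights (fixed edge order) into a probability vector; eps keeps entries > 0."""
    ws = [g[e] + eps for e in sorted(g)]
    return [w / sum(ws) for w in ws]

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 for identical distributions, at most 1."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    kl = lambda u, v: sum(a * math.log2(a / b) for a, b in zip(u, v))
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)

def detect_symptoms(series, win, threshold):
    """One graph per non-overlapping window; divs[k] compares window k with k-1."""
    n = len(next(iter(series.values())))
    graphs = [learn_causal_graph({s: v[t:t + win] for s, v in series.items()})
              for t in range(0, n - win + 1, win)]
    dists = [edge_weight_distribution(g) for g in graphs]
    divs = [0.0] + [js_divergence(dists[k - 1], dists[k]) for k in range(1, len(dists))]
    return divs, [k for k, d in enumerate(divs) if d > threshold]

# Constructed data: s1 repeats a 20-sample pattern P, s2 = s1 lagged by one step,
# s3 = s2 lagged by one step. From t=80 the attack replaces s2 with pattern Q.
P = [0.3, -0.8, 0.5, 0.1, -0.4, 0.9, -0.2, 0.7, -0.6, 0.0, 0.4, -0.9, 0.2, 0.6, -0.3, -0.7, 0.8, -0.1, 0.5, -0.5]
Q = [-0.6, 0.2, 0.9, -0.3, 0.1, -0.8, 0.4, 0.0, -0.5, 0.7, -0.2, 0.3, -0.9, 0.6, 0.5, -0.4, 0.8, -0.7, -0.1, 0.2]
s2 = lambda t: P[(t - 1) % 20] if t < 80 else Q[t % 20]
SERIES = {"s1": [P[t % 20] for t in range(120)],
          "s2": [s2(t) for t in range(120)],
          "s3": [s2(t - 1) for t in range(120)]}

if __name__ == "__main__":
    divs, flagged = detect_symptoms(SERIES, win=20, threshold=0.01)
    print([round(d, 4) for d in divs], "flagged windows:", flagged)
```

Because the normal-phase windows see identical data, their divergence is exactly zero and only the window entering the attack phase (window 4) stands out; on real telemetry the threshold would have to be calibrated against the divergence seen between ordinary windows.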
Problem

Research questions and friction points this paper is trying to address.

Detecting cyberattacks in real-time critical infrastructures as system behavior evolves
Reducing false positives by modeling evolving causal relationships among system components
Overcoming the limitations of static, offline causal graph methods
Innovation

Methods, ideas, or system contributions that make the work stand out.

Incremental causal graph learning for real-time attack detection
Dynamic updates of causal graphs across streaming time windows
Graph Convolutional Networks classify system status from the learned causal graphs