Background: Critical infrastructure networks are increasingly interconnected cyber-physical systems, which makes them more exposed to sophisticated cyberattacks that traditional detection methods struggle to address. AI-driven approaches based on machine learning and deep learning enable real-time anomaly detection, adaptive response, and predictive resilience, improving the security and reliability of these systems.

Aim: This study aimed to systematically map and synthesize the available AI-based anomaly detection frameworks implemented in critical infrastructure (CI) networks, with an emphasis on model typologies, data sources and system layers, evaluation practices, and the operational trade-offs that affect proactive threat mitigation.

Method: A systematic literature review was carried out in accordance with the PRISMA framework. Peer-reviewed research published between 2020 and 2026 was identified across major academic databases. Eligible articles covered AI/ML-based anomaly detection in CI settings such as SCADA, ICS, cyber-physical systems, and IT/OT-integrated networks. Model types, threats addressed, data used, evaluation methods, and implementation constraints were analyzed using a qualitative comparative synthesis approach.

Findings: The review indicates that supervised statistical machine learning is the most prevalent approach, and that it focuses mainly on network-based cyber intrusions, including denial-of-service and malware attacks. Deep hybrid schemes show greater ability to model complex and distributed settings but raise issues of latency, explainability, and deployability in safety-critical systems. Data sources are strongly biased towards IT-layer telemetry and logs, while integration of SCADA and process-level information remains limited. Evaluation practices rely on benchmark datasets and simulations, with little real-world deployment evidence.

Important trade-offs include accuracy versus false alarm rate, latency versus model complexity, and predictive performance versus explainability.

Conclusion and Recommendations: AI-based anomaly detection systems show strong technical promise, although few studies have validated them in high-consequence CI settings. Future work should focus on layered deployment, edge-aware architectures, human-in-the-loop monitoring, CI-specific evaluation benchmarks, and continuous model re-alignment to provide operational resilience and safety assurance.
Nlerum et al. studied this question.