A Two-Level Fusion Framework for Cyber-Physical Anomaly Detection
Authors: Simone Guarino; Francesco Vitale; Francesco Flammini; Luca Faramondi; Nicola Mazzocca; Roberto Setola
Journal: IEEE Transactions on Industrial Cyber-Physical Systems, vol. 2, pp. 1-13
Publication date: 2023-11-29
Publication type: Journal Article
DOI: 10.1109/TICPS.2023.3336608
URL: https://ieeexplore.ieee.org/document/10334031/
Open access: no
Citation count: 0
Abstract
Industrial Cyber-Physical Systems (ICPSs) generate cyber and physical data whose joint elaboration can provide insight into ICPSs' operating conditions. Cyber-Physical Anomaly Detection (CPAD) addresses the joint analysis of cyber and physical threats through multi-source and multi-modal data analysis. CPAD is often tailored to specific anomaly types and may use opaque deep learning models, impairing flexibility and explainability. In light of these challenges, we propose a two-level fusion framework for modeling and deploying CPAD in distributed ICPSs. The first detector-level fusion involves deploying CPAD detectors to several distributed ICPS segments and training them through data/decision fusion techniques with historical cyber-physical data. When the distributed ICPS is operational, thus collecting new cyber-physical data, ICPS segments' trained CPAD detectors provide pieces of evidence that go through the second ensemble-level fusion, for which we propose an explainable decision fusion technique based on Time-Varying Dynamic Bayesian networks. The evaluation involves the comprehensive application of the framework to a real hardware-in-the-loop case-study in a laboratory environment. The proposed ensemble-level fusion outperforms the state-of-the-art decision fusion techniques while providing explainable results.