{"title":"Anomaly detection in cyber-physical systems using actuator state transition model","authors":"Rajneesh Kumar Pandey, Tanmoy Kanti Das","doi":"10.1007/s41870-024-02128-x","DOIUrl":null,"url":null,"abstract":"<p>Cyber-physical systems (CPS) are vulnerable to cyber attacks which disrupt the operations of the associated physical process. Sensors are deployed in CPS to observe its functioning and control systems like actuators, Remote Terminal Units (RTU), programmable logic controllers (PLC), etc., are used to change the state of the CPS. Any abnormal state transitions due to cyber attack or natural fault may not be detected by the traditional Intrusion Detection System (IDS). Behavior specification-based IDS, which employs laws of physics to detect the intrusion, may be helpful in this context. However, specifying acceptable behaviors based on the laws of physics for all the installed control systems for a complex CPS like a smart grid, water treatment plant, etc., is a challenging task. Here, we employ a data-driven strategy to model the behavior of each control system installed in a CPS. Later, we use the models to predict the acceptable states of all the control systems. We utilize an AI-based classifier to model control systems such as actuators. Subsequently, we juxtapose the actual states of the actuators with their predicted states, examining how this combination correlates with the overall state of the CPS to identify anomalies. Typically, there should be a strong correlation between predicted and actual states, making the Hamming distance between them a crucial factor in our experimentation. To establish the relationship between controller states and CPS states, we employ a novel deep neural network-based approach for classification. 
Experimental validation of our approach leverages data from a water treatment testbed, where we achieve superior performance compared to the most state-of-the-art methods, achieving an <i>F1-score</i> of <b>0.96</b>.</p>","PeriodicalId":14138,"journal":{"name":"International Journal of Information Technology","volume":"49 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-08-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Technology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1007/s41870-024-02128-x","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
Cyber-physical systems (CPS) are vulnerable to cyber attacks that disrupt the operations of the associated physical process. Sensors are deployed in a CPS to observe its functioning, and control systems such as actuators, Remote Terminal Units (RTU), programmable logic controllers (PLC), etc., are used to change the state of the CPS. Any abnormal state transitions due to a cyber attack or natural fault may not be detected by a traditional Intrusion Detection System (IDS). Behavior specification-based IDS, which employs the laws of physics to detect intrusions, may be helpful in this context. However, specifying acceptable behaviors based on the laws of physics for all the installed control systems of a complex CPS like a smart grid, water treatment plant, etc., is a challenging task. Here, we employ a data-driven strategy to model the behavior of each control system installed in a CPS. Later, we use the models to predict the acceptable states of all the control systems. We utilize an AI-based classifier to model control systems such as actuators. Subsequently, we juxtapose the actual states of the actuators with their predicted states, examining how this combination correlates with the overall state of the CPS to identify anomalies. Typically, there should be a strong correlation between predicted and actual states, making the Hamming distance between them a crucial factor in our experimentation. To establish the relationship between controller states and CPS states, we employ a novel deep neural network-based approach for classification. Experimental validation of our approach leverages data from a water treatment testbed, where we achieve superior performance compared to the most state-of-the-art methods, achieving an F1-score of 0.96.