LTL-based runtime verification framework for cyber-attack anomaly prediction in cyber–physical systems

IF 4.8, Zone 2 (Computer Science), JCR Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Ayodeji James Akande, Zhe Hou, Ernest Foo, Qinyi Li
DOI: 10.1016/j.cose.2025.104455
Journal: Computers & Security, volume 155, Article 104455
Publication date: 2025-04-03 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S0167404825001440
Citation count: 0

Abstract

An anomaly is any unexpected or abnormal behaviour, event, or data pattern within a network of physical and computational components caused by data errors, cyber-attacks, hardware failures, or other unforeseen events. Anomaly detection analyses events after they occur, while anomaly prediction forecasts them before they manifest. The increasing complexity of Cyber-Physical Systems (CPS) presents challenges in fault management and vulnerability to advanced attacks, highlighting the need for early intervention through anomaly prediction. Existing anomaly prediction methods often fail due to a lack of the formal guarantees required for safety-critical applications. In this paper, we introduce our anomaly prediction framework, which merges the advantages of data analytics with the derivation of Linear Temporal Logic (LTL) formulas. LTL-based runtime monitoring and checking is a well-established technique that is efficient for tackling such challenges in real time. The framework processes historical data, clusters it to extract predictive patterns, and forms data sequences that represent these trends. These sequences are fed into an LTL learning algorithm to produce a formula that represents the pattern. This formula functions as a security property programmed into a runtime checker to verify system correctness and predict the possibility of anomalies. We evaluated our framework using three datasets collected from a cyber-physical system testbed, and the experimental findings demonstrate a minimum accuracy of 90% in predicting anomalies.
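The pipeline in the abstract ends with a learned LTL formula being used as a property inside a runtime checker. The following is an added example, not code from the paper or its authors, that shows what that runtime-checking step looks like in Python: a finite-prefix LTL monitor that evaluates a formula in negation normal form under both a pessimistic ("strong") and an optimistic ("weak") reading of the not-yet-observed future, and reports `true`, `false` or `inconclusive` after every new observation. The formula `PRESSURE_SPIKE_PATTERN`, the proposition name `high` and both traces are constructed for illustration; the paper's actual learned formulas and testbed datasets are not reproduced on this page.

```python
"""Finite-prefix LTL runtime monitor (added example; not the paper's implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

State = Dict[str, bool]   # one observation: atomic proposition -> truth value
Trace = List[State]       # a finite sequence of observations (a prefix of a run)


# Formula AST in negation normal form (negation only on atoms). NNF keeps every
# operator monotone, so an X / U / R that runs past the end of the prefix can be
# resolved pessimistically ("strong": unknown future = false) or optimistically
# ("weak": unknown future = true) without negation flipping the meaning.
@dataclass(frozen=True)
class Const:
    value: bool

@dataclass(frozen=True)
class Atom:
    name: str
    negated: bool = False

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Or:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Next:
    sub: "Formula"

@dataclass(frozen=True)
class Until:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Release:
    left: "Formula"
    right: "Formula"

Formula = Union[Const, Atom, And, Or, Next, Until, Release]


def globally(f: Formula) -> Formula:
    """G f is expressed as (false R f)."""
    return Release(Const(False), f)


def finally_(f: Formula) -> Formula:
    """F f is expressed as (true U f)."""
    return Until(Const(True), f)


def holds(f: Formula, trace: Trace, i: int, strong: bool) -> bool:
    """Evaluate f at position i of the finite prefix; `strong` decides the unknown future."""
    n = len(trace)
    if isinstance(f, Const):
        return f.value
    if isinstance(f, Atom):
        v = trace[i].get(f.name, False)
        return (not v) if f.negated else v
    if isinstance(f, And):
        return holds(f.left, trace, i, strong) and holds(f.right, trace, i, strong)
    if isinstance(f, Or):
        return holds(f.left, trace, i, strong) or holds(f.right, trace, i, strong)
    if isinstance(f, Next):
        if i + 1 >= n:          # next state not observed yet
            return not strong
        return holds(f.sub, trace, i + 1, strong)
    if isinstance(f, Until):    # right must occur, with left holding until then
        for j in range(i, n):
            if holds(f.right, trace, j, strong):
                return True
            if not holds(f.left, trace, j, strong):
                return False
        return not strong       # ran out of observations before right occurred
    if isinstance(f, Release):  # right must hold up to and including the first left
        for j in range(i, n):
            if not holds(f.right, trace, j, strong):
                return False
            if holds(f.left, trace, j, strong):
                return True
        return not strong       # still obliged to keep right in the future
    raise TypeError(f"unknown formula node {f!r}")


def verdict(f: Formula, prefix: Trace) -> str:
    """'true'/'false' only when no continuation of the prefix can change the answer."""
    s = holds(f, prefix, 0, strong=True)
    w = holds(f, prefix, 0, strong=False)
    if s and w:
        return "true"
    if not s and not w:
        return "false"
    return "inconclusive"


def monitor(f: Formula, trace: Trace) -> List[Tuple[int, str]]:
    """Feed observations one at a time; stop at the first conclusive verdict."""
    out: List[Tuple[int, str]] = []
    for k in range(1, len(trace) + 1):
        v = verdict(f, trace[:k])
        out.append((k, v))
        if v != "inconclusive":
            break
    return out


# Constructed sample: a hypothetical learned pattern saying "a high-pressure reading
# is always followed by a non-high reading within two steps":
#   G( !high  or  X( !high  or  X !high ) )
PRESSURE_SPIKE_PATTERN = globally(
    Or(Atom("high", negated=True),
       Next(Or(Atom("high", negated=True), Next(Atom("high", negated=True))))))

# Constructed traces (not testbed data).
TRACE_NORMAL: Trace = [{"high": False}, {"high": True}, {"high": False}, {"high": False}]
TRACE_ANOMALY: Trace = [{"high": False}, {"high": True}, {"high": True},
                        {"high": True}, {"high": False}]

if __name__ == "__main__":
    print("normal :", monitor(PRESSURE_SPIKE_PATTERN, TRACE_NORMAL))
    print("anomaly:", monitor(PRESSURE_SPIKE_PATTERN, TRACE_ANOMALY))
```

On the anomalous trace the monitor stays inconclusive for three steps and returns `false` at step 4, the first observation at which no possible continuation can satisfy the pattern; that is the point at which a checker in the framework's position would raise a prediction. On the normal trace every step stays inconclusive, which is the expected outcome for a `G`-shaped property on a run that has not ended: a safety pattern can be refuted by a finite prefix but never confirmed by one. The strong/weak pair is sound but not complete, so some prefixes that a full LTL3 automaton would settle remain `inconclusive` here; the trade-off is a monitor that is a few dozen lines and easy to audit against the learned formula.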
Source journal: Computers & Security (Engineering and Technology, Computer Science: Information Systems)
CiteScore: 12.40
Self-citation rate: 7.10%
Publication volume: 365
Review time: 10.7 months
Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.