
Recursive Histogram Tracking-Based Rapid Online Anomaly Detection in Cyber-Physical Systems

IEEE Transactions on Systems, Man, and Cybernetics: Systems · 2022
Cited by 10
ABS 3

Summary

This paper proposes an online rapid detection scheme that monitors the data packet stream and estimates the histogram sequence, raises an alarm when a change in the histogram is detected, and estimates the attack commencement time. It applies to replay and bias-injection attacks in cyber-physical systems.

Abstract

Prompt online detection of anomalies induced by malicious attacks enhances the efficacy of real-time operation and attack mitigation, an indispensable part of any cyber-physical system (CPS) management. This article proposes a novel online rapid detection scheme that continuously monitors the data packet stream, infers the sequence of probability distributions (estimated as histograms), and alerts when a change in the histogram is detected, reporting both the attack and an estimate of its instant of commencement. A statistical, data-driven attack model is proposed and employed that is general enough to represent two ubiquitous types of attacks on CPS: 1) replay and 2) bias injection. The proposed detection framework relies on the fact that CPSs possess well-defined dynamics affected by quasi-stationary noise, which allows the histogram sequences of the system data packets to converge (to different distributions in the presence versus the absence of an attack). The proposed online scheme detects an attack and estimates the attack commencement time by relying on the computed distance between the real-time estimated histogram and the a priori learned nominal histogram. Our formulation further sheds light on two attack initiation-time-based subcases: "early" (the attack starts before sufficient nominal-behavior data was collected for its histogram sequence to approach its nominal value) versus "late." The designed algorithm of our scheme has linear time complexity in the dimension of the data packets and in the algorithm parameters, which makes it suited for rapid detection. The proposed algorithm is implemented and validated on two real supervisory control and data acquisition (SCADA) system datasets, where a low detection delay demonstrates the effectiveness of the scheme.
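The abstract's detection loop (recursive histogram update, distance to an a priori nominal histogram, alarm plus commencement-time estimate) in a simplified form, as an added illustration that is not the paper's own algorithm or code. It assumes a sliding-window histogram, total-variation distance, fixed bins, and a constructed sensor stream with a bias injection; the thresholds and the "late" attack case are assumptions, and the noise model is Gaussian for illustration only.

```python
from collections import deque
import random

LO, NBINS = 4.0, 13      # constructed: 13 bins of width 1.0 covering readings in [4, 17)

def bin_index(x):
    """Bin number of reading x; out-of-range readings are clipped into the end bins."""
    return min(max(int(x - LO), 0), NBINS - 1)

def learn_nominal(readings):
    """A priori nominal histogram, learned offline from attack-free readings."""
    counts = [0] * NBINS
    for x in readings:
        counts[bin_index(x)] += 1
    return [c / len(readings) for c in counts]

def tv_distance(counts, n, nominal):
    """Total-variation distance between the window histogram and the nominal one."""
    return 0.5 * sum(abs(c / n - p) for c, p in zip(counts, nominal))

def track(stream, nominal, window=100, alarm_thr=0.5, quiet_thr=0.2):
    """Return (alarm_time, estimated_attack_start, distance_trace); None if no alarm.

    The histogram covers the last `window` packets and is updated recursively
    (one increment, one decrement per packet); each distance costs O(NBINS).
    """
    counts, buf, trace = [0] * NBINS, deque(), []
    for t, x in enumerate(stream):
        counts[bin_index(x)] += 1
        buf.append(x)
        if len(buf) > window:
            counts[bin_index(buf.popleft())] -= 1
        trace.append(tv_distance(counts, len(buf), nominal))
        if len(buf) == window and trace[-1] > alarm_thr:
            # commencement estimate ("late" case): the packet after the last instant
            # at which the window still looked nominal (distance below quiet_thr)
            quiet = [s for s in range(t) if trace[s] <= quiet_thr]
            return t, (quiet[-1] + 1 if quiet else 0), trace
    return None, None, trace

def demo(seed=1, attack_start=600, bias=3.0):
    """Constructed stream: N(10,1) sensor noise, then a constant bias injected."""
    rng = random.Random(seed)
    nominal = learn_nominal([rng.gauss(10.0, 1.0) for _ in range(5000)])
    stream = ([rng.gauss(10.0, 1.0) for _ in range(attack_start)]
              + [rng.gauss(10.0, 1.0) + bias for _ in range(300)])
    alarm, est, _ = track(stream, nominal)
    return alarm, est

if __name__ == "__main__":
    print(demo())          # (alarm instant, estimated start); the true start is 600
```

With `bias=0.0` the stream stays nominal and `demo` returns `(None, None)`; the "early" subcase (attack before the window has filled) is not handled by this simplified estimator.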

Keywords: anomaly detection, cyber-physical systems, histogram, attack detection, real-time monitoring