Real-time Intrusion Detection of Cyber Physical Systems


Abstract

Intrusion detection in Industrial Control Systems (ICS), such as water treatment plants and power grids, is an important real-world problem. Real-time anomaly detection has been proposed to minimize the risk of cyber attacks. In this study, two different model-based intrusion detection approaches are learned from the normal behaviour of an ICS, SWaT. One model is inspired by TABOR, an offline graphical model-based approach to CPS intrusion detection. A timed automaton, a Bayesian network and Out of Alphabet are combined to find anomalies and localize the abnormal sensors and actuators. The other proposed model is based on a two-time-slice Bayesian Network (2-TBN), with the motivation of simplifying the multi-model approach into a single-model one. In this way, the cost in computing power and time is reduced in order to meet the requirements of real-time operation testing.
Experimental results demonstrate the model’s close performance to TABOR and a slight advantage in time. The difference between offline testing and real-time operation is another topic of this study. The generic underlying idea and experience are also applicable to cyber-physical systems in other industrial control systems.
