Article

Hidden Markov Model-Based Attack Detection for Networked Control Systems Subject to Random Packet Dropouts

Journal

IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS
Volume 68, Issue 1, Pages 642-653

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TIE.2020.2965467

Keywords

Cybersecurity; expectation maximization (EM) algorithm; hidden Markov model (HMM); Stuxnet attack; time-varying transition probabilities

Funding

  1. National Natural Science Foundation of China [61433006]


This article discusses the problem of detecting Stuxnet attacks in industrial control systems by utilizing a hidden Markov model with time-varying transition probabilities. The method involves identifying operating modes and predicting hazard modes to detect attacks early. The expectation maximization algorithm is used to handle random packet dropouts caused by unreliable networks.
The problem of attack detection for Stuxnet in industrial control systems is discussed in this article. Different operating modes (normal and hazard modes) may occur in the nominal process. In this article, we consider that the transition between different modes follows a Markov chain model with a certain transition probability. However, when the Stuxnet attack is launched, attack signals with random multitude and frequency are injected to trigger more hazard modes and, finally, hasten the fatigue of control devices. Under this unpredictable attack, the transition between operating modes does not follow the regular transition probabilities. Therefore, a hidden Markov model with time-varying transition probabilities is utilized to describe the Stuxnet attack. The transition probabilities are estimated based on the measurements. By recognizing operating modes and predicting the number of occurrences of hazard modes, the Stuxnet attack can be detected earlier if the predicted value exceeds the threshold. In the operating mode recognition, the expectation maximization algorithm is used to estimate the parameters, considering random packet dropouts caused by the unreliable network. A simulation is conducted to verify the effectiveness of the proposed method.
