Mode division-based anomaly detection against integrity and availability attacks in industrial cyber-physical systems

Integrity and availability attacks can cause serious damage to modern industrial cyber-physical systems (ICPS). It is critical to detect and identify these attacks promptly and accurately. This paper investigates the anomaly detection for ICPS in the process industry. Three typical attacks, the Stuxnet-like, denial-of-service, and false data injection, are taken as specific defense targets. We propose to detect anomalies by quantifying the dynamic variations of generalized model implied by operating data, and present a mode division as the novel detection framework. The subspace technique and a quantization method for the amplitude-frequency characteristic deviation are employed to design the detector, which can be deployed independently in the active ICPS and does not cause any loss of control performance. An attack-defense experimental platform is developed to evaluate the detector under the attack scenarios of interest. The results show that the detector can detect any of the three attacks in a maximum of 28 s after the attack onset, and that these attacks can be distinguished by combining the state estimation residuals and system errors.

Automated summary

This paper investigates anomaly detection for industrial cyber-physical systems (ICPS) in the process industry, proposing a novel detection framework that quantifies dynamic variations of a generalized model implied by operating data. The detector, designed using subspace technique and quantization method, can be deployed independently in active ICPS without causing any loss of control performance. The experimental results show that the detector can detect attacks within 28 seconds and distinguish between different attack types.