Temporal assessment of malicious behaviors: application to turnout field data monitoring

Sara Abdellaoui, Emil Dumitrescu, Cédric Escudero, Eric Zamaï

TL;DR

This paper addresses cyberthreats targeting railway turnout data by proposing a temporally aware authenticity check: it learns to forecast the next turnout power curve from the past $N$ curves and flags discrepancies between the predicted and observed curves as potential cyberattacks. A two-phase framework is used: a development phase trains an LSTM forecasting model (with $N=50$) on fault-free and aging data, and an operation phase forecasts curve $N+1$ and compares it to the actual curve using DTW and Euclidean distance, with thresholds calibrated from non-compromised data. When discrepancies exceed thresholds, a cyberattack investigation is triggered, leveraging a prior classifier to categorize the threat scenarios (e.g., progressive aging, sudden failure) and guide decision-making. The method is demonstrated on real turnout data, showing that temporal context improves threat detection beyond single-curve analysis and highlighting practical limits, such as capturing slowly aging trends, with proposed refinements like auto-encoder/LSTM hybrids and ecosystem-wide generalization to heterogeneous turnouts for robust CSA in railway CPS.

Abstract

Monitored data collected from railway turnouts are vulnerable to cyberattacks: attackers may either conceal failures or trigger unnecessary maintenance actions. To address this issue, a cyberattack investigation method is proposed based on predictions made from the temporal evolution of the turnout behavior. These predictions are then compared to the field acquired data to detect any discrepancy. This method is illustrated on a collection of real-life data.
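
The comparison step of the operation phase described in the TL;DR, as an added example that is not code from the paper. The forecasts are constructed stand-ins for the LSTM output; the max-times-margin threshold rule, the OR of the two tests, and all function names are assumptions.

```python
import math

def euclidean(a, b):
    """Point-wise Euclidean distance between two equal-length curves."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def dtw(a, b):
    """Dynamic time warping distance with |x - y| as the local cost."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)
    for x in a:
        cur = [inf]
        for j, y in enumerate(b, 1):
            cur.append(abs(x - y) + min(prev[j], prev[j - 1], cur[j - 1]))
        prev = cur
    return prev[-1]

def calibrate(clean_pairs, margin=1.2):
    """Thresholds from non-compromised (forecast, observed) pairs.
    Assumption: worst clean distance times a safety margin."""
    return (margin * max(dtw(p, o) for p, o in clean_pairs),
            margin * max(euclidean(p, o) for p, o in clean_pairs))

def check(forecast, observed, thresholds):
    """Flag the observed curve if either distance exceeds its threshold
    (assumption: OR of the two tests)."""
    d, e = dtw(forecast, observed), euclidean(forecast, observed)
    return {"dtw": d, "euclidean": e,
            "investigate": d > thresholds[0] or e > thresholds[1]}

def curve(plateau):
    """Constructed power curve: inrush peak, 40-sample plateau, fall to zero."""
    return [3.0, 2.0] + [plateau] * 40 + [0.5, 0.0]

# Constructed data. The forecasts stand in for the LSTM output for curve N+1.
HEALTHY = curve(1.00)
CLEAN_PAIRS = [(HEALTHY, curve(1.00 + d)) for d in (0.01, -0.02, 0.03)]
THRESHOLDS = calibrate(CLEAN_PAIRS)

# History shows aging, so the forecast has a raised plateau; the reported
# curve is a healthy one (a concealed-failure case, constructed).
AGED_FORECAST = curve(1.30)

if __name__ == "__main__":
    print("thresholds (dtw, euclidean):", THRESHOLDS)
    print("clean    :", check(HEALTHY, curve(1.02), THRESHOLDS))
    print("tampered :", check(AGED_FORECAST, HEALTHY, THRESHOLDS))
```

A single-curve check would accept the healthy-looking reported curve; it is only the mismatch with the forecast built from the aging history that raises the flag.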

Paper Structure (15 sections, 5 figures)

Figures (5)

  • Figure 1: Turnout.
  • Figure 2: Framework proposed.
  • Figure 3: Data preparation for the LSTM learning.
  • Figure 4: Cyberattack investigation process.
  • Figure 5: Input sequences & predictions.