Enhancing Network Security Management in Water Systems using FM-based Attack Attribution

Aleksandar Avdalovic, Joseph Khoury, Ahmad Taha, Elias Bou-Harb

TL;DR

Water systems face growing cyber-physical threats, and existing attribution methods fail to capture crucial sensor-actuator interactions. The authors propose a model-agnostic attack attribution framework based on Factorization Machines (FM) that jointly models linear contributions and pairwise interactions, integrated with CNN/LSTM anomaly detectors. Through perturbation-based training and L1-regularization, the FM explainer yields sparse, interpretable attributions and a combined score that can be ranked against model-agnostic baselines. Evaluations on SWaT and WADI show that FM-based attribution excels in multi-feature attack scenarios and remains competitive for single-feature attacks, enabling more accurate root-cause analysis and faster, targeted defense in real-time water system security.

Abstract

Water systems are vital components of modern infrastructure, yet they are increasingly susceptible to sophisticated cyber attacks with potentially dire consequences on public health and safety. While state-of-the-art machine learning techniques effectively detect anomalies, contemporary model-agnostic attack attribution methods using LIME, SHAP, and LEMNA are deemed impractical for large-scale, interdependent water systems. This is due to the intricate interconnectivity and dynamic interactions that define these complex environments. Such methods primarily emphasize individual feature importance while falling short of addressing the crucial sensor-actuator interactions in water systems, which limits their effectiveness in identifying root-cause attacks. To this end, we propose a novel model-agnostic Factorization Machines (FM)-based approach that capitalizes on water system sensor-actuator interactions to provide granular explanations and attributions for cyber attacks. For instance, an anomaly in an actuator pump's activity can be attributed to a set of top root-cause attack candidates, a list of water pressure sensors, which is derived from the underlying linear and quadratic effects captured by our approach. We validate our method using two real-world, water-system-specific datasets, SWaT and WADI, demonstrating its superior performance over traditional attribution methods. In multi-feature cyber attack scenarios involving intricate sensor-actuator interactions, our FM-based attack attribution method effectively ranks attack root causes, achieving approximately 20% average improvement over SHAP and LEMNA.

Paper Structure

This paper contains 17 sections, 9 equations, 4 figures, 2 tables.

Figures (4)

  • Figure 1: Illustrative Scenario: (Left) Data gathering and anomaly detection in a water system, where an anomaly is detected due to a mismatch between predicted and observed values. (Upper Right) Traditional attribution methods focus on individual contributions but overlook interactions. (Lower Right) The proposed FM-based approach captures both individual contributions and interactions, providing a comprehensive understanding of the anomaly's root cause. This example is motivated by a real attack scenario further analyzed in Figure 4.
  • Figure 2: Overview of the Water System Anomaly Detection and Attribution Process. The diagram illustrates the steps involved in anomaly detection and attribution within a water system. The system comprises interconnected sensors and actuators (e.g., pumps, pressure valves) that feed data into a deep learning model (CNN/LSTM). This model is trained to detect anomalies based on a reconstruction error threshold. Once an anomaly is detected, the FM model performs attribution by identifying the responsible sensors and actuators, capturing both individual and interaction effects between components. The process shows data collection (Step 0), attack simulation (Step 1), and anomaly detection with attribution (Step 2). The bottom part highlights how FM combines linear and interaction terms for more accurate anomaly attribution in water systems.
  • Figure 3: Overview of the SWaT System: The figure illustrates the architecture of the Secure Water Treatment (SWaT) system, highlighting the different stages along with key sensors and actuators involved in the treatment process. Here, R stands for Reject and P stands for Permeate.
  • Figure 4: (a) The Linear Weights bar plot on the left shows the individual contributions of key sensors and actuators to the anomaly. AIT402, AIT502, and FIT201 exhibit the highest weights, underscoring their critical roles in the detected anomaly. (b) The Interaction Weights heatmap on the right illustrates the relationships between components, with the attacked area clearly highlighted through the interaction between AIT402 and AIT502. This provides further insight into how component interactions contribute to the anomaly.