Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Algorithmic detection of false data injection attacks in cyber-physical systems

Souvik Das, Avishek Ghosh, Debasish Chatterjee

TL;DR

This work addresses rapid detection of false data injection attacks in cyber-physical systems modeled as stochastic LTI processes with sub-Gaussian noise. It introduces AD-CPS, a threshold-based, data-driven detector that relies on a Doob-decomposition-based test signal and provable non-asymptotic guarantees on false positives and false negatives, robust to unknown attack policies. The authors provide explicit threshold expressions and discuss offline tuning, demonstrate the method on partially observed systems, and compare its performance to an optimal watermarking CUSUM detector, finding comparable results. The approach is notable for its distributional robustness, model-agnostic attack assumptions, and applicability to realistic CPS settings, including partial observability. Overall, AD-CPS offers a practical, provably reliable tool for rapid CPS anomaly detection with theoretical performance guarantees.

Abstract

This article introduces an anomaly detection based algorithm (AD-CPS) to detect false data injection attacks that fall under the category of data deception/integrity attacks, but with arbitrary information structure, in cyber-physical systems (CPSs) modeled as stochastic linear time-invariant systems. The core idea of this data-driven algorithm is based on the fact that an honest state (one not compromised by adversaries) generated by the CPS should concentrate near its weighted empirical mean of the immediate past samples. As the first theoretical result, we provide non-asymptotic guarantees on the false positive error incurred by the algorithm for attacks that are 2-step honest, referring to adversaries that act intermittently rather than successively. Moreover, we establish that for adversaries possessing a certain minimum energy, the false negative error incurred by AD-CPS is low. Extensive experiments were conducted on partially observed stochastic LTI systems to demonstrate these properties and to quantitatively compare AD-CPS with an optimal CUSUM-based test.

Algorithmic detection of false data injection attacks in cyber-physical systems

TL;DR

This work addresses rapid detection of false data injection attacks in cyber-physical systems modeled as stochastic LTI processes with sub-Gaussian noise. It introduces AD-CPS, a threshold-based, data-driven detector that relies on a Doob-decomposition-based test signal and provable non-asymptotic guarantees on false positives and false negatives, robust to unknown attack policies. The authors provide explicit threshold expressions and discuss offline tuning, demonstrate the method on partially observed systems, and compare its performance to an optimal watermarking CUSUM detector, finding comparable results. The approach is notable for its distributional robustness, model-agnostic attack assumptions, and applicability to realistic CPS settings, including partial observability. Overall, AD-CPS offers a practical, provably reliable tool for rapid CPS anomaly detection with theoretical performance guarantees.

Abstract

This article introduces an anomaly detection based algorithm (AD-CPS) to detect false data injection attacks that fall under the category of data deception/integrity attacks, but with arbitrary information structure, in cyber-physical systems (CPSs) modeled as stochastic linear time-invariant systems. The core idea of this data-driven algorithm is based on the fact that an honest state (one not compromised by adversaries) generated by the CPS should concentrate near its weighted empirical mean of the immediate past samples. As the first theoretical result, we provide non-asymptotic guarantees on the false positive error incurred by the algorithm for attacks that are 2-step honest, referring to adversaries that act intermittently rather than successively. Moreover, we establish that for adversaries possessing a certain minimum energy, the false negative error incurred by AD-CPS is low. Extensive experiments were conducted on partially observed stochastic LTI systems to demonstrate these properties and to quantitatively compare AD-CPS with an optimal CUSUM-based test.

Paper Structure

This paper contains 17 sections, 51 equations, 6 figures, 2 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. System description and problem statement
  4. Data available to defenders and attackers
  5. Attack detection algorithm for cyber-physical Systems (AD-CPS): intuition and discussions
  6. Some preliminary results
  7. Key intuition behind the detection test
  8. The algorithm
  9. Guarantees on false positive error
  10. Guarantees on false negative error
  11. Numerical experiment
  12. Partially observed setting
  13. Computation of $\log\Bigl(\frac{\epsilon^2}{k\vbound \ol{M}}\Bigr)$ in Theorem \ref{['th:t2_error_incurred']}
  14. Conclusion
  15. Analysis of AD-CPS
  16. ...and 2 more sections

Figures (6)

  • Figure 1: Empirical false positive error $\wh{FPE}_{\window,\delta}$ for $\window = 5$ (Figure \ref{['subfig:W_5']}) and $\window = 20$ (Figure \ref{['subfig:W_20']}) under nominal condition.
  • Figure 2: Empirical false negative error $\wh{FNE}_{\window,\delta}$ for $\sbound_{\ol{\pnoise}} = 0.005$ (Figure \ref{['subfig:W_5']}) and $\sbound_{\ol{\pnoise}} = 0.1$ (Figure \ref{['subfig:W_20']}), as a function of $\ol{\athr}$ and $\sbound_{a}$. Here $\window =20$ is considered.
  • Figure 3: Trade-off between $\wh{FPE}_{\window,\delta}$ and $\wh{FNE}_{\window,\delta}$ for different values of $\vbound$ and $\sbound_{a}$.
  • Figure 4: $\wh{FPE}_{\window,\delta}$ when $\window$-step honesty is violated (Assumption \ref{['assum:ad_assum']}).
  • Figure 5: Test signal and detection alarm using two different detection schemes. The simulations were conducted with $\vbound=0.001$, $\sbound_{\ol{\pnoise}}=0.01$, $\sbound_a = 0.1$, and $\window=20$.
  • ...and 1 more figures