
Information-Theoretic Digital Twins for Stealthy Attack Detection in Industrial Control Systems: A Closed-Form KL Divergence Approach

Inda Kreso, Mehran Tarif, Fatemeh Moradi, Iman Khazrak, Mostafa M Rezaee, Mohammadhossein Homaei

Abstract

Digital twins (DTs) are increasingly used to monitor and secure Industrial Control Systems (ICS), yet detecting stealthy False Data Injection Attacks (FDIAs) that manipulate system states within normal physical bounds remains challenging. Deep learning anomaly detectors often over-generalize such subtle manipulations, while classical fault detection methods do not scale well in highly correlated multivariate systems. We propose a closed-loop Information-Theoretic Digital Twin (IT-DT) framework for real-time anomaly detection. N4SID identification is combined with steady-state Kalman filtering to quantify residual distribution shifts via closed-form KL divergence, capturing both mean deviations and malicious cross-covariance shifts. Evaluations on the SWaT and WADI datasets show that IT-DT achieves F1-scores of 0.832 and 0.615, respectively, with better precision than deep learning baselines such as TranAD. Computational profiling indicates that the analytical approach requires minimal memory and provides approximately a 600x inference speedup over transformer-based methods on CPU hardware. This makes the framework suitable for resource-constrained industrial edge controllers without GPU acceleration.

Paper Structure (23 sections, 7 equations, 3 figures, 3 tables, 1 algorithm)

This paper contains 23 sections, 7 equations, 3 figures, 3 tables, 1 algorithm.

Figures (3)

  • Figure 1: System architecture of the proposed IT-DT framework. The physical ICS layer feeds multivariate sensor measurements into the digital twin, where a steady-state Kalman filter continuously generates innovation residuals. The information-theoretic detection engine quantifies distributional shifts via closed-form KL divergence against a precomputed normal reference, triggering an alarm upon threshold exceedance.
  • Figure 2: Sensitivity analysis of F1-score with respect to window size $W$ on SWaT and WADI datasets. Shaded regions indicate one standard deviation across $K=10$ chronological validation folds. Performance remains stable within $\pm 5\%$ F1 across the evaluated range, confirming robustness to this hyperparameter. $W=60$ is selected as the optimal value.
  • Figure 3: KL divergence score $d_t$ over time for SWaT Attack #41. The shaded red region denotes the active attack window. IT-DT crosses the threshold $\tau^*$ at $43.5$ s after attack onset, compared to $88.0$ s for TranAD, which is a direct consequence of monitoring joint distributional shifts rather than accumulated reconstruction errors.
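
The abstract and Figure 1 describe scoring windowed innovation residuals by closed-form KL divergence against a precomputed normal reference. The following is an added example, not the paper's code, restricted to two residual channels: it builds a window whose per-channel mean and variance match the reference while only the cross-covariance shifts. The KL direction (window relative to reference), the threshold `TAU`, and the synthetic `residual` generator are assumptions.

```python
import math

W = 60      # window size selected on the page
TAU = 0.1   # hypothetical alarm threshold (the page does not give tau*)

def fit(window):
    """Mean and covariance (sxx, sxy, syy) of a window of 2-D residuals."""
    n = len(window)
    mx = sum(r[0] for r in window) / n
    my = sum(r[1] for r in window) / n
    sxx = sum((r[0] - mx) ** 2 for r in window) / n
    syy = sum((r[1] - my) ** 2 for r in window) / n
    sxy = sum((r[0] - mx) * (r[1] - my) for r in window) / n
    return (mx, my), (sxx, sxy, syy)

def kl_gauss(win, ref):
    """Closed-form KL( N(m1,S1) || N(m0,S0) ) for 2-D Gaussians (d = 2)."""
    (m1, (a1, b1, c1)), (m0, (a0, b0, c0)) = win, ref
    det0, det1 = a0 * c0 - b0 * b0, a1 * c1 - b1 * b1
    # S0^-1 = [[c0, -b0], [-b0, a0]] / det0
    trace = (c0 * a1 - 2 * b0 * b1 + a0 * c1) / det0          # tr(S0^-1 S1)
    dx, dy = m0[0] - m1[0], m0[1] - m1[1]
    maha = (c0 * dx * dx - 2 * b0 * dx * dy + a0 * dy * dy) / det0
    return 0.5 * (trace + maha - 2 + math.log(det0 / det1))

def residual(i, rho):
    """Constructed residual: zero mean, variance 0.5 per channel, correlation rho."""
    th = 2 * math.pi * i / W
    return (math.cos(th),
            rho * math.cos(th) + math.sqrt(1 - rho * rho) * math.sin(th))

def first_alarm(stream, ref):
    """Index of the first sample whose trailing W-sample score exceeds TAU."""
    for t in range(W - 1, len(stream)):
        if kl_gauss(fit(stream[t - W + 1:t + 1]), ref) > TAU:
            return t
    return None

# Constructed data: 120 normal samples, then 120 with correlated channels.
normal = [residual(i, 0.0) for i in range(120)]
attack = [residual(i, 0.9) for i in range(120)]  # per-channel stats unchanged
REF = fit(normal[:W])                            # precomputed normal reference

if __name__ == "__main__":
    print("per-channel stats, normal:", REF)
    print("per-channel stats, attack:", fit(attack[:W]))
    print("KL score of attack window:", kl_gauss(fit(attack[:W]), REF))
    print("first alarm index:", first_alarm(normal + attack, REF))
```

A detector that thresholds each channel's mean or variance separately sees identical statistics in both windows; the score rises only because the log-determinant term reacts to the off-diagonal covariance entry.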