ICS Anomaly Detection Based on Sensor Patterns and Actuator Rules in Spatiotemporal Dependency


Bibliographic Details
Published in IEEE transactions on industrial informatics Vol. 20; no. 8; pp. 10647 - 10656
Main Authors Cai, Jun; Wei, Zeheng; Luo, Jianzhen
Format Journal Article
Language English
Published Piscataway IEEE 01.08.2024
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Summary: Data-driven methods, such as deep learning, are widely adopted to detect cyberattacks on industrial control systems (ICSs). Because entity spatial relationships (ESR) are neglected, however, there is a potential discrepancy between the learned device topology and the real physical process. Meanwhile, existing methods confuse sensor patterns, actuator rules, and some interference within the spatiotemporal dependence, and so suffer from the undetected attack issue. To achieve precise detection without using design knowledge, we propose a sensor-actuator separated anomaly detection method (SA2) that distinguishes sensor patterns from actuator rules, constructing prediction models for sensors (PM-SEN) and actuators (PM-ACT) separately. Moreover, we propose an ESR-based topology construction method for providing a process-conformed topology and an attack span-based evaluation method for validating the undetected attack issue. The experimental results show that SA2 outperforms all baselines in the F1 score, effectively detecting all attacks (zero undetected rate), compared to an optimal baseline with an undetected rate of close to 50%.
ISSN: 1551-3203, 1941-0050
DOI: 10.1109/TII.2024.3393528