Authors:
Khalili Abdullah, Department of Electrical and Computer Engineering, University of Hormozgan, Bandar Abbas, Iran; Sami Ashkan, Department of Computer Science and Engineering and IT, Shiraz University, Shiraz, Iran
Keywords:
Semi-supervised learning, Outlier detection, Intrusion detection, Cyber Physical System (CPS)
English abstract:
In security standards, the operation log of a Cyber Physical
System (CPS) should be periodically reviewed to uncover those
attacks that were not detected by the Industrial Intrusion Detection
System (IIDS). In this review, security experts may find some
attack samples; however, this manual process is not practical
considering the large number of samples in the log. In addition, in
sophisticated cyber-attacks such as the Stuxnet worm, determining
normal samples with high confidence can be complicated. Hence,
a semi-supervised dataset with only some positive samples
(attacks) is available. In this paper, a statistical method for
detecting attacks in such datasets is proposed. To the best of our
knowledge, this work is the first attempt at detecting attacks in semi-supervised
datasets in industrial settings. This method, which is
called SADCPS, assumes that attack samples are significantly
different from normal ones in several features. These features are
identified by Welch’s statistical t-test. Each discriminative feature
decides whether a sample is an attack or not. Then, for each sample,
weighted voting is performed on the results of the discriminative
features and an attack index is calculated. Thus, security experts,
instead of searching all samples, only inspect samples with higher
attack indexes. For evaluation, a milk pasteurization process with
almost 50 I/Os (features) was simulated, and its normal operation
and operation under attack were logged for several periods.
Results indicated that, given only a few attacks, SADCPS assigns
most of the first ranks (higher attack indexes) to attack samples.