Summary of paper "Anomaly Detection in Cyber Physical Systems using Recurrent Neural Networks"

[shairoMt]

create a summery to explain the paper and highlight some points and used approaches, in order to define new tickets

[shairoMt]

Intro:

The paper presents an unsupervised approach to detect cyber attacks in CPS. The used model is Recurrent Neural network which is a time series predictor. Then they used the Cumulative Sum method to identify anomalies in a replicate. The proposed method can detect either anomalies and identify the sensor that is being under attack. In this paper the dataset SWaT is used. SWaT consists of two parts: network dataset and physical dataset, at this experiment just the physical dataset is used.

Why unsupervised?

In usual cases of anomalies detection we can use supervised approaches based on normal and abnormal data. In this way we can differentiate between both classes. But by appearances of new class of attack, which was not considered before, the model will fail to detect the anomalies coming from this attack. Nevertheless it could not be easy to have labelled data of CPSs especially for attack data and also, simulated data may not be realistic.

Using unsupervised learning approach will let us focus on the normal expected data, so the model will consider anything far from this data as anomaly. In such scenarios, unsupervised learning have the advantage of not requiring any abnormal data in the training phase.

Main idea

The proposed method at this paper is detecting anomalies by using a model, that is trained on normal data, to predict the next coming normal behaviour, then useng the Cumulative Sum method to identify abnormal behaviours.

Model specifications

Here come the used mythologies at the paper.

LSTM

• Input sequences of data for 100 seconds. (all sensors? physical and network dataset?)
• The network has three LSTM stacks with 100 hidden units each .
• The used loss function is a mean-square loss function.

Cumulative Sum (CUSUM)

Based on the prediction of the LSTM-RNN, the difference between the predicted outputs and the actual sensor data is calculated. Instead of identifying thresholds at each sensor, the CUSUM method to detect the deviations that corresponds to anomalies is applied. CUSUM calculates the cumulative sum of the sequence predictions to detect small deviations over time. So this method will not measure the size of difference between single prediction and observation, but will consider a long context and detect deviations.

Experiment

Pre-processing

A SWat water processing has 6 stages (where the stage in the water filter machine is a step of toward water filtering) and each stage has its own sensors. The attacks are mainly focused just on the first stage P1. So just this part of the dataset will be used. In the experiment:

• they used all the values of the sensors and actuators in P1 as features for training the model. In essence, the value from LIT101, FIT101, MV101, P101 and P102 were used, which have numeric attribute.
• Then normalising each feature by removing the mean and scaling to unit variance. Hence, all the data was normalised to be on the same scale, to prevent the domination of any features over the others.
• The normal behaviour data was divided into 80% for training and 20% for validation

Training

Training was made to run until the validation loss stopped decreasing or until it hit its maximum iteration of 200. Using the entire training set (normal behaviour data) for P1, the model took approximately 24 hours to train.

Results

In total, 9 out of the 10 attacks were detected. The proposed method was also successful in detecting SSMP, MMSP, and MSMP attacks.

Limitations

The current proposed approach was only applicable to P1. This is because we were unable to train all the sensor data due to the vast amount of data involved and limited infrastructure (that is used by training, they mean computers and processors used in experiment).