shairoMt / Anomaly_detection_at_SWaT


Summary of paper "Anomaly Detection in Cyber Physical Systems using Recurrent Neural Networks" #2

Open shairoMt opened 3 years ago

shairoMt commented 3 years ago

Create a summary to explain the paper and highlight some points and the approaches used, in order to define new tickets.

shairoMt commented 3 years ago

Intro:

The paper presents an unsupervised approach to detect cyber attacks in CPS. The model used is a Recurrent Neural Network, which is a time series predictor. Then they use the Cumulative Sum method to identify anomalies in a replicate. The proposed method can both detect anomalies and identify the sensor that is under attack. In this paper the SWaT dataset is used. SWaT consists of two parts: a network dataset and a physical dataset; in this experiment only the physical dataset is used.

Why unsupervised?

In the usual case of anomaly detection we can use supervised approaches based on normal and abnormal data. In this way we can differentiate between both classes. But when a new class of attack appears, one that was not considered before, the model will fail to detect the anomalies coming from this attack. Nevertheless, it may not be easy to have labelled data for CPSs, especially attack data, and also simulated data may not be realistic.

Using an unsupervised learning approach lets us focus on the normal expected data, so the model will consider anything far from this data as an anomaly. In such scenarios, unsupervised learning has the advantage of not requiring any abnormal data in the training phase.

Main idea

The proposed method in this paper detects anomalies by using a model, trained on normal data, to predict the next normal behaviour, then using the Cumulative Sum method to identify abnormal behaviours.

Model specifications

Here come the methodologies used in the paper.

LSTM

Cumulative Sum (CUSUM)

Based on the prediction of the LSTM-RNN, the difference between the predicted outputs and the actual sensor data is calculated. Instead of identifying thresholds for each sensor, the CUSUM method is applied to detect the deviations that correspond to anomalies. CUSUM calculates the cumulative sum of the sequence of prediction errors to detect small deviations over time. So this method does not measure the size of the difference between a single prediction and observation, but considers a long context and detects deviations.

Experiment

Pre-processing

SWaT water processing has 6 stages (where a stage in the water treatment plant is one step toward filtered water) and each stage has its own sensors. The attacks are mainly focused on the first stage, P1. So only this part of the dataset will be used. In the experiment:

Training

Training was made to run until the validation loss stopped decreasing or until it hit its maximum iteration of 200. Using the entire training set (normal behaviour data) for P1, the model took approximately 24 hours to train.

Results

In total, 9 out of the 10 attacks were detected. The proposed method was also successful in detecting SSMP, MMSP, and MSMP attacks.

Limitations

The current proposed approach was only applicable to P1. This is because we were unable to train on all the sensor data due to the vast amount of data involved and limited infrastructure (by infrastructure, they mean the computers and processors used for training in the experiment).
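The CUSUM step from the "Cumulative Sum (CUSUM)" section, worked through as an added example (this is not code from the paper or from this repository). The predictions stand in for the LSTM's one-step-ahead output; the sensor names, readings and the +0.8 offset are constructed, and the drift and threshold values are assumptions chosen for the example.

```python
from typing import Dict, List, Optional, Sequence

# Constructed stand-ins for the LSTM's predictions and the observed readings
# of two P1 sensors (names and values are made up for this example).
STEPS = 60
ATTACK_START = 30
PREDICTED: Dict[str, List[float]] = {
    "P1_level": [500.0] * STEPS,
    "P1_flow": [500.0] * STEPS,
}


def _noise(t: int) -> float:
    # Deterministic +/-0.4 jitter standing in for normal prediction error.
    return 0.4 if t % 2 == 0 else -0.4


ACTUAL: Dict[str, List[float]] = {
    "P1_level": [500.0 + _noise(t) for t in range(STEPS)],
    # P1_flow drifts by a small, persistent +0.8 from ATTACK_START onward:
    # every single residual stays small, only the accumulation reveals it.
    "P1_flow": [500.0 + _noise(t) + (0.8 if t >= ATTACK_START else 0.0)
                for t in range(STEPS)],
}


def residuals(predicted: Sequence[float], actual: Sequence[float]) -> List[float]:
    """Prediction error per time step: observed minus predicted."""
    return [a - p for a, p in zip(actual, predicted)]


def naive_alarm(res: Sequence[float], threshold: float) -> Optional[int]:
    """Per-sample check the paper argues against: first |error| > threshold."""
    return next((t for t, r in enumerate(res) if abs(r) > threshold), None)


def cusum_alarm(res: Sequence[float], drift: float, threshold: float) -> Optional[int]:
    """Two-sided tabular CUSUM: accumulate error beyond an allowed drift
    (with resets at zero) and alarm when either side exceeds threshold."""
    s_pos = s_neg = 0.0
    for t, r in enumerate(res):
        s_pos = max(0.0, s_pos + r - drift)   # sustained positive error
        s_neg = max(0.0, s_neg - r - drift)   # sustained negative error
        if s_pos > threshold or s_neg > threshold:
            return t
    return None


def detect(predicted: Dict[str, Sequence[float]], actual: Dict[str, Sequence[float]],
           drift: float = 0.3, threshold: float = 4.5) -> Dict[str, int]:
    """Map each sensor whose CUSUM fires to the step of its first alarm."""
    alarms = {}
    for name in predicted:
        t = cusum_alarm(residuals(predicted[name], actual[name]), drift, threshold)
        if t is not None:
            alarms[name] = t
    return alarms
```

Running `detect(PREDICTED, ACTUAL)` flags only P1_flow, a few steps after the offset begins, while `naive_alarm` with a per-sample threshold of 2.0 never fires on the same residuals.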