Detection of Cyber-Physical Faults and Intrusions from Physical Correlations
Published 21 Feb 2016 in cs.SY, cs.SI, physics.data-an, physics.soc-ph, and stat.AP | (1602.06604v2)
Abstract: Cyber-physical systems are critical infrastructures that are crucial both to the reliable delivery of resources such as energy, and to the stable functioning of automatic and control architectures. These systems are composed of interdependent physical, control and communications networks described by disparate mathematical models creating scientific challenges that go well beyond the modeling and analysis of the individual networks. A key challenge in cyber-physical defense is a fast online detection and localization of faults and intrusions without prior knowledge of the failure type. We describe a set of techniques for the efficient identification of faults from correlations in physical signals, assuming only a minimal amount of available system information. The performance of our detection method is illustrated on data collected from a large building automation system.
The paper introduces a detection framework that leverages spectral analysis of correlation matrices to identify anomalies in cyber-physical systems.
It employs time series detrending and sparse PCA for low-rank approximation to accurately localize faulty sensor groups.
Experimental results on an HVAC system demonstrate robustness against noise and scalability for complex, real-world CPS applications.
Detection of Cyber-Physical Faults and Intrusions
Introduction
The study "Detection of Cyber-Physical Faults and Intrusions from Physical Correlations" investigates methods for detecting and localizing faults and intrusions within cyber-physical systems (CPS) by analyzing correlations among physical signals. CPS are integral to various critical infrastructures, including energy distribution and automated control systems. The convergence of physical, control, and communication networks in these systems results in complex interdependencies, posing scientific challenges in modeling and analysis.
The primary objective is to achieve swift detection and localization of CPS anomalies without requiring pre-established attack vectors. The research emphasizes real-time response capabilities, drawing from minimal pre-existing knowledge about system architecture. Data from a large building automation system serves as the experimental foundation, demonstrating practical application of the developed techniques.
Methodology
Time Series Analysis and Correlation Matrix Construction
Detection relies on analyzing data from physical sensors embedded in a CPS. Each sensor feeds a time series of data which can include diverse real or integer-valued signals. The model adopted for detecting anomalies assumes these series are a composite of ideal operation, noisy deviations, and potential failure signals.
A vital step involves detrending sensors' data to isolate meaningful correlations. This is achieved by approximating each sensor's trace using a centered running mean, calculated over an adjustable window, $\tau_{\text{av}}$. The correlation matrix, crucial for detection, is constructed by determining correlations over another window, $\tau_{\text{corr}}$, capturing temporal signal dependencies.
Detection Protocol
Detection is based on spectral analysis of the correlation matrix. Anomalies manifest as submatrices with elevated correlation values. The presence of such anomalies is inferred from significant spectral gaps—the separation between consecutive eigenvalues in the matrix spectrum. The suggested detection criterion involves comparing the magnitude of the largest spectral gap with the characteristic noise scale determined from eigenvalue fluctuations.
Localization of Anomalous Submatrix
Low-Rank Approximation and Sparse PCA
Upon detecting anomalies, localization involves identifying the most likely group of affected sensors. This is performed using sparse PCA through a low-rank approximation technique whereby the correlation matrix is decomposed to find dominant singular vectors corresponding to potentially anomalous signals. An optimal subset size k∗=N​ provides a balance between detection accuracy and computational feasibility.
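As an added example (not code from the paper), the Python below runs the detrending, correlation-matrix, spectral-gap and localization steps described above on constructed sensor traces. The median-gap noise scale, the alarm threshold of 25, the $1/\sqrt{N}$ loading cut-off on the leading eigenvector (a rank-1 stand-in for sparse PCA) and all function names are assumptions.

```python
import numpy as np

def detrend(x, tau_av):
    """Subtract a centered running mean (odd window tau_av) from each sensor trace."""
    h = tau_av // 2
    kernel = np.ones(tau_av) / tau_av
    mean = np.apply_along_axis(np.convolve, 1, x, kernel, mode="valid")
    return x[:, h:x.shape[1] - h] - mean  # drop edge samples that lack a full window

def correlation_matrix(x, tau_av, tau_corr):
    """Pearson correlations of the detrended traces over the last tau_corr samples."""
    return np.corrcoef(detrend(x, tau_av)[:, -tau_corr:])

def spectral_gap_score(corr):
    """Largest eigenvalue gap over the median gap (median = assumed noise scale)."""
    gaps = np.diff(np.linalg.eigvalsh(corr))  # eigvalsh returns ascending eigenvalues
    return gaps.max() / np.median(gaps)

def localize(corr):
    """Sensors whose leading-eigenvector loading exceeds the uniform level 1/sqrt(N)."""
    _, vecs = np.linalg.eigh(corr)
    lead = np.abs(vecs[:, -1])
    return np.flatnonzero(lead > 1 / np.sqrt(len(lead))).tolist()

def make_traces(n=30, t=600, faulty=(), seed=7):
    """Constructed sample data: shared slow drift plus independent sensor noise."""
    rng = np.random.default_rng(seed)
    drift = 5 * np.sin(2 * np.pi * np.arange(t) / 300)
    x = 20 + drift + rng.normal(size=(n, t))
    if len(faulty):
        x[list(faulty)] += 2 * rng.normal(size=t)  # common disturbance on the group
    return x

def detect(x, tau_av=21, tau_corr=200, threshold=25.0):
    """Return (alarm, suspected sensor indices); threshold is an assumed value."""
    corr = correlation_matrix(x, tau_av, tau_corr)
    score = spectral_gap_score(corr)
    alarm = bool(score > threshold)
    return alarm, (localize(corr) if alarm else [])

if __name__ == "__main__":
    print(detect(make_traces(faulty=range(8))))  # disturbance on sensors 0..7
    print(detect(make_traces()))                 # fault-free traces
```

In practice the threshold would be calibrated on the gap scores observed during fault-free operation of the monitored system.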
Biclustering Techniques
Alternative localization methods adopt biclustering algorithms, which iteratively identify submatrices with elevated means. These approaches, such as the LAS and $\mathcal{IGP}$, employ greedy and iterative procedures to efficiently delineate anomalous sensor groups. Each algorithm's complexity is analyzed to ensure practicality in real-time scenarios, particularly emphasizing swift convergence.
Experimental Results
Real-world data from an HVAC system in a large building was utilized to validate theoretical predictions. Notably, the detection and localization methods demonstrated robustness despite sensor heterogeneity and noise. Controlled experiments further revealed limitations on anomaly localization, with efficacy declining as the anomalous submatrix diminishes in proportion to the total signal set.
Conclusion
The paper successfully provides methodologies for CPS fault detection and localization derived from physical signal analysis. Future work includes expanding experimental validation across other CPS contexts and integrating communications data to enhance detection accuracy. Achieving these goals will contribute to developing resilient CPS capable of adaptive and proportional response to faults and intrusions.
The findings underscore significant implications for developing scalable, efficient fault detection frameworks which can generalize beyond specific system architectures.