Process-Aware Stealthy Attack Detection (PASAD)

• The paper introduces PASAD, a data-driven anomaly detection method that models normal sensor dynamics using Hankel matrices and SVD to flag deviations via a spherical decision boundary.
• It employs a univariate approach by projecting live observations into a learned signal subspace, allowing rapid detection of stealthy anomalies in industrial process plants and other infrastructures.
• Extensions like EPASAD refine detection by using ellipsoid boundaries for direction-specific sensitivity, improving recall rates for micro-stealthy attacks while balancing computational efficiency.

Process-Aware Stealthy Attack Detection (PASAD) is a univariate, data-driven anomaly detection methodology designed to identify stealthy cyber-physical attacks that manipulate the physical dynamics of systems such as industrial process plants, water distribution networks, and other critical infrastructure. PASAD operates by modeling the normal temporal structure of sensor or actuator time series, projecting live data into a learned signal subspace, and detecting deviations that suggest anomalous or adversarial interventions. The technique forms the basis for a family of detectors, including PASAD itself and its ellipsoid-boundary generalization EPASAD, which allocate decision boundaries in the projected feature space to increase sensitivity to subtle, targeted process anomalies.

1. Methodological Foundation: Structure of PASAD

PASAD captures dominant deterministic process dynamics by constructing a Hankel (trajectory) matrix from a sliding window of univariate sensor or actuator observations. Specifically, for a time series $\{m_t\}_{t=1}^T$, the method fixes a window length $L$ and builds

$$M_i = [m_i, m_{i+1}, \ldots, m_{i+L-1}]^T, \quad i=1,\ldots, T-L+1$$

The complete trajectory matrix $M \in \mathbb{R}^{L \times (T-L+1)}$ is then subjected to singular spectrum analysis (SSA) or singular value decomposition (SVD) to extract the first $R \ll L$ principal left singular vectors, yielding a basis $U \in \mathbb{R}^{L \times R}$ for the dominant subspace. Each lagged vector is projected:

$x_i = U^T M_i$

A reference mean $\mu = (1/N)\sum_{i=1}^N x_i$ is computed from attack-free training projections, where $N$ is the number of training windows.

The central PASAD decision rule is based on the Euclidean distance (“departure score”) from $\mu$ in this projected space:

$D_t = \| x_t - \mu \|_2^2$

An anomaly is declared whenever $D_t$ exceeds a pre-set radius $r^2$, where $r$ is chosen from the maximum distance observed in the training regime (possibly plus a slack $\epsilon$ to absorb benign drift):

$$r^2 = \max_{i \leq N} \| x_i - \mu \|_2^2 + \epsilon$$

This sphere-based boundary treats each projected dimension equally, leading to an $R$-sphere around the normal cluster in $\mathbb{R}^R$.

2. Practical Implementation and Deployment

PASAD is implemented by first learning the signal subspace from a dedicated window of attack-free operation, followed by online, per-sample monitoring through subspace projection and distance test. The algorithm is univariate by construction—each sensor or actuator is analyzed independently via its own PASAD instance. Key parameters include the lag/window length $L$, the subspace rank $R$, and the detection threshold $\delta$ (equivalently $r^2$).

Operational steps:

1. Offline phase: Construct Hankel matrix from attack-free data, compute SVD, select $R$, compute mean $\mu$ and determine $r$.
2. Online phase: For each new observation, build the lagged vector, project to the subspace, compute $D_t$, and compare to threshold.

Resource requirements are modest; dominant computational costs per sample arise from matrix-vector operations of dimension $R$, with memory allocated for the subspace basis and running window.

PASAD's performance is contingent on appropriate window and subspace sizing: too small $R$ risks underfitting and missing process structure, while oversized $R$ introduces noise and reduces anomaly sensitivity.

3. Sensitivity and Limitations: Stealthy and Micro-Stealthy Attacks

While PASAD's subspace-residual approach is effective against abrupt or moderate-magnitude process anomalies, the isotropic nature of the spherical boundary renders it vulnerable to micro-stealthy attacks. If the normal-operation cluster is highly anisotropic in its principal components, then a sophisticated attacker can exert small perturbations along directions of high variance (“loose” axes) that degrade process performance while remaining below detection radius $r$.

Empirical evaluation confirms that PASAD experiences significant delay in flagging moderate-magnitude stealthy attacks and may fail altogether to detect low-magnitude (“micro-stealthy”) attacks when deviations occur along less constrained directions (Maurya et al., 2022). This suggests that while PASAD successfully captures the dominant deterministic dynamics, its uniform sensitivity may be suboptimal for adversaries that engineer directionally selective attacks.

4. Advancements: EPASAD and Generalized Subspace Boundaries

EPASAD extends PASAD by substituting the spherical decision region with a data-adaptive ellipsoid, offering direction-specific sensitivity. Instead of the Euclidean norm, EPASAD computes the Mahalanobis-type departure score:

$D_t = (x_t - \mu)^T \Sigma^{-1} (x_t - \mu)$

where $\Sigma$ is the sample covariance of projected normal points, regularized as necessary:

$$\Sigma = \frac{1}{N} \sum_{i=1}^N (x_i - \mu)(x_i - \mu)^T + \delta I$$

An anomaly is flagged when $D_t > 1 + \epsilon$, coherently tightening the allowed deviation along each principal axis. For computational efficiency, $\Sigma$ may be diagonalized, resulting in an axis-aligned ellipsoid. EPASAD’s additional parameterization incurs $O(R^2)$ storage and inversion cost per sensor, but for practical $R$ (typically $2 \leq R \leq 5$) this is negligible.

Table: Boundary types and computational complexity (per sensor)

Detector	Test Statistic	Boundary Type	Per-sample Cost
PASAD	$\| x_t - \mu \|_2^2$	Sphere	$O(R)$
EPASAD	$(x_t - \mu)^T\Sigma^{-1}(x_t - \mu)$	Ellipsoid	$O(R^2)$ (full), $O(R)$ (diagonal)

The ellipsoid boundary of EPASAD enables significantly higher recall rates for micro-stealthy and moderate attacks: on Tennessee-Eastman data, micro-stealthy recall rose from 7.5% (PASAD) to 17.3% (EPASAD), and for stealthy attacks from 50.3% to 54.2% (Maurya et al., 2022). On the C-Town dataset, aggregated recall increased from 54.8% to 64.3%, with a false-alarm rate actually reduced (from 4.4% to 3.7%). EPASAD also detected attacks entirely missed by PASAD, and faster, reflecting tighter, dimension-adapted anomaly boundaries.

5. Empirical Studies and Comparative Performance

Recent empirical studies have confirmed PASAD's effectiveness in realistic CPS environments and against sophisticated adversarial strategies.

Water Treatment Process: A fluoridation process was modeled by a second-order plus dead-time plant with PID control (Mattos et al., 6 Nov 2025). PASAD was implemented with lag dimension $r=26$, embedding length $L=500$, and threshold set to the maximum training statistic. Under a grid of stealthy attacks (covert change-of-reference by an SI-informed adversary), PASAD achieved near-100% true positive rate for moderate setpoint changes ($|{\gamma}_{ref}| \geq 0.1$), zero false positives, and detection delays of 40–60 samples, even as the attacker's plant model deviated up to $\pm10\%$ from ground truth. Under increasing Gaussian measurement noise, PASAD maintained robust sensitivity across four decades of variance, whereas baseline CUSUM detectors required continual retuning and suffered miss rates.

Tennessee-Eastman and C-Town Benchmarks: Systematic evaluation on the 41-channel TE chemical plant and the 43-sensor C-Town water network showed marked improvements for EPASAD over PASAD, especially for subtle attacks. These results underscore the centrality of process-aware subspace methods in defense-in-depth architectures for industrial CPS monitoring.

6. Integration with Model-based and Fusion Approaches

PASAD’s statistical subspace-residual score can be fused with other model-based detection statistics (e.g., innovations-based CUSUM, KL-divergence residual comparison) to further enhance detection power (Zaman et al., 2020). In particular, sequentially accumulated KL-divergence statistics, derived from innovations under probing and packet dropouts, offer rapid detection with low variance under strong model assumptions and can serve as a “first line” test in a PASAD-driven detection fusion center. Such integration supports a trade-off between low detection delays and robustness to modeling error.

Potential extensions include generalizing to multivariate PASAD—jointly embedding multiple sensor streams within a single trajectory matrix and subspace, or integrating deep-learning predictors with PASAD/EPASAD scores as auxiliary features for richer anomaly characterizations.

7. Trade-Offs, Challenges, and Future Directions

Trade-offs: Ellipsoid-boundary PASAD (EPASAD) requires more training data for robust covariance estimation; ill-conditioned covariance matrices from limited or highly correlated data necessitate regularization or axis alignment. The method increases model complexity and storage, yet practical impact is moderate for low-dimensional projections. Parameter selection (lag length, subspace rank, threshold) remains critical for balancing recall and false-alarm rates.

Challenges: PASAD is univariate by construction; real-world industrial attacks may span coordinated manipulation across multiple sensors or actuators. Extensions to multivariate or fused embedding spaces remain an open research area. For nonlinear or time-varying plants, extensions such as kernelized subspace tracking or dynamic thresholding are under investigation.

Prospective improvements include adaptive boundary updating to track slow process drifts, embedding of domain knowledge (such as known plant time constants or delay structures) directly into the window and embedding design, and the employment of low-rank plus diagonal covariance approximations for more nuanced ellipsoid boundaries. Lowering the detection threshold adaptively with respect to time-evolving noise statistics can maintain stringent false positive guarantees while improving sensitivity.

A plausible implication is that as process-aware, data-driven detection matures, combinations of PASAD-style subspace scores, model-based residual tests, and distributional divergence metrics could establish strong and robust multi-layered defense-in-depth for industrial CPS, with rapid flagging of both abrupt and highly stealthy attack vectors.