Scalable Anomaly Detection and Isolation in Cyber-physical Systems Using Bayesian Networks

Authors

  • Sudha Krishnamurthy
  • Soumik Sarkar
  • Ashutosh Tewari
Abstract

Anomalies in cyber-physical systems may arise due to malicious cyber attacks or operational faults in the physical devices. Accurately detecting the anomalies and isolating their root causes is important for identifying appropriate reactive and preventive measures and building resilient cyber-physical systems. Anomaly detection and isolation in cyber-physical systems is challenging, because the impact of a cyber attack on the operation of a physical system may manifest itself only after some time. In this paper, we present a Bayesian network approach for learning the causal relations between cyber and physical variables as well as their temporal correlations from unlabeled data. We describe the data transformations that we performed to deal with the heterogeneous characteristics of the cyber and physical data, so that the integrated dataset can be used to learn the Bayesian network structure and parameters. We then present scalable algorithms to detect different anomalies and isolate their respective root cause using a Bayesian network. We also present results from evaluating our algorithms on an unlabeled dataset consisting of anomalies due to cyber attacks and physical faults in a commercial building system.

∗ The authors would like to thank United Technologies Research Center for supporting this work.

INTRODUCTION

Cyber-physical systems (CPS) combine computing and communication capabilities with monitoring and control of entities in the physical world. CPS are part of many safety-critical infrastructures and industrial control systems, such as electric power grids and building automation systems. Traditional approaches for protecting control systems have primarily focused on gradual deterioration or abrupt faults in physical components.
However, the coupling between information and communication technologies and the physical controllers in a CPS makes the control system more vulnerable, especially since networked systems make it possible to launch remote attacks. Hence, there is a growing need for protecting control systems against malicious cyber attacks. As part of cyber-security mechanisms, several authentication and access control technologies have been developed for protecting information. These technologies can also be used to prevent attacks in cyber-physical control systems to some extent. However, in addition, a resilient CPS architecture needs to include mechanisms for detecting and reacting to anomalies. Anomaly detection refers to the problem of finding patterns that do not conform to expected behavior. Traditional anomaly detection schemes for cyber security analyze network traces to detect network anomalies, but do not analyze the impact of attacks on physical components. On the other hand, system theory focuses more on the reliability and stability of physical systems, but does not completely model the information technology (IT) infrastructure. Prior work on fault-tolerant control systems uses redundancy and reconfiguration mechanisms to address the vulnerability of sensors and actuators to physical failures [1]. These techniques primarily focus on reliability and do not address vulnerabilities arising from security attacks. Recently, in [2], the authors suggest that the physical controllers can be monitored to detect anomalies that cannot be detected through IT mechanisms. Likewise, in [3], the authors provide some ways of leveraging system-theoretic techniques to counter cyber security attacks, in the context of a smart power grid. In [4], a smart power grid is modeled as an undirected graph, and a polynomial-time detection algorithm based on a generalized likelihood ratio test with L1-norm regularization is used for finding small but unobservable attacks.
However, in order to successfully detect CPS anomalies and perform root-cause analysis to establish whether the anomalies are a result of a cyber attack or a fault in the physical components (sensors, actuators, controllers), we need an integrated approach that is based on understanding the cause-effect relationship between the cyber components and the physical system. In this paper, we propose an anomaly detection method that relies on a probabilistic graphical model of the underlying CPS. Specifically, we use a Bayesian network to characterize a CPS under nominal operation. This approach follows an unsupervised generative modeling concept, where the model learns the individual characteristics of subcomponents (sensors/actuators) and the causal relationships among them under nominal conditions from a dataset. Then, during regular operation, if a fault occurs in the system, it manifests itself as a low-probability or anomalous event. Given an anomalous condition, further analysis can be performed to isolate which individual characteristic or causal relationship has changed to cause the anomaly. This provides a mechanism to perform root-cause analysis without using explicitly labeled training datasets for different faults. Thus, this approach potentially has good coverage, such that a single model can be leveraged for the detection and root-cause isolation of multiple types of faults (even those that are previously unknown) in a CPS. Training such models is also easy, as it avoids the extremely challenging task of acquiring sufficient labeled data for all types of faults in a CPS. Other benefits include the ability to handle heterogeneous data while accounting for the differences in the time scales of cyber and physical entities. While some studies in the literature have applied Bayesian networks (primarily in a supervised manner) to cyber security problems, our work applies Bayesian networks in an unsupervised manner to cyber-physical security problems.
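The detection-and-isolation idea in the paragraph above, worked through as an added example that is not part of the paper: a toy Bayesian network over one cyber variable observed at t-1 and two physical variables observed at t (names, domains, the DAG cmd_prev -> valve -> temp, and every count in the nominal data are constructed here; the paper learns the network structure from data, whereas this example assumes it). Conditional probability tables are learned from nominal observations, the joint log-likelihood of a new observation is compared against a low quantile of the nominal log-likelihoods, and, when it falls below that threshold, the per-node factor log P(x_i | parents) that contributed the most surprise is reported as the root-cause candidate.

```python
import math
from collections import Counter, defaultdict
from itertools import product

# Constructed toy CPS for this example (not from the paper): one cyber
# variable observed at t-1 and two physical variables observed at t, so the
# cyber -> physical edge carries the temporal lag the paper models.
DOMAINS = {
    "cmd_prev": ["normal", "burst"],       # network command rate at t-1 (cyber)
    "valve": ["closed", "half", "open"],   # actuator position at t (physical)
    "temp": ["low", "ok", "high"],         # zone temperature band at t (physical)
}
# Assumed DAG: cmd_prev -> valve -> temp. The paper learns the structure from
# data; here the structure is given and only the parameters are learned.
PARENTS = {"cmd_prev": [], "valve": ["cmd_prev"], "temp": ["valve"]}


def nominal_records():
    """Constructed nominal-operation observations (the counts are made up)."""
    spec = [
        ("normal", "closed", "low", 27), ("normal", "closed", "ok", 3),
        ("normal", "half", "ok", 44), ("normal", "half", "low", 2),
        ("normal", "half", "high", 2),
        ("normal", "open", "high", 17), ("normal", "open", "ok", 3),
        ("burst", "open", "high", 2),
    ]
    return [{"cmd_prev": c, "valve": v, "temp": t}
            for c, v, t, n in spec for _ in range(n)]


def learn_cpts(records, parents=PARENTS, domains=DOMAINS, alpha=1.0):
    """Conditional probability tables by counting, with additive (Laplace)
    smoothing so that a combination never seen in nominal data gets a small
    non-zero probability instead of log(0)."""
    cpts = {}
    for node, pa in parents.items():
        counts = defaultdict(Counter)
        for r in records:
            counts[tuple(r[p] for p in pa)][r[node]] += 1
        table = {}
        for key in product(*[domains[p] for p in pa]):  # () for a root node
            total = sum(counts[key].values()) + alpha * len(domains[node])
            table[key] = {v: (counts[key][v] + alpha) / total
                          for v in domains[node]}
        cpts[node] = table
    return cpts


def factor_log_probs(record, cpts, parents=PARENTS):
    """log P(x_i | parents(x_i)) for every node: the terms whose sum is the
    joint log-likelihood of the observation under the Bayesian network."""
    return {node: math.log(cpts[node][tuple(record[p] for p in pa)][record[node]])
            for node, pa in parents.items()}


def log_likelihood(record, cpts, parents=PARENTS):
    return sum(factor_log_probs(record, cpts, parents).values())


def fit_threshold(records, cpts, quantile=0.01):
    """Detection threshold: a low quantile of the nominal log-likelihoods."""
    lls = sorted(log_likelihood(r, cpts) for r in records)
    return lls[int(quantile * (len(lls) - 1))]


def detect_and_isolate(record, cpts, threshold):
    """Flag the observation if its log-likelihood falls below the threshold,
    and name the factor (a node given its parents) that contributed the most
    surprise as the root-cause candidate."""
    factors = factor_log_probs(record, cpts)
    ll = sum(factors.values())
    if ll >= threshold:
        return {"anomalous": False, "log_likelihood": ll, "root_cause": None}
    return {"anomalous": True, "log_likelihood": ll,
            "root_cause": min(factors, key=factors.get), "factors": factors}


def run_demo():
    cpts = learn_cpts(nominal_records())
    threshold = fit_threshold(nominal_records(), cpts)
    cases = {
        # nominal: valve half open, temperature in band
        "nominal": {"cmd_prev": "normal", "valve": "half", "temp": "ok"},
        # cyber-side anomaly: command burst at t-1 with no physical response at t
        "cyber": {"cmd_prev": "burst", "valve": "closed", "temp": "low"},
        # physical-side anomaly: valve closed, yet the zone reads high
        "physical": {"cmd_prev": "normal", "valve": "closed", "temp": "high"},
    }
    return {name: detect_and_isolate(rec, cpts, threshold)
            for name, rec in cases.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

On the constructed data the nominal case passes, the "cyber" case is flagged with cmd_prev as the most surprising factor, and the "physical" case is flagged with temp given valve as the most surprising factor; this is the unsupervised isolation the paragraph describes, since no labeled fault data was used to fit anything. The quantile threshold is a tunable trade-off: raising it catches subtler deviations at the cost of false alarms on rare but legitimate nominal patterns.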


Publication date: 2014