Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning (1709.05342v2)

Published 15 Sep 2017 in cs.LG

Abstract: In this paper, we propose and evaluate the application of unsupervised machine learning to anomaly detection for a Cyber-Physical System (CPS). We compare two methods: Deep Neural Networks (DNN) adapted to time series data generated by a CPS, and one-class Support Vector Machines (SVM). These methods are evaluated against data from the Secure Water Treatment (SWaT) testbed, a scaled-down but fully operational raw water purification plant. For both methods, we first train detectors using a log generated by SWaT operating under normal conditions. Then, we evaluate the performance of both methods using a log generated by SWaT operating under 36 different attack scenarios. We find that our DNN generates fewer false positives than our one-class SVM while our SVM detects slightly more anomalies. Overall, our DNN has a slightly better F measure than our SVM. We discuss the characteristics of the DNN and one-class SVM used in this experiment, and compare the advantages and disadvantages of the two methods.

Citations (238)

Summary

  • The paper investigates applying unsupervised machine learning models, including Deep Neural Networks and one-class Support Vector Machines, for anomaly detection in the SWaT water treatment system testbed.
  • Comparative analysis showed the DNN model slightly outperformed the one-class SVM in F-measure, demonstrating better false positive reduction for temporal sequence anomaly detection.
  • The study improves the understanding of unsupervised anomaly detection for critical infrastructure and suggests future work on enhancing DNN models to handle gradual shifts or on exploring alternative methodologies.

Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning

The paper "Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning" applies unsupervised machine learning to anomaly detection in Cyber-Physical Systems (CPSs), using a real-world secure water treatment testbed known as SWaT. It compares two unsupervised models: a Deep Neural Network (DNN) adapted to time series data through an LSTM layer, and a one-class Support Vector Machine (SVM), a method widely used in anomaly detection.

The dataset comes from SWaT, a scaled-down, fully operational model of a water treatment plant used at the Singapore University of Technology and Design. It spans eleven days of continuous operation: seven days of normal operation and four days under thirty-six different attack scenarios. The testbed is representative of CPS architectures, in which software control systems are coupled to dynamic, stochastic physical processes.

Methodology Overview

The DNN is used as a probabilistic outlier detector: observations to which the model assigns low probability are treated as anomalies and trigger alerts. The architecture consists of a Long Short-Term Memory (LSTM) layer followed by fully connected feed-forward layers, and it processes both discrete and continuous values from sensors and actuators. The network is trained with a cross-entropy loss over multiple epochs on the SWaT normal-operation logs.

The one-class SVM takes a sliding window approach. Using a Radial Basis Function (RBF) kernel, it treats each multidimensional window of the log as one input vector, so that the vector carries the temporal pattern within the window, and classifies each such sequence as normal or anomalous.
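The sliding-window one-class SVM described above can be sketched as follows. This is an added example, not code from the paper: it uses scikit-learn's `OneClassSVM`, and the two-signal log (tank level and pump state), the spoofed-sensor attack, the window length and the `nu` and `gamma` settings are all constructed assumptions rather than SWaT data or the authors' parameters.

```python
import numpy as np
from sklearn.svm import OneClassSVM

WINDOW = 10          # samples per sliding window (assumed value)
PERIOD = 200         # constructed fill/drain cycle length, in samples

def simulate(n, rng):
    """Constructed stand-in for a plant log: tank level (continuous) and pump state (discrete)."""
    t = np.arange(n)
    level = 500 + 100 * np.sin(2 * np.pi * t / PERIOD) + rng.normal(0, 2, n)
    pump = (np.cos(2 * np.pi * t / PERIOD) > 0).astype(float)  # pump on while the tank fills
    return np.column_stack([level, pump])

def windows(log):
    """Flatten each run of WINDOW consecutive rows into one feature vector."""
    return np.stack([log[i:i + WINDOW].ravel() for i in range(len(log) - WINDOW + 1)])

def run_demo(seed=0):
    rng = np.random.default_rng(seed)
    log = simulate(3000, rng)
    train, test = log[:2000], log[2000:].copy()

    # Constructed attack: the level sensor reports a fixed false value for 100 samples.
    attacked = np.zeros(len(test), dtype=bool)
    attacked[400:500] = True
    test[attacked, 0] = 900.0

    # Scale with statistics from the normal log only; the attack log is never used for fitting.
    mu, sigma = train.mean(axis=0), train.std(axis=0)
    x_train = windows((train - mu) / sigma)
    x_test = windows((test - mu) / sigma)

    # nu bounds the fraction of training windows that may fall outside the boundary.
    model = OneClassSVM(kernel="rbf", gamma="scale", nu=0.01).fit(x_train)
    alarm = model.predict(x_test) == -1   # -1 means outside the learned normal region

    # Label each window by its most recent sample, as an online detector would see it.
    truth = attacked[WINDOW - 1:]
    recall = (alarm & truth).sum() / truth.sum()
    false_positive_rate = (alarm & ~truth).sum() / (~truth).sum()
    return recall, false_positive_rate

if __name__ == "__main__":
    r, fpr = run_demo()
    print(f"recall on attack windows: {r:.2f}, false positive rate: {fpr:.2f}")
```

Windows that straddle the end of the attack still contain spoofed samples but are labelled normal here, so they count toward the false positive rate; that labelling choice matters when comparing detectors window by window.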

Results and Analysis

The comparative evaluation indicates that the DNN marginally outperforms the one-class SVM on F-measure, with higher precision but slightly lower recall. The DNN's lower false positive rate means that its alerts over temporal sequences of sensor and actuator logs more often correspond to valid anomalies. The analysis also highlights the DNN's limitations in detecting gradual operational shifts, which remains a potential avenue for enhancing detection capability. The one-class SVM, by contrast, is more sensitive to a range of anomalies but generates intermittent false positives, which is attributed to its handling of non-linear, windowed data snapshots without considering broader historical context.

Implications and Future Directions

The paper improves the understanding of unsupervised anomaly detection in CPS operations, with an emphasis on practical deployment in critical infrastructure such as water treatment facilities. The findings suggest several directions for future work, notably enhancing the DNN architecture to better capture long-term trends and to detect gradual-shift anomalies. Broader evaluation on simulators or real-world CPS settings would help validate and refine model performance. Extending the comparison to other anomaly detection methods or to specification mining techniques would give a more complete picture of how effective each approach is on subtler anomalies.

Concluding Thoughts

The research assesses how effective unsupervised learning models are at detecting anomalies in a CPS. Although it focuses predominantly on SWaT, its insights carry over to anomaly detection in similar infrastructure, and they underline the role of carefully designed machine learning techniques in protecting critical infrastructure from cyber and operational threats.