Abstract

This article discusses the problem of detecting Stuxnet attacks in industrial control systems. Different operating modes (normal and hazard modes) may occur in the nominal process. We consider that the transition between modes follows a Markov chain model with a certain transition probability. However, when the Stuxnet attack is launched, attack signals with random multitude and frequency are injected to trigger more hazard modes and, finally, hasten the fatigue of control devices. Under this unpredictable attack, the transition between operating modes does not follow the regular transition probabilities. Therefore, a hidden Markov model with time-varying transition probabilities is used to describe the Stuxnet attack. The transition probabilities are estimated from the measurements. By recognizing operating modes and predicting the number of occurrences of hazard modes, the Stuxnet attack can be detected earlier if the predicted value exceeds the threshold. In the operating mode recognition, the expectation maximization algorithm is used to estimate the parameters, taking into account random packet dropouts caused by the unreliable network. A simulation is conducted to verify the effectiveness of the proposed method.
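The detection rule described in the abstract (estimate transition probabilities, predict the number of hazard modes, compare with a threshold) can be sketched as follows. This is an added example, not the authors' implementation: it assumes the operating modes have already been recognized, replaces the hidden Markov model and expectation maximization step with sliding-window transition counts, and uses constructed traces, window length, horizon and threshold.

```python
# Added example. Modes are assumed already recognized (0 = normal, 1 = hazard);
# None marks a sample lost to packet dropout. Window, horizon, threshold and all
# traces are constructed values, not taken from the paper.

def estimate_transitions(window, n_modes=2, prior=1.0):
    """Laplace-smoothed transition matrix from a window of recognized modes."""
    counts = [[prior] * n_modes for _ in range(n_modes)]
    for a, b in zip(window, window[1:]):
        if a is not None and b is not None:  # a dropout breaks both adjacent pairs
            counts[a][b] += 1
    return [[c / sum(row) for c in row] for row in counts]

def expected_hazards(P, start, horizon, hazard=1):
    """Expected number of hazard-mode occurrences in the next `horizon` steps."""
    dist = [0.0] * len(P)
    dist[start] = 1.0
    total = 0.0
    for _ in range(horizon):
        dist = [sum(dist[i] * P[i][j] for i in range(len(P))) for j in range(len(P))]
        total += dist[hazard]
    return total

def detect(modes, window=60, horizon=20, threshold=6.0):
    """Index of the first sample whose predicted hazard count exceeds threshold."""
    last = 0  # most recent mode that actually arrived
    for t, m in enumerate(modes):
        if m is not None:
            last = m
        if t + 1 < window:
            continue  # not enough history yet
        P = estimate_transitions(modes[t + 1 - window:t + 1])
        if expected_hazards(P, last, horizon) > threshold:
            return t
    return None

def constructed_traces(drop_every=7):
    """Nominal trace (1 hazard in 20) and one whose statistics shift at sample 200."""
    lossy = lambda xs: [None if i % drop_every == 3 else x for i, x in enumerate(xs)]
    nominal = ([0] * 19 + [1]) * 10   # 200 samples
    shifted = [0, 1, 1, 1] * 50       # 200 samples, hazard 3 in 4
    return lossy(nominal * 2), lossy(nominal + shifted)

if __name__ == "__main__":
    clean, attacked = constructed_traces()
    print("clean trace alarm:", detect(clean))
    print("attacked trace alarm:", detect(attacked))
```

Because the transition matrix is re-estimated on every window, the alarm depends on how quickly the hazard transitions shift rather than on a fixed nominal model, which is the role the time-varying probabilities play in the abstract.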
