Towards Attack Detection in Multimodal Cyber-Physical Systems with Sticky HDP-HMM based Time Series Analysis

Abstract

Automatic detection of the precise occurrence and duration of an attack reflected in time-series logs generated by cyber-physical systems is a challenging problem. This problem is exacerbated when performing this analysis using logs with limited system information. In a realistic scenario, multiple and differing attack methods may be employed in rapid succession. Modern or legacy systems operate in multiple modes and contain multiple devices recording a variety of continuous and categorical data streams. This work presents a non-parametric Bayesian framework that addresses these challenges using the sticky Hierarchical Dirichlet Process Hidden Markov Model (sHDP-HMM) . Additionally, we explore metrics for measuring the accuracy of the detected events, their timings and durations, and compare the computational efficiency of different inference implementations of the model. The efficacy of attack detection is demonstrated in two settings: an avionics testbed and a consumer robot.