Learning Constraint-Based Model for Detecting Malicious Activities in Cyber Physical Systems

2019 
Advances in computing, communications, sensors, and cloud computing have resulted in the proliferation of the Internet of Things (IoT), which forms a foundation for Cyber-Physical Systems (CPS). Cyber-physical attacks can cause tangible effects in the physical world. The attacker's goal is to disrupt the normal operations of the CPS, for example through equipment overstress, safety-limit violation, damage to product quality, or safety-compliance violation. The continued rise of cyber-attacks, together with the evolving skills of attackers and the inefficiency of traditional security algorithms at defending against advanced and sophisticated attacks such as Distributed Denial of Service (DDoS), slow DoS and zero-day attacks, necessitates the development of novel defense and resilient detection techniques beyond traditional approaches such as signature- and behavior-based methods. To deal with this, we propose a novel approach for learning a detection model that includes both operational and network data to detect advanced attacks. More precisely, our approach is able to learn a relational network that connects events at different system layers, so that attacks can be identified with a higher confidence level. In this paper, we propose a decision model built by learning from the data a set of constraints/relations that conjunctively defines the normal operation of a CPS. The solutions of the decision model characterize the normal states of a given CPS. Malicious operations are detected when one or more constraints fail for a given state of the CPS. The results demonstrate the effectiveness of the approach. The main advantage of our approach is the interpretability of the model.
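The following is an added illustration of the detection idea the abstract describes (a conjunction of constraints learned from normal states, with a state flagged when any constraint fails); it is not the paper's own learning algorithm, and the constraint families it learns (per-variable ranges and bounds on pairwise differences between operational and network variables) and the sample states are assumptions constructed here.

```python
# Added illustration (not the paper's algorithm): learn interval constraints on
# each variable and on each pairwise difference; constraint forms are assumptions.
from itertools import combinations

# Constructed normal states mixing operational (level, inflow, outflow) and
# network (pkt_rate) variables.
NORMAL_STATES = [
    {"level": 50, "inflow": 10, "outflow": 10, "pkt_rate": 100},
    {"level": 45, "inflow": 12, "outflow": 11, "pkt_rate": 105},
    {"level": 55, "inflow": 9, "outflow": 10, "pkt_rate": 95},
    {"level": 60, "inflow": 8, "outflow": 9, "pkt_rate": 110},
    {"level": 40, "inflow": 11, "outflow": 12, "pkt_rate": 90},
]

def _interval(values, margin):
    """Smallest interval covering values, widened by margin * span on each side."""
    lo, hi = min(values), max(values)
    pad = (hi - lo) * margin
    return lo - pad, hi + pad

def learn_constraints(states, margin=0.0):
    """Learn a conjunction of constraints from normal states.
    Keys: ("range", var) bounds one variable; ("diff", a, b) bounds a - b."""
    names = sorted(states[0])
    constraints = {}
    for n in names:
        constraints[("range", n)] = _interval([s[n] for s in states], margin)
    for a, b in combinations(names, 2):
        constraints[("diff", a, b)] = _interval([s[a] - s[b] for s in states], margin)
    return constraints

def violated_constraints(state, constraints):
    """List the constraints state breaks as (key, value, low, high).
    Empty means every constraint holds, so the state is a solution of the
    decision model (normal); each tuple is an interpretable reason to flag."""
    violations = []
    for key, (lo, hi) in constraints.items():
        value = state[key[1]] if key[0] == "range" else state[key[1]] - state[key[2]]
        if not lo <= value <= hi:
            violations.append((key, value, lo, hi))
    return violations

def is_malicious(state, constraints):
    """Malicious iff at least one learned constraint fails."""
    return bool(violated_constraints(state, constraints))
```

A state whose individual readings all stay in range but whose inflow/outflow relation is broken is still flagged, which is the cross-layer relational check the abstract refers to; the returned tuples name exactly which constraint failed.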