Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning

TL;DR

This paper compares deep neural networks and one-class SVMs for anomaly detection in a water treatment cyber-physical system, demonstrating that DNNs reduce false positives and have a slightly better overall detection performance.

Contribution

It introduces an unsupervised anomaly detection approach using DNNs and SVMs on water treatment data, providing a comparative analysis of their effectiveness.

Findings

DNNs produce fewer false positives than SVMs.

SVMs detect slightly more anomalies.

DNNs achieve a marginally better F measure.

Abstract

In this paper, we propose and evaluate the application of unsupervised machine learning to anomaly detection for a Cyber-Physical System (CPS). We compare two methods: Deep Neural Networks (DNN) adapted to time series data generated by a CPS, and one-class Support Vector Machines (SVM). These methods are evaluated against data from the Secure Water Treatment (SWaT) testbed, a scaled-down but fully operational raw water purification plant. For both methods, we first train detectors using a log generated by SWaT operating under normal conditions. Then, we evaluate the performance of both methods using a log generated by SWaT operating under 36 different attack scenarios. We find that our DNN generates fewer false positives than our one-class SVM while our SVM detects slightly more anomalies. Overall, our DNN has a slightly better F measure than our SVM. We discuss the characteristics of the DNN and one-class SVM used in this experiment, and compare the advantages and disadvantages of the two methods.