Memoryless Cumulative Sign Detector for Stealthy CPS Sensor Attacks

TL;DR

This paper introduces CUSIGN, a memoryless run-time monitor that detects stealthy sensor attacks in cyber-physical systems by analyzing sign changes in residuals, enhancing detection without large data storage.

Contribution

The paper proposes a novel, memoryless sign-based detection method for stealthy sensor attacks, augmenting existing detectors with improved detection capabilities and attack magnitude bounds.

Findings

Effective detection of stealthy sensor attacks demonstrated in simulations.

Memoryless design reduces data storage requirements for real-time detection.

Augmentation with CUSUM enhances attack magnitude estimation.

Abstract

Stealthy false data injection attacks on cyber-physical systems introduce erroneous measurements onto sensors with the intent to degrade system performance. An intelligent attacker can design stealthy attacks with knowledge of the system model and noise characteristics to evade detection from state-of-the-art fault detectors by remaining within detection thresholds. However, during these hidden attacks, an attacker with the intention of hijacking a system will leave traces of non-random behavior that contradict with the expectation of the system model. Given these premises, in this paper we propose a run-time monitor called Cumulative Sign (CUSIGN) detector, for identifying stealthy falsified measurements by identifying if measurements are no longer behaving in a random manner. Specifically, our proposed CUSIGN monitor considers the changes in sign of the measurement residuals and their expected occurrence in order to detect if a sensor could be compromised. Moreover, our detector is designed to be a memoryless procedure, eliminating the need to store large sequences of data for attack detection. We characterize the detection capabilities of the proposed CUSIGN technique following the well-known $\chi^2$ failure detection scheme. Additionally, we show the advantage of augmenting CUSIGN to the model-based Cumulative Sum (CUSUM) detector, which provides magnitude bounds on attacks, for enhanced detection of sensor spoofing attacks. Our approach is validated with simulations on an unmanned ground vehicle (UGV) during a navigation case study.