Higher-Order Moment-Based Anomaly Detection

TL;DR

This paper develops a distributionally robust anomaly detection method using higher-order moments to better control false alarms and limit attack impacts in complex cyber-physical systems.

Contribution

It introduces a novel thresholding approach based on higher-order moments that improves detection robustness and bounds attack reachability.

Findings

Tighter detection thresholds reduce false alarms.

Bounded attack impact under stealthy conditions.

Numerical results demonstrate improved detection performance.

Abstract

The identification of anomalies is a critical component of operating complex, and possibly large-scale and geo-graphically distributed cyber-physical systems. While designing anomaly detectors, it is common to assume Gaussian noise models to maintain tractability; however, this assumption can lead to the actual false alarm rate being significantly higher than expected. Here we design a distributionally robust threshold of detection using finite and fixed higher-order moments of the detection measure data such that it guarantees the actual false alarm rate to be upper bounded by the desired one. Further, we bound the states reachable through the action of a stealthy attack and identify the trade-off between this impact of attacks that cannot be detected and the worst-case false alarm rate. Through numerical experiments, we illustrate how knowledge of higher-order moments results in a tightened threshold, thereby restricting an attacker's potential impact.