Efficient Predictive Monitoring of Linear Time-Invariant Systems Under Stealthy Attacks

TL;DR

This paper introduces an efficient online safety monitoring method for linear systems in industrial control, capable of early detection of stealthy attacks that evade traditional anomaly detectors, enhancing system security.

Contribution

It adapts reachability analysis for real-time safety monitoring of LTI systems under stealthy attacks, combining offline symbolic reachable set computation with online safety checks using ellipsoidal calculus.

Findings

The approach predicts attack impact timely and accurately.

It outperforms baseline methods in efficiency and scalability.

Demonstrated effectiveness on Tennessee-Eastman process.

Abstract

Attacks on Industrial Control Systems (ICS) can lead to significant physical damage. While offline safety and security assessments can provide insight into vulnerable system components, they may not account for stealthy attacks designed to evade anomaly detectors during long operational transients. In this paper, we propose a predictive online monitoring approach to check the safety of the system under potential stealthy attacks. Specifically, we adapt previous results in reachability analysis for attack impact assessment to provide an efficient algorithm for online safety monitoring for Linear Time-Invariant (LTI) systems. The proposed approach relies on an offline computation of symbolic reachable sets in terms of the estimated physical state of the system. These sets are then instantiated online, and safety checks are performed by leveraging ideas from ellipsoidal calculus. We illustrate and evaluate our approach using the Tennessee-Eastman process. We also compare our approach with the baseline monitoring approaches proposed in previous work and assess its efficiency and scalability. Our evaluation results demonstrate that our approach can predict in a timely manner if a false data injection attack will be able to cause damage, while remaining undetected. Thus, our approach can be used to provide operators with real-time early warnings about stealthy attacks.