CPS Attack Detection under Limited Local Information in Cyber Security: A Multi-node Multi-class Classification Ensemble Approach
Junyi Liu, Yifu Tang, Haimeng Zhao, Xieheng Wang, Fangyu Li, Jingyi Zhang

TL;DR
This paper proposes a novel ensemble method for multi-class attack detection in distributed cyber-physical systems, effectively handling data censorship and incomplete local data without sharing raw data.
Contribution
It introduces a multi-node multi-class classification ensemble approach that completes missing information for global attack detection without data sharing.
Findings
The ensemble approach outperforms full-data methods in experiments.
Effective classification despite local data incompleteness.
Validated on numerical experiments simulating multi-node data-censoring.
Abstract
Cybersecurity breaches are the common anomalies for distributed cyber-physical systems (CPS). However, the cyber security breach classification is still a difficult problem, even using cutting-edge artificial intelligence (AI) approaches. In this paper, we study the multi-class classification problem in cyber security for attack detection. A challenging multi-node data-censoring case is considered. In such a case, data within each data center/node cannot be shared while the local data is incomplete. Particularly, local nodes contain only a part of the multiple classes. In order to train a global multi-class classifier without sharing the raw data across all nodes, the main result of our study is designing a multi-node multi-class classification ensemble approach. By gathering the estimated parameters of the binary classifiers and data densities from each local node, the missing…
Taxonomy
Topics: Network Security and Intrusion Detection · Smart Grid Security and Resilience · Anomaly Detection Techniques and Applications
