Direct vs Indirect Methods for Behavior-based Attack Detection
Darshan Gadginmath, Vishaal Krishnan, and Fabio Pasqualetti

TL;DR
This paper compares direct and indirect data-driven behavior-based attack detection methods for unknown LTI systems, analyzing their performance, consistency, and error bounds using input-output data.
Contribution
It introduces two covariance estimation methods for behavior-based detectors, proves their consistency, and compares their performance through finite sample bounds and numerical experiments.
Findings
Neither method is universally superior; performance depends on data set size and detection horizon.
The direct method excels with large data sets, while the indirect method performs better with smaller data sets.
A tradeoff exists between the methods, depending on data availability and detection requirements.
Abstract
We study the problem of data-driven attack detection for unknown LTI systems using only input-output behavioral data. In contrast with model-based detectors that use errors from an output predictor to detect attacks, we study behavior-based data-driven detectors. We construct a behavior-based chi-squared detector that uses a sequence of inputs and outputs and their covariance. The covariance of the behaviors is estimated using data by two methods. The first (direct) method employs the sample covariance as an estimate of the covariance of behaviors. The second (indirect) method uses a lower dimensional generative model identified from data to estimate the covariance of behaviors. We prove the consistency of the two methods of estimation and provide finite sample error bounds. Finally, we numerically compare the performance and establish a tradeoff between the methods at different regimes…
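A sketch of the direct method described in the abstract, added here as an illustration and not taken from the paper or its authors: behaviors (stacked input-output windows) are collected from attack-free data, their sample covariance is estimated, and a window is flagged when its quadratic form exceeds a chi-squared quantile. The scalar system, noise levels, horizon T = 2, zero-mean Gaussian inputs, and the constant sensor bias used as the test attack are all constructed assumptions.

```python
import random

A, B, C = 0.8, 1.0, 1.0            # constructed scalar LTI system (assumption)
SW, SV, T = 0.1, 0.1, 2            # process/measurement noise std, detection horizon
P0 = (B * B + SW * SW) / (1 - A * A)   # stationary state variance for unit-variance inputs
CHI2_99_DF4 = 13.277               # 0.99 quantile of chi-squared with 2*T = 4 d.o.f.

def behavior(rng, bias=0.0):
    """One window z = (u_0..u_{T-1}, y_0..y_{T-1}); bias models a constructed sensor attack."""
    x, us, ys = rng.gauss(0, P0 ** 0.5), [], []
    for _ in range(T):
        u = rng.gauss(0, 1)
        us.append(u)
        ys.append(C * x + rng.gauss(0, SV) + bias)
        x = A * x + B * u + rng.gauss(0, SW)
    return us + ys

def sample_cov(zs):
    """Direct method: sample covariance of zero-mean behaviors."""
    n = len(zs[0])
    return [[sum(z[i] * z[j] for z in zs) / len(zs) for j in range(n)] for i in range(n)]

def cholesky(S):
    """Lower-triangular L with S = L L^T (S must be positive definite)."""
    n = len(S)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = S[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            L[i][j] = s ** 0.5 if i == j else s / L[j][j]
    return L

def statistic(L, z):
    """z^T S^{-1} z via forward substitution: solve L w = z, return |w|^2."""
    w = []
    for i in range(len(z)):
        w.append((z[i] - sum(L[i][k] * w[k] for k in range(i))) / L[i][i])
    return sum(v * v for v in w)

def alarm_rate(L, rng, n, bias=0.0):
    """Fraction of n fresh windows whose statistic exceeds the threshold."""
    return sum(statistic(L, behavior(rng, bias)) > CHI2_99_DF4 for _ in range(n)) / n

def demo(seed=0, n_train=2000, n_test=1000):
    """Train on clean windows; return (false-alarm rate, detection rate under bias)."""
    rng = random.Random(seed)
    L = cholesky(sample_cov([behavior(rng) for _ in range(n_train)]))
    return alarm_rate(L, rng, n_test), alarm_rate(L, rng, n_test, bias=6.0)
```

Shrinking `n_train` toward the behavior dimension makes the sample covariance poorly conditioned and inflates the false-alarm rate, which is the small-data regime where the summary above says the indirect method performs better.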
Taxonomy
Topics: Artificial Immune Systems Applications · Fault Detection and Control Systems · Anomaly Detection Techniques and Applications
