Securing Swarms: Cross-Domain Adaptation for ROS2-based CPS Anomaly Detection

TL;DR

This paper presents a domain adaptation-based anomaly detection model for CPS that transfers attack knowledge from network data to multi-layer CPS environments, improving security without needing labeled CPS attack data.

Contribution

It introduces an adaptable, label-free CPS anomaly detection approach using domain adaptation to transfer knowledge from network traffic datasets to CPS environments.

Findings

Effective detection across network and CPS environments

Outperforms existing anomaly detection methods

Works with diverse attack types

Abstract

Cyber-physical systems (CPS) are being increasingly utilized for critical applications. CPS combines sensing and computing elements, often having multi-layer designs with networking, computational, and physical interfaces, which provide them with enhanced capabilities for a variety of application scenarios. However, the combination of physical and computational elements also makes CPS more vulnerable to attacks compared to network-only systems, and the resulting impacts of CPS attacks can be substantial. Intelligent intrusion detection systems (IDS) are an effective mechanism by which CPS can be secured, but the majority of current solutions often train and validate on network traffic-only datasets, ignoring the distinct attacks that may occur on other system layers. In order to address this, we develop an adaptable CPS anomaly detection model that can detect attacks within CPS without the need for previously labeled data. To achieve this, we utilize domain adaptation techniques that allow us to transfer known attack knowledge from a network traffic-only environment to a CPS environment. We validate our approach using a state-of-the-art CPS intrusion dataset that combines network, operating system (OS), and Robot Operating System (ROS) data. Through this dataset, we are able to demonstrate the effectiveness of our model across network traffic-only and CPS environments with distinct attack types and its ability to outperform other anomaly detection methods.