Critical infrastructures often depend upon cyber-physical systems (CPS), as seen in the smart grid, autonomous vehicle monitoring, industrial monitoring systems, etc. With the IT/OT convergence, cyber-physical systems became connected to the Internet through firewalls and demilitarized zones (DMZs). Therefore, cyber-attacks disrupting critical infrastructure services are not uncommon. Advanced attackers often use techniques to subvert standard defenses such as network intrusion detection, firewalls, etc., by using packet fragmentation, overlapping fragments, checksum manipulation, sequence number manipulation, etc. Therefore, attacks often go through perimeter defenses and start affecting the physical dynamics of the CPS. This paper proposes a robust intrusion detection system dubbed CatchAll for detecting attacks by finding anomalies in the dynamics of the cyber-physical systems. The proposed intrusion detection system (IDS) uses unsupervised learning, as the availability of labeled data is often a problem. We further assume that some fraction of the training data might get corrupted, possibly by network noise or data poisoning attacks. Such assumptions make our method applicable to real-world scenarios, where clean and trusted training data may not be available. The proposed IDS works in $O(d)$ space and time complexity at deployment and outperforms existing anomaly detection techniques on several real-world data sets and attack scenarios.
CITATION STYLE
Dutta, A. K., Mukhoty, B., & Shukla, S. K. (2021). CatchAll: A Robust Multivariate Intrusion Detection System for Cyber-Physical Systems using Low Rank Matrix. In CPSIoTSec 2021 - Proceedings of the 2nd Workshop on CPS and IoT Security and Privacy, co-located with CCS 2021 (pp. 47–56). Association for Computing Machinery, Inc. https://doi.org/10.1145/3462633.3483978