Dynamic Attack Scoring Using Distributed Local Detectors
Zahra Zohrevand, Uwe Glässer
SPS
Length: 14:24
Nowadays, continuously operating critical services increasingly rely on complex cyber-physical systems, which are also known to be high-profile targets of cyberattacks, potentially resulting in security breaches that can cause severe damage. This paper presents a novel study on detecting cyberattacks against distributed supervisory control systems. AttackTracker, a scalable and unsupervised analytic framework for behavior-based online intrusion detection, is organized as a hierarchical network of cooperating attack detectors. Each local attack detector monitors and reports the status of a subsystem by labeling observations, assigning attack scores, and raising red flags based on a comparison of actual versus predicted signal values from the observed input stream, while higher-level detectors use information aggregated from detectors at lower levels to assess the global security status of the supervisory control system. Our experiments show that AttackTracker outperforms leading methods for detecting complex attacks in a real-world operational context and that it can be used for intrusion detection across a wide range of cyber-physical systems.
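The detector hierarchy described in the abstract, sketched as an added example that is not the authors' implementation. The abstract does not specify the predictor, the scoring function or the aggregation rule, so the EWMA predictor, the median/MAD score, the quorum rule, the signal names and the sample data are all assumptions made for illustration.

```python
from statistics import median

# Assumed design (not from the paper): EWMA predictor, median/MAD score, quorum rule.
class LocalDetector:
    """Leaf node: scores one signal by how far it strays from its prediction."""
    def __init__(self, name, alpha=0.3, threshold=4.0, warmup=5):
        self.name, self.alpha, self.threshold, self.warmup = name, alpha, threshold, warmup
        self.pred, self.residuals = None, []

    def observe(self, readings):
        value = readings[self.name]
        if self.pred is None:                    # first sample seeds the predictor
            self.pred = value
            return 0.0, False
        resid, score = abs(value - self.pred), 0.0
        if len(self.residuals) >= self.warmup:   # robust z-score against past residuals
            med = median(self.residuals)
            mad = median(abs(r - med) for r in self.residuals) or 1e-9
            score = max(0.0, (resid - med) / mad)
        flag = score > self.threshold
        if not flag:                             # flagged samples never update the baseline
            self.residuals.append(resid)
            self.pred = self.alpha * value + (1 - self.alpha) * self.pred
        return score, flag

class Aggregator:
    """Inner node: combines child reports; children may be leaves or other aggregators."""
    def __init__(self, name, children, quorum=2):
        self.name, self.children, self.quorum = name, children, quorum

    def observe(self, readings):
        self.last = [c.observe(readings) for c in self.children]
        score = max(s for s, _ in self.last)     # global score: worst child score
        return score, sum(f for _, f in self.last) >= self.quorum

def run_scenario():
    """Constructed data: 20 normal steps, tank spoofed at step 20, pump too at step 21."""
    tank, pump = LocalDetector("tank_level"), LocalDetector("pump_flow")
    plant = Aggregator("plant", [tank, pump], quorum=2)
    trace = []
    for t in range(22):
        readings = {"tank_level": 50 + 0.2 * (t % 2), "pump_flow": 10 + 0.1 * (t % 2)}
        if t >= 20:
            readings["tank_level"] = 58.0
        if t >= 21:
            readings["pump_flow"] = 14.0
        _, alarm = plant.observe(readings)
        trace.append((plant.last[0][1], plant.last[1][1], alarm))
    return trace
```

Each row of the returned trace is (tank red flag, pump red flag, plant-level alarm). Because flagged samples are excluded from the baseline, a sustained deviation keeps its flag raised instead of being learned as normal.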