Sequential detection of cyber-physical attacks on industrial systems

International audience ; It is assumed that the observations represent a linear superposition of unknown nuisance parameters (stochastic or deterministic), random noise and a system parameter abruptly changing its current value from nominal to abnormal at an unknown but non-random change-point. It is assumed that this statistical model characterizes the cyber-physical attacks on industrial systems, like SCADA. The negative impact of unknown nuisance parameter on the detector is eliminated by utilizing the invariant statistics technique or statistical filtering technique. The statistical decision problem is formulated as a detection of abruptly arriving transient changes of finite duration. The criterion of optimality seeks to minimize the worst-case probability of missed detection subject to an acceptable level of the worst-case probability of false alarm within a given time period. To solve the problem, an optimal solution in a subclass of open-ended sequential tests with variable thresholds is proposed. The Variable Threshold Window Limited CUmulative SUM (VTWL CUSUM) test, previously developed for independent observations, is adapted now to the observation model with nuisance parameters. Finally, the variable threshold of the VTWL CUSUM test is optimized with respect to the optimality criterion and the probabilities of missed detection and false alarm are studied.