Differentiation Between Faults and Cyberattacks through Combined Analysis of Cyberspace Logs and Physical Measurements
- URL: http://arxiv.org/abs/2601.03289v1
- Date: Sun, 04 Jan 2026 16:29:06 GMT
- Title: Differentiation Between Faults and Cyberattacks through Combined Analysis of Cyberspace Logs and Physical Measurements
- Authors: Mohammad Shamim Ahsan, Haizhou Wang, Venkateswara Reddy Motakatla, Minghui Zhu, Peng Liu
- Abstract summary: We propose a non-trivial approach of distinguishing undetected faults and cyberattacks in DER systems. Specifically, a special kind of dependency graph is constructed using a novel virtual physical variable-oriented taint analysis algorithm. A set of patterns capturing domain-specific knowledge is derived to bridge the semantic gaps between the cyber and physical sides.
- Score: 17.1894688401576
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: In recent years, cyberattacks - along with physical faults - have become an increasing factor causing system failures, especially in DER (Distributed Energy Resources) systems. In addition, according to the literature, a number of faults have been reported to remain undetected. Consequently, unlike anomaly detection works that only identify abnormalities, differentiating undetected faults and cyberattacks is a challenging task. Although several works have studied this problem, they crucially fall short of achieving an accurate distinction due to the reliance on physical laws or physical measurements. To resolve this issue, the industry typically conducts an integrated analysis with physical measurements and cyberspace information. Nevertheless, this industry approach consumes a significant amount of time due to the manual efforts required in the analysis. In this work, we focus on addressing these crucial gaps by proposing a non-trivial approach of distinguishing undetected faults and cyberattacks in DER systems. Specifically, first, a special kind of dependency graph is constructed using a novel virtual physical variable-oriented taint analysis (PVOTA) algorithm. Then, the graph is simplified using an innovative node pruning technique, which is based on a set of context-dependent operations. Next, a set of patterns capturing domain-specific knowledge is derived to bridge the semantic gaps between the cyber and physical sides. Finally, these patterns are matched to the relevant events that occurred during failure incidents, and possible root causes are concluded based on the pattern matching results. In the end, the efficacy of our proposed automatic integrated analysis is evaluated through four case studies covering failure incidents caused by the FDI attack, undetected faults, and memory corruption attacks.
Related papers
- Demystifying deep search: a holistic evaluation with hint-free multi-hop questions and factorised metrics [89.1999907891494] (arXiv, 2025-10-01T07:59:03Z)
  We present WebDetective, a benchmark of hint-free multi-hop questions paired with a controlled Wikipedia sandbox. Our evaluation of 25 state-of-the-art models reveals systematic weaknesses across all architectures. We develop an agentic workflow, EvidenceLoop, that explicitly targets the challenges our benchmark identifies.
- Causal Graph Profiling via Structural Divergence for Robust Anomaly Detection in Cyber-Physical Systems [25.567981742631005] (arXiv, 2025-08-13T05:26:43Z)
  Causal Graph-based Anomaly Detection framework designed for reliable cyberattack detection in public infrastructure systems. CGAD follows a two-phase supervised framework -- causal profiling and anomaly scoring. By leveraging causal structures, CGAD achieves superior adaptability and accuracy in non-stationary and imbalanced time series environments.
- siForest: Detecting Network Anomalies with Set-Structured Isolation Forest [0.0] (arXiv, 2024-12-08T18:18:40Z)
  Modern cybersecurity systems face the challenge of analyzing billions of daily network interactions to identify potential threats. This paper investigates the use of variations of the Isolation Forest (iForest) machine learning algorithm for detecting anomalies in internet scan data. In particular, it presents the Set-Partitioned Isolation Forest (siForest), a novel extension of the iForest method to detect anomalies in set-structured data.
- It Is Time To Steer: A Scalable Framework for Analysis-driven Attack Graph Generation [50.06412862964449] (arXiv, 2023-12-27T10:44:58Z)
  Attack Graph (AG) represents the best-suited solution to support cyber risk assessment for multi-step attacks on computer networks. Current solutions propose to address the generation problem from the algorithmic perspective and postulate the analysis only after the generation is complete. This paper rethinks the classic AG analysis through a novel workflow in which the analyst can query the system anytime.
- Progressing from Anomaly Detection to Automated Log Labeling and Pioneering Root Cause Analysis [53.24804865821692] (arXiv, 2023-12-22T15:04:20Z)
  This study introduces a taxonomy for log anomalies and explores automated data labeling to mitigate labeling challenges. The study envisions a future where root cause analysis follows anomaly detection, unraveling the underlying triggers of anomalies.
- A Variational Autoencoder Framework for Robust, Physics-Informed Cyberattack Recognition in Industrial Cyber-Physical Systems [2.051548207330147] (arXiv, 2023-10-10T19:07:53Z)
  We develop a data-driven framework that can be used to detect, diagnose, and localize a type of cyberattack called covert attacks on industrial control systems. The framework has a hybrid design that combines a variational autoencoder (VAE), a recurrent neural network (RNN), and a Deep Neural Network (DNN).
- DyEdgeGAT: Dynamic Edge via Graph Attention for Early Fault Detection in IIoT Systems [12.641578474466646] (arXiv, 2023-07-07T12:22:16Z)
  DyEdgeGAT is a novel approach for early-stage fault detection in IIoT systems. It incorporates operating condition contexts into node dynamics modeling, enhancing its accuracy and robustness. We rigorously evaluated DyEdgeGAT using both a synthetic dataset and a real-world industrial-scale flow facility benchmark.
- Ranking-Based Physics-Informed Line Failure Detection in Power Grids [66.0797334582536] (arXiv, 2022-08-31T18:19:25Z)
  Real-time and accurate detection of potential line failures is the first step to mitigating the extreme weather impact and activating emergency controls. Nonlinearity of the power balance equations, increased uncertainty in generation during extreme events, and lack of grid observability compromise the efficiency of traditional data-driven failure detection methods. This paper proposes a Physics-InformEd Line failure Detector (FIELD) that leverages grid topology information to reduce sample and time complexities and improve localization accuracy.
- Towards an Awareness of Time Series Anomaly Detection Models' Adversarial Vulnerability [21.98595908296989] (arXiv, 2022-08-24T01:55:50Z)
  We demonstrate that the performance of state-of-the-art anomaly detection methods is degraded substantially by adding only small adversarial perturbations to the sensor data. We use different scoring metrics such as prediction errors, anomaly, and classification scores over several public and private datasets. We demonstrate, for the first time, the vulnerabilities of anomaly detection systems against adversarial attacks.
- Causality-Based Multivariate Time Series Anomaly Detection [63.799474860969156] (arXiv, 2022-06-30T06:00:13Z)
  We formulate the anomaly detection problem from a causal perspective and view anomalies as instances that do not follow the regular causal mechanism to generate the multivariate data. We then propose a causality-based anomaly detection approach, which first learns the causal structure from data and then infers whether an instance is an anomaly relative to the local causal mechanism. We evaluate our approach with both simulated and public datasets as well as a case study on real-world AIOps applications.
- Inter-Domain Fusion for Enhanced Intrusion Detection in Power Systems: An Evidence Theoretic and Meta-Heuristic Approach [0.0] (arXiv, 2021-11-20T00:05:39Z)
  False alerts due to compromised IDS in ICS networks can lead to severe economic and operational damage. This work presents an approach for reducing false alerts in CPS power systems by dealing with uncertainty without a prior distribution of alerts.
- Towards Unbiased Visual Emotion Recognition via Causal Intervention [63.74095927462] (arXiv, 2021-07-26T10:40:59Z)
  We propose a novel Emotion Recognition Network (IERN) to alleviate the negative effects brought by the dataset bias. A series of designed tests validate the effectiveness of IERN, and experiments on three emotion benchmarks demonstrate that IERN outperforms other state-of-the-art approaches.