SIDS: State-based intrusion detection for stage-based cyber physical systems

Attacks to Cyber Physical Systems (CPSs) are detected by Industrial Intrusion Detection Systems (IIDSs). Operation of stage-based CPSs (those for which their underlying process is batch) consists of three parts: normal states, normal transitions between the normal states, and normal time-intervals for transitions. Unfortunately, state-of-the-art IIDSs directly address cyber-attacks that result in anomalous states whereas anomalous transitions or time-intervals can also indicate cyber-attacks. In this paper, a State-based IDS (SIDS) is proposed to detect all three anomalies. For doing this, SIDS first automatically extracts the normal behavior of CPS. Then it monitors current CPS behavior and detects intrusions by directly looking at the data of field layer. A small-scale but real CPS (a mixer process) is provided to illustrate how SIDS works. In addition, experimental results on three cyber-attacks orchestrated on a simulated milk pasteurization process indicate that SIDS can successfully detect cyber-attacks to large I/O CPSs.