Robust Anomaly Detection in Cyber Physical System using Kullback-Leibler Divergence in Error Distributions

We investigate anomaly detection in Cyber-Physical System (CPS), where anomalies are attacks to CPS to disrupt the operations of critical infrastructures. We use the Secure Water Treatment (SWaT) systems dataset, where normal and attack states are simulated in the water tanks. Among different types of anomalies, we focus on detecting the contextual anomalies, which can be challenging to detect with the Out-Of-Limit threshold method. Recent research shows promising results in detecting anomalies from analyzing error distributions from the machine learning classifier. Similarly, we statistically analyze prediction error patterns from Recurrent Neural Network (RNN) and Mixture Density Network (MDN) classifiers to detect anomalies. First, we generate anomaly scores with Local Outlier Factor (LOF) and remove point anomalies. With the fixed window size, an empirical probability distribution is estimated, and we apply the sliding window to measure the difference of probability distributions between the other windows. To measure the difference efficiently between anomalies and normal data, we use Kullback-Leibler divergence. Our preliminary result shows that we can effectively detect contextual anomalies compared with Nearest Neighbor Distance (NND) approach.