Attack Detection and Location Using State Forecasting in Multivariate Time Series of ICS

ICS (industrial control systems) security researches have paid a great effort on anomaly detection base on the analyzes of communication protocols, network dataflow, sensor time series. However, few research have been done to recognize cyber attacks as well as the localization, which make active security control impossible. Actually, to recognize cyber attacks is crucial for ICS security control. In this paper, we proposed a novel multivariate time series attack detection and location framework based on adaptive state space formulation and forecasting. To dynamically describe systems' state transition characteristics, a graph structure learning scheme was designed based on Attention mechanism. Furthermore, to achieve state forecasting of systems, an improved Kalman filter with Transformer mechanism was proposed. Experiments on datasets from real industrial scenario demonstrated the effectiveness, and proved that the proposed method achieved higher location accuracy than the state-of-the-art methods.