{"id":9640,"date":"2022-08-18T16:50:48","date_gmt":"2022-08-18T14:50:48","guid":{"rendered":"https:\/\/www.digitalfutures.kth.se\/?page_id=9640"},"modified":"2025-01-23T09:37:24","modified_gmt":"2025-01-23T08:37:24","slug":"causal-reasoning-for-real-time-attack-identification-in-cyber-physical-systems","status":"publish","type":"page","link":"https:\/\/wpmu-tris.sys.kth.se\/digitalfutures\/research\/c3aidti-projects\/completed-c3-ai-dti-projects\/causal-reasoning-for-real-time-attack-identification-in-cyber-physical-systems\/","title":{"rendered":"Causal Reasoning for Real-Time Attack Identification in Cyber-Physical Systems"},"content":{"rendered":"<p><em>Objective<br \/>\n<\/em>We propose to develop computationally efficient machine learning algorithms and tools for attack detection and identification based on a novel, scalable representation of the physical system state, the communication protocol state and the IT infrastructure\u2019s security state maintained based on noisy observations and measurements from the physical and the IT infrastructure. The key contribution is to learn a succinct representation of the security state of the IT infrastructure that allows computationally efficient belief updates in real-time and enables jointly accounting for the evolution of the state of the physical system, communication protocols, and infrastructure for accurate detection of attacks and identification through causal reasoning based on learnt dependency models.<\/p>\n<p>The research will help address questions such as achieving real-time situational awareness in complex IT infrastructures, developing anomaly detectors with low false positive and false negative rates, and using information about IT infrastructure to improve attack identification. 
The project leverages the expertise of three research teams from KTH, UIUC, and MIT, with extensive expertise in cyber-physical systems security, smart grids, and anomaly detection.<\/p>\n<p><em>Background<br \/>\n<\/em>Modern SCADA systems rely on IP-based communication protocols that are primarily event-driven and follow a publish-subscribe model. The timing and content of protocol messages emerge from interactions between the physical system state and the protocol\u2019s internal state \u2013 as an effect, traditional approaches to anomaly detection result in excessive false positives and, ultimately, alarm fatigue.<\/p>\n<p><em>Crossdisciplinary collaboration<br \/>\n<\/em>The project is a collaboration between the\u00a0<span class=\"schoolname\">KTH Royal Institute of Technology, the\u00a0University of Illinois at Urbana-Champaign and MIT.<\/span><\/p>\n<p><strong>Watch the recorded presentation at the Digitalize in Stockholm 2023 event:<\/strong><\/p>\n<div class=\"embed-wrapper\"><iframe loading=\"lazy\" title=\"BREAKOUT 2 - Trustworthy Software and Systems: Causal Reasoning for Real-Time Attack Identification\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/DIk1kz20G8Y?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Machine learning algorithms and tools for attack detection and identification based on a novel, scalable representation of the physical system state&#8230;<\/p>\n","protected":false},"author":46,"featured_media":9641,"parent":13592,"menu_order":104,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-9640","page","type-page","status-publish","has-post-thumbnail","hentry"]}