An Attention-based Anomaly Detection Model for Ensuring Cyber Security in Nuclear Facilities

Feiyan Dong - The University of Tokyo
Shi Chen - The University of Tokyo
Kazuyuki Demachi - The University of Tokyo

Nuclear facilities rely on Industrial Control Systems (ICSs), which involve a considerable number of dispersed devices in physically secure locations, connected through cyber links in the device interconnection network and for remote connectivity. These cyber links, which expose vulnerabilities in the ICS and are hence susceptible to cyber-attacks, transmit operators' control information to the logic actuators and feed back environment information through sensors. Once an intended attack succeeds in propagating over the communication link, the normal behavior of the ICS can be affected, which might result in entity failure, high maintenance cost and severe accidents. Therefore, there is a pressing demand to secure the overall ICS of a nuclear facility through anomaly detection on ICS operational-level data. The operational-level data is measured from the numerous devices within one system, forming multivariate data because of the interconnecting links. Recently, deep learning-based approaches have made fruitful improvements in anomaly detection using multivariate datasets. Nevertheless, conventional approaches treat multivariate data as a set of independent univariate series, taking into account only temporal information and neglecting the potential relationships between variables; this loses significant features and makes it difficult to explicitly detect anomalies in the overall system. To alleviate this problem, an attention-based model is proposed that takes advantage of both the temporal and the inner relationships of multivariate data. The proposed model is first trained from the deviations between the analyzed result and its ground truth value. Subsequently, combined with the inner relationships, anomaly detection for the whole system can be accomplished. Consequently, the false true situations in anomaly detection results can be largely precluded. The performance is evaluated and verified on benchmark datasets. The experimental results show the feasibility of the proposed model, which can achieve robust and reliable results in detecting different cyber-attack scenarios through their corresponding anomalous operational behaviors.
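
The contrast the abstract draws between per-variable checks and relationship-aware detection, as an added example that is not the authors' model: a single softmax-attention step over constructed training data predicts each sensor from the others and scores the deviation. The sensor layout, `plant`, `tau` and the threshold margin are assumptions made for illustration; the abstract does not specify the architecture.

```python
import math

def attend(query, keys, values, tau=0.005):
    # Softmax attention over training steps: score = -squared distance / tau.
    scores = [-sum((q - k) ** 2 for q, k in zip(query, key)) / tau for key in keys]
    top = max(scores)
    weights = [math.exp(s - top) for s in scores]
    return sum(w * v for w, v in zip(weights, values)) / sum(weights)

def relation_score(train, row):
    # Largest |predicted - observed| when each sensor is predicted from the others.
    worst = 0.0
    for j in range(len(row)):
        keys = [r[:j] + r[j + 1:] for r in train]
        values = [r[j] for r in train]
        predicted = attend(row[:j] + row[j + 1:], keys, values)
        worst = max(worst, abs(predicted - row[j]))
    return worst

def univariate_alarm(train, row):
    # Baseline: each sensor checked alone against its own training range.
    return any(not (min(r[j] for r in train) <= x <= max(r[j] for r in train))
               for j, x in enumerate(row))

def plant(flow):
    # Constructed process (assumption): pressure and valve position follow flow.
    return [flow, 2 * flow + 1, 0.5 - 0.3 * flow]

# Constructed normal operating data and a threshold with margin over its deviations.
TRAIN = [plant(math.sin(0.05 * t)) for t in range(400)]
THRESHOLD = 3 * max(relation_score(TRAIN, r) for r in TRAIN)

NORMAL = plant(0.3)
SPOOFED = plant(0.9)
SPOOFED[1] = 1.0  # pressure reading replaced by a value inside its normal range

def detect(row):
    # Alarm when the cross-sensor deviation exceeds what normal data produced.
    return relation_score(TRAIN, row) > THRESHOLD

if __name__ == "__main__":
    for name, row in (("normal", NORMAL), ("spoofed", SPOOFED)):
        print(name, "univariate:", univariate_alarm(TRAIN, row),
              "relational:", detect(row))
```

The spoofed pressure value passes every per-sensor range check and is caught only because it disagrees with what the flow and valve readings imply.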