Towards Attack Detection in Multimodal Cyber-Physical Systems with Sticky HDP-HMM based Time Series Analysis

Automatic detection of the precise occurrence and duration of an attack reflected in time-series logs generated by cyber-physical systems is a challenging problem. This problem is exacerbated when performing this analysis using logs with limited system information. In a realistic scenario, multiple and differing attack methods may be employed in rapid succession. Modern or legacy systems operate in multiple modes and contain multiple devices recording a variety of continuous and categorical data streams. This work presents a non-parametric Bayesian framework that addresses these challenges using the sticky Hierarchical Dirichlet Process Hidden Markov Model (sHDP-HMM). Additionally, we explore metrics for measuring the accuracy of the detected events: their timings and durations and compares the computational efficiency of different inference implementations of the model. The efficacy of attack detection is demonstrated in two settings: an avionics testbed and a consumer robot.