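[Paper Summary] RNN-based Early Cyber-Attack Detection for the Tennessee Eastman Process
This paper proposes an RNN-based forecasting method that uses GRU cells to detect cyber-attack anomalies in the Tennessee Eastman Process dataset, evaluates it with the NAB metric, and compares it with DPCA. The method aims for early detection across multiple plant modes and attack types.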
An RNN-based forecasting approach is used for early detection of anomalies in industrial multivariate time series data from a simulated Tennessee Eastman Process (TEP) with many cyber-attacks. This work continues a previously proposed LSTM-based approach to fault detection in simpler data. It is considered necessary to adapt the RNN network to deal with data containing stochastic, stationary, transitive and a rich variety of anomalous behaviours. There is particular focus on early detection with a special NAB metric. A comparison with the DPCA approach is provided. The generated data set is made publicly available.
Research Motivation and Objectives
- Motivate robust anomaly detection for cyber-attacks in industrial multivariate time series from a realistic process model.
- Adapt RNN forecasting to handle stochastic, stationary, transient, and diverse anomalous behaviors in TEP.
- Enable early anomaly detection using the NAB metric and assess practical performance.
- Provide a public dataset of TEP with labeled normal and attacked scenarios for research use.
Proposed Method
- Use a 2-layer stacked GRU RNN (64 cells per layer) to forecast multivariate time series from the TEP dataset.
- Train with MSE loss using RMSProp; input window equals prediction window; ReLU activations in hidden layers and linear output activation.
- Normalize inputs; compute prediction error via MSE, smooth with exponential moving average, and detect anomalies using a threshold from training data.
- Adopt an NAB-based evaluation framework to assess early detection quality and windowing of anomaly perception.
- Compare the RNN approach against DPCA, highlighting single-mode limitations and transient-mode false positives for DPCA.
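The scoring stage described in the list above (per-step MSE, exponential smoothing, threshold fitted on attack-free data) can be sketched as follows. This is an added example, not code from the paper: the forecasts are constructed stand-ins for GRU output, and `ALPHA`, `MARGIN` and the "margin times maximum training error" threshold rule are assumptions, since the summary does not give them.

```python
import math

ALPHA, MARGIN = 0.2, 3.0      # assumed values; the summary does not state them
ATTACK_START = 200            # constructed attack onset (sample index)

def step_mse(actual, forecast):
    """Per-timestep MSE across all process variables."""
    return [sum((a - f) ** 2 for a, f in zip(ra, rf)) / len(ra)
            for ra, rf in zip(actual, forecast)]

def ema(values, alpha=ALPHA):
    """Causal exponential moving average, seeded with the first value."""
    out, s = [], values[0]
    for v in values:
        s = alpha * v + (1 - alpha) * s
        out.append(s)
    return out

def fit_threshold(train_errors, margin=MARGIN):
    """Assumed rule: margin x the largest smoothed error on attack-free data."""
    return margin * max(ema(train_errors))

def detect(errors, threshold):
    """Indices where the smoothed forecast error exceeds the threshold."""
    return [i for i, e in enumerate(ema(errors)) if e > threshold]

def make_series(n, attack_start=None):
    """Constructed 2-variable data: forecast = clean signal, actual = signal
    + small ripple, plus a slow drift on variable 0 once the attack starts."""
    forecast, actual = [], []
    for t in range(n):
        base = [math.sin(0.1 * t), math.cos(0.1 * t)]
        ripple = [0.05 * math.sin(1.7 * t), 0.05 * math.cos(1.3 * t)]
        attacked = attack_start is not None and t >= attack_start
        drift = 0.02 * (t - attack_start) if attacked else 0.0
        forecast.append(base)
        actual.append([base[0] + ripple[0] + drift, base[1] + ripple[1]])
    return actual, forecast

def run_demo():
    """Fit the threshold on clean data, then score an attacked run."""
    threshold = fit_threshold(step_mse(*make_series(300)))
    alarms = detect(step_mse(*make_series(300, ATTACK_START)), threshold)
    return threshold, alarms

if __name__ == "__main__":
    threshold, alarms = run_demo()
    print(f"threshold={threshold:.5f} first alarm at t={alarms[0]} "
          f"(delay {alarms[0] - ATTACK_START} samples)")
```

The gap between `ATTACK_START` and the first alarm is the detection delay that an early-detection metric such as NAB rewards for being short; a larger `MARGIN` or smaller `ALPHA` trades fewer false positives for a longer delay.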
Experimental Results
Research Questions
- RQ1: Can a GRU-based forecasting model reliably detect a wide range of cyber-attacks in the Tennessee Eastman Process datasets?
- RQ2: How does the NAB-metric capture early anomaly detection performance for continuous industrial time series under various attack types?
- RQ3: How does the RNN-based method compare to DPCA in terms of accuracy, false positives, and ability to handle multiple plant modes?
- RQ4: What anomaly window settings best align with actual attack intervals to maximize NAB scores?
Key Findings
| Method (attacks series) | NAB-score |
|---|---|
| Ideal detector | 1.000 |
| RNN (all) | 0.373 |
| DPCA (all) | 0.086 |
| RNN (except #23) | 0.803 |
| DPCA (except #23) | 0.649 |
- RNN with stateless GRU cells and no dropout effectively handles stochasticity, stationarity, transient behavior, and anomalies in the TEP dataset.
- NAB-based evaluation shows the RNN achieves higher scores than DPCA for MEAS and SP attacks, indicating improved early detection.
- DPCA struggles with transient modes and produces many false positives; it requires separate models per mode, limiting practicality.
- For MV attacks, RNN detection is delayed, attributed to longer post-attack anomaly consequences in the plant dynamics.
- The authors provide publicly available TEP datasets with normal and attacked scenarios for research use.
This summary was generated by AI and reviewed by a human editor.