TY - GEN
T1 - Revitalizing Self-Organizing Map
T2 - 36th IFIP International Conference on ICT Systems Security and Privacy Protection, SEC 2021
AU - Kim, Young Geun
AU - Yun, Jeong Han
AU - Han, Siho
AU - Kim, Hyoung Chun
AU - Woo, Simon S.
N1 - Publisher Copyright: © 2021, IFIP International Federation for Information Processing.
PY - 2021
Y1 - 2021
AB - Detecting rare cases of anomalies in Cyber-Physical Systems (CPSs) is an extremely challenging task. It is especially difficult to accurately model various instances of CPS measurements due to the dearth of anomaly samples and the subtlety of how their patterns appear. Moreover, the detection performance may be severely limited owing to mediocre or inaccurate forecasting by the underlying prediction models. In this work, we focus on improving the anomaly detection performance by leveraging the forecasting error patterns generated from prediction models, such as Sequence-to-Sequence (seq2seq), Mixture Density Networks (MDNs), and Recurrent Neural Networks (RNNs). To this end, we introduce Self-Organizing Map-based Anomaly Detector (SOMAD), an anomaly detection framework based on a novel test statistic, SomAnomaly, for Cyber-Physical System (CPS) security. Upon evaluation on two popular CPS datasets, we demonstrate that SOMAD outperforms baseline approaches through online multiple testing, using Time-Series Aware Precision and Recall (TaPR) metrics. Accordingly, we empirically demonstrate that forecasting error patterns of raw CPS data can be useful when detecting anomalies through a fast, statistical multiple testing approach such as ours.
KW - Anomaly detection
KW - CPS
KW - Self-Organizing Map
UR - https://www.scopus.com/pages/publications/85111351217
U2 - 10.1007/978-3-030-78120-0_25
DO - 10.1007/978-3-030-78120-0_25
M3 - Conference contribution
AN - SCOPUS:85111351217
SN - 9783030781194
T3 - IFIP Advances in Information and Communication Technology
SP - 382
EP - 397
BT - ICT Systems Security and Privacy Protection - 36th IFIP TC 11 International Conference, SEC 2021, Proceedings
A2 - Jøsang, Audun
A2 - Futcher, Lynn
A2 - Hagen, Janne
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 22 June 2021 through 24 June 2021
ER -