The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.