Generating invariants using design and data-centric approaches for distributed attack detection
International Journal of Critical Infrastructure Protection (IF 3.6), Pub Date: 2020-02-22, DOI: 10.1016/j.ijcip.2020.100341
Muhammad Azmi Umer, Aditya Mathur, Khurum Nazir Junejo, Sridhar Adepu

A cyber attack launched on a critical infrastructure (CI), such as a power grid or a water treatment plant, could lead to anomalous behavior. There exist several methods to detect such behavior. This paper reports on a study conducted to compare two methods for detecting anomalies in CI. One of these methods, referred to as design-centric, generates invariants from the design of a CI. Another method, referred to as data-centric, generates the invariants from data collected from an operational CI. The key question that motivated the study is “How do design and data-centric methods compare in the effectiveness of the generated invariants in detecting process anomalies?” The data-centric approach used Association Rule Mining for generating invariants from operational data. These invariants, and their performance in detecting anomalies, were compared against those generated by a design-centric approach reported in the literature. The entire study was conducted in the context of an operational scaled-down version of a water treatment plant.




Updated: 2020-02-22