With the increased reliance on digitization in industrial control systems, the need for effective monitoring techniques has risen dramatically. Specifically, there is now a growing concern about the so-called false data injection (FDI) attacks. These attacks aim to alter the raw sensors’ data to cause malicious outcomes. Any serious FDI algorithm is based on an intimate knowledge of the system and its associated physics models, which renders conventional outlier/anomaly detection techniques almost obsolete in the face of such attacks. Thus, a critical need has emerged to develop a new class of defense methods that are capable of detecting FDI attacks under the assumption that the attacker has a strong familiarity with the system and its physics modeling. This class of defense methods are denoted by model-based defenses which are premised on the assumption that the attacker, while having a good understanding of the system, does not have full privileged access to all proprietary data and historical records of operation. However, (s)he is assumed to be capable of learning system behavior using self-learning techniques during an initial lie-in-wait period. To defend against this scenario, we propose a new model-based randomized window algorithm that searches time-series data for signatures that can serve as classifiers between normal and FDI scenarios. The classifiers are based on the correlations between the dominant degrees of freedom (DOFs) and the less-dominant DOFs (expected to be very sensitive to the system details that are unknown to the attacker). For demonstration, RELAP5 models are employed to calculate representative nuclear reactor behavior during a number of transient scenarios. Falsified data are injected into the RELAP5-simulated behavior, and the proposed signature-identification algorithm is employed to detect the injected data.

随着对工业控制系统中数字化的日益依赖，对有效监控技术的需求急剧增加。具体而言，现在人们对所谓的虚假数据注入（FDI）攻击越来越关注。这些攻击旨在更改原始传感器的数据以导致恶意结果。任何严肃的FDI算法都基于对系统及其相关物理模型的深入了解，这使得传统的异常值/异常检测技术几乎在面对此类攻击时已过时。因此，迫切需要开发一种新的防御方法，该方法能够在假设攻击者对系统及其物理建模非常熟悉的情况下检测FDI攻击。此类防御方法由基于模型的防御表示，前提是假设攻击者虽然对​​系统有很好的了解，但没有对所有专有数据和操作历史记录的完全特权访问。但是，假设他能够在最初的等待期间使用自学习技术来学习系统行为。为了抵御这种情况，我们提出了一种新的基于模型的随机窗口算法，该算法在时间序列数据中搜索可以用作普通和FDI方案之间分类器的签名。分类器基于主要自由度（DOF）和次要自由度（预计对攻击者未知的系统细节非常敏感）之间的相关性。为了示范 RELAP5模型用于计算许多瞬态情况下的代表性核反应堆行为。将伪造的数据注入到RELAP5模拟的行为中，并采用提出的签名识别算法来检测注入的数据。