The rise in attempted and successful attacks on critical infrastructure, such as power grid and water treatment plants, has led to an urgent need for the creation and adoption of methods for detecting such attacks often launched either by insiders or state actors. This paper focuses on one such method that aims at the detection of attacks that compromise one or more actuators and sensors in a plant either through successful intrusion in the plant's communication network or directly through the plant computers. The method, labelled as Distributed Attack Detection (DAD), detects attacks in real-time by identifying anomalies in the behavior of the physical process in the plant. Anomalies are identified by using monitors that are implementations of invariants derived from the plant design. Each invariant must hold either throughout the plant operation, or when the plant is in a given state. The effectiveness of DAD was assessed experimentally on an operational water treatment plant named SWaT that is a near-replica of commercially available large treatment plants. The method used in DAD was found to be effective in detecting stealthy and coordinated attacks.

中文翻译：

---

水处理厂中的分布式攻击检测：方法和案例研究

对关键基础设施（例如电网和水处理厂）的未遂和成功攻击的增加导致迫切需要创建和采用方法来检测通常由内部人员或国家行为者发起的此类攻击。本文重点介绍一种此类方法，该方法旨在检测通过成功入侵工厂通信网络或直接通过工厂计算机入侵工厂中一个或多个执行器和传感器的攻击。该方法被称为分布式攻击检测 (DAD)，它通过识别工厂物理过程行为的异常来实时检测攻击。异常是通过使用监视器来识别的，监视器是从工厂设计派生的不变量的实现。每个不变量必须在整个工厂运行期间或在工厂处于给定状态时保持不变。DAD 的有效性是在名为 SWaT 的运营水处理厂上通过实验评估的，该水处理厂几乎是市售大型处理厂的复制品。发现 DAD 中使用的方法在检测隐蔽和协同攻击方面是有效的。