Adversarial attacks and mitigation for anomaly detectors of cyber-physical systems
International Journal of Critical Infrastructure Protection (IF 3.6), Pub Date: 2021-05-26, DOI: 10.1016/j.ijcip.2021.100452
Yifan Jia, Jingyi Wang, Christopher M. Poskitt, Sudipta Chattopadhyay, Jun Sun, Yuqi Chen

The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.




Updated: 2021-06-15