Cyber-Physical Systems (CPSes) have been investigated as a key area of research since they are the core of Internet of Things. CPSs integrate computing and communication with control and monitoring of entities in the physical world. Due to the tight coupling of cyber and physical domains, and to the possible catastrophic consequences of the malicious attacks on critical infrastructures, security is one of the key concerns. However, the exponential growth of IoT has led to deployment of CPSes without support for enforcing important security properties. Specification-based Intrusion Detection Systems (IDS) have been shown to be effective for securing these systems. Mining the specifications of CPSes by experts is a cumbersome and error-prone task. Therefore, it is essential to dynamically monitor the CPS to learn its common behaviors and formulate specifications for detecting malicious bugs and security attacks. Existing solutions for specification mining only combine data and events, but not time. However, time is a semantic property in CPS systems, and hence incorporating time in addition to data and events, is essential for obtaining high accuracy.

This paper proposes ARTINALI++, which dynamically mines specifications in CPS systems with arbitrary size and complexity. ARTINALI++ captures the security properties by incorporating time as a substantial property of the system, and generate a multi-dimensional model for the general CPS systems. Moreover, it enhances the model through discovering invariants that represent the physical motions and distinct operational modes in complex CPS systems. We build Intrusion Detection Systems based on ARTINALI++ for three CPSes with various levels of complexity including smart meter, smart artificial pancreas and unmanned aerial vehicle, and measure their detection accuracy. We find that the ARTINALI++ significantly reduces the ratio of false positives and false negatives by 23.45% and 73.6% on average, respectively, over other dynamic specification mining tools on the three CPS platforms.

网络物理系统 (CPS) 是物联网的核心，因此被视为研究的关键领域。CPS 将计算和通信与物理世界中实体的控制和监视相结合。由于网络域和物理域的紧密耦合，以及对关键基础设施的恶意攻击可能带来的灾难性后果，安全性是关键问题之一。然而，物联网的指数增长导致 CPS 的部署不支持强制执行重要的安全属性。基于规范的入侵检测系统 (IDS) 已被证明可有效保护这些系统。由专家挖掘 CPS 的规范是一项繁琐且容易出错的任务。所以，动态监控 CPS 以了解其常见行为并制定检测恶意错误和安全攻击的规范至关重要。现有的规范挖掘解决方案只结合了数据和事件，而不是时间。然而，时间是 CPS 系统中的一种语义属性，因此除了数据和事件之外，还要结合时间，对于获得高精度至关重要。

本文提出了 ARTINALI++，它可以在任意大小和复杂度的CPS 系统中动态挖掘规范。ARTINALI++通过将时间作为系统的实质属性来捕捉安全属性，并为通用CPS系统生成多维模型。此外，它通过发现代表物理运动和不同操作模式的不变量来增强模型在复杂的 CPS 系统中。我们为三种不同复杂程度的CPS（包括智能电表、智能人工胰腺和无人机）构建了基于ARTINALI++的入侵检测系统，并测量了它们的检测精度。我们发现，与三个 CPS 平台上的其他动态规范挖掘工具相比，ARTINALI++ 平均分别显着降低了误报率和漏报率 23.45% 和 73.6%。