
Time-Based Data Manipulation for Anomaly Detection in Cyber-Physical Systems

Korean title: Time-Based Data Processing for Anomaly Detection in Cyber-Physical Systems

Abstract / Summary

As Cyber-Physical Systems (CPS) become increasingly integrated with the Industrial Internet of Things (IIoT), ensuring comprehensive security across both network and physical layers has become a critical challenge. CPS environments generate large-scale, heterogeneous, and temporally complex data, requiring multi-layered security strategies capable of detecting both cyber intrusions and physical anomalies. This thesis proposes a dual-layer approach that combines (1) alert-level aggregation for network-layer intrusion detection, and (2) scalable anomaly detection for physical-layer sensor data using a hierarchical autoencoder architecture.

Chapter 1 outlines the background and research motivation, emphasizing the structural limitations of conventional intrusion detection systems in handling the temporal, multivariate, and layered characteristics of CPS data. To overcome these challenges, this study proposes a security framework that distinctly addresses both the cyber and physical domains.

Chapter 2 introduces a frequency-based alert representation framework that transforms massive volumes of heterogeneous alerts generated by multiple intrusion detection systems (IDS) into structured multivariate time series. By aggregating alert occurrences over fixed time windows, the approach reduces redundancy and produces interpretable indicators that integrate outputs from both signature-based and anomaly-based IDS. This forms the basis for efficient and scalable network-layer threat monitoring.

Chapter 3 proposes a hierarchical autoencoder-based anomaly detection framework for high-dimensional physical sensor data. The architecture comprises a temporal model, which compresses the temporal behavior of each individual feature, and an association model, which captures inter-feature dependencies from the latent vectors. This layered design enhances detection accuracy while improving computational efficiency. Additionally, a segment-based training strategy is introduced to support long sequence handling and reduce resource consumption.

Experiments conducted on real-world CPS benchmark datasets, including SWaT and HAI, as well as synthetic long-duration attack scenarios, demonstrate the effectiveness of the proposed framework in terms of detection performance, robustness, and training efficiency. The network-layer alert aggregation enables real-time monitoring, while the physical-layer anomaly detection accurately captures complex deviations in system behavior.

In conclusion, this thesis presents a comprehensive CPS security framework tailored for IIoT-integrated environments. By jointly addressing network-level alert processing and physical-level anomaly detection through temporal and association modeling, the proposed approach provides a scalable, interpretable, and practically deployable solution for modern industrial CPS infrastructures.


Table of Contents

1. Introduction
1.1. Background
1.1.1. Internet of Things (IoT)
1.1.2. Industrial Internet of Things (IIoT)
1.1.3. Industrial Control Systems (ICS) and Cyber-Physical Systems (CPS)
1.1.4. Research Domain
1.2. Research Area
1.2.1. Possible Attacks
1.2.2. Intrusion Detection System (IDS)
1.2.3. Time series Analysis
1.2.4. Time series Analysis using deep learning
1.3. Problem Definition
1.3.1. Network Intrusion Detection
1.3.2. Time series Anomaly Detection
2. Frequency-Based Representation of Massive Alerts and Combination of Indicators by Heterogeneous Intrusion Detection Systems for Anomaly Detection
2.1. Introduction
2.2. Related Works
2.2.1. Alert Aggregation and Alert Correlation
2.2.2. Security Visualization
2.3. Preliminary analysis
2.3.1. Approach
2.3.2. Candidates
2.3.3. Potential Evaluation
2.4. Method for Situational Awareness
2.4.1. Overall Structure
2.4.2. Indicators
2.4.3. Label
2.4.4. Model
2.4.5. Combination of Indicators from Heterogeneous IDS
2.5. Experiments and Results
2.5.1. Dataset
2.5.2. Configuration of Attack Scenario
2.5.3. Results
2.6. Conclusions
3. Unsupervised Anomaly Detection Approach using a Sequential Architecture with Preprocessed features from Multivariate Time-series
3.1. Introduction
3.2. Related Works
3.2.1. Deep learning based Anomaly Detection in ICS
3.2.2. Graph based Anomaly Detection
3.2.3. Multimodal Machine Learning
3.3. Proposed Method
3.3.1. Motivation
3.3.2. Structure
3.3.3. Anomaly Detection
3.4. Experiments & Result
3.4.1. Environments
3.4.2. Computational Complexity & Memory Usage
3.4.3. Benchmark Dataset
3.4.4. Synthetic Data
3.4.5. Training time
3.5. Conclusion
4. Final Remark
Reference
