{"title":"Asymptotic Performance Limitations in Cyberattack Detection","authors":"Onur Toker","doi":"10.1109/OJCAS.2023.3338639","DOIUrl":null,"url":null,"abstract":"In this paper, we consider the difficulty of cyberattack detection with $d$ sensors and $n$ observations, and derive performance bounds that are valid independent of the attack detection algorithm used. In other words, regardless of whether it is an artificial intelligence (AI) or sensor fusion based approach or it is derived using a completely new innovative idea, a cyberattack detector using multiple observations does have certain fundamental performance bounds that are independent of the algorithm used. Cyberattacks introduce different forms of anomalies that may be small or large, and given enough measured data, even tiny anomalies will become more noticeable and the cyberattack detection problem will be easier provided that a carefully designed attack detection algorithm is used. For example, False Data Injection (FDI) attacks with small injected error may be harder to detect, but such attacks can cause major failures if continued over a long time period. A natural question to ask is to what degree the cyberattack detection problem becomes easier if more and more measurements acquired over a long time period are used for threat assessment, and the risk level reduction achieved for each new observation. For a cyberattack detector, the false alarm rate is the probability of triggering an alarm when there is no cyberattack, and the probability of miss is the probability of not detecting a cyberattack. The risk level of a cyberattack detector is defined as the sum of the probability of false alarm and the probability of miss. By using the notion of Hellinger distance and total variation norm between probability distributions, we derive upper and lower bounds for the minimum possible (achievable) risk level under multiple measurements, and study asymptotic properties of such bounds. These performance bounds are valid regardless of the cyberattack detection algorithm selection; they imply certain fundamental performance limits in cyberattack detection applications with a given number of observations; and also help us to understand the number of observations needed for a given cyberattack detection performance level.","PeriodicalId":93442,"journal":{"name":"IEEE open journal of circuits and systems","volume":null,"pages":null},"PeriodicalIF":2.4000,"publicationDate":"2023-12-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10339844","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE open journal of circuits and systems","FirstCategoryId":"1085","ListUrlMain":"https://ieeexplore.ieee.org/document/10339844/","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"ENGINEERING, ELECTRICAL & ELECTRONIC","Score":null,"Total":0}
Citations: 0
Abstract
In this paper, we consider the difficulty of cyberattack detection with $d$ sensors and $n$ observations, and derive performance bounds that are valid independent of the attack detection algorithm used. In other words, regardless of whether it is an artificial intelligence (AI) or sensor fusion based approach or it is derived using a completely new innovative idea, a cyberattack detector using multiple observations does have certain fundamental performance bounds that are independent of the algorithm used. Cyberattacks introduce different forms of anomalies that may be small or large, and given enough measured data, even tiny anomalies will become more noticeable and the cyberattack detection problem will be easier provided that a carefully designed attack detection algorithm is used. For example, False Data Injection (FDI) attacks with small injected error may be harder to detect, but such attacks can cause major failures if continued over a long time period. A natural question to ask is to what degree the cyberattack detection problem becomes easier if more and more measurements acquired over a long time period are used for threat assessment, and the risk level reduction achieved for each new observation. For a cyberattack detector, the false alarm rate is the probability of triggering an alarm when there is no cyberattack, and the probability of miss is the probability of not detecting a cyberattack. The risk level of a cyberattack detector is defined as the sum of the probability of false alarm and the probability of miss. By using the notion of Hellinger distance and total variation norm between probability distributions, we derive upper and lower bounds for the minimum possible (achievable) risk level under multiple measurements, and study asymptotic properties of such bounds. These performance bounds are valid regardless of the cyberattack detection algorithm selection; they imply certain fundamental performance limits in cyberattack detection applications with a given number of observations; and also help us to understand the number of observations needed for a given cyberattack detection performance level.