The protection of Cyber–Physical Systems (CPSs) from cybersecurity threats is essential to ensure the resilience and safety of critical infrastructures. Anomaly detection approaches for CPSs proposed in the literature use either network data or data from sensors/actuators as inputs, often failing to detect attacks that affect only specific components. In this paper, we propose a novel two-stage framework for threat detection in CPSs. This framework integrates anomaly detection models that operate on both network and physical data, by leveraging a decision fusion technique to combine the outputs into a coherent decision. To assess the effectiveness of the framework, we employ an unlabeled release of a real-world dataset, integrating network traffic with sensors/actuators data. Additionally, we offer explicit labeling rules to ensure reproducibility. The results demonstrate that our approach substantially improves CPSs security, efficiently identifying subtle attacks that can evade traditional methods relying on a single data source. In particular, we show that integrating both physical and network data improves the F1 score by approximately 10% compared to using just network data, and by nearly 30% compared to using just physical data.

Empowered Cyber–Physical Systems security using both network and physical data / Canonico, Roberto; Esposito, Giovanni; Navarro, Annalisa; Romano, Simon Pietro; Sperli, Giancarlo; Vignali, Andrea. - In: COMPUTERS & SECURITY. - ISSN 0167-4048. - 152:(2025). [10.1016/j.cose.2025.104382]

Empowered Cyber–Physical Systems security using both network and physical data

Canonico, Roberto; Navarro, Annalisa; Romano, Simon Pietro; Sperli, Giancarlo; Vignali, Andrea
2025


Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11588/1013377