Authors: Nataliia Neshenko (Florida Atlantic University), Elias Bou-Harb (University of Texas at San Antonio), and Borko Furht (University of Texas at San Antonio)



With the continuous modernization of water plants, malicious, often state-sponsored attacks continue to create havoc in such critical realms. Motivated by this, this paper proposes an unsupervised data-driven approach to support cyber forensics in such unique setups. Specifically, the proposed approach aims at inferring and attributing cyber attacks using sensor readings and actuator states. The approach operates using attack-free data only, which is attractive for cyber forensics of such systems, where attack-related empirical data is rarely widely available due to security and privacy reasons. The proposed method also provides the capability to track and identify the attacked assets for prioritization purposes. The proposed approach exploits Bidirectional Generative Adversarial Networks (BiGAN) to fingerprint the behavior of the system under regular operation. It employs a combination of Recurrent Neural Networks (RNN) and Convolutional Neural Networks (CNN) as the basis of its design components. The Energy Distance (ED) and Maximum Mean Discrepancy (MMD) are used to evaluate how firmly the model has learned the system's behavior. The approach also leverages the l1-norm distance between unseen data and its corresponding reconstruction to estimate an irregularity score representing cyber attacks. The relative importance of the obtained residual error for each sensor/actuator is put forward to attribute the attacked assets. To this end, we independently employ a regression tree technique, a game-theoretic concept known as Shapley values, and a model-wise approach, KernelSHAP, on the residual loss to identify the relation of each asset to the inferred anomaly. The results are then amalgamated to pinpoint the attacked asset. Empirical evaluations using data collected in a testbed representing a small-scale water treatment plant uncovered 32 out of the 36 cyber incidents, exceeding the performance of the state of the art. We also show that the proposed approach identifies the exploited sensors/actuators with a more than 8-15% accuracy improvement over currently available works. We postulate and stress the fact that such proposed methods contribute significantly towards the forensics of critical infrastructure.
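The residual-scoring and attribution pipeline sketched in the abstract (an l1 irregularity score between an observation and its reconstruction, a threshold learned from attack-free data only, attribution by each asset's share of the residual, and an energy-distance check of how well the model matches the attack-free distribution) can be made concrete in a few dozen lines. The block below is an added illustration, not the paper's code or data: the BiGAN is replaced by a stand-in reconstruction (the per-asset attack-free mean), the asset names (`tank_level`, `inflow_rate`, `valve_state`, `pump_state`), the readings and the `margin` threshold rule are all constructed assumptions, and the Shapley/KernelSHAP attribution of the paper is reduced to the plain relative-residual share it mentions first.

```python
"""Residual-based anomaly scoring and asset attribution on ICS sensor/actuator data.

Added worked example, not the paper's code. The BiGAN of the paper is replaced by a
stand-in reconstruction (the per-asset attack-free mean); asset names and readings are
constructed. Structure: l1 irregularity score between an observation and its
reconstruction, a threshold learned from attack-free data only, and attribution of the
anomaly to assets by the relative size of each asset's residual.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# Constructed asset names: two sensors and two binary actuators of a hypothetical plant.
ASSETS = ["tank_level", "inflow_rate", "valve_state", "pump_state"]

# Constructed attack-free window: one row per time step, one column per asset.
NORMAL = [
    [500.0, 2.5, 1.0, 1.0],
    [502.0, 2.4, 1.0, 1.0],
    [498.0, 2.6, 1.0, 1.0],
    [501.0, 2.5, 1.0, 1.0],
    [499.0, 2.5, 1.0, 1.0],
]


@dataclass
class Reference:
    means: Dict[str, float]   # stand-in reconstruction: attack-free mean per asset
    scales: Dict[str, float]  # per-asset mean absolute deviation (1.0 for constant assets)
    threshold: float          # irregularity score above which an observation is flagged


def reconstruct(ref: Reference) -> Dict[str, float]:
    """Stand-in for the generator output: every asset is reconstructed as its attack-free mean."""
    return dict(ref.means)


def residuals(observed: Dict[str, float], reconstruction: Dict[str, float],
              scales: Dict[str, float]) -> Dict[str, float]:
    """Scaled absolute residual per asset, so a level sensor in the hundreds does not
    drown a 0/1 actuator state."""
    return {a: abs(observed[a] - reconstruction[a]) / scales[a] for a in observed}


def irregularity_score(res: Dict[str, float]) -> float:
    """l1-norm of the residual vector: the anomaly score of one observation."""
    return sum(res.values())


def attribute(res: Dict[str, float]) -> Dict[str, float]:
    """Relative importance of each asset's residual in the total error (sums to 1)."""
    total = sum(res.values())
    if total == 0.0:
        return {a: 0.0 for a in res}
    return {a: r / total for a, r in res.items()}


def fit_reference(rows: Sequence[Sequence[float]], margin: float = 1.5) -> Reference:
    """Learn reconstruction, scales and threshold from attack-free rows only."""
    n = len(rows)
    means = {a: sum(r[i] for r in rows) / n for i, a in enumerate(ASSETS)}
    mad = {a: sum(abs(r[i] - means[a]) for r in rows) / n for i, a in enumerate(ASSETS)}
    scales = {a: (m if m > 0 else 1.0) for a, m in mad.items()}
    ref = Reference(means=means, scales=scales, threshold=0.0)
    recon = reconstruct(ref)
    scores = [irregularity_score(residuals(dict(zip(ASSETS, r)), recon, scales)) for r in rows]
    # Assumption: flag anything worse than the worst attack-free score by a fixed margin.
    ref.threshold = margin * max(scores)
    return ref


def analyse(ref: Reference, row: Sequence[float]) -> Dict[str, object]:
    """Score one observation, flag it, and name the asset carrying most of the error."""
    obs = dict(zip(ASSETS, row))
    res = residuals(obs, reconstruct(ref), ref.scales)
    score = irregularity_score(res)
    importance = attribute(res)
    top: Optional[str] = max(importance, key=importance.get) if score > 0 else None
    return {"score": score, "anomalous": score > ref.threshold,
            "importance": importance, "top_asset": top}


def energy_distance(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Energy distance 2E|X-Y| - E|X-X'| - E|Y-Y'| between two 1-D samples (O(n*m)).
    Used here to check how far the reconstruction is from the attack-free readings."""
    def mean_abs(a: Sequence[float], b: Sequence[float]) -> float:
        return sum(abs(u - v) for u in a for v in b) / (len(a) * len(b))
    return 2 * mean_abs(xs, ys) - mean_abs(xs, xs) - mean_abs(ys, ys)


if __name__ == "__main__":
    ref = fit_reference(NORMAL)
    # Constructed attack observation: spoofed level reading and a valve forced closed.
    print(analyse(ref, [560.0, 2.5, 0.0, 1.0]))
    # Distance between real attack-free tank levels and the stand-in reconstruction.
    print(energy_distance([r[0] for r in NORMAL], [ref.means["tank_level"]] * len(NORMAL)))
```

With the constructed data the spoofed observation scores far above the threshold and the attribution puts almost the whole residual on `tank_level`, with the closed valve as a distant second; on a real deployment the reconstruction would come from the trained model and the ED (and MMD) between model output and held-out attack-free data would be examined before trusting the threshold.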