Michael Grosskpf

Aligning replicate time series for cyber-physical network intrusion detection

Engineered control systems, like the power grid and waste-water treatment facilities, provide critical infrastructure in the U.S. and Canada. These systems are potentially under threat from cyber attack, so early detection is critical for limiting the damage to the system and to the greater public. While network intrusion detection is a well-developed field of cyber-security, including physical observations from the control system can improve the sensitivity of detection to potentially dangerous intrusions. Monitoring these systems yields measurements on a large number of contemporaneous time series. Understanding the correlations in the residuals between these time series, after removing their typical operation, can be used to detect anomalous network behavior. In this joint work with Earl Lawrence at Los Alamos National Laboratory, I present results using a hidden Markov model to align replicate time series in order to characterize the baseline behavior of the HVAC system of a lab facility. These data provide a useful testbed for testing potential network security models. I'll also touch a bit on my experiences at the lab as time permits.
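The pipeline the abstract sketches (align replicate cycles to a common template, subtract the baseline, model the residual correlations, flag a cycle whose residuals no longer fit) can be shown end to end on constructed data. The example below is added here and is not the authors' code or the LANL HVAC data: it generates two correlated sensor channels over a synthetic "cycle" that each replicate traverses at a random pace, aligns replicates with a left-to-right hidden Markov model decoded by Viterbi (hidden state = position in the template; transitions dwell, advance or skip), averages the aligned replicates into a baseline, pools the residuals to estimate their 2x2 covariance, and scores a new cycle by the mean squared Mahalanobis distance of its residuals. The template shape, noise levels, transition probabilities and the "stuck sensor" anomaly are all assumptions chosen for illustration.

```python
"""Added example: HMM (Viterbi) alignment of replicate sensor cycles, baseline
estimation from the aligned replicates, and residual-correlation anomaly scoring.
Constructed two-channel data; not the LANL HVAC data or the authors' code."""
import math
import random

T = 30        # length of the hidden cycle template (assumed)
SIGMA = 0.1   # emission std. dev. used by the alignment HMM (assumed)
# Left-to-right transitions: dwell on the same template index, advance one, or skip one.
STEP_LOGP = {0: math.log(0.2), 1: math.log(0.6), 2: math.log(0.2)}


def true_template(i):
    """Constructed 'HVAC cycle': channel 0 ramps up and back down, channel 1 tracks it."""
    c0 = math.sin(math.pi * i / (T - 1))
    return (c0, 0.6 * c0 + 0.1)


def make_replicate(rng, stuck_channel1=False):
    """One noisy replicate that walks through the template at a random pace.
    A shared noise term makes the two channels' residuals correlated in normal
    operation; stuck_channel1 simulates a sensor that keeps reporting its idle value."""
    obs, i = [], 0
    while True:
        c0, c1 = true_template(i)
        shared = rng.gauss(0, 0.05)
        y0 = c0 + shared + rng.gauss(0, 0.02)
        if stuck_channel1:
            y1 = 0.1 + rng.gauss(0, 0.02)
        else:
            y1 = c1 + 0.6 * shared + rng.gauss(0, 0.02)
        obs.append((y0, y1))
        if i == T - 1:
            return obs
        i = min(i + rng.choices([0, 1, 2], weights=[0.2, 0.6, 0.2])[0], T - 1)


def align(obs, ref):
    """Viterbi decode: map every observation to an index of ref (the hidden state).
    Returns the most likely path of template indices, one per observation."""
    n, m = len(obs), len(ref)
    neg = float("-inf")

    def emit(t, j):  # Gaussian log-likelihood of obs[t] given template position j
        d0, d1 = obs[t][0] - ref[j][0], obs[t][1] - ref[j][1]
        return -(d0 * d0 + d1 * d1) / (2 * SIGMA ** 2)

    score = [[neg] * m for _ in range(n)]
    back = [[0] * m for _ in range(n)]
    score[0][0] = emit(0, 0)  # every cycle starts at the template start
    for t in range(1, n):
        for j in range(m):
            best, arg = neg, 0
            for step, lp in STEP_LOGP.items():
                k = j - step
                if k >= 0 and score[t - 1][k] > neg and score[t - 1][k] + lp > best:
                    best, arg = score[t - 1][k] + lp, k
            if best > neg:
                score[t][j] = best + emit(t, j)
                back[t][j] = arg
    j = max(range(m), key=lambda s: score[n - 1][s])  # free end state
    path = [0] * n
    for t in range(n - 1, -1, -1):
        path[t] = j
        j = back[t][j]
    return path


def fit_baseline(replicates):
    """Align every replicate to the first one, average aligned values per template
    index into a baseline, and pool the residuals to estimate their covariance."""
    ref = replicates[0]
    paths = [align(r, ref) for r in replicates]
    sums = [[0.0, 0.0, 0] for _ in ref]
    for r, p in zip(replicates, paths):
        for (y0, y1), j in zip(r, p):
            sums[j][0] += y0
            sums[j][1] += y1
            sums[j][2] += 1
    baseline = [(s[0] / s[2], s[1] / s[2]) if s[2] else ref[i] for i, s in enumerate(sums)]
    res = [(y0 - baseline[j][0], y1 - baseline[j][1])
           for r, p in zip(replicates, paths) for (y0, y1), j in zip(r, p)]
    n = len(res)
    m0, m1 = sum(a for a, _ in res) / n, sum(b for _, b in res) / n
    c00 = sum((a - m0) ** 2 for a, _ in res) / n + 1e-6  # small ridge keeps it invertible
    c11 = sum((b - m1) ** 2 for _, b in res) / n + 1e-6
    c01 = sum((a - m0) * (b - m1) for a, b in res) / n
    return baseline, (m0, m1), (c00, c01, c11)


def anomaly_score(obs, model):
    """Mean squared Mahalanobis distance of the residuals after aligning obs to the baseline.
    Roughly 2 for a cycle that behaves like the training replicates; large when the
    channels stop moving together the way the baseline residual covariance expects."""
    baseline, (m0, m1), (c00, c01, c11) = model
    det = c00 * c11 - c01 * c01
    i00, i01, i11 = c11 / det, -c01 / det, c00 / det
    total = 0.0
    for (y0, y1), j in zip(obs, align(obs, baseline)):
        a, b = y0 - baseline[j][0] - m0, y1 - baseline[j][1] - m1
        total += i00 * a * a + 2 * i01 * a * b + i11 * b * b
    return total / len(obs)


def demo():
    """Fit on 10 normal replicates, then score one held-out normal cycle and one
    cycle whose second sensor is stuck at its idle value."""
    rng = random.Random(7)
    model = fit_baseline([make_replicate(rng) for _ in range(10)])
    normal = anomaly_score(make_replicate(rng), model)
    stuck = anomaly_score(make_replicate(rng, stuck_channel1=True), model)
    return normal, stuck


if __name__ == "__main__":
    normal, stuck = demo()
    print(f"held-out normal cycle: {normal:.2f}   stuck-sensor cycle: {stuck:.2f}")
```

Two design points carry over to real control-system data. First, the alignment is what makes residuals comparable across replicates at all: without it, a cycle that merely runs a little slower looks like a large, structured deviation from the baseline. Second, the score uses the inverse residual covariance rather than per-channel thresholds, so a sensor that is individually within its normal range but has stopped co-varying with its neighbours (the stuck channel here) is still flagged; a per-channel limit check would pass it.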