{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,10]],"date-time":"2026-03-10T14:59:26Z","timestamp":1773154766439,"version":"3.50.1"},"reference-count":50,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2023,11,1]],"date-time":"2023-11-01T00:00:00Z","timestamp":1698796800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,11,1]],"date-time":"2023-11-01T00:00:00Z","timestamp":1698796800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"C3iHub, IIT Kanpur"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"Abstract<\/jats:title>Due to the importance of Critical Infrastructure (CI) in a nation\u2019s economy, they have been lucrative targets for cyber attackers. These critical infrastructures are usually Cyber-Physical Systems such as power grids, water, and sewage treatment facilities, oil and gas pipelines, etc. In recent times, these systems have suffered from cyber attacks numerous times. Researchers have been developing cyber security solutions for CIs to avoid lasting damages. According to standard frameworks, cyber security based on identification, protection, detection, response, and recovery are at the core of these research. Detection of an ongoing attack that escapes standard protection such as firewall, anti-virus, and host\/network intrusion detection has gained importance as such attacks eventually affect the physical dynamics of the system. Therefore, anomaly detection in physical dynamics proves an effective means to implement defense-in-depth. PASAD is one example of anomaly detection in the sensor\/actuator data, representing such systems\u2019 physical dynamics. We present EPASAD, which improves the detection technique used in PASAD to detect these micro-stealthy attacks, as our experiments show that PASAD\u2019s spherical boundary-based detection fails to detect. Our method EPASAD overcomes this by using Ellipsoid boundaries, thereby tightening the boundaries in various dimensions, whereas a spherical boundary treats all dimensions equally. We validate EPASAD using the dataset produced by the TE-process simulator and the C-town datasets. The results show that EPASAD improves PASAD\u2019s average recall by 5.8% and 9.5% for the two datasets, respectively.<\/jats:p>","DOI":"10.1186\/s42400-023-00162-z","type":"journal-article","created":{"date-parts":[[2023,11,1]],"date-time":"2023-11-01T02:02:14Z","timestamp":1698804134000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["EPASAD: ellipsoid decision boundary based Process-Aware Stealthy Attack Detector"],"prefix":"10.1186","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3650-4804","authenticated-orcid":false,"given":"Vikas","family":"Maurya","sequence":"first","affiliation":[]},{"given":"Rachit","family":"Agarwal","sequence":"additional","affiliation":[]},{"given":"Saurabh","family":"Kumar","sequence":"additional","affiliation":[]},{"given":"Sandeep","family":"Shukla","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,11,1]]},"reference":[{"issue":"1\u20138","key":"162_CR1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2020.100377","volume":"30","author":"W Aoudi","year":"2020","unstructured":"Aoudi W, Almgren M (2020) A scalable specification-agnostic multi-sensor anomaly detection system for IIoT environments. Int J Crit Infrastruct Prot 30(1\u20138):100377","journal-title":"Int J Crit Infrastruct Prot"},{"key":"162_CR2","doi-asserted-by":"crossref","unstructured":"Aoudi W, Almgren M (2021) A framework for determining robust context-aware attack-detection thresholds for cyber-physical systems. In: 2021 Australasian computer science week multiconference. ACM, Dunedin, New Zealand, pp\u00a01\u20136","DOI":"10.1145\/3437378.3437393"},{"key":"162_CR3","doi-asserted-by":"crossref","unstructured":"Aoudi W, Iturbe M, Almgren M (2018) Truth will out: departure-based process-level detection of stealthy attacks on control systems. In: ACM SIGSAC conference on computer and communications security. ACM, Toronto, Canada, pp 817\u2013831","DOI":"10.1145\/3243734.3243781"},{"key":"162_CR4","doi-asserted-by":"publisher","first-page":"317","DOI":"10.1016\/j.patcog.2018.07.023","volume":"84","author":"B Biggio","year":"2018","unstructured":"Biggio B, Roli F (2018) Wild patterns: ten years after the rise of adversarial machine learning. Pattern Recogn 84:317\u2013331","journal-title":"Pattern Recogn"},{"issue":"2\u20133","key":"162_CR5","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1016\/0167-2789(86)90031-X","volume":"20","author":"D Broomhead","year":"1986","unstructured":"Broomhead D, King G (1986) Extracting qualitative dynamics from experimental data. Phys D 20(2\u20133):217\u2013236","journal-title":"Phys D"},{"key":"162_CR6","doi-asserted-by":"crossref","unstructured":"Cardenas A, Amin S, Lin Z, Huang Y, Huang C, Sastry S (2011) Attacks against process control systems: risk assessment, detection, and response. In: 6th ACM symposium on information, computer and communications security. ACM, Hong Kong, pp 355\u2013366","DOI":"10.1145\/1966913.1966959"},{"key":"162_CR7","unstructured":"CSIS: Significant cyber incidents (2022), https:\/\/www.csis.org\/programs\/strategic-technologies-program\/significant-cyber-incidents, accessed: 03\/04\/2022"},{"key":"162_CR8","unstructured":"Di Pinto A, Dragoni Y, Carcano A (2018) Triton: the first ICS cyber attack on safety instrument systems. In: Proc. Black Hat USA, vol.\u00a02018. Black Hat, USA, pp 1\u201326"},{"key":"162_CR9","doi-asserted-by":"crossref","unstructured":"Dong Q, Yang Z, Chen Y, Li X, Zeng K (2017) Anomaly detection in cognitive radio networks exploiting singular spectrum analysis. In: International conference on mathematical methods, models, and architectures for computer network security. Springer, Springer, Warsaw, Poland, pp 247\u2013259","DOI":"10.1007\/978-3-319-65127-9_20"},{"issue":"3","key":"162_CR10","doi-asserted-by":"publisher","first-page":"245","DOI":"10.1016\/0098-1354(93)80018-I","volume":"17","author":"J Downs","year":"1993","unstructured":"Downs J, Vogel E (1993) A plant-wide industrial process control problem. Comput Chem Eng 17(3):245\u2013255","journal-title":"Comput Chem Eng"},{"key":"162_CR11","doi-asserted-by":"crossref","unstructured":"Dutta A.K, Mukhoty B, Shukla S.K (2021) Catchall: a robust multivariate intrusion detection system for cyber-physical systems using low rank matrix. In: Proceedings of the 2th Workshop on CPS &IoT security and privacy, pp 47\u201356","DOI":"10.1145\/3462633.3483978"},{"key":"162_CR12","volume-title":"Singular spectrum analysis: a new tool in time series analysis","author":"J Elsner","year":"2013","unstructured":"Elsner J, Tsonis A (2013) Singular spectrum analysis: a new tool in time series analysis. Springer Science & Business Media, New York USA"},{"key":"162_CR13","doi-asserted-by":"crossref","unstructured":"Erba A et al (2020) Constrained concealment attacks against reconstruction-based anomaly detectors in industrial control systems. In: Annual computer security applications conference. ACM, Austin, USA, pp 480\u2013495","DOI":"10.1145\/3427228.3427660"},{"key":"162_CR14","unstructured":"Falliere N, Murchu L, Chien E (2010) W32.Stuxnet dossier. Tech. rep., White paper, Symantec Corp., Security Response"},{"key":"162_CR15","doi-asserted-by":"crossref","unstructured":"Feng C, Li T, Chana D (2017) Multi-level anomaly detection in industrial control systems via package signatures and LSTM networks. In: 47th Annual IEEE\/IFIP international conference on dependable systems and networks (DSN). IEEE, Denver, US, pp 261\u2013272","DOI":"10.1109\/DSN.2017.34"},{"issue":"Part B","key":"162_CR16","doi-asserted-by":"publisher","first-page":"906","DOI":"10.1016\/j.neucom.2015.10.018","volume":"174","author":"X Gao","year":"2016","unstructured":"Gao X, Hou J (2016) An improved SVM integrated GS-PCA fault diagnosis approach of Tennessee Eastman process. Neurocomputing 174(Part B):906\u2013911","journal-title":"Neurocomputing"},{"key":"162_CR17","doi-asserted-by":"crossref","unstructured":"Garcia L, Brasser F, Cintuglu M, Sadeghi A, Mohammed O, Zonouz S (2017) Hey, my malware knows physics! attacking PLCs with physical model aware rootkit. In: NDSS. NDSS, San Diego, USA, pp 1\u201315","DOI":"10.14722\/ndss.2017.23313"},{"key":"162_CR18","doi-asserted-by":"crossref","unstructured":"Goh J, Adepu S, Tan M, Lee Z (2017) Anomaly detection in cyber physical systems using recurrent neural networks. In: 18th international symposium on high assurance systems engineering. IEEE, Singapore, pp 140\u2013145","DOI":"10.1109\/HASE.2017.36"},{"key":"162_CR19","doi-asserted-by":"publisher","first-page":"934","DOI":"10.1016\/j.csda.2013.04.009","volume":"71","author":"N Golyandina","year":"2014","unstructured":"Golyandina N, Korobeynikov A (2014) Basic singular spectrum analysis and forecasting with R. Comput Stat Data Anal 71:934\u2013954","journal-title":"Comput Stat Data Anal"},{"key":"162_CR20","doi-asserted-by":"publisher","DOI":"10.1201\/9780367801687","volume-title":"Analysis of time series structure: SSA and related techniques","author":"N Golyandina","year":"2001","unstructured":"Golyandina N, Nekrutkin V, Zhigljavsky A (2001) Analysis of time series structure: SSA and related techniques. CRC Press, Boca Raton, Florida"},{"key":"162_CR21","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-34913-3","volume-title":"Singular spectrum analysis for time series","author":"N Golyandina","year":"2013","unstructured":"Golyandina N, Zhigljavsky A (2013) Singular spectrum analysis for time series. Springer Science & Business Media, Berlin, Germany"},{"key":"162_CR22","doi-asserted-by":"crossref","unstructured":"Guan Y, Ghorbani A, Belacel N (2003) Y-Means: a clustering method for intrusion detection. In: Canadian conference on electrical and computer engineering. IEEE, Montreal, Canada, pp 1083\u20131086","DOI":"10.1109\/CCECE.2003.1226084"},{"key":"162_CR23","doi-asserted-by":"crossref","unstructured":"Had\u017eiosmanovi\u0107 D, Sommer R, Zambon E, Hartel P (2014) Through the eye of the PLC: semantic security monitoring for industrial processes. In: 30th annual computer security applications conference. ACM, New Orleans, USA, pp 126\u2013135","DOI":"10.1145\/2664243.2664277"},{"issue":"2","key":"162_CR24","doi-asserted-by":"publisher","first-page":"405","DOI":"10.1016\/S0031-3203(99)00216-2","volume":"34","author":"P Hansen","year":"2001","unstructured":"Hansen P, Mladenovi\u0107 N (2001) J-Means: a new local search heuristic for minimum sum of squares clustering. Pattern Recogn 34(2):405\u2013413","journal-title":"Pattern Recogn"},{"key":"162_CR25","unstructured":"Hassani H (2010) A brief introduction to singular spectrum analysis. Tech. rep, Cardiff School of Mathematics"},{"issue":"2","key":"162_CR26","doi-asserted-by":"publisher","first-page":"577","DOI":"10.1109\/TSMCB.2007.914695","volume":"38","author":"W Hu","year":"2008","unstructured":"Hu W, Hu W, Maybank S (2008) Adaboost-based algorithm for network intrusion detection. IEEE Trans Syst Man Cybern Part B (Cybern) 38(2):577\u2013583","journal-title":"IEEE Trans Syst Man Cybern Part B (Cybern)"},{"issue":"4","key":"162_CR27","doi-asserted-by":"publisher","first-page":"6345","DOI":"10.1109\/JIOT.2019.2905878","volume":"6","author":"H Jeon","year":"2019","unstructured":"Jeon H, Eun Y (2019) A stealthy sensor attack for uncertain cyber-physical systems. IEEE Internet Things J 6(4):6345\u20136352","journal-title":"IEEE Internet Things J"},{"key":"162_CR28","doi-asserted-by":"crossref","unstructured":"Kiss I, Genge B, Haller P (2015) A clustering-based approach to detect cyber attacks in process control systems. In: 13th international conference on industrial informatics. IEEE, Cambridge, UK, pp 142\u2013148","DOI":"10.1109\/INDIN.2015.7281725"},{"key":"162_CR29","doi-asserted-by":"crossref","unstructured":"Kovacevic A, Nikolic D (2015) Cyber attacks on critical infrastructure: review and challenges. In: Handbook of research on digital crime, cyberspace security, and information assurance, pp 1\u201318","DOI":"10.4018\/978-1-4666-6324-4.ch001"},{"key":"162_CR30","first-page":"1","volume":"388","author":"R Lee","year":"2016","unstructured":"Lee R, Assante M, Conway T (2016) Analysis of the cyber attack on the Ukrainian power grid. Electr Inf Sharing Anal Center (E-ISAC) Defense Use Case 388:1\u201329","journal-title":"Electr Inf Sharing Anal Center (E-ISAC) Defense Use Case"},{"issue":"62","key":"162_CR31","first-page":"1","volume":"30","author":"RM Lee","year":"2014","unstructured":"Lee RM, Assante MJ, Conway T (2014) German steel mill cyber attack. Ind Control Syst 30(62):1\u201315","journal-title":"Ind Control Syst"},{"issue":"4","key":"162_CR32","doi-asserted-by":"publisher","first-page":"1630","DOI":"10.1109\/TSG.2015.2495133","volume":"8","author":"G Liang","year":"2016","unstructured":"Liang G, Zhao J, Luo F, Weller SR, Dong ZY (2016) A review of false data injection attacks against modern power systems. IEEE Trans Smart Grid 8(4):1630\u20131638","journal-title":"IEEE Trans Smart Grid"},{"key":"162_CR33","unstructured":"Lichman M et al (2013) UCI machine learning repository. http:\/\/archive.ics.uci.edu\/ml"},{"key":"162_CR34","doi-asserted-by":"crossref","unstructured":"Mathur A, Tippenhauer N (2016) SWaT: a water treatment testbed for research and training on ICS security. In: International workshop on cyber-physical systems for smart water networks (CySWater). IEEE, Vienna, Austria, pp 31\u201336","DOI":"10.1109\/CySWater.2016.7469060"},{"issue":"9","key":"162_CR35","doi-asserted-by":"publisher","first-page":"2618","DOI":"10.1109\/TAC.2015.2498708","volume":"61","author":"Y Mo","year":"2015","unstructured":"Mo Y, Sinopoli B (2015) On the performance degradation of cyber-physical systems under stealthy integrity attacks. IEEE Trans Autom Control 61(9):2618\u20132624","journal-title":"IEEE Trans Autom Control"},{"key":"162_CR36","doi-asserted-by":"crossref","unstructured":"Mohammad Y, Nishida T (2011) On comparing SSA-based change point discovery algorithms. In: IEEE\/SICE international symposium on system integration (SII). IEEE, Kyoto, Japan, pp 938\u2013945","DOI":"10.1109\/SII.2011.6147575"},{"key":"162_CR37","doi-asserted-by":"publisher","first-page":"319","DOI":"10.1081\/SAC-120017494","volume":"32","author":"V Moskvina","year":"2003","unstructured":"Moskvina V, Zhigljavsky A (2003) Change-point detection algorithm based on the singular-spectrum analysis. Commun Stat Simul Comput 32:319\u2013352","journal-title":"Commun Stat Simul Comput"},{"issue":"4","key":"162_CR38","doi-asserted-by":"publisher","first-page":"2308","DOI":"10.1109\/TII.2014.2330796","volume":"10","author":"P Nader","year":"2014","unstructured":"Nader P, Honeine P, Beauseroy P (2014) lp-norms in one-class classification for intrusion detection in SCADA systems. IEEE Trans Ind Inf 10(4):2308\u20132317","journal-title":"IEEE Trans Ind Inf"},{"key":"162_CR39","doi-asserted-by":"crossref","unstructured":"Shoukry Y, Martin P, Yona Y, Diggavi S, Srivastava M (2015) PyCRA: physical challenge-response authentication for active sensors under spoofing attacks. In: 22nd ACM SIGSAC conference on computer and communications security. ACM, Denver, USA, pp 1004\u20131015","DOI":"10.1145\/2810103.2813679"},{"issue":"1","key":"162_CR40","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1109\/MCS.2014.2364723","volume":"35","author":"RS Smith","year":"2015","unstructured":"Smith RS (2015) Covert misappropriation of networked control systems: presenting a feedback structure. IEEE Control Syst Mag 35(1):82\u201392","journal-title":"IEEE Control Syst Mag"},{"key":"162_CR41","doi-asserted-by":"crossref","unstructured":"Stouffer K, Pillitteri V, Lightman S, Abrams M, Hahn A (2015) Guide to industrial control systems (ICS) security\u2013Rev. 2. Tech. Rep.\u00a082, NIST Special Publication","DOI":"10.6028\/NIST.SP.800-82r2"},{"issue":"10","key":"162_CR42","doi-asserted-by":"publisher","first-page":"04018065 (1-15)","DOI":"10.1061\/(ASCE)WR.1943-5452.0000983","volume":"144","author":"R Taormina","year":"2018","unstructured":"Taormina R, Galelli S (2018) Deep-learning approach to the detection and localization of cyber-physical attacks on water distribution systems. J Water Resour Plan Manag 144(10):04018065 (1\u201315)","journal-title":"J Water Resour Plan Manag"},{"issue":"5","key":"162_CR43","doi-asserted-by":"publisher","first-page":"04017009 (1-12)","DOI":"10.1061\/(ASCE)WR.1943-5452.0000749","volume":"143","author":"R Taormina","year":"2017","unstructured":"Taormina R, Galelli S, Tippenhauer N, Salomons E, Ostfeld A (2017) Characterizing cyber-physical attacks on water distribution systems. J Water Resour Plan Manag 143(5):04017009 (1\u201312)","journal-title":"J Water Resour Plan Manag"},{"issue":"8","key":"162_CR44","doi-asserted-by":"publisher","first-page":"04018048 (1\u201311)","DOI":"10.1061\/(ASCE)WR.1943-5452.0000969","volume":"144","author":"R Taormina","year":"2018","unstructured":"Taormina R et al (2018) Battle of the attack detection algorithms: disclosing cyber attacks on water distribution networks. J Water Resour Plann Manag 144(8):04018048 (1\u201311)","journal-title":"J Water Resour Plann Manag"},{"key":"162_CR45","doi-asserted-by":"crossref","unstructured":"Teixeira A, Shames I, Sandberg H, Johansson KH (2012) Revealing stealthy attacks in control systems. In: 2012 50th Annual Allerton conference on communication, control, and computing (Allerton). IEEE, pp 1806\u20131813","DOI":"10.1109\/Allerton.2012.6483441"},{"key":"162_CR46","doi-asserted-by":"publisher","first-page":"197","DOI":"10.2495\/RISK180171","volume":"121","author":"A Terai","year":"2018","unstructured":"Terai A, Chiba T, Shintani H, Kojima S, Abe S, Koshijima I (2018) Intrusion detection method for industrial control systems using singular spectrum analysis. WIT Trans Eng Sci 121:197\u2013208","journal-title":"WIT Trans Eng Sci"},{"key":"162_CR47","doi-asserted-by":"crossref","unstructured":"Urbina D, Giraldo J, Cardenas A, Valente J, Faisal M, Tippenhauer N, Ruths J, Candell R, Sandberg H (2016) Survey and new directions for physics-based attack detection in control systems. Tech. rep., National Institute of Standards and Technology","DOI":"10.6028\/NIST.GCR.16-010"},{"issue":"3","key":"162_CR48","doi-asserted-by":"publisher","first-page":"395","DOI":"10.1016\/0167-2789(89)90077-8","volume":"35","author":"R Vautard","year":"1989","unstructured":"Vautard R, Ghil M (1989) Singular spectrum analysis in nonlinear dynamics, with applications to paleoclimatic time series. Phys D 35(3):395\u2013424","journal-title":"Phys D"},{"issue":"4","key":"162_CR49","doi-asserted-by":"publisher","first-page":"2614","DOI":"10.1109\/JSYST.2015.2496293","volume":"11","author":"X Zheng","year":"2015","unstructured":"Zheng X, Julien C, Kim M, Khurshid S (2015) Perceptions on the state of the art in verification and validation in cyber-physical systems. IEEE Syst J 11(4):2614\u20132627","journal-title":"IEEE Syst J"},{"issue":"4","key":"162_CR50","doi-asserted-by":"publisher","first-page":"1877","DOI":"10.1109\/TII.2017.2658732","volume":"13","author":"J Zhu","year":"2017","unstructured":"Zhu J, Ge Z, Song Z (2017) Distributed parallel PCA for modeling and monitoring of large-scale plant-wide processes with big data. IEEE Trans Industr Inf 13(4):1877\u20131885","journal-title":"IEEE Trans Industr Inf"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00162-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-023-00162-z\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00162-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,1]],"date-time":"2023-11-01T02:02:52Z","timestamp":1698804172000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-023-00162-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,1]]},"references-count":50,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2023,12]]}},"alternative-id":["162"],"URL":"https:\/\/doi.org\/10.1186\/s42400-023-00162-z","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,11,1]]},"assertion":[{"value":"5 December 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"3 May 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 November 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"All the authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"28"}}