{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,20]],"date-time":"2026-06-20T06:02:59Z","timestamp":1781935379536,"version":"3.54.5"},"reference-count":50,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2023,2,3]],"date-time":"2023-02-03T00:00:00Z","timestamp":1675382400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"RSF","award":["#21-71-20078"],"award-info":[{"award-number":["#21-71-20078"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Algorithms"],"abstract":"<jats:p>Cyberattacks on cyber-physical systems (CPS) can lead to severe consequences, and therefore it is extremely important to detect them at early stages. However, there are several challenges to be solved in this area; they include an ability of the security system to detect previously unknown attacks. This problem could be solved with the system behaviour analysis methods and unsupervised or semi-supervised machine learning techniques. The efficiency of the attack detection system strongly depends on the datasets used to train the machine learning models. As real-world data from CPS systems are mostly not available due to the security requirements of cyber-physical objects, there are several attempts to create such datasets; however, their completeness and validity are questionable. This paper reviews existing approaches to attack and anomaly detection in CPS, with a particular focus on datasets and evaluation metrics used to assess the efficiency of the proposed solutions. The analysis revealed that only two of the three selected datasets are suitable for solving intrusion detection tasks as soon as they are generated using real test beds; in addition, only one of the selected datasets contains both network and sensor data, making it preferable for intrusion detection. Moreover, there are different approaches to evaluate the efficiency of the machine learning techniques, that require more analysis and research. Thus, in future research, the authors aim to develop an approach to anomaly detection for CPS using the selected datasets and to conduct experiments to select the performance metrics.<\/jats:p>","DOI":"10.3390\/a16020085","type":"journal-article","created":{"date-parts":[[2023,2,3]],"date-time":"2023-02-03T03:36:57Z","timestamp":1675395417000},"page":"85","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":47,"title":["Detection of Cyberattacks and Anomalies in Cyber-Physical Systems: Approaches, Data Sources, Evaluation"],"prefix":"10.3390","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8394-0783","authenticated-orcid":false,"given":"Olga","family":"Tushkanova","sequence":"first","affiliation":[{"name":"Computer Security Problems Laboratory, St. Petersburg Federal Research Center of the Russian Academy of Sciences, 199178 Saint-Petersburg, Russia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5266-8649","authenticated-orcid":false,"given":"Diana","family":"Levshun","sequence":"additional","affiliation":[{"name":"Computer Security Problems Laboratory, St. Petersburg Federal Research Center of the Russian Academy of Sciences, 199178 Saint-Petersburg, Russia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3104-0622","authenticated-orcid":false,"given":"Alexander","family":"Branitskiy","sequence":"additional","affiliation":[{"name":"Computer Security Problems Laboratory, St. Petersburg Federal Research Center of the Russian Academy of Sciences, 199178 Saint-Petersburg, Russia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6707-9153","authenticated-orcid":false,"given":"Elena","family":"Fedorchenko","sequence":"additional","affiliation":[{"name":"Computer Security Problems Laboratory, St. Petersburg Federal Research Center of the Russian Academy of Sciences, 199178 Saint-Petersburg, Russia"},{"name":"Department of computer science and engineering, Saint-Petersburg Electrotechnical University ETU \u201cLETI\u201d, 197022 Saint-Petersburg, Russia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2923-4954","authenticated-orcid":false,"given":"Evgenia","family":"Novikova","sequence":"additional","affiliation":[{"name":"Computer Security Problems Laboratory, St. Petersburg Federal Research Center of the Russian Academy of Sciences, 199178 Saint-Petersburg, Russia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6859-7120","authenticated-orcid":false,"given":"Igor","family":"Kotenko","sequence":"additional","affiliation":[{"name":"Computer Security Problems Laboratory, St. Petersburg Federal Research Center of the Russian Academy of Sciences, 199178 Saint-Petersburg, Russia"},{"name":"Department of computer science and engineering, Saint-Petersburg Electrotechnical University ETU \u201cLETI\u201d, 197022 Saint-Petersburg, Russia"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2023,2,3]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Levshun, D., Chechulin, A., and Kotenko, I. (2021). Design of Secure Microcontroller-Based Systems: Application to Mobile Robots for Perimeter Monitoring. Sensors, 21.","DOI":"10.3390\/s21248451"},{"key":"ref_2","unstructured":"Turton, W., and Mehrotra, K. (2022, December 20). Hackers Breached Colonial Pipeline Using Compromised Password. 4 June 2021. Available online: https:\/\/www.bloomberg.com\/news\/articles\/2021-06-04\/hackers-breached-colonial-pipeline-using-compromised-password."},{"key":"ref_3","unstructured":"Jones, S. (2022, December 20). Venezuela Blackout: What Caused It and What Happens Next. The Guardian 13 March 2019. Available online: https:\/\/www.theguardian.com\/world\/2019\/mar\/13\/venezuela-blackout-what-caused-it-and-what-happens-next."},{"key":"ref_4","unstructured":"Graham, R. (2022, December 20). Cyberattack Hits Germany\u2019s Domestic Fuel Distribution System. 1 February, 2022. Available online: https:\/\/www.bloomberg.com\/news\/articles\/2022-02-01\/mabanaft-hit-by-cyberattack-that-disrupts-german-fuel-deliveries."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"106017","DOI":"10.1016\/j.asoc.2019.106017","article-title":"APAD: Autoencoder-based payload anomaly detection for industrial IoE","volume":"88","author":"Kim","year":"2020","journal-title":"Appl. Soft Comput."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"8897926:1","DOI":"10.1155\/2020\/8897926","article-title":"Anomaly Detection for Industrial Control System Based on Autoencoder Neural Network","volume":"2020","author":"Wang","year":"2020","journal-title":"Wirel. Commun. Mob. Comput."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"43387","DOI":"10.1109\/ACCESS.2022.3168976","article-title":"Systematic Literature Review of Security Event Correlation Methods","volume":"10","author":"Kotenko","year":"2022","journal-title":"IEEE Access"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"165130","DOI":"10.1109\/ACCESS.2020.3022862","article-title":"TON_IoT telemetry dataset: A new generation dataset of IoT and IIoT for data-driven intrusion detection systems","volume":"8","author":"Alsaedi","year":"2020","journal-title":"IEEE Access"},{"key":"ref_9","unstructured":"Goh, J., Adepu, S., Junejo, K.N., and Mathur, A. (2016, January 10\u201312). A dataset to support research in the design of secure water treatment systems. Proceedings of the Critical Information Infrastructures Security: 11th International Conference, CRITIS 2016, Paris, France. Revised Selected Papers 11."},{"key":"ref_10","unstructured":"Shin, H.K., Lee, W., Yun, J.H., and Kim, H. (2020, January 10). HAI 1.0: HIL-based augmented ICS security dataset. Proceedings of the 13th USENIX Conference on Cyber Security Experimentation and Test, Boston, MA, USA."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Meleshko, A., Shulepov, A., Desnitsky, V., Novikova, E., and Kotenko, I. (2022). Visualization Assisted Approach to Anomaly and Attack Detection in Water Treatment Systems. Water, 14.","DOI":"10.3390\/w14152342"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Camacho, D., Rosaci, D., Sarn\u00e9, G.M.L., and Versaci, M. (2022). Intelligent Distributed Computing XIV, Springer International Publishing.","DOI":"10.1007\/978-3-030-96627-0"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"107024","DOI":"10.1016\/j.epsr.2021.107024","article-title":"Intelligent anomaly identification in cyber-physical inverter-based systems","volume":"193","author":"Khan","year":"2021","journal-title":"Electr. Power Syst. Res."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"968","DOI":"10.1016\/j.promfg.2020.05.136","article-title":"Real-time outlier detection and Bayesian classification using incremental computations for efficient and scalable stream analytics for IoT for manufacturing","volume":"48","author":"Parto","year":"2020","journal-title":"Procedia Manuf."},{"key":"ref_15","unstructured":"Mohammadi Rouzbahani, H., Karimipour, H., Rahimnejad, A., Dehghantanha, A., and Srivastava, G. (2020). Handbook of Big Data Privacy, Springer."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Mokhtari, S., Abbaspour, A., Yen, K.K., and Sargolzaei, A. (2021). A machine learning approach for anomaly detection in industrial control systems based on measurement data. Electronics, 10.","DOI":"10.3390\/electronics10040407"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Park, S., and Lee, K. (2021). Improved Mitigation of Cyber Threats in IIoT for Smart Cities: A New-Era Approach and Scheme. Sensors, 21.","DOI":"10.3390\/s21061976"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"36639","DOI":"10.1109\/ACCESS.2020.2975066","article-title":"A Dual-Isolation-Forests-Based Attack Detection Framework for Industrial Control Systems","volume":"8","author":"Elnour","year":"2020","journal-title":"IEEE Access"},{"key":"ref_19","first-page":"548","article-title":"A Distributed Intrusion Detection System using Machine Learning for IoT based on ToN-IoT Dataset","volume":"13","author":"Gad","year":"2022","journal-title":"Int. J. Adv. Comput. Sci. Appl."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Kumar, P., Tripathi, R., and Gupta, G.P. (2021, January 5\u20138). P2IDF: A privacy-preserving based intrusion detection framework for software defined Internet of Things-fog (SDIoT-Fog). Proceedings of the Adjunct 2021 International Conference on Distributed Computing and Networking, Nara, Japan.","DOI":"10.1145\/3427477.3429989"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Hu\u010d, A., \u0160alej, J., and Trebar, M. (2021). Analysis of machine learning algorithms for anomaly detection on edge devices. Sensors, 21.","DOI":"10.3390\/s21144946"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Inoue, J., Yamagata, Y., Chen, Y., Poskitt, C.M., and Sun, J. (2017, January 18\u201321). Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning. Proceedings of the 2017 IEEE International Conference on Data Mining Workshops (ICDMW), Orleans, LA, USA.","DOI":"10.1109\/ICDMW.2017.149"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Gaifulina, D., and Kotenko, I. (2021, January 10\u201321). Selection of deep neural network models for IoT anomaly detection experiments. Proceedings of the 2021 29th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP), Valladolid, Spain.","DOI":"10.1109\/PDP52278.2021.00049"},{"key":"ref_24","unstructured":"Shalyga, D., Filonov, P., and Lavrentyev, A. (2018). Anomaly Detection for Water Treatment System based on Neural Network with Automatic Architecture Optimization. arXiv."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"88348","DOI":"10.1109\/ACCESS.2020.2993335","article-title":"Multivariate abnormal detection for industrial control systems using 1D CNN and GRU","volume":"8","author":"Xie","year":"2020","journal-title":"IEEE Access"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"81","DOI":"10.1016\/j.comcom.2022.02.022","article-title":"IADF-CPS: Intelligent Anomaly Detection Framework towards Cyber Physical Systems","volume":"188","author":"Nagarajan","year":"2022","journal-title":"Comput. Commun."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Fan, Y., Li, Y., Zhan, M., Cui, H., and Zhang, Y. (2020\u20131, January 29). IoTDefender: A Federated Transfer Learning Intrusion Detection Framework for 5G IoT. Proceedings of the 2020 IEEE 14th International Conference on Big Data Science and Engineering (BigDataSE), Guangzhou, China.","DOI":"10.1109\/BigDataSE50710.2020.00020"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Audibert, J., Michiardi, P., Guyard, F., Marti, S., and Zuluaga, M.A. (2020, January 6\u201310). USAD: UnSupervised Anomaly Detection on Multivariate Time Series. Proceedings of the KDD\u201920, 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, Virtual Event, CA, USA.","DOI":"10.1145\/3394486.3403392"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Li, D., Chen, D., Shi, L., Jin, B., Goh, J., and Ng, S.K. (2019, January 17\u201319). MAD-GAN: Multivariate Anomaly Detection for Time Series Data with Generative Adversarial Networks. Proceedings of the International Conference on Artificial Neural Networks, Munich, Germany.","DOI":"10.1007\/978-3-030-30490-4_56"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"301198","DOI":"10.1016\/j.fsidi.2021.301198","article-title":"A behavioral-based forensic investigation approach for analyzing attacks on water plants using GANs","volume":"37","author":"Neshenko","year":"2021","journal-title":"Forensic Sci. Int. Digit. Investig."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Wu, P., Moustafa, N., Yang, S., and Guo, H. (2020\u20131, January 29). Densely connected residual network for attack recognition. Proceedings of the 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Guangzhou, China.","DOI":"10.1109\/TrustCom50675.2020.00042"},{"key":"ref_32","first-page":"1011","article-title":"Detecting Anomalies in Time-Series Data using Unsupervised Learning and Analysis on Infrequent Signatures","volume":"24","author":"Bian","year":"2020","journal-title":"J. IKEEE"},{"key":"ref_33","unstructured":"Lundberg, S.M., and Lee, S.I. (2017, January 4\u20139). A Unified Approach to Interpreting Model Predictions. Proceedings of the NIPS\u201917, 31st International Conference on Neural Information Processing Systems, Long Beach, CA, USA."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Ribeiro, M.T., Singh, S., and Guestrin, C. (2016, January 13\u201317). \u201cWhy Should I Trust You?\u201d: Explaining the Predictions of Any Classifier. Proceedings of the KDD\u201916, 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, USA.","DOI":"10.1145\/2939672.2939778"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Lin, Q., Adepu, S., Verwer, S., and Mathur, A. (2018, January 4\u20138). TABOR: A Graphical Model-Based Approach for Anomaly Detection in Industrial Control Systems. Proceedings of the ASIACCS\u201918, 2018 on ACM Asia Conference on Computer and Communications Security, Incheon, Republic of Korea.","DOI":"10.1145\/3196494.3196546"},{"key":"ref_36","unstructured":"Sukhostat, L. (2022). Cybersecurity for Critical Infrastructure Protection via Reflection of Industrial Control Systems, IOS Press."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Tavallaee, M., Bagheri, E., Lu, W., and Ghorbani, A.A. (2009, January 8\u201310). A detailed analysis of the KDD CUP 99 data set. Proceedings of the 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada.","DOI":"10.1109\/CISDA.2009.5356528"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Sharafaldin, I., Habibi Lashkari, A., and Ghorbani, A. (2018, January 22\u201324). Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP 2018), Funchal, Portugal.","DOI":"10.5220\/0006639801080116"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Moustafa, N., and Slay, J. (2015, January 10\u201312). UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). Proceedings of the 2015 Military Communications and Information Systems Conference (MilCIS), Canberra, Australia.","DOI":"10.1109\/MilCIS.2015.7348942"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Qin, Y., and Kondo, M. (2021, January 12\u201313). Federated Learning-Based Network Intrusion Detection with a Feature Selection Approach. Proceedings of the 2021 International Conference on Electrical, Communication, and Computer Engineering (ICECCE), Kuala Lumpur, Malaysia.","DOI":"10.1109\/ICECCE52056.2021.9514222"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Murenin, I., Doynikova, E., and Kotenko, I. (2021, January 15\u201317). Towards Security Decision Support for large-scale Heterogeneous Distributed Information Systems. Proceedings of the 2021 14th International Conference on Security of Information and Networks (SIN), Edinburgh, UK.","DOI":"10.1109\/SIN54109.2021.9699195"},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Choi, S., Yun, J.H., and Kim, S.K. (2018, January 24\u201326). A Comparison of ICS Datasets for Security Research Based on Attack Paths. Proceedings of the CRITIS, Kaunas, Lithuania.","DOI":"10.1007\/978-3-030-05849-4_12"},{"key":"ref_43","unstructured":"Lemay, A., and Fernandez, J.M. (2016, January 8). Providing SCADA Network Data Sets for Intrusion Detection Research. Proceedings of the 9th Workshop on Cyber Security Experimentation and Test (CSET 16), Austin, TX, USA."},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Pieprzyk, J., and Suriadi, S. (2017). Information Security and Privacy, Springer International Publishing.","DOI":"10.1007\/978-3-319-59870-3"},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Suthaharan, S., Alzahrani, M., Rajasegarar, S., Leckie, C., and Palaniswami, M. (2010, January 7\u201310). Labelled data collection for anomaly detection in wireless sensor networks. Proceedings of the 2010 Sixth International Conference on Intelligent Sensors, Sensor Networks and Information Processing, Brisbane, Australia.","DOI":"10.1109\/ISSNIP.2010.5706782"},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"1745","DOI":"10.1109\/TMC.2018.2866249","article-title":"Classifying IoT Devices in Smart Environments Using Network Traffic Characteristics","volume":"18","author":"Sivanathan","year":"2019","journal-title":"IEEE Trans. Mob. Comput."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"779","DOI":"10.1016\/j.future.2019.05.041","article-title":"Towards the Development of Realistic Botnet Dataset in the Internet of Things for Network Forensic Analytics: Bot-IoT Dataset","volume":"100","author":"Koroniotis","year":"2019","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Hamza, A., Gharakheili, H.H., Benson, T.A., and Sivaraman, V. (2019, January 3\u20134). Detecting Volumetric Attacks on loT Devices via SDN-Based Monitoring of MUD Activity. Proceedings of the 2019 ACM Symposium on SDN Research, San Jose, CA, USA.","DOI":"10.1145\/3314148.3314352"},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Xu, H., Chen, W., Zhao, N., Li, Z., Bu, J., Li, Z., Liu, Y., Zhao, Y., Pei, D., and Feng, Y. (2018, January 23\u201327). Unsupervised Anomaly Detection via Variational Auto-Encoder for Seasonal KPIs in Web Applications. Proceedings of the WWW\u201918, 2018 World Wide Web Conference, Lyon, France.","DOI":"10.1145\/3178876.3185996"},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"Hundman, K., Constantinou, V., Laporte, C., Colwell, I., and Soderstrom, T. (2018, January 19\u201323). Detecting Spacecraft Anomalies Using LSTMs and Nonparametric Dynamic Thresholding. Proceedings of the KDD\u201918, 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, London, UK.","DOI":"10.1145\/3219819.3219845"}],"container-title":["Algorithms"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-4893\/16\/2\/85\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T18:23:04Z","timestamp":1760120584000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-4893\/16\/2\/85"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,2,3]]},"references-count":50,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2023,2]]}},"alternative-id":["a16020085"],"URL":"https:\/\/doi.org\/10.3390\/a16020085","relation":{},"ISSN":["1999-4893"],"issn-type":[{"value":"1999-4893","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,2,3]]}}}