Enhancing Network Security Management in Water Systems using FM-based Attack Attribution
Avdalovic, Aleksandar, Khoury, Joseph, Taha, Ahmad, Bou-Harb, Elias
arXiv.org Artificial Intelligence
Aleksandar Avdalovic, Joseph Khoury, Ahmad Taha, Elias Bou-Harb
Division of Computer Science and Engineering, Louisiana State University, USA
Civil and Environmental Engineering, Vanderbilt University, USA

Abstract: Water systems are vital components of modern infrastructure, yet they are increasingly susceptible to sophisticated cyber attacks with potentially dire consequences for public health and safety. While state-of-the-art machine learning techniques effectively detect anomalies, contemporary model-agnostic attack attribution methods using LIME, SHAP, and LEMNA are deemed impractical for large-scale, interdependent water systems. This is due to the intricate interconnectivity and dynamic interactions that define these complex environments. Such methods primarily emphasize individual feature importance while falling short of addressing the crucial sensor-actuator interactions in water systems, which limits their effectiveness in identifying root cause attacks.

To this end, we propose a novel model-agnostic Factorization Machines (FM)-based approach that capitalizes on water system sensor-actuator interactions to provide granular explanations and attributions for cyber attacks. For instance, an anomaly in an actuator pump's activity can be attributed to the top root cause attack candidates, a list of water pressure sensors, which is derived from the underlying linear and quadratic effects captured by our approach. In multi-feature cyber attack scenarios involving intricate sensor-actuator interactions, our FM-based attack attribution method effectively ranks attack root causes, achieving approximately 20% average improvement over SHAP and LEMNA. Additionally, our approach maintains strong performance in single-feature attack scenarios, demonstrating versatility across different types of cyber attacks.

Notably, our approach maintains a low computational overhead equating to an O(n) time complexity, making it suitable for real-time applications in critical water system infrastructure. Our work underscores the importance of modeling feature interactions in water systems, offering a robust tool for operators to diagnose and mitigate root cause attacks more effectively.

INTRODUCTION

Water systems at the physical layer comprise critical components such as flow and pressure sensors, and actuators, which are monitored and controlled by cyber layer systems to ensure a safe and reliable water supply for both communities and industries.
Mar-3-2025
- Country:
- Asia (0.14)
- North America > United States (1.00)
- Genre:
- Research Report > New Finding (0.68)
- Industry:
- Technology:
- Information Technology
- Artificial Intelligence > Machine Learning
- Neural Networks > Deep Learning (1.00)
- Communications > Networks (1.00)
- Data Science > Data Mining (1.00)
- Security & Privacy (1.00)