In connection with anomaly detection in cyber-physical systems, we suggest in this paper a new way of modelling large systems consisting of a huge number of sensors, actuators and controllers. We base the approach on analytical methods usually used in kinetic gas theory, where one tries to describe the overall behavior of a gas without looking at each molecule separately. We model the system as a multi-agent network and derive predictions on the behavior of the network as a whole. These predictions can then be used to monitor the operation of the system. If the deviation between the predictions and the measured attributes of the operational cyber-physical system is sufficiently large, the monitoring system can raise an alarm. This way of modelling the normal behavior of a cyber-physical system has the advantage over machine learning methods mainly used for this purpose, that it is not based on the effective operation of the system during a training phase, but rather on the specification of the system and its intended use. It will detect anomalies in the system’s operation independent of their source—may it be an attack, a malfunction or a faulty implementation.

Top