Verification and Anomaly Detection for Event-Based Control of Manufacturing Systems.

Many important systems can be described as discrete event systems, including a manufacturing cell and patient flow in a clinic. Faults often occur in these systems and addressing these faults is important to ensure proper functioning. There are two main ways to address faults. Faults can be prevented from ever occurring, or they can be detected at the time at which they occur. This work develops methods to address faults in event-based systems for which there is no formal, pre-existing model. A primary application is manufacturing systems, where reducing downtime is especially important and pre-existing formal models are not commonly available. There are three main contributions. The first contribution is formalizing input order robustness - inputs occurring in different orders and yielding the same final state and set of outputs - and creating a method for its verification for logic controllers and networks of controllers. Theory is developed for a class of networks of controllers to be verified modularly, reducing the computational complexity. Input order robustness guarantees determinism of the closed-loop system. The second contribution is an anomaly detection solution for event-based systems without a pre-existing formal model. This solution involves model generation, performance assessment, and anomaly detection itself. A new variation of Petri nets was created to model the systems in this solution that incorporates resources in a less restrictive way. The solution detects anomalies and provides information about when the anomaly was first observed to help with debugging. The third contribution is the identification and resolution of five inconsistencies found between typical academic assumptions and industry practice when applying the anomaly detection solution to an industrial system. Resolutions to the inconsistencies included working with industry collaborators to change logic, and developing new algorithms to incorporate into the anomaly detection solution. Through these resolutions, the anomaly detection solution was improved to make it easier to apply to industrial systems. These three contributions for handling faults will help reduce down-time in manufacturing systems, and hence increase productivity and decrease costs.Ph.D.Electrical Engineering: SystemsUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/78897/1/lzallen_1.pd

Conflict-driven Hybrid Observer-based Anomaly Detection

This paper presents an anomaly detection method using a hybrid observer -- which consists of a discrete state observer and a continuous state observer. We focus our attention on anomalies caused by intelligent attacks, which may bypass existing anomaly detection methods because neither the event sequence nor the observed residuals appear to be anomalous. Based on the relation between the continuous and discrete variables, we define three conflict types and give the conditions under which the detection of the anomalies is guaranteed. We call this method conflict-driven anomaly detection. The effectiveness of this method is demonstrated mathematically and illustrated on a Train-Gate (TG) system

BINet: Multi-perspective Business Process Anomaly Classification

In this paper, we introduce BINet, a neural network architecture for real-time multi-perspective anomaly detection in business process event logs. BINet is designed to handle both the control flow and the data perspective of a business process. Additionally, we propose a set of heuristics for setting the threshold of an anomaly detection algorithm automatically. We demonstrate that BINet can be used to detect anomalies in event logs not only on a case level but also on event attribute level. Finally, we demonstrate that a simple set of rules can be used to utilize the output of BINet for anomaly classification. We compare BINet to eight other state-of-the-art anomaly detection algorithms and evaluate their performance on an elaborate data corpus of 29 synthetic and 15 real-life event logs. BINet outperforms all other methods both on the synthetic as well as on the real-life datasets

Improving SIEM for critical SCADA water infrastructures using machine learning

Network Control Systems (NAC) have been used in many industrial processes. They aim to reduce the human factor burden and efficiently handle the complex process and communication of those systems. Supervisory control and data acquisition (SCADA) systems are used in industrial, infrastructure and facility processes (e.g. manufacturing, fabrication, oil and water pipelines, building ventilation, etc.) Like other Internet of Things (IoT) implementations, SCADA systems are vulnerable to cyber-attacks, therefore, a robust anomaly detection is a major requirement. However, having an accurate anomaly detection system is not an easy task, due to the difficulty to differentiate between cyber-attacks and system internal failures (e.g. hardware failures). In this paper, we present a model that detects anomaly events in a water system controlled by SCADA. Six Machine Learning techniques have been used in building and evaluating the model. The model classifies different anomaly events including hardware failures (e.g. sensor failures), sabotage and cyber-attacks (e.g. DoS and Spoofing). Unlike other detection systems, our proposed work helps in accelerating the mitigation process by notifying the operator with additional information when an anomaly occurs. This additional information includes the probability and confidence level of event(s) occurring. The model is trained and tested using a real-world dataset