This paper presents an anomaly detection method using a hybrid observer, which
consists of a discrete state observer and a continuous state observer. We
focus our attention on anomalies caused by intelligent attacks, which may
bypass existing anomaly detection methods because neither the event sequence
nor the observed residuals appear to be anomalous. Based on the relation
between the continuous and discrete variables, we define three conflict types
and give the conditions under which the detection of the anomalies is
guaranteed. We call this method conflict-driven anomaly detection. The
effectiveness of this method is demonstrated mathematically and illustrated on
a Train-Gate (TG) system.