TY - GEN
T1 - A Robust Hybrid Framework Combining Deductive Temporal Logic and Machine Learning for Fault and Cyber-Attack Detection in the Tennessee Eastman Process
AU - Mehrpouyan, Hoda
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.
PY - 2025
Y1 - 2025
N2 - Industrial control systems (ICS) face both physical faults and stealthy cyber-attacks, yet existing detection methods rarely address both threats comprehensively. Model-based monitors—such as temporal-logic rules—provide interpretable alarms but falter in high-dimensional settings and against novel anomalies, while data-driven approaches—like Random Forest classifiers or autoencoders—adapt to complex patterns but often obscure decision rationale and miss unseen threats such as replay attacks. Alarms are fused using a graded, source-attributed strategy, and a class-balanced Random Forest learns nonlinear fusion, outperforming simple logical-OR baselines. On the Tennessee Eastman Process benchmark, our framework delivers near-perfect F1 scores on process faults (F1≈0.99) with only seven false alarms over 24h, and boosts replay-attack detection from F1<0.10 to 0.70 (precision 0.64, recall 0.78, AUC 0.99). These results demonstrate that combining symbolic logic, statistical learning, and temporal similarity detection yields a scalable, interpretable, and resilient solution for comprehensive ICS monitoring.
KW - Deductive Temporal Logic (DTL)
KW - Hybrid Anomaly Detection
KW - Industrial Control Systems
UR - https://www.scopus.com/pages/publications/105014868607
U2 - 10.1007/978-3-032-00630-1_10
DO - 10.1007/978-3-032-00630-1_10
M3 - Conference contribution
AN - SCOPUS:105014868607
SN - 9783032006295
T3 - Lecture Notes in Computer Science
SP - 172
EP - 190
BT - Availability, Reliability and Security - ARES 2025 International Workshops, Proceedings
A2 - Coppens, Bart
A2 - Volckaert, Bruno
A2 - De Sutter, Bjorn
A2 - Naessens, Vincent
PB - Springer Science and Business Media Deutschland GmbH
T2 - International Workshops on Availability, Reliability and Security, held under the umbrella of the 20th International conference on Availability, Reliability and Security, ARES 2025
Y2 - 11 August 2025 through 14 August 2025
ER -