Attack Detection using Time Series Foundation Models

Problem
The paper addresses the critical gap in attack detection for cyber-physical systems (CPS) where the plant model or its structure is unknown. This is particularly relevant in scenarios where sensor data is transmitted over potentially compromised networks. The authors focus on two types of attacks: model-free replay attacks and model-based stealthy attacks. Notably, this work is a preprint and has not undergone peer review, which may affect the reliability of the findings.

Method
The authors propose a model-structure-free detector leveraging TimesFM, a time-series foundation model developed by Google Research. This model operates as a surrogate residual generator in a zero-shot manner, meaning it does not require prior training on the specific system being monitored. The paper derives closed-form expressions for the optimal stealthy attack policy against a $χ^2$ detector, applicable to both linear and nonlinear systems. The training process for TimesFM is not explicitly detailed, but it is implied that the model utilizes extensive pre-trained time-series data to generalize effectively to new scenarios.

Results
Empirical evaluations demonstrate that the TimesFM-based detector achieves comparable or superior performance in attack detection when tested on the IEEE 14-bus power system benchmark. Specific performance metrics are not disclosed in the abstract, but the authors claim that their approach outperforms traditional methods in detecting both types of attacks. The paper emphasizes the ability of TimesFM predictions to replace corrupted measurements, enhancing the robustness of the detection mechanism.

Limitations
The authors acknowledge that their approach may not generalize to all types of cyber-physical systems, particularly those with highly complex dynamics or unique operational constraints. Additionally, the reliance on a pre-trained model may introduce biases if the training data does not adequately represent the operational environment. The paper does not address the computational overhead associated with deploying TimesFM in real-time systems, which could be a significant factor in practical applications.

Why it matters
This work has significant implications for the field of cybersecurity in CPS, particularly in enhancing the resilience of systems against sophisticated attacks without requiring detailed knowledge of the system dynamics. The use of a time-series foundation model like TimesFM could pave the way for more adaptive and robust detection mechanisms in various applications, from power grids to autonomous vehicles. The findings contribute to the ongoing discourse on model-free approaches in attack detection, as discussed in related literature, and are available on arXiv.