Two-phase Dual COPOD Method for Anomaly Detection in Industrial Control System. (arXiv:2305.00982v1 [cs.LG])

Critical infrastructures like water treatment facilities and power plants
depend on industrial control systems (ICS) for monitoring and control, making
them vulnerable to cyber attacks and system malfunctions. Traditional ICS
anomaly detection methods lack transparency and interpretability, which makes it
difficult for practitioners to understand and trust the results. This paper
proposes a two-phase dual Copula-based Outlier Detection (COPOD) method that
addresses these challenges. The first phase removes unwanted outliers using an
empirical cumulative distribution algorithm, and the second phase develops two
parallel COPOD models based on the output data of phase 1. The method is based
on empirical distribution functions, is parameter-free, and provides
interpretability by quantifying each feature's contribution to an anomaly. The
method is also computationally and memory-efficient, suitable for low- and
high-dimensional datasets. Experimental results demonstrate superior
performance in terms of F1-score and recall on three open-source ICS datasets,
enabling real-time ICS anomaly detection.
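The abstract names the three ingredients of the method (empirical distribution functions, a tail-based phase-1 filter, and per-feature contributions as the interpretability mechanism) without giving code. The following plain-Python sketch is an added illustration written for this page, not the authors' implementation. The scoring follows the published COPOD idea: the empirical left- and right-tail probabilities of each feature are turned into -log terms, summed over features, with a skewness-based choice of tail, and the per-feature terms of the winning sum are reported as that feature's contribution. Two details are assumptions, because the abstract does not specify them: phase 1 here trims training rows that fall in either empirical tail of any feature, and the two parallel phase-2 models are fitted on two disjoint feature groups (sensor readings versus actuator states) with the larger score winning. All feature names, the sensor data and the injected glitch rows are constructed for the example.

```python
"""Two-phase, COPOD-style anomaly scoring with per-feature contributions.

Added illustration, not the paper's code. Assumed (not stated on the page):
phase 1 drops training rows in either empirical tail of any feature; phase 2
fits one model per feature group and reports the larger score.
"""
import math
from typing import Dict, List, Sequence, Tuple

Row = Sequence[float]


def ecdf_left(col: Sequence[float], x: float) -> float:
    """Empirical P(X <= x) estimated from one training column."""
    return sum(1 for v in col if v <= x) / len(col)


def ecdf_right(col: Sequence[float], x: float) -> float:
    """Empirical P(X >= x) estimated from one training column."""
    return sum(1 for v in col if v >= x) / len(col)


def skewness(col: Sequence[float]) -> float:
    n = len(col)
    mean = sum(col) / n
    m2 = sum((v - mean) ** 2 for v in col) / n
    m3 = sum((v - mean) ** 3 for v in col) / n
    return 0.0 if m2 == 0 else m3 / m2 ** 1.5


def phase1_filter(rows: List[Row], tail_frac: float = 0.05) -> List[Row]:
    """Phase 1 (assumed rule): drop a row if, for at least one feature, it lies
    in the lowest or highest tail_frac of that feature's empirical distribution."""
    cols = [[r[j] for r in rows] for j in range(len(rows[0]))]
    kept = []
    for r in rows:
        in_tail = any(ecdf_left(c, v) < tail_frac or ecdf_right(c, v) < tail_frac
                      for c, v in zip(cols, r))
        if not in_tail:
            kept.append(r)
    return kept


class Copod:
    """One COPOD model over one feature group (parameter-free: only ECDFs)."""

    def __init__(self, rows: List[Row], names: Sequence[str]):
        self.names = list(names)
        self.cols = [[r[j] for r in rows] for j in range(len(names))]
        self.skew = [skewness(c) for c in self.cols]
        self.floor = 0.5 / len(rows)  # half-a-sample floor keeps -log finite

    def score(self, x: Row) -> Tuple[float, Dict[str, float]]:
        left = [-math.log(max(ecdf_left(c, v), self.floor)) for c, v in zip(self.cols, x)]
        right = [-math.log(max(ecdf_right(c, v), self.floor)) for c, v in zip(self.cols, x)]
        skew = [l if s < 0 else r for l, r, s in zip(left, right, self.skew)]
        # outlier score = largest of the three tail sums; the per-feature terms
        # of the winning sum are the feature contributions (interpretability)
        best = max((left, right, skew), key=sum)
        return sum(best), dict(zip(self.names, best))


class DualCopod:
    """Phase 2: two parallel COPOD models on disjoint feature groups (assumed)."""

    def __init__(self, rows: List[Row], groups):
        self.groups = groups  # list of (feature names, column indices)
        self.models = [Copod([[r[j] for j in idx] for r in rows], names)
                       for names, idx in groups]

    def explain(self, x: Row) -> Tuple[float, Dict[str, float]]:
        total, contrib = 0.0, {}
        for (names, idx), model in zip(self.groups, self.models):
            s, c = model.score([x[j] for j in idx])
            total = max(total, s)  # assumed combination: larger model score wins
            contrib.update(c)
        return total, contrib


# Constructed data: 20 normal rows of a pump loop plus two sensor glitches.
FEATURES = ("pressure_bar", "flow_lpm", "pump_rpm", "valve_pct")
GROUPS = [(FEATURES[:2], (0, 1)), (FEATURES[2:], (2, 3))]
NORMAL_ROWS = [(3.0 + 0.1 * i, 40.0 + i, 1000.0 + 5 * i, 50.0 + i) for i in range(20)]
GLITCH_ROWS = [(99.0, 45.0, 1050.0, 60.0), (3.5, -1.0, 1020.0, 55.0)]
CLEANED = phase1_filter(NORMAL_ROWS + GLITCH_ROWS)
DETECTOR = DualCopod(CLEANED, GROUPS)
NORMAL_POINT = (3.95, 49.5, 1047.0, 59.5)   # mid-range on every feature
STUCK_VALVE = (3.95, 49.5, 1047.0, 95.0)    # valve far outside training range

if __name__ == "__main__":
    print("rows kept by phase 1:", len(CLEANED))
    for name, point in (("normal", NORMAL_POINT), ("stuck valve", STUCK_VALVE)):
        s, c = DETECTOR.explain(point)
        print(f"{name}: score={s:.3f}", {k: round(v, 3) for k, v in c.items()})
```

Phase 1 is deliberately crude: a pure ECDF trim always removes the extreme sample of every feature, so it discards two legitimate rows here along with the two glitches. The contribution dictionary is the interpretability payoff the abstract refers to: for the stuck-valve point the `valve_pct` term dominates, which tells an operator which signal to inspect rather than only that "something" is anomalous.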