Model-based vs data-driven approaches to the detection of cyber-attacks

Over the past few decades, important innovations in different fields such as aerospace, automotive, energy or healthcare, were made possible by the integration of the physical and digital worlds. However, the proliferation of Cyber-Physical Systems (CPSs) in our daily lives introduces new vulnerabilities and security threats. In response, cyber-security has emerged as a critical challenge that we aim at investigating in this thesis. We focus specifically on Networked Control Systems (NCSs) and we analyze them in a scenario in which there are replay attacks threatening their integrity. Among the possible mitigation strategies against this type of cyber-attack, we provide two different approaches to their detection. For the first one we adopt a system-theoretic perspective and implement a detection mechanism based on the knowledge of the system under attack. The resulting anomaly detector, implemented for replay attack detection, is programmed to recognize any behavior of the system that deviates from the expected one. Conversely, the second approach is entirely data-driven, requiring no prior knowledge of the system dynamics. Here we employ for attack detection a machine learning model that is not explicitly programmed but continuously refines its structure by learning essential information from available data sources. Our study culminates in a comprehensive comparative analysis of these two methodologies, assessing their effectiveness in detecting replay attacks.