Attack Detection using Time Series Foundation Models
For operators of cyber-physical systems, this work provides a zero-shot detection method that requires no plant model, addressing a practical security bottleneck.
This paper proposes a model-structure-free attack detector for cyber-physical systems using TimesFM, a time-series foundation model, achieving comparable or superior detection performance against replay and stealthy attacks without plant knowledge. Numerical results on the IEEE 14-bus power system demonstrate efficacy.
This paper addresses the problem of attack detection in cyber-physical systems without any knowledge of the plant model or its structure. A remotely located plant transmits sensor measurements to an operator over a network that is assumed to be under attack. We consider two classes of attacks: model-free replay attacks and model-based stealthy attacks. For the latter, we derive closed-form expressions for the optimal stealthy attack policy against a $\chi^2$ detector, for both linear and nonlinear systems. We then propose a model-structure-free detector based on TimesFM, a time-series foundation model developed by Google Research, which serves as a surrogate residual generator operating in a zero-shot fashion. We show empirically that the TimesFM-based detector achieves comparable or superior attack detection performance. The efficacy of the proposed approach is demonstrated numerically on the IEEE 14-bus power system. We also demonstrate that TimesFM predictions can serve as a substitute for corrupted measurements, a practical mitigation technique when classical redundancy assumptions fail.
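The detection-and-substitution loop the abstract describes, sketched as an added example (not code from the paper): a forecaster produces residuals, a windowed $\chi^2$-style statistic raises alarms, and alarmed samples are replaced by the forecast. Assumptions: a seasonal-naive predictor stands in for TimesFM, the threshold is calibrated empirically on attack-free data, and the trace, replay window and all names are constructed for illustration.

```python
import math

PERIOD = 50  # assumed known seasonality of the constructed signal

def seasonal_naive(history, period=PERIOD):
    """Stand-in forecaster (assumption); the paper uses TimesFM zero-shot."""
    return history[-period]

def detect(received, calib_end, window=5, margin=2.0, forecast=seasonal_naive):
    """Return (alarm indices, repaired series); samples before calib_end are assumed clean."""
    history = list(received[:PERIOD])            # warm-up context for the forecaster
    res = []
    for k in range(PERIOD, calib_end):           # calibrate on attack-free residuals
        res.append(received[k] - forecast(history))
        history.append(received[k])
    sigma2 = sum(r * r for r in res) / len(res)

    def stat(i):                                 # windowed sum of normalized squared residuals
        return sum(r * r for r in res[max(0, i - window + 1): i + 1]) / sigma2

    threshold = margin * max(stat(i) for i in range(len(res)))
    alarms = []
    for k in range(calib_end, len(received)):
        pred = forecast(history)
        res.append(received[k] - pred)
        if stat(len(res) - 1) > threshold:
            alarms.append(k)
            history.append(pred)                 # mitigation: keep the forecast, drop the sample
        else:
            history.append(received[k])
    return alarms, history

def make_trace(n=450, start=300, stop=350, lag=115):
    """Constructed data: periodic signal plus bounded pseudo-noise, with a replayed segment."""
    clean = [math.sin(2 * math.pi * k / PERIOD) + 0.05 * math.sin(1.7 * k) for k in range(n)]
    received = list(clean)
    for k in range(start, stop):
        received[k] = clean[k - lag]             # replay of previously recorded measurements
    return clean, received

if __name__ == "__main__":
    clean, received = make_trace()
    alarms, repaired = detect(received, calib_end=250)
    print("alarms:", alarms[0], "to", alarms[-1])
    print("worst repaired error:", max(abs(a - b) for a, b in zip(clean, repaired)))
```

Alarms persist for `window - 1` samples after the replay ends because the statistic still contains attacked residuals. Feeding the forecast back into the context is what keeps the replayed data from contaminating later predictions.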