Research Achievements

International Conferences

  • On the Attack Detection Performance of Information-theoretic Method in Industrial Control System
    Authors
    T. Nishiuchi, Y. Abe, Y. Watanabe, M. Iwamoto, K. Sawada, and S. Shin
    Conference
    IECON 2024
    Publisher
    IEEE
    Year
    2024
    (To appear)
    Abstract

    Several relative entropy-based methods have been studied in cyber-attack detection of control systems. Most existing studies set the threshold values of relative entropy by trial and error such that their error probabilities become small. Meanwhile, the relationship between threshold values and error probabilities in likelihood ratio tests is clarified by information theory. Information theory also clarifies the relationship between relative entropy and the likelihood ratio test. To theoretically set the threshold, the authors have investigated the relationship between relative entropy and the likelihood ratio test using experimental data from DoS attacks and man-in-the-middle attacks on control communication (Modbus TCP). This paper investigates the relationship between threshold values and error probabilities in actual experiments. Error probabilities are classified as false positive rates and false negative rates. The Neyman-Pearson lemma shows how to construct a detector that considers the trade-off between false positive and false negative rates. Stein's lemma shows how to give optimal threshold values. We build a detector from the two lemmas that consider the trade-off with probability models of delay time between Response and ACK of Modbus TCP. We conduct experiments and discuss optimal threshold setting methods in the sense that the false positive rates cannot be further reduced when false positive rates are fixed.