A Survey on Machine-Learning Based Security Design for Cyber-Physical Systems

Abstract: A cyber-physical system (CPS) is the integration of a physical system in the real world and control applications in a computing system, interacting through a communications network. Network technology connecting physical systems and computing systems enables the simultaneous control of many physical systems and provides intelligent applications for them. However, enhanced connectivity leads to extended attack vectors in which attackers can trespass on the network and launch cyber-physical attacks, remotely disrupting the CPS. Therefore, extensive studies into cyber-physical security are being conducted in various domains, such as physical, network


Introduction
Cyber-physical systems (CPSs) involve the integration of physical systems into the real world and control software in the cyber-world, where these two worlds are connected by networks that are responsible for the interchange of information between them [1,2]. Extensive developments in communications technology can support real-time communications with low latency, which makes it possible to control multiple physical systems remotely and provides various intelligent services to CPS users [3][4][5]. Moreover, adopting wired and wireless networks in a CPS enables the states of massive amounts of industrial equipment to be monitored, and therefore, it is possible to organize and flexibly manage a complex industrial system [5][6][7][8]. Thus, the CPS is one of the key technologies for various industrial domains, including intelligent transport systems [9][10][11], medical systems [12,13], and smart grids [14,15]. For example, in a communication-based train control (CBTC) system [6,9], which is a representative CPS, the communication technologies between trains and ground stations enable real-time feedback control by exchanging the states of the trains and the train control signals through a real-time wireless network. Therefore, the CBTC system reduces the dispatch interval between trains and guarantees better safety than conventional train control systems in guarding against accidents [16].
As the connectivity of the CPS increases and the system becomes more complex, the paths through which an attacker can infiltrate the CPS multiply [17][18][19]. The networks that connect the physical systems and the control software are especially vulnerable to external attackers who aim to invade the CPS and cause malfunctions in the physical systems [20,21]. When an attacker gains access to the network, the execution of control-critical software can be disturbed in the cyber-world, the control authority over physical system operations can be seized over the network, and the attacker can power off the physical systems [16,18] or precisely manipulate the physical state while deceiving the attack detection system [14,15]. These cyber-physical attacks damage industrial equipment and processes, causing economic losses and human casualties. In 2015, the BlackEnergy malware caused the malfunction of a power plant in Ukraine, resulting in a massive power outage [20]. In 2014, control of plant equipment was seized by a cyber attack on a German steel mill, and some blast furnaces were damaged [20]. To ensure the reliability of a CPS against adversaries, the need for cyber-physical security research is emerging [17,21].
Cyber-physical security is an extension of conventional cyber-security in which the operation of the physical system is additionally considered. For example, password cracking, the process of recovering a password for a system, is one of the important security issues in the conventional cyber-security field because of the risk of personal information leaks. In cyber-physical security, information leakage by password cracking alone cannot damage the CPS; however, manipulation of the physical process through unauthorized access with the recovered password can affect the dynamics of the physical systems. Therefore, much cyber-physical security research is conducted by modeling the physical dynamics with control theory. However, since CPSs are affected by various factors, such as rapid environmental changes and unexpected events, physical model-based cyber-physical security methods suffer from false alarms that degrade detection performance against cyber-physical attacks. Moreover, as the CPS grows large and the relationships between CPS components become complex, the agreement between a conventional CPS model and the real CPS decreases, which generates additional attack vectors [22][23][24]. From a control-theoretical viewpoint, large and complex systems are represented as high-order differential equations [24], and a mathematical model with high-order terms is sensitive to noise on the state variables [23]. Therefore, it is difficult to obtain an exact mathematical model of a complex physical system, and the terms that an inaccurate dynamic model leaves out become vulnerabilities of the model-based attack detector, resulting in inaccurate detection.
To overcome the limitations of legacy model-based cyber-physical security, data-driven anomaly detection methods, in which abnormal data are acquired from numerous simulations and controlled experiments, have been adopted in cyber-physical security [25,26]. In particular, machine learning (ML), which captures correlations between an input and an output from massive amounts of data without modeling based on physical laws, is adopted in cyber-physical security in order to satisfy high-level safety and reliability requirements [22]. Furthermore, ML techniques make it possible to model the massive and complex relationships between the components of the CPS, including various physical systems in the real world, heterogeneous network protocols, and complicated application software in the cyber-world, and the resulting model can enhance the security level of the CPS.
In this paper, we provide a comprehensive survey of cyber-physical attacks and machine learning-based cyber-physical attack detection technologies. In particular, we focus on attacks that can damage physical systems and manipulate the physical processes. In addition, we mainly consider cyber-physical attack detection methods and attack handling methods with machine-learning techniques. There are a large number of surveys of physical model-based anomaly detection methods [27,28] and network intrusion detection systems (IDSs) [29][30][31]. Thus, conventional deviation-based attack detection methods in control theory and IDS-based anomaly detection techniques are not covered.
The rest of the paper is organized as follows. Section 2 introduces the hierarchical CPS structure and the roles in each layer. Section 3 provides the taxonomy of cyber-physical attacks for each layer. Section 4 presents cyber-physical attack detection methods with machine learning techniques. Section 5 discusses the potential research directions for ML-based cyber-physical security in the context of real-time characteristics in the CPS, resiliency, and data generation methods for learning malicious behavior. Finally, we conclude this survey in Section 6.

Hierarchical Structure of Cyber-Physical Systems
A CPS can be very large, with many components and complex relationships between the physical systems in the real world and the control software in the cyber-world. Therefore, it is difficult to analyze the entire CPS [18]. We consider a hierarchical CPS structure as illustrated in Figure 1, which classifies and abstracts the complex CPS components by function, and therefore provides a simpler and more intuitive view of the CPS [32]. The hierarchical CPS structure is applied in various fields, including CBTC systems [9], smart production systems [33], and smart grids [34]. The proposed CPS structure is similar to the Purdue enterprise reference architecture (PERA) [35], which is widely used in industrial control systems. The physical system layer of the proposed structure corresponds to the lower layers of the PERA, including the specification layer, detailed design layer, manifestation layer, and operations layer. The network layer of the proposed structure corresponds to the networks in the definition layer of the PERA. The application layer of the proposed structure is mapped to the upper layers of the PERA, including the concept layer and the definition layer.

Physical System Layer
The physical system layer represents the multiple physical systems, which are objects that operate in the real world. In the physical system layer, each physical system has sensors and actuators: the sensors report the states of the physical objects to the computing system in the cyber-world, and the actuators operate the physical objects according to commands from the computing system [32]. Through sensing and actuating, the physical system carries out the physical processes.
The operation of the physical system is represented as system dynamics in the continuous-time domain. To simplify the expression of the physical dynamics, we consider a single-input single-output (SISO) linear time-invariant (LTI) system as follows:

$$\dot{x}(t) = Ax(t) + Bu(t), \qquad y(t) = Cx(t), \tag{1}$$

where $x \in \mathbb{R}^{n}$ is the state of the physical system with $n$ state variables, $A \in \mathbb{R}^{n \times n}$ is the system matrix, $B \in \mathbb{R}^{n}$ is the input matrix, $C \in \mathbb{R}^{1 \times n}$ is the output matrix, $u \in \mathbb{R}$ is the control input signal, and $y \in \mathbb{R}$ is the sensor measurement. The system matrix term $Ax(t)$ represents the state transition due to the characteristics of the physical system, the input matrix term $Bu(t)$ represents the state transition due to the control input signal $u(t)$, and the output matrix term $Cx(t)$ represents the measurement of the state by the sensor attached to the physical system; in general, not all state variables in the state vector $x(t)$ can be measured by the sensor. The physical system periodically sends the sensor measurement $y(t)$ to the computing system to report its state, and the computing system returns the control input signal $u(t)$ to operate the physical system as intended. We assume that the matrix pairs $(A, B)$ and $(A, C)$ in (1) are controllable and observable, respectively.

The actuating process, which determines the dynamics of the physical system, is driven by the control input signal $u(t)$ computed on the computing system. The control input signal $u(t)$ is calculated with a state observer and a state feedback controller as follows:

$$\dot{\hat{x}}(t) = A\hat{x}(t) + Bu(t) + L\big(y(t) - C\hat{x}(t)\big), \qquad u(t) = -K\hat{x}(t), \tag{2}$$

where $\hat{x}(t)$ is the state estimate of the physical system, $L$ is the observer gain, and $K$ is the controller gain. In general, the sensors cannot provide the full state of the physical system, so the computing system estimates the state from the system model (1) and the sensor measurement $y(t)$ with the observer. From the state estimate in (2), the control input signal is calculated by the state feedback controller with controller gain $K$. We assume that the controller gain $K$ and the observer gain $L$ are well designed to stabilize the state of the physical system.
Unmanned vehicles [7] and autonomous trains [9] are typical examples of physical systems within intelligent transport systems. Unmanned mobile objects are controlled by centralized control stations on the ground, where the dynamics of the unmanned mobile objects are determined according to the control command from the ground station [16]. Heating, ventilation, and air conditioning (HVAC) systems [36] and production machines [33] are examples of physical systems in industrial areas, and these industrial facilities belong to physical system-layer components. Likewise, in a smart grid, the power plants and the electric equipment that physically transmit electricity are elements of the physical system layer [14,15,37].
Most physical systems, especially unmanned aerial vehicles (UAVs), have power constraints because they are battery-powered [38]. Therefore, it is difficult for the physical system to conduct tasks requiring complex computations. To overcome the power limitation, the physical system layer interacts with the computing system through the network layer.

Network Layer
The network layer is responsible for the communication between multiple physical systems in the real world and the computing systems in the cyber-world [2,5]. Due to the introduction of a network in the CPS, it is possible for the computing system to remotely control multiple physical systems, and therefore, in terms of the system configuration cost and flexible system management, the CPS becomes more advantageous than the conventional point-to-point control systems.
Sensor measurements from the physical systems and the control input signal from the application layer are exchanged over the network. When a network error occurs, such as lost control-related data [39] or a long transmission delay [40,41], the physical systems can malfunction [42]. Therefore, a network that forms the feedback control loop between the physical systems and the computing system must guarantee highly reliable data transmission.
In autonomous vehicle systems, wireless communication technologies, such as the IEEE 802.11-based standards, including 802.11p [43] and 802.11bd [44], and cellular vehicle-to-everything (C-V2X) communication standards, based on Long Term Evolution (LTE) [45] and 5G new radio (NR) [46], support real-time communication between multiple autonomous vehicles and road-side units (RSUs) fixed on the ground, and this communication enables real-time feedback control between the vehicles and the RSUs for autonomous driving. In the industrial area, wired networks such as EtherCAT [47] or Modbus [48], and wireless networks such as Zigbee [49] and WirelessHART [50], enable remote state reporting and actuation of industrial facilities in real time. Furthermore, in a power grid, the distributed network protocol (e.g., DNP3) [51] connects the various power facilities and the centralized supervision system.

Application Layer
The application layer represents the computing system with which intelligent tasks are conducted by software in the cyber-world. The applications manage the physical systems [52], predict the state of the physical systems in the next time step [53,54], and provide intelligent functions to CPS users, where various CPS applications are executed based on sensor measurements from physical systems. From the results of the application execution, a computing system determines the system dynamics (1) in the next time step.
Due to the power limitation, the physical system depends on the computing system for the execution of intelligent functions requiring complex computations. In most CPSs, the application layer is assumed to have enough computing power and no electrical power constraints. In addition, thanks to the real-time interaction through the network layer, the power-limited physical systems can operate more intelligently than conventional embedded systems.
In intelligent transport systems, the RSUs and other traffic control equipment on the ground negotiate among autonomous vehicles, control the traffic lights at intersections, and distribute road traffic in congestion situations [55]. Furthermore, simultaneous localization and mapping (SLAM) [56], which positions a UAV and builds a map at the same time, and path planning, which determines the motion of vehicles in real time, are the most representative applications of a vehicular CPS. In a smart factory, digital twin technology [53,54], which reproduces sophisticated and comprehensive factories in the cyber-world by using big data, is implemented at the application layer, where it is possible to predict the throughput of each production line per unit of time and to improve production lines continuously. Likewise, in a smart grid, a supervision system predicts power consumption for entire regions in real time based on sensor measurements from massive numbers of smart watt-hour meters in the physical system layer and on previous time-series data related to power consumption. Therefore, from power demand predictions, it is possible to feed back control of electricity generation at the power plants [34].

Taxonomy of Cyber-Physical Attacks
A cyber-physical attack is defined as an exploitation of CPS components that causes a malfunction in a physical system and process, such as the divergence of state x(t) in system dynamics (1). Since the CPS is the integration of the computing system, the networks, and the physical systems, if at least one CPS component is under attack, the states of all physical systems can become unstable [32]. In contrast to the conventional embedded system, the CPS is especially vulnerable because of the connectivity of the networks, through which an attacker can damage the computing systems, the network, and the physical systems, as illustrated in Figure 2. In addition, CPSs are vulnerable because of a lack of proper protection in CPS design, configuration, and operation. In this section, we introduce the cyber-physical attacks that can occur against a CPS and classify them in the context of the hierarchical CPS structure discussed in Section 2.

Physical System Layer
Physical systems exchange a control input signal u(t) and a sensor measurement y(t) through the network. When an attacker intrudes into the network, the attacker can modify these two types of control-related data on the network, resulting in divergence of the physical state x(t). Figure 3 shows the attack locations for cyber-physical attacks in the physical system layer. There are three ways to manipulate control-related data on the network: first, the attacker manipulates only the sensor measurement packets y(t) transmitted to the computing system; second, the attacker manipulates only the control input signal packets u(t) transmitted to the actuators in the physical system; third, the attacker simultaneously manipulates both the control input signal u(t) and the sensor measurement y(t).

Sensor Attack
A sensor attack is defined as a manipulation of the sensor measurement $y(t)$ on the network, which is represented as the addition of a sensor-attack signal to the legitimate sensor measurement, as follows:

$$\tilde{y}(t) = y(t) + y_a(t), \tag{3}$$

where $\tilde{y}(t)$ is the modified sensor measurement and $y_a(t)$ is the sensor-attack signal from the attacker. The purpose of a sensor attack is to deceive the computing system that performs state estimation, so that the estimation error causes calculation faults in the control input signal $u(t)$ of the actuating process (2). Then, in the physical system (1), the faulty control input signal produced under a sensor attack can cause malfunctions in the physical systems, such as divergence of the state trajectory of the physical system. As cyber-physical security research advances, more sophisticated sensor attacks are being developed. Among the many cyber-physical security studies of the physical system layer, most focus on sensor attacks. For example, the pole-dynamics attack (PDA) [57,58] is one of the latest and most sophisticated sensor attacks, where a malicious user generates the attack signal by utilizing matrices $A$ and $C$ of the physical system (1). Although the PDA rapidly alters the state $x(t)$ of the physical system, conventional model-based anomaly detection methods such as the residual-based detector and the $\chi^2$ detector cannot detect a PDA.
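As an added, constructed example (not code from the survey or from any work it cites), the following Python script simulates the observer-based loop of (1)-(2) on a 2-state plant discretized with a zero-order hold, attaches a residual-based detector, and contrasts three runs: a nominal loop, an additive sensor attack y_a as in (3), and an unmodelled disturbance with no attacker, the "unexpected event" the introduction blames for false alarms. The plant (a double integrator), the gains K and L, the noise level and the alarm threshold are all assumptions chosen for illustration.

```python
"""Added example (not from the survey): the observer-based control loop of
eq. (1)-(2) discretised with a zero-order hold, plus a residual-based
anomaly detector, run under a nominal loop, an additive sensor attack y_a
(eq. (3)) and an unmodelled disturbance with no attacker.
Plant, gains, noise level and threshold are constructed for illustration."""
import random

T = 0.1                                   # sampling period (constructed)
# Double integrator x' = [0 1; 0 0] x + [0; 1] u, exact ZOH discretisation.
A_D = ((1.0, T), (0.0, 1.0))              # A_d
B_D = (T * T / 2.0, T)                    # B_d
C_D = (1.0, 0.0)                          # C_d: only the position is measured
K = (10.0, 6.0)                           # controller gain: closed-loop poles 0.75, 0.6
L = (1.0, 4.0)                            # observer gain: observer poles with |z| = 0.63
THRESHOLD = 0.1                           # residual detector alarm threshold
WARMUP = 20                               # steps before the detector is armed
LATE = 100                                # "late" alarms = within the last 100 steps


def plant_step(x, u):
    """x(k+1) = A_d x(k) + B_d u(k) for the 2-state plant."""
    return (A_D[0][0] * x[0] + A_D[0][1] * x[1] + B_D[0] * u,
            A_D[1][0] * x[0] + A_D[1][1] * x[1] + B_D[1] * u)


def output(x):
    """y(k) = C_d x(k)."""
    return C_D[0] * x[0] + C_D[1] * x[1]


def observer_step(x_hat, u, residual):
    """x_hat(k+1) = A_d x_hat(k) + B_d u(k) + L (y~(k) - C_d x_hat(k))."""
    pred = plant_step(x_hat, u)
    return (pred[0] + L[0] * residual, pred[1] + L[1] * residual)


def simulate(steps=300, attack_bias=0.0, disturbance=0.0, onset=100,
             noise_std=0.01, seed=1):
    """Closed loop with a residual detector |y~ - C_d x_hat| > THRESHOLD.

    attack_bias -- constant sensor-attack signal y_a added to the measurement
                   from step `onset` (eq. (3): y~ = y + y_a)
    disturbance -- constant unmodelled input acting on the plant from `onset`,
                   i.e. an unexpected event with no attacker involved
    Returns the alarm counts (total and within the last LATE steps) and the
    final physical state x.
    """
    rng = random.Random(seed)               # deterministic sensor noise
    x, x_hat = (1.0, 0.0), (0.0, 0.0)        # true state, observer estimate
    alarms = late_alarms = 0
    for k in range(steps):
        y = output(x) + rng.gauss(0.0, noise_std)       # legitimate y(k)
        if k >= onset:
            y += attack_bias                             # manipulated y~(k)
        residual = y - output(x_hat)                     # r(k) = y~ - C_d x_hat
        if k >= WARMUP and abs(residual) > THRESHOLD:
            alarms += 1
            if k >= steps - LATE:
                late_alarms += 1
        u = -(K[0] * x_hat[0] + K[1] * x_hat[1])         # u(k) = -K x_hat(k)
        x_hat = observer_step(x_hat, u, residual)
        d = disturbance if k >= onset else 0.0
        x = plant_step(x, u + d)                         # actuator sees u + d
    return {"alarms": alarms, "late_alarms": late_alarms, "x_final": x}


def compare_scenarios():
    """Nominal loop, sensor bias attack and benign disturbance side by side."""
    return {
        "nominal": simulate(),
        "sensor_attack": simulate(attack_bias=0.5),
        "disturbance": simulate(disturbance=6.0),
    }


if __name__ == "__main__":
    for name, res in compare_scenarios().items():
        print(f"{name:14s} alarms={res['alarms']:3d} "
              f"late_alarms={res['late_alarms']:3d} "
              f"x1_final={res['x_final'][0]:+.3f}")
```

The constant sensor bias trips the detector only for a few steps after onset and then settles the physical state at an offset of about -0.5 while the residual returns to zero, whereas the benign disturbance keeps the detector alarming for the rest of the run; this is the false-alarm versus missed-manipulation tension that the introduction attributes to model-based detectors.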

Controller Attack
A controller attack is defined as a modification of the control input signal $u(t)$ on the network, which is represented as the addition of a controller attack signal to the legitimate control input signal, as follows:

$$\dot{\tilde{x}}(t) = A\tilde{x}(t) + B\big(u(t) + u_a(t)\big), \tag{4}$$

where $\tilde{x}(t)$ is the attacked state of the physical system and $u_a(t)$ is the controller attack signal from the malicious user. The purpose of a controller attack is to destabilize the physical state $x(t)$ by injecting an unexpected control input signal $u_a(t)$. When a controller attack is launched, the physical system does not operate as intended by the computing system, because both the control input signal $u(t)$ from the computing system and the controller attack signal $u_a(t)$ influence the physical dynamics $x(t)$.
There are some advanced controller attacks designed to avoid detection by conventional model-based detectors. In particular, sophisticated controller attacks exploit zero-dynamics [59], the internal behavior of the system dynamics when the sensor measurement is held at y(t) = 0. Attacks on the control input signal u(t) and the initial physical state x(0) are reported in various cyber-physical security studies as the so-called zero-dynamics attack (ZDA) [60]. The ZDA targets the unstable zero-dynamics inherent in the physical system [60] or unstable zero-dynamics generated by discretization [61,62]. When a ZDA is launched, the internal physical state x(t) diverges to infinity; however, this divergence is not revealed in the sensor measurement y(t) because of the characteristic of zero-dynamics.

Combined Attack
A combined attack is defined as a simultaneous modification of the sensor measurement and the control input signal [63,64], which is represented as follows:

$$\tilde{y}(t) = y(t) + y_a(t), \qquad \dot{\tilde{x}}(t) = A\tilde{x}(t) + B\big(u(t) + u_a(t)\big). \tag{5}$$

Unlike a sensor-only attack and a controller-only attack, the combined attack requires eavesdropping on both channels over which the sensor measurement $y(t)$ and the control input signal $u(t)$ are transmitted; therefore, it is difficult to execute a combined attack successfully. In other words, most combined attacks are more sophisticated than sensor-only and controller-only attacks, so detection strategies for the combined attack require more computational resources to detect and handle it.
The covert attack is one of the most typical combined attacks, where the attacker has perfect knowledge of the system dynamics and uses it to generate the sensor attack signal $y_a(t)$ and the control attack signal $u_a(t)$ [64]. On the sensor measurement transmission channel, the attacker seizes the legitimate sensor measurement $y(t)$ from the physical system and deceives the computing system by transmitting the generated sensor measurement $\tilde{y}(t)$ built with perfect system information [65]. Over the control input signal transmission channel, the physical system is controlled as the attacker intends by a malicious control input signal $\tilde{u}(t) = u(t) + u_a(t)$, which is generated with perfect system information and with the legitimate sensor measurement $y(t)$ taken from the sensor measurement transmission channel.

Network Layer
The network layer is responsible for exchanging a variety of information between the physical system layer and the application layer with high-level reliability and real-time characteristics. In the network layer, the attacker can disturb data transmission, which violates the integrity of the data and real-time constraints on the CPS, resulting in the destabilization of the physical system. Figure 4 illustrates three representative cyber-physical attacks in the network layer. First, the denial of service (DoS) attack forces dropped packets by exploiting physical characteristics or vulnerabilities in network protocols. Second, the flooding attack induces packet transmission delays in order to cause abnormal behavior in the physical systems. Third, the packet manipulation attack violates the data integrity on the network via packet modification. Although network layer attacks do not seem to have a relationship with physical dynamics (1) directly, these attacks can significantly affect the stability of the physical system.

Denial of Service Attack
In many control-theoretical studies, the DoS attack is defined as the prevention of delivery of control-related data, including control input signals and sensor measurements, by means of certain network attacks [66][67][68][69]. Therefore, from the perspective of control theory, a DoS attack is modeled as a signal drop in the discrete-time domain, which has the same meaning as the network disruption attack in the cyber security field. To cover the impact on the physical dynamics (1) of an intentional packet drop caused by a DoS attack, in this paper we define the DoS attack as an interruption of end-to-end packet delivery along the packet transmission path by forcing dropped packets, including communication jamming.
The DoS attack is realized in various ways; the implementation method depends on the communication type and network protocol [70]. In a wired network environment, cutting a physical link is the easiest way to interrupt the transmission of control-related data. In a wireless communications environment, a jamming attack radiates a jamming signal into the air with a high-gain antenna; this signal reduces the signal-to-noise ratio (SNR) and interferes with the receiver [71]. With man-in-the-middle (MITM) attacks [42], which seize communication authority between two nodes by exploiting vulnerabilities in network protocols, the DoS attack can be implemented by intercepting packets without forwarding them.
To express the DoS attack as viewed from the physical system layer, we rewrite the physical dynamics (1) in discrete time as follows:

$$x(k+1) = A_d x(k) + B_d u(k), \qquad y(k) = C_d x(k), \tag{6}$$

where $A_d \in \mathbb{R}^{n \times n}$, $B_d \in \mathbb{R}^{n}$, and $C_d \in \mathbb{R}^{1 \times n}$ are the discretized system, input, and output matrices, respectively, obtained via a zero-order hold (ZOH). When a DoS attack is launched against the network, the control input signal cannot be updated because of the dropped packets. Intermittent packet drops from a DoS attack impair the control performance of the physical system. Moreover, if the DoS attack is launched persistently, it destabilizes the physical system, and the state $x(k)$ diverges [66,69].
When the CPS is attacked at the network layer, the packet losses cause physical system malfunctions, which trigger a fail-safe mode to avoid divergence of the physical state. The controller area network (CAN) [72], a wired in-vehicle network (IVN), connects the many electronic control units (ECUs) in a vehicle. When a jamming signal is injected at some point on the CAN bus, most control signals on the bus cannot be delivered to the ECUs, resulting in control errors in the vehicle [73]. In CBTC systems, where multiple trains and a ground station communicate through a leaky waveguide, an attacker can launch a long-range jamming attack to cause communication failures [74,75]. Because the track-side repeaters, which are installed to compensate for signal attenuation with distance, also amplify the attacker's jamming signal, the communication failures force conservative operation, and the passenger capacity per hour is reduced.

Flooding Attack
The flooding attack is defined as an intentional exhaustion of network resources, such as network bandwidth or the memory of network devices, by generating massive amounts of network traffic [76,77]. When an attacker launches a flooding attack, the massive number of generated packets deprives legitimate communication nodes of transmission opportunities or fills up the memory of network devices. As a result of a flooding attack, the transmission delays of legitimate packets increase and violate the real-time constraints of the CPS. To succeed with a flooding attack, the attacker only needs to generate a large volume of data over the network quickly, so sophisticated knowledge about the network is not required.
In control theory, it is known that time-varying delays in a network negatively affect the stability and control performance of the physical system [41,78]. The effect of the network delay on the physical dynamics (1) is described with the following quantities: $T$ is the sensor measurement sampling period of the physical system, $t^{k}_{j}$ is the $j$-th time instant within time step $k$ with $0 < t^{k}_{j} < T$, and $\bar{d}$ and $\underline{d}$ are $\tau_{\max}/T$ and $\tau_{\min}/T$, respectively, where $\tau_{\max}$ and $\tau_{\min}$ are the maximum and minimum bounds of the time-varying network delay. The stability of the physical system in an environment with large time-varying delays is analyzed in [41], where the allowable delay bound depends on the system dynamics and the controller design. When the network delay violates the stability condition, the physical state $x(t)$ diverges to infinity, and therefore the flooding attack makes the physical system unstable.
Like the DoS attack, when a flooding attack is launched against the network, the physical systems are destabilized or switch into a fail-safe mode that stops or reduces the operation of the physical system to guarantee safety. For UAV control systems in IEEE 802.11-based wireless network environments, although the ground control station (GCS) keeps sending control messages to the UAV, a UAV under an Internet Control Message Protocol (ICMP) flooding attack simply hovers in place, because the control-related packets do not arrive by the pre-configured transmission deadline owing to the delay induced by the ICMP flooding [79].

Packet Manipulation
Defined as a modification of the header or payload of packets transmitted over the network, packet manipulation consists of a packet-stealing phase and a packet-modification phase. In the packet-stealing phase, the attacker accesses the network and deceives the communication nodes, including the physical systems and the computing system, using vulnerabilities in the network protocol, the CPS implementation, or the communication nodes themselves, so that the packets on the network are forwarded to the attacker. After the packet-stealing phase, the attacker modifies the header or payload of the packets received from the legitimate source node and forwards the modified packets to the original destination.
When the attacker alters an error-checking field in the header during the modification phase, such as the checksum of the user datagram protocol (UDP), the destination node discards the manipulated packet because the modified checksum makes the packet appear corrupted. Therefore, the packet manipulation attack can also have the effect of a DoS attack. Conversely, if the attacker modifies the payload while strictly adhering to the network protocols, the destination nodes are deceived by the packet manipulation. When the sensor measurements or the control input signal are modified in this way, the packet manipulation attack has the same effect as the physical system layer attacks.
The packet manipulation attack can occur in various CPS fields. For a CBTC system, a packet manipulation attack targeting train control command packets using address resolution protocol (ARP) spoofing is introduced in [16,32]. Because of the security vulnerability in the ARP process, the attacker can seize communication authority between the train and the ground station, and train collisions can result from control command manipulation. In [55], a sensor data-spoofing attack and various packet injection attacks targeting a vehicular ad-hoc network (VANET) are presented. Specifically, a Sybil attack, which deceives a number of nodes on the road in a VANET by sending incorrect messages, makes traffic congestion appear where there is none, disrupting traffic.

Application Layer
The application layer provides intelligent functions to CPS users and to physical systems with limited computing performance. Through the input/output (I/O) interfaces of the computing system, such as a serial communication port or a network interface card (NIC), an attacker can intrude into the computing system and access important computing components, including file systems, cache memory, and process schedulers, from which the attacker can launch attacks to disrupt the computing system. The more sophisticated the application layer, the larger and more complex the computing system becomes, and this complexity makes it difficult to prevent attacks that target the system. Figure 5 shows two types of attack that can occur in the application layer. First, an application software attack disturbs the execution of CPS application software, resulting in the return of faulty control commands to the physical system or the generation of a system error. Second, a computing hardware attack executes malicious system commands that can damage computing hardware, such as the power supply, the CPU, and memory, and therefore disrupts the computing system itself.

Application Software Attack
An application software attack generates faulty results for service requests from the physical system layer, which then provides faulty services to CPS users and faulty commands to computation resource-limited physical systems. When faulty operational commands are injected into the physical systems, this causes the defective control of the physical system, which the CPS user does not intend.
Application software attacks are implemented by various methods, including false code execution [80] and backdoor attacks [81]. In false code execution, the attacker installs malicious software in the computing system, which returns false control commands and services to the physical system layer and the CPS user. The Stuxnet attack [82], which damaged an Iranian nuclear facility, the BlackEnergy malware [20], which caused a massive power outage by damaging a Ukrainian power plant, and Triton [83], which triggered the fail-safe mode of a Saudi Arabian petrochemical plant, are typical application software attacks achieved with false code injection. Furthermore, the German railway infrastructure system was encrypted by the WannaCry ransomware, resulting in the failure of some railway system components [84]. Backdoors, which access the computing system without a legitimate certification process, can also induce the malfunction of CPS applications. For example, an object identification application for autonomous vehicles can be compromised by a backdoor [85], e.g., by modifying the training dataset related to traffic signs. Furthermore, a backdoor-based attack can manipulate the settings of the applications, such as neural network parameters, resulting in the degradation of the safety-critical functions of the CPS, such as an emergency stop for an autonomous vehicle [81].
From the perspective of physical dynamics, an application software attack is represented as a fault in the actuation process (2). The modification of memory related to the state estimation process and the control input calculation process under an application software attack corresponds to the manipulation of the observer gain L and the controller gain K, respectively. When the observer gain L and controller gain K in the actuation process (2) are replaced with values that no longer stabilize the physical dynamics (1), the physical state x(t) diverges to infinity even though the network layer and the physical system layer are legitimate.
In [86], the authors consider two application software attacks: one disables the feedback control software, and the other replaces legitimate control software with malicious software in order to destabilize a helicopter system. A controller gain change attack is considered in [87], which maliciously modifies the control gain in the control software, crashing a drone system.
Although eavesdropping cannot directly damage the computing system, the side-channel attack [88,89], which is a form of advanced eavesdropping, can lead to an application software attack. For well-encrypted computing systems, the side-channel attack recovers data related to the security of the computing system and attempts to find code execution information in the hardware, such as memory and the CPU, where the discovered hardware execution information can be used to configure malicious application software with reverse-engineering techniques. As an example of a typical side-channel attack, the cache side-channel attack periodically flushes a specific location in cache memory and eavesdrops on traces of the target processes [90]. From the eavesdropped traces, the attacker can recover the encryption policies of the computing system and can reconfigure malicious CPS applications to make the physical system unstable.

Computing Hardware Attack
The computing hardware attack is defined as disrupting a component of the computing system, such as the power supply, dynamic random access memory (DRAM), the CPU, and storage systems, directly or indirectly. We classify computing hardware attacks into two types of fault: one is a computer system-down attack, and the other is a data manipulation attack in memory via unauthorized accesses. Criteria for the computing hardware attack classification are determined by the impacts of the attacks on the physical system. A computer system-down attack refers to the impossibility of executing computing processes by intentional computer hardware faults, such as shutting down the power supply. Meanwhile, a data manipulation attack refers to modifying computing processes by the exploitation of a hardware vulnerability, but this does not break the computing hardware.
From the perspective of physical dynamics, a system crash from a computing system-down attack is equivalent to a DoS attack. When the computing system is disrupted by a malicious power-off, the control application software also stops, and therefore the physical system is no longer controlled by the computing system. Furthermore, the data manipulation type of attack is similar to an application software attack, where a physical bit-flip in DRAM is considered to represent the manipulation of the controller gain K in (2).
Computer system-down attacks are implemented by injecting malware and maliciously requesting intensive tasks to be performed by the computing system. The power virus [91] leads to faults in the power supply of the computer by generating power surges that physically disrupt computer components. A CPU thermal attack [92] forces thermally intensive workloads onto the CPU and leads to the physical disruption of the CPU or brings it into fail-safe mode, stopping the operation of the computing system. Meanwhile, data manipulation attacks are implemented by exploiting hardware vulnerabilities without breaking the computing hardware; an example of this is the row hammer attack [93]. The row hammer attack manipulates specific memory locations by intentional high-frequency access to rows of DRAM, exploiting an electromagnetic vulnerability [93,94]. The row hammer attack flips some bits in DRAM, which affects software operations in real time. In [95], a row hammer attack targeting software operation is proposed, which modifies a neural network model for image classification. This attack deteriorates image classification performance, which can do severe damage to a real CPS, such as the obstacle detection software in an autonomous driving system. Moreover, the authors in [96] analyze the performance deterioration from atomic-level bit-flips induced by computing hardware attacks.

ML-Based Cyber-Physical Attack Detection
Due to the advances in communication and computing technologies, the management of a large-scale CPS has been enabled, where each CPS component (including massive physical systems), the communication networks, and the various CPS applications generate enormous amounts of data in each CPS layer of the hierarchical CPS structure proposed in Section 2. Because of the complexity of a large-scale CPS and the substantial amounts of data generated, ML techniques are adopted to detect cyber-physical attacks in order to overcome the detection limits of conventional, static, rule-based anomaly detection and misuse detection methods. In this section, we discuss ML-based cyber-physical attack detection strategies in each hierarchical CPS layer.
An ML-based anomaly detector consists of two phases [97], the training phase and the anomaly detection phase, as shown in Figure 6. In the training phase, the ML-based detector first collects the various CPS data related to cyber-physical security on each CPS layer in normal and attacked environments. On the physical system layer, safety-critical data, including massive amounts of sensor measurements from multiple physical systems, control input signals, and control period information, can be collected to train the ML model in the detector. At the network layer, a variety of packet and network environment information related to the threats discussed in Section 3 can be collected, such as packet headers, network channel state information, SNR, packet drops, and the mean round trip time between the computing system and the physical system. At the application layer, information on the computing system that reflects attacks capable of damaging system software and hardware can be collected, including the utilization of the CPU and RAM, the files in storage, and the frequency of specific command executions. After data collection, the ML-based detector labels the data according to whether they were generated under legitimate or abnormal situations. Finally, the ML model is built from the features and labels, where various ML classification models can be adopted, such as a neural network [98], Q-learning [99], random forest [100], and the support vector machine (SVM) [101].
In the anomaly detection phase, the ML-based detector classifies abnormal behavior in the CPS with well-trained ML models in the training phase for unknown CPS data. When abnormal data, such as packets maliciously modified by an attacker, are injected into the CPS, the ML model analyzes abnormal behavior from that data. If the ML model classifies the data as abnormal, then the ML-based detector alerts CPS users to the attack and handles it to guarantee the stability of the CPS.
The performance of the ML-based detector is assessed with four metrics [102]: accuracy, precision, recall, and F1-score.

• Accuracy is defined as the proportion of correctly classified cases over the entire test dataset, which is calculated as follows: where TP is the number of correctly classified anomalies, TN is the number of samples correctly classified as normal, FP is the number of normal samples classified as anomalies, and FN is the number of anomalies wrongly classified as normal.
• Precision is defined as the fraction of true-positive detections among the samples the detector has determined to be abnormal, and is calculated as follows: Precision is related to false-positive detection, which degrades the control performance of physical systems.
• Recall is defined as the detection performance over the real anomalies, and is calculated as follows: Recall is related to the misdetection probability, where a missed detection makes the physical system unstable.
• The F1-score is calculated as the harmonic mean between precision and recall, and is obtained as follows: The F1-score shows the balance between precision and recall under an uneven sample distribution (a large number of normal samples).

Physical System Layer
A recursive neural network (RNN)-based sensor attack detection strategy is proposed in [22], where an attacker targets a vehicle with four wheel speed sensors. The authors in [22] consider multiple wheel speed sensor attack scenarios in which the proposed detection strategy classifies the location and number of attacked sensors. Experiments for the validation of the proposed RNN-based detector are carried out in a real road environment with actual sensors, where the accuracy of sensor attack detection is greater than 99%. An out-of-distribution detector for autonomous driving systems is proposed in [103], where the authors consider a malicious image injection attack against a vision-based autonomous driving system. For these attacks, the proposed detector adopts an auto-encoder and a deep support vector data description to learn convolutional neural network (CNN) models while reducing the computation time and guaranteeing real-time detection. An ML-based sensor attack detection method targeting autonomous vehicles is proposed in [104] with a long short-term memory (LSTM)-based CNN model. The authors in [104] focus on various sensor attack scenarios with a small-magnitude attack signal, which poses problems for a conventional model-based detector. The LSTM-based CNN model is evaluated in terms of its accuracy, sensitivity, precision, and F1-score, where it achieves better detection performance than a Kalman filter (KF)-based detector and a KF-based CNN detector. A one-class SVM-based anomaly detector for connected vehicles is proposed in [105], where the one-class SVM is substituted for a conventional χ² detector. The proposed detector on the vehicle utilizes the states of surrounding vehicles connected through the network in order to classify anomalies. The evaluation results show that the proposed one-class SVM model achieves better detection accuracy than the χ² detector; however, the state transmission delay from the vehicles connected by the network deteriorates accuracy.
A Bayesian network-based attack detection strategy is proposed in [106] for water treatment systems, with data from multiple sensors and actuators under normal operation and attack situations. The authors in [106] evaluate the proposed detection strategy with precision, recall, and F1-score, in comparison with an SVM and a deep neural network (DNN) model. The proposed strategy has the advantage of a learning speed that is faster than other learning models. A robust supervised learning method to detect cyber-physical attacks on chemical processes is proposed in [107]. The proposed learning method adopts a non-linear SVM for the classification of normal behavior, disturbances, and anomalous behavior. An evaluation of the proposed method is conducted in a hardware-in-the-loop system (HILS) environment for a chemical process under sensor and controller attacks, where the proposed method provides real-time attack detection. A fusion of a physical model-based detector and a learning-based detector, defending against a sophisticated sensor attack targeting an HVAC system, is proposed in [108], where a one-class SVM model is used on the learning-based detector, which enables the detection of an attack that is not detected by a model-based detector. In [36], an SVM-based anomaly detection method is proposed for HVAC system anomalies, where a Gaussian process regression method [109] and an SVM method are combined to classify various faults in HVAC systems. The Gaussian process algorithm estimates the state of the HVAC system, and the SVM detection method is trained with the estimation from the Gaussian process and from sensor measurements. The demonstration result shows a low-level false detection rate and an execution time in milliseconds.
An anomaly detection module to detect cyber-physical attacks targeting a wide-area damping control system is proposed in [110]. The proposed anomaly detection strategy adopts various supervised learning algorithms, such as the SVM, the decision tree, k-nearest neighbors (KNN), and a neural network, with full consideration of sensor attacks, controller attacks, and combined attacks. The performance of the anomaly detection module is evaluated in a hardware-in-the-loop testbed environment for a two-area, four-machine power system, resulting in real-time attack detection with more than 96% accuracy. In [111], an anomaly detection method based on density ratio estimation (DRE) is proposed to detect a stealthy sensor attack targeting an AC microgrid. The proposed ML model with DRE does not require a dataset of abnormal behaviors, unlike other ML-based anomaly detection methods that require massive numbers of attack signals for detection. In simulations, the proposed DRE-based detection method shows performance superior to conventional model-based anomaly detection methods and existing SVM-based detection methods. A covert attack detection method for a smart grid is proposed in [112], which utilizes an SVM model to learn the decision boundary between benign data and a covert attack. To improve the covert attack detection performance and to reduce computational complexity, the authors in [112] propose a genetic algorithm-based feature selection strategy. Compared with conventional ML techniques, such as the multi-layer perceptron (MLP), naive Bayesian, and KNN methods, the proposed detection method with a feature selection strategy shows superior performance in terms of its accuracy and F1-score. A classification method for actual faults due to external disturbances and cyber-physical attacks in a large-scale smart grid is proposed in [113], which utilizes an unsupervised dynamic Bayesian network (DBN) model with time-series energy information. A symbolic dynamic filtering technique is adopted to extract features from the collected information, which reduces computing resource usage and discovers interaction relationships between subsystems in large and complex power systems. For a sensor attack, the proposed method is evaluated in simulations, where it achieves an accuracy of 98% and a false-positive detection rate of less than 2%.
We briefly review the ML-based attack detection methods against physical system layer attacks. Table 1 summarizes the existing ML-based detection methods.

Network Layer
For a vehicle platooning scenario in an IEEE 802.11p-based VANET environment, a hybrid jamming attack detection method, combining a protocol knowledge-based method and a learning-based method, is proposed in [114]. The jamming attack causes collisions of safety-critical cooperative awareness messages (CAMs); however, CAMs are also lost due to the inherent collision nature of the IEEE 802.11 communications protocol, and therefore inherent collisions and malicious collisions may not be distinguishable. The proposed hybrid jamming attack detection method is evaluated by varying the number of platooned vehicles up to 25, for which the detection performance of the proposed method shows 95% accuracy. A CNN-based source node identification method for the CAN network is proposed in [115]. The proposed method can be utilized to detect abnormal jamming signals that exploit an inherent vulnerability in the CAN bus network, where the CNN model learns the channel characteristics and patterns of the CAN frame. A traffic sequence learning method for various types of network attack detection on a CAN is proposed in [73]. The authors in [73] consider three attack scenarios (DoS, random packet injection, and malicious packet injection with vehicle knowledge), and the proposed learning method, adopting a DNN model, learns these attacks from CAN traffic patterns in attack-free versus abnormal situations. A performance evaluation of the proposed method is conducted with real data from the CAN bus of a real vehicle, and the detection performance of the DNN model is superior to the decision tree algorithm and the KNN method. A supervised ML-based malicious node attack detector is proposed in [116] for a VANET with the IEEE 802.11p media access control (MAC) protocol and an ad-hoc on-demand distance vector (AODV) routing protocol, where a malicious node exploits the AODV protocol. The proposed detector adopts KNN models to learn various network features, including IP addresses, delay, jitter, dropped packets, and throughput. Simulation results in an NS-3 environment show 99% accuracy, with false-positive and false-negative detection ratios below 1%.
An SVM-based network attack detector is proposed in [117] for industrial control systems (ICSs). The proposed detector utilizes an SVM model and a K-means clustering method to alert administrators to attacks, providing a classification of three types of network attack: the network scan, ARP spoofing, and the flooding attack. A two-stage, packet-level anomaly detector was proposed in [118], where the anomaly detector sequentially inspects the packet signatures and the time-series characteristics of the packets. In the first stage, a Bloom-filter method detects packet-level anomalies in the exchanged data, and in the second stage a KNN learning model classifies an attack by inspecting the time-series data. The authors validated the performance of the detector with real data from a gas pipeline system. A semi-supervised learning technique to detect multiple cyber-physical attacks is proposed in [119], where the authors consider general industrial control systems adopting various industrial communications protocols. The proposed learning technique simultaneously utilizes a supervised learning model and an unsupervised learning model for automatic feature extraction and network anomaly detection. The proposed technique provides adaptive attack detection in an environment where attack patterns change rapidly, and therefore it has the strength to handle zero-day attacks. In [120], a fusion of learning methods with an LSTM model and a forward neural network (FNN) model is proposed to detect correlated network attacks. The FNN-only attack detection technique shows prominent detection performance only for single attacks, but low detection rates for correlated attacks. Meanwhile, the LSTM-only detection technique shows a remarkable detection capability for correlated attacks, but its accuracy in the detection of a single attack is not competitive. To overcome the defects of these two ML models, the proposed fusion method is adopted in the IDS, which enhances detection accuracy against both single and correlated network attacks.
In [121], the authors present malware detection algorithms with various machine learning models for networks under the DNP3 protocol. Stuxnet, which attacks industrial control systems, is selected as the target malware for the validation of the detection algorithms. A bidirectional RNN-based network attack detector for a power system with the IEEE 1815.1 protocol is proposed in [122]. The proposed RNN model separately learns the headers and payloads of the power system packets in order to classify various types of attack: five types of malware, three types of false-data injection, and a disabling reassembly attack are considered. The proposed detector not only identifies anomalies from the attacks under consideration, but also detects attempts at unauthorized command injection. A CNN-based network attack detector is proposed in [123] for supervisory control and data acquisition (SCADA) networks. The proposed CNN-based detector watches for network attacks in multiple network layers, from the data link layer to the application layer under the DNP3 protocol, where the authors consider 16 types of attacks and their combinations. The evaluation of the proposed detector is conducted on a real dataset from a power delivery system, with a detection performance above 94% precision for all attacks. A one-class SVM model is proposed in [124] to defend against DoS attacks targeting smart grid SCADA systems. In that work, the authors consider software-defined networking (SDN), where the SDN is responsible for periodically capturing network device information on a centralized SDN controller. From the captured information, a one-class SVM model is trained, and it classifies DoS attacks against the network. The detection performance of the proposed one-class SVM shows an accuracy better than 99%.

Application Layer
A light-weight ML-based software anomaly detector targeting a camera application in an embedded system is proposed in [125]. The proposed ML detector adopts a k-means algorithm, grouping data into k clusters, where the ML model utilizes the distribution of system call frequencies. A CNN model that detects malware is proposed in [126] to classify benign and malicious application software with various features related to permissions, code patterns, and application program interface (API) calls. The authors in [126] adopt a deep auto-encoder as a pre-training method of a CNN model to enhance the training speed of the proposed CNN model. The proposed detector reaches 99.8% accuracy in malware classification, which is higher than existing SVM models. In [127], an ML-based detector of malicious behavior in a computing system is proposed, using a thermal side channel of a CPU with thermal sensors. With a CNN algorithm, the proposed ML model utilizes temporal changes in a heat map of computing components under attacks such as code injection on a computational loop. The performance evaluation of the proposed detector is conducted on a multi-core processor, which shows robust real-time anomaly detection for the computing system with real-time thermal monitoring using a finite number of thermal sensors on chip.
The authors in [128] analyze the performance of various ML-based side-channel attack detection strategies to defend against micro-architectural side-channel attacks. The analysis shows that excessively frequent feature sampling for side-channel attack detection not only increases the computing overhead of attack detection but also decreases accuracy. Therefore, appropriate feature sampling rates and computational overheads should be selected together. The same paper shows a trade-off between attack detection performance and detection latency [128] and proposes proper ML model selection for attack detection. An ML-based cache side-channel attack detection strategy is proposed in [129] under realistic computational load conditions, where the cache side-channel attack under zero-load, medium-load, and heavy-load conditions is considered. Hardware events on caches and system-wide information, including total CPU cycles and branch-prediction misses, are selected to train the ML model for attack detection. The evaluation of the ML-based detection strategy is conducted with 12 ML models, where most of them show performance degradation under heavy-load conditions, and some ML models (such as KNN) generate a detection overhead. A real-time cache side-channel attack detection method is proposed in [130] with a softmax classification algorithm. The proposed ML-based attack detection method is implemented with the Intel Performance Counter Monitor to measure and learn the state of the CPU for the ML model. Performance evaluation is conducted on various CPUs, where the proposed method can detect an attack within about one second, and the CPU usage is less than 1% in each CPU environment.
Against cyber-physical attacks exploiting computing hardware vulnerabilities, an ML-based attack classification method is proposed in [131], where the authors consider two cyber-physical attacks (row hammer and Spectre), which are side-channel attacks exploiting a structural vulnerability of the computer architecture. The authors choose three different ML models (logistic regression, the SVM, and the MLP) to build attack classifiers. The proposed methods with the three ML models show detection performance better than 99.7% accuracy and 98% accuracy against row hammer and Spectre, respectively. A CNN-based row hammer detection model is proposed in [132], which provides online detection of row hammer without Linux kernel modification. The proposed CNN model monitors suspicious DRAM access patterns and learns complex patterns in DRAM accesses. An experiment is conducted in a desktop PC environment and shows that the proposed CNN model detects row hammer within about 1.5 s. The detection time of the proposed detector [132] is sufficiently short because the average time to a bit flip by row hammer is 20 s in the experimental environment.
We briefly review the ML-based attack detection methods against application layer attacks. Table 3 summarizes the existing ML-based detection methods. In contrast to the physical system and network layers, computing systems use several common structures, such as an Intel CPU, across CPS areas. Therefore, Table 3 does not contain a CPS area column, unlike Tables 1 and 2.

Table 3. Summary of ML-based anomaly detection methods in the application layer.

Reference        Defense Against        ML Model   Validation
[125,128,129]    Application software   Various    Experiment
[126,127]        Application software   CNN        Experiment
[130]            Application software   Softmax    Experiment
[131]            Computing hardware     Various    Experiment
[132]            Computing hardware     CNN        Experiment

Potential Research Directions
The ML technique is a powerful tool to detect various cyber-physical attacks targeting each CPS layer. However, ML-based attack detection methods do not always guarantee the stability of the CPS due to the characteristics of the ML technique, such as the requirement for massive amounts of attack data and the high computational load. Thus, there are some limitations to the adoption of the ML technique in real CPSs across all CPS layers, and it is necessary to overcome these characteristics of ML in CPS design. In this section, we provide three potential research directions: real-time attack detection, resilient cyber-physical system design, and dataset generation for learning malicious behavior.

Real-Time Attack Detection in ML
General ML applications, such as obstacle detection, require high accuracy and precision. Therefore, general ML applications are evaluated with four performance metrics [102]: accuracy (9), precision (10), recall (11), and the F1-score (12). However, these conventional evaluation metrics do not consider time-related metrics. Due to the real-time characteristics of physical dynamics in a CPS, security-critical ML applications must be evaluated not only with the four conventional metrics but also with a time-to-detection metric.
Theoretically, physical dynamics can diverge to infinity, but the state of physical systems in the real world has a finite boundary. When the state of the physical system violates the boundary, the physical system becomes irreparable, which means disruption. Therefore, a cyber-physical attack must be detected before the state of the physical system exceeds the repairable boundary.
Detection deadlines are determined by the system dynamics, the state of the physical system when the attack starts, and the type of attack. Figure 7 shows one example of a real-time detection constraint under a DoS attack on a ball-beam control system, which is a well-known physical control system [133]. The ball-beam system tilts a beam to regulate the position of a ball that rolls along the beam under gravity; therefore, the ball-beam system is intrinsically unstable. When a DoS attack (7) is launched against the ball-beam control system, the ball rolls off the beam due to the inherently unstable characteristics of the system. We consider a control scenario in which the range of the beam is 0 m to 1 m and the reference ball position is 0.5 m. If the position of the ball exceeds the range of the beam, we consider the physical system to be irreparable. In this scenario, we launch a DoS attack at 15 s; the position of the ball then decreases drastically and exceeds the range of the beam at 25.75 s. Therefore, the ball-beam control system becomes irreparable. To avoid destroying the physical system, the cyber-physical attack detection strategy must succeed before the physical system reaches the irreparable state boundary. The attack detection deadline is therefore 10.75 s, measured in this scenario from the start of the DoS attack to the point where the physical system becomes irreparable.
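As an added example (not code from this paper or from any cited work), the following Python scores two detectors on a constructed sample stream using both the four conventional metrics defined above and the time-to-detection constraint of the ball-beam scenario. Only the attack timing (DoS at 15 s, irreparable state at 25.75 s, deadline 10.75 s) comes from the text; the 1 Hz sampling and the two detectors' alert patterns are assumptions, chosen so that the detector with the higher accuracy is the one that misses the deadline.

```python
"""Scoring an ML-based CPS anomaly detector with accuracy, precision, recall,
F1 and time-to-detection against a physical detection deadline.
All sample streams and detector outputs are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ConfusionCounts:
    tp: int  # anomalies correctly flagged
    tn: int  # normal samples correctly left alone
    fp: int  # normal samples flagged as anomalies
    fn: int  # anomalies wrongly classified as normal

    @property
    def accuracy(self) -> float:
        total = self.tp + self.tn + self.fp + self.fn
        return (self.tp + self.tn) / total if total else 0.0

    @property
    def precision(self) -> float:
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 0.0

    @property
    def recall(self) -> float:
        actual = self.tp + self.fn
        return self.tp / actual if actual else 0.0

    @property
    def f1(self) -> float:
        p, r = self.precision, self.recall
        return 2 * p * r / (p + r) if (p + r) else 0.0


def confusion(labels: Sequence[bool], alerts: Sequence[bool]) -> ConfusionCounts:
    """labels[i] is True when sample i was generated under attack;
    alerts[i] is True when the detector flagged sample i as abnormal."""
    if len(labels) != len(alerts):
        raise ValueError("labels and alerts must be aligned sample by sample")
    pairs = list(zip(labels, alerts))
    return ConfusionCounts(
        tp=sum(1 for y, a in pairs if y and a),
        tn=sum(1 for y, a in pairs if not y and not a),
        fp=sum(1 for y, a in pairs if not y and a),
        fn=sum(1 for y, a in pairs if y and not a),
    )


def time_to_detection(times: Sequence[float], alerts: Sequence[bool],
                      attack_start: float) -> Optional[float]:
    """Seconds from attack start to the first alert raised at or after it.
    Alerts raised before the attack are false positives and do not count.
    Returns None when the detector never fires once the attack has begun."""
    for t, a in zip(times, alerts):
        if a and t >= attack_start:
            return t - attack_start
    return None


@dataclass(frozen=True)
class Verdict:
    counts: ConfusionCounts
    ttd: Optional[float]   # time to detection, None if never detected
    deadline: float        # irreparable time minus attack start

    @property
    def meets_deadline(self) -> bool:
        return self.ttd is not None and self.ttd <= self.deadline


def evaluate(times, labels, alerts, attack_start, irreparable_time) -> Verdict:
    """Conventional metrics plus the real-time constraint from the text."""
    return Verdict(counts=confusion(labels, alerts),
                   ttd=time_to_detection(times, alerts, attack_start),
                   deadline=irreparable_time - attack_start)


# Constructed stream: one sample per second for 40 s; DoS from 15 s onward.
TIMES = [float(t) for t in range(40)]
ATTACK_START = 15.0
IRREPARABLE_AT = 25.75   # ball leaves the beam (timing from the scenario)
LABELS = [t >= ATTACK_START for t in TIMES]

# Detector A (constructed): six false positives before the attack, but it
# fires 7 s into the attack and keeps firing.
ALERTS_A = [t in (1, 3, 5, 7, 9, 11) or t >= 22 for t in TIMES]
# Detector B (constructed): no false positives, but it first fires at 27 s,
# after the ball has already left the beam.
ALERTS_B = [t >= 27 for t in TIMES]


def compare_detectors():
    a = evaluate(TIMES, LABELS, ALERTS_A, ATTACK_START, IRREPARABLE_AT)
    b = evaluate(TIMES, LABELS, ALERTS_B, ATTACK_START, IRREPARABLE_AT)
    return a, b


if __name__ == "__main__":
    for name, v in zip("AB", compare_detectors()):
        c = v.counts
        print(f"detector {name}: acc={c.accuracy:.3f} prec={c.precision:.3f} "
              f"rec={c.recall:.3f} f1={c.f1:.3f} ttd={v.ttd} "
              f"deadline={v.deadline} met={v.meets_deadline}")
```

Accuracy alone ranks detector B (0.700) above detector A (0.675), yet only A detects the DoS within the 10.75 s deadline, which is the point the text makes about conventional metrics omitting time.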
Many studies into cyber-physical attack detection have been conducted; however, research on cyber-physical security that takes real-time constraints into consideration is insufficient [27]. In the physical system layer, a system knowledge-based attack detection strategy with a KF is proposed in [14], which supports real-time detection of sensor attacks and DoS attacks on a smart grid. A real-time image sensor attack detection method with non-linear physical-dynamics knowledge is proposed in [134], where the proposed method is validated on a vehicle and detects the sensor attack within 0.1 s. In the network layer, a real-time packet manipulation attack detection method targeting CBTC systems is proposed, where distributed network devices continuously monitor for exploitation of the ARP protocol [16]. In [58], a CPS framework provides detection of sophisticated sensor attacks through the network in real time, where the real-time constraint is determined by the irreparable state condition of the physical system. In the application layer, a real-time anomaly detection method is proposed in [103] for autonomous driving systems, where the ML model classifies normal image inputs versus malicious inputs causing unsafe conditions in a short time. In [87], a real-time software attack detection and mitigation strategy for a UAV system is proposed, where the attack is detected within a few hundred milliseconds.
ML-based cyber-physical attack detection methods must consider the real-time constraints of physical systems. However, the heavy computation load of a complex ML model delays attack detection, and the delay can allow the physical system to be disrupted. To satisfy the real-time constraints of cyber-physical security, the complexity of the ML model must be reduced while high scores on the conventional ML evaluation metrics (9)-(12) are still achieved.

Resilient Cyber-Physical System Design
The purpose of a cyber-physical attack is to disrupt the physical system. In particular, CPSs for societal infrastructure must have guaranteed safety and must continue to provide normal services in spite of an attack. Therefore, a resilient CPS design that provides seamless performance recovery from an attack is required, with appropriate ML-based attack handling strategies following real-time attack detection. Figure 7 shows an example of the recovery of a ball-beam control system under a DoS attack. When the DoS attack launches at 15 s, the position of the ball rapidly leaves the range of the beam, resulting in the irreparable state of the physical system at 25.75 s (the red line). However, if a real-time detection and performance recovery strategy is adopted and begins operating at 22 s, the position of the ball is regulated in a timely fashion back to the reference position of 0.5 m with only a small, temporary fluctuation (the magenta line). Through the resilience strategy, the stability of the ball-beam control system is guaranteed against the DoS attack in this control scenario. In conventional physical system security, a hardware redundancy strategy is adopted to handle cyber-physical attacks and unexpected system faults: when one computing system of a CPS shows abnormal behavior, a previously configured auxiliary system substitutes for it. A redundant controller architecture is adopted in [107] to mitigate the physical impact of a cyber-physical attack targeting chemical processes, switching controllers when the attack is detected by the SVM-model detector. The authors in [110] also consider a redundant system configuration to guarantee the stability of a power plant against cyber-physical attacks.
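As an added example (not the survey's code or the model behind Figure 7), the following Python script works through the two ideas above on a constructed plant: the detection deadline, computed as the time a held actuator needs to drive the ball off the beam from the state at attack onset, and the recovery, in which the controller regains the actuator before that deadline. It assumes the standard linearised ball-beam model x'' = -K*alpha with K = 7 m/s^2 per radian, a PD controller with assumed gains, and a DoS that makes the actuator hold its last received command.

```python
import math

# Constructed plant (added example, not the survey's model): linearised ball-beam
# x'' = -K * alpha, K = g / (1 + 2/5) ~ 7 m/s^2 per radian for a solid ball.
K = 7.0            # m/s^2 per rad of beam tilt
DT = 0.01          # integration step (s)
BEAM = (0.0, 1.0)  # beam range (m); leaving it is the irreparable state
REF = 0.5          # reference ball position (m)
KP, KD = 2.0, 1.5  # assumed PD gains (closed loop is overdamped and stable)

def pd_controller(x, v):
    """Beam-angle command (rad) that pushes the ball back toward REF."""
    return KP * (x - REF) + KD * v

def positive_roots(a2, a1, a0):
    """Real roots t > 0 of a2*t^2 + a1*t + a0 = 0 (a2 == 0 handled)."""
    if abs(a2) < 1e-12:
        return [-a0 / a1] if abs(a1) > 1e-12 and -a0 / a1 > 0 else []
    disc = a1 * a1 - 4 * a2 * a0
    if disc < 0:
        return []
    s = math.sqrt(disc)
    return [r for r in ((-a1 - s) / (2 * a2), (-a1 + s) / (2 * a2)) if r > 1e-9]

def detection_deadline(x_a, v_a):
    """Seconds from DoS onset until the ball leaves the beam when the actuator
    holds the last received command, i.e. constant acceleration a = -K*alpha:
    x(t) = x_a + v_a*t + a*t^2/2. Returns None if the ball never leaves."""
    a = -K * pd_controller(x_a, v_a)
    hits = [r for b in BEAM for r in positive_roots(a / 2, v_a, x_a - b)]
    return min(hits) if hits else None

def simulate(x_a, v_a, recover_at=None, t_end=30.0):
    """Semi-implicit Euler run from the DoS onset (t = 0). Controller packets
    are dropped until recover_at, when control resumes (None: never).
    Returns (time the system became irreparable or None, final position)."""
    x, v, t = x_a, v_a, 0.0
    alpha = pd_controller(x, v)           # last command delivered before the DoS
    while t < t_end:
        if recover_at is not None and t >= recover_at:
            alpha = pd_controller(x, v)   # fresh commands reach the actuator again
        v += -K * alpha * DT
        x += v * DT
        t += DT
        if not BEAM[0] <= x <= BEAM[1]:
            return t, x
    return None, x
```

The deadline shrinks as the state at attack onset moves away from the reference, and a recovery that starts after the deadline has nothing left to recover.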
In [135], a system-level simplex architecture that consists of a high-performance complex control module and a high-assurance safety controller with limited performance is proposed to guarantee the safety of the control system against unexpected faults in the complex control module. If the high-performance control module suffers an unexpected error, such as a reboot, the high-assurance control module takes over the control functions of the physical system, which provides robustness against system faults. The simplex architecture is also adopted for safety-critical CBTC systems in [32] to provide CPS resiliency against software faults and sensor attacks.
At the network layer, software-defined networking (SDN) can be adopted as a network recovery method against network-layer attacks. SDN is a network paradigm that separates the network's control-plane and data-plane functions and implements the control plane as software [136,137]. In the control plane, a centralized SDN controller periodically monitors the distributed network devices and installs network policies. In the data plane, the distributed network devices are responsible for delivering data and reporting network statistics, such as link information, packet transmission successes, and changes in network topology. The interaction between the control plane and the data plane enables network-layer cyber-physical attacks to be handled. When abnormal behavior, such as a link failure or an attack, is detected in the data plane, the network devices send an alarm to the SDN controller, which then handles the abnormal behavior, e.g., by reconfiguring communication links to route around it along an alternative path [138,139]. An SDN-based network recovery strategy is proposed in [140] for the performance recovery of a micro-grid against a link cut-off attack, where the strategy detects the malicious network topology change caused by the attack and provides seamless voltage recovery with a small recovery overhead. Furthermore, SDN provides a mitigation strategy against the network delay generated by a flooding attack on the data plane [141,142]. In [58], the authors propose an SDN-based real-time cyber-physical attack detection method that simultaneously considers physical dynamics and network characteristics; the proposed SDN-based method also provides attacker isolation and communication path reconfiguration to recover the physical system from a PDA.
At the application layer, studies have been conducted to handle computing system attacks and guarantee the resiliency of a CPS. In [86], malicious code execution defense strategies are proposed, where restarting the computing system and utilizing a trusted execution environment on the computing hardware platform guarantee safety against malicious code injection attacks. A simplex computing architecture for secure UAV control is proposed in [87], which switches from the normal control mode to a safe control mode to stabilize the UAV when the attacker damages the virtual machine of the computing system, such as by manipulating a control parameter. Moreover, ML-based applications are themselves vulnerable to cyber-physical attacks against the computing layer, which drastically deteriorate the performance of the ML applications [96]. If safety-critical ML applications are attacked, the resulting performance degradation of the ML-based detectors means that cyber-physical attacks will be missed. Thus, ML-based attack detection methods should be secure and should guarantee their own resilience. To mitigate application software attacks targeting a neural network model, a pruning-based and fine-tuning-based defense strategy is proposed in [81], which reduces backdoor attack success rates to 0% with only 0.4% accuracy degradation in the original ML application. A watermarking method for an ML model is proposed in [143], enhancing the security level of the ML model against a backdoor attack.

Dataset Generation for Learning Malicious Behavior
Unlike intelligent CPS applications such as object detection, which train ML techniques on massive amounts of image data, adopting an ML technique for cyber-physical security is difficult in practice because anomalous data for the CPS are scarce. Enormous amounts of fault and attack data are required to train an ML-based anomaly detector; however, anomalous data such as car-accident data or faults in medical CPSs cannot be generated at will, because they involve human casualties [102,144]. Moreover, for unknown attack vectors and attack techniques, no anomalous data that cause physical damage exist to learn from. Because of this lack of anomalous data collections for training, ML-based detectors provide poor accuracy and can generate false alarms.
The generative adversarial network (GAN) is an ML framework consisting of two neural network models: the generator and the discriminator. Figure 8 illustrates the learning processes of the two models in the GAN. The generator produces malicious signals from random noise z with a generation function G in order to deceive the discriminator. The discriminator, with the classification function D, distinguishes legitimate signals from a database from the malicious signals produced by the generator. The identification result from the discriminator, whether the classification succeeded or not, is back-propagated to both neural network models for training, and both models are updated. Through the iterations of malicious signal generation, discrimination, and back-propagation, the malicious signals from the generator become more sophisticated. The learning process illustrated in Figure 8 is finished when the discriminator can no longer distinguish the legitimate signals from the malicious signals generated with the generating function G. A well-designed generator can then be utilized to create malicious cyber-physical attack signals for training ML-based anomaly detectors. Multi-variable anomaly detection with a GAN model is proposed in [145], where an LSTM-RNN model is adopted as both the generator and the discriminator in order to capture the time-varying characteristics of the physical system. The proposed GAN model is evaluated with a novel metric combining discrimination and anomaly reconstruction on two complex physical system datasets. Beyond generating anomaly signals, a GAN-based anomaly detection strategy that considers real-time requirements is proposed in [146]; for GAN-based anomaly detection, the authors in [146] adopt fog computing to reduce the detection latency, which is five times lower than the latency in [145].
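As an added example (not the survey's or any cited paper's code), the following toy GAN in pure Python makes the loop of Figure 8 concrete in one dimension: a linear generator G(z) = a*z + b, a logistic discriminator D(x), the two cross-entropy losses, the hand-derived gradients that back-propagate D's verdict into both models, and an alternating training loop on constructed legitimate data drawn from N(3, 1). The model forms, learning rate, batch size and data distribution are assumptions chosen so that the mechanics stay visible.

```python
import math
import random

def discriminate(d, x):
    """D(x) = sigmoid(w*x + c): the probability that signal x is legitimate."""
    return 1.0 / (1.0 + math.exp(-(d["w"] * x + d["c"])))

def generate(g, z):
    """G(z) = a*z + b: turn random noise z into a candidate malicious signal."""
    return g["a"] * z + g["b"]

def disc_loss(d, real, fake):
    """Cross-entropy: D should answer 1 on legitimate and 0 on generated signals."""
    return (-sum(math.log(discriminate(d, x)) for x in real)
            - sum(math.log(1.0 - discriminate(d, x)) for x in fake)) / len(real)

def disc_grads(d, real, fake):
    """Hand-derived d(disc_loss)/dw and /dc, using sigmoid' = D*(1-D)."""
    n = len(real)
    gw = (-sum((1.0 - discriminate(d, x)) * x for x in real)
          + sum(discriminate(d, x) * x for x in fake)) / n
    gc = (-sum(1.0 - discriminate(d, x) for x in real)
          + sum(discriminate(d, x) for x in fake)) / n
    return {"w": gw, "c": gc}

def gen_loss(g, d, noise):
    """Non-saturating generator loss: make D call generated signals legitimate."""
    return -sum(math.log(discriminate(d, generate(g, z))) for z in noise) / len(noise)

def gen_grads(g, d, noise):
    """Back-propagate gen_loss through D into the generator parameters a and b."""
    ga = gb = 0.0
    for z in noise:
        dx = -(1.0 - discriminate(d, generate(g, z))) * d["w"]  # dL/dG(z)
        ga += dx * z
        gb += dx
    return {"a": ga / len(noise), "b": gb / len(noise)}

def train(steps=50, lr=0.05, batch=64, seed=0):
    """Alternate one D step and one G step; legitimate data are constructed N(3,1)."""
    rng = random.Random(seed)
    d, g = {"w": 0.0, "c": 0.0}, {"a": 1.0, "b": 0.0}  # generator starts at N(0,1)
    for _ in range(steps):
        real = [rng.gauss(3.0, 1.0) for _ in range(batch)]
        noise = [rng.gauss(0.0, 1.0) for _ in range(batch)]
        fake = [generate(g, z) for z in noise]
        for k, grad in disc_grads(d, real, fake).items():
            d[k] -= lr * grad          # discriminator learns from its mistakes
        for k, grad in gen_grads(g, d, noise).items():
            g[k] -= lr * grad          # generator learns to fool the updated D
    return d, g
```

The analytic gradients can be checked against central finite differences of the two loss functions, and after a few dozen alternating steps the generator's offset b has moved from the noise mean toward the legitimate-data mean.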
In [147], a GAN modeling method is proposed for the analysis of cyber-physical security requirements, including integrity and availability, for production systems. The training of the proposed GAN model utilizes signal and energy information exchanged between the cyber domain and the physical domain. The authors in [147] evaluate the performance of the security analysis with the proposed GAN modeling method in a 3D printer testbed environment.
A GAN-assisted network IDS is proposed in [148] to achieve high anomaly-detection accuracy on a network with insufficient abnormal data. An evaluation with the KDD'99 dataset [149] shows that the proposed GAN-based IDS outperforms a standalone IDS in terms of precision, recall, and F1-score. In [150], a hierarchical GAN framework with an auto-encoder model is proposed for network intrusion detection in large-scale distributed networks. The GAN training process on each local network gateway transmits a parametric model to the centralized network controller, which saves communication overhead compared with forwarding the raw traffic. From the received models, the centralized network controller learns a global anomaly detection model.

Conclusions
Since networks combine the physical system and the computing system, a CPS becomes vulnerable to cyber-physical attacks, which may disrupt and cause malfunctions in a physical system in the real world. Moreover, owing to the enhanced connectivity of the networks, CPSs will become large and complex; thus, a model of a complex CPS becomes difficult to build and inaccurate relative to the real CPS, which reduces the security level of conventional model-based cyber-physical security strategies. To guarantee the safety and reliability of large and complex CPSs, it is necessary to adopt not only machine learning techniques but also conventional detection approaches in order to enhance the security level of the CPS.
This paper presented a comprehensive survey of the threats that damage the CPS and of attack-detection strategies based on ML techniques. First, we presented a hierarchical CPS model that abstracts the complex CPS structure into three layers of CPS functions: the physical system layer, the network layer, and the application layer. Then, we presented cyber-physical attacks for each CPS layer in terms of attack implementations and examples. In particular, we analyzed various cyber-physical attacks from the perspective of physical system dynamics by introducing linear dynamics. In addition, we presented various ML-based cyber-physical attack-detection strategies and security evaluation metrics for the ML-based strategies, where the hierarchical CPS model was used to detect and handle cyber-physical attacks targeting each layer. Finally, we discussed future research directions from the perspectives of real-time attack detection, resilient CPS design, and dataset generation to defend against cyber-physical attacks. Pursued together, these research directions enhance the security level of the CPS by exploiting the tremendous computation power and data-driven nature of ML techniques despite their shortcomings.