Mitigating Impact of Data Poisoning Attacks on CPS Anomaly Detection with Provable Guarantees ^†

Abstract

Anomaly-based attack detection methods depend on some form of machine learning to detect data falsification attacks in smart living cyber–physical systems. However, there is a lack of studies that consider the presence of attacks during the training phase and their effect on detection and false alarm performance. To improve the robustness of time series learning for anomaly detection, we propose a framework by modifying design choices such as regression error type and loss function type while learning the thresholds for an anomaly detection framework during the training phase. Specifically, we offer theoretical proofs on the relationship between poisoning attack strengths and how that informs the choice of loss functions used to learn the detection thresholds. This, in turn, leads to explainability of why and when our framework mitigates data poisoning and the trade-offs associated with such design changes. The theoretical results are backed by experimental results that prove attack mitigation performance with NIST-specified metrics for CPS, using real data collected from a smart metering infrastructure as a proof of concept. Thus, the contribution is a framework that guarantees security of ML and ML for security simultaneously.

1. Introduction

Data falsification attacks from sensors have been widely studied in cyber–physical system (CPS) domains. The objective of data falsification attacks is to disrupt the operational accuracy and functioning of a CPS application. To detect such attacks, anomaly detection approaches, which involve some form of machine learning (ML), have been developed. For example, in CPS anomaly detection, a series of works proposed in  [1,2,3] involve learning a low dimensional representation of the benign profile of sensing data from a large distributed network of CPS sensors. This is followed by learning a detection threshold of the benign profile from the low dimensional representation. However, all these works assume that the training data are attack- and error-free.

In contrast, the discipline of adversarial ML deals with attacks that are analogous to data falsification attacks, but designed specifically to exploit inherent weaknesses in the ML/AI principles [4,5,6] and may happen during training. Naturally, therefore, learning-based anomaly detection frameworks designed to detect data falsification attacks are themselves vulnerable to adversarial ML attacks. Therefore, there is a need to design robust learning-based anomaly detection frameworks that are gracefully immune to adversarial ML attacks, while still being able to detect those attacks that the anomaly detection approach was originally designed to identify.

Proof-of-Concept Application: To show experimental validity of our work, we use smart metering infrastructure (SMI) as a smart living CPS sensing proof-of-concept application. We consider a neighborhood of households each installed with a smart energy meters that sense power consumption data periodically. We select a state-of-the-art learning-based anomaly detector (See Section 3 for formal details) that was developed to identify electricity theft and other attacks in SMI [1] during the testing phase by accurately learning the thresholds of a latent space that specified benign behavior of a network of smart meters from a neighborhood. The work in  [1] proved that any data falsification attack from one or more smart meters during test phase (that in the real world can result from cyber attack/physical tampering of meters) violates the learned thresholds of benign behavior from training data containing smart meter power consumption data.

However, for any kind of machine learning to be successful, the training and test data should ideally come from the same distribution. Therefore, learning the profile of benign data during training must be performed on data collected from the actual SMI deployment. Naturally, even though the adversary does not know the exact detection model, they know that falsifying data during training will degrade the learning performance of the anomaly-based attack detector by preventing accurate profiling of benign behavior. Infact, an audit study [7] conducted across several countries revealed the presence of organized manipulation of smart meters which biases any data collected.

Scope: Within adversarial ML, attacks are broadly categorized as evasion and poisoning. Data poisoning attacks falsify data during the training phase, thereby preventing accurate learning and negatively affecting the performance of the ML-based framework during the test phase. In this paper, we focus on the mitigating impact of ’data poisoning attacks’ [8] on anomaly-based attack detection methods that use machine learning principles. Furthermore, adversarial ML attacks specify varying possible levels of knowledge an adversary could possess: (1) white-box, (2) black-box, (3) gray-box. In a white-box, the adversary is assumed to have exact knowledge of the ML technique and direct access to all training/test data points, representing the worst-case scenario. In the black-box approach, the attacker has no knowledge of the model and partial access to the data. The gray-box approach falls in between, where the adversary has some knowledge of the model and partial access to the data points. Although white-box strategies can have serious consequences, the likelihood of such attacks is lower compared to black-box attacks that are much easier to launch and hence more likely (especially in the context of our chosen proof-of-concept application smart metering infrastructure). Hence, in this paper, we focus on the black-box approach to data poisoning given its high likelihood.

We implement data falsification attacks of varying intensities over varying possible subsets compromised by smart meters (termed as Random Smart Meter Level poisoning attack (RSL)) during the training phase to emulate various potential intents of an attacker. This biases the learned low-dimensional latent representation of the feature space and hence its detection thresholds. We apply our modified threshold learning approach and then evaluate the impact of undetected attacks with and without the presence of data poisoning and compare with the approach proposed in [1]. We observe a significant degradation in the anomaly detection model’s performance proposed in [1] while proving that proposed advancements on detection threshold learning via resilient and adaptive M-estimation theory mitigates the impact of undetected attacks in the test set caused by data poisoning attacks launched during training.

Contributions: (1) We propose a novel robust learning framework for learning anomaly detection thresholds by integrating weighted regression and the theory of M-estimators.

(2) We demonstrate the relationship between the data poisoning attack strength and how it impacts the loss function choice, and a very counter-intuitive false alarm trade-off that accounts for the lower base rate probability of experiencing a data poisoning attack.

(3) We develop formal, explainable theoretical proofs that show which loss function offers mitigation, and why, under different intensities of data poisoning attacks.

(4) We compare improvements of the proposed resilient ML-based anomaly detection over prior works using two unconventional metrics for more practical security evaluation: (a) impact of undetected attacks; (b) expected time between two false alarms.

Benefits: We take a unique approach of breaking down the anomaly detection framework into its key facets (anomaly detection metric latent space, effect of regression type choice, effect of loss function choice, effect of base rate fallacy). Furthermore, this is in contrast to other works which just randomly try different loss functions and find the best one empirically. Additionally, we show which data and attack characteristics should be used and how to optimally derive the best loss function (i.e., estimator of parameter) that should be used for learning in an application agnostic manner by focusing on distribution characteristics in the regression errors over the latent anomaly detection metric being used for attack/anomaly detection. We provide explainability of why the proposed mitigation framework really works with the associated trade-offs, and failure points via our chosen metrics of evaluation, such as the impact of undetected attacks.

A preliminary version of this work appeared in [9]. However, the earlier paper did not (i) prove why this mitigation occurs, (ii) explain the design choices made for anomaly detection learning, and why and when they are appropriate against data poisoning attacks, and (iii) have theoretical results that verify the correctness of the experimental outcomes. In this paper, we address (i), (ii), and (iii) to provide a proper scientific foundation for the preliminary work.

2. Related Work

There is one work on adversarial machine learning that discusses smart grids in the context of differential privacy [10]. For poisoning attacks and defenses in a general regression setting, Ref. [11] proposes an adversarial poisoning technique that adds extra points to an existing dataset to bias the prediction in a classical linear regression problem. This approach works in an open setting but is not applicable in a CPS setting, where all smart meters must be physically registered with a utility. Some works [12] have proposed game-theoretic defenses for theoretical regression problems involving a rational adversary, which are valid under white-box attack assumptions, where the adversary both knows the detection model and has access to all training data points. In [11], the attack in a regression setting involved adding extra points to the training set, and the defense limited the inclusion of these extra points in the learning process. However, in our case, time is an invariant design feature, making the addition of extra points for poisoning infeasible. There have been significant theoretical advances in evaluating the vulnerabilities of ML models against adversarial attacks, particularly in computer vision and image processing algorithms [4,13]. Additionally, practical works on adversarial attacks targeting spam email detection [5], as well as various theoretical studies on attacks and defenses [11], also exist. Most existing work in smart living CPS focuses on strategies that disrupt operations, but does not explain the mitigation of data poisoning attacks that target the machine learning aspect of anomaly-based data integrity attack detectors.

3. Background and Preliminaries

The SMI consists of smart meters deployed in houses that periodically collect power consumption data. At any hour t, the power consumption reported by the i-th smart meter in house i is denoted as $P^i\left(t\right)$. We now provide the details of the anomaly detection process.

3.1. Anomaly Detection Problem Specification

The model being poisoned is a time series anomaly detection method proposed in a series of previous works [1,3,14,15]. We chose this technique due to the following reasons: (1) it represents the most recent theoretical work in micro-grid-level time series anomaly detection, capable of detecting very low data falsification margins while maintaining a low false alarm rate; (2) the method has been shown to generalize to other CPS/IoT domains such as Phasor Measurement Units [15], Smart Transportation Systems [3], and Smart Water Usage Monitoring [14]; (3) it adheres to the latest National Institute of Standards and Technology (NIST)-specified metrics [2], such as the impact of undetected attacks and expected time between false alarms; (4) while many anomaly detection methods in industrial CPS rely on pairwise comparison of positive covariance structures [16] for invariant design, such calculations are expensive for large community-scale smart living CPS (like SMI). The method in [1] proposes a lightweight equivalent. Additionally, the chosen framework’s metrics show unique deviation signatures under different data integrity attack types, which assist in reconstructing the attack type, strategy, and severity.

The goal of the anomaly detection framework in the test set is to detect orchestrated data falsification attacks in a smart metering infrastructure. Poisoning attacks, on the other hand, aim to alter the training data, degrading the model’s performance in the test set in two ways: (1) integrity violation, which aims to increase missed detections, and (2) availability violation, which aims to increase the false alarm rate.

In this paper, we focus solely on integrity violations caused by poisoning attacks. While our poisoning attack targets a specific technique proposed in [1], it generalizes to other time series anomaly detection methods that use regression-based learning to determine anomaly detection thresholds. This generality arises from the shared design similarities among time series anomaly detection approaches.

To provide a generic contribution while demonstrating the practical effectiveness of a specific framework and application, we describe the anomaly detection technique [1] through the following key aspects: (1) anomaly detection metric, (2) residuals of a time series, (3) learning of thresholds from residuals, and (4) anomaly detection criterion.

3.2. Time Series Anomaly Detection Method

The anomaly detection method converts the raw data into a latent space called $RUC\left(T\right)$ that is a low-dimensional time series representation. We provide the steps below:

Anomaly detection Metric: The anomaly detection metric is a time series of the harmonic-to-arithmetic mean ratio from multiple smart meters (proposed in [1,15]). To achieve invariance in the time series of the metric under benign conditions, the ratio is calculated over strategic spatial and temporal granularity, designed to maximize positive covariance among individual meters in the micro-grid. Mathematically, the invariant metric is as follows:

$$Q^r\left(T\right)={\displaystyle \frac{{\sum }_{t=1}^{W}HM\left(t\right)}{{\sum }_{t=1}^{W}AM\left(t\right)}}$$

(1)

where $HM\left(t\right)$ and $AM\left(t\right)$ are the harmonic and arithmetic means of power consumption $P^i\left(t\right)$ from 200 smart meters at time slot t, after applying a Box-Cox transformation. The temporal granularity is indexed by the T-th time window, with each time window consisting of a length of W time slots.

In the case of SMI, previous work determined that $W=24$ h, and the granularity included the entire solar village of 200 houses due to its small size. Hence, for a typical year, the range of $T\in \{1,365\}$. This method operates in a decentralized manner for each spatial cluster. In this paper, we focus on a single spatial cluster, specifically a small solar village forming a micro-grid of 200 houses.

Safe Margins: Safe margins quantify the expected upper and lower bounds of the anomaly detection metric at any time window T. The expected value of the ratio metric at the T-th time window is denoted as ${\mu }^{Q^r}\left(T\right)$. ${\mu }^{Q^r}\left(T\right)$ is the cumulative weighted time average of ratios observed across the T-th window over multiple years (non-parametric statistic). In contrast, ${\sigma }_r$ denotes the standard deviation of the probability distribution of $Q^r\left(T\right)$ samples in the training set (parametric statistic). The upper and lower safe margins are neighborhoods around the expected value ${\mu }^{Q^r}\left(T\right)$, controlled by a scalar factor $\kappa$ of the standard deviation (${\sigma }_r$) of the distribution of the ratio metric. Mathematically, this is

$${\mathrm{\Gamma }}_{high}\left(T\right)={\mu }^{Q^r}\left(T\right)+\kappa {\sigma }_r$$

(2)

$${\mathrm{\Gamma }}_{low}\left(T\right)={\mu }^{Q^r}\left(T\right)-\kappa {\sigma }_r$$

(3)

where ${\mathrm{\Gamma }}_{high}\left(T\right)$ is the upper safe margin and the ${\mathrm{\Gamma }}_{low}\left(T\right)$ is the lower safe margin. The conceptual details of why this is helpful can be found in [1].

Latent Space Metric: The concept of residual latent space metric is important for balancing missed detections and false alarms in time series learning-based anomaly detection. Residuals represent the difference between the sample $Q^r\left(T\right)$ and the safe margins. The residual at any time window, $\nabla \left(T\right)$, equals 0 if $Q^r\left(T\right)$ is within the upper and lower safe margins, and is non-zero when $Q^r\left(T\right)$ falls outside these margins. A $Q^r\left(T\right)$ larger than ${\mathrm{\Gamma }}_{high}\left(T\right)$ (outside the upper safe margin) results in a positive $\nabla \left(T\right)$, while $Q^r\left(T\right)$ smaller than ${\mathrm{\Gamma }}_{low}\left(T\right)$ (outside the lower safe margin) results in a negative $\nabla \left(T\right)$. Mathematically, this is represented as follows:

$$\nabla \left(T\right):\left\{\begin{array}{cc}=Q^r\left(T\right)-{\mathrm{\Gamma }}_{high}\left(T\right),\hfill & if{Q}^r\left(T\right)>{\mathrm{\Gamma }}_{high}\left(T\right);\hfill \\ =Q^r\left(T\right)-{\mathrm{\Gamma }}_{low}\left(T\right),\hfill & if{Q}^r\left(T\right)<{\mathrm{\Gamma }}_{low}\left(T\right);\hfill \\ =0,\hfill & \mathrm{otherwise};\hfill \end{array}\right.$$

(4)

The $\nabla \left(T\right)$ are known as stateless residuals [16]. The corresponding stateful residuals are obtained from the stateless residuals by calculating the cumulative sum of $\nabla \left(T\right)$ over a sliding window of length F. At any T, the stateful residual is given by

$$RUC\left(T\right)=\sum _{j=T-FS}^T\nabla \left(j\right)$$

(5)

Thus, the vector of $RUC\left(T\right)$ per year has 365 entries, which can be zero, positive, or negative.

Threshold Learning from Latent Space: Using the positive $RUC\left(T\right)$ values (denoted by $RU{C}^{+}\left(T\right)$) as training data points, the best upper threshold (${\tau }_{max}$) is found. Similarly, all negative $RU{C}^{-}\left(T\right)$ values are used as training data points for determining the best lower threshold (${\tau }_{min}$). Setting a threshold from the set of discrete $RU{C}^{+}\left(T\right)$ and $RU{C}^{-}\left(T\right)$ points is similar to fitting a straight line to the set of points; thus, the threshold learning problem is treated as a regression problem. Since the threshold is time-invariant, the regression reduces to finding the bias term, which is the unknown model parameter. The search spaces for the upper and lower thresholds are denoted by ${\tau }^{+}$ and ${\tau }^{-}$, respectively. We now introduce some terminology related to regression analysis for completeness and clarity:

Regression Error: In regression problems, the error is the difference between a candidate model parameter (or threshold) and a training data point. For each candidate model parameter, an error value is calculated for each training data point. In linear regression, positive and negative errors are treated equally. This is denoted as $s_i$.

Loss Function: The loss function represents the regression error, indicating the fit of the candidate model parameters ${\tau }^{+}$ and ${\tau }^{-}$. For example, linear regression uses the square of the regression error ($L2$ norm). For each candidate model parameter and training data point, there is one corresponding loss value.

Empirical Risk Function: It is an equation that maps the goodness of a candidate parameter across all training data points (observations). Typically, it is the average of the loss function values across all training data points. In linear regression, the empirical risk is typically the mean of squared errors. Since regression involves finding the function that best approximates the data, the candidate model parameter with the minimum empirical risk is the optimal solution. Hence, this type of regression is known as least squares regression.

A series of prior works in smart living CPS [1] argues that the $L1$ norm (absolute errors), rather than the $L2$ norm (squared regression error), should be used as the loss function to improve robustness against unpredictable human behaviors that affect the benign pattern in the latent space $RUC\left(T\right)$. Algorithm 1 summarizes the basic framework for learning thresholds as proposed in [1]. In Algorithm 1, the regression error is $\tau -RUC\left(T\right)$. Notice that, unlike in linear regression, the regression errors are assigned unequal weights, and the weighted regression errors are stored separately in $\mathbb{C}$ and $\mathbb{P}$.

Algorithm 1: Calculate ${\tau }_{max}$

Detection Criterion: The $RUC\left(T^{test}\right)$ is the invariant in the test set. If it is violates the upper and lower thresholds, it indicates an attack.

$$RUC\left(T^{test}\right):\left\{\begin{array}{cc}\in [{\tau }_{min},{\tau }_{max}]\hfill & \mathrm{No} \mathrm{Attack};\hfill \\ \notin [{\tau }_{min},{\tau }_{max}],\hfill & \mathrm{Attack} \mathrm{Inferred};\hfill \end{array}\right.$$

(6)

Using this approach, prior work [1] demonstrated that small-margin additive attacks increase $RUC\left(T^{test}\right)$, violating the upper threshold ${\tau }_{max}$. For other attack types, such as deductive/camouflage attacks, $RUC\left(T^{test}\right)$ decreases, violating the lower threshold ${\tau }_{min}$.

4. Threat Model

The main goal of poisoning attacks is to reduce the learning accuracy of the detector during the training phase, allowing attacks to go undetected in the test set. This occurs when training phase attacks result in the widening of the true thresholds (i.e., the upper threshold increases and the lower threshold decreases). Additionally, the adversarial goal requires two threat models: one for the training set and one for the test set.

4.1. Training Phase Threat Model

The adversary injects false data into the training phase through a subset of compromised smart meters. As we show in Section 4.2, this biases the anomaly detection metric used to profile benign behavior. Utilities may not always face attacks from optimal adversaries. An attacker can poison the training process by introducing false data directly through smart meters (or other physical sensors) by compromising a subset of smart meters (referred to as attack scale) and injecting a specific amount of false data per smart meter (referred to as attack strength). In reality, both attack scale and strength can take on any value. To model this, we vary the attack scale and strength to create multiple simulated attack datasets, leading to a more comprehensive evaluation of potential threats.

Training Attack Strength, denoted by ${\delta }_{avg}^{\left(p\right)}$, refers to the average margin of false data injected per meter during training. The ${\delta }_{avg}^{\left(p\right)}$ is used as a variable to assess the sensitivity of performance degradation in the anomaly detector.

Training Attack Scale, denoted by ${\rho }_{mal}^{\left(p\right)}$, refers to the fraction of meters used by an adversary to launch meter-level training data poisoning. ${\rho }_{mal}$ is used as a variable to assess the sensitivity of the detector’s performance degradation.

Training Attack Type: This refers to how the data are falsified from their original value, $P_t^i$. Several attack types relevant to SMI have been reported in [1] (e.g., additive, camouflage, conflict). In the context of poisoning aimed at violating the detector’s integrity, we found that a deductive attack type launched during the training phase is sufficient to achieve this. Details are provided in Section 4.2.

Deductive attacks reduce the original data, represented as $P_t^i-{\delta }_t^{\left(p\right)}$, where ${\delta }_t^{\left(p\right)}\in [{\delta }_{min},{\delta }_{max}]$, and the expected value of ${\delta }_t^{\left(p\right)}$ converges to the strategic Training Attack Strength ${\delta }_{avg}^{\left(p\right)}$. Furthermore, deductive data falsification attacks are easy to launch, particularly on smart meters, and a large fraction of smart meters are plagued by deductive attacks [7], leading to electricity theft, and making it a highly relevant problem when training anomaly-based attack detectors in SMI.

4.2. Investigating Impact of Data Poisoning on Latent Spaces in Anomaly Detection

Random poisoning at the smart meter level gives adversaries a distinct advantage. It is more practical because it can be launched at any time, requiring only access to a set of CPS sensing endpoints (e.g., smart meters) and no other knowledge. In machine learning, the training and test sets should ideally come from the same distribution, which means training on actual smart living CPS system data is necessary. However, the attacks the utility aims to detect during testing may already be present in the training set. In such cases, we need to make the learning process more robust in Algorithm 1 when $RU{C}^{+}$ or $RU{C}^{-}$ inputs are perturbed. This is exactly what happens if there is a deductive attack from varying percentages of smart meters in a micro-grid. Figure 1 illustrates the impact of a basic deductive attack with ${\delta }_{avg}^p=200$ and ${\rho }_{mal}^p=0.3$ over a 1-month period during the training of a model using live smart meter deployment on $RUC\left(T\right)$. As the ratio and $RUC\left(T\right)$ decrease, more negative RUCs appear in $RU{C}^{-}\left(T\right)$, influencing the learning of ${\tau }_{min}$ (See). This results in a lower ${\tau }_{min}$ being triggered by the negative RUCs.

Generally, for most anomaly detection metrics (including $RUC\left(T\right)$), higher ${\rho }_{mal}^{\left(p\right)}$ and ${\delta }_{avg}^{\left(p\right)}$ lead to greater deviations in the metric, indicating stronger poisoning impacts. However, when ${\delta }_{avg}^{\left(p\right)}$ is excessively high, evident changes in the $RUC\left(T\right)$ space may occur. Additionally, benign changes (refer to 50–100) highlight the necessity of threshold learning. Interestingly, the learned upper threshold also increases following a poisoning attack. This unexpected outcome arises due to the design of safe margins ${\mathrm{\Gamma }}_{high}\left(T\right)$ and ${\mathrm{\Gamma }}_{low}\left(T\right)$, which aimed to reduce false alarms in the initial approach. Thus, robust learning for both thresholds is essential. Additionally, clustering-based methods to identify potential points are not unified, as the number of clusters formed a priori is unknown and depends on the specific values of ${\rho }_{mal}^{\left(p\right)}$ and ${\delta }_{avg}^{\left(p\right)}$, with various combinations potentially used by an adversary. From the above analysis, we can infer that threshold learning is compromised in both directions. This finding is particularly noteworthy, as a single type of poisoning attack (i.e., deductive) during training can impact both the upper and lower thresholds, as illustrated in Figure 1. This manipulation enables the evasion of detection during testing.

4.3. Test Phase Threat Model

The test set threat model mirrors the smart meter-level perturbation, as the goal is to prevent the utility from detecting data falsification from smart meters. Therefore, we will not elaborate on this section but will use different notations, introducing the terms ${\delta }_{avg}^{\left(te\right)}$ for attack strength and ${\rho }_{mal}^{\left(te\right)}$ for attack scale, both used for evasion in the test set. This holds true whether residuals or raw meter data were perturbed during poisoning.

5. Resilient Learning Under Poisoning Attacks

We need to design a threshold learning method that mitigates the bias induced in the threshold estimate. In typical linear regression, the empirical loss function is ${\displaystyle \frac{1}{n}}{\sum }_i^n{s}_i^2$, where the i-th training data point, denoted by $r_i$ (the RUC in our case), is formally called the residual. $s_i$ represents the difference between the data point and a given candidate estimate, expressed as $s_i(r_i,{\tau }_j)=|r_i-{\tau }_j|$, formally called the regression error. The poisoning attack causes the magnitude of $r_i$ to change, which in turn perturbs $s_i$, affecting the threshold learning through regression. To achieve the above, we first provide theoretical insight into robust learning under poisoning attacks, including M-estimation. Second, we provide theoretical proof for the choice of M-estimators by demonstrating their theoretical relationship with poisoning attack strength. Third, we propose a robust algorithm for learning thresholds from the latent space.

5.1. Theoretical Intuition on Robust Learning Estimator

In the subsequent analysis, we explain how to determine a suitable loss function tailored to the specific characteristics of the attack and the rationale behind it. During the training phase, attackers can inject random attacks with different values of ${\delta }_{avg}^{\left(p\right)}$ and ${\rho }_{mal}^{\left(p\right)}$. This manifests as varying degrees of perturbation in the $RUC$ latent space. Let the varying degree of perturbations be denoted as ${\delta }_s$. These different poisoning attacks will lead to changes in regression errors (denoted as $s_i$) for each point in the latent space. The perturbation in the latent space depends on the product of the margin of false data (attack strength) ${\delta }_{avg}^{\left(p\right)}$ and attack scale ${\rho }_{mal}^{\left(p\right)}$, resulting in a specific perturbation value of ${\delta }_s$ in the latent space, as shown in Section 4.2. In general, increasing ${\rho }_{mal}^{\left(p\right)}$ and ${\delta }_{avg}^{\left(p\right)}$ leads to a larger ${\delta }_s$. The distribution of $s_i$ samples, contaminated by a margin ${\delta }_s$, is defined as follows:

$$P:=\{(1-{\delta }_s)N_D+{\delta }_{s}G\},$$

(7)

where $N_D$ refers to a normal (or ideal) distribution, typically representing the assumed parametric model of $s_i$, and G represents an arbitrary symmetric distribution for contaminated $s_i$ that captures deviations from $N_D$. The parameter ${\delta }_{avg}^{\left(p\right)}$ and/or ${\rho }_{mal}^{\left(p\right)}$ significantly influences the perturbed $RUC\left(T\right)$ values, which in turn result in perturbed regression errors $s_i$, introducing variations and deviations from the assumed parametric model (i.e., the normal distribution in regression). This influence is reflected in the distribution G, which captures the contaminated $s_i$. As ${\delta }_s$ increases, the contamination in $s_i$ becomes more pronounced. On the other hand, the complementary value $1-{\delta }_{avg}^{\left(s\right)}$ has a notably smaller influence. This component accounts for the portion of perturbed $s_i$ that still follows the normal distribution $N_D$, belonging to the portion of training data that remains unpoisoned. Although present, these $s_i$ have a relatively minor impact compared to those captured by the distribution G.

Small Strength Poisoning Attacks: Figure 2 depicts the two probability distributions originating from the two distinct sets (poisoned and non-poisoned) of regression errors. The yellow line in Figure 2 corresponds to the perturbed $s_i$ values arising from poisoned $RUC$ values represented by G. Specifically, the poisoning attack we implemented had a very small ${\delta }_{avg}^{\left(p\right)}=100$ and we kept the ${\rho }_{mal}^{\left(p\right)}=0.4$. After performing a Kolmogorov–Smirnov test [17,18], we found that the contaminated distribution G most closely fits a double exponential distribution. However, note that the above is only true when ${\delta }_{avg}^{\left(p\right)}$ is relatively small, given the same value of ${\rho }_{mal}^{\left(p\right)}$.

In contrast, the green line in Figure 2 represents the distribution of benign regression errors originating from the benign $RUC$ values, denoted as $N_D$. The Kolmogorov–Smirnov test revealed that $N_D$ most closely fits the Gaussian distribution.

This distribution P is a composite distribution where the central region is approximated by a mixture of normal distributions ($N_D$), while the tail section resembles a double exponential distribution (G).

$\sigma$ is the scale parameter of the input set $RUC\left(T\right)$ and $c>0$ is a constant, where $c\sigma$ is a separating point dividing the compound distribution such that points smaller than $c\sigma$ come from the unperturbed true Gaussian distribution $N_D$, and points greater than $c\sigma$ follow a double exponential distribution. As mentioned in [19], in the most general case, guessing the least favorable distribution allows for hypothesis testing on compound distributions, as in our case. Hence, we can rewrite Equation (7), as a least favorable distribution, by the following:

$$P=\left\{\begin{array}{cc}(1-{\delta }_s)N_D:N(s_i,\tau ,\sigma )\hfill & \mathrm{if} |s_i|\le c\sigma ;\hfill \\ {\delta }_{s}G:{\displaystyle \frac{1}{\sigma \sqrt{\left(2\pi \right)}}}exp({-c\sigma s}_i+{\displaystyle \frac{c^2{\sigma }^2}{2}})\hfill & \mathrm{if} |s_i|>c\sigma .\hfill \end{array}\right.$$

(8)

where $\tau$ and $\sigma$ correspond to the location and scale parameters of the least favorable distribution (i.e., the regression errors $s_i$), and $N(s_i,\tau ,\sigma )$ represents the pdf of a normal distribution. The second part represents the pdf of a double exponential distribution. Without loss of generality, Equation (8) is the density function for the least favorable distribution.

Following the theory of least favorable distributions, the pdf is not expressed via the raw input $s_i$, but rather a standardized input. An estimator is known as “minimax” when it performs best in the worst-case scenario, which is useful during poisoning attacks. A minimax estimator should be a Bayes estimator with respect to a least favorable distribution [20]. To demonstrate this, we use Equation (8) to find the best estimator under small poisoning attacks.

In maximum likelihood estimation (MLE), the likelihood function is taken over all N datapoints. Where $(r_i-\tau )=s_i$ and $\beta =c\sigma$ as a function of the scale parameter, the likelihood of the least favorable distribution is given by

$$L=\left\{\begin{array}{cc}\prod _{i=1}^N{\displaystyle \frac{1}{\sqrt{2\pi {\beta }^2}}}exp\left({\displaystyle \frac{-1}{2{\beta }^2}}{\left(s_i\right)}^2\right)\hfill & \mathrm{if} |s_i|\le \beta \hfill \\ \prod _{i=1}^N{\displaystyle \frac{1}{\sqrt{2\pi {\beta }^2}}}exp\left(-\beta s_i+{\displaystyle \frac{{\beta }^2}{2}}\right)\hfill & \mathrm{if} |s_i|>\beta .\hfill \end{array}\right.$$

(9)

We know that optimizing the likelihood function is equivalent to optimizing the negative log-likelihood function. Hence, let $\rho \left(s_i\right)=-log\left(L\right)$. With some algebra and derivation, it can be shown that the negative natural logarithm of Equation (9) is given by

$$\rho \left(s_i\right)=\left\{\begin{array}{cc}{\displaystyle \frac{1}{2{\beta }^2}}\left(\sum _{i=1}^n{\left(s_i\right)}^2\right)+C\hfill & \mathrm{if}|s_i|\le \beta ;\hfill \\ \begin{array}{c}{\displaystyle \frac{n}{2}}ln\left(2\pi \right)+nln\left(\beta \right)+\beta \sum _{i=1}^n\left|s_i\right|\hfill \\ +{\displaystyle \frac{{\beta }^2}{2}}\hfill \end{array}\hfill & \mathrm{if}|s_i|>\beta .\hfill \end{array}\right.$$

(10)

In general, the parameter estimate $\tau$ via MLE is found by solving the following empirical risk minimization problem:

$$arg\underset{\tau }{min}\sum _{k=1}^n\rho \left(s_i\right)\mathrm{where}\rho \left(s_i\right)=-logL\left(s_i\right)$$

(11)

In generalized MLE, the estimated parameter $\tau$ (the location parameter of the least favorable distribution in Equation (8)) minimizes the log-likelihood function. Therefore, minimizing the log-likelihood function is equivalent to finding the solution to ${\sum }_{i=1}^n\psi \left(s_i\right)=0$, where $\psi \left(s_i\right)={\displaystyle \frac{\partial \rho \left(s_i\right)}{\partial s_i}}$. Through algebraic derivation (see Appendix A), it can be shown that the derivative ${\displaystyle \frac{\partial \rho }{\partial s_i}}$ equals to the Influence Function (IF) of a least favorable distribution.

Influence Functions mathematically specify a function that is a descriptive model of the rate at which a specific loss function (used for machine learning) will change with the perturbations/changes in input training data. Since first-order derivatives capture rate of change in a function w.r.t in one of the inputs, the IF is the first-order partial derivative of the relevant optimal loss function w.r.t. to the training input to the regression model in our case. Related to the above, if we can prove that, given poisoning attacks of varying strengths, the Influence Function values of a certain estimator are on average lower than other estimators, it can be proven theoretically that it will be best estimator regardless the application. Following Appendix A, by integrating this Influence Function (equivalent to the summation in Equation (11)), we obtain the following result:

$$M\left(s_i\right)=\left\{\begin{array}{cc}{\displaystyle \frac{s_i^2}{2}}\hfill & \mathrm{if} |s_i|\le \beta ;\hfill \\ \beta |s_i|-{\displaystyle \frac{{\beta }^2}{2}}\hfill & \mathrm{if} |s_i|>\beta .\hfill \end{array}\right.$$

(12)

The above equation, in fact, turns out to be matching the Huber estimator [21] from the family of M-estimators  [22]. Thus, we showed that the optimal M-estimator for the location parameter of the least favorable distribution ($\tau$) is when the contamination of poisoning happens with smaller-strength poisoning attacks and should be used if it is known that poisoning attacks are small in strength.

Large Strength Poisoning Attacks: Figure 3 shows a contaminated distribution of $s_i$ resulting from a large data poisoning attack we implemented using ${\delta }_{avg}^{\left(p\right)}=700$ (i.e., 7 times more in strength than the small poisoning attack) and ${\rho }_{mal}^{\left(p\right)}=0.5$, compared to the benign $s_i$ distribution.

In Figure 3, the green line depicts the distribution of regression errors that correspond to the benign portion of the training dataset, and closely approximates a normal distribution ($N_D$) verified via the K-S test. On the other hand, the yellow line depicts the distribution of regression errors that correspond to the attacked portion of the training dataset from the RUC latent space where the poisoning attack has large ${\delta }_{avg}^{\left(p\right)}=700$. Performing a K-S test on the yellow perturbed distribution, we found it fits closely with the student t-distribution. This disparity requires us to consider the variability introduced by larger attacks and corresponding regression error distributions, differently than the case of smaller poisoning attacks.

In the least favorable distribution, the two components of the compound distribution, $N_D$ and G, are distinctly separated by $\beta$; i.e., each exhibiting a distinctly different shape.

In contrast, the parametric form of t-distribution seamlessly blends both $N_D$ and G into a single distribution with heavy tails [17,23].

The prominent impact of this larger poisoning attack strength results in the emergence of a different type of contaminated distribution represented by $P_{{\delta }_s}$ in Equation (13). We can represent the set $P_{{\delta }_s}$ as an inclusive range of contaminated distributions arising from various attack types, each introducing different levels of ${\delta }_s$ contamination, ranging from small to large perturbations. This set is defined as follows:

$$P_{{\delta }_s}:=\{P:P=(1-{\delta }_s)N_D+{\delta }_{s}G,\}$$

(13)

The probability density function (pdf) of the student t-distribution, with an auxiliary scale correction, can be expressed as follows:

$$f_{\tau }\left(s_i\right)={\displaystyle \frac{\mathrm{\Gamma }\left(\frac{\nu +1}{2}\right)}{\sqrt{\nu \pi c^2{\sigma }^2}\mathrm{\Gamma }\left(\frac{\nu }{2}\right)}}{\left(1+{\displaystyle \frac{{s_i}^2}{\nu c^2{\sigma }^2}}\right)}^{-{\displaystyle \frac{\nu +1}{2}}}$$

(14)

Here, the gamma function is denoted as $\mathrm{\Gamma }$, $\nu$ represents the degrees of freedom, $s_i$ is the regression error, and $c\sigma =\beta$ represents the scale parameter in the t-distribution. Thus, the likelihood function for the t-distribution, considering all N training data points, is

$$f_{\tau }\left(s_i\right)=\prod _{i=1}^N{\displaystyle \frac{\mathrm{\Gamma }\left(\frac{\nu +1}{2}\right)}{\sqrt{\nu \pi {\beta }^2}\mathrm{\Gamma }\left(\frac{\nu }{2}\right)}}{\left(1+{\displaystyle \frac{{s_i}^2}{\nu {\beta }^2}}\right)}^{-{\displaystyle \frac{\nu +1}{2}}}$$

(15)

Since maximizing the likelihood function is equivalent to minimizing the log-likelihood function, taking the negative natural logarithm of Equation (15) yields

$$\rho \left(s_i\right)={\displaystyle \frac{\nu +1}{2}}ln\left(1+{\displaystyle \frac{s_i^2}{\nu {\beta }^2}}\right)+constant$$

(16)

In general, the parameter estimate $\tau$ via MLE, just like in the earlier case, is found by the following empirical risk minimization problem:

$$arg\underset{\tau }{min}\sum _{k=1}^n\rho \left(s_i\right)\mathrm{where}\rho \left(s_i\right)=-log\left(f_{\tau }\left(s_i\right)\right)$$

(17)

In our problem, we deal with a single statistically variable parameter, and we sample residual values within a window. In the t-distribution, the degrees of freedom indicate that smaller values result in heavier tails, while larger values make it resemble a Gaussian distribution. Considering these factors, choosing a smaller $\nu =1$ for the degrees of freedom is appropriate for larger attacks, as shown in Figure 3. Hence, replacing $\nu =1$ in Equation (16), and using the algebra and derivation shown in Appendix B, by taking the derivative of Equation (16) with respect to $s_i$ and then integrating, we obtain the following solution according to M-estimation theory:

$${\beta }^{2}log\left(1+{\left({\displaystyle \frac{s_i}{\beta }}\right)}^2\right)$$

(18)

The above equation, in fact, matches the so-called Cauchy–Lorentz Loss Function from the class of M-estimator functions, which explains why we choose this loss function for resilient threshold learning  [22].

Significance: The significance of the above analysis is that the mitigation resulting from resilient learning in anomaly detection can be performed by implementing different kinds of attack strategies and checking the contaminated distribution’s nature and derive the corresponding optimal estimator that will produce the minimax estimate under such attacks.

5.2. Robust Learning Algorithms for Detection Threshold

While the previous section was dedicated to theoretically estimating the best loss function for learning under different types of attacks, this section is about how to use the identified appropriate estimators to propose a resilient threshold learning algorithm for time series anomaly detectors that is robust under the presence of data poisoning attacks during the training. Specifically, we combine the benefits of quantile-weighted regression with the robust Cauchy and Huber loss functions for learning the thresholds.

This results in two new threshold learning algorithms: (a) Quantile-Weighted Regression with Huber Loss (Algorithm 2), and (b) Quantile-Weighted Regression with Cauchy Loss (Algorithm 3). In our experiments, we compare these with classical (unweighted/non-quantile) regression with Cauchy loss and unweighted regression with Huber loss, with pseudo-code provided in the preliminary version of this work [9].

Algorithm 2: Quantile-Weighted Regression with Huber loss (${\tau }_{max}^{\left(h\right)}$)

For the algorithms, we provide the pseudocode for learning the upper threshold ${\tau }_{max}$, since the same process applies to learning ${\tau }_{min}$. For learning ${\tau }_{min}$, the algorithm remains the same except that it runs with inputs $RU{C}^{-}\left(T\right)$ and parameter ${\tau }^{-}$.

For optimal learning of ${\tau }_{max}$, the input training samples are $RU{C}^{+}\left(T\right)$, and the search space for the candidate parameter is ${\tau }^{+}$ for each algorithm. We begin by explaining Algorithm 2, which uses Huber loss and modified quantile-weighted regression (to handle heteroskedasticity). The regression error is defined as the difference ${\tau }^{+}-RU{C}_i^{+}\left(T\right)$. Quantile regression applies different weights to the regression error depending on whether the candidate parameter fit is greater or lesser than the input points. This approach is necessary to reduce false alarms since the distribution of $RUC$ samples is not Gaussian, violating the assumptions of ordinary least squares regression.

We select a candidate ${\tau }^{+}$ for the upper threshold and compare whether it is greater or less than each point in the set $RU{C}^{+}\left(T\right)$. If $RU{C}^{+}\left(T\right)<{\tau }^{+}$, we assign it a weight ${\lambda }_c$ and calculate the corresponding weighted regression errors, denoted as $S^{+}$. Otherwise, if $RU{C}^{+}\left(T\right)\ge {\tau }^{+}$, we assign the regression error a weight ${\lambda }_p$, where ${\lambda }_p>{\lambda }_c$. To embed the Huber estimator, for each weighted error $S^{+}$, we calculate a loss value $L_s^{+}$ according to the Huber loss, depending on whether $S^{+}$ is greater or less than ${\beta }_h$. This procedure gives an $L_s$ value for each training data point in the set $RU{C}^{+}\left(T\right)$ for a fixed ${\tau }^{+}$.

The empirical loss value for a single candidate ${\tau }^{+}$ is the sum of $L_s$ values over each entry in the set $RU{C}^{+}\left(T\right)$, denoted as ${\sum }_{RU{C}^{+}\left(T\right)}{L}_s^{+}$. Each candidate ${\tau }^{+}$ generates a unique ${\sum }_{RU{C}^{+}\left(T\right)}{L}_s^{+}$. The final optimal estimate is the ${\tau }^{+}$ that minimizes ${\sum }_{RU{C}^{+}\left(T\right)}{L}_s^{+}$, as shown in the last line of Algorithm 2.

In a similar manner, we describe Algorithm 3, which uses the Cauchy loss instead of Huber, while keeping everything else the same. The only difference is the calculation of $L^{+}s$ from the weighted regression error $S^{+}$, based on how the Cauchy loss transforms the error into a loss value. The optimal solution is denoted as ${\tau }_{max}^{\left(c\right)}$, indicating that the Cauchy loss function was used for learning the upper threshold.

Algorithm 3: Quantile Weighted with Cauchy loss (${\tau }_{max}^{\left(c\right)}$)

When no asymmetric weights are applied to the regression errors, Algorithms 2 and 3 have been rewritten for Huber and Cauchy losses, respectively, using similar logic. In each case, we are only learning the bias parameter without the slope, as we want a fixed, time-independent threshold for flagging an anomaly.

5.3. Learning Hyperparameters

Now, we discuss the selection of the scaling hyperparameters of the loss functions, ${\beta }_c$ and ${\beta }_h$, and the hyperparameters of the weighted quantile regressors, ${\lambda }_c$ and ${\lambda }_p$, over a cross-validation set. The search space for ${\beta }_c$ and ${\beta }_h$ is bounded between 0 and the extremum of the set $S^{+}$ or $S^{-}$, and ${\lambda }_p$ is between 0 and 1, with ${\lambda }_c$ less than ${\lambda }_p$.

We partitioned the first 3 months of the 2016 dataset and used several values of the $\beta$ scaling hyperparameter, with a feasible range dictated by the regression errors (i.e., $|RUC-\tau |$) as discussed in the previous subsection. We tested several combinations of $\beta$ in each partition, selected the best one using the objective in Equation (19), and averaged the results.

$$arg\underset{{\beta }_c^{+},{\beta }_c^{-},{\lambda }_c,{\lambda }_p}{min}(w_{md}MD+w_{fa}FA)$$

(19)

For all results, we kept $w_{fa}=0.7$ and $w_{md}=0.3$. The weight assignment reflects that reducing false alarms is more than half as important. We minimized the joint false alarm (FA) and missed detection (MD) rates in the cross-validation sets. We used a coordinate grid search method over the cross-validation set to learn the best hyperparameters. This process was performed across various combinations of attack scales and strengths. After obtaining the optimal $\beta$ value for each loss function across all attack scales and strengths, we calculated the average across these attack combinations for each loss.

5.4. Theoretical Results and Explainability

This section is dedicated to the proof of correctness of experimental results. Often, some papers implement a robust learning approach and report the performance but that does not prove correctness of experimental observations because experiments/codes may have biases/bugs which may alter conclusions. Therefore, it is imperative that researchers give theoretical proofs to prove correctness of experiments and its conclusions.

In the previous section, we showed the relationship between poisoning attacks, their influence on the distribution of regression errors, and how should inform the loss function choice. Now, we theoretically prove that in the presence of poisoning attacks with varying degrees of perturbation, which loss function provides better mitigation and why—which addresses an important aspect of machine learning, i.e., the explainability aspect. In the experimental section, we show that the theoretical results match the experimental result, which is a proof of correctness of the experimental findings.

Consider regression error data points $s_i\in S=s_1,\dots ,s_N,$ where $s_i\in (0,1)$ for $i=1,\dots ,N$, and ${\beta }_{c,h}=\beta \in (0,1)$ is the hyperparameter of the loss function. The regression error data points are classified into two categories based on the hyperparameter $\beta$. Among the N data points, those that exceed $\beta$ are categorized as “large errors”, while those that fall within the range of $-\beta$ to $\beta$ are categorized as “small errors”.

Consequently, we can express this situation as follows: Out of the N data points, m have regression errors greater than $\beta$ ($s_i>\beta$, where $i=1,\dots ,m$), and the remaining $N-m$ data points have errors within the interval $-\beta$ to $\beta$ ($s_i\le \beta$, where $i=m+1,\dots ,N$). Thus, the perturbed errors are those either greater than $\beta$ or within the range of $-\beta$ to $\beta$. It is important to observe that in the context of RSL attacks, adversaries introduce perturbations of varying strength, either small or large, into $RUC$ training data points. This leads to distinct sets of regression errors following different distributions, as described by Equation (13). In reality, knowing the type and characteristics of attacks a priori is not straightforward, so the choice of the best loss function remains unclear. To compare the performance of different loss functions, we present an analysis based on Influence Functions (IFs) and Mathematical Induction.

Comparing the Influence Functions (IFs) of the Cauchy and Huber estimators, the estimator with the smaller IF under perturbations is less affected by attacks and thus more robust. To maintain broad applicability, we can make an initial assumption about the regression error data points, denoted as $s_i\in S$ and parameterized by $\beta$. We aim to progressively extend this assumption and demonstrate its validity.

Let $s_i\in S=\{s_1,\dots ,s_m,s_{m+1},\dots ,s_n,i=1,\dots ,N\}$, $s_i\in (0,1)$, and $\beta \in (0,1)$; the following inequality holds true:

$${\beta }^2\sum _{i=1}^N{\displaystyle \frac{s_i}{{\beta }^2+s_i^2}}\le \beta \sum _{i=1}^m\mathrm{sgn}\left(s_i\right)+\sum _{i=m+1}^N{s}_i$$

(20)

then the above means that $I{F}_C<I{F}_H$ and, hence, Cauchy provides more mitigation compared to Huber. In contrast, if $I{F}_C>I{F}_H$, then the Huber loss would provide more mitigation than Cauchy. This comparison indicates that the effectiveness of these robust loss functions in mitigating the influence of outliers depends on their relative Influence Functions.

This assumption shows that any perturbation in individual data points has a smaller effect on the Influence Function (IF) of Cauchy compared to Huber. In Equation (20), we can distinguish between two categories of regression errors: those considered small and those classified as large. This differentiation can be expressed as follows:

• If $s_1>\beta$, i.e., big residual

  $${\beta }^2\sum _{i=1}^m{\displaystyle \frac{s_i}{{\beta }^2+s_i^2}}\le \beta \sum _{i=1}^m\mathrm{sgn}\left(s_i\right)$$

  (21)
• If $s_1\le \beta$, i.e., small residual

  $${\beta }^2\sum _{i=m+1}^N{\displaystyle \frac{s_i}{{\beta }^2+s_i^2}}\le \sum _{i=m+1}^N{s}_i$$

  (22)

We employ a direct inductive proof in this analysis. We start by examining a single data point, denoted as $\forall i,s_i\in (0,1)$, and determine whether the inequality in Equation (20) holds. Then, we generalize it for multiple points based on the conditions of our problem.

Let $s_1\in (0,1)$ with $sgn\left(s_1\right)=+1$. Depending on whether $s_1>\beta$ (large) or $s_1\le \beta$ (small), we provide a direct proof using Equations (21) and (22). A positive error can fall into either category, large or small. Case 1: considers the scenario where the residual is large. We begin by proving the inequality for a single point using Equation (21), and then generalize the argument to multiple points. Case 2: addresses the case of small errors. We similarly start with a single point and extend the proof to multiple points using Equation (22). Finally, we consider Case 3: where both large and small errors occur simultaneously (which is the practical casr) and prove which influence function yields a lower value. Thus, the complete set of cases is as follows:

Case 1: If $s_1>\beta$, big regression error, then $I{F}_C<I{F}_H$:

The left side is always negative since $s_1>0$ and $\beta >0$, while the right-hand side is positive. Thus, our assumption (i.e., $I{F}_C<I{F}_H$) holds for large regression errors.

For the case where $s_1>\beta$ (a large regression error), we will show that the opposite statement, $I{F}_C>I{F}_H$, is false through proof by contradiction.

However, the last inequality is logically impossible because squared terms cannot be smaller than negative terms. Assuming the opposite leads to a mathematical contradiction. Thus, $I{F}_C\ngeqq I{F}_H$ when $s_1>\beta$ (indicating a large regression error), with $s>0$ and $\beta >0$. Hence, we proved that the Cauchy loss function mitigates the impact of poisoning more effectively than the Huber loss for bigger residuals which happen under poisoning.

Generalization to Multiple Big Regression Errors: Now, suppose there are a total of m large errors $s_i$, where $s_i>\beta$ ($i=1,\dots ,m$). Given these m large errors, we have m inequalities of the form

$$\begin{array}{cc}\hfill {\beta }^2{\displaystyle \frac{s_1}{{\beta }^2+s_1^2}}& <\beta sgn\left(s_1\right),\cdots ,{\beta }^2{\displaystyle \frac{s_m}{{\beta }^2+s_m^2}}<\beta sgn\left(s_m\right)\hfill \end{array}$$

Applying generalized Triangle Inequality leads to the following:

$${\beta }^2\sum _{i=m+1}^N{\displaystyle \frac{s_i}{{\beta }^2+{s_i}^2}}<\beta \sum _{i=m+1}^{N}sgn\left(s_i\right)$$

(23)

This inequality is valid because the total value on the left-hand side is smaller than the total value on the right-hand side. The reasoning behind this is that each individual term on the left is minimized due to the properties of the generalized Triangle Inequality, which effectively bounds the summation when compared to the sum of the signs of the larger errors on the right.

Case 2: If $s_1\le \beta$ small regression error, then suppose $s_1\to 0$ or greater. Hence, $s_1\ge 0$. Then, we can write

Our demonstration has shown that, when dealing with small errors, the IF of Cauchy is less than that of Huber, indicating that the Cauchy loss function is either better than or equal to Huber under small poisoning attacks.

Generalization to Multiple Small Regression Errors: Now, consider the case of $N-m$ small regression errors where $s_i\le \beta$, ($i=m+1,\dots ,N$). Given a total of $N-m$ small errors, we have $N-m$ inequalities of the form

$$\begin{array}{cc}\hfill {\beta }^2{\displaystyle \frac{s_1}{{\beta }^2+s_1^2}}& \le s_1,\cdots ,{\beta }^2{\displaystyle \frac{s_{N-m}}{{\beta }^2+s_{N-m}^2}}\le s_{N-m}\hfill \end{array}$$

Applying the generalized Triangle Inequality, we combine the above inequalities and derive a new inequality. For all $s_i\le \beta$ ($i=m+1,\dots ,N$), the following holds true:

$${\beta }^2\sum _{i=m}^N{\displaystyle \frac{s_i}{{\beta }^2+{s_i}^2}}\le \sum _{i=m}^N{s}_i$$

(24)

The above indicates that, in the presence of very small attacks, both the Cauchy and Huber loss functions provide equally effective mitigation in predicting the detection thresholds.

Case 3: Mixed Regression Errors (Large and Small). We consider the scenario where both large and small errors are present simultaneously (real world case study) and prove which influence function yields a lower value.

Previously, we showed that Equation (13) represents the distributions affected by ${\delta }_s$, resulting from various attack types. In real-world scenarios, whether ${\delta }_s$ results from a large or small poisoning attack, it causes both small and large perturbations in regression errors. The key difference is the ratio of small to large errors. For instance, a large attack strength leads to a higher number of large regression errors compared to small errors. Thus, in real-world scenarios, we need to combine inequality Equations (23) and (24) by using a similar technique that involves summing the two sides of these inequalities. As a result, Equation (20) holds for all small and large regression errors $s_i\in (0,1)$, i.e.,

$${\beta }^2\sum _{i=1}^N{\displaystyle \frac{s_i}{{\beta }^2+{s_i}^2}}\le \beta \sum _{i=1}^{m}sgn\left(s_i\right)+\sum _{i=m+1}^N{s}_i$$

(25)

The analysis reveals that the Cauchy loss has a lower IF compared to the Huber loss function when both small and large errors are present due to attacks and benign fluctuations. Based on this, it is explainable that the Cauchy loss function is more effective for the greedy case where the attacker seeks to launch larger data poisoning strengths to quickly inflict maximum damage. However, the experiments also reveal a trade-off related to the low base rate probability of a poisoning attack occurring that reveals a deeper scientific question.

5.5. Security Evaluation Metrics

Unlike previous works, we used two novel metrics for security evaluation, instead of popular metrics such as false alarm rate, missed detection rate, ROC curves, and precision, recall. This deliberate avoidance is following the recommendations by NIST [2] for security evaluation of time series anomaly-based attack detectors.

When it comes to cybersecurity of critical CPS infrastructure, detection rate should not be used as a way to test the goodness of a defense. This is because the algorithms are public, so attackers can always come up with a poisoning strategy that does not violate the robust/resilient thresholds and escape detection. In that case, the detection rate is zero. However, it does not prove the effectiveness of the cybersecurity/mitigation strategy. Rather, what really proves effectiveness of the security mitigation is if we can prove that the impact of undetected attack is small or limited when an evasion attack that just bypasses the learned robust threshold during training is applied by the attacker during the testing. Hence, we use impact of undetected attack as one the metrics of security evaluation while evaluating our work’s effectiveness in the test set.

Another key concern is the false alarm rate and why it is misleading to use false alarm rates for time series detectors like ours which frequently check for attacks (not one time check). Suppose a cybersecurity mitigation has a false alarm rate of 1%. If the detector runs every second, then 1% false alarm rate will yield 864 false alarms in a single day (clearly unusable practically) if there are no actual attacks. However, if the detectors runs per hour of the day, the same 1% false alarm rate in the same scenario produces on average at least two false alarms per day (more usable but still poor). Given that the prior probability of an actual attack is much lower than the benign condition, such false frequencies and rates become even more misleading. As is clear from the above discussion, it is proven that false alarm rates are inappropriate for cybersecurity mechanisms that operate on streaming data because it does not give any idea on the usability of the approach. This is well known from Axelsson et. al.’s seminal work on the flaws of cybersecurity detection metrics [24]. From the above explanation, it is clear that the usage of ROC curves, false alarm, missed detection, and precision, recall is misleading and should be avoided. Hence, NIST recommends not to use false alarm rates for cybersecurity approaches that run frequently on streaming data. Rather, the expected (average) time between consecutive false alarms which incorporates the notion of time and gives a better sense of whether the cybersecurity mechanism produces false alarms at a frequency that is practical and usable. The larger the average time gap between any two false alarms, the better it is because the number of costly disruptions and host-based security audits needed is going to be lesser.

Impact of Undetected Attack: The effectiveness of integrity violations is quantified through the impact of undetected attacks on the utility after applying our attack and defense mechanisms [2]. To calculate the impact of undetected attacks per day, we use lost revenue, denoted by $RR$, in terms of the unit price of electricity:

$$RR=({\delta }_{avg}\ast M\ast \eta \ast E)/1000$$

(26)

where $\eta =24$ is the number of reports per day, $E=\$0.12$ is the average per unit (KW-Hour) cost of electricity in the USA, ${\delta }_{avg}$ is the margin of false data in the test set, and M is the number of compromised smart meters in the test set. The impact of undetected attack is as follows:

$$Impact=RR\ast T_{detect}$$

(27)

$T_{detect}$ is the time difference between attack start and end of the test set in days. Lesser $Impact$ indicates better mitigation.

Expected Time between Consecutive False Alarms: Instead of the well-known false alarm rate, we use the expected time between two false alarms $E_{T_{FA}}$ to evaluate false alarm performance. The $E_{T_{FA}}$ is a NIST [2] recommended metric to avoid base rate fallacy in the reported performance false alarm performance for time series anomaly based detection for cybersecurity:

$$E_{T_{FA}}={\displaystyle \frac{{\sum }_{{\eta }_{FA}}{T}_{BFA}}{{\eta }_{FA}-1}}$$

(28)

where ${\eta }_{FA}$ is the number of false alarms, and $T_{BFA}$ is the time gap between two false alarms. If there is only one false alarm, $E_{T_{FA}}$ is set to 364, assuming another false alarm is likely within a year. A lower $E_{T_{FA}}$ indicates worse performance.

6. Experimental Evaluation

For the experimental evaluation, our proof of concept is a dataset from the Pecan Street project [25] containing hourly power consumption from 200 smart meters over three years (2014, 2015, 2016) divided into training, cross-validation, and testing. The training data includes all records from 2014 and 2015, as in previous work [1], to ensure fair performance. The remaining records from 2016 are divided into two parts for cross-validation and testing. All records from the first three months of 2016 are used for cross-validation, while the remaining nine months are used as the test set. The hyperparameters ${\beta }_c$ and ${\beta }_h$, learned through cross-validation, were found to be $0.0002$ and $0.0001$, respectively. For each loss function and regression type, we measure performance based on the impact of undetected attacks as a function of the following attack variables: (1) poisoning attack strength ${\delta }_{avg}^{\left(p\right)}$ and scale ${\rho }_{mal}^{\left(p\right)}$, and (2) evasion attack strength ${\delta }_{avg}^{\left(te\right)}$ and scale ${\rho }_{mal}^{\left(te\right)}$.

Furthermore, while reporting performance we use different acronyms that denote the threshold learning algorithm that includes both regression type and loss function. These acronyms are described in

Table 1. Acronyms for design choices.

Acronym	Regression Type	Loss Function
QC	Quantile	Cauchy
QH	Quantile	Huber
NQC	Regular	Cauchy
NQH	Regular	Huber
L1	Quantile	MAE
L2	Quantile	MSE

. The algorithmic procedure for regular (i.e.) non quantile versions of the NQC and NQH can be found in our preliminary conference version [9].

RSL Poisoning Implementation Details: For RSL poisoning attack, we varied poisoning margin ${\delta }_{avg}^{\left(p\right)}$ between 50 and 300 and varied ${\rho }_{mal}^{\left(p\right)}$ between 20 and $70\%$, and the RSL attack duration was between 1 April and 30 June 2014.

RSL Evasion Implementation Details: To investigate performance in the test set, we crafted attacks with varying percentages of compromised meters ${\rho }_{mal}^{\left(te\right)}$ and varying data perturbation margins ${\delta }_{avg}^{\left(te\right)}$. The combinations were selected such that none of the attacks exceeded the learned standard limit, allowing us to measure the impact of undetected attacks. In the test set, we varied ${\rho }_{mal}^{\left(te\right)}$ between 20 and $70\%$, and ${\delta }_{avg}^{\left(te\right)}$ between 10 and 400, covering a wide range of attack intensities.

To remove bias in performance, we launched evasion attacks on three distinct 90-day time frames in 2016. The reported IMPACT (USD) in each result is the average impact of undetected attacks per 90-day frame, across the three attack time frames.

Performance evaluation of Robustness: For comparative performance evaluation, we compare all loss function choices by grouping them into two categories: (a) within quantile-weighted regression and (b) within unweighted regression. We select the best-performing loss function from each group and compare their performance to determine which loss function type and regression type is most robust against a given attack.

Performance is measured in terms of the mean impact of undetected attacks per 90 days (I) (when there is an evasion attack in the test set) and the expected time between false alarms ($E_{T_{fa}}$) (when there are no attacks in the test set). The impact of an undetected attack is influenced by (i) poisoning attack strength and (ii) evasion attack strength. Therefore, we use these two attack parameters to measure how the impact of undetected attacks varies across loss functions and regression choices.

6.1. Evaluating Impact of Undetected Attacks

This subsection is dedicated to all results related to impact of undetected attacks in the test set as a result of data poisoning, given that we assume the attacker knows the threshold and is never detected.

Now, we discuss loss function choices with asymmetric weighting of positive versus negative regression errors, which is our proposed framework. Figure 4a shows that across various poisoning strengths (${\delta }_{avg}^{\left(p\right)}$), the QC loss function consistently results in equal or lower attack impact across all loss function choices. The evasion attack strength is ${\delta }_{avg}^{\left(te\right)}=100$, with a scale of ${\rho }_{mal}=0.60$, which bypasses detection assuming the attacker has complete knowledge of our method.

Next, we vary the evasion strength to evaluate performance. In Figure 4b, we observe that, across various evasion attack strengths, the QC loss function results in a lower impact compared to all other loss function choices. The poisoning attack strength is ${\delta }_{avg}^{\left(p\right)}=200$ and the scale is ${\rho }_{mal}=0.50$ for Figure 4b.

Effect of Loss function choice Here, we show the impact the loss function choice alone had on the resilient learning without Quantile weights used in the learning. Figure 5a indicates that, across different poisoning attack strengths ${\delta }_{avg}^{\left(p\right)}$, the NQC (unweighted Cauchy Loss) is equal to or lower in impact than NQH. The evasion attack strength is ${\delta }_{avg}^{\left(te\right)}=150$ and the scale is ${\rho }_{mal}=0.40$. In contrast, for a poisoning attack with ${\delta }_{avg}^{\left(p\right)}=200$ and ${\rho }_{mal}^{\left(p\right)}=0.50$, Figure 5b shows the impact across all evasion strengths ${\delta }_{avg}^{\left(te\right)}$, and proves that the NQC is lower in impact than NQH.

Impact of Quantile Weights’ Choice Next, we compare the winning loss function, Cauchy, in both quantile regression and regular (non-quantile) in Figure 6a,b. It is important to isolate the effect that quantile weights have on the mitigation, keeping the same most robust loss function. We find that regular Cauchy performs better in minimizing the impact of undetected attacks. This might lead the hasty conclusion that quantile-weight Cauchy loss is less optimal than regular Cauchy. However, this is counterintuitive, because later in

Table 2. Expected time between false alarms: no test set attacks.

Empirical Loss	${\mathit{E}}_{{\mathit{T}}_{\mathbf{FA}}}$
QL1	334.29
QL2	364.65
QC	115.21
QH	313.84
NQC	103.53
NQH	253.01

, we show that the false alarm performance of NQC is poorer. Due to base rate paradox, the false alarm performance should get higher priority due to imbalanced prior probability of not having a poisoning. Hence, we should use quantile Cauchy, even though the non-quantile has less impact of undetected attack, because using quantile cauchy gives jointly better $E_{T_{FA}}$ and I.

Figure 6a shows that the impact of NQC is either equal to or lower than the impact of QC for varying poisoning strength ${\delta }_{avg}^{\left(p\right)}$ for a representative evasion attack with ${\delta }_{avg}^{\left(te\right)}=150$ and ${\rho }_{mal}=0.30$. Similarly, Figure 6b shows either equal or lower impact of performance for NQC than the impact of QC for varying evasion attack for a representative poisoning attack with ${\delta }_{avg}^p=130$ and ${\rho }_{mal}=0.50$. The results clearly indicate that the NQC loss function outperforms all other loss functions in terms of impact of undetected.

Impact versus Varying Attack Scale: We want to determine if the conclusions change when ${\rho }_{mal}^{\left(p\right)}$ is adjusted. Figure 7a shows that the QC is either equal to or lower in impact than all other loss functions. Similarly, Figure 7b shows that the NQC is either equal to or lower in impact than NQH. For both Figure 7a,b, the poisoning attack strength is ${\delta }_{avg}^{\left(p\right)}=100W$ and the evasion strength is ${\delta }_{avg}^{\left(te\right)}=120W$.

6.2. Evaluating False Alarm Performance with Base Rate Effects

In this subsection, we analyze the expected time between false alarms under two variations. First, we examine the expected time between two consecutive false alarms with training data poisoning, but there is no attacks launched in the test set. The question we are asking here is whether this occurrence causes an increase in false alarm due to the design response of using robust ML principles for anomaly detection criterion. Second, we measure the expected time between two consecutive false alarms with no poisoning attacks in the training set and no data falsification attacks in the test set as well—we call this base rate ETFA. This is important because this is the most probable scenario and important to verify that the fear of poisoning attacks that led to a more resilient algorithm does not cause degradation of system usability (that is negatively affected by increased false alarm).

Expected Time Between False Alarms with No test set attacks: To measure the expected time between false alarms, we used the annual base rate of false alarms in the test set when there were no attacks throughout 2016. This is because the false alarm rate is typically highest when no attacks are present, given that poisoning was part of the training set. Table 2 presents the expected time between false alarms for various loss functions in the presence of an RSL poisoning attack and shows that the quantile Cauchy loss yields worse false alarm performance compared to other design choices. The quantile version of Cauchy performs slightly better than the non-quantile version.

Base Rate Paradox Trade-off under No Poisoning: 

Table 3. False alarm performance: no poisoning attacks.

Empirical Loss	${\mathit{E}}_{{\mathit{T}}_{\mathbf{FA}}}$
L1	364.0
L2	364.0
QC	45.5
QH	364.0
NQC	45.5
NQH	45.5

shows the expected time between false alarms in the test set, when there is no data poisoning during training. Note that the base rate probability of a poisoning attack occurring is very low. The quantile Cauchy loss has poor false alarm performance, generating one false alarm every 45 days. On the other hand, the quantile Huber is as good as quantile L2, generating a false alarm every 364 days.

An interesting trade-off is that using robust loss functions comes at the cost of increased false alarms, especially when the low base rate of poisoning is considered. Therefore, while adopting a robust loss function, this trade-off should be considered, and the weights during cross-validation may need to be adjusted accordingly. Our recommendation is that quantile Huber is the best choice, even though quantile Cauchy is theoretically more robust to poisoning attacks. When a poisoning attack does occur (though its probability is low), quantile Huber performs better than the more popular quantile L1 and L2 loss functions.

6.3. System Complexity and Performance Discussion

Here, we discuss the model size and complexity of learning.

Model size: There are two parameters for threshold learning—the upper and the lower detection threshold and two hyperparameters of the Cauchy/Huber loss function (i.e., the scaling hyperparameter in the M-estimator) as applied to the learning of upper and lower threshold learning. Hence, the model size is small.

Complexity: The method is very lightweight in storage complexity. It only stores threshold values and regression parameters, making it highly suitable for resource-constrained environments. Regarding computational time complexity, the RUC generation scales linearly with the size of the input data $\left(O\right(n\left)\right)$. On the other hand, the threshold learning that uses a Cauchy loss is a convex and differentiable, unlike quantile L1. Hence, gradient descent applies with a known complexity of $O\left(knd\right)$, where k is the number of iterations needed, n is the number of samples, and d is the number of features. Since our learning of attack detection threshold needs only a single feature (i.e., the RUC latent space), the complexity of the robust learning is $O\left(kn\right)$. Per iteration, the complexity is $O\left(n\right)$, which also gives the importance of using latent representation metric (i.e., RUC). The number of iterations depends on the step size and it is an arbitrary choice of the designer. However, since the RUC metric space is sparse and contains small numbers between −1 and +1 in range, the number of iterations will not cause a performance bottleneck.

7. Conclusions

This paper proposed two robust approaches for learning the threshold of time series anomaly-based attack detection, with theoretical justification for the experimental results, using a smart metering infrastructure as a proof of concept. Our approach involved robust loss functions, including Cauchy and Huber, applied to quantile and unweighted regression errors. Through comprehensive analysis, we theoretically assessed the security performance of these methods, determining their suitability for different attack strengths. Additionally, we emphasized the crucial role that data point distribution plays in selecting the appropriate loss function for learning thresholds and its relation to security performance. We validated our findings through experimental assessments using metrics such as the impact of undetected attacks and the expected time between false alarms, both well suited for evaluating security under advanced persistent threats. Our results indicate that, in terms of impact robustness, Cauchy outperforms the more widely known Huber loss function, especially under moderate to high attack strengths. However, when accounting for the base rate fallacy, quantile-weighted Huber loss emerges as a more effective choice for reducing false alarm occurrences.