Research on Attack Node Localization in Cyber–Physical Systems Based on Residual Analysis and Cooperative Game Theory

Abstract

With the widespread application of cyber–physical systems (CPS) in the field of automation, security concerns have become increasingly prominent. One critical and urgent challenge is the accurate identification of sensor nodes compromised by false data injection (FDI) attacks in multiple-input multiple-output (MIMO) control systems. Building on the implementation of multi-step sampling and residual-based anomaly detection using a support vector machine (SVM), this paper further introduces the Shapley value evaluation method from cooperative game theory and a voting mechanism, and proposes a method for node attack localization. First, multi-step sampling is conducted within each control period to provide a large amount of effective data for the localization of attacked sensor nodes. Next, the residual between the estimated value of the MIMO system’s full response and the actual value received by the controller is calculated, and an SVM model is used to detect anomalies in the residual. Finally, the Shapley value contribution of each residual to the SVM anomaly detection result is evaluated based on cooperative game theory and combined with a voting mechanism to achieve accurate localization of the attacked sensor nodes. Simulation results demonstrate that the proposed method achieves an anomaly detection accuracy of 96.472% and can accurately localize attacked nodes in both single-node and multi-node attack scenarios, indicating strong robustness and practical applicability.

1. Introduction

A cyber–physical system (CPS) is a highly integrated system that combines physical devices, information-processing technologies, network communication, and intelligent control algorithms [1]. It enables the automation and intelligent management of complex systems through real-time data acquisition, analysis, and feedback control [2]. CPSs are widely applied in critical domains such as smart grids, industrial manufacturing, intelligent transportation, and healthcare monitoring [3]. However, such deep integration also makes CPS susceptible to various information security threats, especially false data injection (FDI) attacks, which severely compromise the data integrity and core control functions of the system [4]. The attacker, after compromising the communication protocol between the sender and receiver, adds malicious data to the acquired legitimate data and sends it to the receiving end in order to deceive the receiver and disrupt the control system [5]. For example, in the 2000 Maroochy Shire sewage incident, a former employee infiltrated the system via wireless frequencies and manipulated the water treatment and sewage facilities, resulting in the release of 1.5 million liters of untreated sewage into the environment and causing a serious environmental pollution event [6]. In the 2010 Stuxnet worm attack, false data injection was used to alter the rotational speed of centrifuges at Iranian nuclear facilities, causing physical damage to the equipment while keeping the monitoring systems unaware of any abnormalities [7]. In addition, in 2015, Ukraine’s power grid suffered a cyberattack in which attackers implanted malicious firmware and took control of industrial control systems, disconnecting the power supply to substations and affecting the lives of nearly 230,000 people [8]. These incidents not only revealed security vulnerabilities of CPS in critical infrastructure but also highlighted the importance and urgency of strengthening system security measures to prevent future FDI attacks from severely impacting the stability and functional integrity of CPS operations.

For CPS, sensor nodes are typically distributed across different geographical locations. When sensor nodes are subjected to FDI attacks, existing anomaly detection mechanisms often fail to accurately identify the attacked nodes. Consequently, the system tends to adopt conservative strategies, such as discarding all sensor data, which leads to performance degradation and may even trigger unnecessary control responses. How to accurately localize the attacked sensor nodes based on anomaly detection remains a critical problem that has yet to be effectively addressed. To address this issue, this paper builds on multi-step sampling and employs SVM to perform anomaly detection on the residuals, further integrating Shapley value evaluation from cooperative game theory and a voting strategy to achieve accurate localization of the attacked nodes. This method is capable of preserving normal data to the greatest extent while ensuring system security, thereby enhancing the robustness of system operations. Therefore, conducting in-depth research on the localization of sensor nodes under FDI attacks holds significant theoretical value and practical engineering relevance. The main focus of this study is as follows:

(1)

Multi-step sampling is introduced within each control period to provide a large amount of effective data for the localization of attacked sensor nodes.

(2)

SVM is introduced to perform anomaly detection on the residuals corresponding to each sensor node in the CPS, enhancing the system’s ability to identify anomalies under complex attack scenarios and providing prior information to support the subsequent localization of attacked sensor nodes.

(3)

The Shapley value from cooperative game theory is employed to evaluate the contribution of the residuals corresponding to each sensor node to the SVM detection result, providing a decision basis for the localization of attacked sensor nodes.

(4)

A voting mechanism is employed within each control period to achieve accurate localization of attacked sensor nodes, addressing the limitations of existing methods in identifying attacked sensor nodes.

Through these investigations, the goal is to enable the controller to promptly identify attacked sensor nodes and take effective countermeasures following an FDI attack.

2. Related Work

Currently, FDI attack detection methods can be categorized into three main types: traditional detection methods, model-based methods, and data-driven methods. Traditional detection methods typically rely on predefined rules or statistical techniques to monitor the system for abnormal behavior. These approaches are generally based on known patterns of normal operation and detect anomalies by comparing current data against these patterns. Reference [9] proposed a chi-square-based detector integrated with cosine similarity matching for detecting FDI attacks in smart grids. This method enhances sensitivity to abnormal data by evaluating the similarity between residuals and feature vectors, and is particularly effective in scenarios where system states are known a priori. However, it is vulnerable to noise and non-Gaussian distributions, and its detection accuracy deteriorates in the presence of stealthy attacks or nonlinear system dynamics. These limitations reduce its applicability in more complex and dynamic environments. Reference [10] proposed a graphical analysis approach to analyze defense mechanisms against FDI attacks targeting power system state estimation. The proposed method incorporates both an exact algorithm and a computationally efficient approximation to identify a minimal set of protective measurements, thereby improving defensive performance and optimizing resource allocation. While the method offers strong theoretical guarantees and reduces computational burden, its performance heavily relies on accurate network topology information and its applicability may be limited in dynamic or reconfigurable systems. Reference [11] proposed a distributed detection method for FDI attacks, utilizing a Markov graph derived from bus phase angles. By employing equivalent transformations of measurement data and cooperative detection based on a maximum weighted residual model, the method effectively identifies FDI attacks in smart grids. However, its performance strongly depends on precise estimation of the system’s statistical dependencies and may deteriorate in the presence of significant noise or under dynamically evolving grid topologies. Reference [12] proposed a method for detecting FDI attacks in AC state estimation by tracking dynamic measurement variations and quantifying deviations in measurement distributions using Kullback–Leibler (KL) divergence. This approach effectively characterizes the impact of data manipulation on measurement distributions, thereby enabling accurate attack detection. However, its performance depends on accurate estimation of the pre-attack distribution and is hindered by high computational complexity in high-dimensional settings. These factors limit its applicability in real-time systems. Traditional detection methods rely on predefined rules or statistical analysis, making them susceptible to noise interference and ineffective against complex or unknown attack patterns. Due to the lack of adaptability, these methods exhibit low detection accuracy in dynamic environments and struggle to cope with modern cyberattacks. Model-based methods describe normal system behavior by constructing mathematical or physical models of the system and use these models to predict the expected system states. By comparing actual data with model predictions, significant deviations indicate the presence of anomalies or faults in the system. Reference [13] proposed a security framework for smart grids that leverages a Kalman filter and a power grid topology model. It detects denial-of-service attacks, random disturbances, and FDI attacks by using a chi-square detector and a Euclidean norm detector to compare the residuals between estimated states and measured values. However, the method is highly dependent on the accuracy of the system model, and its detection performance may degrade significantly in the presence of model mismatch, non-Gaussian noise, or changes in grid topology. Reference [14] developed a stochastic unknown input estimator (SUIE) designed to detect FDI attacks via system state estimation. The SUIE mitigates the influence of process and measurement noise on state estimates by dynamically adjusting system gains. However, its performance is strongly dependent on the structural accuracy of the system model, and the estimator may exhibit slow convergence in high-dimensional or noise-prone environments. These limitations reduce its effectiveness for real-time detection applications. Reference [15] proposed a dynamic network attack model that integrates local network information to characterize typical data injection attacks. The model also aims to capture the potential dynamic behaviors of attackers. In addition, the detection strategy accounts for system uncertainties within the cyber–physical power system framework. However, its detection performance depends on the accuracy of the assumed attack behavior, and may degrade under unexpected network dynamics or stealthy, irregular attacks. These limitations arise from the model’s limited adaptability to unforeseen scenarios. Reference [16] introduced a false data injection detection mechanism based on sparse signal optimization, which distinguishes nominal system states from anomalies by leveraging the inherent sparsity of attack vectors. The approach formulates the detection problem as a convex optimization task aimed at recovering the sparse attack signal. However, its performance may degrade when attacks are widespread or dense, and it requires careful parameter tuning to maintain detection accuracy. Moreover, the computational burden increases significantly in large-scale systems, thereby limiting its applicability to real-time scenarios. Model-based methods rely on accurate system models, and their detection performance may degrade if the model is incomplete or subject to change. In contrast, data-driven methods do not depend on explicit system models; instead, they utilize machine learning or deep learning techniques to learn normal system behavior from historical data and automatically identify anomalies. Reference [17] proposed a mixed-strategy detection approach for multi-type network attacks, formulated within a zero-sum stochastic game framework. The approach models the interaction between the attacker and the defender as a stochastic game and derives the optimal detection policy by computing the Nash equilibrium under uncertainty. However, the effectiveness of the method relies on accurate modeling of attacker behavior and transition probabilities, which may not be practically attainable in real-world implementations. Moreover, the extensive strategy space results in high computational complexity, thereby limiting its applicability in real-time environments. Reference [18] provides a systematic survey of deep learning-based attack detection approaches in cyber–physical systems. Most of the reviewed methods are heavily dependent on large volumes of labeled training data and exhibit poor model interpretability. They also tend to overlook system topology and physical constraints, relying solely on data-driven feature learning. Moreover, deep learning models often incur high computational costs and demonstrate limited real-time capability and adaptability in resource-constrained environments, which substantially restricts their practical deployment in engineering applications. Reference [19] proposed a supervised learning approach for detecting FDI attacks by training classifiers on labeled historical data to classify system states as normal or malicious. The study also evaluated its robustness against both overt and stealthy attack scenarios. However, the approach is highly dependent on high-quality labeled data, and its detection accuracy deteriorates significantly when attack samples are scarce or of unseen types. Reference [20] proposed a mode-based anomaly detection method for addressing integrity and availability attacks in industrial cyber–physical systems. The method partitions the system’s operational states into multiple modes and assigns a specialized detector to each mode, with the aim of enhancing detection accuracy during dynamic state transitions. However, its performance is highly sensitive to the accuracy of mode classification, and rapid state transitions or inaccurate partitioning may result in increased false alarms or missed detections. The method also requires extensive domain knowledge, which may hinder its practical deployment in complex industrial environments. In addition, data-driven methods rely on large volumes of high-quality data, and the absence of prior knowledge may impede the model’s ability to capture complex system behaviors effectively. In summary, most existing studies on FDI attacks in cyber–physical systems primarily concentrate on detection, while lacking effective mechanisms for localizing compromised sensor nodes. This represents a major limitation to achieving accurate system defense and timely recovery.

3. System Modeling of CPS and FDI Attack Behavior

3.1. System Modeling of CPS

Figure 1 illustrates the structure of a CPS, which consists of a MIMO physical plant, a controller, and a communication network. $y_j^s(k)$ denotes the data sent by sensor node $j$ under an FDI attack, where $j\in \{1,2,\cdots ,q\}$. Sensor nodes conduct synchronized sampling and transmit the sampled data to the controller, which triggers the execution of the control algorithm upon receiving all data.

The discrete model of a MIMO system with input–output coupling characteristics can be represented as shown in Equation (1).

$$\left\{\begin{array}{c}x(k+1)=Ax(k)+Bu(k)+w(k)\\ y(k)=Cx(k)+v(k)\end{array}\right.$$

(1)

Here, $A$ is the $n\times n$ state transition matrix, $B$ is the $n\times p$ control input matrix, and $C$ is the $q\times n$ output matrix. $x(k)\in {ℝ}^n$ denotes the system state vector, with the initial condition $x(0)=x_0$. $u(k)\in {ℝ}^p$ is the control input vector. $v(k)\in {ℝ}^q$ represents the measurement noise, and $w(k)\in {ℝ}^n$ denotes the process noise. $u(k)$ and $y(k)$ are given as shown in Equations (2) and (3).

$$u(k)={\left[\begin{array}{ccc}{u}_1(k)& \cdots & u_p(k)\end{array}\right]}^T$$

(2)

$$y(k)={\left[\begin{array}{ccccc}{y}_1(k)& \cdots & y_j(k)& \cdots & y_q(k)\end{array}\right]}^T$$

(3)

The controller obtains the system state estimation through a Kalman filter and adopts the linear quadratic regulator (LQR) algorithm to implement the control strategy.

3.2. FDI Attack Behavior Targeting Sensor Nodes

In CPS, an attacker can tamper with the data transmitted by sensor nodes, causing the controller to make incorrect decisions based on falsified information, which leads to abnormal behavior in the MIMO system. The FDI attack model is defined as $\alpha (k)\in {ℝ}^q$, as shown in Equation (4).

$$\alpha (k)={\left[\begin{array}{ccccc}{\alpha }_1(k)& \cdots & {\alpha }_j(k)& \cdots & {\alpha }_q(k)\end{array}\right]}^T$$

(4)

The actual value received by the controller, $y^s(k)$, is given as shown in Equation (5).

$$y^s(k)=\left[\begin{array}{c}{y}_1^s(k)\\ ⋮\\ y_j^s(k)\\ ⋮\\ y_q^s(k)\end{array}\right]=\left[\begin{array}{c}{y}_1(k)+{\alpha }_1(k)\\ ⋮\\ y_j(k)+{\alpha }_j(k)\\ ⋮\\ y_q(k)+{\alpha }_q(k)\end{array}\right]$$

(5)

4. FDI Attack Detection and Attacked Node Localization

4.1. Residual-Based SVM Attack Detection Under Multi-Step Sampling Conditions

Multi-step sampling refers to the process in which the control input remains constant within a single control period, while the sensors perform multiple data acquisitions from the physical plant and transmit the sampled data to the controller via sensor nodes. A total of $m$ samples are taken within one control period, as shown in Equation (6):

$$m={\displaystyle \frac{T_k}{T_s}}$$

(6)

where $T_k$ denotes the control period and $T_s$ denotes the sampling period. Under multi-step sampling conditions, the actual value received by the controller, $y^s(k,i)$, is given as shown in Equation (7):

$$y^s(k,i)=\left[\begin{array}{c}{y}_1^s(k,i)\\ ⋮\\ y_j^s(k,i)\\ ⋮\\ y_q^s(k,i)\end{array}\right]=\left[\begin{array}{c}{y}_1(k,i)+{\alpha }_1(k,i)\\ ⋮\\ y_j(k,i)+{\alpha }_j(k,i)\\ ⋮\\ y_q(k,i)+{\alpha }_q(k,i)\end{array}\right]$$

(7)

where $i\in \{1,2,\cdots ,m\}$. $k$ denotes the control period index, and $i$ denotes the sampling period index. The full response output of the system, $y^{response}(k,i)$, is given in Equations (8) and (9):

$$x(k)=A^{k}x(0)+{\displaystyle \sum _{N=0}^{k-1}{A}^{k-1-N}Bu(N)}$$

(8)

$$y^{response}(k,i)=C{e}^{A(t-t_0)}x(k)+C{\displaystyle {\int }_{t_0}^t{e}^{A(t-\tau )}Bu(k)d\tau }$$

(9)

where $t=k{T}_k+i{T}_s$ and $t_0=k{T}_k$. Therefore, the residual vector is given in Equation (10).

$$E(k,i)=y^s(k,i)-y^{response}(k,i)={\left[\begin{array}{ccccc}{e}_1(k,i)& \cdots & e_j(k,i)& \cdots & e_q(k,i)\end{array}\right]}^T$$

(10)

To determine whether $E(k,i)$ is anomalous, it is necessary to first train an SVM model capable of effectively distinguishing between normal and anomalous samples. The binary classification optimization problem of the SVM can be formulated as follows:

$$\underset{w,b,\xi }{\min }{\displaystyle \frac{1}{2}}{‖w‖}^2+L{\displaystyle \sum _g^G{\xi }_g}$$

(11)

$$M_g(w^T\varphi (E_g)+b)\ge 1-{\xi }_g,{\xi }_g\ge 0$$

(12)

where Equation (11) represents an optimization problem, and Equation (12) defines the corresponding constraints. $w$ is the normal vector of the hyperplane. $b$ is the bias term, which determines the position of the hyperplane. ${\xi }_g$ is the slack variable, representing the extent to which the g-th sample is allowed to violate the margin requirements. $L$ is the penalty coefficient, which controls the trade-off between maximizing the classification margin and tolerating classification errors. $G$ denotes the total number of samples, with $g\in \{1,2,\cdots G\}$. $E_g$ is the g-th residual vector sample. $M_g$ represents the label of the g-th sample, where +1 indicates a normal sample and −1 indicates an anomalous sample. $\varphi (E_g)$ is the feature-mapping function that maps $E_g$ into a high-dimensional feature space. Owing to the strong adaptability of the Gaussian Radial Basis Function (RBF) kernel in handling nonlinearly separable data, the RBF kernel is adopted in this study to perform nonlinear mapping, thereby enhancing the model’s ability to discriminate between normal and anomalous residuals. The decision function of the SVM model can be obtained from Equations (11) and (12), which is used to determine whether the residual vector $E(k,i)$ is anomalous, as shown in Equation (13):

$$f_{\mathrm{svm}}(E(k,i))=sign(w^T\varphi (E(k,i))+b)$$

(13)

where $f_{\mathrm{svm}}(E(k,i))$ represents the classification output of the SVM model for the residual vector $E(k,i)$. The model outputs a label of +1 or −1, where +1 indicates that the detection result for the residual vector $E(k,i)$ is normal, and −1 indicates that the detection result for $E(k,i)$ is anomalous. $sign$ is the sign function, which classifies the residual vector based on whether the output value of $(w^T\varphi (E(k,i))+b)$ is positive or negative. By using the output label of the SVM, it is possible to determine whether the data from each sampling instance is anomalous, thereby providing prior information for the subsequent localization of attacked sensor nodes.

4.2. FDI Attack Node Localization Based on Shapley Value and Voting Mechanism

After the SVM model classifies the residual vector $E(k,i)$ as anomalous $(-1)$, the Shapley value is introduced to evaluate the contribution of each residual in the residual vector to the anomaly detection. For a residual subset $S\in E(k,i)$ that does not include $e_j(k,i)$, and a residual $e_j(k,i)$ to be evaluated, the Shapley value ${\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))$ is the weighted average of the marginal contributions of $e_j\left(k,i\right)$ to the SVM decision function over all possible permutations of the residuals, as shown in Equation (14).

$${\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))={\displaystyle \sum _{S\subseteq E(k,i)/\{e_j(k,i)\}}\frac{\left|S\right|!(|E(k,i)|-|S|-1)!}{|E(k,i)|!}}(f_{\mathrm{svm}}(S\cup \{e_j(k,i)\})-f_{\mathrm{svm}}(S))$$

(14)

$\left|S\right|$ is the total number of residuals in the subset $S$, and $|E(k,i)|$ is the total number of residuals in the residual vector $E(k,i)$. $f_{\mathrm{svm}}\left(S\right)$ represents the SVM output of the residual subset $S$. $f_{\mathrm{svm}}(S\cup \{e_j(k,i)\})$ represents the SVM output after adding the residual $e_j\left(k,i\right)$ to the subset $S$. Therefore, the Shapley value vector $Z$ of the residual vector $E(k,i)$, when predicted as anomalous by the SVM model, is given as shown in Equation (15):

$$Z={[{\varphi }_{f_{\mathrm{svm}}}(e_1(k,i)),\cdots ,{\varphi }_{f_{\mathrm{svm}}}(e_j(k,i)),\cdots ,{\varphi }_{f_{\mathrm{svm}}}(e_q(k,i))]}^T$$

(15)

where, when the SVM model classifies the residual vector $E\left(k,i\right)$ as normal $(+1)$, the Shapley value of all residuals in $E\left(k,i\right)$ is set to zero.

Within a control period, the Shapley value matrix $\mathsf{\Phi }$ is given as shown in Equation (16).

$$\mathsf{\Phi }=\left[\begin{array}{ccc}{\varphi }_{f_{\mathrm{svm}}}(e_1(k,1))& \cdots & {\varphi }_{f_{\mathrm{svm}}}(e_1(k,m))\\ ⋮& \ddots & ⋮\\ {\varphi }_{f_{\mathrm{svm}}}(e_q(k,1))& \cdots & {\varphi }_{f_{\mathrm{svm}}}(e_q(k,m))\end{array}\right]$$

(16)

In this study, when $f_{\mathrm{svm}}(E(k,i))=-1$:

(1)

If ${\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))>0$, it indicates that $e_j\left(k,i\right)$ supports the SVM detection result being anomalous, and thus it is considered as casting a supporting vote for the anomaly detection.

(2)

If ${\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))<0$, it indicates that $e_j\left(k,i\right)$ opposes the SVM detection result being anomalous, and thus it is considered as casting an opposing vote against the anomaly detection.

When $f_{\mathrm{svm}}\left(E\left(k,i\right)\right)=1$, ${\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))=0$, which indicates that the residual does not participate in voting for the anomaly detection result of the SVM and is regarded as an abstention.

The voting results of the Shapley values corresponding to the residuals of each sensor node in the k-th control period are counted, as shown in Equation (17):

$$\left\{\begin{array}{c}{O}_{{\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))>0}(k)\\ O_{{\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))<0}(k)\\ O_{{\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))=0}(k)\end{array}\right\}=sign\left\{\begin{array}{c}{\varphi }_{f_{\mathrm{svm}}}(e_j(k,1))\\ {\varphi }_{f_{\mathrm{svm}}}(e_j(k,2))\\ ⋮\\ {\varphi }_{f_{\mathrm{svm}}}(e_j(k,m))\end{array}\right\}$$

(17)

where $sign$ is the sign function used to count the voting results. $O_{{\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))>0}(k)$ represents the number of votes during the k-th control period in which the Shapley value of the residual corresponding to sensor node $j$ is greater than zero. $O_{{\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))<0}(k)$ represents the number of votes in which the Shapley value of the residual corresponding to sensor node $j$ is less than zero during the k-th control period. $O_{{\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))=0}(k)$ represents the number of votes during the k-th control period in which the Shapley value of the residual corresponding to sensor node $j$ is equal to zero.

(1)

If

$${\displaystyle \frac{O_{{\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))>0}(k)}{m}}>75\%$$

(18)

it indicates that the supporting votes dominate in the voting process for the residual corresponding to sensor node $j$ when the SVM detection result is anomalous, meaning that sensor node $j$ was attacked by an FDI attack during the k-th control period.

(2)

If

$${\displaystyle \frac{O_{{\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))<0}(k)}{m}}>75\%$$

(19)

it indicates that the opposing votes dominate in the voting process for the residual corresponding to sensor node $j$ when the SVM detection result is anomalous, meaning that sensor node $j$ was not attacked by an FDI attack during the k-th control period.

(3)

If

$${\displaystyle \frac{O_{{\varphi }_{f_{\mathrm{svm}}}(e_j(k,i))=0}(k)}{m}}>75\%$$

(20)

it indicates that the residual corresponding to sensor node $j$ is largely not involved in the voting process for the SVM anomaly detection result, with abstentions being dominant. This means that sensor node $j$ did not experience an FDI attack during the k-th control period.

5. Simulation Results

To verify the feasibility of SVM and Shapley values in FDI attack detection and localization, a coupled double-input double-output model is constructed, with its state-space equations given in Equation (1).

Here,

$$A=\left[\begin{array}{cccc}-0.5& 0.3& 0.1& 0\\ 0.3& -0.5& 0.2& 0\\ 0.1& 0.2& -0.6& 0.3\\ 0& 0& 0.3& -0.4\end{array}\right]$$

(21)

$$B=\left[\begin{array}{cc}1& 0\\ 0& 1\\ 1& 0\\ 0& 1\end{array}\right]$$

(22)

$$C=\left[\begin{array}{cccc}0.4& 0.4& 0& 0\\ 0& 0& 0.4& 0.5\end{array}\right]$$

(23)

$$w(k)\sim \mathcal{N}\left(0,\left[\begin{array}{cccc}0.0001& 0& 0& 0\\ 0& 0.0002& 0& 0\\ 0& 0& 0.0001& 0\\ 0& 0& 0& 0.0002\end{array}\right]\right)$$

(24)

$$v(k)\sim \mathcal{N}\left(0,\left[\begin{array}{cc}0.02& 0\\ 0& 0.01\end{array}\right]\right)$$

(25)

The control period is 10 s, and the sampling period is 0.1 s. The controller obtains the system state estimation through a Kalman filter and applies an LQR algorithm to implement the control strategy.

Table 1. Key parameters used in the simulation experiments.

Parameter Name	Value
Kernel function	RBF
Regularization parameter	10
Kernel width	0.1
Node 1 Attack Amplitude	3 or 2
Node 1 Attack Frequency	0.05 Hz or 0.1 Hz
Node 2 Attack Amplitude	3 or 4
Node 2 Attack Frequency	0.05 Hz

lists the key parameters used in the simulation experiments.

5.1. SVM Model Training and Detection Performance Evaluation

In the localization of FDI attack nodes, the SVM model is used to determine whether $E(k,i)$ is anomalous. To evaluate the performance of the model, a confusion matrix is typically used, as shown in

Table 2. Confusion matrix of the binary classification SVM model.

Label Classification		Predicted Label
		Positive Class (+1)	Negative Class (−1)
True label	Positive class (+1)	TP	FN
	Negative class (−1)	FP	TN

. It consists of four components: true positives (TP), false negatives (FN), false positives (FP), and true negatives (TN).

Based on the confusion matrix, a series of evaluation metrics can be calculated:

(1)

Accuracy measures the ratio of correctly classified samples to the total number of samples, as shown in Equation (26).

$$\mathrm{Accuracy}={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}$$

(26)

(2)

Precision measures the percentage of predicted positive samples that are actually positive, as shown in Equation (27).

$$\mathrm{Precision}={\displaystyle \frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FP}}}$$

(27)

(3)

Recall indicates the proportion of positive samples that are correctly identified among all actual positive cases, as shown in Equation (28).

$$\mathrm{Recall}={\displaystyle \frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FN}}}$$

(28)

(4)

The F1 score represents the harmonic average of precision and recall, as shown in Equation (29).

$$F1={\displaystyle \frac{\mathrm{Precision}\ast \mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}}$$

(29)

By applying FDI attacks to sensor node 1 and sensor node 2, the attack models are constructed as shown in Equations (30) and (31).

$${\alpha }_1(k)=3\sin (2\pi \ast 0.05)$$

(30)

$${\alpha }_2(k)=3\sin (2\pi \ast 0.05)$$

(31)

Subsequently, the corresponding residuals are calculated, and a dataset is constructed for training and testing the SVM model, as illustrated in Figure 2 and

Table 3. Summary of the dataset used for SVM training and testing.

Item	Description
Total samples	4000
Normal samples	2300
Anomalous samples	1700
Feature dimension	2 (residuals of node 1 and node 2)
Sample labels	normal: +1, anomalous: −1
Training set	1500 normal + 1200 anomalous samples
Test set	800 normal + 500 anomalous samples

. Among them, 1500 normal samples and 1200 anomalous samples are randomly selected as the training set, while the remaining samples are used for testing. To evaluate the model performance, three independent random splits and training–testing procedures are conducted, and the average result is reported as the final SVM performance metric. The detailed results are presented in

Table 4. Evaluation metrics of the SVM classification model.

Accuracy	Precision	Recall	F1 Score
96.472%	95.748%	99.583%	97.613%

.

5.2. Voting Analysis and Validation of the Anomalous Node Localization Mechanism

Figure 3 illustrates the variation in the actual values received by the controller and the estimated full response of the system in the absence of FDI attacks. The blue solid line represents the actual value received by the controller, $y_j^s(k,i)$, while the red dashed line represents the estimated full response of the system, $y_j^{\mathrm{response}}(k,i)$. Taking the time interval between 200 s and 400 s as an example, the differences between $y_j^{\mathrm{response}}(k,i)$ and $y_j^s(k,i)$ for each sensor node remain relatively small.

The previously trained SVM model is used to perform anomaly detection on $E(k,i)={[e_1(k,i),e_2(k,i)]}^T$ and to compute the corresponding Shapley values for each residual. Figure 4 shows the Shapley values of the residuals corresponding to sensor nodes 1 and 2 when no FDI attack is present. It can be observed that during the time interval from 200 s to 400 s, most of the Shapley values for $e_1\left(k,i\right)$ and $e_2\left(k,i\right)$ are equal to 0, indicating that $E(k,i)={[e_1(k,i),e_2(k,i)]}^T$ is classified as normal by the SVM model. A small number of nonzero Shapley values appear, mainly due to the inherent error in the detection model, which prevents the detection accuracy from reaching 100%. However, this influence is negligible in the subsequent statistical analysis.

Table 5. Voting results of residuals in the absence of FDI attacks.

${\mathit{e}}_1\left(\mathit{k},\mathit{i}\right)$			${\mathit{e}}_2\left(\mathit{k},\mathit{i}\right)$
Abstentions	Supporting Votes	Opposing Votes	Abstentions	Supporting Votes	Opposing Votes
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
0.99	0.01	0	0.99	0.01	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
0.99	0.01	0	0.99	0.01	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0
1	0	0	1	0	0

presents the voting results of the residuals $e_1\left(k,i\right)$ and $e_2\left(k,i\right)$ corresponding to the sensor nodes during each control period within the time interval from 200 s to 400 s (a total of 20 control periods, with 100 samples per control period), under the condition that no FDI attacks are applied to the sensor nodes. It can be observed that the voting results for both residuals $e_1\left(k,i\right)$ and $e_2\left(k,i\right)$ are predominantly abstentions in each control period. This indicates that when the SVM model performs detection on the residual vector $E(k,i)={[e_1(k,i),e_2(k,i)]}^T$, the detection results are generally normal, meaning that none of the sensor nodes were subjected to FDI attacks during these 20 control periods.

FDI attacks ${\alpha }_1(k)$ and ${\alpha }_2(k)$ are applied separately to sensor nodes 1 and 2. The expressions of the FDI attack models are given in Equations (32) and (33).

$${\alpha }_1\left(k\right)\left\{\begin{array}{cc}=0& other\\ =2\sin (2\pi \ast 0.1)& [300\mathrm{s},400\mathrm{s}]\end{array}\right.$$

(32)

$${\alpha }_2\left(k\right)\left\{\begin{array}{cc}=0& other\\ =4\sin (2\pi \ast 0.05)& [200\mathrm{s},400\mathrm{s}]\end{array}\right.$$

(33)

Figure 5 shows the variation between the actual values received by the controller and the system’s full response estimates when FDI attacks are applied to different sensor nodes at different time intervals. The blue solid line represents the actual value received by the controller, $y_j^s(k,i)$, and the red dashed line represents the system’s full response estimate, $y_j^{\mathrm{response}}(k,i)$. A significant discrepancy between $y_2^{\mathrm{response}}(k,i)$ and $y_2^s(k,i)$ is observed for sensor node 2 during the 200 s to 400 s interval. For sensor node 1, a noticeable difference between $y_1^s(k,i)$ and $y_1^{\mathrm{response}}(k,i)$ appears between 300 s and 400 s, while the two remain relatively close between 200 s and 300 s.

The previously trained SVM model is used to perform anomaly detection on $E(k,i)={[e_1(k,i),e_2(k,i)]}^T$ and to calculate the corresponding Shapley values for each residual. Figure 6 presents the Shapley values of the residuals corresponding to sensor nodes 1 and 2 under FDI attacks. The Shapley values of $e_1\left(k,i\right)$ are mostly less than 0 during the 200 s to 300 s interval, and mostly greater than 0 during the 300 s to 400 s interval. In contrast, the Shapley values of $e_2\left(k,i\right)$ are mostly greater than or equal to 0 throughout the entire 200 s to 400 s time period.

Table 6. Voting results of residuals under FDI attacks.

${\mathit{e}}_1\left(\mathit{k},\mathit{i}\right)$			${\mathit{e}}_2\left(\mathit{k},\mathit{i}\right)$
Abstentions	Supporting Votes	Opposing Votes	Abstentions	Supporting Votes	Opposing Votes
0.07	0.01	0.92	0.07	0.93	0
0.03	0.02	0.95	0.03	0.97	0
0.05	0.01	0.94	0.05	0.95	0
0.06	0.02	0.92	0.06	0.94	0
0.07	0.01	0.92	0.07	0.93	0
0.06	0.03	0.91	0.06	0.94	0
0.06	0.03	0.91	0.06	0.94	0
0.07	0.03	0.90	0.07	0.93	0
0.06	0.03	0.91	0.06	0.94	0
0.05	0.01	0.94	0.05	0.95	0
0.05	0.87	0.08	0.05	0.94	0.01
0.05	0.88	0.07	0.05	0.95	0
0.04	0.88	0.08	0.04	0.96	0
0.04	0.90	0.06	0.04	0.95	0.01
0.03	0.88	0.09	0.03	0.97	0
0.04	0.90	0.06	0.04	0.96	0
0.05	0.87	0.08	0.05	0.95	0
0.05	0.90	0.05	0.05	0.95	0
0.04	0.91	0.05	0.04	0.96	0
0.05	0.87	0.08	0.05	0.95	0

presents the voting results of the residuals $e_1\left(k,i\right)$ and $e_2\left(k,i\right)$, corresponding to sensor nodes 1 and 2, during each control period within the 200 s to 400 s time interval (a total of 20 control periods, with 100 samples per control period), under FDI attacks. The results show that for control periods 1 to 10, the voting results for $e_1\left(k,i\right)$ are mainly opposing votes, while for control periods 11 to 20, the voting results are predominantly supporting votes. This indicates that sensor node 1 was subjected to an FDI attack during the 300 s to 400 s interval. For control periods 1 to 20, the voting results for $e_2\left(k,i\right)$ are mainly supporting votes, indicating that sensor node 2 was under FDI attack throughout the entire 200 s to 400 s interval.

6. Conclusions

This study addresses the threat of FDI attacks targeting sensor nodes in CPS by proposing an attack localization method that integrates SVM-based anomaly detection with a Shapley value voting mechanism. Simulation results demonstrate that the proposed method achieves a detection accuracy of 96.472%, with a precision of 95.748%, recall of 99.583%, and an F1-score of 97.613% during the anomaly detection phase. Although the detection accuracy does not reach 100%, the voting strategy introduced in the localization mechanism can effectively compensate for this limitation. By accurately identifying multiple simultaneously attacked sensor nodes, the strategy demonstrates strong robustness and promising potential for engineering applications. Future research will focus on evaluating the method’s robustness under varying noise characteristics and system parameter perturbations, as well as exploring the integration of adaptive parameter estimation and robust classification techniques to enhance its applicability and generalizability under model uncertainties.