CPS-GUARD: Intrusion detection for cyber-physical systems and IoT devices using outlier-aware deep autoencoders

•A semi-supervised learning technique for intrusion detection in cyber-physical systems.•Outlier-aware deep autoencoder for imperfect training data.•Self-tuning threshold selection method for normal data points.•Evaluation with cyber-physical systems and IoT devices on up-to-date attacks. Detecting attacks to Cyber-Physical Systems (CPSs) is of utmost importance, due to their increasingly frequent use in many critical assets. Intrusion detection in CPSs and other domains, such as the Internet of Things, is often addressed through machine and deep learning. However, many existing proposals tend to favor the application of complex detection models over the usability in real-world operations. This paper presents CPS-GUARD, a novel intrusion detection approach based on a single semi-supervised autoencoder and a technique to set the threshold used to discriminate normal operations from attacks. The technique is outlier-aware, in that it relies on outlier detection to mitigate inherent imperfections of the training data. CPS-GUARD is evaluated by means of direct experiments with normal and intrusion data points pertaining to individual sensing devices, an HTTP server and four full-fledged systems, including CPSs. Experiments are based on a wide spectrum of attacks available in six state-of-the-art datasets. The intrusion detection results of CPS-GUARD are within 0.949-1.000 recall, 0.961-0.999 precision and 0.006-0.027 false positive rate depending on the specific system. The results are competitive with other existing intrusion detection methods. The evaluation is complemented by a comparative study on alternative threshold selection and outlier detection techniques.