Yifan Jia,Jingyi Wang,Christopher M. Poskitt,Sudipta Chattopadhyay,Jun Sun,Yuqi Chen

DOI: https://doi.org/10.1016/j.ijcip.2021.100452

IF: 3.683

2021-01-01

International Journal of Critical Infrastructure Protection

Abstract:The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.

Mayra Alexandra Macas Carrasco,Chunming Wu

DOI: https://doi.org/10.1109/icmla.2019.00212

2019-01-01

Abstract:Current Cyber-Physical Systems (CPSs) are sophisticated, complex, and equipped with networked sensors and actuators. As such, they have become further exposed to cyber-attacks. Recent catastrophic events have demonstrated that standard, human-based management of anomaly detection in complex systems is not efficient enough and have underlined the significance of automated detection, intelligent and rapid response. Nevertheless, existing anomaly detection frameworks usually are not capable of dealing with the dynamic and complicated nature of the CPSs. In this study, we introduce an unsupervised framework for anomaly detection based on an Attention-based Spatio-Temporal Autoencoder. In particular, we first construct statistical correlation matrices to characterize the system status across different time steps. Next, a 2D convolutional encoder is employed to encode the patterns of the correlation matrices, whereas an Attention-based Convolutional LSTM Encoder-Decoder (ConvLSTM-ED) is used to capture the temporal dependencies. More precisely, we introduce an input attention mechanism to adaptively select the most significant input features at each time step. Finally, the 2D convolutional decoder reconstructs the correlation matrices. The differences between the reconstructed correlation matrices and the original ones are used as indicators of anomalies. Extensive experimental analysis on data collected from all six stages of Secure Water Treatment (SWaT) testbed, a scaled-down version of a real-world industrial water treatment plant, demonstrates that the proposed model outperforms the state-of-the-art baseline techniques.

Jun Zhang,Lei Pan,Qing-Long Han,Chao Chen,Sheng Wen,Yang Xiang

DOI: https://doi.org/10.1109/jas.2021.1004261

2022-03-01

IEEE/CAA Journal of Automatica Sinica

Abstract:With the booming of cyber attacks and cyber criminals against cyber-physical systems (CPSs), detecting these attacks remains challenging. It might be the worst of times, but it might be the best of times because of opportunities brought by machine learning (ML), in particular deep learning (DL). In general, DL delivers superior performance to ML because of its layered setting and its effective algorithm for extract useful information from training data. DL models are adopted quickly to cyber attacks against CPS systems. In this survey, a holistic view of recently proposed DL solutions is provided to cyber attack detection in the CPS context. A six-step DL driven methodology is provided to summarize and analyze the surveyed literature for applying DL methods to detect cyber attacks against CPS systems. The methodology includes CPS scenario analysis, cyber attack identification, ML problem formulation, DL model customization, data acquisition for training, and performance evaluation. The reviewed works indicate great potential to detect cyber attacks against CPS through DL modules. Moreover, excellent performance is achieved partly because of several high-quality datasets that are readily available for public use. Furthermore, challenges, opportunities, and research trends are pointed out for future research.

Henrik S. Steude,Lukas Moddemann,Alexander Diedrich,Jonas Ehrhardt,Oliver Niggemann

DOI: https://doi.org/10.48550/arXiv.2311.15924

2023-11-27

Abstract:In Cyber-Physical Systems (CPS) research, anomaly detection (detecting abnormal behavior) and diagnosis (identifying the underlying root cause) are often treated as distinct, isolated tasks. However, diagnosis algorithms require symptoms, i.e. temporally and spatially isolated anomalies, as input. Thus, anomaly detection and diagnosis must be developed together to provide a holistic solution for diagnosis in CPS. We therefore propose a method for utilizing deep learning-based anomaly detection to generate inputs for Consistency-Based Diagnosis (CBD). We evaluate our approach on a simulated and a real-world CPS dataset, where our model demonstrates strong performance relative to other state-of-the-art models.

Machine Learning,Artificial Intelligence

Nicholas Jeffrey,Qing Tan,José R. Villar

DOI: https://doi.org/10.3390/electronics13071391

IF: 2.9

2024-04-08

Electronics

Abstract:The swift embrace of Industry 4.0 paradigms has led to the growing convergence of Information Technology (IT) networks and Operational Technology (OT) networks. Traditionally isolated on air-gapped and fully trusted networks, OT networks are now becoming more interconnected with IT networks due to the advancement and applications of IoT. This expanded attack surface has led to vulnerabilities in Cyber–Physical Systems (CPSs), resulting in increasingly frequent compromises with substantial economic and life safety repercussions. The existing methods for the anomaly detection of security threats typically use simple threshold-based strategies or apply Machine Learning (ML) algorithms to historical data for the prediction of future anomalies. However, due to the high levels of heterogeneity across different CPS environments, minimizing the opportunities for transfer learning, and the scarcity of real-world data for training, the existing ML-based anomaly detection techniques suffer from a poor predictive performance. This paper introduces a hybrid anomaly detection approach designed to identify threats to CPSs by combining the signature-based anomaly detection typically utilized in IT networks, the threshold-based anomaly detection typically utilized in OT networks, and behavioural-based anomaly detection using Ensemble Learning (EL), which leverages the strengths of multiple ML algorithms against the same dataset to increase the accuracy. Multiple public research datasets were used to validate the proposed approach, with the hybrid methodology employing a divide-and-conquer strategy to offload the detection of certain cyber threats to computationally inexpensive signature-based and threshold-based methods using domain knowledge to minimize the size of the behavioural-based data needed for ML model training, thus achieving a higher accuracy over a reduced timeframe. The experimental results showed accuracy improvements of 4–7% over those of the conventional ML classifiers in performing anomaly detection across multiple datasets, which is particularly important to the operators of CPS environments due to the high financial and life safety costs associated with interruptions to system availability.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xugui Zhou,Maxfield Kouzel,Homa Alemzadeh

DOI: https://doi.org/10.48550/arXiv.2204.09183

2022-05-03

Abstract:The growing complexity of Cyber-Physical Systems (CPS) and challenges in ensuring safety and security have led to the increasing use of deep learning methods for accurate and scalable anomaly detection. However, machine learning (ML) models often suffer from low performance in predicting unexpected data and are vulnerable to accidental or malicious perturbations. Although robustness testing of deep learning models has been extensively explored in applications such as image classification and speech recognition, less attention has been paid to ML-driven safety monitoring in CPS. This paper presents the preliminary results on evaluating the robustness of ML-based anomaly detection methods in safety-critical CPS against two types of accidental and malicious input perturbations, generated using a Gaussian-based noise model and the Fast Gradient Sign Method (FGSM). We test the hypothesis of whether integrating the domain knowledge (e.g., on unsafe system behavior) with the ML models can improve the robustness of anomaly detection without sacrificing accuracy and transparency. Experimental results with two case studies of Artificial Pancreas Systems (APS) for diabetes management show that ML-based safety monitors trained with domain knowledge can reduce on average up to 54.2% of robustness error and keep the average F1 scores high while improving transparency.

Machine Learning,Artificial Intelligence

Pablo Moriano,Steven C. Hespeler,Mingyan Li,Maria Mahbub

2024-11-22

Abstract:Modern cyberattacks in cyber-physical systems (CPS) rapidly evolve and cannot be deterred effectively with most current methods which focused on characterizing past threats. Adaptive anomaly detection (AAD) is among the most promising techniques to detect evolving cyberattacks focused on fast data processing and model adaptation. AAD has been researched in the literature extensively; however, to the best of our knowledge, our work is the first systematic literature review (SLR) on the current research within this field. We present a comprehensive SLR, gathering 397 relevant papers and systematically analyzing 65 of them (47 research and 18 survey papers) on AAD in CPS studies from 2013 to 2023 (November). We introduce a novel taxonomy considering attack types, CPS application, learning paradigm, data management, and algorithms. Our analysis indicates, among other findings, that reviewed works focused on a single aspect of adaptation (either data processing or model adaptation) but rarely in both at the same time. We aim to help researchers to advance the state of the art and help practitioners to become familiar with recent progress in this field. We identify the limitations of the state of the art and provide recommendations for future research directions.

Cryptography and Security

Amrik Singh -,Sukhpreet Singh -,Mohammad Nazmul Alam -,Gurpreet Singh -

DOI: https://doi.org/10.36948/ijfmr.2024.v06i04.24601

2024-07-14

International Journal For Multidisciplinary Research

Abstract:The proliferation of Internet of Things (IoT) devices has revolutionized various sectors by enabling real-time data collection and processing, leading to unprecedented levels of efficiency and convenience. However, this increased connectivity and data flow also introduce significant security risks, particularly in the realm of anomaly detection. This study delves into the use of deep learning techniques for identifying abnormalities in IoT systems, providing a thorough analysis of state-of-the-art methods, assessing their effectiveness across different IoT scenarios, and exploring future research directions. We review current deep learning-based anomaly detection techniques, examine their applications in real-world settings, and discuss potential improvements and innovations. By synthesizing the latest research and developments, this paper aims to offer a comprehensive understanding of how deep learning can bolster the security and performance of IoT systems. Our findings highlight the importance of robust anomaly detection mechanisms in safeguarding IoT networks and underscore the need for continued advancements in this area. Through this study, we seek to contribute valuable insights into the application of deep learning for enhancing IoT system security and reliability, ultimately supporting the sustainable growth and integration of IoT technologies across various domains.

Qinghua Xu,Shaukat Ali,Tao Yue

DOI: https://doi.org/10.1145/3582571

2023-09-28

Abstract:Anomaly detection is critical to ensure the security of cyber-physical systems (CPS). However, due to the increasing complexity of attacks and CPS themselves, anomaly detection in CPS is becoming more and more challenging. In our previous work, we proposed a digital twin-based anomaly detection method, called ATTAIN, which takes advantage of both historical and real-time data of CPS. However, such data vary significantly in terms of difficulty. Therefore, similar to human learning processes, deep learning models (e.g., ATTAIN) can benefit from an easy-to-difficult curriculum. To this end, in this paper, we present a novel approach, named digitaL twin-based Anomaly deTecTion wIth Curriculum lEarning (LATTICE), which extends ATTAIN by introducing curriculum learning to optimize its learning paradigm. LATTICE attributes each sample with a difficulty score, before being fed into a training scheduler. The training scheduler samples batches of training data based on these difficulty scores such that learning from easy to difficult data can be performed. To evaluate LATTICE, we use five publicly available datasets collected from five real-world CPS testbeds. We compare LATTICE with ATTAIN and two other state-of-the-art anomaly detectors. Evaluation results show that LATTICE outperforms the three baselines and ATTAIN by 0.906%-2.367% in terms of the F1 score. LATTICE also, on average, reduces the training time of ATTAIN by 4.2% on the five datasets and is on par with the baselines in terms of detection delay time.

Machine Learning,Cryptography and Security,Software Engineering

Qinghua Xu,Shaukat Ali,Tao Yue

DOI: https://doi.org/10.1109/ICST49551.2021.00031

2021-01-01

Abstract:Cyber-Physical Systems (CPS) are susceptible to various anomalies during their operations. Thus, it is important to detect such anomalies. Detecting such anomalies is challenging since it is uncertain when and where anomalies can happen. To this end, we present a novel approach called Anomaly deTection with digiTAl twIN (ATTAIN), which continuously and automatically builds a digital twin with live...

Junxuan Liao,Jing Li,Yu Chen,Rongbin Gu,Ying Zhu,Weizhou Peng

DOI: https://doi.org/10.1016/j.aei.2024.102547

IF: 8.8

2024-04-17

Advanced Engineering Informatics

Abstract:With the rapid development of cyber–physical systems, an increasing amount of data is stored in the form of multivariate time series. Detecting anomalies within multivariate time series has become a crucial means to ensure the proper functioning of cyber–physical systems. Traditional methods for anomaly detection in multivariate time series often categorize features into temporal and spatial features based on their representative dimensions. However, these approaches tend to overlook the unique characteristics of cyber–physical systems reflected in the multivariate time series. This hinders their ability to perform well in cases with complex multivariate time series data. To overcome this challenge, we introduce a novel approach that classifies the spatiotemporal features of multivariate time series data into steady features (features that remain constant under external variations) and dynamic features (features that respond to external changes), aligning with the nature of cyber–physical systems. Addressing this challenge involves two main aspects: (1) determining how to classify steady and dynamic features in multivariate time series data and (2) leveraging these features for anomaly detection.To address these challenges, we propose a D ual- P rocess D ynamic G raph-based time series A nomaly D etection (DPDGAD) method. DPDGAD enhances the generalizability of anomaly detection in complex spatiotemporal environments and improves the interpretability of the detected anomalies. We validate the performance of DPDGAD through six real-world datasets generated by cyber–physical systems, achieving F1 scores of 0.7529 and 0.9009 on WADI and SWaT, respectively.

engineering, multidisciplinary,computer science, artificial intelligence

Jiali Ma,Yuanbo Guo,Chen Fang,Qi Zhang

DOI: https://doi.org/10.1109/jiot.2024.3366904

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Although a cyber-physical system (CPS) enhances the system control flexibility by connecting physical devices to the network, it also increases the possibility of network attacks on the system, which can cause damage to both property and personnel. To achieve CPS security, this paper proposes a network security protection method based on a digital twin (DT). By constructing DT models of the CPS physical layer and network layer and collecting real-time data of the system, the system security is improved from several aspects. First, we construct a data-driven behavior model for the CPS physical layer and introduce expert knowledge in order to realize the function of physical layer anomaly diagnosis. Comparisons with related studies show that our method achieves a higher precision, recall rate, and F1 score. Second, we construct an attack graph model for the CPS network layer for CPS network security analysis in order to realize the functions of security risk quantification and security countermeasure recommendation. Finally, we model the interaction between the physical networks and transfer the diagnosis results of the physical layer twin to the network layer twin in order to correct the attack graph. Thus, we achieve an accurate representation of the overall network security situation in real time.

computer science, information systems,telecommunications,engineering, electrical & electronic

A. A. Radhi,Luay Ibrahim Khalaf,Saadaldeen Rashid Ahmed,Omar Ayad Ismael,Sameer Algburi,Baydaa Alhamadani

DOI: https://doi.org/10.1145/3660853.3660932

2024-05-25

Abstract:An essential aspect of cybersecurity is the continuously growing threat landscape, which necessitates the use of advanced anomaly detection techniques in network data. The traditional approach might often be inadequate when it comes to addressing intricate cyber-security issues. Therefore, it is possible that deep learning approaches might be superior in terms of accuracy and performance. The primary objective of our study is to provide a novel algorithm that combines Convolutional Neural Networks (CNNs), Recurrent Neural Networks (RNNs), autoencoders, and GANs to create a comprehensive strategy for detecting anomalies. This technique aims to solve research gaps that have not been previously explored. By using the MTA-KDD'19 dataset, our research enhances precision by achieving a remarkable accuracy rate of 95% in detecting various types of network traffic abnormalities. This discovery not only demonstrated the harmfulness of our deep learning-based approach but also highlighted the effectiveness of these measures in reducing the issue, particularly when faced with diverse threats. This enhances the development of network security procedures. CCS CONCEPTS • Computing methodologies∼ Artificial intelligence • Security and privacy∼Network security

Engineering,Computer Science

Riccardo Colelli,Filippo Magri,Stefano Panzieri,Federica Pascucci

DOI: https://doi.org/10.48550/arXiv.2110.12963

2021-10-25

Cryptography and Security

Abstract:Over the past decade, industrial control systems have experienced a massive integration with information technologies. Industrial networks have undergone numerous technical transformations to protect operational and production processes, leading today to a new industrial revolution. Information Technology tools are not able to guarantee confidentiality, integrity and availability in the industrial domain, therefore it is of paramount importance to understand the interaction of the physical components with the networks. For this reason, usually, the industrial control systems are an example of Cyber-Physical Systems (CPS). This paper aims to provide a tool for the detection of cyber attacks in cyber-physical systems. This method is based on Machine Learning to increase the security of the system. Through the analysis of the values assumed by Machine Learning it is possible to evaluate the classification performance of the three models. The model obtained using the training set, allows to classify a sample of anomalous behavior and a sample that is related to normal behavior. The attack identification is implemented in water tank system, and the identification approach using Machine Learning aims to avoid dangerous states, such as the overflow of a tank. The results are promising, demonstrating its effectiveness.

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Danial Abshari,Chenglong Fu,Meera Sridhar

2024-11-17

Abstract:Modern industrial infrastructures rely heavily on Cyber-Physical Systems (CPS), but these are vulnerable to cyber-attacks with potentially catastrophic effects. To reduce these risks, anomaly detection methods based on physical invariants have been developed. However, these methods often require domain-specific expertise to manually define invariants, making them costly and difficult to scale. To address this limitation, we propose a novel approach to extract physical invariants from CPS testbeds for anomaly detection. Our insight is that CPS design documentation often contains semantically rich descriptions of physical procedures, which can profile inter-correlated dynamics among system components. Leveraging the built-in physics and engineering knowledge of recent generative AI models, we aim to automate this traditionally manual process, improving scalability and reducing costs. This work focuses on designing and optimizing a Retrieval-Augmented-Generation (RAG) workflow with a customized prompting system tailored for CPS documentation, enabling accurate extraction of semantic information and inference of physical invariants from complex, multimodal content. Then, rather than directly applying the inferred invariants for anomaly detection, we introduce an innovative statistics-based learning approach that integrates these invariants into the training dataset. This method addresses limitations such as hallucination and concept drift, enhancing the reliability of the model. We evaluate our approach on real-world public CPS security dataset which contains 86 data points and 58 attacking cases. The results show that our approach achieves a high precision of 0.923, accurately detecting anomalies while minimizing false alarms.

Cryptography and Security,Artificial Intelligence

Shuo Zhang,Jing Liu

DOI: https://doi.org/10.1109/ICASSP49357.2023.10096634

2023-01-01

Abstract:Anomalous signal detection aims to detect unknown abnormal signals of machines from normal signals. However, building effective and interpretable anomaly detection models for safety-critical cyber-physical systems (CPS) is rather difficult due to the unidentified system noise and extremely intricate system dynamics of CPS and the neural network black box. This work proposes a novel time series anomalous signal detection model based on neural system identification and causal inference to track the dynamics of CPS in a dynamical state-space and avoid absorbing spurious correlation caused by confounding bias generated by system noise, which improves the stability, security and interpretability in detection of anomalous signals from CPS. Experiments on three real-world CPS datasets show that the proposed method achieved considerable improvements compared favorably to the state-of-the-art methods on anomalous signal detection in CPS. Moreover, the ablation study empirically demonstrates the efficiency of each component in our method.

Yan Du,Yuanyuan Huang,Guogen Wan,Peilin He

DOI: https://doi.org/10.3390/math10224373

IF: 2.4

2022-11-20

Mathematics

Abstract:In this paper, we propose an unsupervised anomaly detection method based on the Autoencoder with Long Short-Term Memory (LSTM-Autoencoder) network and Generative Adversarial Network (GAN) to detect anomalies in industrial control system (ICS) using cyber–physical fusion features. This method improves the recall of anomaly detection and overcomes the challenges of unbalanced datasets and insufficient labeled samples in ICS. As a first step, additional network features are extracted and fused with physical features to create a cyber–physical dataset. Following this, the model is trained using normal data to ensure that it can properly reconstruct the normal data. In the testing phase, samples with unknown labels are used as inputs to the model. The model will output an anomaly score for each sample, and whether a sample is anomalous depends on whether the anomaly score exceeds the threshold. Whether using supervised or unsupervised algorithms, experimentation has shown that (1) cyber–physical fusion features can significantly improve the performance of anomaly detection algorithms; (2) the proposed method outperforms several other unsupervised anomaly detection methods in terms of accuracy, recall, and F1 score; (3) the proposed method can detect the majority of anomalous events with a low false negative rate.

mathematics

Shivani Gaba,Ishan Budhiraja,Vimal Kumar,Sheshikala Martha,Jebreel Khurmi,Akansha Singh,Krishna Kant Singh,S. S. Askar,Mohamed Abouhawwash

DOI: https://doi.org/10.1109/access.2023.3349022

IF: 3.9

2024-01-01

IEEE Access

Abstract:In this current era, cyber-physical systems (CPSs) have gained concentrated consideration in various fields because of their emergent applications. Though the robust dependence on communication networks creates cyber-physical systems susceptible to deliberated cyber related attacks and detecting these cyber-attacks are the most challenging task. There is the interaction among the components of the cyber and physical worlds, so CPS security needs a distinct approach from past security concerns. Deep learning (DL) distributes better performance than machine learning (ML) due to its layered architecture and the efficient algorithm for extracting prominent information from training data. So, the deep learning models are taken into consideration quickly for detecting cyber-attacks in cyber physical systems. As numerous attack detection methods have been proposed by various authors for enforcing CPS security, this paper reviews and analyzes multiple ways of attack detection presented for CPS using deep learning. We will be putting the excellent potential for detecting cyber-attacks for CPS concerning deep learning modules. The admirable performance is attained partly as highly quality datasets are eagerly obtainable for the use of the public. Moreover, various challenges and research inclinations are also discussed in impending research.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaokang Zhou,Wei Liang,Shohei Shimizu,Jianhua Ma,Qun Jin

DOI: https://doi.org/10.1109/tii.2020.3047675

IF: 12.3

2021-08-01

IEEE Transactions on Industrial Informatics

Abstract:With the increasing population of Industry 4.0, both AI and smart techniques have been applied and become hotly discussed topics in industrial cyber-physical systems (CPS). Intelligent anomaly detection for identifying cyber-physical attacks to guarantee the work efficiency and safety is still a challenging issue, especially when dealing with few labeled data for cyber-physical security protection. In this article, we propose a few-shot learning model with Siamese convolutional neural network (FSL-SCNN), to alleviate the over-fitting issue and enhance the accuracy for intelligent anomaly detection in industrial CPS. A Siamese CNN encoding network is constructed to measure distances of input samples based on their optimized feature representations. A robust cost function design including three specific losses is then proposed to enhance the efficiency of training process. An intelligent anomaly detection algorithm is developed finally. Experiment results based on a fully labeled public dataset and a few labeled dataset demonstrate that our proposed FSL-SCNN can significantly improve false alarm rate (FAR) and F1 scores when detecting intrusion signals for industrial CPS security protection.