{"id":"https://openalex.org/W2501509689","doi":"https://doi.org/10.1145/3011018","title":"Automatic Construction of Statechart-Based Anomaly Detection Models for Multi-Threaded Industrial Control Systems","display_name":"Automatic Construction of Statechart-Based Anomaly Detection Models for Multi-Threaded Industrial Control Systems","publication_year":2017,"publication_date":"2017-02-24","ids":{"openalex":"https://openalex.org/W2501509689","doi":"https://doi.org/10.1145/3011018","mag":"2501509689"},"language":"en","primary_location":{"id":"doi:10.1145/3011018","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3011018","pdf_url":null,"source":{"id":"https://openalex.org/S2492086750","display_name":"ACM Transactions on Intelligent Systems and Technology","issn_l":"2157-6904","issn":["2157-6904","2157-6912"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Intelligent Systems and Technology","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5009205764","display_name":"Amit Kleinmann","orcid":"https://orcid.org/0000-0003-4423-1399"},"institutions":[{"id":"https://openalex.org/I16391192","display_name":"Tel Aviv University","ror":"https://ror.org/04mhzgx49","country_code":"IL","type":"education","lineage":["https://openalex.org/I16391192"]}],"countries":["IL"],"is_corresponding":true,"raw_author_name":"Amit Kleinmann","raw_affiliation_strings":["Tel Aviv University, Ramat-Aviv Tel-Aviv, Israel"],"raw_orcid":"https://orcid.org/0000-0003-4423-1399","affiliations":[{"raw_affiliation_string":"Tel Aviv University, Ramat-Aviv Tel-Aviv, Israel","institution_ids":["https://openalex.org/I16391192"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5042818115","display_name":"Avishai Wool","orcid":"https://orcid.org/0000-0002-8371-4759"},"institutions":[{"id":"https://openalex.org/I16391192","display_name":"Tel Aviv University","ror":"https://ror.org/04mhzgx49","country_code":"IL","type":"education","lineage":["https://openalex.org/I16391192"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Avishai Wool","raw_affiliation_strings":["Tel Aviv University, Ramat-Aviv Tel-Aviv, Israel"],"raw_orcid":"https://orcid.org/0000-0002-8371-4759","affiliations":[{"raw_affiliation_string":"Tel Aviv University, Ramat-Aviv Tel-Aviv, Israel","institution_ids":["https://openalex.org/I16391192"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5009205764"],"corresponding_institution_ids":["https://openalex.org/I16391192"],"apc_list":null,"apc_paid":null,"fwci":3.0734,"has_fulltext":false,"cited_by_count":30,"citation_normalized_percentile":{"value":0.92331342,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":98},"biblio":{"volume":"8","issue":"4","first_page":"1","last_page":"21"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10917","display_name":"Smart Grid Security and Resilience","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/2207","display_name":"Control and Systems Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.9973999857902527,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8851110935211182},{"id":"https://openalex.org/keywords/finite-state-machine","display_name":"Finite-state machine","score":0.5234472155570984},{"id":"https://openalex.org/keywords/multiplexing","display_name":"Multiplexing","score":0.5040399432182312},{"id":"https://openalex.org/keywords/deterministic-finite-automaton","display_name":"Deterministic finite automaton","score":0.485128253698349},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.44388267397880554},{"id":"https://openalex.org/keywords/asynchronous-communication","display_name":"Asynchronous communication","score":0.4220260679721832},{"id":"https://openalex.org/keywords/markov-chain","display_name":"Markov chain","score":0.41220223903656006},{"id":"https://openalex.org/keywords/algorithm","display_name":"Algorithm","score":0.38688358664512634},{"id":"https://openalex.org/keywords/real-time-computing","display_name":"Real-time computing","score":0.36030638217926025},{"id":"https://openalex.org/keywords/parallel-computing","display_name":"Parallel computing","score":0.33544376492500305},{"id":"https://openalex.org/keywords/theoretical-computer-science","display_name":"Theoretical computer science","score":0.3267437219619751},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.13856291770935059}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8851110935211182},{"id":"https://openalex.org/C167822520","wikidata":"https://www.wikidata.org/wiki/Q176452","display_name":"Finite-state machine","level":2,"score":0.5234472155570984},{"id":"https://openalex.org/C19275194","wikidata":"https://www.wikidata.org/wiki/Q222903","display_name":"Multiplexing","level":2,"score":0.5040399432182312},{"id":"https://openalex.org/C104091681","wikidata":"https://www.wikidata.org/wiki/Q837528","display_name":"Deterministic finite automaton","level":3,"score":0.485128253698349},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.44388267397880554},{"id":"https://openalex.org/C151319957","wikidata":"https://www.wikidata.org/wiki/Q752739","display_name":"Asynchronous communication","level":2,"score":0.4220260679721832},{"id":"https://openalex.org/C98763669","wikidata":"https://www.wikidata.org/wiki/Q176645","display_name":"Markov chain","level":2,"score":0.41220223903656006},{"id":"https://openalex.org/C11413529","wikidata":"https://www.wikidata.org/wiki/Q8366","display_name":"Algorithm","level":1,"score":0.38688358664512634},{"id":"https://openalex.org/C79403827","wikidata":"https://www.wikidata.org/wiki/Q3988","display_name":"Real-time computing","level":1,"score":0.36030638217926025},{"id":"https://openalex.org/C173608175","wikidata":"https://www.wikidata.org/wiki/Q232661","display_name":"Parallel computing","level":1,"score":0.33544376492500305},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.3267437219619751},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.13856291770935059},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.0},{"id":"https://openalex.org/C76155785","wikidata":"https://www.wikidata.org/wiki/Q418","display_name":"Telecommunications","level":1,"score":0.0},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3011018","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3011018","pdf_url":null,"source":{"id":"https://openalex.org/S2492086750","display_name":"ACM Transactions on Intelligent Systems and Technology","issn_l":"2157-6904","issn":["2157-6904","2157-6912"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Intelligent Systems and Technology","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/9","display_name":"Industry, innovation and infrastructure","score":0.5}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":27,"referenced_works":["https://openalex.org/W38537450","https://openalex.org/W214166028","https://openalex.org/W766792511","https://openalex.org/W1561205616","https://openalex.org/W1590786596","https://openalex.org/W1674877186","https://openalex.org/W1973343935","https://openalex.org/W1974853427","https://openalex.org/W1985987493","https://openalex.org/W1992867926","https://openalex.org/W2021702566","https://openalex.org/W2039427951","https://openalex.org/W2039875296","https://openalex.org/W2063189201","https://openalex.org/W2089944128","https://openalex.org/W2099529102","https://openalex.org/W2119463329","https://openalex.org/W2123847451","https://openalex.org/W2161592722","https://openalex.org/W2288766236","https://openalex.org/W2399043755","https://openalex.org/W2465974911","https://openalex.org/W2535751405","https://openalex.org/W2619874920","https://openalex.org/W3105682467","https://openalex.org/W4254813923","https://openalex.org/W4256497308"],"related_works":["https://openalex.org/W2361614440","https://openalex.org/W2743632810","https://openalex.org/W1428391281","https://openalex.org/W2355522437","https://openalex.org/W2111868903","https://openalex.org/W4281261571","https://openalex.org/W3087272834","https://openalex.org/W2280116234","https://openalex.org/W2384360959","https://openalex.org/W2100711766"],"abstract_inverted_index":{"Traffic":[0],"of":[1,38,172,226,237,267],"Industrial":[2],"Control":[3],"System":[4],"(ICS)":[5],"between":[6],"the":[7,13,34,91,109,128,133,149,214,249,260,275,279,285,289,296],"Human":[8],"Machine":[9],"Interface":[10],"(HMI)":[11],"and":[12,56,96,145,160,191,240,288],"Programmable":[14],"Logic":[15],"Controller":[16],"(PLC)":[17],"is":[18,26,170],"known":[19],"to":[20,30,99,106,247],"be":[21],"highly":[22],"periodic.":[23],"However,":[24],"it":[25],"sometimes":[27],"multiplexed,":[28],"due":[29],"asynchronous":[31],"scheduling.":[32],"Modeling":[33],"network":[35],"traffic":[36,93,114],"patterns":[37],"multiplexed":[39,139,231],"ICS":[40,212,232],"streams":[41],"using":[42,213],"Deterministic":[43],"Finite":[44],"Automata":[45],"(DFA)":[46],"for":[47,157,164,181,193],"anomaly":[48],"detection":[49],"typically":[50],"produces":[51],"a":[52,57,66,87,112,122,155,201,210,224,263],"very":[53],"large":[54],"DFA":[55,76,174],"high":[58],"false-alarm":[59,265,286],"rate.":[60],"In":[61,272],"this":[62,72],"article,":[63],"we":[64,131,153],"introduce":[65],"new":[67],"modeling":[68,77],"approach":[69],"that":[70,89,195,229],"addresses":[71],"gap.":[73],"Our":[74,116],"Statechart":[75,280],"includes":[78],"multiple":[79],"DFAs,":[80],"one":[81,137,173,189],"per":[82,138,175],"cyclic":[83],"pattern,":[84],"together":[85],"with":[86,234,253,262,295],"DFA-selector":[88],"de-multiplexes":[90],"incoming":[92],"into":[94,135,251],"sub-channels":[95],"sends":[97],"them":[98],"their":[100],"respective":[101],"DFAs.":[102],"We":[103,203,218],"demonstrate":[104],"how":[105],"automatically":[107],"construct":[108],"statechart":[110,169,258],"from":[111,127,209],"captured":[113],"stream.":[115,129],"unsupervised":[117],"learning":[118],"algorithms":[119,179,222,244],"first":[120],"build":[121],"Discrete-Time":[123],"Markov":[124],"Chain":[125],"(DTMC)":[126],"Next,":[130],"split":[132,248],"symbols":[134,194,250],"sets,":[136],"cycle,":[140,190],"based":[141],"on":[142,207,223],"symbol":[143,238],"frequencies":[144],"node":[146],"degrees":[147],"in":[148,186,200,293],"DTMC":[150],"graph.":[151],"Then,":[152],"create":[154],"sub-graph":[156],"each":[158,165],"cycle":[159],"extract":[161],"Euler":[162,176],"cycles":[163],"sub-graph.":[166],"The":[167,178,243,256],"final":[168],"comprised":[171],"cycle.":[177,202],"allow":[180],"non-unique":[182],"symbols,":[183],"which":[184],"appear":[185,196],"more":[187,197],"than":[188,198],"also":[192,219],"once":[199],"evaluated":[204],"our":[205,221],"solution":[206],"traces":[208,228,233,261],"production":[211],"Siemens":[215],"S7-0x72":[216],"protocol.":[217],"stress-tested":[220],"collection":[225],"synthetically-generated":[227],"simulated":[230],"varying":[235],"levels":[236],"uniqueness":[239],"time":[241],"overlap.":[242],"were":[245],"able":[246],"sets":[252],"99.6%":[254],"accuracy.":[255],"resulting":[257],"modeled":[259],"median":[264],"rate":[266,287],"as":[268,270],"low":[269],"0.483%.":[271],"all":[273],"but":[274],"most":[276],"extreme":[277],"scenarios,":[278],"model":[281,291],"drastically":[282],"reduced":[283],"both":[284],"learned":[290],"size":[292],"comparison":[294],"naive":[297],"single-DFA":[298],"model.":[299]},"counts_by_year":[{"year":2025,"cited_by_count":5},{"year":2024,"cited_by_count":2},{"year":2023,"cited_by_count":1},{"year":2022,"cited_by_count":4},{"year":2021,"cited_by_count":4},{"year":2020,"cited_by_count":3},{"year":2019,"cited_by_count":4},{"year":2018,"cited_by_count":5},{"year":2017,"cited_by_count":2}],"updated_date":"2026-05-21T09:19:25.381259","created_date":"2025-10-10T00:00:00"}