Hybrid VAE-Based Cyber Intrusion Detection in Rail Track SCADA
Benjamin Gyimah Boateng and Prof. Nii Attoh-Okine
Department of Civil and Environmental Engineering, University of Maryland, College Park, MD
1. BACKGROUND
Track geometry (gage, crosslevel, alignment, warp) is critical to rail safety and operation [1]. Modern railways use SCADA systems to support real-time communication and monitoring of distributed track geometry sensors [2].
The integration of Operational Technology (OT) and Information Technology (IT) rapidly expands the cyber-physical attack surface. False Data Injection (FDI) attacks can stealthily mask critical defects, drastically increasing safety risks across the network [3].
2. RESEARCH GAP
- Rule-based Intrusion Detection Systems (IDS) struggle significantly with subtle, multivariate FDI.
- Most FDI studies focus on power grids or generic SCADA environments, not rail track geometry.
- Few adaptive, rail-specific FDI detection frameworks exist that are capable of early detection.
3. RESEARCH CONTRIBUTION
- Developed a Hybrid VAE+MAD unsupervised framework for FDI detection.
- Comparison with Isolation Forest (IF) and baseline VAE algorithms.
- Percentile vs Cross-Validation thresholding evaluation.
- Improved detection at low injection levels (2-5%).
4. PROJECT WORKFLOW
We propose an end-to-end framework for detecting multivariate FDI using Variational Autoencoders (VAE) and Median Absolute Deviation (MAD).

Fig. 2 End-to-end research workflow

Fig. 3 VAE Architecture for the Research Workflow, Multivariate FDI
5. RESULTS AND DISCUSSION
Thresholding approaches affect detection robustness. Percentile vs. Cross-Validation thresholds are compared across multiple injection levels to assess the reliability of early warning detection.
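The MAD thresholding stage of the hybrid VAE+MAD pipeline, as an added example that is not the poster's own code: it assumes the VAE has already produced a per-window reconstruction error (RE), constructs those scores synthetically (clean windows drawn as |N(0,1)|, attacked windows lifted by a constant), and uses an assumed k=3 robust z-score cutoff; it also shows why a percentile threshold fitted on a contaminated stream misses part of the attack.

```python
import random
import statistics

# Constructed example: the VAE is assumed to have already produced one
# reconstruction-error (RE) score per sensor window; only thresholding is shown.

def mad_threshold(scores, k=3.0):
    """Robust threshold: median + k * 1.4826 * MAD.
    1.4826 rescales MAD to a standard deviation for Gaussian-like scores,
    so k behaves like a z-score cutoff (k=3 is an assumed setting)."""
    med = statistics.median(scores)
    mad = statistics.median(abs(s - med) for s in scores)
    return med + k * 1.4826 * mad

def percentile_threshold(scores, p=0.99):
    """Nearest-rank p-quantile. It flags a fixed fraction of whatever data it
    is fitted on, so it cannot adapt if the fitting data contain an attack."""
    ordered = sorted(scores)
    rank = max(1, min(len(ordered), round(p * len(ordered))))
    return ordered[rank - 1]

def flag_anomalies(scores, threshold):
    """Indices of windows whose RE exceeds the threshold."""
    return [i for i, s in enumerate(scores) if s > threshold]

def synthetic_re_stream(n_clean, n_attack, shift, seed=7):
    """Constructed RE proxy: clean windows ~ |N(0,1)|, attacked windows
    shifted up by `shift`. Returns (scores, indices of attacked windows)."""
    rng = random.Random(seed)
    clean = [abs(rng.gauss(0.0, 1.0)) for _ in range(n_clean)]
    attacked = [abs(rng.gauss(0.0, 1.0)) + shift for _ in range(n_attack)]
    return clean + attacked, list(range(n_clean, n_clean + n_attack))

def evaluate(threshold, scores, attack_idx):
    """Recall on the injected windows and false positives on clean ones."""
    flagged = set(flag_anomalies(scores, threshold))
    attacked = set(attack_idx)
    tp = len(flagged & attacked)
    fp = len(flagged - attacked)
    return {"threshold": threshold, "recall": tp / len(attacked), "false_positives": fp}

def run_demo():
    # MAD is fitted on an attack-free calibration set, then applied to the live stream.
    calibration, _ = synthetic_re_stream(400, 0, 0.0, seed=1)
    stream, attack_idx = synthetic_re_stream(200, 20, 6.0, seed=2)
    mad_result = evaluate(mad_threshold(calibration), stream, attack_idx)
    # The percentile threshold is fitted on the contaminated stream itself
    # (9% attacked windows), so the cutoff lands inside the attack scores.
    pct_result = evaluate(percentile_threshold(stream, 0.95), stream, attack_idx)
    return mad_result, pct_result
```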

Fig. 4 Percentile vs Cross-Validation Thresholding at 5% Injection

Fig. 5 IF Anomaly Score and VAE Reconstruction Error (RE) Score

Fig. 7 Performance Metrics of IF, VAE, VAE + MAD
6. CONCLUSION & FUTURE WORK
LIMITATION
Synthetic FDI injections approximate, but do not fully replicate, real attacks.
FUTURE WORK
LLM-assisted adaptive thresholding and automated intrusion reporting.
CONCLUSION
- Hybrid VAE+MAD outperforms IF and baseline VAE across all FDI levels.
- Adaptive (CV-based) thresholding is critical for reliable detection.
- Effective detection was achieved even at 2% injection, enabling early warning.
- Results support rail-specific, data-driven SCADA intrusion detection.
7. REFERENCES
- [1] Lakshminarayana, S., T. Z. Teng, R. Tan, and D. K. Yau, Modelling and detecting false data injection attacks against railway traction power systems. ACM Transactions on Cyber-Physical Systems, Vol. 2, No. 4, 2018, pp. 1–29.
- [2] Elnour, M., N. Meskin, and K. M. Khan, Hybrid attack detection framework for industrial control systems using 1D-convolutional neural network and isolation forest. IEEE, 2020, pp. 877–884.
- [3] Zhou, Q., X. Chen, and Z. Hu, Isolation Forest Based Detection for False Data Attacks in Power Systems. IEEE Transactions on Power Systems, 2022.