Anomaly detection is critical to ensure the security of cyber-physical systems (CPS). However, due to the increasing complexity of attacks and CPS themselves, anomaly detection in CPS is becoming more and more challenging. In our previous work, we proposed a digital twin-based anomaly detection method, called ATTAIN, which takes advantage of both historical and real-time data of CPS. However, such data vary significantly in terms of difficulty. Therefore, similar to human learning processes, deep learning models (e.g., ATTAIN) can benefit from an easy-to-difficult curriculum. To this end, in this paper, we present a novel approach, named digitaL twin-based Anomaly deTecTion wIth Curriculum lEarning (LATTICE), which extends ATTAIN by introducing curriculum learning to optimize its learning paradigm. LATTICE attributes each sample with a difficulty score, before being fed into a training scheduler. The training scheduler samples batches of training data based on these difficulty scores such that learning from easy to difficult data can be performed. To evaluate LATTICE, we use five publicly available datasets collected from five real-world CPS testbeds. We compare LATTICE with ATTAIN and two other state-of-the-art anomaly detectors. Evaluation results show that LATTICE outperforms the three baselines and ATTAIN by 0.906%-2.367% in terms of the F1 score. LATTICE also, on average, reduces the training time of ATTAIN by 4.2% on the five datasets and is on par with the baselines in terms of detection delay time.

翻译：异常检测对于保障信息物理系统（CPS）的安全至关重要。然而，随着攻击手段与系统自身复杂性的日益提升，CPS中的异常检测正面临越来越大的挑战。在先前工作中，我们提出了一种名为ATTAIN的基于数字孪生的异常检测方法，该方法同时利用了CPS的历史与实时数据。但此类数据在难度上存在显著差异。因此，类似人类的学习过程，深度学习模型（如ATTAIN）也能从由易到难的课程安排中获益。为此，本文提出了一种新方法——基于数字孪生的课程学习异常检测（LATTICE），该方法通过引入课程学习对ATTAIN的学习范式进行优化升级。LATTICE为每个样本赋予一个难度评分，再将其输入训练调度器。该调度器依据这些难度评分对训练数据进行批量采样，从而实现从易到难的学习过程。为评估LATTICE，我们采用了从五个真实CPS测试平台收集的公开数据集，并将其与ATTAIN及另外两种当前最优的异常检测器进行对比。评估结果表明，在F1分数上，LATTICE超越三种基线方法及ATTAIN达0.906%-2.367%；同时，LATTICE在五个数据集上的平均训练时间较ATTAIN缩短4.2%，且在检测延迟时间方面与基线方法相当。