Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Process-Aware Stealthy Attack Detector

This repository contains the necessary code and data files to reproduce the findings from the paper titled "Truth Will Out: Departure-Based Process-Level Detection of Stealthy Attacks on Control Systems" published in ACM CCS 2018.

This repository contains both the data and code to reproduce the figures from Sections 4.1, 4.2, 4.4 and 4.5 in the paper, relating to the detection of damage attacks, stealthy attacks, and other experiments such as setting the alarm threshold. The model-based implementation is not included here, but it was performed using ar.


This repository contains the captures obtained from the Tennessee-Eastman challenge process, by using DVCP-TE that were used in the paper. However, this repository does not contain the data from the SWaT testbed plant used in Section 4.3 (as the dataset is already available and we do not have redistribution rights) nor the data from the real water distribution plant from Section 4.6, due to the confidentiality of the process.

In the Data directory, each subdirectory contains the data used for the validation in the aforementioned sections.


The pasad.m file in the Matlab code directory contains the Matlab code to reproduce the figures from the aforementioned sections of the paper. Data_creator.m uses the DVCP-TE model to create the data used in the scenarios. Be aware that, as the DVCP-TE model is randomized, the created data from the script might slightly vary from the actual data contained in the data directory.

The pasad_param.pdf file shows the parameters that are needed to run with PASAD to reproduce the figures in the paper. The different parameters are explained in Section II of the paper. Apart from these used parameters, this file also contains the Sensor signal that was plotted. The number of the sensor is the same as the index of the data column in the CSV files from the data directory. For instance, XMEAS(5) readings are in the fifth column of the CSV files.

In the case of the SWaT data, the Sensor column shows the analyzed sensor signal of the Testbed. As for the "Run no." number column, it shows the observation numbers of the SWaT_Dataset_Attack_v0.xlsx file from the dataset that were used for the experiment. That variable has no effect in the rest of the rows.

Using the repository

The code and data contained in this repository is free to download, execute, modify and share for research and other non-commercial purposes. Published works using the code and/or data from this repository should cite the following paper:

Wissam Aoudi, Mikel Iturbe, and Magnus Almgren. 2018. Truth Will Out: Departure-Based Process-Level Detection of Stealthy Attacks on Control Systems. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18). ACM, New York, NY, USA, 817-831. DOI:


Process-Aware Stealthy Attack Detection








No releases published


No packages published