Anomaly detection for cyber-physical systems

We claim: 1. A method for anomaly detection in a cyber-physical system (CPS), the method comprising: deriving a physics-based correlation from a configuration of one or more physical components of the CPS, the physics-based correlation defining a mathematical relationship between a plurality of physical attributes of the CPS, the plurality of physical attributes comprising a first physical attribute and a second physical attribute; acquiring measurements of respective physical attributes of the plurality of physical attributes from the CPS, the measurements associated with a capture time; applying the mathematical relationship defined between the plurality of physical attributes to determine an estimated value for the first physical attribute at the capture time based, at least in part, on a measurement of the second physical attribute associated with the capture time; determining a physical state (PS) error metric for the capture time, the PS error metric configured to quantify deviation of the acquired measurements associated with the capture time from the mathematical relationship defined between the plurality of physical attributes by the physics-based correlation, wherein the PS error metric is based, at least in part, on an error between a measurement of the first physical attribute associated with the capture time and the estimated value of the first physical attribute determined for the capture time; and detecting anomalous behavior of the CPS based, at least in part, on the PS error metric. 2. The method of claim 1 , wherein the physics-based correlation is further configured to define a constraint of a first physical attribute of the plurality of physical attributes, and wherein the PS error metric is based, at least in part, on a degree to which the measurement of the first physical attribute conforms with the constraint. 3. The method of claim 1 , further comprising receiving measurements of one or more physical attributes of the plurality of physical attributes from a sensor device coupled to a physical process of the CPS. 4. The method of claim 3 , wherein: the estimated value for the first physical attribute at the capture time is based, at least in part, on a measurement of a third physical attribute acquired at the capture time. 5. The method of claim 1 , further comprising: determining an estimate of the second physical attribute of the plurality of physical attributes based, at least in part, on the mathematical relationship defined between the plurality of physical attributes by the physics-based correlation and the measurement of the first physical attribute; wherein the PS error metric is based, at least in part, on a difference between the estimate of the first physical attribute and the measurement of the first physical attribute and a difference between the estimate of the second physical attribute and a measurement of the second physical attribute. 6. The method of claim 1 , further comprising: determining an error threshold for the physics-based correlation, the error threshold based on a deviation between training measurements of the plurality of physical attributes, the training measurements configured to characterize nominal operation of the CPS; and detecting the anomalous behavior of the CPS responsive to the PS error metric exceeding the error threshold. 7. The method of claim 1 , further comprising: deriving a first membership function from one or more fuzzy sets, the one or more fuzzy sets corresponding to nominal operation of the CPS and comprising training measurements of the plurality of physical attributes, wherein the first membership function is configured to model a PS error distribution, the PS error distribution corresponding to differences between the training measurements of the plurality of physical attributes and the mathematical relationship defined between the plurality of physical attributes by the physics- based correlation; acquiring measurements of the plurality of physical attributes; and utilizing the first membership function to determine the PS error metric, the PS error metric configured to quantify a degree to which the acquired measurements of the physical attributes conform to the PS error distribution of the first membership function. 8. The method of claim 7 , wherein the one or more fuzzy sets further comprise training measurements of a cyber feature, the training measurements of the cyber feature corresponding to nominal operation of an electronic communication network of the CPS, the method further comprising: deriving a second membership function from the training measurements of the cyber feature; utilizing the second membership function to determine a cyber state (CS) error metric, the CS error metric configured to quantify a degree to which acquired measurements of the cyber feature correspond to the second membership function; and detecting the anomalous behavior of the CPS based, at least in part, on the PS error metric and the CS error metric. 9. An apparatus for monitoring a CPS, the apparatus comprising: a processor; and an anomaly detector configured for operation on the processor, the anomaly detector further configured to: derive a physics-based correlation from a configuration of one or more physical components of the CPS, the physics-based correlation defining a mathematical relationship between a plurality of physical attributes of the CPS, the plurality of physical attributes comprising a first physical attribute and a second physical attribute; acquire measurements of respective physical attributes of the plurality of physical attributes from the CPS, the measurements associated with a capture time; apply the mathematical relationship defined between the plurality of physical attributes to determine an estimated value for the first physical attribute at the capture time based, at least in part, on a measurement of the second physical attribute associated with the capture time; determine a first affinity metric for the capture time, the first affinity metric configured to quantify a degree to which the acquired measurements associated with the capture time conform to the mathematical relationship defined between the plurality of physical attributes by the physics-based correlation, wherein the first affinity metric is based, at least in part, on an error between a measurement of the first physical attribute associated with the capture time and the estimated value of the first physical attribute determined for the capture time; and detect anomalous behavior of the CPS based, at least in part, on a health metric determined for the CPS, the health metric based, at least in part, on the first affinity metric and a second affinity metric, the second affinity metric configured to quantify a degree to which a cyber feature conforms with nominal behavior of an electronic communication network of the CPS. 10. The apparatus of claim 9 , wherein the physics-based correlation is further configured to define a constraint of the first physical attribute, and wherein the first affinity metric is based, at least in part, on a degree to which the measurement of the first physical attribute conforms with the constraint. 11. The apparatus of claim 9 , wherein the anomaly detector is communicatively coupled to a sensor device through the electronic communication network of the CPS. 12. The apparatus of claim 9 , wherein: the estimated value for the first physical attribute at the capture time is based, at least in part, on a measurement of a third physical attribute acquired at the capture time. 13. The apparatus of claim 1 , wherein: the anomaly detector is further con