*3.3. Automatic Detection of Cyber-Attacks in WDSs*

Following the formalization given for fastICA and ACPD algorithms, this section presents the application of both methods for disclosing cyber-attacks in WDSs. First, based on the available data set, the input time series for fastICA are selected. Hydraulic measurements (e.g., pressure, flow and tank level) are considered in this work as input data, which are combined to get the best input arrangement. After a trial-and-error process, we have identified that decomposing the signal into two components will be enough to suitably identify the effects of the attacks. Indeed, the results presented for the case study confirm this assumption. From the software development point of view, the data is processed in Python language and makes use of the package SKLEARN.

The non-periodic component of the demixed signal is then used as the input for the ACPD algorithm. This second process is responsible for automatically identifying the start and end time of the anomalies, thus allowing the disclosure of the attack. The output of this process is the exact interval of time where the water network was subjected to an attack. With this outcome, it is possible to apply the performance evaluation metrics considered in BATADAL, and then, to compare the ability of the proposed algorithm with other approaches. In this stage, the demixed data is processed in the MATLAB programming environment, and makes use of several tools in the toolbox of Signal-processing. For a better understanding, Figure 1 presents the flowchart of the complete methodology.

**Figure 1.** Flowchart of the complete methodology for disclosing cyber-attacks applying fastICA and ACPD algorithms.
