Anomaly Detection for Insider Attacks from Untrusted Intelligent Electronic Devices in Substation Automation Systems

File version

Version of Record (VoR)

Author(s)
Wang, Xuelei
Fidge, Colin
Nourbakhsh, Ghavameddin
Foo, Ernest
Jadidi, Zahra
Li, Calvin
Date
2022
Abstract

In recent decades, cyber security issues in IEC 61850-compliant substation automation systems (SASs) have become a growing concern. Many researchers have developed strategies to detect malicious behaviour in SASs during the operational stage, such as anomaly-based detection. However, most existing anomaly-based detection methods identify abnormal behaviour by inspecting each network packet in isolation, without considering the relationship between successive packets. Such methods cannot effectively detect "stealthy" attacks that modify legitimate messages only slightly while imitating the patterns of benign behaviour. In this paper, we present feature selection and extraction methods that generalise and summarise the critical features needed to detect insider attacks launched from untrusted control devices within SASs. By applying a sliding-window-based sequential classification mechanism, our detection method can detect anomalies across multiple devices without needing to train on datasets collected from every device. First, to generalise the critical features and summarise system behaviour so that collecting datasets from all devices becomes unnecessary, we selected and extracted six critical network features from Generic Object-Oriented Substation Event (GOOSE) messages and seven summarised physical features based on the general architecture of the primary plant of distribution substations. Next, to improve detection accuracy and reduce computational cost, we applied sliding-window algorithms to divide the datasets into overlapping window-based snippets. We then trained and tested a sequential classification model based on Bidirectional Long Short-Term Memory (BiLSTM) networks on those snippets. As a result, our method detects insider attacks across multiple devices accurately, with a false-negative rate below 1%.
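The abstract describes reducing each GOOSE message to a feature vector and then cutting the resulting sequence into overlapping windows so that a sequence classifier sees context rather than one packet at a time. The following Python is an added illustration of that windowing step, not the paper's code; the three per-message features used here (change in StNum, change in SqNum, inter-arrival time) are illustrative stand-ins, since the page does not list the paper's six network or seven physical features, and the GOOSE records are constructed sample data. The BiLSTM classifier itself is out of scope; the block stops at the (window, label) pairs such a model would be trained on.

```python
"""Sliding-window snippet construction for sequence-based GOOSE anomaly detection.

Added example; not from the paper. Assumptions (not stated on the page):
- per-message features are deltas of GOOSE StNum and SqNum plus inter-arrival time;
- a window inherits label 1 (attack) if any message inside it is labelled 1;
- sample traffic below is constructed by hand.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class GooseRecord:
    t: float       # capture timestamp in seconds
    st_num: int    # GOOSE StNum: increments on a state change
    sq_num: int    # GOOSE SqNum: increments per retransmission, resets to 0 on state change
    label: int     # 0 = benign, 1 = attack (ground truth for supervised training)


def extract_features(records: Sequence[GooseRecord]) -> List[List[float]]:
    """Per-message feature vector computed relative to the previous message.

    Each single vector looks ordinary on its own; only the sequence reveals
    that SqNum failed to reset after StNum changed, which is why windowing
    rather than per-packet inspection is used.
    """
    feats: List[List[float]] = []
    prev = None
    for r in records:
        if prev is None:
            feats.append([0.0, 0.0, 0.0])
        else:
            feats.append([float(r.st_num - prev.st_num),
                          float(r.sq_num - prev.sq_num),
                          r.t - prev.t])
        prev = r
    return feats


def sliding_windows(feats: List[List[float]], labels: List[int],
                    window: int, stride: int) -> List[Tuple[List[List[float]], int]]:
    """Cut a feature sequence into overlapping snippets of `window` vectors,
    advancing `stride` messages each time (stride < window gives overlap).
    Window label is 1 if any message in the window is an attack message."""
    if window <= 0 or stride <= 0:
        raise ValueError("window and stride must be positive")
    out = []
    for start in range(0, len(feats) - window + 1, stride):
        x = feats[start:start + window]
        y = 1 if any(labels[start:start + window]) else 0
        out.append((x, y))
    return out


def build_dataset(records: Sequence[GooseRecord], window: int, stride: int):
    """Full pipeline: raw records -> per-message features -> windowed (X, y) pairs."""
    feats = extract_features(records)
    labels = [r.label for r in records]
    return sliding_windows(feats, labels, window, stride)


# Constructed sample: a publisher retransmitting one state (StNum 5) every second.
# Message 7 is an injected "stealthy" frame: StNum advances to 6 as a real state
# change would, but SqNum is 3 instead of resetting to 0.  The legitimate device
# then carries on with StNum 5, so the following frame also looks odd in context.
SAMPLE: List[GooseRecord] = [GooseRecord(t=float(i), st_num=5, sq_num=i, label=0)
                             for i in range(12)]
SAMPLE[7] = GooseRecord(t=7.0, st_num=6, sq_num=3, label=1)


if __name__ == "__main__":
    dataset = build_dataset(SAMPLE, window=4, stride=2)
    for i, (x, y) in enumerate(dataset):
        print(f"window {i}: label={y} first_vec={x[0]} last_vec={x[-1]}")
```

With a window of 4 and stride of 2, the 12-message sample yields 5 overlapping snippets; the two that contain message 7 are labelled as attack windows, and the remaining three as benign. Stride controls how many windows share a given message, which trades training-set size against redundancy.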

Journal Title

IEEE Access

Rights Statement

© The Author(s) 2021. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Note

This publication has been entered as an advanced online version in Griffith Research Online.

Subject

Engineering

Information and computing sciences

Citation

Wang, X; Fidge, C; Nourbakhsh, G; Foo, E; Jadidi, Z; Li, C, Anomaly Detection for Insider Attacks from Untrusted Intelligent Electronic Devices in Substation Automation Systems, IEEE Access, 2022
