Intrusion Detection in Cyber-Physical Grid Using Incremental ML With Adaptive Moment Estimation

Zhijie Nie;Sagnik Basumallik;P. Banerjee;Anurag K. Srivastava
Journal: IEEE Transactions on Industrial Cyber-Physical Systems, vol. 2, pp. 206-219 (Journal Article)
Publication date: 2024-06-12
DOI: 10.1109/TICPS.2024.3413607
URL: https://ieeexplore.ieee.org/document/10555347/
Citation count: 0

Abstract

A novel online and adaptive machine-learning approach for network intrusion detection is proposed in this work, with a use case of unknown attack detection in the industrial cyber-physical power grid. Existing machine-learning (ML)-based intrusion detection systems in cyber-physical power systems rely on a fixed dataset with known attack anomalies for training. These approaches can lead to poor detection accuracy as unknown cyber-attacks target the system. As a result, these ML approaches need to be re-trained from scratch. This research proposes an adaptive network intrusion detection technique that identifies anomalies in industrial cyber-power grids and is capable of detecting unknown attacks with significant accuracy. The proposed intrusion detector, a neural network with adaptive moment estimation, incorporates adaptive incremental learning when exposed to a new vulnerability. It can be deployed at the device level in phasor measurement network systems and evolves with the latest knowledge base of cyber threats. The proposed approach is validated using a real cyber-physical simulation environment consisting of a real-time digital simulator, multiple hardware phasor measurement units, and a network simulator under two different scenarios of unknown attacks, and extensive analysis is performed for different network architectures, training epochs, choices of loss function, and the volume of data utilized. Results show that the incremental approach improves the detection accuracy for brute-force attacks to $>99.9\%$ and for penetration-test attacks to 63.7%. Further, the applicability of our method is validated on two publicly available datasets where incremental learning improved DDoS attack detection accuracy to 97.7%, UDP attacks to 73.1%, DoS attacks to 99% and Scan attacks to 94.2%.