RNN for intrusion detection in digital substations based on the IEC 61850

IF 3.7 | Zone 2, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Johnatan Alves de Oliveira, Anderson Fernandes Pereira dos Santos, Ronaldo Moreira Salles
Journal of Information Security and Applications, volume 94, Article 104197. Publication date: 2025-08-22. Publication type: Journal Article.
DOI: 10.1016/j.jisa.2025.104197
URL: https://www.sciencedirect.com/science/article/pii/S2214212625002340
Citations: 0

Abstract

Network communication has become a reality within electrical power systems. The IEC 61850 standard establishes the protocols and requirements for digital communications in substations. However, despite enhanced connectivity and integration benefits, network communication has also introduced cyber threats to these environments. Intrusion detection systems based on machine learning have emerged as a potential solution to address these threats in the context of IEC 61850-based communication. Literature indicates that algorithms using decision trees have shown enhanced effectiveness in detecting attacks on GOOSE protocol communication, alongside some exploration of deep learning techniques. Thus, this work examines the use of deep learning, specifically recurrent neural networks (RNNs), for intrusion detection in GOOSE protocol communication. To achieve this, a realistic electrical power system simulation was conducted using a Real-Time Digital Simulator (RTDS) combined with a physical Intelligent Electronic Device (IED) in a hardware-in-the-loop (HIL) setup. Four types of cyber-attacks were executed during the simulation: masquerade, replay, message injection, and poisoning attack. Network traffic datasets were also generated and made publicly available, with each frame sample clearly labeled as normal or malicious. Subsequently, the Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM), Bidirectional LSTM (BiLSTM), Gated Recurrent Unit (GRU), and Bidirectional GRU (BiGRU) algorithms were trained and tested to detect the so-called masquerade attack, a more stealthy type of attack in the context of the GOOSE protocol. The results indicated that recurrent neural networks performed better than decision tree-based algorithms in detecting masquerade attacks. Additionally, RNNs also improve detection performance in multi-class problems by classifying network traffic into four types of attacks and normal behavior.
Source journal
Journal of Information Security and Applications (Computer Science: Computer Networks and Communications)
CiteScore: 10.90
Self-citation rate: 5.40%
Articles published: 206
Review time: 56 days
Journal description: Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.