Johnatan Alves de Oliveira , Anderson Fernandes Pereira dos Santos , Ronaldo Moreira Salles
{"title":"RNN for intrusion detection in digital substations based on the IEC 61850","authors":"Johnatan Alves de Oliveira , Anderson Fernandes Pereira dos Santos , Ronaldo Moreira Salles","doi":"10.1016/j.jisa.2025.104197","DOIUrl":null,"url":null,"abstract":"<div><div>Network communication has become a reality within electrical power systems. The IEC 61850 standard establishes the protocols and requirements for digital communications in substations. However, despite enhanced connectivity and integration benefits, network communication has also introduced cyber threats to these environments. Intrusion detection systems based on machine learning have emerged as a potential solution to address these threats in the context of IEC 61850-based communication. Literature indicates that algorithms using decision trees have shown enhanced effectiveness in detecting attacks on GOOSE protocol communication, alongside some exploration of deep learning techniques. Thus, this work examines the use of deep learning, specifically recurrent neural networks (RNNs), for intrusion detection in GOOSE protocol communication. To achieve this, a realistic electrical power system simulation was conducted using a Real-Time Digital Simulator (RTDS) combined with a physical Intelligent Electronic Device (IED) in a hardware-in-the-loop (HIL) setup. Four types of cyber-attacks were executed during the simulation: masquerade, replay, message injection, and poisoning attack. Network traffic datasets were also generated and made publicly available, with each frame sample clearly labeled as normal or malicious. Subsequently, the Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM), Bidirectional LSTM (BiLSTM), Gated Recurrent Unit (GRU), and Bidirectional GRU (BiGRU) algorithms were trained and tested to detect the so-called masquerade attack, a more stealthy type of attack in the context of the GOOSE protocol. The results indicated that recurrent neural networks performed better than decision tree-based algorithms in detecting masquerade attacks. Additionally, RNNs also improve detection performance in multi-class problems by classifying network traffic into four types of attacks and normal behavior.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"94 ","pages":"Article 104197"},"PeriodicalIF":3.7000,"publicationDate":"2025-08-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625002340","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
Abstract
Network communication has become a reality within electrical power systems. The IEC 61850 standard establishes the protocols and requirements for digital communications in substations. However, despite enhanced connectivity and integration benefits, network communication has also introduced cyber threats to these environments. Intrusion detection systems based on machine learning have emerged as a potential solution to address these threats in the context of IEC 61850-based communication. Literature indicates that algorithms using decision trees have shown enhanced effectiveness in detecting attacks on GOOSE protocol communication, alongside some exploration of deep learning techniques. Thus, this work examines the use of deep learning, specifically recurrent neural networks (RNNs), for intrusion detection in GOOSE protocol communication. To achieve this, a realistic electrical power system simulation was conducted using a Real-Time Digital Simulator (RTDS) combined with a physical Intelligent Electronic Device (IED) in a hardware-in-the-loop (HIL) setup. Four types of cyber-attacks were executed during the simulation: masquerade, replay, message injection, and poisoning attack. Network traffic datasets were also generated and made publicly available, with each frame sample clearly labeled as normal or malicious. Subsequently, the Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM), Bidirectional LSTM (BiLSTM), Gated Recurrent Unit (GRU), and Bidirectional GRU (BiGRU) algorithms were trained and tested to detect the so-called masquerade attack, a more stealthy type of attack in the context of the GOOSE protocol. The results indicated that recurrent neural networks performed better than decision tree-based algorithms in detecting masquerade attacks. Additionally, RNNs also improve detection performance in multi-class problems by classifying network traffic into four types of attacks and normal behavior.
期刊介绍:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.