Haitao Wu,Zhongwei Qiao,Yuepeng Zhang,Xiaoyu Ji

DOI: https://doi.org/10.1109/ei250167.2020.9346879

2020-01-01

Abstract:With the development of ubiquitous electric Internet of things(UEIoT), the number and types of terminal devices in the smart grid have reached an unprecedented level. In order to ensure the stable operation of the smart grid, we need to monitor the operation status of each terminal, detect various software-level or hardware-level attacks in time, and make corresponding decisions. In this paper, we propose a novel detection method based on multi-dimensional information fusion and computer vision, in which power consumption, traffic, message data and security logs generated by terminal equipments are drawn as characteristic graphs, and then we use a convolution neural network(CNN) to recognize them. According to the detection results, we can know whether there is an attack and if so, which kind of attack has occurred. We also use actual measurement data of an DTU to test our method, and it achieves real-time detection and has high precision.

Zhining LV,Ziheng HU,Baifeng NING,Lifu DING,Gangfeng YAN,Xiasheng SHI

DOI: https://doi.org/10.1109/ICPRE48497.2019.9034805

2019-01-01

Abstract:Power system intelligent terminal equipment is widely used in real-time monitoring, data acquisition, power management, power distribution and other tasks of smart grid. The power system intelligent terminal can obtain various information of users and power companies in the power grid, but there is still a lack of protection means for the connection and communication process of the terminal components. In this paper, a novel method based on improved deep belief network(IDBN) is proposed to accomplish the business-level security monitoring and attack detection of power system terminal. A non-intrusive business-level monitoring platform for power system terminals is established, which uses energy metering intelligent terminals as an example for non-intrusive data collection. Based on this platform, the I-DBN extracts the spatial and temporal attack characteristics of the external monitoring data of the system. Some fault conditions and cyber attacks of the model have been simulated to demonstrate the effectiveness of the proposed detection method and the results show excellent performance. The method and platform proposed in this paper can be extended to other services in the power industry, providing a theoretical basis and implementation method for realizing the security monitoring of power system intelligent terminals from the business level.

Yanjie Li,Xiaoyu Ji,Chenggang Li,Xiaofeng Xu,Wei Yan,Xu Yan,Yanjiao Chen,Wenyuan Xu

DOI: https://doi.org/10.1109/iceiec49280.2020.9152334

2020-01-01

Abstract:In recent years, artificial intelligence has been widely used in the field of network security, which has significantly improved the effect of network security analysis and detection. However, because the power industrial control system is faced with the problem of shortage of attack data, the direct deployment of the network intrusion detection system based on artificial intelligence is faced with the problems of lack of data, low precision, and high false alarm rate. To solve this problem, we propose an anomaly traffic detection method based on cross-domain knowledge transferring. By using the TrAdaBoost algorithm, we achieve a lower error rate than using LSTM alone.

Tao Zhao,Xiaoyu Ji,Wenyuan Xu,Aidong Xu,Yixin Jiang,Yang Cao

DOI: https://doi.org/10.1109/ei247390.2019.9061849

2019-01-01

Abstract:With the increase of power terminal devices and IoT devices which are accessed to the power grid, their security issues are becoming more and more important. While the microgrid controllers are served as the central core of the entire microgrid, the attacks on microgrid controllers and other power end devices have been launched in recent years. It's obvious that the current safety protection measures for power end devices are insufficient. However, microgrid controllers cannot be protected by traditional intrusion detection systems or anti-virus software. Motivated by these concerns, this paper proposes a non-intrusive malicious code security monitoring scheme based on a power side channel. The core idea is to measure the power consumption data of the microgrid controller, to extract the power consumption feature, and to identify the abnormality sample through CWRNN neural network to determine whether the microgrid controller is attacked or not. The advantage of this method is that it can effectively detect unknown attacks without modifying the original software system. What's more, the method is evaluated in the experimental test, and the detection accuracy can reach to 92%.

Zhi-Yang,Xiao-jun

2020-01-01

Abstract:Intrusion Detection Algorithm of Power Grid Industrial Control System Based on CNN ZHAO Zhi-Yang, XIA Xiao-Jun (University of Chinese Academy of Sciences, Beijing 100049, China) (Shenyang Institute of Computing Technology, Chinese Academy of Sciences, Shenyang 110168, China) Abstract: Traditional power grid industrial control systems are mainly isolated from external networks through tools such as firewalls, but with the application of new technologies such as cloud computing and the Internet of Things, the degree of interconnection between networks has continued to deepen, and the difficulty of security protection has greatly increased. How to effectively detect network intrusion behavior has become very important. Compared with traditional intrusion detection technology, convolutional neural networks have a better ability to extract intrusion features. This study proposes a power grid industrial control system intrusion detection algorithm based on convolutional neural networks. The KDD99 dataset is processed for model training, and a cascade convolution layer is added to optimize the network structure. Under the premise of small parameter scale, the real-time requirements of the model are guaranteed. Compared with the traditional SVM algorithm and the k-means algorithm, the intrusion detection accuracy of the proposed algorithm in this study is improved, the false detection rate is reduced, and the intrusion behavior to the power grid industrial control system can be effectively detected.

Tong Li,Hai Zhao,Yaodong Tao,Donghua Huang,Chao Yang,Shuheng Xu

DOI: https://doi.org/10.1155/2022/1415713

IF: 3.12

2022-01-01

Computational Intelligence and Neuroscience

Abstract:Numerous internal and external intrusion attacks have appeared one after another, which has become a major problem affecting the normal operation of the power system. The power system is the infrastructure of the national economy, ensuring that the information security of its network not only is an aspect of computer information security but also must consider high-standard security requirements. This paper analyzes the intrusion threat brought by the power information network and conducts in-depth research and investigation combined with the intrusion detection technology of the power information network. It analyzes the structure of the power knowledge network and cloud computing through deep learning-based methods and provides a network interference detection model. The model combines the methods of abuse detection and anomaly detection, which solves the problem that the abuse analysis model does not detect new attack variants. At the same time, for big data network data retrieval, it retrieves and analyzes data flow quickly and accurately with the help of deep learning of data components. It uses a fuzzy integral method to optimize the accuracy of power information network intrusion prediction, and the accuracy reaches 98.11%, with an increase of 0.6%.

Yu-jun Xiao,Wen-yuan Xu,Zhen-hua Jia,Zhuo-ran Ma,Dong-lian Qi

DOI: https://doi.org/10.1631/fitee.1601540

2017-01-01

Abstract:Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.

Yanjie Li,Ruiwen He,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei247390.2019.9061783

2019-01-01

Abstract:Security threats of smart grid terminals continue to increase. In order to realize non-invasive intrusion detection of power distribution terminal devices in smart grid, we propose a novel anomaly-based intrusion detection approach that use power side-channel. The approach monitors programs running in the terminals by collecting and analyzing the power consumption data of terminal devices. We run three abnormal programs and one normal program in the distribution terminal units (DTUs), and then extract feature values of the power consumption data and lastly conducted anomaly-based intrusion detection through LSTM neural network. Our evaluation results demonstrate that a false positive rate is less than 2% and an accuracy rate is more than 90%.

Kai Jin,Lei Zhang,Yujie Zhang,Duo Sun,Xiaoyuan Zheng

DOI: https://doi.org/10.3390/electronics12204329

IF: 2.9

2023-10-19

Electronics

Abstract:The current mainstream intrusion detection models often have a high false negative rate, significantly affecting intrusion detection systems' (IDSs) practicability. To address this issue, we propose an intrusion detection model based on a multi-scale one-dimensional convolutional neural network module (MS1DCNN), an efficient channel attention module (ECA), and two bidirectional long short-term memory modules (BiLSTMs). The proposed hybrid MS1DCNN-ECA-BiLSTM model uses the MS1DCNN module to extract features with a different granularity from the input data and uses the ECA module to enhance the weight of important features. Finally, the model carries out sequence learning through two BiLSTM layers. We use the dung beetle optimizer (DBO) to optimize the hyperparameters in the model to obtain better classification results. Additionally, we use the synthetic minority oversampling technique (SMOTE) to fill several samples to reduce the local false negative rate. In this paper, we train and test the model using accurate network data from a water storage industrial control system. In the multi-classification experiment, the model's accuracy was 97.04%, the precision was 97.17%, and the false negative rate was 2.95%; in the binary classification experiment, the accuracy and false negative rate were 99.30% and 0.7%. Compared with other mainstream methods, our model has a higher score. This study provides a new algorithm for the intrusion detection of industrial control systems.

engineering, electrical & electronic,computer science, information systems,physics, applied

Sidra Abbas,Shtwai Alsubai,Stephen Ojo,Gabriel Avelino Sampedro,Ahmad Almadhor,Abdullah Al Hejaili,Imen Bouazzi,Abbas, Sidra,Ojo, Stephen,Sampedro, Gabriel Avelino

DOI: https://doi.org/10.1007/s11227-024-05993-2

IF: 3.3

2024-03-10

The Journal of Supercomputing

Abstract:The rapid growth of Internet of Things (IoT) devices has changed human interactions with the environment. IoT networks require specialized defense strategies distinct from traditional corporate contexts. Security measures such as anti-malware software, firewalls, authentication protocols, and encryption techniques are established but face limitations against evolving attack strategies. Therefore, this study proposes an intrusion detection approach for a realistic IoT environment, employing various variants of deep learning models such as deep neural networks (DNNs), convolutional neural networks (CNNs), and recurrent neural networks (RNNs). The research tested three variants for each model: DNN1, DNN2, DNN3, CNN1, CNN2, CNN3, RNN1, RNN2, RNN3 . All these variants are customized and tuned differently to analyze the efficacy of the suggested methodology. Likewise, notable observation highlights the significance of aligning training and validation accuracy curves that indicate controlled overfitting, validating the model's reliability in accurately predicting intrusion and benign network traffic in IoT settings. Results reveal that RNN1 achieves the best results: accuracy of 98.61%, precision of 98.55%, recall of 98.61%, and F1-score of 98.57% compared with other DNN and CNN architectures and benchmark papers. This study advances intrusion detection within IoT networks through a comprehensive evaluation of deep learning models and inspires ongoing research to enhance intrusion detection systems' resilience in dynamic IoT environments.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Bo-Xiang Wang,Jiann-Liang Chen,Chiao-Lin Yu

DOI: https://doi.org/10.1109/access.2022.3175886

IF: 3.9

2022-05-27

IEEE Access

Abstract:The work develops a network threat detection system, AI@NTDS, that uses the behavioral features of attackers and intelligent techniques. The proposed AI@NTDS system combines data analysis, feature extraction, and feature evaluation to construct a detection model, which supports a more straightforward strategy by which the operating system or its operators can defend against network attacks. The Linux system interaction information of SSH (Secure Shell) and Telnet are obtained from the Cowrie Honeypot and labeled according to Enterprise Tactics of MITRE ATT&CK to ensure dataset credibility. The proposed AI@NTDS system has three levels, depending on the attacker's attacks and the user's risk of damage. Fifty-two features are used to detect the network threat level. The features contain message-based features for all kinds of Linux operating instructions, host-based features for all types of information in the network connection process, and geography-based features are related to the attacker's location. AI-based algorithms LightGBM, Random Forest and the K-NN algorithm are used to verify the identification of the custom features. Finally, the detection model that is trained using the best combination of features is used to predict the test dataset. The accuracy of the proposed AI@NTDS system reaches 99%, 95.66%, and 94.08% with the LightGBM, Random Forest, and K-NN algorithms, respectively. The mutual dependencies of features and network threats are evaluated. Results of a performance analysis reveal that the proposed AI@NTDS system has an accuracy of 99.20% and an F1-score of 99.80%. It is superior to existing detection mechanisms, which it outperforms by 4% and 1% i- accuracy and F1-score, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Bin Wang,Jianye Zhang,Cheng Luo,Ling Yang,Jia Chen,Haibo Ma

DOI: https://doi.org/10.1109/itoec53115.2022.9734439

2022-03-04

Abstract:With the continuous and in-depth development of smart grid construction, the degree of automation of the power system is rapidly increasing, and the number of grid sensors, the scale of information network and the number of decision-making units have greatly increased. The network security of the power industry control system is facing severe challenges. This paper studies the in-depth analysis technology of real-time interactive protocols of power industrial control systems, captures data packets and analyzes the data packets layer by layer to obtain application layer field data streams, and realizes in-depth analysis of power industrial control system protocols such as IEC104 protocol and IEC61850 protocol. Research on anomaly detection technology of power industrial control system real-time interaction process based on feature matching, and realize the detection of abnormal behaviors of terminals, networks, and host devices through syntactic and semantic analysis and business command analysis, as well as the detection of regular network attack behaviors such as malicious code and virus Trojan horses.

Sungmoon Kwon,Hyunguk Yoo,Taeshik Shon

DOI: https://doi.org/10.1109/access.2020.2989770

IF: 3.9

2020-01-01

IEEE Access

Abstract:The introduction of the cyber-physical system (CPS) into power systems has created a variety of communication requirements and functions that existing legacy systems do not support. To this end, the IEEE 1815.1 standard defines the mapping between existing distributed network protocol networks and IEC 61850 networks that reflect new requirements. However, advanced CPS cyberattacks have been reported, and in order to address cyberattacks, security research on new power systems that use network devices and heterogeneous communication is necessary. In this study, we propose an intrusion detection system for an IEEE 1815.1-based power system using CPS. We 1) analyze an IEEE 1815.1-based power system network and propose a suitable application method for an intrusion detection system, 2) suggest a bidirectional recurrent neural network-based anomaly detection system for an IEEE 1815.1-based network, and 3) demonstrate the verification of the proposed technique using various power system-specific attack data, including real power system using CPS network traffic, CPS malware behavior (CMB), false data injection (FDI), and disabling reassembly (DR) attacks. Proposed technique successfully detected five types of CMB attacks, three types of FDI and DR attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Rongrong Jiang,Zhengqiu Weng,Lili Shi,Erxuan Weng,Hongmei Li,Weiqiang Wang,Tiantian Zhu,Wuzhao Li

DOI: https://doi.org/10.1002/cpe.8258

2024-08-17

Concurrency and Computation Practice and Experience

Abstract:Summary With the development of the Internet of Things (IoT), the number of terminal devices is rapidly growing and at the same time, their security is facing serious challenges. For the industrial control system, there are challenges in detecting and preventing botnet. Traditional detection methods focus on capturing and reverse analyzing the botnet programs first and then parsing the extracted features from the malicious code or attacks. However, their accuracy is very low and their latency is relatively high. Moreover, they sometimes even cannot recognize the unknown botnets. The machine learning based detection methods rely on manual feature engineering and have a weak generalization. The deep learning‐based methods mostly rely on the system log, which does not take into account the multisource information such as traffic. To address the above issues, from the perspective of the botnet features, this paper proposes an intelligent detection method over parallel CNN‐LSTM, integrating the spatial and temporal features to identify botnets. Experimental demonstrate that the accuracy, recall, and F1‐score of our proposed method achieve up to over 98%, and the precision, 97.8%, is not the highest but reasonable. It reveals compared with the existing start‐of‐the‐art methods, our proposed method outperforms in the botnet detection. Our methodology's strength lies in its ability to harness the multifaceted information present in IoT traffic, offering a more nuanced and comprehensive analysis. The parallel CNN‐LSTM architecture ensures that spatial and temporal data are processed concurrently, preserving the integrity of the information and enabling a more robust detection mechanism. The result is a detection system that not only performs exceptionally well in a controlled environment but also holds promise for real‐world application, where the rapid and accurate identification of botnets is paramount.

computer science, theory & methods, software engineering

Shiyu Wang,Wenxiang Xu,Yiwen Liu

DOI: https://doi.org/10.1016/j.comnet.2023.109982

IF: 5.493

2023-08-14

Computer Networks

Abstract:The Internet of Things (IoT), as the information carrier of the Internet and telecommunications networks, is a new network technology comprising physical entities embedded with electronic components, software and sensors, and characterized by strong complexity and openness. With the massive amount of data, the occurrence of network intrusion is also increasingly frequent, involving industrial control systems, IoT devices, mobile security, cloud services, and telecommunications services. With the diversification and intelligence of cyberattack behaviors, traditional intrusion detection systems (IDSs) face problems—such as insufficient feature extraction and inaccurate model classification—when faced with high-dimensional features and nonlinear massive data. Due to their powerful data representation learning ability, deep learning methods save substantial time in processing high-dimensional and complex intrusion data. On this basis, we propose an intrusion detection model using ResNet, Transformer and BiLSTM (Res-TranBiLSTM) that takes into account both the spatial and temporal features of network traffic. We use the Synthetic Minor Overriding Technique (SMOTE) – Edited Nearest Neighbor (ENN) method to alleviate the degree of data imbalance. In addition, we respectively establish a spatial feature extraction model based on ResNet and a temporal feature extraction model based on Transformer and BiLSTM to extract spatial features and temporal features parallelly. Finally, spatiotemporal features are included to achieve attack detection and classification. Further, simulation experiments are conducted using the public data sets NSL-KDD and CIC-IDS2017. The experiments are implemented using Python programming language and Pytorch framework. The results reveal that the performance of our proposed model is better than that of other models, with accuracy reaching 90.99%, 99.15% and 99.56%, on NSL-KDD dataset, CIC-IDS2017 dataset and MQTTset dataset, respectively. It increased the detection accuracy by about 1%-10% on NSL-KDD dataset and about 0.2%-10% on CIC-IDS2017 dataset, and about 1%-10% on MQTTset dataset. These results demonstrate that this method is effective in constructing and optimizing large-scale IDS in the IoT environment.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Yuhong Wu,Xiangdong Hu

DOI: https://doi.org/10.1155/2022/7777211

2022-09-26

Scientific Programming

Abstract:Now, the use of deep learning technology to solve the problems of the low multiclassification task detection accuracy and complex feature engineering existing in traditional intrusion detection technology has become a research hotspot. In all kinds of deep learning, recurrent neural networks (RNN) are very important. The RNN processes 41 feature attributes and maps them to a 122-dimensional high-dimensional feature space. To detect multiclassification tasks, this study proposes an intrusion detection method based on fully connected recurrent neural networks and compares its performance with previous machine learning methods on benchmark datasets. The research results show that the intrusion detection system (IDS) model based on fully connected recurrent neural network is very suitable for classification of intrusion detection. Classification methods, especially in multiclassification tasks, have high detection accuracy, significantly improve the detection performance of detection attacks and DoS attacks, and it provides a new research direction for the future attempts of intrusion detection methods for industrial control systems.

computer science, software engineering

Lizhi Wang,Lynn Pepin,Yan Li,Fei Miao,Amir Herzberg,Peng Zhang

DOI: https://doi.org/10.1109/PESGM40551.2019.8974098

2019-01-01

Abstract:A botnet is a collection of internet-facing devices that are compromised and controlled by a malicious hacker. In this paper, we propose an attack utilising a botnet of high-wattage internet-facing devices, which we call a power botnet. Power botnet attacks can decrease the reliability of power supply, damage the power quality and even cause catastrophic consequences in power distribution grid. To study the effects on power distribution systems, we simulate three different types of power botnet attacks using OpenDSS, and show the change of OLTC lifespans under attacks. We then use deep learning methods to detect these attacks. We show successful detection for two of these attacks and a low detection rate for the third attack. To the best of our knowledge, this is the first paper to consider power botnet attacks, and leverage deep learning methods to detect these attacks on power distribution grids. Future work such as detection schemes for more complicated power botnet attacks will be developed based on the results of this work.

Yung-Chung Wang,Yi-Chun Houng,Han-Xuan Chen,Shu-Ming Tseng

DOI: https://doi.org/10.3390/s23042171

IF: 3.9

2023-02-16

Sensors

Abstract:The prevalence of internet usage leads to diverse internet traffic, which may contain information about various types of internet attacks. In recent years, many researchers have applied deep learning technology to intrusion detection systems and obtained fairly strong recognition results. However, most experiments have used old datasets, so they could not reflect the latest attack information. In this paper, a current state of the CSE-CIC-IDS2018 dataset and standard evaluation metrics has been employed to evaluate the proposed mechanism. After preprocessing the dataset, six models—deep neural network (DNN), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory (LSTM), CNN + RNN and CNN + LSTM—were constructed to judge whether network traffic comprised a malicious attack. In addition, multi-classification experiments were conducted to sort traffic into benign traffic and six categories of malicious attacks: BruteForce, Denial-of-service (DoS), Web Attacks, Infiltration, Botnet, and Distributed denial-of-service (DDoS). Each model showed a high accuracy in various experiments, and their multi-class classification accuracy were above 98%. Compared with the intrusion detection system (IDS) of other papers, the proposed model effectively improves the detection performance. Moreover, the inference time for the combinations of CNN + RNN and CNN + LSTM is longer than that of the individual DNN, RNN and CNN. Therefore, the DNN, RNN and CNN are better than CNN + RNN and CNN + LSTM for considering the implementation of the algorithm in the IDS device.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Zhefan Zhang,Zhiheng Zhao,Jinyong Deng,Yongzhe Chen

DOI: https://doi.org/10.1109/EIECS59936.2023.10435492

2023-01-01

Abstract:As an important part of the information age, network security has been concerned. Industrial control system is an indispensable part of modern production process, but it is also facing the threat from cyber-attacks. Intrusion detection system is an indispensable part of the industrial control system security defense system. It detects the attack data by monitoring the real-time status of network traffic. This paper offers an intrusion detection approach based on parallel CNN-LSTM with self-attention mechanism in accordance with the features of industrial control system network traffic, using the UNSW-NB15 dataset as the research object. After experimental analysis, the accuracy, recall and F1 value are 98.66%, 95.88% and 95.91% and The FPR and FAR are 2.28% and 2.23%. Compared with other intrusion detection models, the proposed method has better performance.