Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Yifan Jia,Jingyi Wang,Christopher M. Poskitt,Sudipta Chattopadhyay,Jun Sun,Yuqi Chen

DOI: https://doi.org/10.1016/j.ijcip.2021.100452

IF: 3.683

2021-01-01

International Journal of Critical Infrastructure Protection

Abstract:The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/tcsii.2020.2999875

2020-01-01

Abstract:In this brief, we analyze the damage caused by malware-induced cyber attacks in Cyber-Physical Power Systems (CPPSs). Incubation period and detection probability of the malware are considered in our analytical framework. From attacker's perspective, the trade-off between attack effectiveness and detection risk is studied to help choose the best attack timing and obtain the maximum payoff. Moreover, we conduct case studies in CPPSs formed by coupling IEEE 118-Bus System with scale-free communication networks. Simulation results reveal that the maximum expected payoff for the attacker is affected by the coupling pattern and the structure of communication network in CPPSs.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/jsyst.2022.3150576

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In this article, we study how to resist malware attacks in cyber-physical power systems (CPPSs) through cyber protection. A model that incorporates the power flow analysis, the cyber monitoring and control, and the factor of cyber protection is proposed to simulate malware attacks in CPPSs. Meanwhile, an evaluation method is also developed to estimate the effectiveness of different cyber protection strategies. Through simulations, we conduct case studies in a test CPPS generated by coupling the IEEE 118 Bus System with a scale-free communication network. The protection effects of three heuristic cyber protection strategies, namely, target protection, random protection, and acquaintance protection are compared and analyzed. Simulation results reveal that compared with the other two strategies, target protection can suppress malware propagation and resist malware attacks more effectively. Moreover, we also investigate the optimal cyber protection problem in CPPSs and formulate it as a zero-one integer programming problem. We solve the problem by genetic algorithm and find that some low-degree cyber nodes also play a significant role in resisting malware attacks in CPPSs, especially when the protection budget is tight.

Kang-Di Lu,Zheng-Guang Wu

DOI: https://doi.org/10.1109/icarm54641.2022.9959185

2022-01-01

Abstract:The cyber-physical power system (CPPS) is evolved from the traditional power system by the deployment of information networks with control systems, computational units, and communication networks. However, their integration into CPPS introduces new challenges in maintaining security. Various malicious cyber-attacks are drawn much attention recently after the discovery of the impact on CPPS state estimation. Thus, it is of great significance for operators to detect cyber-attacks and identify the types of attacks in CPPS to make decisions appropriately. This problem can be viewed as a multi-class classification problem from the perspective of machine learning. Accordingly, this paper proposes an ensemble learning-based cyber-attacks detection model for CPPS state estimation. In the proposed model, we use the subspace features and then send the data to the classifier for ensemble, where decision trees and random vector functional link networks are introduced as the basic classifier. The proposed model is validated by employing simulated data on IEEE 14-bus and 30-bus systems. Simulation results demonstrate the performance of the proposed cyber-attacks detection model.

Tao Yang,Zhenze Jiang,Peiyu Liu,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.1016/j.knosys.2023.110949

IF: 8.139

2023-01-01

Knowledge-Based Systems

Abstract:In Industrial Cyber-Physical Systems (ICPSs), the attacker can intrude into the cyber system through many penetration tools and attack the physical system. Payload-based traffic anomaly detection is a popular technique against these attacks. Due to the imbalanced distribution of normal and attack samples in ICPS, existing payload-based detection methods are mostly implemented based on unsupervised learning, typically comprising a word segmentation model and an unsupervised classifier. However, existing methods may disrupt semantic correlations and face challenges in extracting com-plex payload dependence relationships. To address these issues, this paper proposes a traffic anomaly detection approach, which consists of a data preprocessing model, an unsupervised word segmentation model, and an unsupervised classification model based on autoencoder. The unsupervised word segmentation model utilizes Long Short-Term Memory (LSTM) to calculate the probability of each word segmentation combination, effectively addressing the issue of inaccurate segmentation results in existing payload segmentation models. The unsupervised classification model, which combines 1D-Convolutional Neural Network (1D-CNN) and Bidirectional Encoder Representation from Transformers (BERT), addresses the challenge of extracting complex payload dependence relationships in existing classification models. The proposed detection approach is evaluated using a Cyber-Physical Attack Dataset (CPAD). Compared with the state-of-the-art detection approaches, the proposed approach has shown a significant improvement in Precision, with an increase of 18.83%. Additionally, the Recall has also been substantially enhanced, with a gain of 22.3%. Overall, the F1 has demonstrated a comprehensive improvement of 20.60%. (c) 2023 Elsevier B.V. All rights reserved.

Jiang Jiang,Yongxiang Xia,Sheng Xu,Hui-Liang Shen,Jiajing Wu

DOI: https://doi.org/10.1063/1.5139254

2020-01-01

Abstract:Cyber-physical systems (CPSs) are integrations of information technology and physical systems, which are more and more significant in society. As a typical example of CPSs, smart grids integrate many advanced devices and information technologies to form a safer and more efficient power system. However, interconnection with the cyber network makes the system more complex, so that the robustness assessment of CPSs becomes more difficult. This paper proposes a new CPS model from a complex network perspective. We try to consider the real dynamics of cyber and physical parts and the asymmetric interdependency between them. Simulation results show that coupling with the communication network makes better robustness of power system. But since the influences between the power and communication networks are asymmetric, the system parameters play an important role to determine the robustness of the whole system.

Yishuang Hu,Zhengwei Jiang,Yikai Sun,Yi Ding,Chenbo Xu,Xueqi Jin

DOI: https://doi.org/10.1088/1755-1315/467/1/012113

2020-01-01

IOP Conference Series Earth and Environmental Science

Abstract:Aiming at monitoring the behaviour of power system to make it work correctly and better, cyber physical power system (CPPS) was introduced. However, due to the high integration of cyber system, the complexity of power system is greatly enhanced, which puts forward higher requirements for the reliable and safe operation of CPPS. Moreover, when the cyber system is under attack, abnormal information flow may lead to abnormal energy flow. Therefore, this paper proposes a data transmission mechanism to analyse the information flow among CPPS. A data transmission optimization model based on the transmission matrix is constructed. The data transmission from the cyber system to the power system is quantified by the model. The practicability of the proposed data transmission mechanism is given by numerous cases.

Mayra Alexandra Macas Carrasco,Chunming Wu

DOI: https://doi.org/10.1109/icmla.2019.00212

2019-01-01

Abstract:Current Cyber-Physical Systems (CPSs) are sophisticated, complex, and equipped with networked sensors and actuators. As such, they have become further exposed to cyber-attacks. Recent catastrophic events have demonstrated that standard, human-based management of anomaly detection in complex systems is not efficient enough and have underlined the significance of automated detection, intelligent and rapid response. Nevertheless, existing anomaly detection frameworks usually are not capable of dealing with the dynamic and complicated nature of the CPSs. In this study, we introduce an unsupervised framework for anomaly detection based on an Attention-based Spatio-Temporal Autoencoder. In particular, we first construct statistical correlation matrices to characterize the system status across different time steps. Next, a 2D convolutional encoder is employed to encode the patterns of the correlation matrices, whereas an Attention-based Convolutional LSTM Encoder-Decoder (ConvLSTM-ED) is used to capture the temporal dependencies. More precisely, we introduce an input attention mechanism to adaptively select the most significant input features at each time step. Finally, the 2D convolutional decoder reconstructs the correlation matrices. The differences between the reconstructed correlation matrices and the original ones are used as indicators of anomalies. Extensive experimental analysis on data collected from all six stages of Secure Water Treatment (SWaT) testbed, a scaled-down version of a real-world industrial water treatment plant, demonstrates that the proposed model outperforms the state-of-the-art baseline techniques.

Yunan Zhang,Yixin Jiang,Aidong Xu,Xiaoyun Kuang,Chao Hong,Jiaqi Chen

DOI: https://doi.org/10.1109/CYBER53097.2021.9588220

2021-01-01

Abstract:The active anomaly detection system of cyber physical power system (CPPS) can make up for the shortcomings of traditional isolation-based defense methods, to detect cyberattacks that breach the security boundary. The traditional detection method based on only communication side features may have high false positive rate and false negative rate. To address this defect, an abnormal traffic detection...

Lei Wang,Pengcheng Xu,Zhaoyang Qu,Xiaoyong Bo,Yunchang Dong,Zhenming Zhang,Yang Li

DOI: https://doi.org/10.3389/fenrg.2021.666130

IF: 3.4

2021-04-21

Frontiers in Energy Research

Abstract:Existing coordinated cyber-attack detection methods have low detection accuracy and efficiency and poor generalization ability due to difficulties dealing with unbalanced attack data samples, high data dimensionality, and noisy data sets. This paper proposes a model for cyber and physical data fusion using a data link for detecting attacks on a Cyber–Physical Power System (CPPS). The two-step principal component analysis (PCA) is used for classifying the system’s operating status. An adaptive synthetic sampling algorithm is used to reduce the imbalance in the categories’ samples. The loss function is improved according to the feature intensity difference of the attack event, and an integrated classifier is established using a classification algorithm based on the cost-sensitive gradient boosting decision tree (CS-GBDT). The simulation results show that the proposed method provides higher accuracy, recall, and F-Score than comparable algorithms.

energy & fuels

Sungmoon Kwon,Hyunguk Yoo,Taeshik Shon

DOI: https://doi.org/10.1109/access.2020.2989770

IF: 3.9

2020-01-01

IEEE Access

Abstract:The introduction of the cyber-physical system (CPS) into power systems has created a variety of communication requirements and functions that existing legacy systems do not support. To this end, the IEEE 1815.1 standard defines the mapping between existing distributed network protocol networks and IEC 61850 networks that reflect new requirements. However, advanced CPS cyberattacks have been reported, and in order to address cyberattacks, security research on new power systems that use network devices and heterogeneous communication is necessary. In this study, we propose an intrusion detection system for an IEEE 1815.1-based power system using CPS. We 1) analyze an IEEE 1815.1-based power system network and propose a suitable application method for an intrusion detection system, 2) suggest a bidirectional recurrent neural network-based anomaly detection system for an IEEE 1815.1-based network, and 3) demonstrate the verification of the proposed technique using various power system-specific attack data, including real power system using CPS network traffic, CPS malware behavior (CMB), false data injection (FDI), and disabling reassembly (DR) attacks. Proposed technique successfully detected five types of CMB attacks, three types of FDI and DR attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tao Yang,Weijie Hao,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.1016/j.eswa.2023.120668

IF: 8.5

2023-01-01

Expert Systems with Applications

Abstract:Industrial cyber-physical systems (ICPSs) are facing increasing cyber threats that can cause catastrophes in the physical systems. Efficient network traffic anomaly detection is essential for guaranteeing the system's security and reliability. However, existing research on network traffic anomaly detection for ICPS has several limitations. First, most traffic anomaly detection models focus on centralized detection. Thus, all traffic packets have to be uploaded to the control center for detection, which leads to a heavy traffic load. However, real-time and reliable communication is crucial to ICPSs. The heavy traffic load may cause communication delays or packets lost by corruption. Second, Seasonal AutoRegressive Integrated Moving Average (SARIMA) is popular in ICPS network traffic anomaly detection. However, most SARIMA-based detection models can only detect anomalous traffic once. Thus, they are unable to detect anomalies continuously and are not suitable for actual ICPS. Third, the features extracted from network traffic affect the classification performance. However, most existing feature extraction models cannot sufficiently extract traffic features, leading to poor detection performance. To address the limitations above, this paper proposes a cloud-edge coordinated network traffic anomaly detection approach. The proposed approach consists of a set of anomalous traffic alarm models deployed in the edge areas and an anomalous traffic analysis model deployed in the cloud. The former is implemented based on Improved Online SARIMA (IOSARIMA) algorithm that can detect anomalous traffic continuously and upload it to the cloud for further analysis, filtering massive normal traffic packets and making traffic load smaller. The anomalous traffic analysis model consists of a feature extraction algorithm and a Convolutional Neural Network (CNN) classifier, which can sufficiently extract traffic features and identify the attack types precisely. The proposed anomaly detection approach is extensively evaluated on a realistic ICPS testbed, including 3 edges (i.e., power generation, power transmission and power distribution) and a cloud consisting of an engineering workstation and a Supervisory Control And Data Acquisition (SCADA) workstation. The experimental results confirm the smaller traffic load and better detection performance, compared with the existing detection models.

G Y Sree Varshini,S Latha

DOI: https://doi.org/10.1016/j.heliyon.2024.e26332

IF: 3.776

2024-02-19

Heliyon

Abstract:Cyber-Physical Power System (CPPS) refers to a system in which the elements of the internet and the physical power system communicate and work together. With the use of modern communication and information technology, grid monitoring and control have improved. However, the components of a cyber system are extremely vulnerable to cyberattacks via cyber connections due to inadequate cyber security measures. Therefore, an adaptive defence strategy is required for the analysis and mitigation of the coordinated attack. The conventional approach of using an offline controller requires tuning for changes in the operating conditions of the system, which is inappropriate for the modern CPPS. To counter the coordinated attack, a framework that integrates STATCOM based Adaptive Model Predictive Controller with RPME and time delay compensator is proposed. This paper addresses attack impact, detection, and mitigation methods in CPPS. In both time domain and frequency domain simulations the case studies are conducted for three distinct situations namely physical attack, cyberattack, and coordinated attack. Convolutional Neural Network (CNN), Support Vector Machine (SVM), Random Forest (RF), and K Nearest Neighbour (KNN) are four data-driven methods used for the detection of anomalies in PMU measurement data. Simulation studies show that CNN performs better in anomaly detection than other classifiers based on assessed performance metrics. For coordinated attack mitigation the proposed STATCOM based Adaptive Model Predictive Controller with RPME quickly recovers the system than the STATCOM based conventional lead-lag controller. The efficacy of the proposed strategy is validated on the WSCC 3 machine 9 bus system.

Kang-Di Lu,Zheng-Guang Wu

DOI: https://doi.org/10.1109/tcsii.2022.3181827

2022-01-01

Abstract:In cyber-physical power systems (CPPSs), false data injection attack (FDIA) has drawn much attention due to its stealthiness. It is of great importance to investigate the potential behaviors of attackers to improve the cyber-security of CPPSs. However, most FDIA models are often constructed separately on the effect of attackers or the impact of attacks. Accordingly, this brief proposes a multi-objective stealthy FDIA scheme in AC grid model. The attack model is described as a multi-objective optimization problem, where minimization of contaminated measurements and maximization of the attack impact are considered as two objectives while remaining stealthy. To deal with the established attack model, a non-dominated sorting genetic algorithm II (NSGAII) is introduced as the solver. To improve the efficiency of generating attack vector, a new representation mechanism is proposed to describe locations and values of injected states. Additionally, during the evolutionary process, we propose a mutation operation to balance the sparsity and impact of FDIA. Simulation results on the IEEE 14-bus, 30-bus, and 118-bus systems demonstrate the feasibility of the NSGAII-based FDIA model.

Yu-Chu Tian,Chunjie Zhou,Xiaoya Hu,Bowen Hu,Xin Du

DOI: https://doi.org/10.1109/TII.2022.3168774

IF: 12.3

2023-03-01

IEEE Transactions on Industrial Informatics

Abstract:Advanced cyber-physical power systems (CPPS) has been put forward by the strong integration of energy networks and communication networks. While CPPS brings a promising solution with high efficiency, strong flexibility, great scalability, and improved reliability, it inevitably poses some security challenges. In order to address these challenges, it is essential to accurately describe the attack behavior and system security situation. In this article, a dynamic risk propagation evaluation approach is proposed for accurately predicting attacks and quantitatively analyzing system risk. It is equipped with a partitioned cellular automata model to deal with spatial heterogeneity in the partitioned system. The intentions of targeted attack are also considered for predicting attacks. Then, the cyber-to-physical risk is quantitatively identified from multiple dimensions. Finally, the verification of attack intention is designed to dynamically update and adjust the predicted result. The presented approach is demonstrated through a case study on a CPPS.

Computer Science,Engineering

Yuan Luo,Ya Xiao,Long Cheng,Guojun Peng,Danfeng (Daphne) Yao

DOI: https://doi.org/10.1145/3453155

IF: 16.6

2022-06-30

ACM Computing Surveys

Abstract:Anomaly detection is crucial to ensure the security of cyber-physical systems (CPS). However, due to the increasing complexity of CPSs and more sophisticated attacks, conventional anomaly detection methods, which face the growing volume of data and need domain-specific knowledge, cannot be directly applied to address these challenges. To this end, deep learning-based anomaly detection (DLAD) methods have been proposed. In this article, we review state-of-the-art DLAD methods in CPSs. We propose a taxonomy in terms of the type of anomalies, strategies, implementation, and evaluation metrics to understand the essential properties of current methods. Further, we utilize this taxonomy to identify and highlight new characteristics and designs in each CPS domain. Also, we discuss the limitations and open problems of these methods. Moreover, to give users insights into choosing proper DLAD methods in practice, we experimentally explore the characteristics of typical neural models, the workflow of DLAD methods, and the running performance of DL models. Finally, we discuss the deficiencies of DL approaches, our findings, and possible directions to improve DLAD methods and motivate future research.

computer science, theory & methods

Prashanth Krishnamurthy,Ali Rasteh,Ramesh Karri,Farshad Khorrami

2024-06-18

Abstract:Increased connectivity and remote reprogrammability/reconfigurability features of embedded devices in current-day power systems (including interconnections between information technology -- IT -- and operational technology -- OT -- networks) enable greater agility, reduced operator workload, and enhanced power system performance and capabilities. However, these features also expose a wider cyber-attack surface, underscoring need for robust real-time monitoring and anomaly detection in power systems, and more generally in Cyber-Physical Systems (CPS). The increasingly complex, diverse, and potentially untrustworthy software and hardware supply chains also make need for robust security tools more stringent. We propose a novel framework for real-time monitoring and anomaly detection in CPS, specifically smart grid substations and SCADA systems. The proposed method enables real-time signal temporal logic condition-based anomaly monitoring by processing raw captured packets from the communication network through a hierarchical semantic extraction and tag processing pipeline into time series of semantic events and observations, that are then evaluated against expected temporal properties to detect and localize anomalies. We demonstrate efficacy of our methodology on a hardware in the loop testbed, including multiple physical power equipment (real-time automation controllers and relays) and simulated devices (Phasor Measurement Units -- PMUs, relays, Phasor Data Concentrators -- PDCs), interfaced to a dynamic power system simulator. The performance and accuracy of the proposed system is evaluated on multiple attack scenarios on our testbed.

Systems and Control

Han Qin,Jiaming Weng,Dong Liu,Donglian Qi,Yufei Wang

DOI: https://doi.org/10.17775/cseejpes.2020.04550

IF: 6.014

2024-01-01

CSEE Journal of Power and Energy Systems

Abstract:With the help of advanced information technology, real-time monitoring and control levels of cyber-physical distribution systems (CPDS) have been significantly improved. However due to the deep integration of cyber and physical systems, attackers could still threaten the stable operation of CPDS by launching cyber-attacks, such as denial-of-service (DoS) attacks. Thus, it is necessary to study the CPDS risk assessment and defense resource allocation methods under DoS attacks. This paper analyzes the impact of DoS attacks on the physical system based on the CPDS fault self-healing control. Then, considering attacker and defender strategies and attack damage, a CPDS risk assessment framework is established. Furthermore, risk assessment and defense resource allocation methods, based on the Stackelberg dynamic game model, are proposed under conditions in which the cyber and physical systems are launched simultaneously. Finally, a simulation based on an actual CPDS is performed, and the calculation results verify the effectiveness of the algorithm.

Jiali Ma,Yuanbo Guo,Chen Fang,Qi Zhang

DOI: https://doi.org/10.1109/jiot.2024.3366904

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Although a cyber-physical system (CPS) enhances the system control flexibility by connecting physical devices to the network, it also increases the possibility of network attacks on the system, which can cause damage to both property and personnel. To achieve CPS security, this paper proposes a network security protection method based on a digital twin (DT). By constructing DT models of the CPS physical layer and network layer and collecting real-time data of the system, the system security is improved from several aspects. First, we construct a data-driven behavior model for the CPS physical layer and introduce expert knowledge in order to realize the function of physical layer anomaly diagnosis. Comparisons with related studies show that our method achieves a higher precision, recall rate, and F1 score. Second, we construct an attack graph model for the CPS network layer for CPS network security analysis in order to realize the functions of security risk quantification and security countermeasure recommendation. Finally, we model the interaction between the physical networks and transfer the diagnosis results of the physical layer twin to the network layer twin in order to correct the attack graph. Thus, we achieve an accurate representation of the overall network security situation in real time.

computer science, information systems,telecommunications,engineering, electrical & electronic