Haitao Wu,Zhongwei Qiao,Yuepeng Zhang,Xiaoyu Ji

DOI: https://doi.org/10.1109/ei250167.2020.9346879

2020-01-01

Abstract:With the development of ubiquitous electric Internet of things(UEIoT), the number and types of terminal devices in the smart grid have reached an unprecedented level. In order to ensure the stable operation of the smart grid, we need to monitor the operation status of each terminal, detect various software-level or hardware-level attacks in time, and make corresponding decisions. In this paper, we propose a novel detection method based on multi-dimensional information fusion and computer vision, in which power consumption, traffic, message data and security logs generated by terminal equipments are drawn as characteristic graphs, and then we use a convolution neural network(CNN) to recognize them. According to the detection results, we can know whether there is an attack and if so, which kind of attack has occurred. We also use actual measurement data of an DTU to test our method, and it achieves real-time detection and has high precision.

Lu Chen,Tao Zhang,Yuanyuan Ma,Mu Chen

DOI: https://doi.org/10.1109/iist62526.2024.00098

2024-01-01

Abstract:With the increasing complexity, automation, and intelligence of network attacks, new types of attacks are constantly emerging in the network, posing great challenges to network attack detection and timely response based on prior rules. In order to more effectively and accurately identify abnormal traffic, a network abnormal traffic detection algorithm based on improved convolutional neural networks is proposed. The algorithm first inputs the key features of traffic anomaly monitoring, converts them into color images through visualization technology, extracts higher dimensional features, and then uses neural structure search technology to find a lightweight convolutional network structure with high accuracy and less time consumption. The optimal model is used to output the type of traffic anomaly. The results indicate that the algorithm has a higher accuracy and the shortest classification time for a single image.

Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

Tianzhixi Yin,Syed Ahsan Raza Naqvi,Sai Pushpak Nandanoori,Soumya Kundu

2024-11-05

Abstract:This paper explores the detection and localization of cyber-attacks on time-series measurements data in power systems, focusing on comparing conventional machine learning (ML) like k-means, deep learning method like autoencoder, and graph neural network (GNN)-based techniques. We assess the detection accuracy of these approaches and their potential to pinpoint the locations of specific sensor measurements under attack. Given the demonstrated success of GNNs in other time-series anomaly detection applications, we aim to evaluate their performance within the context of power systems cyber-attacks on sensor measurements. Utilizing the IEEE 68-bus system, we simulated four types of false data attacks, including scaling attacks, additive attacks, and their combinations, to test the selected approaches. Our results indicate that GNN-based methods outperform k-means and autoencoder in detection. Additionally, GNNs show promise in accurately localizing attacks for simple scenarios, although they still face challenges in more complex cases, especially ones that involve combinations of scaling and additive attacks.

Systems and Control

Zhi-Yang,Xiao-jun

2020-01-01

Abstract:Intrusion Detection Algorithm of Power Grid Industrial Control System Based on CNN ZHAO Zhi-Yang, XIA Xiao-Jun (University of Chinese Academy of Sciences, Beijing 100049, China) (Shenyang Institute of Computing Technology, Chinese Academy of Sciences, Shenyang 110168, China) Abstract: Traditional power grid industrial control systems are mainly isolated from external networks through tools such as firewalls, but with the application of new technologies such as cloud computing and the Internet of Things, the degree of interconnection between networks has continued to deepen, and the difficulty of security protection has greatly increased. How to effectively detect network intrusion behavior has become very important. Compared with traditional intrusion detection technology, convolutional neural networks have a better ability to extract intrusion features. This study proposes a power grid industrial control system intrusion detection algorithm based on convolutional neural networks. The KDD99 dataset is processed for model training, and a cascade convolution layer is added to optimize the network structure. Under the premise of small parameter scale, the real-time requirements of the model are guaranteed. Compared with the traditional SVM algorithm and the k-means algorithm, the intrusion detection accuracy of the proposed algorithm in this study is improved, the false detection rate is reduced, and the intrusion behavior to the power grid industrial control system can be effectively detected.

Alfan Presekal,Alexandru Stefanov,Vetrivel S. Rajkumar,Peter Palensky

DOI: https://doi.org/10.1109/tsg.2023.3237011

IF: 10.275

2023-09-01

IEEE Transactions on Smart Grid

Abstract:Electrical power grids are vulnerable to cyber attacks, as seen in Ukraine in 2015 and 2016. However, existing attack detection methods are limited. Most of them are based on power system measurement anomalies that occur when an attack is successfully executed at the later stages of the cyber kill chain. In contrast, the attacks on the Ukrainian power grid show the importance of system-wide, early-stage attack detection through communication-based anomalies. Therefore, in this paper, we propose a novel method for online cyber attack situational awareness that enhances the power grid resilience. It supports power system operators in the identification and localization of active attack locations in Operational Technology (OT) networks in near real-time. The proposed method employs a hybrid deep learning model of Graph Convolutional Long Short-Term Memory (GC-LSTM) and a deep convolutional network for time series classification-based anomaly detection. It is implemented as a combination of software defined networking, anomaly detection in communication throughput, and a novel attack graph model. Results indicate that the proposed method can identify active attack locations, e.g., within substations, control center, and wide area network, with an accuracy above 96%. Hence, it outperforms existing state-of-the-art deep learning-based time series classification methods.

engineering, electrical & electronic

Sha Peng,Mengxiang Liu,Li Chai,Ruilong Deng

DOI: https://doi.org/10.1109/tsg.2024.3445113

IF: 10.275

2024-01-01

IEEE Transactions on Smart Grid

Abstract:The increasing deployment of solar photovoltaic (PV) systems in the electric grid, aimed at addressing the energy crisis and surging power demands, has expanded the potential vulnerability to cyberattacks due to the inter-networking of the grid-connected power electronics converters. In this paper, we propose a dynamic spatiotemporal graph neural network (DST-GNN) for cyberattack detection in grid-tied PV systems. Specifically, to exploit the inherent graph topology of the grid-tied PV system, we start by employing a GNN with a dynamic weighted adjacency matrix to capture the latent spatial correlations within signal data. Then, a one-dimensional convolution neural network (1D-CNN) is utilized to extract the underlying temporal patterns. Notably, we leverage the system dynamics to determine the dynamic graph weights and the number of graph convolution layers, while the hyper-parameters of 1D-CNN are designed based on the periodicity of input signals. Finally, the integration of the priori physical system knowledge further enhances the interpretability and improves the detection performance of DST-GNN. To the best of our knowledge, this is the first work that embeds the grid-tied PV system into a graph structure for cyberattack detection. The effectiveness of DST-GNN is evaluated through comprehensive case studies on a hardware-in-the-loop (HIL) grid-tied PV testbed, and numerical results demonstrate its superiority over baseline methods.

Yizhak Vaisman,Gilad Katz,Yuval Elovici,Asaf Shabtai

DOI: https://doi.org/10.48550/arXiv.2311.18525

2023-11-30

Abstract:To protect an organizations' endpoints from sophisticated cyberattacks, advanced detection methods are required. In this research, we present GCNetOmaly: a graph convolutional network (GCN)-based variational autoencoder (VAE) anomaly detector trained on data that include connection events among internal and external machines. As input, the proposed GCN-based VAE model receives two matrices: (i) the normalized adjacency matrix, which represents the connections among the machines, and (ii) the feature matrix, which includes various features (demographic, statistical, process-related, and Node2vec structural features) that are used to profile the individual nodes/machines. After training the model on data collected for a predefined time window, the model is applied on the same data; the reconstruction score obtained by the model for a given machine then serves as the machine's anomaly score. GCNetOmaly was evaluated on real, large-scale data logged by Carbon Black EDR from a large financial organization's automated teller machines (ATMs) as well as communication with Active Directory (AD) servers in two setups: unsupervised and supervised. The results of our evaluation demonstrate GCNetOmaly's effectiveness in detecting anomalous behavior of machines on unsupervised data.

Cryptography and Security,Machine Learning

Jiao Hao,Zongbao Zhang,Yihan Ping

DOI: https://doi.org/10.4018/ijitsa.336475

2024-01-17

International Journal of Information Technologies and Systems Approach

Abstract:The stability and reliability of the power system are of utmost significance in upholding the smooth functioning of modern society. Fault diagnosis and prediction represent pivotal factors in the operation and maintenance of the power system. This article presents an approach employing graph neural network (GNN) to enhance the precision and efficiency of power system fault diagnosis and prediction. The system's efficacy lies in its ability to capture the intricate interconnections and dynamic variations within the power system by conceptualizing it as a graph structure and harnessing the capabilities of GNN. In this study, the authors introduce a substitution for the pooling layer with a convolution operation. A central role is played by the global average pooling layer, connecting the convolution layer and the fully connected layer. The fully connected layer carries out nonlinear computations, ultimately providing the classification at the top-level output layer. In experiments and tests, we verified the performance of the system.

Liang Li,Yuanhui He,Feiyang Huang,Ziming Zhao,Zhuoxue Song,Tong Zhou,Zhenyuan Li,Fan Zhang

DOI: https://doi.org/10.1109/cscwd61410.2024.10580010

2024-01-01

Abstract:Intrusion Detection Systems (IDSs) are vital in detecting network attacks and ensuring the confidentiality and integrity of network resources. Currently, industry-standard IDSs primarily rely on rule-based or anomaly-detection techniques. However, existing detection techniques often generate false positives and negatives, also known as the alert fatigue problem. This influx of incorrect events diminishes the IDS’s efficiency by overburdening security analysts. In this paper, we present ACVS, an innovative automated alert cross-verification system that leverages Graph Neural Networks for identifying misclassifications in security events. Initially, ACVS generates event graphs using attributes like IP addresses and timestamps from sequences of security events and then employs correlation analysis on these events, utilizing alert information to verify misclassifications. Finally, the system uses Graph Neural Networks to classify and correct these security events automatically. We conduct evaluations for ACVS on a substantial real-world dataset comprising over 5 million security events, which are categorized into 5 distinct groups. The results reveal that ACVS markedly enhances the accuracy of intrusion detection systems and substantially reduces the need for manual analysis.

Jiazhu Dai,Weifeng Zhu,Xiangfeng Luo

DOI: https://doi.org/10.48550/arXiv.2011.14365

2020-11-29

Abstract:Graph-structured data exist in numerous applications in real life. As a state-of-the-art graph neural network, the graph convolutional network (GCN) plays an important role in processing graph-structured data. However, a recent study reported that GCNs are also vulnerable to adversarial attacks, which means that GCN models may suffer malicious attacks with unnoticeable modifications of the data. Among all the adversarial attacks on GCNs, there is a special kind of attack method called the universal adversarial attack, which generates a perturbation that can be applied to any sample and causes GCN models to output incorrect results. Although universal adversarial attacks in computer vision have been extensively researched, there are few research works on universal adversarial attacks on graph structured data. In this paper, we propose a targeted universal adversarial attack against GCNs. Our method employs a few nodes as the attack nodes. The attack capability of the attack nodes is enhanced through a small number of fake nodes connected to them. During an attack, any victim node will be misclassified by the GCN as the attack node class as long as it is linked to them. The experiments on three popular datasets show that the average attack success rate of the proposed attack on any victim node in the graph reaches 83% when using only 3 attack nodes and 6 fake nodes. We hope that our work will make the community aware of the threat of this type of attack and raise the attention given to its future defense.

Machine Learning,Cryptography and Security

Xinxin Chen,Zhe Yang,Wenlong Liao,Runan Song,Kuangpu Liu,Bin Zhang

DOI: https://doi.org/10.1109/TPWRS.2022.3196403

IF: 7.326

2023-07-01

IEEE Transactions on Power Systems

Abstract:The widespread penetration of advanced metering infrastructure brings an opportunity to detect electricity theft by analyzing the electricity consumption data collected from smart meters. However, existing models have poor performance in electricity theft detection, since most of them fail to capture the time dependence, periodicity, and latent feature from complex electricity consumption data. To address above concerns, a graph convolutional neural network (GCN) and a Euclidean convolutional neural network (CNN) are combined to form a novel model for electricity theft detection in this paper. On one hand, the high-dimensional power load curves are modeled as a graph from a new perspective on graph theory. Then, the GCN depicts the time dependence and periodicity by performing graph convolutional operations. On the other hand, the CNN captures the latent features from the power load curves by carrying out Euclidean convolutional procedures. Numerical simulations show that the proposed model integrates the benefits of GCN and CNN, leading to superiority over the popular benchmarks in electricity theft detection.

Engineering,Computer Science

Zhihong Zhang

DOI: https://doi.org/10.1109/ICTEI60496.2023.00065

2023-09-11

Abstract:At present, most network intrusion detection is to analyze the data afterwards, that is, after the attack, it can react. This is not conducive to the timely detection of anomalies and the effective management of the network. Therefore, this paper designs a network traffic anomaly detection algorithm based on Deep CNN (Convective Neural Network). For the safety and reliability of data transmission and the reasonable allocation of network resources, it is necessary to detect the anomaly of network traffic. In view of the current Internet security requirements, simple and quick methods can quickly and effectively detect security incidents when they break out, thus gaining time for network defense. Finally, the detection accuracy of the algorithm proposed in this paper is compared with GA and ACA. The results show that the detection accuracy is the ratio between the number of abnormal traffic time series detected and the expected number of abnormal sequences. It can be seen that the accuracy of the three algorithms can reach $50 \%$, but the detection accuracy of the algorithm proposed in this paper is the highest, with an average accuracy of $94.13 \%$. The algorithm in this paper ensures a high detection speed while maintaining a certain detection accuracy.

Engineering,Computer Science

Da Li,Tao Shang,Xueqin Gao,Yao Tang

DOI: https://doi.org/10.1109/mass56207.2022.00061

2022-01-01

Abstract:Cooperative attack is a main threat to power cyber-physical system, which has a high success rate and strong destructiveness. The existing detection methods are limited by a single data type, so it is difficult to detect the combination of cooperative attacks and take defensive measures. In this paper, we propose feature relation graph convolutional network for cooperative attack detection by means of extracting the feature relationship and power node topology relationship. In this method, the power monitoring system data and the communication network data are fused to improve the efficiency of cooperative attack detection. Compared with graph convolutional network, the training time of the proposed method is reduced by 67.78%-94.60% and the detection accuracy is improved by 0.65%-3.41%.

Hong-Dang Le,Minho Park

DOI: https://doi.org/10.3390/electronics13122404

IF: 2.9

2024-06-20

Electronics

Abstract:As network sizes grow, attack schemes not only become more varied but also increase in complexity. This diversification leads to a proliferation of attack variants, complicating the identification and differentiation of potential threats. Enhancing system security necessitates the implementation of multi-class intrusion detection systems. This approach enables the categorization of incoming network traffic into distinct intrusion types and illustrates the specific attack encountered within the Internet. Numerous studies have leveraged deep learning (DL) for Network-based Intrusion Detection Systems (NIDS), aiming to improve intrusion detection. Among these DL algorithms, Graph Neural Networks (GNN) stand out for their ability to efficiently process unstructured data, especially network traffic, making them particularly suitable for NIDS applications. Although NIDS usually monitors incoming and outgoing flows in a network, represented as edge features in graph format, traditional GNN studies only consider node features, overlooking edge features. This oversight can result in losing important flow data and diminish the system's ability to detect attacks effectively. To address this limitation, our research makes several key contributions: (1) Emphasize the significance of edge features for enhancing GNN for multi-class intrusion detection, (2) Utilize port information, which is essential for identifying attacks but often overlooked during training, (3) Reorganize features embedded within the graph. By doing this, the graph can represent close to the actual network, which is the node showing endpoint identification information such as IP addresses and ports; the edge contains information related to flow such as Duration, Number of Packet/s, and Length....; (4) Compared to traditional methods, our experiments demonstrate significant performance improvements on both CIC-IDS-2017 (98.32%) and UNSW-NB15 (96.71%) datasets.

engineering, electrical & electronic,computer science, information systems,physics, applied

Seyed Hamed Haghshenas,Md Abul Hasnat,Mia Naeini

DOI: https://doi.org/10.1109/ISGT51731.2023.10066446

2022-12-07

Abstract:This paper presents a Temporal Graph Neural Network (TGNN) framework for detection and localization of false data injection and ramp attacks on the system state in smart grids. Capturing the topological information of the system through the GNN framework along with the state measurements can improve the performance of the detection mechanism. The problem is formulated as a classification problem through a GNN with message passing mechanism to identify abnormal measurements. The residual block used in the aggregation process of message passing and the gated recurrent unit can lead to improved computational time and performance. The performance of the proposed model has been evaluated through extensive simulations of power system states and attack scenarios showing promising performance. The sensitivity of the model to intensity and location of the attacks and model's detection delay versus detection accuracy have also been evaluated.

Machine Learning,Signal Processing,Systems and Control

Tao Yi,Xingshu Chen,Yi Zhu,Weijing Ge,Zhenhui Han

DOI: https://doi.org/10.1016/j.jnca.2022.103580

IF: 7.574

2023-03-01

Journal of Network and Computer Applications

Abstract:With the development of new technologies such as big data, cloud computing, and the Internet of Things, network attack technology is constantly evolving and upgrading, and network attack detection technology is forced to undergo corresponding iterative evolution. Three main problems are associated with these technologies: the automatic representation of heterogeneous and complex network traffic data, the uneven network attack samples, and the contradiction between the accuracy of the anomaly detection model and the continuous evolution of attacks. Researchers have proposed several network attack detection techniques based on deep learning to address these problems. This study reviews and analyzes the studies aimed at dealing with such problems, considering multiple factors, such as models, traffic representation and feature extraction, threat detection model training, and model robustness improvement. Finally, the existing problems and challenges associated with the current research are analyzed with respect to data category imbalance, high-dimensional massive data processing, concept distribution drift, real-time interpretability of the detection model, and the security of the model.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Osman Boyaci,Mohammad Rasoul Narimani,Katherine Davis,Erchin Serpedin

DOI: https://doi.org/10.48550/arXiv.2112.13166

2021-12-25

Abstract:As a highly complex and integrated cyber-physical system, modern power grids are exposed to cyberattacks. False data injection attacks (FDIAs), specifically, represent a major class of cyber threats to smart grids by targeting the measurement data's integrity. Although various solutions have been proposed to detect those cyberattacks, the vast majority of the works have ignored the inherent graph structure of the power grid measurements and validated their detectors only for small test systems with less than a few hundred buses. To better exploit the spatial correlations of smart grid measurements, this paper proposes a deep learning model for cyberattack detection in large-scale AC power grids using Chebyshev Graph Convolutional Networks (CGCN). By reducing the complexity of spectral graph filters and making them localized, CGCN provides a fast and efficient convolution operation to model the graph structural smart grid data. We numerically verify that the proposed CGCN based detector surpasses the state-of-the-art model by 7.86 in detection rate and 9.67 in false alarm rate for a large-scale power grid with 2848 buses. It is notable that the proposed approach detects cyberattacks under 4 milliseconds for a 2848-bus system, which makes it a good candidate for real-time detection of cyberattacks in large systems.

Cryptography and Security,Artificial Intelligence,Machine Learning,Signal Processing,Systems and Control

Xinfan Jiang,Yonggang Liu,Jinbo Wu,Zhuping Liu,Yuanxi Chen,Chuangxin Guo

DOI: https://doi.org/10.1109/ei259745.2023.10512548

2023-01-01

Abstract:In modern electric power systems, accurate and fast risk assessment is of paramount importance. Traditional methods, relying on iterative computations, have a substantial computational demand, hindering their efficiency in real-time evaluations. This paper introduces a novel risk assessment approach using Graph Convolutional Networks (GCNs), which leverages the graph structure of power system data, thereby enhancing the efficiency of risk assessment and further bolstering the power grid's risk analysis and early warning capabilities. This study utilized the IEEE RTS-79 system to generate representative samples, designed experiments to fine-tune model hyperparameters via grid search, and subsequently trained the model. A comparative analysis was then carried out among various traditional machine learning methods and deep learning models. The results indicate that GCNs exhibit exceptional generalization capabilities, meeting the demands for real-time risk assessment in modern power systems.

Mai Ye,Shiming Men,Lei Xie,Bing Chen

DOI: https://doi.org/10.1145/3605801.3605807

2023-01-01

Abstract:APT(Advanced Persistent Threat) are known for their stealth, persistence, and sophistication, often carried out by skilled and well-funded attackers. To detect and investigate APT attacks at the host-level, scholars have extensively studied the provenance graph, which preserves the complete attack context. However, existing methods have impractical requirements for data collection and threshold setting, severely impacting their real-world performance. In this paper, we propose GCA (Graph Competitive Autoencoder), a GNN-based graph-level anomaly detection system. We first extract entities and their interactions from host logs to construct a provenance graph. Subsequently, we utilize GNN (Graph Neural Network) as a graph encoder to obtain graph-level embeddings. In the anomaly detection part, we use the competitive autoencoder and mutual information maximization to identify the attack graph. With this model, we can conduct graph-level anomaly detection even when the training data is partially contaminated, without manually setting the threshold. We deploy and evaluate our model on the public dataset StreamSpot. Our results show that GCA outperforms existing methods in terms of accuracy and practicality.