Next Article in Journal
Transfer Characteristics of the Nonlinear Parity-Time-Symmetric Wireless Power Transfer System at Detuning
Next Article in Special Issue
Enhancing Cybersecurity in Smart Grids: False Data Injection and Its Mitigation
Previous Article in Journal
Modelling of Hard Coal Beneficiation Process Utilising Negative Pressure Pneumatic Separator
Previous Article in Special Issue
An Approach to Detecting Cyber Attacks against Smart Power Grids Based on the Analysis of Network Traffic Self-Similarity
Article

Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations

1
Institute of Automation and Applied Informatics (IAI), Karlsruhe Institute of Technology (KIT), Hermann-von-Helmholtz-Platz 1, 76344 Eggenstein-Leopoldshafen, Germany
2
Information Trust Institute (ITI), University of Illinois at Urbana-Champaign (UIUC), 1206 W Clark St, Urbana, IL 61801, USA
*
Author to whom correspondence should be addressed.
Energies 2020, 13(19), 5176; https://doi.org/10.3390/en13195176
Received: 30 August 2020 / Revised: 27 September 2020 / Accepted: 29 September 2020 / Published: 5 October 2020
(This article belongs to the Special Issue Cybersecurity in Smartgrids)
Integration of Information and Communication Technology (ICT) in modern smart grids (SGs) offers many advantages including the use of renewables and an effective way to protect, control and monitor the energy transmission and distribution. To reach an optimal operation of future energy systems, availability, integrity and confidentiality of data should be guaranteed. Research on the cyber-physical security of electrical substations based on IEC 61850 is still at an early stage. In the present work, we first model the network traffic data in electrical substations, then, we present a statistical Anomaly Detection (AD) method to detect Denial of Service (DoS) attacks against the Generic Object Oriented Substation Event (GOOSE) network communication. According to interpretations on the self-similarity and the Long-Range Dependency (LRD) of the data, an Auto-Regressive Fractionally Integrated Moving Average (ARFIMA) model was shown to describe well the GOOSE communication in the substation process network. Based on this ARFIMA-model and in view of cyber-physical security, an effective model-based AD method is developed and analyzed. Two variants of the statistical AD considering statistical hypothesis testing based on the Generalized Likelihood Ratio Test (GLRT) and the cumulative sum (CUSUM) are presented to detect flooding attacks that might affect the availability of the data. Our work presents a novel AD method, with two different variants, tailored to the specific features of the GOOSE traffic in IEC 61850 substations. The statistical AD is capable of detecting anomalies at unknown change times under the realistic assumption of unknown model parameters. The performance of both variants of the AD method is validated and assessed using data collected from a simulation case study. We perform several Monte-Carlo simulations under different noise variances. The detection delay is provided for each detector and it represents the number of discrete time samples after which an anomaly is detected. In fact, our statistical AD method with both variants (CUSUM and GLRT) has around half the false positive rate and a smaller detection delay when compared with two of the closest works found in the literature. Our AD approach based on the GLRT detector has the smallest false positive rate among all considered approaches. Whereas, our AD approach based on the CUSUM test has the lowest false negative rate thus the best detection rate. Depending on the requirements as well as the costs of false alarms or missed anomalies, both variants of our statistical detection method can be used and are further analyzed using composite detection metrics. View Full-Text
Keywords: intrusion detection; model-based anomaly detection; substation communication network; IEC 61850 electrical substations; ARFIMA model; cyber-physical security; DoS attacks intrusion detection; model-based anomaly detection; substation communication network; IEC 61850 electrical substations; ARFIMA model; cyber-physical security; DoS attacks
Show Figures

Figure 1

MDPI and ACS Style

Elbez, G.; Keller, H.B.; Bohara, A.; Nahrstedt, K.; Hagenmeyer, V. Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations. Energies 2020, 13, 5176. https://doi.org/10.3390/en13195176

AMA Style

Elbez G, Keller HB, Bohara A, Nahrstedt K, Hagenmeyer V. Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations. Energies. 2020; 13(19):5176. https://doi.org/10.3390/en13195176

Chicago/Turabian Style

Elbez, Ghada, Hubert B. Keller, Atul Bohara, Klara Nahrstedt, and Veit Hagenmeyer. 2020. "Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations" Energies 13, no. 19: 5176. https://doi.org/10.3390/en13195176

Find Other Styles
Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.

Article Access Map by Country/Region

1
Back to TopTop