
    Deep Learning-Based Intrusion Detection System for Advanced Metering Infrastructure

    The smart grid is an alternative to the conventional power grid that harnesses information technology to save energy and meet today's environmental requirements. Because of the inherent vulnerabilities of information technology, the smart grid is exposed to a wide variety of threats that can be translated into cyber-attacks. In this paper, we develop a deep learning-based intrusion detection system to defend against cyber-attacks in the advanced metering infrastructure network. The proposed machine learning approach is trained and tested extensively on an empirical industrial dataset composed of several attack categories, including scanning, buffer overflow, and denial of service attacks. An experimental comparison in terms of detection accuracy is then conducted to evaluate the proposed approach against Naive Bayes, Support Vector Machine, and Random Forest. The results suggest that the proposed approach produces optimal results compared to the other algorithms. Finally, we propose a network architecture to deploy the proposed anomaly-based intrusion detection system across the Advanced Metering Infrastructure network. In addition, we propose a network security architecture composed of two types of intrusion detection system, host-based and network-based, deployed across the Advanced Metering Infrastructure network to inspect the traffic and detect malicious traffic at all levels.
    Comment: 7 pages, 6 figures. 2019 NISS19: Proceedings of the 2nd International Conference on Networking, Information Systems & Security

    A Performance Comparison of Data Mining Algorithms Based Intrusion Detection System for Smart Grid

    The smart grid is an emerging and promising technology. It uses the power of information technologies to deliver electrical power to customers intelligently, and it allows the integration of green technology to meet environmental requirements. Unfortunately, information technologies have their own inherent vulnerabilities and weaknesses that expose the smart grid to a wide variety of security risks. The intrusion detection system (IDS) plays an important role in securing smart grid networks and detecting malicious activity, yet it suffers from several limitations. Many research papers have been published to address these issues using several algorithms and techniques; therefore, a detailed comparison between these algorithms is needed. This paper presents an overview of four data mining algorithms used by IDSs in the smart grid. The performance of these algorithms is evaluated on several metrics, including the probability of detection, probability of false alarm, probability of missed detection, efficiency, and processing time. Results show that Random Forest outperforms the other three algorithms in detecting attacks, with a higher probability of detection, lower probability of false alarm, lower probability of missed detection, and higher accuracy.
    Comment: 6 pages, 6 figures

    Intelligent intrusion detection system in smart grid using computational intelligence and machine learning

    Smart grid systems have enhanced the capability of traditional power networks while remaining vulnerable to different types of cyber-attacks. These vulnerabilities could allow attackers to break into the network, breaching the integrity and confidentiality of smart grid systems. An intrusion detection system (IDS) therefore becomes an important way to provide secure and reliable services in a smart grid environment. This article proposes a feature-based IDS for smart grid systems. The proposed system's performance is evaluated in terms of accuracy, intrusion detection rate (DR), and false alarm rate (FAR). The results show that the random forest and neural network classifiers outperform the other classifiers. We achieved a 0.5% FAR on the KDD99 dataset and a 0.08% FAR on the NSL-KDD dataset. The DR and the testing accuracy are on average 99% for both datasets.

    Anomaly Detection pada Intrusion Detection System Menggunakan CLIQUE Partitioning

    An intrusion is any set of events that threatens the availability, integrity, and confidentiality of network resources, such as user accounts, the file system, the system kernel, and so on. To prevent such events, an intrusion detection system (IDS) is built: a system that observes and analyzes the events occurring on a computer and decides whether each event is an intrusion or not. One category of IDS is anomaly detection. This category detects intrusion events based on a data profile: an event is detected as an intrusion if its characteristics differ from the common data profile. Clustering is one way to obtain this data profile. Many clustering algorithms have been proposed for anomaly detection in IDSs; one of them is CLIQUE Partitioning (CP). CP combines grid-based clustering and density-based clustering techniques: it divides the data space into subspaces and searches for clusters in each subspace. Testing was carried out to analyze the system's performance in terms of computational time, completeness, and false alarm rate. The CP algorithm shows good performance in terms of completeness (94.59%) and false alarm rate (2.54%). In terms of computational time, CP performs well with respect to the number of tuples (an increase in the number of tuples is linear with the increase in computational time), but less well with respect to the number of attributes (an increase in the number of tuples is exponential with the increase in computational time).
    Keywords: anomaly detection, IDS, CLIQUE Partitioning, subspace, cluster

    A Security Monitoring Framework For Virtualization Based HEP Infrastructures

    High Energy Physics (HEP) distributed computing infrastructures require automatic tools to monitor, analyze and react to potential security incidents. These tools should collect and inspect data such as resource consumption, logs and sequences of system calls to detect anomalies that indicate the presence of a malicious agent. They should also be able to perform automated reactions to attacks without administrator intervention. We describe a novel framework that meets these requirements, with a proof-of-concept implementation for the ALICE experiment at CERN. We show how we achieve a fully virtualized environment that improves security by isolating services and Jobs without a significant performance impact. We also describe a dataset collected for Machine Learning based Intrusion Prevention and Detection Systems on Grid computing. This dataset is composed of resource consumption measurements (such as CPU, RAM and network traffic), log files from operating system services, and system call data collected from production Jobs running in an ALICE Grid test site and from a large set of malware. This malware was collected from security research sites. Based on this dataset, we will proceed to develop Machine Learning algorithms able to detect malicious Jobs.
    Comment: Proceedings of the 22nd International Conference on Computing in High Energy and Nuclear Physics, CHEP 2016, 10-14 October 2016, San Francisco. Submitted to Journal of Physics: Conference Series (JPCS)

    On specification-based cyber-attack detection in smart grids

    The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the attack surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and to detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-oriented use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.

    A Transfer Learning Framework for Self-Adaptive Intrusion Detection in the Smart Grid based on Transferability Analysis and Domain-Adversarial Training

    Machine learning is a popular approach to security monitoring and intrusion detection in cyber-physical systems (CPS) such as the smart grid. General ML approaches presume that the training and testing data are drawn from identical or similar independent distributions. This assumption may not hold in many real-world systems and applications such as CPS, since changes in system and attack dynamics may shift the data distribution and thus break the trained models. Transfer learning (TL) is a promising solution to the data distribution divergence problem and can maintain performance in the face of system and attack variations. However, there are still two challenges in introducing TL into intrusion detection: when to apply TL and how to extract effective features during TL. To address these two challenges, this research proposes a transferability analysis and domain-adversarial training (TADA) framework. This work first proposes a divergence-based transferability analysis to decide whether to apply TL, then develops a spatial-temporal domain-adversarial (DA) training model to reduce the distribution divergence between two domains and improve attack detection performance. The main contributions are: (i) a divergence-based transferability analysis to help evaluate the necessity of TL in security monitoring for CPS, such as intrusion detection in the smart grid; (ii) a spatial-temporal DA training approach to extract spatial-temporal domain-invariant features that mitigate the impact of distribution divergence and enhance detection performance. Extensive experiments demonstrate that the transferability analysis is capable of predicting the accuracy drop and determining whether to apply TL. Compared to state-of-the-art models, TADA achieves high and more robust detection performance under system and attack variations.

    DEEP LEARNING TECHNIQUES FOR DETECTION OF FALSE DATA INJECTION ATTACKS ON ELECTRIC POWER GRID

    The electric power grid uses a set of measuring and switching devices for its operation and control. The data retrieved from the measuring instruments is assumed to be noisy, so a state estimator is used to estimate the correct values of the state variables on which the system takes control actions. The modern electric power grid depends on communication networks to transfer these measurements, and these networks are susceptible to intrusions. False data injection attacks (FDIA) are one of the most common attack strategies, in which an intruder tries to trick the grid's underlying control system into causing disruptions without being detected by the native anomaly detection measures built into the state estimator. The native anomaly detection mechanism relies on threshold- and residual-based measures to flag a set of measurements as anomalous. Therefore, if an attack is devised so that the intrusion can be performed without significantly affecting the residual error of the state estimation, it can go undetected. We propose a data-augmented deep learning based solution to detect such attacks in real time. We propose methods of generating realistic random and targeted attack simulations on standard IEEE architectures and methods of detecting them using deep learning models. We propose recurrent neural network (RNN) based architectures to detect and locate FDIAs and the compromised devices in real time. For detection we propose a supervised and an unsupervised method. Similarly, for location we first propose a method to find the exact devices compromised, which is less practical, and then move on to a more feasible and practical solution under supervised and unsupervised conditions. For an intrusion detection system it is critical to detect all attacks, which means false negatives should be penalized heavily, whereas false positives can be accommodated. Therefore, we use recall as our primary performance metric and the precision-recall curve to find an optimal threshold for the probability score. In addition, we demonstrate how our approach improves on a residual-error detector and other previous detection models. We also compare the performance of our models as the number of compromised devices increases.

    An Anomaly Detection Scheme for DDoS Attack in Grid Computing

    The demand for computing power and storage is increasing continuously, and there are applications, such as scientific research and industrial workloads, whose computational demand exceeds even the fastest available technologies. As a result, it is economically attractive to aggregate existing distributed resources efficiently. Achieving this goal makes it possible to build a shared, large-scale, wide-area distributed computing infrastructure, a concept that has been named Grid computing. The primary objective of Grid computing is to support the sharing of resources and services spanning multiple administrative domains. Due to its inherently dynamic and multi-organizational nature, maintaining the security of both users and resources is the challenging aspect of the Grid. The Grid uses the Internet as its communication infrastructure, and the fusion of web services and grid technologies further increases the security concerns because of their complexity. This thesis looks at the vulnerability of the Grid environment to denial of service attacks. We found that deploying an efficient intrusion detection system in the Grid can significantly improve its security, and that it can detect a denial of service attack before it affects the victim. But due to the special characteristics and requirements of Grids, existing traditional intrusion detection systems cannot work properly in that environment. The focus of this thesis is to investigate and design an anomaly detection system that can detect DoS and DDoS attacks with a high attack detection rate and a low false alarm rate to achieve high performance. We have extensively surveyed the current literature in this area; the main stress is put on feature selection for the Grid-based anomaly detection system. An entropy-based anomaly detection system has been proposed, and we have discussed the advantages of taking entropy as the metric. Finally, the performance of the system has been analyzed using the NS2 network simulator. For the sake of continuity, each chapter has its own relevant introduction and theory. The work is also supported by a list of necessary references. An attempt is made to make the thesis self-contained.