On the Detection of Cyber-Attacks in the Communication Network of IEC 61850 Electrical Substations

The availability of the data within the network communication remains one of the most critical requirement when compared to integrity and confidentiality. Several threats such as Denial of Service (DoS) or flooding attacks caused by Generic Object Oriented Substation Event (GOOSE) poisoning attacks, for instance, might hinder the availability of the communication within IEC 61850 substations. To tackle such threats, a novel method for the Early Detection of Attacks for the GOOSE Network Traffic (EDA4GNeT) is developed in the present work. Few of previously available intrusion detection systems take into account the specific features of IEC 61850 substations and offer a good trade-off between the detection performance and the detection time. Moreover, to the best of our knowledge, none of the existing works proposes an early anomaly detection method of GOOSE attacks in the network traffic of IEC 61850 substations that account for the specific characteristics of the network data in electrical substations. The EDA4GNeT method considers the dynamic behavior of network traffic in electrical substations. The mathematical modeling of the GOOSE network traffic first enables the development of the proposed method for anomaly detection. In addition, the developed model can also support the management of the network architecture in IEC 61850 substations based on appropriate performance studies. To test the novel anomaly detection method and compare the obtained results with available techniques, two use cases are used

Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations

Integration of Information and Communication Technology (ICT) in modern smart grids (SGs) offers many advantages including the use of renewables and an effective way to protect, control and monitor the energy transmission and distribution. To reach an optimal operation of future energy systems, availability, integrity and confidentiality of data should be guaranteed. Research on the cyber-physical security of electrical substations based on IEC 61850 is still at an early stage. In the present work, we first model the network traffic data in electrical substations, then, we present a statistical Anomaly Detection (AD) method to detect Denial of Service (DoS) attacks against the Generic Object Oriented Substation Event (GOOSE) network communication. According to interpretations on the self-similarity and the Long-Range Dependency (LRD) of the data, an Auto-Regressive Fractionally Integrated Moving Average (ARFIMA) model was shown to describe well the GOOSE communication in the substation process network. Based on this ARFIMA-model and in view of cyber-physical security, an effective model-based AD method is developed and analyzed. Two variants of the statistical AD considering statistical hypothesis testing based on the Generalized Likelihood Ratio Test (GLRT) and the cumulative sum (CUSUM) are presented to detect flooding attacks that might affect the availability of the data. Our work presents a novel AD method, with two different variants, tailored to the specific features of the GOOSE traffic in IEC 61850 substations. The statistical AD is capable of detecting anomalies at unknown change times under the realistic assumption of unknown model parameters. The performance of both variants of the AD method is validated and assessed using data collected from a simulation case study. We perform several Monte-Carlo simulations under different noise variances. The detection delay is provided for each detector and it represents the number of discrete time samples after which an anomaly is detected. In fact, our statistical AD method with both variants (CUSUM and GLRT) has around half the false positive rate and a smaller detection delay when compared with two of the closest works found in the literature. Our AD approach based on the GLRT detector has the smallest false positive rate among all considered approaches. Whereas, our AD approach based on the CUSUM test has the lowest false negative rate thus the best detection rate. Depending on the requirements as well as the costs of false alarms or missed anomalies, both variants of our statistical detection method can be used and are further analyzed using composite detection metrics

Early Attack Detection for Securing GOOSE Network Traffic

The requirements for the security of the network communication in critical infrastructures have been more focused on the availability of the data rather than the integrity and the confidentiality. The availability of communication in IEC 61850 substations can be hindered by Generic Object Oriented Substation Event (GOOSE) poisoning attacks that might result in threats such as Denial of Service (DoS) or flooding attacks. In order to accurately detect similar attacks, a novel method for the Early Detection of Attacks for GOOSE Network Traffic (EDA4GNeT) is developed in the present work. The EDA4GNeT method considers the dynamic behavior of network traffic in electrical substations. A mathematical modeling of GOOSE network traffic is adopted for the anomaly detection based on statistical hypothesis testing. The developed mathematical model of the communication traffic can also support the management of the network architecture in IEC 61850 substations based on appropriate performance studies. To test the novel anomaly detection method and compare the obtained results with related works found in the literature, a simulation of a DoS attack against a 66/11kV substation with several experiments is used as a case study

Predictive Abuse Detection for a PLC Smart Lighting Network Based on Automatically Created Models of Exponential Smoothing

One of the basic elements of a Smart City is the urban infrastructure management system, in particular, systems of intelligent street lighting control. However, for their reliable operation, they require special care for the safety of their critical communication infrastructure. This article presents solutions for the detection of different kinds of abuses in network traffic of Smart Lighting infrastructure, realized by Power Line Communication technology. Both the structure of the examined Smart Lighting network and its elements are described. The article discusses the key security problems which have a direct impact on the correct performance of the Smart Lighting critical infrastructure. In order to detect an anomaly/attack, we proposed the usage of a statistical model to obtain forecasting intervals. Then, we calculated the value of the differences between the forecast in the estimated traffic model and its real variability so as to detect abnormal behavior (which may be symptomatic of an abuse attempt). Due to the possibility of appearance of significant fluctuations in the real network traffic, we proposed a procedure of statistical models update which is based on the criterion of interquartile spacing. The results obtained during the experiments confirmed the effectiveness of the presented misuse detection method

From statistical- to machine learning-based network traffic prediction

Nowadays, due to the exponential and continuous expansion of new paradigms such as Internet of Things (IoT), Internet of Vehicles (IoV) and 6G, the world is witnessing a tremendous and sharp increase of network traffic. In such large-scale, heterogeneous, and complex networks, the volume of transferred data, as big data, is considered a challenge causing different networking inefficiencies. To overcome these challenges, various techniques are introduced to monitor the performance of networks, called Network Traffic Monitoring and Analysis (NTMA). Network Traffic Prediction (NTP) is a significant subfield of NTMA which is mainly focused on predicting the future of network load and its behavior. NTP techniques can generally be realized in two ways, that is, statistical- and Machine Learning (ML)-based. In this paper, we provide a study on existing NTP techniques through reviewing, investigating, and classifying the recent relevant works conducted in this field. Additionally, we discuss the challenges and future directions of NTP showing that how ML and statistical techniques can be used to solve challenges of NTP.publishedVersio

Software development metrics prediction using time series methods

The software development process is an intricate task, with the growing complexity of software solutions and inflating code-line count being part of the reason for the fall of software code coherence and readability thus being one of the causes for software faults and it’s declining quality. Debugging software during development is significantly less expensive than attempting damage control after the software’s release. An automated quality-related analysis of developed code, which includes code analysis and correlation of development data like an ideal solution. In this paper the ability to predict software faults and software quality is scrutinized. Hereby we investigate four models that can be used to analyze time-based data series for prediction of trends observed in the software development process are investigated. Those models are Exponential Smoothing, the Holt-Winters Model, Autoregressive Integrated Moving Average (ARIMA) and Recurrent Neural Networks (RNN). Time-series analysis methods prove a good fit for software related data prediction. Such methods and tools can lend a helping hand for Product Owners in their daily decision-making process as related to e.g. assignment of tasks, time predictions, bugs predictions, time to release etc. Results of the research are presented.Peer ReviewedPostprint (author's final draft

PREDICTIVE TOOLS AS PART OF DECISSION AIDING PROCESSES AT THE AIRPORT – THE CASE OF FACEBOOK PROPHET LIBRARY

Prophet is a quite fresh and promising open-source library for machine learning, developed by Facebook, that gains some significant interest. It could be used for predicting time series taking into account holidays and seasonality effects. Its possible applications and deficit of scientific works concerning its usage within decision processes convinced the authors to state the research question, if the Prophet library could provide reliable prediction to support decision-making processes at the airport. The case of Radawiec airport (located near Lublin, Poland) was chosen. Official measurement data (from the last 4 years) published by the Polish Government  Institute was used to train the neural network and predict daily averages of wind speed, temperature, pressure, relative humidity and rainfall totals during the day and night. It was revealed that most of the predicted data points were within the acceptance threshold, and computations were fast and highly automated. However, the authors believe that the Prophet library is not particularly useful for airport decision-making processes because the way it handles additional regressors and susceptibility to unexpected phenomena negatively affects the reliability of prediction results

Pattern Extraction Algorithm for NetFlow-Based Botnet Activities Detection

As computer and network technologies evolve, the complexity of cybersecurity has dramatically increased. Advanced cyber threats have led to current approaches to cyber-attack detection becoming ineffective. Many currently used computer systems and applications have never been deeply tested from a cybersecurity point of view and are an easy target for cyber criminals. The paradigm of security by design is still more of a wish than a reality, especially in the context of constantly evolving systems. On the other hand, protection technologies have also improved. Recently, Big Data technologies have given network administrators a wide spectrum of tools to combat cyber threats. In this paper, we present an innovative system for network traffic analysis and anomalies detection to utilise these tools. The systems architecture is based on a Big Data processing framework, data mining, and innovative machine learning techniques. So far, the proposed system implements pattern extraction strategies that leverage batch processing methods. As a use case we consider the problem of botnet detection by means of data in the form of NetFlows. Results are promising and show that the proposed system can be a useful tool to improve cybersecurity

Unsupervised Model Selection for Time-series Anomaly Detection

Anomaly detection in time-series has a wide range of practical applications. While numerous anomaly detection methods have been proposed in the literature, a recent survey concluded that no single method is the most accurate across various datasets. To make matters worse, anomaly labels are scarce and rarely available in practice. The practical problem of selecting the most accurate model for a given dataset without labels has received little attention in the literature. This paper answers this question i.e. Given an unlabeled dataset and a set of candidate anomaly detectors, how can we select the most accurate model? To this end, we identify three classes of surrogate (unsupervised) metrics, namely, prediction error, model centrality, and performance on injected synthetic anomalies, and show that some metrics are highly correlated with standard supervised anomaly detection performance metrics such as the $F_1$ score, but to varying degrees. We formulate metric combination with multiple imperfect surrogate metrics as a robust rank aggregation problem. We then provide theoretical justification behind the proposed approach. Large-scale experiments on multiple real-world datasets demonstrate that our proposed unsupervised approach is as effective as selecting the most accurate model based on partially labeled data.Comment: Accepted at International Conference on Learning Representations (ICLR) 2023 with a notable-top-25% recommendation. Reviewer, AC and author discussion available at https://openreview.net/forum?id=gOZ_pKANaP