6 research outputs found

    Smart Substation Network Fault Classification Based on a Hybrid Optimization Algorithm

    Accurate network fault diagnosis in smart substations is key to strengthening grid security. To solve fault classification problems and enhance classification accuracy, we propose a hybrid optimization algorithm consisting of three parts: anti-noise processing (ANP), an improved separation interval method (ISIM), and a genetic algorithm-particle swarm optimization (GA-PSO) method. ANP cleans out the outliers and noise in the dataset. ISIM uses a support vector machine (SVM) architecture to optimize SVM kernel parameters. Finally, we propose the GA-PSO algorithm, which combines the advantages of both genetic and particle swarm optimization algorithms to optimize the penalty parameter. The experimental results show that our proposed hybrid optimization algorithm enhances the classification accuracy of smart substation network faults and shows stronger performance compared with existing methods.

    Combined network intrusion and phasor data anomaly detection for secure dynamic control centers

    The dynamic operation of power transmission systems requires the acquisition of reliable and accurate measurement and state information. The use of TCP/IP-based communication protocols such as IEEE C37.118 or IEC 61850 introduces different gateways to launch cyber-attacks and to compromise major system operation functionalities. Within this study, a combined network intrusion and phasor data anomaly detection system is proposed to enable a secure system operation in the presence of cyber-attacks for dynamic control centers. This includes the utilization of expert-rules, one-class classifiers, as well as recurrent neural networks to monitor different network packet and measurement information. The effectiveness of the proposed network intrusion and phasor data anomaly detection system is shown within a real-time simulation testbed considering multiple operation and cyber-attack conditions.

    Multidimensional Intrusion Detection System for IEC 61850 based SCADA Networks


    Machine Learning Based Detection of False Data Injection Attacks in Wide Area Monitoring Systems

    The Smart Grid (SG) is an upgraded, intelligent, and more reliable version of the traditional Power Grid due to the integration of information and communication technologies. The operation of the SG requires a dense communication network to link all its components. But such a network renders it prone to cyber attacks jeopardizing the integrity and security of the communicated data between the physical electric grid and the control centers. One of the most prominent components of the SG is Wide Area Monitoring Systems (WAMS). WAMS are a modern platform for grid-wide information, communication, and coordination that play a major role in maintaining the stability of the grid against major disturbances. In this thesis, an anomaly detection framework is proposed to identify False Data Injection (FDI) attacks in WAMS using different Machine Learning (ML) and Deep Learning (DL) techniques, i.e., Deep Autoencoders (DAE), Long-Short Term Memory (LSTM), and One-Class Support Vector Machine (OC-SVM). These algorithms leverage diverse, complex, and high-volume power measurements coming from communications between different components of the grid to detect intelligent FDI attacks. The injected false data is assumed to target several major WAMS monitoring applications, such as Voltage Stability Monitoring (VSM), and Phase Angle Monitoring (PAM). The attack vector is considered to be smartly crafted based on the power system data, so that it can pass the conventional bad data detection schemes and remain stealthy. Due to the lack of realistic attack data, machine learning-based anomaly detection techniques are used to detect FDI attacks. To demonstrate the impact of attacks on the realistic WAMS traffic and to show the effectiveness of the proposed detection framework, a Hardware-In-the-Loop (HIL) co-simulation testbed is developed. The performance of the implemented techniques is compared on the testbed data using different metrics: Accuracy, F1 score, and False Positive Rate (FPR) and False Negative Rate (FNR). The IEEE 9-bus and IEEE 39-bus systems are used as benchmarks to investigate the framework scalability. The experimental results prove the effectiveness of the proposed models in detecting FDI attacks in WAMS.

    Rule- and machine learning-based attack and anomaly detection in an EtherCAT-based SCADA system

    Opened to full-text access pursuant to the "Law on Amending the Higher Education Law and Certain Laws and Decree-Laws" published in Official Gazette No. 30352 dated 06.03.2018 and the "Directive on the Collection, Organization and Opening to Access of Graduate Theses in Electronic Form" dated 18.06.2018.

    Industrial control systems (ICS) are critical infrastructures in terms of their location and components. These systems have their own features and operation related to the application field, independent of information technologies (IT). They have also been adapted to Ethernet technologies, based on the idea of providing horizontal and vertical integration between the levels of the automation hierarchy with a single protocol. Therefore, ICSs are threatened by cyber attacks, due both to their nature and to their support of IT services through Ethernet. This risk requires ICS-specific solutions to detect and prevent attacks that use the communication infrastructure. In this study, three different approaches were presented as a holistic structure for the Ethernet-based real-time EtherCAT protocol, which is widely used in automation applications: two rule-based approaches that detect known and unknown attacks on the Snort system, and one anomaly-based approach that uses machine learning techniques. For rule-based intrusion detection, an EtherCAT preprocessor was proposed, which applies the trust node approach for known attacks and identifies the field bus repetition period for unknown attacks, with statistical techniques and novel solutions. The findings were presented to the user on the ELK stack, which is a logging and monitoring structure. For anomaly-based intrusion detection, a water level control automation testbed was developed, a dataset was prepared by generating events, and various machine learning techniques were applied to the dataset. According to the findings obtained in this research, it was concluded that the period determination applied within the scope of unknown attack detection can be made with 95%-99% accuracy. When the logs and alerts of the realized MAC spoofing, data injection, DoS and slave attacks were investigated, it was seen that the attacks were detected successfully. For the anomaly detection part of the study, the k-NN and SVM GA techniques were found to be successful in detecting events.