Clustered Federated Learning for Early Stage Cyber Attacks Detection in Power Systems

Conference Paper (2025)
Author(s)

M. Myat Thwe (TU Delft - Intelligent Electrical Power Grids)

P. Palensky (TU Delft - Electrical Sustainable Energy)

Alexandru Stefanov (TU Delft - Intelligent Electrical Power Grids)

Research Group
Intelligent Electrical Power Grids
DOI related publication
https://doi.org/10.1109/ISGTEurope64741.2025.11305511
Publication Year
2025
Language
English
Bibliographical Note
Green Open Access added to TU Delft Institutional Repository as part of the Taverne amendment. More information about this copyright law amendment can be found at https://www.openaccess.nl. Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
ISBN (print)
979-8-3315-2504-0
ISBN (electronic)
979-8-3315-2503-3
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

The increasing digitalization of Cyber-Physical Power Systems (CPPS) has enhanced power system operation and control but has also expanded the attack surface for cyber threats. Detection of early-stage attacks such as reconnaissance and Denial-of-Service (DoS) is critical to prevent power system-wide disruptions. Centralized Machine Learning (ML)-based techniques have been proposed for detecting cyber attacks. However, they struggle to ensure data privacy. Federated Learning (FL) can address this issue through collaborative model training without raw data sharing. Yet, FL’s performance degrades under non-Independent and Identically Distributed (non-IID) data, a common scenario in real-world CPPS environments. In this paper, we propose a cluster-based FL method using Bidirectional Long Short-Term Memory (BiLSTM) for attack detection at the early stages of the cyber kill chain. It uses unsupervised clustering of client model updates for aggregation robustness and model generalization across heterogeneous clients. By grouping clients based on similarity in model updates, our method mitigates the adverse effects of data heterogeneity while preserving data privacy. The UNSW-NB15 dataset is used for distributed training under non-IID conditions and evaluation of the proposed method. Experimental results demonstrate that our cluster-based FL method achieves over 95% detection accuracy, proving its effectiveness in distributed cyber attacks detection in power systems.

Files

License info not available

File under embargo until 30-06-2026