Intrusion Detection System for Digital Substations Using Semi-Supervised Learning and Traffic Distance Similarity Clustering
Alfan Presekal (Universitas Indonesia)
I. Semertzis (Universitas Indonesia, TU Delft - Intelligent Electrical Power Grids)
H. Goyel (Universitas Indonesia, TU Delft - Intelligent Electrical Power Grids)
P. Palensky (TU Delft - Electrical Sustainable Energy, Universitas Indonesia)
Alexandru Stefanov (Universitas Indonesia, TU Delft - Intelligent Electrical Power Grids)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Cyber attacks on power grids are imminent and potentially have a severe impact, as evidenced by the cyber attacks in Ukraine in 2015, 2016, and 2022. In response to this challenge, machine learning-based Intrusion Detection Systems (IDS) have become more prevalent as a potential mitigation, owing to their alignment with the latest advances in artificial intelligence. However, existing anomaly detection methods for power grid Operational Technology (OT) are often inadequate: they primarily focus on detecting physical anomalies in the power grid at the later attack stages and suffer from the scarcity of data available for supervised machine learning. To address these limitations, we propose a novel semi-supervised IDS specifically for digital substations of the power system. The proposed detection method identifies the distinctive distance similarity of digital substation OT communication traffic using a Convolutional Neural Network and the Chebyshev distance of packet payloads, together with the Kolmogorov-Smirnov statistic of the Fast Fourier Transform amplitude of packet interarrival times. These traffic features are then combined into a vector and classified using a novel hybrid semi-supervised Self-Organizing Map (SOM) and Density-Based Spatial Clustering of Applications with Noise (DBSCAN). Results indicate that the proposed method can identify zero-day attacks and achieves accuracy and F1 score above 95%.
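To make the two traffic-distance features and the clustering step concrete, the following is an added, self-contained Python sketch; it is not the authors' implementation (the paper's files are under embargo) and it simplifies the pipeline: a naive DFT stands in for the FFT, the two-sample Kolmogorov-Smirnov statistic is computed by hand on the amplitude spectra, the CNN and SOM stages are omitted, and a minimal DBSCAN alone labels windows as clusters or noise. The GOOSE-like baseline payload, the jittered 1 s timing, the forged status byte and the drifting timing of the anomalous windows are all constructed sample data, and the `eps`/`min_pts` values are assumptions chosen for this toy set.

```python
"""Constructed sketch of payload-distance and timing-distance features with DBSCAN.

Added illustration, not the paper's code: naive DFT, hand-rolled two-sample
KS statistic and a minimal DBSCAN so it runs on the standard library alone.
Feature scaling, thresholds and the sample windows are assumptions for the example.
"""
import cmath
import math
from typing import List, Optional, Sequence, Tuple


def chebyshev(a: Sequence[int], b: Sequence[int]) -> int:
    """L-infinity (Chebyshev) distance between two equal-length payload byte vectors."""
    return max(abs(x - y) for x, y in zip(a, b))


def fft_amplitude(x: Sequence[float]) -> List[float]:
    """Amplitude spectrum of a short window via a naive O(n^2) DFT; rounded to damp float noise."""
    n = len(x)
    return [round(abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))), 6)
            for k in range(n)]


def ks_statistic(a: Sequence[float], b: Sequence[float]) -> float:
    """Two-sample Kolmogorov-Smirnov statistic: largest gap between the two empirical CDFs."""
    sa, sb = sorted(a), sorted(b)
    d = 0.0
    for p in sorted(set(sa) | set(sb)):
        fa = sum(1 for v in sa if v <= p) / len(sa)
        fb = sum(1 for v in sb if v <= p) / len(sb)
        d = max(d, abs(fa - fb))
    return d


def window_features(payload, gaps, base_payload, base_spectrum) -> Tuple[float, float]:
    """Feature vector for one traffic window: payload distance scaled to 0..1, timing KS distance."""
    return (chebyshev(payload, base_payload) / 255.0,
            ks_statistic(fft_amplitude(gaps), base_spectrum))


def dbscan(points, eps: float, min_pts: int) -> List[int]:
    """Minimal DBSCAN: one cluster id per point, -1 for noise (the anomaly candidates)."""
    n = len(points)
    labels: List[Optional[int]] = [None] * n

    def region(i: int) -> List[int]:
        return [j for j in range(n) if math.dist(points[i], points[j]) <= eps]

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        neighbours = region(i)
        if len(neighbours) < min_pts:
            labels[i] = -1            # noise for now; may become a border point later
            continue
        labels[i] = cluster
        queue = [j for j in neighbours if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster   # border point reached from a core point
                continue
            if labels[j] is not None:
                continue
            labels[j] = cluster
            more = region(j)
            if len(more) >= min_pts:  # j is itself a core point: keep expanding
                queue.extend(more)
        cluster += 1
    return labels  # type: ignore[return-value]


# --- Constructed sample: eight windows of a periodic, GOOSE-like flow (assumed data) ---
BASE_PAYLOAD = [0x61, 0x81, 0x00, 0x01, 0x02, 0x00, 0x10, 0x00]
BASE_GAPS = [1.0 + 0.01 * (t % 2) for t in range(8)]       # ~1 s period with small jitter
BASE_SPECTRUM = fft_amplitude(BASE_GAPS)


def normal_window(i: int):
    payload = list(BASE_PAYLOAD)
    payload[5] = i % 3                                       # counter-like byte that legitimately varies
    gaps = [1.0 + 0.01 * ((t + i) % 2) for t in range(8)]    # same rhythm, shifted jitter phase
    return payload, gaps


def anomalous_window(i: int):
    payload = list(BASE_PAYLOAD)
    payload[4] = 255 - 5 * i                                  # status field forced to an unseen value
    gaps = [0.1 * (1 + 0.2 * i) * (t + 1) for t in range(8)]  # drifting, non-periodic timing
    return payload, gaps


WINDOWS = [normal_window(i) for i in range(6)] + [anomalous_window(i) for i in range(2)]


def detect(eps: float = 0.05, min_pts: int = 3) -> List[int]:
    """Cluster all sample windows; returns [0, 0, 0, 0, 0, 0, -1, -1] for the data above."""
    feats = [window_features(p, g, BASE_PAYLOAD, BASE_SPECTRUM) for p, g in WINDOWS]
    return dbscan(feats, eps, min_pts)


def anomalous_windows() -> List[int]:
    """Indices of windows DBSCAN left as noise, i.e. the ones an operator would be alerted on."""
    return [i for i, label in enumerate(detect()) if label == -1]


if __name__ == "__main__":
    labels = detect()
    for i, (p, g) in enumerate(WINDOWS):
        print(i, window_features(p, g, BASE_PAYLOAD, BASE_SPECTRUM), "noise" if labels[i] == -1 else "cluster %d" % labels[i])
```

The two anomalous windows end up far from the baseline on both axes (a large payload distance because the status byte takes a value never seen, and a KS distance of 0.875 because their spectra have no zero bins while the periodic baseline does), so with `min_pts=3` they never reach core-point density and are reported as noise. In a real deployment the baseline payload and spectrum would be learned per message type and source from a known-good capture, and `eps`/`min_pts` would be tuned on that traffic rather than fixed by hand.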
Files
File under embargo until 17-03-2026