Anomaly Detection in Digital Substation Communication using Transformer-Based Distribution Fitting

Abstract

Digital substations, which replace traditional analog infrastructure, are essential to power grid operation but are facing growing vulnerability to cyber attacks. Existing anomaly detection in substation communication requires labeled datasets for supervised training and fails to incorporate temporal characteristics, which cannot detect unknown persistent attacks. Setting arbitrary thresholds for outlier detection leads to high false positives and low detection rates. This paper addresses cyber security challenges related to IEC 61850 Generic Object Oriented Substation Event (GOOSE) protocol within digital substations. We propose a novel unsupervised Transformer-based Distribution Fitting Anomaly Detection (TF-DiFAD) method for time series GOOSE frames with a robust thresholding technique. Deep packet inspection is used to extract features from GOOSE frames, which are processed through the proposed TF-DiFAD model. TF-DiFAD combines the deep learning transformer model with statistical distribution fitting techniques to accurately detect anomalous GOOSE frames. Specifically, reconstruction errors are generated using a state-of-the-art transformer model. A novel model-agnostic solution is applied for setting anomaly thresholds and calculating anomaly probabilities. The Kolmogorov-Smirnov test is employed to select the best-fitting distribution for these errors. TF-DiFAD is benchmarked against other state-of-the-art models using two distinct test datasets, demonstrating superior performance. The results indicate that TF-DiFAD detects anomalies with Receiver Operating Characteristics Area Under Curve (ROC AUC) scores of 96.84% and 95.73% respectively for both datasets.