An abnormal traffic detection method in smart substations based on coupling field extraction and DBSCAN

Smart substations have become more vulnerable to cyber attacks due to the high integration of information technologies, so it is essential to detect intrusion behaviour through abnormal traffic analysis in smart substations. Although many detection methods for abnormal traffic exist, they all focus on checking the format of a single field of the industrial transmission protocol and ignore the deep coupling relationships among multiple protocol fields, which leads, to a greater or lesser extent, to false detections and missed detections. To overcome this problem and further improve detection accuracy, in this paper we propose an abnormal traffic detection method based on coupling field extraction and density-based spatial clustering of applications with noise (DBSCAN). Correlation analysis is used to extract the coupling fields from the protocol fields, and DBSCAN is used to remove the noise in the coupling fields; the deep coupling relationship between the coupling fields can then be mined by piecewise linear function fitting and used to detect abnormal traffic. Simulation results on 10,000 frames of traffic show that the proposed detection method can effectively identify abnormal traffic.
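The last three stages of the pipeline outlined above, as an added example that is not the paper's code: DBSCAN noise removal, piecewise linear fitting, and a residual check on new frames. It assumes correlation analysis has already selected one coupled pair, here the hypothetical numeric fields `a` and `b`; the frames are constructed, the fit is limited to two segments, and `eps`, `min_pts` and `tol` are illustrative values.

```python
import math

def dbscan(pts, eps, min_pts):
    """Plain O(n^2) DBSCAN; returns one label per point, -1 = noise."""
    near = lambda i: [j for j, q in enumerate(pts) if math.dist(pts[i], q) <= eps]
    labels, cluster = [None] * len(pts), -1
    for i in range(len(pts)):
        if labels[i] is not None:
            continue
        seeds = near(i)
        if len(seeds) < min_pts:
            labels[i] = -1                   # provisional noise, may become border
            continue
        cluster += 1
        labels[i] = cluster
        while seeds:
            j = seeds.pop()
            if labels[j] == -1:
                labels[j] = cluster          # border point, not expanded
            if labels[j] is None:
                labels[j] = cluster
                nb = near(j)
                if len(nb) >= min_pts:       # core point: grow the cluster
                    seeds.extend(nb)
    return labels

def line_fit(pts):
    """Least-squares line; returns (slope, intercept, sum of squared errors)."""
    mx, my = sum(x for x, _ in pts) / len(pts), sum(y for _, y in pts) / len(pts)
    k = sum((x - mx) * (y - my) for x, y in pts) / sum((x - mx) ** 2 for x, _ in pts)
    return k, my - k * mx, sum((y - my - k * (x - mx)) ** 2 for x, y in pts)

def piecewise_fit(pts, min_seg=5):
    """Two-segment fit: try every split, keep the one with the lowest total error."""
    pts = sorted(pts)
    fits = [(line_fit(pts[:k]), line_fit(pts[k:]), pts[k][0])
            for k in range(min_seg, len(pts) - min_seg + 1)]
    left, right, bp = min(fits, key=lambda f: f[0][2] + f[1][2])
    return bp, left[:2], right[:2]

def is_abnormal(model, a, b, tol):
    bp, left, right = model                  # breakpoint and (slope, intercept) pairs
    k, c = left if a < bp else right
    return abs(b - (k * a + c)) > tol        # the pair breaks the learned coupling

# Constructed training frames: hypothetical fields (a, b), plus two noise frames.
TRAIN = [(x, 2.0 * x) for x in range(0, 50, 2)] + [(x, 75 + 0.5 * x) for x in range(50, 100, 2)]
TRAIN += [(20, 90.0), (80, 10.0)]
LABELS = dbscan(TRAIN, eps=5.0, min_pts=3)
MODEL = piecewise_fit([p for p, l in zip(TRAIN, LABELS) if l != -1])
```

A frame such as `(70, 60)` has both values inside the ranges seen in training, so a single-field check would pass it, but `is_abnormal(MODEL, 70, 60, tol=3.0)` flags it because the pair violates the fitted relationship.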
