INTRUSION DETECTION FOR CYBER-PHYSICAL POWER SYSTEMS
Tommy Morris and Shengyi Pan
Electrical and Computer Engineering
Distributed Analytics and Security Institute
Mississippi State University
Synchrophasor System and Data Flow
[Figure: synchrophasor data flow from Generation, Transmission, Distribution and Consumption through PMU/Relay devices, the Wide Area Network and Data Concentration to the Historian, Monitoring/Displaying, Near Real-time Dynamic Security Assessment, the Early Warning System, Automatic Determination of Control Actions, the Energy Management System (EMS) and the System Control Center.]
Synchrophasor Technology
• Synchrophasor devices
- PMU measures voltage, current and frequency at up to 120 samples/second, time-synchronized
- PDC concentrates data
• Advantages
- Enable state monitoring and specification-based IDS
- Allow real-time control
• Characteristics
- Adoption of TCP/IP via the IEEE C37.118 protocol
- Directly interact with the physical system
  - Need vulnerability analysis
A Successful Vulnerability Exploitation
• Remote trip command injection
[Figure: attack path from the WWW through the Enterprise Network and DMZ into the Control Room and Outstation, reaching the Relay; Snort sensors appear at two points along the path.]
Overview
• Problem statement
- Find unique signatures for different scenarios
  - Power system disturbances and cyber attacks
- Captured thousands of instances of scenarios in the lab
  - Huge amount of data
  - Heterogeneous data sources
• Power system and measurement system dynamics
  - Time variation of measured events: different sequences of events for the same scenario
  - Measured events out of order, extra events, missing events, etc.
• Related work
- No applications of data mining to mine patterns for both power system events and cyber attacks
- Traditional data mining did not work well for large data: only binary classification
Cyber Attack Scenario in the Test Bed: Remote Trip Command Injection Attack
[Figure: test bed with generators G1 and G2, breakers BR1-BR4, relays/PMUs R1-R4, a substation switch, the PDC (OpenPDC), Snort, Syslog and the Control Panel.]
Starting from steady state, the attack produces this sequence of events:
① Snort detects the trip command: Snort Log = 1
② Relay R1 trips: Relay R1 log = Trip
③ Breakers open: IR1 = 0, IR2 = 0
(IR1 = current measured by PMU R1; IR2 = current measured by PMU R2)
This is a unique sequence of events for the remote trip command injection attack, which is the signature for this scenario.
Power System Disturbance Scenario in the Test Bed: Single-Line-to-Ground (SLG) Fault
[Figure: the same test bed (G1, G2, BR1-BR4, R1-R4, substation switch, PDC/OpenPDC, Snort, Syslog, Control Panel).]
Starting from steady state, the fault produces this sequence of events:
① Excessively high current: IR1 = High, IR2 = High
② Relays R1 and R2 trip: R1 Log = Trip, R2 Log = Trip
③ Breakers open: IR1 = 0, IR2 = 0
(IR1 = current measured by PMU R1; IR2 = current measured by PMU R2)
This is a unique sequence of events representing the SLG fault, which is the signature for this scenario.
Heterogeneous Data Sources
Data attributes:
• PMU: V, I, F, dF, P, Q
• Relays: trip events
• Control panel: maintenance logs, control panel logs
• Snort: network activities, flags, logs, alarms
• All data sources are time stamped
• Data captured during scenarios
• Data is labeled
• Huge amount of data
Feature selection:
• PMU: 3-phase currents
• Relay log
• Control panel log
• Snort log
Measured Event Database
• One MED is created and labeled for one instance
• Aggregating heterogeneous data during one instance
• Quantizing each feature in the MED
[Figure: an example MED for one instance of the SLG fault scenario, plotted as quantized feature values over time; H: current high, N: current normal, L: current low; each marked point is an event.]
States and Path
[Figure: example MED for the SLG (phase-a-to-ground) fault scenario with system state IDs S0, S1, S2, S3, S4 assigned along the time axis; Path: {S0, S1, S2, S3, S4}.]
• A State is a vector of feature measurements with assigned quantized values. For example:
S0 = [Ia of R1 = N, Ia of R2 = N, …, R1Log = 0, R2Log = 0, …]
• A Path is a sequence of states.
• Data is quantized
• Consecutive identical states are merged
• Only the ordering is retained
These steps significantly reduce the amount of data.
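As an added example (not the authors' code), the conversion of one MED into a path: each row's currents are quantized to H/N/L, the relay log bits are kept, consecutive identical state vectors are merged, and distinct vectors receive IDs in order of first appearance. The MED rows and the H/L thresholds are constructed values; a second constructed instance in which R2 trips before R1 shows how an out-of-order event yields a different path.

```python
"""Convert a Measured Event Database (MED) into a path of quantized system states.

Added example, not the authors' implementation. Rows are (time_s, Ia_R1, Ia_R2,
R1Log, R2Log); current values and thresholds are constructed for illustration.
"""

# Assumed quantization thresholds (amps) for the phase-a current magnitude.
HIGH_ABOVE = 1000.0   # fault current: quantized "H"
LOW_BELOW = 50.0      # breaker open, current ~0: quantized "L"


def quantize_current(amps):
    """Map a PMU current magnitude to the page's H / N / L symbols."""
    if amps > HIGH_ABOVE:
        return "H"
    if amps < LOW_BELOW:
        return "L"
    return "N"


def med_to_states(rows):
    """Quantize every MED row into a state vector (Ia_R1, Ia_R2, R1Log, R2Log)."""
    return [(quantize_current(ia1), quantize_current(ia2), r1log, r2log)
            for _, ia1, ia2, r1log, r2log in rows]


def merge_consecutive(states):
    """Collapse runs of identical consecutive states; only the ordering survives."""
    merged = []
    for state in states:
        if not merged or merged[-1] != state:
            merged.append(state)
    return merged


def states_to_path(states, state_ids):
    """Name each distinct state vector S0, S1, ... (IDs shared across instances via state_ids)."""
    path = []
    for state in states:
        if state not in state_ids:
            state_ids[state] = f"S{len(state_ids)}"
        path.append(state_ids[state])
    return path


def build_path(rows, state_ids):
    return states_to_path(merge_consecutive(med_to_states(rows)), state_ids)


# Constructed instance 1: fault, R1 trips, then R2 trips, then both currents drop to zero.
MED_INSTANCE_1 = [
    (0.000, 410.0, 398.0, 0, 0),
    (0.008, 412.0, 401.0, 0, 0),
    (0.017, 2450.0, 2310.0, 0, 0),   # SLG fault: both currents high
    (0.025, 2460.0, 2305.0, 0, 0),
    (0.033, 2455.0, 2300.0, 1, 0),   # R1 log = Trip
    (0.042, 2452.0, 2298.0, 1, 1),   # R2 log = Trip
    (0.050, 3.0, 2.0, 1, 1),         # breakers open
    (0.058, 2.0, 1.0, 1, 1),
]

# Constructed instance 2: same scenario, but the R2 trip is measured before the R1 trip.
MED_INSTANCE_2 = [
    (0.000, 405.0, 402.0, 0, 0),
    (0.008, 2440.0, 2320.0, 0, 0),
    (0.017, 2448.0, 2311.0, 0, 1),   # R2 log = Trip first
    (0.025, 2451.0, 2309.0, 1, 1),
    (0.033, 4.0, 3.0, 1, 1),
]

if __name__ == "__main__":
    ids = {}
    print(build_path(MED_INSTANCE_1, ids))   # ['S0', 'S1', 'S2', 'S3', 'S4']
    print(build_path(MED_INSTANCE_2, ids))   # ['S0', 'S1', 'S5', 'S3', 'S4']
```

Eight sampled rows collapse to five states, and the out-of-order instance shares S0, S1, S3 and S4 but introduces S5, exactly the kind of path variation the following slides describe.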
Time Variation in Events Creates Different Paths
[Figure: two example MEDs for the phase-a-to-ground fault scenario. Instance 1 yields Path: {S0, S1, S2, S3, S4}; in instance 2 the measured events arrive out of order, state S5 appears in place of S2, and the instance yields Path 2: {S0, S1, S5, S3, S4}.]
• A State is a vector of feature measurements with assigned quantized values. For example:
S0 = [Ia of R1 = N, Ia of R2 = N, …, R1Log = 0, R2Log = 0, …]
Different Paths Due to Extra Events
[Figure: three example MEDs for the phase-a-to-ground fault scenario. Path: {S0, S1, S2, S3, S4}; Path 2 (events out of order): {S0, S1, S5, S3, S4}; Path 3 (extra event S6): {S0, S1, S2, S3, S6, S4}.]
Three Paths for Phase-a-to-Ground Fault Scenario
[Figure: the three paths plotted as state ID (S0 to S6) versus time.]
Normal: P1 = {S0, S1, S2, S3, S4}
Events out of order: P2 = {S0, S1, S5, S3, S4}
Extra state: P3 = {S0, S1, S2, S3, S6, S4}
1059 instances of the SLG fault scenario produced 447 unique paths!
We need a method to find a pattern that represents all 447 unique paths.
Frequent Sequential Pattern
• Frequent pattern: a pattern (a set of items, subsequences, substructures, etc.) that occurs frequently in a data set
• Frequent sequential pattern: a frequent pattern that takes ordering into account
• Frequent sequential pattern mining was first proposed by Agrawal and Srikant.
• Algorithms to find frequent sequential patterns
- Apriori [Agrawal et al.] and Frequent Pattern Growth [Han et al.]
• Applications of frequent sequential pattern mining
- Medical treatments: mining clinical pathways for patients with different diseases
- A clinical pathway is a sequence of a patient's physiological states
How to Find the Pattern?
PathID | System States          | Number of paths
1      | S0, S1, S2, S3, S4     | 6
2      | S0, S1, S5, S3, S4     | 1
3      | S0, S1, S2, S3, S6, S4 | 3
• Sequence X = {S0, …, Sn}
• Support is the fraction of paths that contain a sequence X
• A sequence X is frequent if X's support is greater than the minimum support (minsup) threshold
• Let minsup = 70%
• For this example, there are 26 frequent sequential patterns, for example:
{S0}: 100%, {S1}: 100%, …, {S0, S1}: 100%, …, {S0, S1, S2}: 90%, {S0, S1, S2, S3}: 90%, {S0, S1, S3, S4}: 100%, {S0, S1, S2, S3, S4}: 90%
• Mining common path algorithm
- Find the max-sequential-patterns
- A sequence X is a max-sequential-pattern if X is frequent and there exists no frequent super-pattern Y ⊃ X
- {S0, S1, S2, S3, S4} is the max-sequential-pattern in this example. It is also called the common path.
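The mining step worked through on the slide's three-path table, as an added example that is not the authors' implementation: every ordered subsequence (gaps allowed) of every path is a candidate, support is the fraction of instances whose path contains it, and the common path is the frequent pattern with no frequent super-pattern. Counting patterns of two or more states, the enumeration reproduces the slide's 26 frequent patterns at minsup = 70% and its common path; treating "greater than minsup" as ">= minsup" is an assumption that makes no difference at these supports.

```python
"""Mining common paths: frequent sequential patterns and the maximal pattern.

Added example, not the authors' implementation. The path table is the one from
the slide (path -> number of instances). A pattern is an ordered subsequence of a
path (gaps allowed); support is the fraction of instances whose path contains it.
"""
from itertools import combinations

PATH_TABLE = {
    ("S0", "S1", "S2", "S3", "S4"): 6,
    ("S0", "S1", "S5", "S3", "S4"): 1,
    ("S0", "S1", "S2", "S3", "S6", "S4"): 3,
}


def is_subsequence(pattern, path):
    """True if the states of `pattern` occur in `path` in the same order (gaps allowed)."""
    remaining = iter(path)
    return all(any(state == seen for seen in remaining) for state in pattern)


def support(pattern, path_table):
    """Fraction of instances (weighted by path count) whose path contains `pattern`."""
    total = sum(path_table.values())
    matching = sum(n for path, n in path_table.items() if is_subsequence(pattern, path))
    return matching / total


def candidate_patterns(path_table, min_len=2):
    """Every ordered subsequence of at least `min_len` states drawn from any path."""
    candidates = set()
    for path in path_table:
        for length in range(min_len, len(path) + 1):
            for positions in combinations(range(len(path)), length):
                candidates.add(tuple(path[i] for i in positions))
    return candidates


def frequent_patterns(path_table, minsup, min_len=2):
    """Patterns whose support reaches minsup (>= is assumed here), mapped to their support."""
    result = {}
    for pattern in candidate_patterns(path_table, min_len):
        sup = support(pattern, path_table)
        if sup >= minsup:
            result[pattern] = sup
    return result


def max_sequential_patterns(frequent):
    """Frequent patterns with no frequent proper super-pattern: the common paths."""
    def has_super(x):
        return any(len(y) > len(x) and is_subsequence(x, y) for y in frequent)
    return sorted(p for p in frequent if not has_super(p))


if __name__ == "__main__":
    freq = frequent_patterns(PATH_TABLE, minsup=0.7)
    print(len(freq), "frequent patterns of length >= 2")   # 26
    print(max_sequential_patterns(freq))                    # [('S0', 'S1', 'S2', 'S3', 'S4')]
```

Patterns containing S5 or S6 reach only 10% and 30% support, so the 447 real SLG paths would be summarised the same way: only states that recur in most instances survive into the common path.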
Introduction to the Hybrid Intrusion Detection System
• IDS design goal
- Classify cyber attacks in the power system
- Distinguish power system disturbances or legitimate control actions from cyber attacks
  - Avoid false positives, i.e. a disturbance classified as a cyber attack
  - Avoid false negatives: cyber attacks that impersonate disturbances or legitimate control actions
  - Automatic responses: know the details of specific events rather than just anomaly vs. normal
• IDS design requirements
- Classify general power system disturbances, legitimate control actions and detailed cyber attacks, hence "Hybrid".
Distance Protection Scheme
[Figure: 3-bus 2-line transmission system implementing 2-zone distance protection. G: generator, BR: breaker, R: relay/PMU, L: transmission line, B: bus.]
1. Distance protection: different tripping times for different zones (each relay has its own two protection zones)
• Cyber attack: disable the distance protection
2. SLG faults occur at any location between two relays on L1 or L2
• Cyber attack: replay SLG faults to cause a blackout
3. Operator takes one of the two lines out for maintenance
• Cyber attack: command injection to take any relay out of service
Power System and Attack Scenarios
Power System Scenarios
• SLG faults (Q1, Q2)
- Relays trip to clear the faults
• Transmission line maintenance (Q5, Q6)
- A planned trip signal from the control panel
• Normal operating condition (Q25)
- No events happen
- Periodic random load changes
Cyber Attacks
• SLG fault replay (Q3, Q4)
- Impersonates the SLG faults
- Altered PMU data and remote trip
• Relay trip command injection (Q7-Q12)
- Mimics line maintenance
- Replay MODBUS trip packets to relay(s)
• Disabling relays (Q13-Q24)
- Interrupts the protection scheme and line maintenance
- Change relay settings via backdoor
Input Data
• Data sources
- 3-phase current magnitudes from PMUs
  - PMU sample rate: 120 samples per second
- Relay logs from R1, R2, R3, R4: relay tripping status
- Snort log: network activities
- Control panel log: administrative control activities
• Simulated 10,000 instances of 25 total scenarios
- In random order, with random fault locations and load levels
- Data captured during scenarios
- Total data size: 38 GB
- Data is labeled with instance number and scenario name
- Half used for training and half used for testing
Confusion Matrix
Rows are the actual classes; columns are the classification.
Actual \ Classified | SLG Flt. | SLG Flt. Replay | Line Mnt. | Cmd. Inj. Attack | Normal Oper. | Relay Disable | Unknown
SLG Faults          | 1009     | 65              | 0         | 0                | 0            | 3             | 4
SLG Flt. Replay     | 0        | 634             | 1         | 31               | 0            | 5             | 4
Line Mnt.           | 0        | 0               | 238       | 0                | 0            | 0             | 1
Cmd. Inj. Attack    | 16       | 6               | 1         | 508              | 0            | 0             | 93
Normal Oper.        | 0        | 0               | 0         | 0                | 114          | 0             | 0
Relay Disable       | 3        | 4               | 0         | 0                | 0            | 2127          | 127
• Avg. Accuracy = (1009+634+238+508+114+2127)/5000 = 92.52%
• False Positive = (65+3)/5000 = 1.36%
- # of power system scenarios classified as attacks
• False Negative = (16+3+1+1)/5000 = 0.42%
- # of attacks classified as power system scenarios
• Unclassification rate = (4+4+1+93+127)/5000 = 4.58%
What About Detecting Zero-Day Scenarios?
• Zero-day attacks are attacks unknown to an IDS (never seen before)
• Zero-day scenarios are simulated by randomly excluding several known scenarios from training
• Testing steps
- 10-round validation
- Each round randomly excludes 4 scenarios from the training process
• Accuracy = (# of zero-day cases being classified) / (# of zero-day cases)
• Avg. accuracy over the 10 rounds is 73.43%
- Beats previous work
Results for 10-round validation
Round | Scenarios Excluded | Z.D. Acc. (%)
1     | Q3, Q11, Q18, Q22  | 76.3
2     | Q2, Q8, Q12, Q23   | 67.3
3     | Q6, Q11, Q16, Q17  | 50.5
4     | Q1, Q5, Q8, Q10    | 73.3
5     | Q1, Q9, Q19, Q21   | 91.8
6     | Q5, Q13, Q20, Q23  | 64.7
7     | Q5, Q10, Q15, Q16  | 63.8
8     | Q12, Q13, Q19, Q24 | 70.7
9     | Q2, Q7, Q9, Q17    | 76.3
10    | Q9, Q10, Q16, Q19  | 99.8
Conclusions
I. Mining common paths algorithm: automatically learns patterns for power system behaviors and cyber attacks
1. Preprocess off-line power system data into paths
2. Find maximum frequent sequential patterns, or common paths
3. Properly grouping paths using system expertise before mining common paths will increase the accuracy
II. A hybrid intrusion detection system (IDS)
1. The mining common paths algorithm scales well to detect a variety of power system scenarios and cyber attacks in a larger system
2. Tested on a 3-bus 2-line system with scenarios taking place at different locations
- Above 90% accuracy, and less than 5% FP rate
- A step closer to automated response
3. Ability to detect zero-day attacks
Cyber Attack Flow
[Figure: attack flow from Network Reconnaissance through Active Scanning to Exploiting Vulnerabilities and Denial of Service, annotated with Vulnerability assessment and the Intrusion Detection System (IDS).]
Network Reconnaissance
• Sniffing in the network
• Looking for sensitive information
- IP address ranges, user IDs, passwords, device locations, etc.
Active Scanning
• Sending messages to targets (probing)
- Map the network, identify connected equipment and running services
• Looking for soft spots or vulnerabilities in the target's defense
Exploiting Vulnerabilities
• Exploiting vulnerabilities
• Gain access to and control of the target; cause malicious actions
Denial of Service (DoS)
• Disable the target by exploiting system flaws related to vendor implementations of communications protocols
Cyber Attacks Against Power Systems
• Increasingly interconnected networks
- Provide an increased attack surface
- More network interfaces to attempt penetration
• Attractiveness of cyber attack methods
- Easily available software to exploit existing vulnerabilities
- Easier to spread malware
- Simultaneous attacks on multiple targets from a remote location
• Attacker profiles
- Governments, hostile organizations, insiders, hackers
- Physical sabotage not required for a cyber attack
- Attack from a safe and secret place
• Consequences
- Attacker gains remote control of critical devices
- Interruption of power system operations
- Power outages, blackouts
Denial of Service Attacks
• Packet flooding
- High network traffic volume
  - E.g. TCP SYN flooding
- Validates devices' ability to withstand large volumes of traffic
• Well-known DoS attacks
- LAND, Teardrop, Ping of Death, etc.
• Protocol mutation
- ICMP, DNP3, TCP, UDP, MODBUS/TCP, HTTP, ARP, IEEE C37.118 and more
Sequences of Events for SLG Fault
[Figure: time (ms, 0 to 140) at which each event occurs, showing the time variation of events. Events, in order: Ia of R1 = High, Ia of R2 = High, R1 = Trip, R2 = Trip, Ia of R1 = 0, Ia of R2 = 0.]
Common Paths for Line Maintenance and Command Injection Attack
[Figure: state ID (0 to 35) versus time (1 to 6) for the two common paths. States are vectors (IR1, IR2, R1, R2, SNT, CP), where T/NT marks a tripped/not tripped relay and SNT and CP are the Snort and control panel log features. Both paths start at (IR1 = Normal, IR2 = Normal, R1 = NT, R2 = NT, SNT = 0, CP = 0) and end at (IR1 = Zero, IR2 = Zero, R1 = T, R2 = T, SNT = 0, CP = 0). The intermediate states shown are (IR1 = Normal, IR2 = Normal, R1 = NT, R2 = NT, SNT = 0, CP = (R1, R2)), (IR1 = Normal, IR2 = Normal, R1 = NT, R2 = NT, SNT = (R1, R2), CP = 0) and (IR1 = Normal, IR2 = Normal, R1 = T, R2 = T, SNT = 0, CP = 0); consistent with the scenario descriptions above, the control panel entry precedes the trips in line maintenance and the Snort alert precedes them in the command injection attack.]
• A total of 477 common paths are created for 25 scenarios; training time: 0.33 seconds/scenario, and 34 MB memory
Related Work
• Vulnerability assessment
- Test beds: Idaho National Lab SCADA test bed, Sandia National Lab's Virtual Control System Environment
- Methods: penetration tests, security testing tools, graphical modelling, formal methods
*** None for synchrophasor systems!
• Pattern learning for power system events and cyber attacks
- Power system disturbances: learn patterns from data
  - Time domain: decision tree, statistical methods
  - Frequency domain: SVM, ANN
*** Creating a time domain data mining algorithm: the mining common paths algorithm
- Learning cyber attack patterns in power systems
  - ORNL applied traditional data mining algorithms: only work for classifying binary classes
  - Intrusion detection system: attack signatures or legitimate system behaviors
*** The common paths algorithm can learn patterns for both disturbances and cyber attacks
Related Work Cont.
• Intrusion detection systems (IDS) for the Smart Grid
- Host-based IDS, network-based IDS, rule-based IDS, IDS using power system theory
*** No stateful monitoring
• Specification-based IDS:
- Stateful monitoring: specification (sequence of system states)
- Currently specifications are created manually
*** Expensive development process!
• Can we learn specifications automatically?
- Sequential pattern mining: mining clinical pathways in the field of medical care. A clinical pathway is a sequence of a patient's physiological states.
*** Mining common paths algorithm
Outline
• Introduction and Motivation
• Contribution
• Vulnerability assessment for synchrophasor system
• Pattern mining from power system data using mining common path algorithm
• A hybrid intrusion detection system
• Conclusion and future work
Synchrophasor System and Wide-area Situational Awareness
• The 2010 American Reinvestment and Recovery Act funded a synchrophasor project
- Add 800 phasor measurement units (PMUs)
- Adoption of TCP/IP networks
- Real-time, high-speed, time-synchronized information about grid conditions
- Accurate grid condition monitoring and wide-area visualization are essential
  - What is happening?
  - What could happen next?
• Today there are over 1000 PMUs installed across North America
- Large attack surface
- Requires vulnerability assessment
Contributions
• Vulnerability assessment for a synchrophasor system
- Vulnerability tests revealed vulnerabilities in a synchrophasor system
- Suggestions for utilities to mitigate security risks for synchrophasor systems
- A new fuzzing framework was created for a synchrophasor protocol, IEEE C37.118
• Mining common path algorithm for power system data
- Learns unique patterns (common paths) from data for unique power system behaviors
  - A common path is a signature which represents a unique behavior
- Frequent sequential pattern mining algorithm borrowed from the health care domain
  - Applied to power system behaviors
  - Method to preprocess power system data to map to the algorithm for training
- Classifier matches monitored behavior to common paths
  - Increased classifier fidelity compared to anomaly- and specification-based classifiers
Contributions Cont.
• A hybrid intrusion detection system (IDS)
- Applied the mining common paths algorithm to a large power system
- Less expensive to create the IDS for a power system
  - Automatically learns patterns from big data
  - Little system expertise required to create the IDS
- Capable of detecting disturbances, normal control operations and cyber attacks
  - Types and locations
  - A step closer to automated responses
- High detection accuracy, stateful monitoring, processing of high-volume data, detection of zero-day attacks
Vulnerability Assessment for Synchrophasor System
• Problem statement
- Identify synchrophasor device vulnerabilities
- Confirm device compliance with Smart Grid cybersecurity standards
• Related work
- Synchrophasor system test bed is under development…
- Little effort on vulnerability assessment for synchrophasor systems
• Hypothesis:
- Develop a testing process and framework to discover device vulnerabilities and prove conformance to standards
Vulnerability Assessment Steps
Process to compromise a targeted synchrophasor device (PMU/PDC):
• Identify plaintext information, e.g. access points, running services
• Identify vulnerabilities in network protocols via DoS, masquerade attack, etc.
• Identify password complexity, auditing, etc.
Ensure compliance with requirements derived from:
• NISTIR 7628: Guidelines for Smart Grid Cyber Security; DHS Cybersecurity Procurement Language for Control Systems; utility requirements
Fuzzing Framework for IEEE C37.118 Protocol
Components:
1. Network packet capturing
• MITM server: Ettercap
2. Test case generation
• Protocol parser: parsing IEEE C37.118 packets
• Fuzzing engine: loading a smart fuzzer and a dumb fuzzer for different frames
3. Target monitoring
• Validation engine: ICMP Echo/HTTP request for failure validation
4. Logging pertinent data on failure
[Figure: framework architecture. The MITM server sits between the PMU and the PDC and feeds the Protocol Parser; the Fuzzing Engine, driven by a Configuration File, loads separate Command Frame, Configuration Frame, Data Frame and Header Frame fuzzers; the Validation Engine and Log Engine monitor the target and record failures.]
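As an added example (not the authors' fuzzing framework), a validating parser for the C37.118 common frame header shows the checks a PDC or PMU receiver should apply before acting on a frame's fields, which is the receiving-side counterpart of the mutated frames the fuzzers send: sync byte, FRAMESIZE against the bytes actually received, and the CRC-CCITT trailer. The command frame below is constructed, with arbitrary IDCODE and timestamp values; a truncated frame or a flipped payload byte must be rejected rather than crash the receiver.

```python
"""Validating parser for the IEEE C37.118 common frame header and CHK trailer.

Added example, not the authors' fuzzing framework. Shows the checks a PMU/PDC
receiver should make before trusting a frame: sync byte, frame type, FRAMESIZE
against the bytes actually received, and the CRC-CCITT checksum. Frames are
constructed here; IDCODE and timestamps are arbitrary sample values.
"""
import struct

SYNC_BYTE = 0xAA
HEADER_LEN = 14      # SYNC(2) + FRAMESIZE(2) + IDCODE(2) + SOC(4) + FRACSEC(4)
CHK_LEN = 2
FRAME_TYPES = {0: "DATA", 1: "HEADER", 2: "CFG-1", 3: "CFG-2", 4: "COMMAND"}
COMMANDS = {1: "turn off transmission", 2: "turn on transmission",
            3: "send HDR", 4: "send CFG-1", 5: "send CFG-2"}


def crc_ccitt(data):
    """CRC-CCITT as used by C37.118: polynomial 0x1021, initial value 0xFFFF, no reflection."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(frame_type, idcode, soc, fracsec, payload, version=1):
    """Assemble a well-formed frame so the parser can be exercised without a live PMU."""
    size = HEADER_LEN + len(payload) + CHK_LEN
    body = struct.pack(">BBHHII", SYNC_BYTE, (frame_type << 4) | version,
                       size, idcode, soc, fracsec) + payload
    return body + struct.pack(">H", crc_ccitt(body))


def parse_frame(raw):
    """Return (fields, None) for a valid frame, or (None, reason) when it must be dropped."""
    if len(raw) < HEADER_LEN + CHK_LEN:
        return None, "frame shorter than header plus checksum"
    sync, type_ver, size, idcode, soc, fracsec = struct.unpack(">BBHHII", raw[:HEADER_LEN])
    if sync != SYNC_BYTE or type_ver & 0x80:
        return None, "bad sync byte"
    frame_type = (type_ver >> 4) & 0x07
    if frame_type not in FRAME_TYPES:
        return None, "reserved frame type"
    if size != len(raw):   # never index the payload with a length the sender chose
        return None, f"FRAMESIZE {size} does not match received length {len(raw)}"
    (chk,) = struct.unpack(">H", raw[-CHK_LEN:])
    if chk != crc_ccitt(raw[:-CHK_LEN]):
        return None, "checksum mismatch"
    payload = raw[HEADER_LEN:-CHK_LEN]
    fields = {"type": FRAME_TYPES[frame_type], "version": type_ver & 0x0F,
              "framesize": size, "idcode": idcode, "soc": soc,
              "time_quality": fracsec >> 24, "fracsec": fracsec & 0x00FFFFFF,
              "payload": payload}
    if frame_type == 4:
        if len(payload) < 2:
            return None, "command frame without CMD field"
        (cmd,) = struct.unpack(">H", payload[:2])
        fields["command"] = COMMANDS.get(cmd, f"unrecognised command {cmd}")
    return fields, None


if __name__ == "__main__":
    frame = build_frame(4, 7, 1_400_000_000, 0, b"\x00\x02")   # constructed "turn on" command
    print(parse_frame(frame))
    print(parse_frame(frame[:-1]))                               # truncated -> FRAMESIZE error
```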
Vulnerability Assessment Results
• Weak password mechanism
- Weak password complexity
- Password XOR'd with a fixed key
- No password timeout
• Open ports for unused services
- Operating system debugger port left open
• Weak auditing mechanism
- Missing event logs
- Event log non-repudiation
• Man-in-the-middle attacks
- Replay attacks
- Steal SSH and RADIUS credentials
- No MODBUS/IEEE C37.118 digital signature
Fuzzing Results
• PDC crashes
• PDC keeps resetting itself
• PMU stops streaming
• Data information lost, e.g. no frequency data present if the frequency field in data packets is mutated
4 reports provided to the utility and synchrophasor device vendors with the identified vulnerabilities.
THIS DOES NOT MEAN WE ARE ABSOLUTELY SECURE!
Classifier Design
• Validate the correctness of common paths by creating a classifier
• Training process: compute common paths for different classes using the mining common path algorithm
• Testing process: match a test path with a common path
- Compare to all common paths (cpi)
- For each path under test (PUTi):
1. If cpi ⊆ PUTi then cpi is a candidate common path
2. PUTi is classified as the class of the maximal-length candidate common path
3. If more than one candidate common path is maximal, then PUTi is classified as uncertain.
• 1059 paths for SLG fault, 274 paths for remote trip command injection attack
- In random order, random fault locations, random load levels
- Labeled by class name, load level and fault location (if applicable)
- Half used as training paths, half used as testing paths
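The matching rule above, with the metrics defined on the confusion matrix slide (disturbance classified as attack = false positive, attack classified as disturbance = false negative, unknown or uncertain = unclassified), as an added example that is not the authors' code. The state labels, the per-class common paths and the nine test paths are constructed stand-ins chosen to exercise each branch: an extra event that still matches, a path with no candidate, a tie between two classes, a longer candidate beating shorter ones, and one false negative and one false positive.

```python
"""Path classifier following the slide's matching rule, with the page's metrics.

Added example, not the authors' code. State labels and the common paths per class
are constructed stand-ins: N = all normal, IH = currents high, SNT = Snort alert,
CP = control panel trip entry, T12 = R1 and R2 tripped, T1 = R1 tripped, IZ = currents zero.
"""
from collections import Counter

COMMON_PATHS = [                       # (class, common path) -- constructed
    ("slg_fault",     ("N", "IH", "T12", "IZ")),
    ("cmd_injection", ("N", "SNT", "T12", "IZ")),
    ("line_maint",    ("N", "CP", "T12", "IZ")),
    ("slg_replay",    ("N", "SNT", "IH", "T12", "IZ")),
]
ATTACK_CLASSES = {"cmd_injection", "slg_replay"}
UNCLASSIFIED = {"unknown", "uncertain"}


def is_subsequence(pattern, path):
    """True if the states of `pattern` occur in `path` in the same order (gaps allowed)."""
    remaining = iter(path)
    return all(any(state == seen for seen in remaining) for state in pattern)


def classify(put, common_paths=COMMON_PATHS):
    """cp_i is a candidate if cp_i is a subsequence of PUT; answer is the class of the
    longest candidate. Several longest candidates of different classes -> 'uncertain';
    no candidate -> 'unknown'. (Assumption: equal-length candidates of the same class
    are not treated as a tie.)"""
    candidates = [(cls, cp) for cls, cp in common_paths if is_subsequence(cp, put)]
    if not candidates:
        return "unknown"
    longest = max(len(cp) for _, cp in candidates)
    classes = {cls for cls, cp in candidates if len(cp) == longest}
    return classes.pop() if len(classes) == 1 else "uncertain"


def evaluate(test_paths, common_paths=COMMON_PATHS):
    """Confusion counts plus accuracy, FP (disturbance -> attack), FN (attack ->
    disturbance) and unclassification rate, as defined on the confusion-matrix slide."""
    confusion = Counter()
    for actual, put in test_paths:
        confusion[(actual, classify(put, common_paths))] += 1
    n = len(test_paths)
    correct = sum(c for (a, p), c in confusion.items() if a == p)
    fp = sum(c for (a, p), c in confusion.items()
             if a not in ATTACK_CLASSES and p in ATTACK_CLASSES)
    fn = sum(c for (a, p), c in confusion.items()
             if a in ATTACK_CLASSES and p not in ATTACK_CLASSES and p not in UNCLASSIFIED)
    unclassified = sum(c for (a, p), c in confusion.items() if p in UNCLASSIFIED)
    return {"confusion": confusion, "accuracy": correct / n, "false_positive": fp / n,
            "false_negative": fn / n, "unclassified": unclassified / n}


# Constructed test paths: (actual class, path under test).
TEST_PATHS = [
    ("slg_fault",     ("N", "IH", "T12", "IZ")),
    ("slg_fault",     ("N", "IH", "T1", "T12", "IZ")),       # extra event, still matches
    ("cmd_injection", ("N", "SNT", "T12", "IZ")),
    ("line_maint",    ("N", "CP", "T12", "IZ")),
    ("line_maint",    ("N", "T12", "IZ")),                    # no cause recorded -> unknown
    ("cmd_injection", ("N", "SNT", "CP", "T12", "IZ")),       # two 4-state candidates -> uncertain
    ("slg_replay",    ("N", "SNT", "IH", "T12", "IZ")),       # longest candidate wins
    ("slg_replay",    ("N", "IH", "T12", "IZ")),              # Snort saw nothing -> false negative
    ("slg_fault",     ("N", "SNT", "IH", "T12", "IZ")),       # spurious alert -> false positive
]

if __name__ == "__main__":
    for key, value in evaluate(TEST_PATHS).items():
        print(key, value)
```

The two misclassified cases show why the page's false negative and false positive rates are reported separately: both depend on whether the Snort feature is present in the path, not on the power system measurements.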
Experiment 1: Evaluation on Two Classes: SLG Fault and Remote Command Injection Attack
• Validate whether the common paths for the two classes are unique
• Training with paths of two classes
- 203 common paths for the SLG fault class; 18 common paths for the command injection attack class
• Testing
- 519 testing paths of the SLG fault scenario; 127 testing paths of the cmd. inj. attack scenario
Confusion matrix for testing paths of SLG fault and command injection (rows: actual class; columns: classification)
Classes   | SLG Fault | Cmd. Inj. | Unknown | Testing paths total | Accuracy
SLG Fault | 491       | 0         | 28      | 519                 | 95.0%
Cmd. Inj. | 0         | 123       | 4       | 127                 |
(491+123)/(519+127) x 100% = 95.0%
Experiment 2: Evaluation on More Classes
• Additional experiment used to verify the correctness of common paths
• Stress the mining common path algorithm
- Demonstrate the ability of the algorithm to create unique common paths based on smaller differences between similar classes
• The SLG fault class is divided into 36 SLG fault classes by 9 fault location ranges and 4 load level ranges
- Example: an SLG fault class can be "SLG fault at 10-23% of the transmission line with load level in 200-249 MW"
[Figure: plot of SLG fault location on line L1 (10% to 90%) versus relay R1 and R2 trip times (0 to 0.6 s), with the 9 fault location ranges marked ① to ⑨.]
Experiment 2: Evaluation on More Classes
Training:
1. Group paths by pre-defined classes
• 36 SLG fault classes
• 4 cmd. inj. att. classes
2. Compute common paths for each class
3. Combine common paths as needed
• 10 classes: 9 fault locations and cmd. inj. att.
• 2 classes: SLG fault and cmd. inj. att.
Evaluation Results
Confusion matrix for testing paths of SLG fault and command injection (rows: actual class; columns: classification)
Classes   | SLG Fault | Cmd. Inj. | Unknown | Testing paths total | Binary Accuracy
SLG Fault | 497       | 0         | 21      | 519                 | 96.6%
Cmd. Inj. | 0         | 127       | 0       | 127                 |
Confusion matrix for 9 SLG fault locations and 1 command injection (rows: actual class; columns: classification)
Actual \ Classified | 10-23% | 23-29% | 30-35% | 36-40% | 41-60% | 61-65% | 65-70% | 71-80% | 81-90% | C. Inj. | Unc. Fault | Unknown
10-23%              | 191    | 0      | 0      | 0      | 0      | 0      | 0      | 0      | 0      | 0       | 0          | 4
23-29%              | 3      | 4      | 0      | 7      | 0      | 0      | 0      | 0      | 0      | 0       | 0          | 0
30-35%              | 0      | 0      | 4      | 0      | 0      | 0      | 0      | 0      | 0      | 0       | 9          | 0
36-40%              | 0      | 0      | 0      | 2      | 2      | 0      | 0      | 0      | 0      | 0       | 7          | 0
41-60%              | 0      | 0      | 0      | 6      | 41     | 5      | 8      | 0      | 0      | 0       | 0          | 1
61-64%              | 0      | 0      | 0      | 0      | 2      | 10     | 3      | 0      | 0      | 0       | 0          | 0
65-70%              | 0      | 0      | 0      | 0      | 0      | 0      | 14     | 1      | 0      | 0       | 0          | 0
71-80%              | 0      | 0      | 0      | 0      | 0      | 0      | 4      | 38     | 0      | 0       | 0          | 0
81-90%              | 0      | 0      | 0      | 0      | 0      | 0      | 0      | 18     | 135    | 0       | 0          | 0
C. Inj.             | 0      | 0      | 0      | 0      | 0      | 0      | 0      | 0      | 0      | 127     | 0          | 0
10-class accuracy: 87.6% = (191+4+4+2+41+10+14+38+135+127)/(519+127) x 100%
Evaluation Conclusion
• The classifier can automatically be trained from data using the mining common path algorithm
• Create common paths for differentiating
- Binary classes: SLG fault scenario and a cyber attack
- Multiple similar SLG fault scenarios
Differences between experiment 1 and experiment 2
Experiment 1                                              | Experiment 2
Compute common paths over a broad range of input paths    | Compute common paths over grouped input paths
Does not require system expertise                         | Requires system expertise to know how to group paths
Provides no extra information on fault locations          | Provides extra information on fault locations
Accuracy for binary classification: 95%                   | Accuracy for binary classification: 96.6%
Users can decide whether or not to use the path grouping strategy based on:
• How much expertise do they have?
• Do they need the extra information?
• How much extra accuracy will the classifier provide?
IDS Training and Testing Process
Training process
1. One MED is created from the data collected from one instance
• MEDs are converted into paths
• 10,000 paths are created
2. Paths are preprocessed
• Subclasses for SLG fault scenarios are predefined based on the relay behavior chart
• Paths are grouped based on the predefined classes
3. Common paths are mined for each group of paths
4. Combine common paths as needed
• A total of 477 common paths are created for 25 scenarios; training time: 0.33 seconds/scenario, and 34 MB memory
Testing process: match a test path with a common path
• If no match: unknown
Future Work
1. Vulnerability assessment in cyber-physical systems
• Quantify the vulnerabilities: how likely is a vulnerability to be exploited?
• Extend assessment methodologies to advanced metering systems and other industrial control systems
2. Apply the IDS to other wide-area protection schemes and a larger power system scale
• How to train for a much larger system? (Thousands of buses?)
• Data management, feature selection (How to manage larger data? Are all features needed?)
3. What if the PMU is not at every bus?
• Optimal locations of PMUs while keeping the high detection accuracy
• Impact of PMU sampling rate
4. How to implement the IDS in real time?
• How to handle a continuous stream of synchrophasor data?
• Buffer the data -> mine patterns off-line -> detection in real time
• Window real-time data -> learn patterns from the data in the window -> refine patterns as data continues coming (window size?)
Publications
• Journal papers under review
- Pan, S., Morris, T., Adhikari, U., "Developing a Hybrid Intrusion Detection System Using Data Mining for Power System," under review for IEEE Transactions on Smart Grid.
- Pan, S., Morris, T., Adhikari, U., "Detection for Fault and Cyber Attack in Power System by Mining Synchrophasor Data," under review for IEEE Transactions on Industrial Informatics.
- Pan, S., Morris, T., Adhikari, U., "A Specification-based Intrusion Detection System for Cyber-physical Environment in Electric Power System," submitted to the International Journal of Computer Security.
• Published journal papers
- Morris, T., Pan, S., Adhikari, U., Younan, N., King, R., Madani, V., "Cyber Security Testing and Intrusion Detection for Synchrophasor Systems," accepted by International Journal of Network Science (IJNS).
- Srivastava, A., Morris, T., Ernster, T., Vellaithurai, C., Pan, S., Adhikari, U., "Modeling Cyber-Physical Vulnerability of the Smart Grid With Incomplete Information," IEEE Transactions on Smart Grid, vol. 4, no. 1, pp. 235-244, March 2013.
Publications Cont.
• Book chapters
- Morris, T., Pan, S., Adhikari, U., Younan, N., King, R., Madani, V., "Phasor Measurement Unit and Phasor Data Concentrator Cyber Security," in Systems and Optimization Aspects of Smart Grid Challenges, Carvalho, M., Pappu, V., Pardalos, P., Eds., Springer US.
• Conference papers
- Adhikari, U., Morris, T., Pan, S., "A Causal Event Graph for Cyber-Power System Events Using Synchrophasor," accepted by IEEE Power & Energy Society General Meeting, July 27-31, 2014, Washington, D.C.
- Adhikari, U., Morris, T., Pan, S., "A Cyber-Physical Power System Test Bed for Intrusion Detection Systems," accepted by IEEE Power & Energy Society General Meeting, July 27-31, 2014, Washington, D.C.
- Pan, S., Morris, T., Adhikari, U., "Causal Event Graphs Cyber-physical System Intrusion Detection System," proc. of the 8th Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW8), Jan 8-10, 2013, Oak Ridge, TN.
- Sprabery, R., Morris, T., Pan, S., Adhikari, U., "Protocol Mutation Intrusion Detection for Synchrophasor Communications," proc. of the 8th Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW8), Jan 8-10, 2013, Oak Ridge, TN.
- Morris, T., Adhikari, U., Pan, S., "Cyber Security Recommendations for Wide Area Monitoring, Protection, and Control Systems," IEEE Power & Energy Society General Meeting, July 22-26, 2012, San Diego, CA.
- Adhikari, U., Morris, T., Dahal, N., Pan, S., King, R., Younan, N., Madani, V., "Development of Power System Test Bed for Data Mining of Synchrophasors Data, Cyber-Attack and Relay Testing in RTDS," IEEE Power & Energy Society General Meeting, July 22-26, 2012, San Diego, CA.
- Morris, T., Pan, S., Lewis, J., Moorhead, J., Reaves, B., Younan, N., King, R., Freund, M., Madani, V., "Cybersecurity Testing of Substation Phasor Measurement Units and Phasor Data Concentrators," proc. of the 7th Annual ACM Cyber Security and Information Intelligence Research Workshop (CSIIRW), October 12-14, 2011, Oak Ridge, TN.
- Guo, Y., Pan, S., Wang, H., Zheng, H., "A Hybrid Classification Approach to Improving Location Accuracy In A Bluetooth based Room Localization System," proc. of the International Conference on Machine Learning and Cybernetics (ICMLC), 11-14 Jul. 2010.
- Rahman, T., Pan, S., Zhang, Q., "Design of A High Throughput 128-bit AES (Rijndael Block Cipher) System," proc. of the International Multi-Conference of Engineers and Computer Scientists (IMECS), 17-19 Mar. 2010.