Anomaly Detection in Scada Networks Using Expert Models and Machine Learning Based Techniques




Critical infrastructures such as power grids face a clear and present danger from cyber threats and attacks. A case in point is the 2016 attack on Ukraine's power grid, which confirmed that cyber adversaries can cause a blackout using malware. This incident occurred despite significant cyber security research efforts and improvements made to the power grid over the last two decades to protect and defend against cyber attacks. Cyber attack mitigation efforts, such as intrusion detection in general and anomaly detection in particular, therefore remain a formidable challenge. Anomaly detection also faces a challenge of its own: a high false positive rate. A further challenge in protecting power grids from cyber attack is that heightened security concerns have limited researchers' access to operational power grid networks; as a result, much previous work has been based on testbeds, simulated models, or a single substation of the power grid. To address these challenges, this work presents: (1) the first in-depth characterization of a large-scale, real-world federated bulk power grid that uses the IEC 60870-5-104 Supervisory Control and Data Acquisition (SCADA) protocol to control and monitor the physical processes of the grid; and (2) a connection-scoped anomaly detection system (CS-ADS) that unifies traditional and modern machine learning models with integrated expert domain knowledge in one design. The design intent of the CS-ADS is to reduce the false positive rate while increasing the true positive rate. To evaluate the proposed CS-ADS, real-world ICS/SCADA malware is employed as the adversary model.
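The abstract describes the detection approach only at the design level. As an added illustration (example code written for this page, not the thesis's CS-ADS, its data set, or its models), the Python below decodes IEC 60870-5-104 APDUs (I-, S- and U-format APCI, then the ASDU header) and runs connection-scoped checks over a constructed traffic sample: expert rules on send-sequence continuity, on the set of ASDU type IDs a given source/destination pair is allowed to use, and on the cause of transmission of commands, plus a simple statistical baseline (z-score on inter-arrival time) standing in for the learned component. The host addresses, the per-connection type-ID profile and the injected single-command frame are all assumptions made for the demo.

```python
"""Connection-scoped anomaly checks over IEC 60870-5-104 (IEC 104) APDUs.
Added example for this page, not the thesis's CS-ADS; all frames, addresses
and the per-connection profile below are constructed for the demo."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple

START = 0x68
CONTROL_TYPE_IDS = set(range(45, 70)) | set(range(100, 108))  # command (control-direction) types
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
COT_ACTIVATION = 6


def parse_apdu(frame: bytes) -> dict:
    """Decode the APCI and, for I-format frames, the ASDU header and first IOA."""
    if len(frame) < 6 or frame[0] != START or frame[1] != len(frame) - 2:
        raise ValueError("malformed APCI")
    c1, c2, c3, c4 = frame[2:6]
    if c1 & 0x01 == 0:                        # I-format: numbered information transfer
        asdu = frame[6:]
        if len(asdu) < 9:                     # type, VSQ, COT(2), CA(2), IOA(3)
            raise ValueError("ASDU too short")
        return {"fmt": "I", "ns": (c1 >> 1) | (c2 << 7), "nr": (c3 >> 1) | (c4 << 7),
                "type_id": asdu[0], "num_obj": asdu[1] & 0x7F, "cot": asdu[2] & 0x3F,
                "ca": asdu[4] | (asdu[5] << 8), "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)}
    if c1 & 0x03 == 0x01:                     # S-format: supervisory acknowledgement
        return {"fmt": "S", "nr": (c3 >> 1) | (c4 << 7)}
    return {"fmt": "U", "func": U_FUNCTIONS.get(c1, "unknown")}


def build_i_frame(ns: int, nr: int, type_id: int, cot: int, ca: int, ioa: int, info: bytes) -> bytes:
    """Construct an I-format APDU carrying one information object (test data only)."""
    asdu = bytes([type_id, 0x01, cot, 0x00, ca & 0xFF, ca >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, ioa >> 16]) + info
    ctrl = bytes([(ns << 1) & 0xFE, ns >> 7, (nr << 1) & 0xFE, nr >> 7])
    return bytes([START, len(ctrl) + len(asdu)]) + ctrl + asdu


@dataclass
class ConnectionState:
    """State kept per (source, destination) pair, i.e. per connection and direction."""
    allowed_type_ids: Set[int]
    expected_ns: Optional[int] = None
    last_ts: Optional[float] = None
    gaps: List[float] = field(default_factory=list)


class ConnectionScopedDetector:
    """Expert rules evaluated per connection plus a z-score on I-frame inter-arrival."""
    def __init__(self, profiles: Dict[Tuple[str, str], Set[int]], warmup: int = 5, z_threshold: float = 3.0):
        self.profiles = profiles              # baseline: which type IDs each pair may send
        self.state: Dict[Tuple[str, str], ConnectionState] = {}
        self.warmup, self.z_threshold = warmup, z_threshold

    def process(self, conn: Tuple[str, str], ts: float, frame: bytes) -> List[str]:
        # Unknown pairs get an empty profile, so every ASDU they send is flagged.
        st = self.state.setdefault(conn, ConnectionState(set(self.profiles.get(conn, ()))))
        apdu = parse_apdu(frame)
        alerts: List[str] = []
        if apdu["fmt"] != "I":
            return alerts
        # Rule 1: N(S) must advance by exactly one (mod 2^15); a jump suggests injection.
        if st.expected_ns is not None and apdu["ns"] != st.expected_ns:
            alerts.append(f"seq: expected N(S)={st.expected_ns}, got {apdu['ns']}")
        st.expected_ns = (apdu["ns"] + 1) % 32768
        # Rule 2: ASDU type never seen on this connection in the baseline.
        if apdu["type_id"] not in st.allowed_type_ids:
            alerts.append(f"type_id {apdu['type_id']} not in profile for {conn}")
        # Rule 3: a command whose cause of transmission is not 'activation'.
        if apdu["type_id"] in CONTROL_TYPE_IDS and apdu["cot"] != COT_ACTIVATION:
            alerts.append(f"command type {apdu['type_id']} with COT={apdu['cot']}")
        # Statistical baseline: z-score of inter-arrival time after a warm-up period.
        if st.last_ts is not None:
            gap = ts - st.last_ts
            if len(st.gaps) >= self.warmup:
                mu, sigma = mean(st.gaps), pstdev(st.gaps)
                if sigma > 0 and abs(gap - mu) / sigma > self.z_threshold:
                    alerts.append(f"timing: gap {gap:.2f}s vs baseline {mu:.2f}s")
            st.gaps.append(gap)
        st.last_ts = ts
        return alerts


# Constructed scenario: a master (assumed address) that only polls the RTU with
# C_IC_NA_1 (type 100) every ~10 s, then an injected C_SC_NA_1 (type 45) with a skipped N(S).
CONN = ("10.0.0.5:49152", "10.0.0.20:2404")
PROFILE = {CONN: {100}}


def demo() -> Dict[float, List[str]]:
    det = ConnectionScopedDetector(PROFILE)
    polls = [0.0, 10.0, 20.1, 29.9, 40.0, 50.2, 60.0]
    traffic = [(t, build_i_frame(i, 0, 100, COT_ACTIVATION, 1, 0, b"\x14"))  # QOI=20
               for i, t in enumerate(polls)]
    traffic.append((60.05, build_i_frame(9, 0, 45, COT_ACTIVATION, 1, 0x0100, b"\x01")))
    return {ts: det.process(CONN, ts, f) for ts, f in traffic}


if __name__ == "__main__":
    for ts, alerts in demo().items():
        print(f"t={ts:6.2f}s  {alerts or 'ok'}")
```

Running `demo()` yields no alerts for the seven routine interrogation polls and three alerts for the injected command frame: the sequence jump, the type ID outside the connection's profile, and the timing deviation. Two design points matter for the false-positive goal the abstract sets out: the profile is keyed per source/destination pair rather than per host, so a master that legitimately issues commands to one RTU is not whitelisted for all of them, and a pair with no profile fails closed (every ASDU is flagged), which is the right default for a newly appearing connection in a SCADA network but must be paired with a provisioning step when legitimate connections are added.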



Machine learning, Electric power systems, Anomaly detection (Computer security), Supervisory control systems