Abstract. Generic Object Oriented Substation Events (GOOSE), as an essential component of IEC 61850 communication standard, plays an important role in intelligent substation. Any abnormal change of GOOSE field values could cause substation automatic system failures, incorrect switching, or physical damages in the field devices, which will result in probably catastrophic losses. To mitigate the risks caused by vulnerabilities of GOOSE protocol, a behavior-based intrusion detection system is proposed. Different from the existing proposed approaches, considering there is no attack traffic in intelligent substation network so far, one class classifier is used to model the normal behaviors. Compared to the existing approaches, it can usually detect much more complex attacks. To specify the proposed system, when giving a GOOSE message, we first convert it into a feature vector with a specific approach. Considering only normal GOOSE messages are given, One Class classifier with Extreme Learning Machine (OC-ELM) is used to model the information embedded in the normal training set. Extensive experiments demonstrate the efficiency and effectiveness of the proposed intrusion detection system.