FARIMA model‐based communication traffic anomaly detection in intelligent electric power substations

Yang, Qiang; Hao, Weijie; Ge, Leijiao; Ruan, Wenjie; Chi, Fujian

doi:10.1049/iet-cps.2018.5052

Cited by 26 publications

(27 citation statements)

References 20 publications

(38 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is a considerable limitation as they increase the deployment and operational costs. Our AD statistical method is compared with the most relevant approaches available in the literature ( [21,29]) and the results are listed in Table 1.…”

Section: Performance Of the Anomaly Detection (Ad) Methodsmentioning

confidence: 99%

“…In [21,29], statistical AD methods for the detection of attacks in 61,850 substations, are proposed. In [21], the authors present a statistical detection based on a comparison of the residuals with a variance-based threshold while assuming a model to describe a signal embedded in WGN for the network traffic.…”

Section: Performance Of the Anomaly Detection (Ad) Methodsmentioning

confidence: 99%

“…Modeling the network traffic in electrical substations is a challenging task due to the different operation modes including normal operation and burst data in case of faults. Studies focusing on describing the network traffic ( [29][30][31]) show that the GOOSE network traffic exhibits short-range dependency, self-similarity and LRD features. Some research works have been conducted to model the substation communication network.…”

Section: Distributional Considerations Of the Datamentioning

confidence: 99%

“…Some research works have been conducted to model the substation communication network. However, few of them consider the self-similarity of the network traffic such as [29,30]. In the next section, we will study the possible presence of self-similarity features in the GOOSE network traffic data.…”

Section: Distributional Considerations Of the Datamentioning

confidence: 99%

“…An ARFIMA model consists of an Auto-Regressive (AR) part, a Moving Average (MA) filter, and an integration term (I) which is employed for differencing the raw measurements we select for modeling the IEC 61850 GOOSE traffic. (ARFIMA model is also referred to as Fractional ARIMA (FARIMA) model in some references [29,30]).…”

Section: Arfima Modelmentioning

confidence: 99%

See 4 more Smart Citations

Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations

et al. 2020

View full text Add to dashboard Cite

Integration of Information and Communication Technology (ICT) in modern smart grids (SGs) offers many advantages including the use of renewables and an effective way to protect, control and monitor the energy transmission and distribution. To reach an optimal operation of future energy systems, availability, integrity and confidentiality of data should be guaranteed. Research on the cyber-physical security of electrical substations based on IEC 61850 is still at an early stage. In the present work, we first model the network traffic data in electrical substations, then, we present a statistical Anomaly Detection (AD) method to detect Denial of Service (DoS) attacks against the Generic Object Oriented Substation Event (GOOSE) network communication. According to interpretations on the self-similarity and the Long-Range Dependency (LRD) of the data, an Auto-Regressive Fractionally Integrated Moving Average (ARFIMA) model was shown to describe well the GOOSE communication in the substation process network. Based on this ARFIMA-model and in view of cyber-physical security, an effective model-based AD method is developed and analyzed. Two variants of the statistical AD considering statistical hypothesis testing based on the Generalized Likelihood Ratio Test (GLRT) and the cumulative sum (CUSUM) are presented to detect flooding attacks that might affect the availability of the data. Our work presents a novel AD method, with two different variants, tailored to the specific features of the GOOSE traffic in IEC 61850 substations. The statistical AD is capable of detecting anomalies at unknown change times under the realistic assumption of unknown model parameters. The performance of both variants of the AD method is validated and assessed using data collected from a simulation case study. We perform several Monte-Carlo simulations under different noise variances. The detection delay is provided for each detector and it represents the number of discrete time samples after which an anomaly is detected. In fact, our statistical AD method with both variants (CUSUM and GLRT) has around half the false positive rate and a smaller detection delay when compared with two of the closest works found in the literature. Our AD approach based on the GLRT detector has the smallest false positive rate among all considered approaches. Whereas, our AD approach based on the CUSUM test has the lowest false negative rate thus the best detection rate. Depending on the requirements as well as the costs of false alarms or missed anomalies, both variants of our statistical detection method can be used and are further analyzed using composite detection metrics.

show abstract

Section: Performance Of the Anomaly Detection (Ad) Methodsmentioning

confidence: 99%

Section: Performance Of the Anomaly Detection (Ad) Methodsmentioning

confidence: 99%

Section: Distributional Considerations Of the Datamentioning

confidence: 99%

Section: Distributional Considerations Of the Datamentioning

confidence: 99%

Section: Arfima Modelmentioning

confidence: 99%

See 3 more Smart Citations

Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations

et al. 2020

View full text Add to dashboard Cite

show abstract

Network traffic prediction model based on ensemble empirical mode decomposition and multiple models

Lian

Tian

2021

Int J Communication

View full text Add to dashboard Cite

Summary In order to improve the prediction accuracy of network traffic, a novel prediction model based on ensemble empirical mode decomposition and multiple models is proposed. In this study, ensemble empirical mode decomposition algorithm is introduced to decompose the network traffic and get several components. Approximate entropy is introduced to judge the complexity of each component. According to the results of approximate entropy, echo state network is selected to predict high complexity components, support vector machine is used to predict medium complexity components, and autoregressive integrated moving average model is introduced to predict low complexity components. The advantages of each prediction model are used to predict the appropriate component. The final prediction results are obtained by adding the predicted values of each component. In order to solve the problem that the prediction performance of support vector machine and echo state network is affected by their parameters, an improved whale optimization algorithm is proposed to optimize the parameters of the model. Meanwhile, the calculation results of approximate entropy show that compared with the original network traffic, the complexity of each component obtained by ensemble empirical mode decomposition is reduced, which reduces the complexity of modeling. Three network traffic datasets with sampling periods of 10 ms, 1 s, and 10 min are collected. Compared with the other five state‐of‐the‐art prediction models, the case study results show that the proposed prediction model has better prediction accuracy and excellent statistical performance indicators.

show abstract

Influence of Mobile Internet Based on Big Data Analysis on Integrated Marketing Communication Mode

Hua

Bao

Theodoraki

2022

The 2021 International Conference on Smart Technologies and Systems for Internet of Things

View full text Add to dashboard Cite

FARIMA model‐based communication traffic anomaly detection in intelligent electric power substations

Cited by 26 publications

References 20 publications

Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations

Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations

Network traffic prediction model based on ensemble empirical mode decomposition and multiple models

Influence of Mobile Internet Based on Big Data Analysis on Integrated Marketing Communication Mode

Contact Info

Product

Resources

About