Hierarchical Clustering for Anomalous Traffic Conditions Detection in Power Substations
Abstract
The IEC 61850 standard has contributed significantly to the substation management and automation process by incorporating the advantages of communications networks into the operation of power substations. However, this modernization process also involves new challenges in other areas. For example, in the field of security, several academic works have shown that the same attacks used in computer networks (DoS, sniffing, tampering, spoofing, among others) can also compromise the operation of a substation. This article evaluates the applicability of hierarchical clustering algorithms and statistical descriptors (averages) to the identification of anomalous traffic patterns in communication networks of power substations based on the IEC 61850 standard. The results obtained show that, using a hierarchical algorithm with the Euclidean distance as proximity criterion and the single-linkage grouping method, a correct classification is achieved in the following operation scenarios: 1) Normal traffic, 2) IED disconnection, 3) Network discovery attack, 4) DoS attack, 5) IED spoofing attack and 6) Failure on the high voltage line. In addition, the descriptors used for the classification proved equally effective with other unsupervised clustering techniques such as K-means (partitional clustering) or LAMDA (fuzzy clustering).
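As an added illustration of the method the abstract describes (this is example code, not the paper's own implementation or data), the block below runs single-linkage agglomerative clustering with Euclidean distance over per-window average descriptors and checks whether the six scenarios separate when the dendrogram is cut at six clusters. The four descriptors (average frames/s, GOOSE frames/s, ARP requests/s and distinct source MACs per capture window) and all sample values are constructed assumptions, not measurements from the paper.

```python
import math
from itertools import combinations

# Constructed per-window descriptors for an IEC 61850 substation LAN (assumption:
# each row is the average, over one capture window, of frames/s, GOOSE frames/s,
# ARP requests/s and distinct source MACs). Values are illustrative, not the
# paper's measurements; two windows per scenario, scenario encoded in the key.
SAMPLES = {
    "normal-1": (200.0, 40.0, 1.0, 8.0),
    "normal-2": (205.0, 42.0, 1.0, 8.0),
    "ied_disconnect-1": (160.0, 10.0, 1.0, 7.0),   # one IED silent: fewer GOOSE, one MAC gone
    "ied_disconnect-2": (158.0, 12.0, 1.0, 7.0),
    "net_discovery-1": (260.0, 40.0, 60.0, 9.0),   # ARP sweep from one extra host
    "net_discovery-2": (265.0, 41.0, 62.0, 9.0),
    "dos-1": (5000.0, 40.0, 1.0, 9.0),             # frame flood from one extra source
    "dos-2": (5010.0, 41.0, 1.0, 9.0),
    "ied_spoof-1": (230.0, 70.0, 1.0, 9.0),        # second GOOSE stream from a forged source
    "ied_spoof-2": (235.0, 72.0, 1.0, 9.0),
    "line_fault-1": (300.0, 140.0, 1.0, 8.0),      # genuine event: GOOSE retransmission burst
    "line_fault-2": (310.0, 145.0, 1.0, 8.0),
}

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def single_linkage(points, k):
    """Agglomerative clustering with single linkage: the distance between two
    clusters is the smallest point-to-point distance between them. Merges until
    k clusters remain and returns (clusters, merge_heights) so the height at
    which the dendrogram was cut can be inspected."""
    clusters = [[name] for name in points]
    heights = []
    while len(clusters) > k:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            d = min(euclid(points[a], points[b]) for a in clusters[i] for b in clusters[j])
            if best is None or d < best[0]:
                best = (d, i, j)
        d, i, j = best
        clusters[i] = sorted(clusters[i] + clusters[j])
        del clusters[j]
        heights.append(d)
    return sorted(clusters), heights

def scenario_of(name):
    return name.rsplit("-", 1)[0]

def clusters_are_pure(clusters):
    """True when every cluster holds windows of exactly one scenario."""
    return all(len({scenario_of(n) for n in c}) == 1 for c in clusters)

if __name__ == "__main__":
    clusters, heights = single_linkage(SAMPLES, 6)
    for c in clusters:
        print(c)
    print("merge heights:", [round(h, 1) for h in heights], "pure:", clusters_are_pure(clusters))
```

Cutting one level higher (five clusters) merges the normal and IED-spoofing windows, which is the usual failure mode of single linkage when an attack only slightly shifts the averages; the merge heights show how much margin the cut has.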