ERENO: A Framework for Generating Realistic IEC–61850 Intrusion Detection Datasets for Smart Grids

IF 7 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE IEEE Transactions on Dependable and Secure Computing Pub Date : 2024-07-01 DOI:10.1109/TDSC.2023.3336857

Silvio E. Quincozes, Célio Albuquerque, Diego G. Passos, Daniel Mossé

{"title":"ERENO: A Framework for Generating Realistic IEC–61850 Intrusion Detection Datasets for Smart Grids","authors":"Silvio E. Quincozes, Célio Albuquerque, Diego G. Passos, Daniel Mossé","doi":"10.1109/TDSC.2023.3336857","DOIUrl":null,"url":null,"abstract":"Connected and digital electricity substations based on IEC–61850 standards enable novel applications. On the other hand, such connectivity also creates an extended attack surface. Therefore, Intrusion Detection Systems (IDSs) have become an essential component of safeguarding substations from malicious activities. However, in contrast to traditional information technology systems, there is a serious lack of realistic data for training, testing, and evaluating IDSs in smart grid scenarios. Many existing substation IDSs rely on datasets from other contexts or on proprietary datasets that do not allow reproducibility, validation, or performance comparison with competing algorithms. To address this issue, we propose the Efficacious Reproducer Engine for Network Operations (ERENO) synthetic traffic generation framework based on the IEC–61850 standard specifications. As an additional contribution, and as a proof-of-concept, we create and make available a suite of realistic IEC–61850 datasets that model 8 use cases, namely traffic for seven common attacks and one for normal network traffic. Based on those datasets, we further evaluate how enriched features combining raw data from the substation can significantly improve intrusion detection performance. Our results suggest that it can improve F1-Score up to 47.22% for masquerade attacks.","PeriodicalId":13047,"journal":{"name":"IEEE Transactions on Dependable and Secure Computing","volume":null,"pages":null},"PeriodicalIF":7.0000,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Dependable and Secure Computing","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1109/TDSC.2023.3336857","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 3

Abstract

Connected and digital electricity substations based on IEC–61850 standards enable novel applications. On the other hand, such connectivity also creates an extended attack surface. Therefore, Intrusion Detection Systems (IDSs) have become an essential component of safeguarding substations from malicious activities. However, in contrast to traditional information technology systems, there is a serious lack of realistic data for training, testing, and evaluating IDSs in smart grid scenarios. Many existing substation IDSs rely on datasets from other contexts or on proprietary datasets that do not allow reproducibility, validation, or performance comparison with competing algorithms. To address this issue, we propose the Efficacious Reproducer Engine for Network Operations (ERENO) synthetic traffic generation framework based on the IEC–61850 standard specifications. As an additional contribution, and as a proof-of-concept, we create and make available a suite of realistic IEC–61850 datasets that model 8 use cases, namely traffic for seven common attacks and one for normal network traffic. Based on those datasets, we further evaluate how enriched features combining raw data from the substation can significantly improve intrusion detection performance. Our results suggest that it can improve F1-Score up to 47.22% for masquerade attacks.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

ERENO：为智能电网生成真实 IEC-61850 入侵检测数据集的框架

基于 IEC-61850 标准的互联和数字化变电站可实现新颖的应用。另一方面，这种连接性也扩大了攻击面。因此，入侵检测系统（IDS）已成为保护变电站免受恶意活动攻击的重要组成部分。然而，与传统的信息技术系统相比，智能电网场景中严重缺乏用于培训、测试和评估 IDS 的真实数据。许多现有的变电站 IDS 依赖于其他环境下的数据集或专有数据集，这些数据集无法与竞争算法进行再现、验证或性能比较。为解决这一问题，我们提出了基于 IEC-61850 标准规范的网络运行有效再现引擎（ERENO）合成流量生成框架。作为额外的贡献和概念验证，我们创建并提供了一套真实的 IEC-61850 数据集，其中模拟了 8 种使用情况，即七种常见攻击的流量和一种正常网络流量。基于这些数据集，我们进一步评估了结合变电站原始数据的丰富特征如何显著提高入侵检测性能。结果表明，对于伪装攻击，F1-Score 最高可提高 47.22%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

IEEE Transactions on Dependable and Secure Computing 工程技术-计算机：软件工程

CiteScore

11.20

自引率

5.50%

发文量

354

审稿时长

9 months

期刊介绍： The "IEEE Transactions on Dependable and Secure Computing (TDSC)" is a prestigious journal that publishes high-quality, peer-reviewed research in the field of computer science, specifically targeting the development of dependable and secure computing systems and networks. This journal is dedicated to exploring the fundamental principles, methodologies, and mechanisms that enable the design, modeling, and evaluation of systems that meet the required levels of reliability, security, and performance. The scope of TDSC includes research on measurement, modeling, and simulation techniques that contribute to the understanding and improvement of system performance under various constraints. It also covers the foundations necessary for the joint evaluation, verification, and design of systems that balance performance, security, and dependability. By publishing archival research results, TDSC aims to provide a valuable resource for researchers, engineers, and practitioners working in the areas of cybersecurity, fault tolerance, and system reliability. The journal's focus on cutting-edge research ensures that it remains at the forefront of advancements in the field, promoting the development of technologies that are critical for the functioning of modern, complex systems.