
Anomaly Behavior Analysis for Smart Grid Automation System

Angel Orozco et al. present Anomaly Behavior Analysis for a Smart Grid Automation System in smart
cities in their paper. Their objective for smart cities is to exploit advanced communication
technologies to support the delivery of high-quality services. Their main claim in this paper is the
ABA-IDS methodology for a Smart Grid System, which they claim is very accurate at detecting abnormal
behaviors and classifying them as physical errors or cyber-attacks. Furthermore, it determines the root
cause with a high detection rate and low false alarms. A Smart Grid testbed was used for the
evaluation of their approach by launching different types of attacks.

In their methodology, the monitoring unit captures and filters the traffic. The ABA-IDS uses the PMU
Connection Tester, a software tool whose objective is to verify that the data streamed from any
known phasor measurement device is being received.

The Training Unit consists of three modules: 1) dataset, 2) features extraction, and 3) rules generation.
This unit is considered the knowledge builder for the ABA-IDS. The dataset module stores the monitored
raw data in a MySQL database, which holds data representing both normal and abnormal behavior.
Features extraction is the module that filters and rearranges the data, so that all the
repeated, unnecessary, and static data are dropped. Rules generation for the ABA-IDS uses Weka as the
data mining tool with the JRip algorithm.

Normal Operations Reference Model: this is a rule-based model generated by the training unit. It
defines the space of normal operations, so that any abnormal event can be detected.

The Runtime Unit is considered the testing phase of their ABA-IDS. It includes three modules: 1) runtime
features extraction, 2) classification, and 3) risk management. The runtime features extraction module
is in charge of filtering the required features and sending them to the classification module. The
classification module creates a runtime model that is compared with the reference model. The
classification rules in the reference model are used to determine whether the behavior of
the system is normal or not. The risk management unit enforces the decisions of the anomaly protection
engine after evaluating the effect and the cost of that action, whether to drop, log or pass.
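
The training and runtime flow described above, sketched as an added example (not code from the paper): static columns and repeated records are dropped, a first-match ordered rule list of the form JRip produces classifies each record, and the class is mapped to drop, log or pass. The feature names, thresholds, rules, label-to-action mapping and sample records are assumptions constructed for illustration.

```python
# Added illustration, not code from the paper. Feature names, thresholds,
# rules and the label-to-action mapping are hypothetical.

def select_features(rows):
    """Training side: keep only columns whose value is not static."""
    return [k for k in rows[0] if len({r[k] for r in rows}) > 1]

def dedupe(rows):
    """Training side: drop records that repeat the previous one."""
    kept = []
    for r in rows:
        if not kept or kept[-1] != r:
            kept.append(r)
    return kept

# Ordered rule list: the first matching rule wins, the last is the default.
RULES = [
    (lambda r: r["frames_per_s"] > 60, "cyber-attack"),
    (lambda r: abs(r["freq_hz"] - 60.0) > 0.5, "physical-error"),
    (lambda r: True, "normal"),
]

# Risk management: action enforced for each class (assumed mapping).
ACTIONS = {"normal": "pass", "physical-error": "log", "cyber-attack": "drop"}

def classify(record):
    return next(label for cond, label in RULES if cond(record))

def runtime(record, features):
    """Runtime side: filter the required features, classify, pick an action."""
    slim = {k: record[k] for k in features}
    label = classify(slim)
    return label, ACTIONS[label]

# Constructed PMU records (not measurements from the paper's testbed).
TRAINING = [
    {"station_id": 7, "freq_hz": 60.01, "frames_per_s": 30},
    {"station_id": 7, "freq_hz": 60.01, "frames_per_s": 30},   # repeat
    {"station_id": 7, "freq_hz": 58.90, "frames_per_s": 30},
    {"station_id": 7, "freq_hz": 60.00, "frames_per_s": 240},
]
FEATURES = select_features(dedupe(TRAINING))

if __name__ == "__main__":
    for rec in dedupe(TRAINING):
        print(rec, "->", runtime(rec, FEATURES))
```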

Through their research they achieved great accuracy in detecting abnormal behaviors and
classifying them as physical errors or cyber-attacks. Furthermore, it determines the root cause with a
high detection rate and low false alarms.

Critique

In some cases an impersonation attack closely follows the normal behavior of the PMU, making it difficult
to detect.

In this work, some scenarios were not considered, for instance cyber-attacks that mimic physical errors.
