TY - JOUR
T1 - Anomaly-Based Detection of Cyberattacks on Line Current Differential Relays
AU - Mohammad Saber, Ahmad
AU - Youssef, Amr
AU - Svetinovic, Davor
AU - Zeineldin, Hatem H.
AU - El-Saadany, Ehab F.
N1 - Funding Information:
This work was supported by Khalifa University under Grant CIRA-013-2020.
Publisher Copyright:
© 2010-2012 IEEE.
PY - 2022/11/1
Y1 - 2022/11/1
AB - Currently, the architecture of Line Current Differential Relays (LCDRs) is designed to respond to internal faults on the protected line using local and remotely-communicated current measurements. However, this architecture cannot distinguish between real faults and cyber-induced attacks whose goal is to cause false tripping of the line protected by the LCDR. In this paper, we propose an Anomaly-Based Scheme (ABS) for detecting false-tripping attacks against LCDRs, in the form of relay attacks, replay attacks, general false-data-injection attacks, and time-synchronization attacks. The ABS employs the Isolation Forest algorithm, which is trained on features determined from local current measurements to confirm real faults and differentiate them from false-tripping attacks. No trip command will be issued unless the sensed fault is confirmed as a non-attack by the ABS. The performance of the proposed ABS is tested and validated using the IEEE 9-bus benchmark in the PSCAD/EMTDC environment. Simulation results show that the proposed ABS: (i) can accurately detect different categories of cyberattacks, (ii) does not negatively impact the accuracy of the fault-detection function, and (iii) is robust to the change in the power system's operating point.
KW - Anomaly detection
KW - cyber-physical security
KW - isolation forest
KW - line current differential relays
KW - power systems
KW - protection
KW - smart grid
UR - http://www.scopus.com/inward/record.url?scp=85133789751&partnerID=8YFLogxK
U2 - 10.1109/TSG.2022.3185764
DO - 10.1109/TSG.2022.3185764
M3 - Journal article
AN - SCOPUS:85133789751
SN - 1949-3053
VL - 13
SP - 4787
EP - 4800
JO - IEEE Transactions on Smart Grid
JF - IEEE Transactions on Smart Grid
IS - 6
ER -