A Novel Generative AI-Based Framework for Anomaly Detection in Multicast Messages in Smart Grid Communications

Aydin Zaboli, Seong Lok Choi, Tai-Jin Song, Junho Hong

TL;DR

This paper tackles anomaly detection in IEC 61850 multicast messages (GOOSE/SV) within smart grid communications by introducing CyberGridToD, an LLM-based task-oriented dialogue framework. It leverages historical human recommendations to automate decision-making, builds robust GOOSE/SV datasets from a hardware-in-the-loop testbed, and evaluates performance against human-in-the-loop baselines using standard and advanced metrics. Results indicate that the ToD approach, particularly with Anthropic Claude Pro in full training, achieves superior detection performance, scalability, and adaptability, reducing reliance on retraining. The work suggests that such ToD systems can provide fast, explainable IDS capabilities for digital substations and points to future enhancements including self-learning and broader multicast support.

Abstract

Cybersecurity breaches in digital substations can pose significant challenges to the stability and reliability of power system operations. To address these challenges, defense and mitigation techniques are required. Identifying and detecting anomalies in information and communication technology (ICT) is crucial to ensure secure device interactions within digital substations. This paper proposes a task-oriented dialogue (ToD) system for anomaly detection (AD) in datasets of multicast messages, e.g., generic object oriented substation event (GOOSE) and sampled value (SV), in digital substations using large language models (LLMs). This model has a lower potential error and better scalability and adaptability than a process that considers the cybersecurity guidelines recommended by humans, known as the human-in-the-loop (HITL) process. Also, this methodology significantly reduces the effort required when addressing new cyber threats or anomalies compared with machine learning (ML) techniques, since it leaves the model's complexity and precision unaffected and offers a faster implementation. These findings present a comparative assessment, conducted utilizing standard and advanced performance evaluation metrics for the proposed AD framework and the HITL process. To generate and extract datasets of IEC 61850 communications, a hardware-in-the-loop (HIL) testbed was employed.

Paper Structure (12 sections, 10 figures, 3 tables, 2 algorithms)

This paper contains 12 sections, 10 figures, 3 tables, 2 algorithms.

Figures (10)

  • Figure 1: A pre-processing step based on the feature extraction for a log of GOOSE and SV messages (actual data from an HIL testbed).
  • Figure 2: GOOSE/SV recommendations in the HITL and proposed frameworks.
  • Figure 3: A proposed LLM-based ToD system for AD of multicast messages.
  • Figure 4: A comparison of the HITL process and the proposed methodology in AD for SV datasets in the same LLM (i.e., Anthropic Claude Pro).
  • Figure 5: A comparative LLM-based ToD framework for SV dataset.
  • ...and 5 more figures