Table of Contents
Fetching ...

Large Language Models for Detecting Cyberattacks on Smart Grid Protective Relays

Ahmad Mohammad Saber, Saeed Jafari, Zhengmao Ouyang, Paul Budnarain, Amr Youssef, Deepa Kundur

TL;DR

Addressing FDIA threats against transformer current differential relays (TCDRs), the paper develops an on-site LLM-based detector that texts six-channel TCDR measurements into prompts and fine-tunes compact models. The main result is that DistilBERT achieves $97.6\%$ true-positive rate for cyberattack detection with latency below $<6\mathrm{ms}$ per sample, while preserving fault-detection reliability; GPT-2 and DistilBERT+LoRA offer comparable performance. The framework provides interpretable decisions via self-attention maps and maintains robustness under complex attacks and measurement noise, with a fully reproducible dataset released. This work demonstrates practical, edge-deployable, privacy-preserving cybersecurity augmentation for smart grids.

Abstract

This paper presents a large language model (LLM)-based framework for detecting cyberattacks on transformer current differential relays (TCDRs), which, if undetected, may trigger false tripping of critical transformers. The proposed approach adapts and fine-tunes compact LLMs such as DistilBERT to distinguish cyberattacks from actual faults using textualized multidimensional TCDR current measurements recorded before and after tripping. Our results demonstrate that DistilBERT detects 97.6% of cyberattacks without compromising TCDR dependability and achieves inference latency below 6 ms on a commercial workstation. Additional evaluations confirm the framework's robustness under combined time-synchronization and false-data-injection attacks, resilience to measurement noise, and stability across prompt formulation variants. Furthermore, GPT-2 and DistilBERT+LoRA achieve comparable performance, highlighting the potential of LLMs for enhancing smart grid cybersecurity. We provide the full dataset used in this study for reproducibility.

Large Language Models for Detecting Cyberattacks on Smart Grid Protective Relays

TL;DR

Addressing FDIA threats against transformer current differential relays (TCDRs), the paper develops an on-site LLM-based detector that texts six-channel TCDR measurements into prompts and fine-tunes compact models. The main result is that DistilBERT achieves true-positive rate for cyberattack detection with latency below per sample, while preserving fault-detection reliability; GPT-2 and DistilBERT+LoRA offer comparable performance. The framework provides interpretable decisions via self-attention maps and maintains robustness under complex attacks and measurement noise, with a fully reproducible dataset released. This work demonstrates practical, edge-deployable, privacy-preserving cybersecurity augmentation for smart grids.

Abstract

This paper presents a large language model (LLM)-based framework for detecting cyberattacks on transformer current differential relays (TCDRs), which, if undetected, may trigger false tripping of critical transformers. The proposed approach adapts and fine-tunes compact LLMs such as DistilBERT to distinguish cyberattacks from actual faults using textualized multidimensional TCDR current measurements recorded before and after tripping. Our results demonstrate that DistilBERT detects 97.6% of cyberattacks without compromising TCDR dependability and achieves inference latency below 6 ms on a commercial workstation. Additional evaluations confirm the framework's robustness under combined time-synchronization and false-data-injection attacks, resilience to measurement noise, and stability across prompt formulation variants. Furthermore, GPT-2 and DistilBERT+LoRA achieve comparable performance, highlighting the potential of LLMs for enhancing smart grid cybersecurity. We provide the full dataset used in this study for reproducibility.
Paper Structure (17 sections, 1 equation, 5 figures, 7 tables)

This paper contains 17 sections, 1 equation, 5 figures, 7 tables.

Figures (5)

  • Figure 1: Possible intrusion points for cyberattacks on a TCDR.
  • Figure 2: Test system.
  • Figure 3: Example of a textualized FDIA sample generated using the structured prompt template.
  • Figure 4: Tokenized representation of the textualized FDIA sample in Fig. \ref{['fig:textualized_example']} using the HuggingFace distilbert-base-uncased tokenizer.
  • Figure 5: Attention weights assigned to TCDR measurements under a cyberattack.