Table of Contents
Fetching ...

Explainable Autoencoder-Based Anomaly Detection in IEC 61850 GOOSE Networks

Dafne Lozano-Paredes, Luis Bote-Curiel, Juan Ramón Feijóo-Martínez, Ismael Gómez-Talal, José Luis Rojo-Álvarez

TL;DR

This work tackles anomaly detection in IEC 61850 GOOSE networks under limited labeled attack data by proposing an explainable, unsupervised, multi-view framework. It combines asymmetric autoencoders trained on normal traffic to separately model semantic sequence dynamics and timing-based transmission, with EVT-based thresholds on reconstruction error for robust detection. Feature-level reconstruction error provides direct attribution to IEC 61850 characteristics, enabling practical post-event analysis. Evaluations on real substation data and a public attack dataset demonstrate high detection rates with low false positives, and show strong cross-environment generalization and interpretability for unseen threats.

Abstract

The IEC 61850 Generic Object-Oriented Substation Event (GOOSE) protocol plays a critical role in real-time protection and automation of digital substations, yet its lack of native security mechanisms can expose power systems to sophisticated cyberattacks. Traditional rule-based and supervised intrusion detection techniques struggle to detect protocol-compliant and zero-day attacks under significant class imbalance and limited availability of labeled data. This paper proposes an explainable, unsupervised multi-view anomaly detection framework for IEC 61850 GOOSE networks that explicitly separates semantic integrity and temporal availability. The approach employs asymmetric autoencoders trained only on real operational GOOSE traffic to learn distinct latent representations of sequence-based protocol semantics and timing-related transmission dynamics in normal traffic. Anomaly detection is implemented using reconstruction errors mixed with statistically grounded thresholds, enabling robust detection without specified attack types. Feature-level reconstruction analysis provides intrinsic explainability by directly linking detection outcomes to IEC 61850 protocol characteristics. The proposed framework is evaluated using real substation traffic for training and a public dataset containing normal traffic and message suppression, data manipulation, and denial-of-service attacks for testing. Experimental results show attack detection rates above 99% with false positives remaining below 5% of total traffic, demonstrating strong generalization across environments and effective operation under extreme class imbalance and interpretable anomaly attribution.

Explainable Autoencoder-Based Anomaly Detection in IEC 61850 GOOSE Networks

TL;DR

This work tackles anomaly detection in IEC 61850 GOOSE networks under limited labeled attack data by proposing an explainable, unsupervised, multi-view framework. It combines asymmetric autoencoders trained on normal traffic to separately model semantic sequence dynamics and timing-based transmission, with EVT-based thresholds on reconstruction error for robust detection. Feature-level reconstruction error provides direct attribution to IEC 61850 characteristics, enabling practical post-event analysis. Evaluations on real substation data and a public attack dataset demonstrate high detection rates with low false positives, and show strong cross-environment generalization and interpretability for unseen threats.

Abstract

The IEC 61850 Generic Object-Oriented Substation Event (GOOSE) protocol plays a critical role in real-time protection and automation of digital substations, yet its lack of native security mechanisms can expose power systems to sophisticated cyberattacks. Traditional rule-based and supervised intrusion detection techniques struggle to detect protocol-compliant and zero-day attacks under significant class imbalance and limited availability of labeled data. This paper proposes an explainable, unsupervised multi-view anomaly detection framework for IEC 61850 GOOSE networks that explicitly separates semantic integrity and temporal availability. The approach employs asymmetric autoencoders trained only on real operational GOOSE traffic to learn distinct latent representations of sequence-based protocol semantics and timing-related transmission dynamics in normal traffic. Anomaly detection is implemented using reconstruction errors mixed with statistically grounded thresholds, enabling robust detection without specified attack types. Feature-level reconstruction analysis provides intrinsic explainability by directly linking detection outcomes to IEC 61850 protocol characteristics. The proposed framework is evaluated using real substation traffic for training and a public dataset containing normal traffic and message suppression, data manipulation, and denial-of-service attacks for testing. Experimental results show attack detection rates above 99% with false positives remaining below 5% of total traffic, demonstrating strong generalization across environments and effective operation under extreme class imbalance and interpretable anomaly attribution.
Paper Structure (22 sections, 7 equations, 4 figures, 3 tables)

This paper contains 22 sections, 7 equations, 4 figures, 3 tables.

Figures (4)

  • Figure 1: Overview of the proposed multi-view anomaly detection framework for IEC 61850 GOOSE communication.
  • Figure 2: Visualization of the Raw Temporal Feature Space.
  • Figure 3: Visualization of the AE latent spaces. Direct projection of the bottleneck representations learned by the AEs for different time window lengths.
  • Figure 4: Feature contribution to the anomaly score for different attack types and time window lengths.