Graph-Based Event Classification in Grid Security Gateways

Title: Graph-Based Event Classification in Grid Security Gateways
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Obert, James; Chavez, Adrian
Conference Name: 2019 Second International Conference on Artificial Intelligence for Industries (AI4I)
Date Published: Sep
Keywords: anomaly detection, control theory, cryptography, cyber-physical attacks, DERA, distributed power generation, electrical grid distribution network, encrypted communications, Encryption, graph theory, Grid Security, grid security gateways, Grid Trust, network anomaly detection, Network security, packet header behavioral analysis, power distribution control, power distribution control devices, power engineering computing, power grids, power system security, probability, Protocols, pubcrawl, renewable distributed energy resource aggregators, renewable energy sources, security, SG system, Substations, TCP-IP packet, TCPIP, telecommunication security, time-series data, transport protocols, Trusted Communications
Abstract: In recent years the use of security gateways (SGs) located within the electrical grid distribution network has become pervasive. SGs in substations and renewable distributed energy resource aggregators (DERAs) protect power distribution control devices from cyber and cyber-physical attacks. When communications within a DER network are encrypted, TCP/IP packet inspection is restricted to packet header behavioral analysis, which in most cases only allows the SG to perform anomaly detection over blocks of time-series data (event windows). Packet header anomaly detection calculates the probability that a threat is present within an event window, but fails when the attack content is carried in the encrypted payload, which the SG cannot read. The SG system log (syslog) is a time-series record of the behavioral patterns of network users and processes accessing and transferring data through the SG network interfaces. Threatening behavioral patterns in the syslog are measurable using both anomaly detection and graph theory. In this paper it will be shown that the presence of a potential threat within an SG syslog can be efficiently detected and classified using lightweight anomaly detection and graph theory.
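The abstract describes the approach only at the level of event windows, syslog behavioral patterns, lightweight anomaly detection and graph structure; the paper's actual graph construction and classifier are not given here. The following is an added example, not code from the paper or its authors, that shows one way those pieces fit together: a constructed SG-style syslog is sliced into fixed event windows, each window becomes a directed access graph (user/process to destination edges), each window is scored with a simple z-score against a baseline of windows assumed benign, and flagged windows are labeled by graph shape. The log format, the field names, the 60-second window, the std floor, the z-threshold, the fan-out and bulk-transfer heuristics and the sample lines are all assumptions made for this illustration.

```python
"""Added illustration, not the paper's code: window a constructed security
gateway (SG) syslog, build a per-window access graph, score windows with a
lightweight z-score against assumed-benign baseline windows, and label the
flagged windows by graph shape. Format, thresholds and labels are assumed."""
from collections import defaultdict
from datetime import datetime
import math
import re

# Constructed log lines in an assumed "<ts> <user> <proc> <iface>-><dst> bytes=<n>" format.
# Windows 0-2 are routine operator traffic; window 3 is a fan-out scan; window 4 is
# a single heavy transfer. All of it is made up for this example.
SYSLOG = """\
2019-09-01T10:00:01 op1 scada-client eth0->10.0.1.5 bytes=512
2019-09-01T10:00:07 op1 scada-client eth0->10.0.1.5 bytes=480
2019-09-01T10:00:12 op2 hmi eth0->10.0.1.6 bytes=300
2019-09-01T10:00:40 op1 scada-client eth0->10.0.1.5 bytes=500
2019-09-01T10:01:03 op2 hmi eth0->10.0.1.6 bytes=310
2019-09-01T10:01:20 op1 scada-client eth0->10.0.1.5 bytes=505
2019-09-01T10:01:35 op2 hmi eth0->10.0.1.6 bytes=295
2019-09-01T10:01:50 op1 scada-client eth0->10.0.1.5 bytes=490
2019-09-01T10:02:05 op1 scada-client eth0->10.0.1.5 bytes=498
2019-09-01T10:02:22 op2 hmi eth0->10.0.1.6 bytes=305
2019-09-01T10:02:44 op1 scada-client eth0->10.0.1.5 bytes=510
2019-09-01T10:02:58 op1 scada-client eth0->10.0.1.5 bytes=502
2019-09-01T10:03:01 svc scanner eth0->10.0.1.5 bytes=60
2019-09-01T10:03:02 svc scanner eth0->10.0.1.6 bytes=60
2019-09-01T10:03:03 svc scanner eth0->10.0.1.7 bytes=60
2019-09-01T10:03:04 svc scanner eth0->10.0.1.8 bytes=60
2019-09-01T10:03:05 svc scanner eth0->10.0.1.9 bytes=60
2019-09-01T10:03:06 svc scanner eth0->10.0.1.10 bytes=60
2019-09-01T10:03:30 op1 scada-client eth0->10.0.1.5 bytes=500
2019-09-01T10:04:02 op3 ftp-client eth0->10.0.1.20 bytes=250000
2019-09-01T10:04:20 op3 ftp-client eth0->10.0.1.20 bytes=250000
2019-09-01T10:04:40 op3 ftp-client eth0->10.0.1.20 bytes=250000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<proc>\S+) (?P<iface>\S+)->(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)
WINDOW_SECONDS = 60  # assumed event-window length
FEATURES = ("events", "edges", "max_out_degree", "bytes")


def parse(text):
    """Yield (epoch seconds, user, proc, dst, bytes) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"]).timestamp()
            yield ts, m["user"], m["proc"], m["dst"], int(m["bytes"])


def window_graphs(text, window=WINDOW_SECONDS):
    """Group events into fixed windows from the first timestamp; each window is a
    directed graph stored as {(src_node, dst_node): [event_count, bytes]}."""
    events = list(parse(text))
    t0 = min(e[0] for e in events)
    graphs = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, user, proc, dst, nbytes in events:
        edge = graphs[int((ts - t0) // window)][(f"{user}/{proc}", dst)]
        edge[0] += 1
        edge[1] += nbytes
    return [graphs[i] for i in range(max(graphs) + 1)]  # missing windows are empty


def features(graph):
    """Lightweight per-window graph features used for scoring."""
    out_degree = defaultdict(set)
    for src, dst in graph:
        out_degree[src].add(dst)
    return {
        "events": sum(c for c, _ in graph.values()),
        "edges": len(graph),
        "max_out_degree": max((len(d) for d in out_degree.values()), default=0),
        "bytes": sum(b for _, b in graph.values()),
    }


def baseline(rows):
    """Per-feature mean and population std over windows assumed benign; the std is
    floored at 1.0 (assumed) so a constant feature cannot yield infinite z-scores."""
    stats = {}
    for f in FEATURES:
        xs = [r[f] for r in rows]
        mean = sum(xs) / len(xs)
        std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        stats[f] = (mean, max(std, 1.0))
    return stats


def classify(graph, feats, fanout_min=5, bulk_bytes=100_000):
    """Label a flagged window by its graph shape (assumed heuristics, not the paper's)."""
    if not graph:
        return "empty window: traffic stopped"
    if feats["max_out_degree"] >= fanout_min:
        return "fan-out: one source reaching many destinations (scan-like)"
    if max(b for _, b in graph.values()) >= bulk_bytes:
        return "bulk transfer: one edge carrying an unusual byte volume"
    return "unclassified anomaly"


def analyze(text, benign_windows=3, z_threshold=3.0):
    """Score every window by its largest absolute z-score over the baseline and
    label windows at or above the threshold; returns one dict per window."""
    graphs = window_graphs(text)
    rows = [features(g) for g in graphs]
    stats = baseline(rows[:benign_windows])  # first windows assumed benign
    results = []
    for i, (g, r) in enumerate(zip(graphs, rows)):
        score = max(abs(r[f] - stats[f][0]) / stats[f][1] for f in FEATURES)
        label = classify(g, r) if score >= z_threshold else "normal"
        results.append({"window": i, "score": round(score, 2), "label": label, **r})
    return results


if __name__ == "__main__":
    for row in analyze(SYSLOG):
        print(row)
```

On the constructed log, windows 0 to 2 score below the threshold, window 3 is flagged because its edge count and maximum out-degree jump (one source node fans out to six destinations), and window 4 is flagged on byte volume alone with a single heavy edge. Note that the payload is never inspected: every feature comes from the syslog's record of who accessed what, which is the point the abstract makes about encrypted DER traffic.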
Citation Key: obert_graph-based_2019