Developing a Hybrid Intrusion Detection System Using Data Mining for Power Systems

Synchrophasor systems provide an immense volume of data for wide area monitoring and control of power systems to meet the increasing demand of reliable energy. The construction of traditional intrusion detection systems (IDSs) that use manually created rules based upon expert knowledge is knowledge-intensive and is not suitable in the context of this big data problem. This paper presents a systematic and automated approach to build a hybrid IDS that learns temporal state-based specifications for power system scenarios including disturbances, normal control operations, and cyber-attacks. A data mining technique called common path mining is used to automatically and accurately learn patterns for scenarios from a fusion of synchrophasor measurement data, and power system audit logs. As a proof of concept, an IDS prototype was implemented and validated. The IDS prototype accurately classifies disturbances, normal control operations, and cyber-attacks for the distance protection scheme for a two-line three-bus power transmission system.