The emerging wide area monitoring systems (WAMS) have brought significant improvements in electric grids' situational awareness. However, the newly introduced system can potentially increase the risk of cyber-attacks, which may be disguised as normal physical disturbances. This paper deals with the event and intrusion detection problem by leveraging a stream data mining classifier (Hoeffding adaptive tree) with semi-supervised learning techniques to distinguish cyber-attacks from regular system perturbations accurately. First, our proposed approach builds a dictionary by learning higher-level features from unlabeled data. Then, the labeled data are represented as sparse linear combinations of learned dictionary atoms. We capitalize on those sparse codes to train the online classifier along with efficient change detectors. We conduct numerical experiments with industrial control systems cyber-attack datasets. We consider five different scenarios: short-circuit faults, line maintenance, remote tripping command injection, relay setting change, as well as false data injection. The data are generated based on a modified IEEE 9-bus system. Simulation results show that our proposed approach outperforms the state-of-the-art method.
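The sparse-representation step described above, as an added example that is not code from the paper: a labeled measurement window is encoded as a sparse combination of dictionary atoms, and the coefficient vector is what an online classifier would then consume. The abstract does not name a sparse coder, so matching pursuit is an assumption here, and the dictionary and sample values are constructed.

```python
import math

# Constructed dictionary: four unit-norm atoms over a 4-sample measurement
# window. In the described pipeline these would be learned from unlabeled data.
DICTIONARY = [
    [1.0, 0.0, 0.0, 0.0],
    [0.0, 1.0, 0.0, 0.0],
    [0.0, 0.0, 0.6, 0.8],
    [0.5, 0.5, 0.5, 0.5],
]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def sparse_code(x, atoms, max_atoms=2, tol=1e-9):
    """Matching pursuit (assumed coder): greedily pick the atom most
    correlated with the residual, subtract its contribution, repeat.

    Returns (code, residual_norm). `code` is a dense coefficient list with
    at most `max_atoms` non-zero entries; a re-selected atom accumulates.
    """
    residual = list(x)
    code = [0.0] * len(atoms)
    for _ in range(max_atoms):
        # Stop early once the window is fully explained (also covers x == 0).
        if math.sqrt(dot(residual, residual)) <= tol:
            break
        corr = [dot(residual, a) for a in atoms]
        j = max(range(len(atoms)), key=lambda i: abs(corr[i]))
        code[j] += corr[j]
        residual = [r - corr[j] * a for r, a in zip(residual, atoms[j])]
    return code, math.sqrt(dot(residual, residual))


# Constructed labeled window: exactly 3 * atom0 + 2 * atom2.
SAMPLE = [3.0, 0.0, 1.2, 1.6]

if __name__ == "__main__":
    code, err = sparse_code(SAMPLE, DICTIONARY)
    # The sparse code, not the raw window, is the classifier's feature vector.
    print("sparse code:", [round(c, 6) for c in code], "residual:", round(err, 6))
```

The residual norm is worth keeping alongside the code: a window the dictionary reconstructs poorly is one the learned atoms do not describe well.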