INTRUSION DETECTION FOR CYBER-PHYSICAL POWER SYSTEMS
Tommy Morris and Shengyi Pan
Electrical and Computer Engineering, Distributed Analytics and Security Institute, Mississippi State University

Synchrophasor System and Data Flow
[Figure: synchrophasor data flow from generation, transmission, distribution and consumption through PMU/relay and substation PDC, over the wide area network, to the historian, monitoring and display, data concentration, near real-time dynamic security assessment, early warning system, automatic determination of control actions, the energy management system (EMS) and the system control center.]

Synchrophasor Technology
• Synchrophasor devices
- PMU measures voltage, current and frequency, time-synchronized, at up to 120 samples/second
- PDC concentrates the PMU data
• Advantages
- Enable state monitoring and specification-based IDS
- Allow real-time control
• Characteristics
- Adoption of TCP/IP via the IEEE C37.118 protocol
- Directly interact with the physical system
- Hence vulnerability analysis is needed

A Successful Vulnerability Exploitation
• Remote trip command injection
[Figure: attack path from the WWW and enterprise network through the DMZ into the control room and out to the relay at the outstation, with Snort sensors on the control room and outstation networks.]

Overview
• Problem statement
- Find unique signatures for different scenarios: power system disturbances and cyber attacks
- Thousands of instances of scenarios captured in the lab: a huge amount of data from heterogeneous data sources
• Power system and measurement system dynamics
- Time variation of measured events: different sequences of events for the same scenario
- Measured events out of order, extra events, missing events, etc.
• Related work
- No prior application of data mining to mine patterns for both power system events and cyber attacks
- Traditional data mining did not work well on this large data set: only binary classification

Cyber Attack Scenario in the Test Bed: Remote Trip Command Injection Attack
[Figure: test bed with generators G1 and G2, relays R1–R4, breakers BR1–BR4, substation switch, PDC/OpenPDC, Snort, syslog and control panel.]
Steady state, then:
① Snort detects the injected trip command: Snort log = 1
② Relay R1 trips: R1 log = Trip
③ Breakers open: IR1 = 0, IR2 = 0 (IR1 and IR2 are the currents measured by PMUs R1 and R2)
This is a unique sequence of events for the remote trip command injection attack, which is the signature for this scenario.

Power System Disturbance Scenario in the Test Bed: Single-Line-to-Ground (SLG) Fault
[Figure: same test bed.]
Steady state, then:
① Excessively high current: IR1 = High, IR2 = High
② Relays R1 and R2 trip: R1 log = Trip, R2 log = Trip
③ Breakers open: IR1 = 0, IR2 = 0
This is a unique sequence of events representing the SLG fault, which is the signature for this scenario.
Heterogeneous Data Sources
Data attributes:
• PMU: V, I, F, dF, P, Q
• Relays: trip events
• Control panel: maintenance logs, control panel logs
• Snort: network activities, flags, logs, alarms
• All data sources are time stamped
• Data is captured during scenarios
• Data is labeled
• Huge amount of data
Feature selection:
• PMU: 3-phase currents
• Relay log
• Control panel log
• Snort log

Measured Event Database (MED)
• One MED is created and labeled for one instance
• Heterogeneous data captured during one instance is aggregated
• Each feature in the MED is quantized (for current: H = High, N = Normal, L = Low)
[Figure: example MED for one instance of the SLG fault scenario, events plotted against time.]

States and Path
Example MED for the SLG (phase-a-to-ground) fault scenario
System state IDs in time order: S0, S1, S2, S3, S4
Path: {S0, S1, S2, S3, S4}
• A State is a vector of feature measurements with assigned quantized values. For example:
S0 = [Ia of R1 = N, Ia of R2 = N, …, R1Log = 0, R2Log = 0, …]
• A Path is a sequence of states
• Data is quantized
• Consecutive identical states are merged
• Only the ordering is retained
This significantly reduces the amount of data.

Time Variation in Events Creates Different Paths
Example MED for the phase-a-to-ground fault scenario
Path 1: {S0, S1, S2, S3, S4}
Measured events out of order, Path 2: {S0, S1, S5, S3, S4}
• A State is a vector of feature measurements with assigned quantized values.
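The state and path construction above, as an added example (not code from the original slides): it quantizes constructed MED rows into state vectors, merges runs of identical consecutive states, keeps only the ordering, and shows how an out-of-order event and an extra event turn the same scenario into different paths over one shared state registry. The feature names, the per-unit current thresholds and the three sample instances are assumptions made for the example.

```python
"""Turn one Measured Event Database (MED) instance into a path of quantized states.

Added example, not code from the slides. Feature names, the per-unit current
thresholds and the three sample MEDs below are assumptions made for illustration.
"""

# Assumed quantization thresholds for phase-a current magnitude, in per-unit of
# the pre-fault load current: at or above HIGH is fault current (H), at or below
# LOW the breaker has opened (L), anything in between is normal (N).
HIGH = 1.5
LOW = 0.05


def quantize_current(i_pu):
    """Map a current magnitude to one of the quantized levels H, N or L."""
    if i_pu >= HIGH:
        return "H"
    if i_pu <= LOW:
        return "L"
    return "N"


def build_state(med_row):
    """A state is the vector of quantized feature values of one time-stamped row:
    (Ia of R1, Ia of R2, R1Log, R2Log, SNT, CP), with R1Log/R2Log the relay trip
    flags, SNT a Snort alert flag and CP a control panel log flag."""
    return (quantize_current(med_row["Ia_R1"]), quantize_current(med_row["Ia_R2"]),
            med_row["R1Log"], med_row["R2Log"], med_row["SNT"], med_row["CP"])


class StateRegistry:
    """Gives the same ID (S0, S1, ...) to the same state vector in every instance,
    so that paths from different instances can be compared and mined together."""

    def __init__(self):
        self._ids = {}

    def id_for(self, state):
        if state not in self._ids:
            self._ids[state] = f"S{len(self._ids)}"
        return self._ids[state]


def med_to_path(rows, registry):
    """Sort rows by time, quantize each into a state, merge runs of identical
    consecutive states and keep only the ordering of the distinct states."""
    path = []
    for med_row in sorted(rows, key=lambda r: r["t_ms"]):
        sid = registry.id_for(build_state(med_row))
        if not path or path[-1] != sid:
            path.append(sid)
    return path


def row(t_ms, ia_r1, ia_r2, r1_trip=0, r2_trip=0, snt=0, cp=0):
    """Compact constructor for one MED row (all values constructed for the example)."""
    return {"t_ms": t_ms, "Ia_R1": ia_r1, "Ia_R2": ia_r2,
            "R1Log": r1_trip, "R2Log": r2_trip, "SNT": snt, "CP": cp}


# Three constructed phase-a-to-ground fault instances, PMU rows roughly 8 ms apart.
# Nominal order: high current, R1 trips, R2 trips, breakers open (currents -> 0).
NOMINAL = [row(0, 1.0, 1.0), row(8, 1.0, 1.0), row(16, 3.2, 2.9),
           row(33, 3.2, 2.9, 1, 0), row(50, 3.1, 2.8, 1, 1), row(66, 0.0, 0.0, 1, 1)]
# Events out of order: R2's trip log is seen before R1's.
OUT_OF_ORDER = [row(0, 1.0, 1.0), row(16, 3.2, 2.9), row(33, 3.2, 2.9, 0, 1),
                row(50, 3.1, 2.8, 1, 1), row(66, 0.0, 0.0, 1, 1)]
# Extra event: breaker BR1 opens one sample before BR2, so IR1 is zero while IR2 is still high.
EXTRA_EVENT = [row(0, 1.0, 1.0), row(16, 3.2, 2.9), row(33, 3.2, 2.9, 1, 0),
               row(50, 3.1, 2.8, 1, 1), row(58, 0.0, 2.8, 1, 1), row(66, 0.0, 0.0, 1, 1)]


def example_paths():
    """Build the three paths over one shared registry."""
    registry = StateRegistry()
    return [med_to_path(med, registry) for med in (NOMINAL, OUT_OF_ORDER, EXTRA_EVENT)]


if __name__ == "__main__":
    for name, path in zip(("nominal", "out of order", "extra event"), example_paths()):
        print(f"{name:13s} {path}")
```

The two rows at t = 0 and t = 8 ms of the nominal instance collapse into a single S0, which is the merging step; the out-of-order instance introduces a state (R2 tripped, R1 not yet) that the nominal instance never visits, so it gets a fresh ID S5 and a different path even though the physical scenario is the same.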
Different Paths Due to Extra Events
Example MED for the phase-a-to-ground fault scenario
Path 1: {S0, S1, S2, S3, S4}
Path 2 (events out of order): {S0, S1, S5, S3, S4}
Path 3 (extra event): {S0, S1, S2, S3, S6, S4}

Three Paths for the Phase-a-to-Ground Fault Scenario
[Figure: states S0–S6 against time for the three paths.]
Normal: P1 = {S0, S1, S2, S3, S4}
Events out of order: P2 = {S0, S1, S5, S3, S4}
Extra state: P3 = {S0, S1, S2, S3, S6, S4}
1059 instances of the SLG fault scenario produced 447 unique paths! We need a method to find a pattern that represents all 447 unique paths.

Frequent Sequential Pattern
• Frequent pattern: a pattern (a set of items, subsequences, substructures, etc.) that occurs frequently in a data set
• Frequent sequential pattern: a frequent pattern with consideration of ordering
• Frequent sequential pattern mining was first proposed by Agrawal and Srikant
• Algorithms to find frequent sequential patterns: Apriori [Agrawal et al.] and Frequent Pattern Growth [Han et al.]
• Application of frequent sequential pattern mining
- Medical treatments: mining clinical pathways for patients with different diseases
- A clinical pathway is a sequence of a patient's physiological states

How to Find a Pattern?
PathID | System states | Number of paths
1 | S0, S1, S2, S3, S4 | 6
2 | S0, S1, S5, S3, S4 | 1
3 | S0, S1, S2, S3, S6, S4 | 3
• Sequence X = {S0, …, Sn}
• Support is the fraction of paths that contain sequence X (as an ordered subsequence; gaps are allowed)
• A sequence X is frequent if X's support reaches the minimum support (minsup) threshold
• Let minsup = 70%
• For this example every ordered subset of {S0, S1, S2, S3, S4} is frequent (31 patterns, 26 of them of length two or more): its support is 90% if it contains S2 and 100% otherwise. For example: {S0}: 100%, {S1}: 100%, …, {S0, S1}: 100%, …, {S0, S1, S2}: 90%, {S0, S1, S2, S3}: 90%, {S0, S1, S3, S4}: 100%, {S0, S1, S2, S3, S4}: 90%
• Mining common paths algorithm
- Find the max-sequential-patterns
- A sequence X is a max-sequential-pattern if X is frequent and there exists no frequent super-pattern Y ⊃ X
- {S0, S1, S2, S3, S4} is the max-sequential-pattern in this example. It is also called the common path.

Introduction to the Hybrid Intrusion Detection System
• IDS design goal
- Classify cyber attacks in the power system
- Distinguish power system disturbances and legitimate control actions from cyber attacks
  Avoid false positives, i.e. a disturbance classified as a cyber attack
  Avoid false negatives: cyber attacks that impersonate disturbances or legitimate control actions
  Automatic responses: know the details of specific events rather than only anomaly vs. normal
• IDS design requirement
- Classify general power system disturbances, legitimate control actions and detailed cyber attacks, hence "Hybrid"
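The mining step on this slide and the matching rules given later under Classifier Design (cp ⊆ PUT makes cp a candidate, the PUT takes the class of the longest candidate, several maximal candidates give "uncertain", no candidate gives "unknown"), as one added example; this is not the authors' implementation. The SLG fault paths and counts are the table above; the command injection class paths and the A1–A5 state labels are constructed for the example.

```python
"""Mining common paths (max frequent sequential patterns) and matching paths
under test against them. Added example, not the authors' implementation."""


def is_subsequence(pattern, path):
    """True if every state of `pattern` occurs in `path` in the same order
    (gaps allowed); this is the sense of cp ⊆ PUT used by the classifier."""
    remaining = iter(path)
    return all(state in remaining for state in pattern)


def support(pattern, paths):
    """Fraction of instances whose path contains `pattern`.
    `paths` maps a path (tuple of state IDs) to its number of instances."""
    total = sum(paths.values())
    hits = sum(n for path, n in paths.items() if is_subsequence(pattern, path))
    return hits / total


def frequent_sequential_patterns(paths, minsup):
    """Apriori-style level-wise search: every prefix of a frequent sequence is
    itself frequent, so extending frequent patterns by one frequent state at a
    time enumerates all frequent sequences. Returns {pattern: support}."""
    states = sorted({s for path in paths for s in path})
    frequent_states = [s for s in states if support((s,), paths) >= minsup]
    found = {}
    level = {(s,): support((s,), paths) for s in frequent_states}
    while level:
        found.update(level)
        next_level = {}
        for pattern in level:
            for s in frequent_states:
                candidate = pattern + (s,)
                if candidate in found or candidate in next_level:
                    continue
                sup = support(candidate, paths)
                if sup >= minsup:
                    next_level[candidate] = sup
        level = next_level
    return found


def common_paths(paths, minsup=0.7):
    """Max-sequential-patterns: frequent patterns with no frequent super-pattern."""
    frequent = frequent_sequential_patterns(paths, minsup)
    return sorted(p for p in frequent
                  if not any(len(q) > len(p) and is_subsequence(p, q) for q in frequent))


def train(labelled_paths, minsup=0.7):
    """labelled_paths: {class_name: {path: count}} -> [(common_path, class_name)]."""
    return [(cp, cls) for cls, paths in labelled_paths.items()
            for cp in common_paths(paths, minsup)]


def classify(put, model):
    """Every common path that is a subsequence of the path under test (PUT) is a
    candidate; the PUT takes the class of the longest candidate, 'uncertain' if
    more than one candidate has that length, 'unknown' if there is no candidate."""
    candidates = [(cp, cls) for cp, cls in model if is_subsequence(cp, put)]
    if not candidates:
        return "unknown"
    longest = max(len(cp) for cp, _ in candidates)
    maximal = [cls for cp, cls in candidates if len(cp) == longest]
    return maximal[0] if len(maximal) == 1 else "uncertain"


# The three SLG fault paths of the table on the slide with their instance counts.
SLG_PATHS = {
    ("S0", "S1", "S2", "S3", "S4"): 6,
    ("S0", "S1", "S5", "S3", "S4"): 1,
    ("S0", "S1", "S2", "S3", "S6", "S4"): 3,
}
# Constructed paths for the remote trip command injection class (assumed labels:
# A1 = Snort alert for the injected trip packet, A2 = R1 trips, A3 = IR1 = 0,
# A4 = IR2 = 0, A5 = an extra state seen in a minority of instances).
CMD_INJ_PATHS = {
    ("S0", "A1", "A2", "A3", "A4"): 7,
    ("S0", "A1", "A5", "A2", "A3", "A4"): 3,
}
TRAINING = {"slg_fault": SLG_PATHS, "cmd_injection": CMD_INJ_PATHS}


if __name__ == "__main__":
    model = train(TRAINING)
    print("common paths:", model)
    for put in [("S0", "S1", "S2", "S3", "S6", "S4"),
                ("S0", "A1", "A2", "A3", "A4"),
                ("S0", "S9")]:
        print(put, "->", classify(put, model))
```

With minsup = 70% the SLG class yields the single common path {S0, S1, S2, S3, S4}, which covers all three training paths even though none of the 447 unique paths in the real data set need be identical to it; the classifier's "unknown" and "uncertain" outcomes are the two results that later feed the unclassification rate and the uncertain fault column in the evaluation.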
Distance Protection Scheme
3-bus 2-line transmission system implementing 2-zone distance protection
G: generator, BR: breaker, R: relay/PMU, L: transmission line, B: bus
1. Distance protection: different tripping times for different zones (each relay has its own two protection zones)
• Cyber attack: disable the distance protection
2. SLG faults occur at any location between two relays on L1 or L2
• Cyber attack: replay SLG faults to cause a blackout
3. Operator takes one of the two lines out for maintenance
• Cyber attack: command injection to take any relay out of service

Power System and Attack Scenarios
Power system scenarios
• SLG faults (Q1, Q2): relays trip to clear the faults
• Transmission line maintenance (Q5, Q6): a planned trip signal from the control panel
• Normal operating condition (Q25): no events; periodic random load changes
Cyber attacks
• SLG fault replay (Q3, Q4): impersonates the SLG faults with altered PMU data and a remote trip
• Relay trip command injection (Q7–Q12): mimics line maintenance by replaying MODBUS trip packets to the relay(s)
• Disabling relays (Q13–Q24): interrupts the protection scheme and line maintenance by changing relay settings via a backdoor

Input Data
• Data sources
- 3-phase current magnitudes from the PMUs (PMU sample rate: 120 samples per second)
- Relay logs from R1, R2, R3, R4: relay tripping status
- Snort log: network activities
- Control panel log: administrative control activities
• Simulated 10,000 instances of the 25 scenarios
- In random order, with random fault locations and load levels
- Data captured during scenarios
- Total data size: 38 GB
- Data labeled with instance number and scenario name
- Half used for training and half used for testing

Confusion Matrix (rows: actual class; columns: classification result; orientation follows the false positive and false negative definitions below)
Actual \ Classified | SLG Flt. | SLG Flt. Replay | Line Mnt. | Cmd. Inj. Attack | Normal Oper. | Relay Disable | Unknown
SLG Faults | 1009 | 65 | 0 | 0 | 0 | 3 | 4
SLG Flt. Replay | 0 | 634 | 1 | 31 | 0 | 5 | 4
Line Mnt. | 0 | 0 | 238 | 0 | 0 | 0 | 1
Cmd. Inj. Attack | 16 | 6 | 1 | 508 | 0 | 0 | 93
Normal Oper. | 0 | 0 | 0 | 0 | 114 | 0 | 0
Relay Disable | 3 | 4 | 0 | 0 | 0 | 2127 | 127
Classification
• Avg. accuracy = (1009+634+238+508+114+2127)/5000 = 92.52%
• False positive = (65+3)/5000 = 1.36%: power system scenarios classified as attacks
• False negative = (16+3+1+1)/5000 = 0.42%: attacks classified as power system scenarios
• Unclassification rate = (4+4+1+93+127)/5000 = 4.58%
(As printed, the diagonal sums to 4630 and all cells to 4994, so the percentages above are reproduced from the slide rather than recomputed.)

What About Detecting Zero-Day Scenarios?
• Zero-day attacks are attacks unknown to the IDS (never seen before)
• Zero-day scenarios are simulated by randomly excluding several known scenarios from training
• Testing steps
- 10-round validation
- Each round randomly excludes 4 scenarios from the training process
- Accuracy = (# of zero-day cases being classified) / (# of zero-day cases)
• Avg. accuracy over the 10 rounds is 73.43%, which beats previous work
Results for 10-round validation
Round | Scenarios excluded | Z.D. acc. (%)
1 | Q3, Q11, Q18, Q22 | 76.3
2 | Q2, Q8, Q12, Q23 | 67.3
3 | Q6, Q11, Q16, Q17 | 50.5
4 | Q1, Q5, Q8, Q10 | 73.3
5 | Q1, Q9, Q19, Q21 | 91.8
6 | Q5, Q13, Q20, Q23 | 64.7
7 | Q5, Q10, Q15, Q16 | 63.8
8 | Q12, Q13, Q19, Q24 | 70.7
9 | Q2, Q7, Q9, Q17 | 76.3
10 | Q9, Q10, Q16, Q19 | 99.8

Conclusions
I. Mining common paths algorithm: automatically learns patterns for power system behaviors and cyber attacks
1. Preprocess off-line power system data into paths
2. Find the maximum frequent sequential patterns (common paths)
3. Properly grouping paths using system expertise before mining common paths increases the accuracy
II. A hybrid intrusion detection system (IDS)
1. The mining common paths algorithm scales well to detect a variety of power system scenarios and cyber attacks in a larger system
2. Tested on a 3-bus 2-line system with scenarios taking place at different locations
• Above 90% accuracy and less than 5% FP rate
• A step closer to automated response
3. Ability to detect zero-day attacks

THANK YOU! Questions?
Cyber Attack Flow
Network reconnaissance
• Sniffing on the network
• Looking for sensitive information: IP address ranges, user IDs, passwords, device locations, etc.
Active scanning
• Sending messages to targets (probing) to map the network and identify connected equipment and running services
• Looking for soft spots or vulnerabilities in the target's defenses (vulnerability assessment)
Exploiting vulnerabilities
• Gain access to and control of the target; cause malicious actions
Denial of service (DoS)
• Disable the target by exploiting system flaws related to vendor implementations of communication protocols
[Figure: the flow is annotated with where vulnerability assessment and an intrusion detection system (IDS) apply.]

Cyber Attacks Against Power Systems
• Increasingly interconnected networks
- Provide an increased attack surface
- More network interfaces to attempt penetration
• Attractiveness of cyber attack methods
- Easily available software to exploit existing vulnerabilities
- Easier to spread malware
- Simultaneous attacks on multiple targets from a remote location
• Attacker profiles
- Governments, hostile organizations, insiders, hackers
- Physical sabotage is not required for a cyber attack
- Attack from a safe and secret place
• Consequences
- Attacker gains remote control of critical devices
- Interruption of power system operations
- Power outages, blackouts

Denial of Service Attacks
• Packet flooding
- High network traffic volume, e.g. TCP SYN flooding
- Validates devices' ability to withstand large volumes of traffic
• Well known DoS attacks
- LAND, Teardrop, Ping of Death, etc.
• Protocol mutation
- ICMP, DNP3, TCP, UDP, MODBUS/TCP, HTTP, ARP, IEEE C37.118 and more

Sequences of Events for SLG Fault
[Figure: time (0–140 ms) at which each event is observed across instances, showing the time variation of events: Ia of R1 = High, Ia of R2 = High, R1 = Trip, R2 = Trip, Ia of R1 = 0, Ia of R2 = 0.]

Common Paths for Line Maintenance and Command Injection Attack
[Figure: state ID against time for the two common paths. A state is (IR1, IR2, R1, R2, SNT, CP) with T = tripped, NT = not tripped, SNT = Snort alert and CP = control panel log.]
Line maintenance:
(IR1 = Normal, IR2 = Normal, R1 = NT, R2 = NT, SNT = 0, CP = 0) →
(IR1 = Normal, IR2 = Normal, R1 = NT, R2 = NT, SNT = 0, CP = (R1, R2)) →
(IR1 = Normal, IR2 = Normal, R1 = T, R2 = T, SNT = 0, CP = 0) →
(IR1 = Zero, IR2 = Zero, R1 = T, R2 = T, SNT = 0, CP = 0)
Command injection attack:
(IR1 = Normal, IR2 = Normal, R1 = NT, R2 = NT, SNT = 0, CP = 0) →
(IR1 = Normal, IR2 = Normal, R1 = NT, R2 = NT, SNT = (R1, R2), CP = 0) →
(IR1 = Normal, IR2 = Normal, R1 = T, R2 = T, SNT = 0, CP = 0) →
(IR1 = Zero, IR2 = Zero, R1 = T, R2 = T, SNT = 0, CP = 0)
The two common paths differ only in the state before the trip: a control panel log entry for the planned trip, or a Snort alert for the injected trip command.
• A total of 477 common paths were created for the 25 scenarios; training time: 0.33 seconds/scenario and 34 MB memory

Related Work
• Vulnerability assessment
- Test beds: Idaho National Lab SCADA test bed, Sandia National Lab's Virtual Control System Environment
- Methods: penetration tests, security testing tools, graphical modelling, formal methods
*** None for synchrophasor systems!
• Pattern learning for power system events and cyber attacks
- Power system disturbances: learn patterns from data
  Time domain: decision trees, statistical methods
  Frequency domain: SVM, ANN
*** Creating a time domain data mining algorithm: the mining common paths algorithm
- Learning cyber attack patterns in power systems
  ORNL applied traditional data mining algorithms: they only work for classifying binary classes
  Intrusion detection systems: attack signatures or legitimate system behaviors
*** The common paths algorithm can learn patterns for both disturbances and cyber attacks

Related Work Cont.
• Intrusion detection systems (IDS) for the Smart Grid
- Host-based IDS, network-based IDS, rule-based IDS, IDS using power system theory
*** No stateful monitoring
• Specification-based IDS
- Stateful monitoring: a specification is a sequence of system states
- Currently specifications are created manually
*** Expensive development process!
• Can we learn specifications automatically?
- Sequential pattern mining: mining clinical pathways in the field of medical care. A clinical pathway is a sequence of a patient's physiological states.
*** Mining common paths algorithm

Outline
• Introduction and Motivation
• Contribution
• Vulnerability assessment for synchrophasor system
• Pattern mining from power system data using mining common path algorithm
• A hybrid intrusion detection system
• Conclusion and future work

Synchrophasor System and Wide-area Situational Awareness
• The American Recovery and Reinvestment Act (ARRA, 2009) funded a synchrophasor project
- Add 800 phasor measurement units (PMUs)
- Adoption of TCP/IP networking
- Real-time, high-speed, time-synchronized information about grid conditions
- Accurate grid condition monitoring and wide-area visualization are essential: what is happening? What could happen next?
• Today there are over 1000 PMUs installed across North America
- Large attack surface
- Requires vulnerability assessment

Contributions
• Vulnerability assessment for a synchrophasor system
- Vulnerability tests revealed vulnerabilities in a synchrophasor system
- Suggestions for utilities to mitigate security risk in synchrophasor systems
- A new fuzzing framework was created for a synchrophasor protocol, IEEE C37.118
• Mining common paths algorithm for power system data
- Learns unique patterns (common paths) from data for unique power system behaviors; a common path is a signature which represents a unique behavior
- Frequent sequential pattern mining algorithm borrowed from the health care domain and applied to power system behaviors
- Method to preprocess power system data to map it to the algorithm for training
- Classifier matches monitored behavior to common paths, with increased classifier fidelity compared to anomaly-based and specification-based classifiers

Contributions Cont.
• A hybrid intrusion detection system (IDS)
- Applied the mining common paths algorithm to a large power system
- Less expensive to create the IDS for a power system: patterns are learned automatically from big data and little system expertise is required
- Capable of detecting disturbances, normal control operations and cyber attacks, including their types and locations; a step closer to automated responses
- High detection accuracy, stateful monitoring, processing of high-volume data, detection of zero-day attacks

Vulnerability Assessment for Synchrophasor System
• Problem statement
- Identify synchrophasor device vulnerabilities
- Confirm device compliance with Smart Grid cybersecurity standards
• Related work
- A synchrophasor system test bed is under development
- Little effort so far on vulnerability assessment for synchrophasor systems
• Hypothesis
- Develop a testing process and framework to discover device vulnerabilities and prove conformance to standards

Vulnerability Assessment Steps
Process to compromise a targeted synchrophasor device (PMU/PDC):
• Identify plaintext information, e.g. access points, running services
• Identify vulnerabilities in network protocols via DoS, masquerade attacks, etc.
• Identify password complexity, auditing, etc.
Ensure compliance with requirements derived from:
• NISTIR 7628: Guidelines for Smart Grid Cyber Security; DHS Cybersecurity Procurement Language for Control Systems; utility requirements

Fuzzing Framework for IEEE C37.118 Protocol
[Figure: PMU and PDC connected through a MITM server; the protocol parser feeds the fuzzing engine, which loads the command frame fuzzer, configuration frame fuzzer, data frame fuzzer and header frame fuzzer according to a configuration file; a validation engine and a log engine monitor the target.]
Components:
1. Network packet capturing
• MITM server: Ettercap
2. Test case generation
• Protocol parser: parses IEEE C37.118 packets
• Fuzzing engine: loads a smart fuzzer and a dumb fuzzer for the different frame types
3. Target monitoring
• Validation engine: ICMP Echo/HTTP request for failure validation
4. Logging pertinent data on failure

Vulnerability Assessment Results
• Weak password mechanism
- Weak password complexity
- Password XOR'd with a fixed key
- No password timeout
• Open ports for unused services
- Operating system debugger port left open
• Weak auditing mechanism
- Missing event logs
- No non-repudiation of event logs
• Man-in-the-middle attacks
- Replay attacks
- Steal SSH and RADIUS credentials
- No MODBUS/IEEE C37.118 digital signature
Fuzzing Results
• PDC crashes
• PDC keeps resetting itself
• PMU stops streaming
• Data information lost, e.g. no frequency data present if the frequency field in data packets is mutated
4 reports provided to the utility and the synchrophasor device vendors with the identified vulnerabilities.
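An added example of the parser, smart/dumb command frame fuzzers and the "no digital signature" finding above; this is not the authors' fuzzing framework. It builds an IEEE C37.118 command frame, parses it with the structural checks a validation engine relies on, forges a replacement command the way a MITM would, and generates a deterministic corpus of mutated frames. The frame layout follows the C37.118-2005 common header with CHK = CRC-CCITT (polynomial 0x1021, initial value 0xFFFF); the command codes, the IDCODE and SOC values and the mutation choices are assumptions made for the example.

```python
"""IEEE C37.118 command frames: build, parse, forge and fuzz.

Added example, not the fuzzing framework from the slides. Layout follows the
C37.118-2005 common frame header (SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, body, CHK)
with CHK = CRC-CCITT (poly 0x1021, init 0xFFFF) over all preceding bytes; command
codes are the 2005 set (1 = turn off data, 2 = turn on data, 3 = send HDR,
4 = send CFG-1, 5 = send CFG-2). Verify offsets against the standard before use.
"""
import random
import struct

SYNC_BYTE = 0xAA
FRAME_TYPE_COMMAND = 4
VERSION = 1                       # C37.118-2005
HEADER_LEN = 14                   # SYNC(2) FRAMESIZE(2) IDCODE(2) SOC(4) FRACSEC(4)
CHK_LEN = 2
CMD_TURN_OFF_DATA, CMD_TURN_ON_DATA = 1, 2
CMD_SEND_HDR, CMD_SEND_CFG1, CMD_SEND_CFG2 = 3, 4, 5


def crc16_ccitt(data: bytes) -> int:
    """CRC-CCITT for the CHK field: poly 0x1021, init 0xFFFF, no reflection, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def seal(frame_without_chk: bytes) -> bytes:
    """Append a correct CHK. Anyone on the path can do this: a CRC is an integrity
    check against line errors, not a signature, so it authenticates nothing."""
    return frame_without_chk + struct.pack(">H", crc16_ccitt(frame_without_chk))


def build_command_frame(idcode: int, cmd: int, soc: int = 0, fracsec: int = 0) -> bytes:
    body = struct.pack(">H", cmd)
    framesize = HEADER_LEN + len(body) + CHK_LEN
    sync = bytes([SYNC_BYTE, (FRAME_TYPE_COMMAND << 4) | VERSION])
    return seal(sync + struct.pack(">HHII", framesize, idcode, soc, fracsec) + body)


def parse_frame(frame: bytes) -> dict:
    """Strict parser: SYNC, FRAMESIZE and CHK are the checks the validation engine relies on."""
    if len(frame) < HEADER_LEN + CHK_LEN or frame[0] != SYNC_BYTE:
        raise ValueError("bad SYNC or truncated frame")
    framesize, idcode, soc, fracsec = struct.unpack(">HHII", frame[2:HEADER_LEN])
    if framesize != len(frame):
        raise ValueError(f"FRAMESIZE {framesize} != actual length {len(frame)}")
    if struct.unpack(">H", frame[-CHK_LEN:])[0] != crc16_ccitt(frame[:-CHK_LEN]):
        raise ValueError("bad CHK")
    parsed = {"type": (frame[1] >> 4) & 0x7, "version": frame[1] & 0xF,
              "idcode": idcode, "soc": soc, "fracsec": fracsec,
              "body": frame[HEADER_LEN:-CHK_LEN]}
    if parsed["type"] == FRAME_TYPE_COMMAND:
        parsed["cmd"] = struct.unpack(">H", parsed["body"][:2])[0]
    return parsed


def is_valid(frame: bytes) -> bool:
    """Validation step: does the frame pass the parser's structural checks?"""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def forge_command(captured: bytes, new_cmd: int) -> bytes:
    """MITM rewrite of a captured command frame: swap the CMD field and re-seal."""
    return seal(captured[:HEADER_LEN] + struct.pack(">H", new_cmd)
                + captured[HEADER_LEN + 2:-CHK_LEN])


def dumb_mutate(frame: bytes, rng: random.Random) -> bytes:
    """Dumb fuzzer: flip one random bit between SYNC and CHK, then re-seal so the
    target's CRC check does not discard the case before the parser sees it."""
    buf = bytearray(frame[:-CHK_LEN])
    pos = rng.randrange(2, len(buf))
    buf[pos] ^= 1 << rng.randrange(8)
    return seal(bytes(buf))


def smart_mutate(frame: bytes, rng: random.Random) -> bytes:
    """Smart fuzzer: field-aware mutations of the parsed structure."""
    buf = bytearray(frame[:-CHK_LEN])
    choice = rng.randrange(4)
    if choice == 0:    # FRAMESIZE that disagrees with the real length
        struct.pack_into(">H", buf, 2, rng.choice([0, 1, 0xFFFF, len(buf) + CHK_LEN + 100]))
    elif choice == 1:  # undefined or reserved command code
        struct.pack_into(">H", buf, HEADER_LEN, rng.choice([0, 6, 7, 0x0100, 0xFFFF]))
    elif choice == 2:  # unknown version number in the SYNC field
        buf[1] = (FRAME_TYPE_COMMAND << 4) | rng.choice([0, 15])
    else:              # FRACSEC with every time-quality flag set and an out-of-range fraction
        struct.pack_into(">I", buf, 10, 0xFFFFFFFF)
    return seal(bytes(buf))


def fuzz_cases(seed_frame: bytes, count: int, seed: int = 1) -> list:
    """Deterministic corpus alternating smart and dumb mutations of one seed frame."""
    rng = random.Random(seed)
    return [(smart_mutate if i % 2 == 0 else dumb_mutate)(seed_frame, rng) for i in range(count)]


if __name__ == "__main__":
    seed = build_command_frame(idcode=7, cmd=CMD_TURN_ON_DATA, soc=1_400_000_000)
    print("seed  :", seed.hex(), parse_frame(seed))
    print("forged:", parse_frame(forge_command(seed, CMD_TURN_OFF_DATA))["cmd"])
    for case in fuzz_cases(seed, 6):
        print("accepted" if is_valid(case) else "rejected", case.hex())
```

Every fuzz case carries a valid CHK, so the cases the strict parser still rejects are exactly the FRAMESIZE and SYNC mutations; a target that accepts or crashes on those is the kind of finding listed under the fuzzing results. The forge step is the practical meaning of "no IEEE C37.118 digital signature": a turn-on-data command captured on the wire becomes a valid turn-off-data command with two bytes changed and a recomputed CRC, which is why the mitigation has to come from the transport (authenticated tunnels between PMU, PDC and control center) rather than from the frame format.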
THIS DOES NOT MEAN WE ARE ABSOLUTELY SECURE!

Classifier Design
• Validate the correctness of the common paths by creating a classifier
• Training process: compute the common paths for the different classes using the mining common paths algorithm
• Testing process: match a test path with a common path
- Compare to all common paths (cpi)
- For each path under test (PUTi):
1. If cpi ⊆ PUTi (cpi occurs in PUTi as an ordered subsequence) then cpi is a candidate common path
2. PUTi is classified as the class of the maximal-length candidate common path
3. If more than one candidate common path is maximal then PUTi is classified as uncertain
• 1059 paths for SLG fault, 274 paths for remote trip command injection attack
- In random order, random fault locations, random load levels
- Labeled by class name, load level and fault location (if applicable)
- Half used as training paths, half used as testing paths

Experiment 1: Evaluation on Two Classes: SLG Fault and Remote Command Injection Attack
• Validate whether the common paths for the two classes are unique
• Training with paths of the two classes
- 203 common paths for the SLG fault class; 18 common paths for the command injection attack class
• Testing
- 519 testing paths of the SLG fault scenario; 127 testing paths of the cmd. inj. attack scenario
Confusion matrix for testing paths of SLG fault and command injection (rows: actual class; columns: assigned class)
Classes | SLG Fault | Cmd. Inj. | Unknown | Testing paths total
SLG Fault | 491 | 0 | 28 | 519
Cmd. Inj. | 0 | 123 | 4 | 127
Accuracy = (491+123)/(519+127) × 100% = 95.0%

Experiment 2: Evaluation on More Classes
• Additional experiment used to verify the correctness of the common paths
• Stress the mining common paths algorithm
- Demonstrate the ability of the algorithm to create unique common paths from smaller differences between similar classes
• The SLG fault class is divided into 36 SLG fault classes by 9 fault location ranges and 4 load level ranges
- Example: an SLG fault class can be "SLG fault at 10–23% of the transmission line with the load level in 200–249 MW"
[Figure: relay R1 and R2 trip times (0–0.6 s) against fault location on line L1 (10–90%), partitioned into the 9 fault location ranges ①–⑨.]

Experiment 2: Evaluation on More Classes
Training:
1. Group paths by pre-defined classes
• 36 SLG fault classes
• 4 cmd. inj. att. classes
2. Compute common paths for each class
3. Combine common paths as needed
• 10 classes: 9 fault locations and cmd. inj. att.
• 2 classes: SLG fault and cmd. inj. att.

Evaluation Results
Confusion matrix for testing paths of SLG fault and command injection (rows: actual class; columns: assigned class)
Classes | SLG Fault | Cmd. Inj. | Unknown | Testing paths total
SLG Fault | 497 | 0 | 21 | 519
Cmd. Inj. | 0 | 127 | 0 | 127
Binary accuracy = (497+127)/(519+127) × 100% = 96.6%

Confusion matrix for 9 SLG fault locations and 1 command injection class (rows: actual class; columns: assigned class; Unc. Fault = uncertain fault)
Actual \ Assigned | 10-23% | 23-29% | 30-35% | 36-40% | 41-60% | 61-65% | 65-70% | 71-80% | 81-90% | C. Inj. | Unc. Fault | Unknown
10-23% | 191 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 4
23-29% | 3 | 4 | 0 | 7 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
30-35% | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 9 | 0
36-40% | 0 | 0 | 0 | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 7 | 0
41-60% | 0 | 0 | 0 | 6 | 41 | 5 | 8 | 0 | 0 | 0 | 0 | 1
61-64% | 0 | 0 | 0 | 0 | 2 | 10 | 3 | 0 | 0 | 0 | 0 | 0
65-70% | 0 | 0 | 0 | 0 | 0 | 0 | 14 | 1 | 0 | 0 | 0 | 0
71-80% | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 38 | 0 | 0 | 0 | 0
81-90% | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 18 | 135 | 0 | 0 | 0
C. Inj. | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 127 | 0 | 0
10-class accuracy = (191+4+4+2+41+10+14+38+135+127)/(519+127) × 100% = 87.6%

Evaluation Conclusion
• A classifier can automatically be trained from data using the mining common paths algorithm
• Common paths are created for differentiating
- Binary classes: SLG fault scenario and a cyber attack
- Multiple similar SLG fault scenarios
Differences between experiment 1 and experiment 2
Experiment 1 | Experiment 2
Compute common paths over a broad range of input paths | Compute common paths over grouped input paths
Does not require system expertise | Requires system expertise to know how to group paths
Provides no extra information on fault locations | Provides extra information on fault locations
Accuracy for binary classification: 95% | Accuracy for binary classification: 96.6%
Users can decide whether or not to use the path grouping strategy based on:
• How much expertise they have
• Whether they need the extra information
• How much extra accuracy the classifier will provide

IDS Training and Testing Process
Training process
1. One MED is created from the data collected for one instance
• MEDs are converted into paths
• 10,000 paths are created
2. Paths are preprocessed
• Subclasses for the SLG fault scenarios are predefined based on the relay behavior chart
• Paths are grouped based on the predefined classes
3. Common paths are mined for each group of paths
4. Combine common paths as needed
• A total of 477 common paths were created for the 25 scenarios; training time: 0.33 seconds/scenario and 34 MB memory
Testing process: match a test path with a common path
• If no match: unknown

Future Work
1. Vulnerability assessment in cyber-physical systems
• Quantify the vulnerabilities: how likely is a vulnerability to be exploited?
• Extend the assessment methodologies to advanced metering systems and other industrial control systems
2. Apply the IDS to other wide-area protection schemes and a larger power system scale
• How to train for a much larger system (thousands of buses)?
• Data management, feature selection (how to manage larger data? Are all features needed?)
3. What if a PMU is not at every bus?
• Optimal PMU locations while keeping the high detection accuracy
• Impact of the PMU sampling rate
4. How to implement the IDS in real time?
• How to handle a continuous stream of synchrophasor data?
• Buffer the data -> mine patterns off-line -> detect in real time
• Window the real-time data -> learn patterns from the data in the window -> refine the patterns as data continues to arrive (window size?)

Publications
• Journal papers under review
- Pan, S., Morris, T., Adhikari, U., "Developing a Hybrid Intrusion Detection System Using Data Mining for Power System," under review for IEEE Transactions on Smart Grid.
- Pan, S., Morris, T., Adhikari, U., "Detection for Fault and Cyber Attack in Power System by Mining Synchrophasor Data," under review for IEEE Transactions on Industrial Informatics.
- Pan, S., Morris, T., Adhikari, U., "A Specification-based Intrusion Detection System for Cyber-physical Environment in Electric Power System," submitted to the International Journal of Computer Security.
• Published journal papers
- Morris, T., Pan, S., Adhikari, U., Younan, N., King, R., Madani, V., "Cyber Security Testing and Intrusion Detection for Synchrophasor Systems," accepted by the International Journal of Network Science (IJNS).
- Srivastava, A., Morris, T., Ernster, T., Vellaithurai, C., Pan, S., Adhikari, U., "Modeling Cyber-Physical Vulnerability of the Smart Grid With Incomplete Information," IEEE Transactions on Smart Grid, vol. 4, no. 1, pp. 235–244, March 2013.

Publications Cont.
• Book chapters
- Morris, T., Pan, S., Adhikari, U., Younan, N., King, R., Madani, V., "Phasor Measurement Unit and Phasor Data Concentrator Cyber Security," in Systems and Optimization Aspects of Smart Grid Challenges, Carvalho, M., Pappu, V., Pardalos, P., Eds., Springer US.
• Conference papers
- Adhikari, U., Morris, T., Pan, S., "A Causal Event Graph for Cyber-Power System Events Using Synchrophasor," accepted by the IEEE Power & Energy Society General Meeting, July 27–31, 2014, Washington, D.C.
- Adhikari, U., Morris, T., Pan, S., "A Cyber-Physical Power System Test Bed for Intrusion Detection Systems," accepted by the IEEE Power & Energy Society General Meeting, July 27–31, 2014, Washington, D.C.
- Pan, S., Morris, T., Adhikari, U., "Causal Event Graphs Cyber-physical System Intrusion Detection System," proc. of the 8th Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW8), Jan 8–10, 2013, Oak Ridge, TN.
- Sprabery, R., Morris, T., Pan, S., Adhikari, U., "Protocol Mutation Intrusion Detection for Synchrophasor Communications," proc. of the 8th Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW8), Jan 8–10, 2013, Oak Ridge, TN.
- Morris, T., Adhikari, U., Pan, S., "Cyber Security Recommendations for Wide Area Monitoring, Protection, and Control Systems," IEEE Power & Energy Society General Meeting, July 22–26, 2012, San Diego, CA.
- Adhikari, U., Morris, T., Dahal, N., Pan, S., King, R., Younan, N., Madani, V., "Development of Power System Test Bed for Data Mining of Synchrophasors Data, Cyber-Attack and Relay Testing in RTDS," IEEE Power & Energy Society General Meeting, July 22–26, 2012, San Diego, CA.
- Morris, T., Pan, S., Lewis, J., Moorhead, J., Reaves, B., Younan, N., King, R., Freund, M., Madani, V., "Cybersecurity Testing of Substation Phasor Measurement Units and Phasor Data Concentrators," proc. of the 7th Annual ACM Cyber Security and Information Intelligence Research Workshop (CSIIRW), October 12–14, 2011, Oak Ridge, TN.
- Guo, Y., Pan, S., Wang, H., Zheng, H., "A Hybrid Classification Approach to Improving Location Accuracy In A Bluetooth based Room Localization System," proc. of the International Conference on Machine Learning and Cybernetics (ICMLC), July 11–14, 2010.
- Rahman, T., Pan, S., Zhang, Q., "Design of A High Throughput 128-bit AES (Rijndael Block Cipher) System," proc. of the International Multi-Conference of Engineers and Computer Scientists (IMECS), March 17–19, 2010.