Application of Correlation Indices on Intrusion Detection Systems: Protecting the Power Grid Against Coordinated Attacks
Christian Moya, Junho Hong, and Jiankang Wang

TL;DR
This paper proposes a semantic analysis framework for intrusion detection in power grids that uses correlation indices to identify and assess coordinated cyber-attacks, enhancing detection accuracy and response capabilities.
Contribution
It introduces a novel framework combining a correlation index generator and knowledge base for detecting and analyzing coordinated attacks in power grid cyber-security.
Findings
Framework detects MCAs with promising runtime and accuracy
False alarm rates vary under different attack scenarios
Effective in estimating attack consequences
Abstract
The future power grid will be characterized by the pervasive use of heterogeneous and non-proprietary information and communication technology, which exposes the power grid to a broad scope of cyber-attacks. In particular, Monitoring-Control Attacks (MCA), i.e., attacks in which adversaries manipulate control decisions by fabricating measurement signals in the feedback loop, are highly threatening. This is because MCAs are (i) more likely to happen with greater attack surface and lower cost, (ii) difficult to detect by hiding in measurement signals, and (iii) capable of inflicting severe consequences by coordinating attack resources. To defend against MCAs, we have developed a semantic analysis framework for Intrusion Detection Systems (IDS) in power grids. The framework consists of two parts running in parallel: a Correlation Index Generator (CIG), which indexes correlated MCAs, and…
Taxonomy
Topics: Smart Grid Security and Resilience · Network Security and Intrusion Detection · Information and Cyber Security
