Detecting Zero-Day Attacks in Digital Substations via In-Context Learning
Faizan Manzoor, Vanshaj Khattar, Akila Herath, Clifton Black, Matthew C. Nielsen, Junho Hong, Chen-Ching Liu, Ming Jin

TL;DR
This paper introduces an in-context learning approach using transformer models to detect zero-day cyber attacks in digital substations, achieving high accuracy without retraining, thus enhancing grid security.
Contribution
It presents a novel in-context learning method leveraging transformers for zero-day attack detection in IEC-61850 substations, outperforming existing approaches.
Findings
Achieves over 85% detection accuracy on zero-day attacks.
Outperforms state-of-the-art baselines in detection accuracy.
Demonstrates effectiveness of ICL in cyber-physical security.
Abstract
Cyber attacks on power grids have been increasing every year, with novel attack techniques emerging each year. In this paper, we address the critical challenge of detecting novel/zero-day attacks in digital substations that employ the IEC-61850 communication protocol. While many heuristic and machine learning (ML)-based methods have been proposed for attack detection in IEC-61850 digital substations, generalization to novel or zero-day attacks remains challenging. We propose an approach that leverages the in-context learning (ICL) capability of the transformer architecture, the fundamental building block of large language models. The ICL approach enables the model to detect zero-day attacks and learn from a few examples of that attack without explicit retraining. Our experiments on the IEC-61850 dataset demonstrate that the proposed method achieves more than…
Taxonomy
Topics: Network Security and Intrusion Detection · Smart Grid Security and Resilience · Advanced Malware Detection Techniques
