Explainable Autoencoder-Based Anomaly Detection in IEC 61850 GOOSE Networks
Dafne Lozano-Paredes, Luis Bote-Curiel, Juan Ramón Feijóo-Martínez, Ismael Gómez-Talal, and José Luis Rojo-Álvarez

TL;DR
This paper introduces an explainable, unsupervised autoencoder-based anomaly detection framework for IEC 61850 GOOSE networks, effectively identifying cyberattacks with high accuracy and interpretability in power substation communications.
Contribution
It presents a novel multi-view autoencoder approach that separates semantic and temporal features for robust, explainable anomaly detection in IEC 61850 GOOSE traffic, addressing class imbalance and zero-day attack detection.
Findings
Detection rates above 99% for cyberattacks
False positive rate below 5% of total traffic
Effective generalization across different environments
Abstract
The IEC 61850 Generic Object-Oriented Substation Event (GOOSE) protocol plays a critical role in real-time protection and automation of digital substations, yet its lack of native security mechanisms can expose power systems to sophisticated cyberattacks. Traditional rule-based and supervised intrusion detection techniques struggle to detect protocol-compliant and zero-day attacks under significant class imbalance and limited availability of labeled data. This paper proposes an explainable, unsupervised multi-view anomaly detection framework for IEC 61850 GOOSE networks that explicitly separates semantic integrity and temporal availability. The approach employs asymmetric autoencoders trained only on real operational GOOSE traffic to learn distinct latent representations of sequence-based protocol semantics and timing-related transmission dynamics in normal traffic. Anomaly detection is…
Taxonomy
Topics: Smart Grid Security and Resilience · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
