Sensor Data Analytics for Intrusion Detection Tech Tesfay, Prof. - PowerPoint PPT Presentation

Sensor Data Analytics for Intrusion Detection Tech Tesfay, Prof. Anna Scaglione Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 1 / 29

Outline Motivation for cyber-physical intrusion detection Reconnaissance activity identification using: Fog computing: at the network age using Th´ evenin source impedance Cloud computing: at the control centre using data from multiple input sources Grand vision: automated threat detection by leveraging data from other sources Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 2 / 29

Motivation “Whatever can go wrong, will go wrong” Murphy’s law . There will be security breaches no matter how much protection is put in place. Even worse, most utilities have not put security in place. Example : Ukraine power grid attack, Stuxnet malware, US power grid breach report .... Attacks - system diverges from the safe operating limits 1 . Solution: Put (additional) security measures to counter such attacks? 1 cardenas2011attacks Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 3 / 29

Our approach Use intrusion detection to detect malicious activities: Leverage knowledge of the physical laws governing the safe operating limits. Use high resolution ( µ PMU) measurements. Use mirrored SCADA packet. Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 4 / 29

Not so easy to accomplish! Intrusion detection is a challenging task given the following challenges: Challenges Insufficient number of µ PMUs (lack of full system observability), Need for real-time analysis (latency of centralized analytics), Inaccuracy of the grid parameters in the database (time-varying/human errors) Designing appropriate rules to correlate data from different sources and output the correct security status of the grid Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 5 / 29

Hierarchical intrusion detection architecture Fog computing data analysis at the network Control Center edge (local rules), near real-time analysis (1 sec in our case), Cloud Computing prioritizing communication of eventful segments, Fog Computing Cloud computing co-analysis of data from multiple sensors (central rules) PMUs/SCADA Packet Sniffer event localization and Figure: Intrusion Detection Architecture. categorization (natural vs malicious anomaly) 1 jamei2016micro Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 6 / 29

Reconnaissance activity identification using fog computing Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 7 / 29

Case study: Reconnaissance through Th´ evenin estimation Normally-open switch at a substation is a good point for attacker to gauge its controllability over SCADA network by toggling the switch status. Can we identify this specific reconnaissance activity? Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 8 / 29

Case study: Reconnaissance through Th´ evenin estimation Insight The Th´ evenin impedance upstream seen from a distribution substation is dominated by the transformer impedance Implication: The upstream Th´ evenin impedance for “closed-switch” is almost half of the value when the switch is “open” Goal Online Tracking of Th´ evenin source impedance using after transformer substation µ PMU data Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 8 / 29

Related work on Th´ evenin estimation: Least-square methods 1 , 2 , 3 , 4 , 5 . Addressing the quasi steady-state adverse effect on Th´ evenin estimation 6 , 7 . Th´ evenin circuit estimation in a three-phase unbalanced distribution grid 8 using RMS volatge values. 1 vu1999use 2 smon2006local 3 tsai2008line 4 parniani2006voltage 5 arefifar2009online 6 abdelkader2012online 7 alinejadline 8 hart1986characterising Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 9 / 29

Our Contributions First to utilize Th´ evenin parameter for reconnaissance activity identification Online estimation of Th´ evenin parameters in a balanced/unbalanced grid, Proposing a robust algorithm for non-stationary and correlated data. Removing the inaccurate common assumption of constant Th´ evenin voltage angle over a short window Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 10 / 29

Th´ evenin Equivalent Circuit Transmission Thevenin Equivalent v i Subtransmission/ Z th Distribution Feeder Bus1 E PMU/ μ PMU th v [ k ] = E th [ k ] − Z th [ k ] i [ k ] (1) Figure: Transmission Grid Th´ evenin Equivalent Seen from Substation In the sequence domain, assuming transposed lines in the transmission level:         v 0 [ k ] 0 Z 0 [ k ] 0 0 i 0 [ k ]  . v 1 [ k ]  = E 1 [ k ]  − 0 Z 1 [ k ] 0 i 1 [ k ] (2)      v 2 [ k ] 0 0 0 Z 2 [ k ] i 2 [ k ] Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 11 / 29

Estimation: Unbalanced Grid Taking advantage of unbalanced data Assuming Z 1 [ k ] ≈ Z 2 [ k ]: Z 0 [ k ] = − v 0 [ k ] Z 1 [ k ] = − v 2 [ k ] E 1 [ k ] = v 1 [ k ] i 2 [ k ] − v 2 [ k ] i 1 [ k ] i 0 [ k ] , i 2 [ k ] , . (3) i 2 [ k ] Estimation at each instant of time only depends on the measurements of that time-instant. Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 12 / 29

Estimation: Balanced Grid The only non-trivial equation is: v 1 [ k ] = E 1 [ k ] − Z 1 [ k ] i 1 [ k ] (4) Assumption: The resistive part of the Th´ evenin impedance is negligible compared to the inductive part. E jXi   v Figure: Phasor Diagram of the Equivalent Th´ evenin Circuit for Balanced Grid. Let A [ k ] = | E [ k ] | and i im be the imaginary component of the current, then we have: A 2 [ k ] − v 2 [ k ] − X 2 [ k ] | i [ k ] | 2 + 2 i im [ k ] X [ k ] v [ k ] = 0 (5) � �� � r ( A , X ; k ) Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 13 / 29

Estimation: Balanced Grid we form the following M over-determined homogeneous set of quad. equations:     r ( A , X ; k − M + 1) 0 r ( A , X ; k − M + 2) 0         = (4) . .  .   .  . .     r ( A , X ; k ) 0 � �� � � r ( A , X ; k ) Minimize the squared-norm of the vector � r ( A , X ; k ): θ [ k ] f ( A , X ; k ) = 1 r ( A , X ; k ) || 2 min 2 || � (5) where θ [ k ] = [ A [ k ] , X [ k ]] T . Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 13 / 29

Estimation: Balanced Grid Advantages of our formulation: Having the assumption of constant Th´ evenin voltage phase angle over a window of M samples is not needed Reporting phasor angles relative to the voltage phasor angle removes the effect of off-nominal frequency Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 13 / 29

Estimation: Balanced Grid The Levenberg-Marquardt Algorithm (LMA) is used to solve the non-linear least square problem. Advantages: 1 handling close to rank-deficient matrices, 2 better performance compared to Gauss-Newton for a bad initial guess. Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 13 / 29

LMA Algorithm 1: LMA at time instant k Input: � r ( A , X ; k ), and an initial guess θ 0 [ k ] Output: Th´ evenin parameters at time k begin flag ← 1; initialize ρ < 1, λ , and ǫ ; θ [ k ] ← θ 0 [ k ]; while flag=1 do J = ∇ � r ( θ ; k ); P LM ← − ( J T J + λ diag( J T J )) − 1 J T � r ( θ ; k ); θ new [ k ] ← θ [ k ] + P LM ; if f ( θ new ; k ) < f ( θ ; k ) then λ ← ρλ ; θ [ k ] ← θ new [ k ]; else λ ← λ ρ ; if f ( θ ; k ) < ǫ then flag ← 0; φ [ k ] ← sin − 1 ( X [ k ] i r [ k ] / A [ k ]) return E [ k ], X [ k ]; Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 14 / 29

Numerical Results: Unbalanced Grid Added Section μ PMU Z T tr 1 IEEE 34-Bus E 115/24.9 KV th Feeder YN-YN Figure: Modified IEEE-34 Bus Test Case Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 15 / 29

Numerical Results: Unbalanced Grid Estimated Actual 2 . 5533 + j 9 . 4392 2 . 5716 + j 9 . 4320 Z 0 2 . 9922 + j 10 . 92 2 . 99 + j 10 . 8901 Z 1 Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 15 / 29

Numerical Results: Balanced Grid New-England test-case, load ramp event of +2%/sec at load bus 16. Estimated Thevenin Reactance 30 Estimated 25 Actual Reactance(Ohm) 20 15 10 5 0 54.5 55 55.5 56 56.5 57 57.5 58 Time (Sec) Figure: Estimated Th´ evenin Reactance Seen from Bus 16 of New England Test Case Using LMA Method. Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 16 / 29

Application : Reconnaissance Activity Identification Estimated Positive Sequence Thevenin Impedance 5 15 Estimated Estimated Actual ( Switch Open ) Actual ( Switch Open ) Actual (Switch Close ) Actual (Switch Close ) 4 10 Re(Z 1 ) Ohm Im(Z 1 ) Ohm 3 2 5 1 0 0 0 0.1 0.2 0.3 0.4 0.5 0 0.1 0.2 0.3 0.4 0.5 Figure: Substation Main-Spare Time (Sec) Time (Sec) Transformer Setup Figure: Estimated Th´ evenin Source Impedance Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 17 / 29

Reconnaissance activity identification using cloud computing Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 18 / 29

Steps: Analyse event using data from multiple µ PMU Integrate SCADA data in the analysis for event categorization (natural vs malicious anomaly). Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 19 / 29