Explainable Autoencoder-Based Anomaly Detection in IEC 61850 GOOSE Networks
- URL: http://arxiv.org/abs/2601.09287v1
- Date: Wed, 14 Jan 2026 08:47:07 GMT
- Title: Explainable Autoencoder-Based Anomaly Detection in IEC 61850 GOOSE Networks
- Authors: Dafne Lozano-Paredes, Luis Bote-Curiel, Juan Ramón Feijóo-Martínez, Ismael Gómez-Talal, José Luis Rojo-Álvarez,
- Abstract summary: This paper proposes an explainable, unsupervised multi-view anomaly detection framework for IEC 61850 GOOSE networks. Anomaly detection is implemented using reconstruction errors mixed with statistically grounded thresholds, enabling robust detection without specified attack types. Experimental results show attack detection rates above 99% with false positives remaining below 5% of total traffic.
- Score: 4.641687438249026
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The IEC 61850 Generic Object-Oriented Substation Event (GOOSE) protocol plays a critical role in real-time protection and automation of digital substations, yet its lack of native security mechanisms can expose power systems to sophisticated cyberattacks. Traditional rule-based and supervised intrusion detection techniques struggle to detect protocol-compliant and zero-day attacks under significant class imbalance and limited availability of labeled data. This paper proposes an explainable, unsupervised multi-view anomaly detection framework for IEC 61850 GOOSE networks that explicitly separates semantic integrity and temporal availability. The approach employs asymmetric autoencoders trained only on real operational GOOSE traffic to learn distinct latent representations of sequence-based protocol semantics and timing-related transmission dynamics in normal traffic. Anomaly detection is implemented using reconstruction errors mixed with statistically grounded thresholds, enabling robust detection without specified attack types. Feature-level reconstruction analysis provides intrinsic explainability by directly linking detection outcomes to IEC 61850 protocol characteristics. The proposed framework is evaluated using real substation traffic for training and a public dataset containing normal traffic and message suppression, data manipulation, and denial-of-service attacks for testing. Experimental results show attack detection rates above 99% with false positives remaining below 5% of total traffic, demonstrating strong generalization across environments and effective operation under extreme class imbalance and interpretable anomaly attribution.
Related papers
- Unsupervised Anomaly Detection in Multi-Agent Trajectory Prediction via Transformer-Based Models [45.08545174556591]
We propose an unsupervised anomaly detection framework based on a multi-agent Transformer. A dual evaluation scheme has been proposed to assess both detection stability and physical alignment. Our framework identifies 388 unique anomalies missed by Time-to-Collision and statistical baselines.
arXiv Detail & Related papers (2026-01-28T08:33:10Z)
- Evaluation of Real-Time Mitigation Techniques for Cyber Security in IEC 61850 / IEC 62351 Substations [0.0]
The digitalization of substations enlarges the cyber-attack surface, necessitating effective detection and mitigation of cyber attacks in digital substations. Cryptographic authentication has emerged as a practical candidate for real-time cyber defense, as specified in IEC 62351. This paper presents the design logic and implementation aspects of three potential real-time mitigation techniques capable of countering GOOSE-based attacks.
arXiv Detail & Related papers (2025-11-24T04:20:49Z)
- Adaptive Attacks on Trusted Monitors Subvert AI Control Protocols [80.68060125494645]
We study adaptive attacks by an untrusted model that knows the protocol and the monitor model. We instantiate a simple adaptive attack vector by which the attacker embeds publicly known or zero-shot prompt injections in the model outputs.
arXiv Detail & Related papers (2025-10-10T15:12:44Z)
- ViSTR-GP: Online Cyberattack Detection via Vision-to-State Tensor Regression and Gaussian Processes in Automated Robotic Operations [5.95097350945477]
Connected and automated factories face growing cybersecurity risks that can potentially cause interruptions and damages to physical operations. Data-integrity attacks often involve sophisticated exploitation of vulnerabilities that enable an attacker to access and manipulate the operational data. This paper develops an online detection framework, ViSTR-GP, that cross-checks encoder-reported measurements against a vision-based estimate from an overhead camera outside the controller's authority.
arXiv Detail & Related papers (2025-09-13T19:10:35Z)
- Cyber Attacks Detection, Prevention, and Source Localization in Digital Substation Communication using Hybrid Statistical-Deep Learning [39.58317527488534]
This paper proposes a novel method using hybrid statistical-deep learning for the detection, prevention, and source localization of IEC 61850 SV injection attacks. It effectively discards malicious SV frames with minimal processing overhead and latency, maintains robustness against communication network latency variation and time-synchronization issues. Results demonstrate the method's suitability for practical deployment in IEC 61850-compliant digital substations.
arXiv Detail & Related papers (2025-07-01T07:38:22Z)
- Interpretable Anomaly Detection in Encrypted Traffic Using SHAP with Machine Learning Models [0.0]
This study aims to develop an interpretable machine learning-based framework for anomaly detection in encrypted network traffic. Models are trained and evaluated on three benchmark encrypted traffic datasets. SHAP visualizations successfully revealed the most influential traffic features contributing to anomaly predictions.
arXiv Detail & Related papers (2025-05-22T05:50:39Z)
- CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations [53.036288487863786]
We propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations. It detects and prevents classical attacks in the CAN bus, while detecting advanced attacks that have been less investigated in the literature. We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs.
arXiv Detail & Related papers (2025-05-14T13:37:07Z)
- CryptoFormalEval: Integrating LLMs and Formal Verification for Automated Cryptographic Protocol Vulnerability Detection [41.94295877935867]
We introduce a benchmark to assess the ability of Large Language Models to autonomously identify vulnerabilities in new cryptographic protocols.
We created a dataset of novel, flawed, communication protocols and designed a method to automatically verify the vulnerabilities found by the AI agents.
arXiv Detail & Related papers (2024-11-20T14:16:55Z)
- Convolutional Neural Network Design and Evaluation for Real-Time Multivariate Time Series Fault Detection in Spacecraft Attitude Sensors [41.94295877935867]
This paper presents a novel approach to detecting stuck values within the Accelerometer and Inertial Measurement Unit of a drone-like spacecraft.
A multi-channel Convolutional Neural Network (CNN) is used to perform multi-target classification and independently detect faults in the sensors.
An integration methodology is proposed to enable the network to effectively detect anomalies and trigger recovery actions at the system level.
arXiv Detail & Related papers (2024-10-11T09:36:38Z)
- CC-Cert: A Probabilistic Approach to Certify General Robustness of Neural Networks [58.29502185344086]
In safety-critical machine learning applications, it is crucial to defend models against adversarial attacks.
It is important to provide provable guarantees for deep learning models against semantically meaningful input transformations.
We propose a new universal probabilistic certification approach based on Chernoff-Cramer bounds.
arXiv Detail & Related papers (2021-09-22T12:46:04Z)