Detecting Zero-Day Attacks in IEC-61850 based Digital Substations via In-Context Learning
dc.contributor.author | Manzoor, Faizan | en |
dc.contributor.committeechair | Jin, Ming | en |
dc.contributor.committeemember | Liu, Chen-Ching | en |
dc.contributor.committeemember | Viswanath, Bimal | en |
dc.contributor.department | Electrical Engineering | en |
dc.date.accessioned | 2025-05-26T08:00:15Z | en |
dc.date.available | 2025-05-26T08:00:15Z | en |
dc.date.issued | 2025-05-25 | en |
dc.description.abstract | The occurrences of cyber attacks, with novel attack techniques, on the electrical power grids have been increasing every year. In this thesis, we address the critical challenge of detecting novel/zero-day attacks in digital substations that employ the IEC-61850 communication protocol. While many heuristic and ML-based methods have been proposed for attack detection in IEC-61850 digital substations, generalization to novel or zero-day attacks remains challenging. We propose an approach that leverages the in-context learning (ICL) capability of the transformer architecture, the fundamental building block of large language models. The ICL approach enables the model to detect zero-day attacks and learn from a few examples of that attack without explicit retraining. Our experiments on the IEC-61850 dataset demonstrate that the proposed method achieves more than 85% detection accuracy on zero-day attacks while the existing state-of-the-art baselines fail. This work paves the way for building more secure and resilient digital substations of the future. | en |
dc.description.abstractgeneral | Cyber attacks targeting electrical power grids are becoming increasingly frequent, with attackers continuously developing new methods. In this paper, we focus on the crucial challenge of detecting previously unknown, or "zero-day", cyber attacks in digital substations that use a specific communication standard known as IEC-61850. While existing machine learning methods are effective at detecting known threats, they typically struggle with attacks they have not encountered before. To overcome this limitation, we propose a novel approach that uses a powerful type of neural network called a transformer. Transformers, known primarily for their role in large language models, possess an ability called "In-Context Learning," which allows them to rapidly adapt to and detect new attack patterns using just a few examples, without needing extensive retraining or updates. Our experiments demonstrate that our method successfully identifies zero-day attacks with an accuracy of over 85%, significantly outperforming current state-of-the-art techniques. This research offers a promising direction toward more secure and resilient future digital substations. | en |
dc.description.degree | Master of Science | en |
dc.format.medium | ETD | en |
dc.identifier.other | vt_gsexam:43657 | en |
dc.identifier.uri | https://hdl.handle.net/10919/134226 | en |
dc.language.iso | en | en |
dc.publisher | Virginia Tech | en |
dc.rights | In Copyright | en |
dc.rights.uri | http://rightsstatements.org/vocab/InC/1.0/ | en |
dc.subject | In-context learning | en |
dc.subject | IEC-61850 | en |
dc.subject | intrusion detection systems | en |
dc.subject | zero-day attacks | en |
dc.subject | GPT-2 transformer | en |
dc.title | Detecting Zero-Day Attacks in IEC-61850 based Digital Substations via In-Context Learning | en |
dc.type | Thesis | en |
thesis.degree.discipline | Electrical Engineering | en |
thesis.degree.grantor | Virginia Polytechnic Institute and State University | en |
thesis.degree.level | masters | en |
thesis.degree.name | Master of Science | en |