Artificial Immune System (AIS) Based Intrusion Detection System (IDS) for Smart Grid Advanced Metering Infrastructure (AMI) Networks
Abstract
The Smart Grid is a large system consisting of many components that contribute to the bidirectional exchange of power. It is “smart” because vast amounts of data are transferred between the meter components and the control systems that manage the data. The scale of the smart grid is too large to micromanage. That is why smart grids must learn to use Artificial Intelligence (AI) to be resilient and self-healing against cyber-attacks that occur on a daily basis. Unlike traditional cyber defense methods, Artificial Immune System (AIS) principles have an advantage because they can detect attacks from inside the network and stop them before they occur.
The goal of the report is to provide a proof of concept that an AIS can be implemented on smart grid AMI (Advanced Metering Infrastructure) networks and can detect intrusions and anomalies in the network data. The report describes a proof of concept implementation of an AIS for intrusion detection with a synthetic packet capture (pcap) dataset containing common Internet protocols used in smart grid AMI networks.
The report also aims to provide the background necessary for understanding the implementation in the later sections. The background section defines what a smart grid is and how its Advanced Metering Infrastructure (AMI) works, describing all three networks the AMI consists of. The Wide Area Network (WAN) is one of the three networks, and we scoped our project down to the WAN. The report goes on to discuss the current cyber threats as well as defense solutions related to the smart grid network infrastructure today. One of the most widely used defense mechanisms is the Intrusion Detection System (IDS), which has many important techniques that can be used in the AIS based IDS implementation of this report. The most commonly used AIS algorithms are defined. Specifically, the Negative Selection Algorithm (NSA) is used for our implementation. The NSA components used in the implementation section are thoroughly explained and the AIS based IDS framework is defined. A list of AIS usages/values in enterprise networks is presented as well as research on current NSA use in AIS implementations.
The latter portion of the report consists of the design and implementation. Due to data constraints and various other limitations, the team wasn’t able to complete the initial implementation successfully. Therefore, a second implementation design was created, leading to the main implementation, which meets the project’s objective. The implementation employs a proof of concept approach using a C# console application which performs all steps of an AIS on user created network data. In conclusion, the second implementation has the ability to detect intrusions in a synthetic dataset of “man-made” network data. This proves the AIS algorithm works and furthers the understanding that if the implementation were scaled up and used on real-time WAN network data it would run successfully and prevent attacks. The report also documents the limitations and problems one can run into when attempting to implement a solution of this scale. The ending sections of the report consist of the Requirements, Assessment, Assumptions, Results, and Lessons Learned, followed by the Acknowledgments to MITRE Corporation, which helped immensely throughout the development of the report.