Application of Correlation Indices on Intrusion Detection Systems: Protecting the Power Grid Against Coordinated Attacks

Abstract: The future power grid will be characterized by the pervasive use of heterogeneous and non-proprietary information and communication technology, which exposes the power grid to a broad scope of cyber-attacks. In particular, Monitoring-Control Attacks (MCA) --i.e., attacks in which adversaries manipulate control decisions by fabricating measurement signals in the feedback loop-- are highly threatening. This is because, MCAs are (i) more likely to happen with greater attack surface and lower cost, (ii) difficult to detect by hiding in measurement signals, and (iii) capable of inflicting severe consequences by coordinating attack resources. To defend against MCAs, we have developed a semantic analysis framework for Intrusion Detection Systems (IDS) in power grids. The framework consists of two parts running in parallel: a Correlation Index Generator (CIG), which indexes correlated MCAs, and a Correlation Knowledge-Base~(CKB), which is updated aperiodically with attacks' Correlation Indices (CI). The framework has the advantage of detecting MCAs and estimating attack consequences with promising runtime and detection accuracy. To evaluate the performance of the framework, we computed its false alarm rates under different attack scenarios.