Electrical networks of transmission system operators are mostly built up as isolated networks without access to the Internet. With the increasing popularity of smart grids, securing the communication network has become more important to avoid cyber-attacks that could result in possible power outages. For misuse detection, signature-based approaches are already in use and special rules for a wide range of protocols have been developed. However, one big disadvantage of signature-based intrusion detection is that zero-day exploits cannot be detected. Machine-learning-based anomaly detection methods have the potential to achieve that. In this paper, various such methods for intrusion detection in substations, which use the asynchronous communication protocol International Electrotechnical Commission (IEC) 60870-5-104, are tested and compared. The evaluation of the proposed methods is performed by applying them to a data set which includes normal operation traffic and four different attacks. While the results of supervised and semi-supervised machine learning approaches are rather encouraging, the unsupervised and signature-based methods suffer from general bad performance and had difficulties to detect some attacks.

中文翻译：

---

使用IEC 60870-5-104协议的变电站入侵检测方法比较

传输系统运营商的电气网络大多建立为孤立的网络，无法访问Internet。随着智能电网的日益普及，保护通信网络对于避免可能导致断电的网络攻击变得越来越重要。对于滥用检测，已经使用了基于签名的方法，并且针对各种协议开发了特殊规则。但是，基于签名的入侵检测的一大缺点是无法检测到零日漏洞。基于机器学习的异常检测方法有可能实现这一目标。在本文中，测试并比较了使用异步通信协议国际电工委员会（IEC）60870-5-104的各种变电站入侵检测方法。通过将所建议的方法应用于包括正常操作流量和四种不同攻击的数据集来进行评估。尽管有监督和半监督机器学习方法的结果令人鼓舞，但无监督和基于签名的方法却普遍表现不佳，并且难以检测到某些攻击。