Catching Intrusions: Classifier Performances for Detecting Network-specific Anomalies in Energy Systems

2018 
Future energy infrastructures, such as the smart grid, will decentralize and integrate different producers, consumers, and network entities. They will be among the most complex and likewise the most exposed network infrastructures. Their protection is crucial for modern society and calls for appropriate security mechanisms to implement multi-level security. This requires protocol-specific monitoring in the core of the process control networks as well as in peripheral subsystems to detect intrusions. To be applicable across a wide range of the integrated subnetworks, the monitoring must be self-adapting to the network traffic of the respective domain. For this purpose, protocol knowledge and machine learning algorithms can be combined into intelligent and flexible anomaly detectors. This paper presents recent results in developing such machine learning detectors by analyzing six classification methods with real-world traffic traces from two energy control networks. The results for different traffic processing methods are discussed in terms of F-score, precision, and recall. They show the high potential of using classification methods for training detectors to enable an intelligent identification of anomalies in smart energy networks with minimal configuration effort.