Abstract
Conventional security methods deployed in power plants have difficulty detecting time delay attacks, since they do not alter network packets. However, these attacks can cause damage and instability in power systems, so detecting them is an urgent anomaly detection problem. Current state-of-the-art anomaly detection methods employ machine learning (ML) or statistical regression models in a supervised fashion, which require large amounts of labeled data for training. This data may be hard to practically obtain, so it is preferable to use unsupervised methods, which do not need labeled data. However, unsupervised anomaly detection solutions suffer from high false positive rates, especially under weak and moderate attacks. To improve on existing unsupervised solutions, we develop and present a dual-stage anomaly detection method using a Recurrent Variational Autoencoder (RVAE) and K-means clustering for detecting time delay attacks in power systems. We focus on samples including weak or moderate attacks which existing solutions cannot accurately detect, but can still harm the system if strategically targeted. We call these cases borderline samples, and use an additional clustering enhancement to more accurately classify them. Evaluation of the proposed approach on our power plant dataset demonstrates that our approach is effective in detecting time delay attacks, with 14.7% higher area under the ROC curve (AUC) than RVAE for borderline samples.