Distributed cyber-physical intrusion detection using stacking learning for wide-area protection system

Wide-area protection systems (WAPSs) heavy depends on communication technologies to operate, which leaves space for cyberattacks. A well-designed stealthy and coordinated cyberattacks can disrupt the seamless operation of WAPS by compromising measurement signals, control signals, or both. In this paper, we present a distributed cyber-physical intrusion detection system (DCPIDS) that utilizes the bilateral data from both the cyber side and the physical side to accurately detect cyberattacks on both measurement and control signals in WAPSs. DCPIDS consists of multiple slave agents (SAs) scattered in every area of the power system for regional-area intrusion detection and a master agent (MA) embedded in the system protection center for system status awareness. For the SAs, a hybrid-based intrusion detection method is utilized to conduct regional-area intrusion detection. The proposed method receives the bilateral data to simultaneously detect data integrity attacks on measurement and control signals using three classification models and performs the identification of single and coordinated attacks using a rule-based approach. Further, to train the classification models in the proposed method, a NewStacking-based model training algorithm is adopted. The proposed algorithm combines different selected classifiers that operate on two different feature subsets, which improves the detection accuracy of the models and extends the generalization ability with better robustness. Experimental results reveal that the proposed algorithm has better performance than existing machine learning algorithms and state-of-art works, the proposed method can identify single and coordinated attacks with high accuracy, and our DCPIDS satisfies the real-time requirements for practical online application.