2018 the 3rd IEEE International Conference on Cloud Computing and Big Data Analysis
Ensemble Learning Methods for Power System Cyber-Attack Detection
Xiayang Chen, Lei Zhang, Yi Liu, Chaojing Tang
College of Electronic Science, National University of Defense Technology
Changsha, China
e-mail:
[email protected]
Abstract—Power system is one of the most important industrial
control systems in today's society. In recent years, power
systems have been well researched and developed extensively
with a high rate. In order to optimally integrate systems and
reduce costs, lots of advanced information technologies are
involved into power systems. Traditional power system is
changing to the smart power grid rapidly. Therefore, modern
power systems are now exposing to the public network and
information security is becoming a new threat to resilience. In
this work, we explore the suitability of ensemble learning
methods as a means of detecting power system cyber-attack.
We evaluate various ensemble learning methods as cyber-
attack detectors and discuss the practical implications for
deploying ensemble learning methods as an enhancement to
existing power system architectures.
Keywords-ensemble learning; power system; industrial
control system; intrusion detect; cyber-attack detection
I. INTRODUCTION
The main task of power system is transmitting of
electricity to the customers. Power systems have been
designed with the fault tolerance mechanisms and
redundancy to perform this task, but information security
was not a consideration at the time. As formerly physically
isolated power systems were joined to the Internet for
integrated control and management, it bring about a greater
potential for unauthorized access and uncovered these
systems to the same vulnerabilities that trouble traditional
computer systems and networks.
In this work, we explore the suitability of ensemble
learning methods as a means of detecting power system
cyber-attack. We evaluate the classification performance of
various ensemble learning methods. They are evaluated in
the terms of classification accuracy, precision, recall and F-
measure. 15 power system attack datasets are used in this
paper to evaluate those ensemble learning methods. These
datasets are collected from a model power system
constructed by Mississippi State University and Oak Ridge
National Laboratory [1]. Each dataset has about five
thousand instances. The datasets contains 129 features.
These features consist of 116 columns for phasor
measurements of electrical waves, 12 columns for control
panel logs, Snort alerts and relay logs and the one column for
label. In total, 6 kinds of event scenarios are recorded in the
datasets. To simple the experiment, we grouped these event
scenarios as either an attack or normal operations.
The remainder of this paper is organized as follows.
Section 2 is related work. Section 3 discusses our
978-1-5386-4301-3/18/$31.00 ©2018 IEEE
methodology of ensemble learning methods. In Section 4, we
demonstrate our results. And finally, Section 5 shows
conclusions.
II. RELATED WORK
Ensemble learning has distinguished itself as an
outstanding detector of malicious and anomalous events in
intrusion detection for traditional computer systems and
networks, since it has better performance in comparison with
single machine learning method [2]. It is deployed by
incorporating several base classifiers to produce final class
output.
Many previous researchers have applied classifier
ensemble to Intrusion Detect Systems (IDSs). An ensemble
classifier based on majority voting which consisted of three
base classifiers, i.e. neural network, support vector machine,
and multivariate regression splines were proposed for
anomaly detection in paper [3]. The performance of the
proposed approach was evaluated on the KDDCup99 dataset.
Feature selection also was applied to reduce the
computational overhead in this work. Ensemble of decision
tree and support vector machine using weighted ensemble
approach was discussed in [4]. The proposed approach was
implemented on the full features set of KDDCup99 dataset.
Accuracy was acted as performance evaluation in this work.
In paper [5], a classifier ensemble, called Adaboost, was
applied to improve the performance of decision stump. False
alarm rate and precision were used to evaluate the proposed
method. Their evaluation was on the reduced-features of
KDDCup99 dataset. A product rule combination was
demonstrated by [6]. It was applied as the combiner to
predict final class prediction. The area under ROC curve
(AUC) was used as a performance evaluation metric. This
proposed scheme was also evaluated on the KDDCup99
dataset. The paper [7] proposed a tree-based classifiers
ensemble with hybrid feature selections for intrusion
detection systems. Three feature selection techniques, i.e.
PSO, ACO, and GA were involved aiming at obtaining the
best subset of features. Moreover, four tree-based classifier
algorithms, i.e. RF, NBT, LMT, and REPT were grouped for
classification analysis. This proposed scheme was evaluated
on the NSL-KDD dataset.
In recent years, the emergence of power system has
motivated research into many kinds of intrusion detection
techniques. One type of IDS research focuses on Intelligent
Electronic Devices (IED) security within power system. An
anomaly-based detection technique for IED was proposed by
Chee-Wooi Ten et al. in [8]. This detection technique was
613
host-based. Therefore, it only identified attacks against a
single IED in the substation according to the log from that
IED. Another IDS which provided a protection mechanism
for smart household appliances was proposed by Chen et al.
in [9]. This IDS created security rules for individual
appliances via modeling three factors of the appliance,
device security, usability and electricity pricing, with
homogeneous functions. More IDSs of this kind obtain
system level detection based on behaviors of multiple
devices within the system. In [10], the behaviors of three
kinds of physical devices, head-ends, data aggregation points
distribution access points and subscriber energy meters, were
taken into consideration to construct a specification-based
IDS for the electric grid. In this paper, readings from 22
sensors of these devices were used as state components.
These components were quantized into a limited number of
ranges. Three state machines with 3456, 1728, and 3456
states were built respectively for the three devices in the
terms of conjunctive normal form. Obviously, it’s very
expensive to build such IDS’s because of the large state
space. In addition, this IDS can only detect a small number
of attacks by using a limited number of sensors.
Another type of IDSs for power system makes use of
communication traffic in the information infrastructure to
detect cyber-attacks. Yang et al. proposed an IDS in [11] for
synchrophasor systems. It detected cyber-attacks based on
access control white lists, protocol-based white lists and
network behavior-based rules. However, this IDS was
limited to cyber-attacks such as Man-in-the-Middle (MITM)
and Denial of Service (DoS). Similar to Yang’s IDS, Zhang
et al. in [12] proposed a distributed IDS which analyzed
communications traffic at different network levels of smart
grid. These network levels included home area networks,
neighborhood area networks, and wide area networks. An
intelligent module was applied to each level to classify
possible cyber-attacks and malicious data in the utilization of
data mining algorithms. Then a system level view of the
whole communication network was constructed by
communicating of these modules. The construction of this
system level view was aimed at improving the detection
accuracy. An anomaly detection technique for industrial
control systems was proposed by Hadeli et al. in [13], which
extracted behavior patterns from protocols used in industrial
control systems, such as GOOSE messages, Modbus/TCP,
Manufacturing Message Specification, IEEE 61850 and
redundant network routing protocols.
III. METHODOLGY
A. The Base Learning Methods Used for Detection
We select 5 representative learning methods as base
methods, which are widely applied in classification problems.
They are Bayesnet, OneR, Ripper, C4.5 and SVM. These 5
classifiers can be grouped under four main categories:
1. Probabilistic classification (Bayesnet)
2. Rule induction (OneR, Ripper)
3. Decision tree learning (C4.5)
4. Non-probabilistic binary classification (SVM)
614
OneR. OneR is a very simplistic method that evaluates
each feature optimum rule and chooses the best one from all
feature rule sets [14].
Bayesnet. This method is designed for pattern
classification based on the Bayesian decision rule with neural
network architecture [15]. It can learn the probability density
functions (PDFs) of individual pattern classes from a set of
learning samples.
C4.5. This is a decision support approach which uses a
tree-like graph or model of decisions and their possible
consequences [16]. It is a development of earlier ID3
algorithm [17] and builds a decision tree based on
information gain ratio.
SVM. Support vector machines [18] trained using
sequential minimal optimization [19]. SVM classifies
instances by constructing a hyperplane or set of hyperplanes
in a high-dimensional space. New instances are then divided
into a class based on their position in that space relative to
the hyperplanes.
Ripper. Incremental Reduced Error Pruning algorithm
that applies a separate-and-conquer methodology developed
in [20] and improved by Cohen as shown in [21] to generate
a sophisticated rule set.
B. The Ensemble Learning Methods Used for Detection
Adaptive boosting. This is an algorithm applied to
improve the performance of other types of learning methods
[22]. It is an ensemble learning method in which each new
model instance focuses on training examples which were
classified in correctly in the previous models.
Bagging. It is also called random subspace method. It is
an ensemble learning method which aims at reducing the
correlation between estimators in an ensemble via training
them on random samples of features instead of the entire
feature set [23].
Majority voting. In this paper, every base classifier
mentioned above are put together to votes for one class label,
and the final output class label is the one that receives more
than half of the votes, otherwise a rejection option is given.
Random forest. Random forest operates by constructing
a multitude of decision trees at training time and outputting
the final result based on the consideration of all the trees’
results.
C. The Experiment Setup
The experiment is operated on a computer with Windows
10, 32GB RAM, and Intel core i7 CPU 2.6GHz. The overall
performances of classifiers are evaluated in Java
environment using Waikato Environment for Knowledge
Analysis (Weka) [24]. Bayesnet, OneR, Libsvm, JRip, J48,
AdaboostM1, Bagging, Vote and RandomForest are adopted
as implementations of the bayesnet, OneR, SVM, Ripper,
C4.5, adaptive boosting, bagging, majority voting and
random forest in the Weka respectively. All the classifiers
referred above use default parameters of Weka.
In total 17 learning methods are tested on power system
attack datasets [1]. The 3x cross validation methodology is
used in our experiments. Each dataset is partitioned into 3
sets randomly. The model is built on a two-thirds selection
from the dataset and tested on the remaining one third to
evaluate the learning methods performance. To reduce the
disturbance of randomness, this procedure repeats for each
learning methods and each dataset for 5 times.
IV. RESULTS
class such as cyber-attack. It is similar to accuracy that
ensemble methods have a higher average precision value
than basic learning methods. For precision, three methods
based on SVM (basic, bagging and adaptive boosting SVM)
score the highest than others.

A. Performance Metrics
Four metrics are used to evaluate the proposed approach.
They are average accuracy, the precision, the recall and the
F-score metrics. The four metrics used are defined as follows:
TP  TN
average accuracy (1)
TP  FP  FN  TN
2 recall precision
F  score (2)
recall  precision
precision TP (TP  FP) (3)
recall TP (TP  FN ) (4)
Figure 2. The average precision
TP is the number of instances correctly identified as
normal class, TN is the number of instances correctly
identified as abnormal class, FP is the number of instances
which are incorrectly marked as normal class and FN is the
number of instances that are incorrectly marked as abnormal
class. Precision represents the proportion of relevant
instances among the retrieved instances, while recall is the
proportion of relevant instances that have been retrieved over
the total amount of relevant instances. F-score is a good
metric to evaluate the performance of anomaly detection
approaches, which combined precision and recall in a
harmonic way.
B. Ensemble Learning Method Evaluation
Figure 1 shows the classification accuracy average over Figure 3. The average recall
the 15 datasets for 17 different algorithms. There are 5 basic
machine learning methods, 5 ensemble learning methods
based on bagging methods, 5 ensemble learning based on
adaptive boosting, a majority voting based on 5 basic
learning methods and a random forest method in the figure.
Figure 1 tells us that ensemble methods can help to obtain
better performances than basic learning methods in terms of
accuracy average.

Figure 4. The average F-score

Figure 3 shows results for averaged recall. As recall

Figure 1. The average accuracy
Figure 2 demonstrates the precision value of the various
learning methods averaged over the 15 datasets. As the
measure of positive prediction rate, precision provides a
sense of the false positive values when predicting for specific
reflects true positive rate, this evaluation identifies the
learning methods that detected cyber-attacks most
successfully. On the contrary to the precision, SVM
performs significantly worse in recall. The high precision
values coupled with the low recall values for some learning
methods indicate that methods are bias towards one class.
That means SVM may correctly classify malicious power
system disturbances, but at the cost of a disproportionate

615
amount of false negative values. Classifiers like this would
not be reliable. This conclusion is also shown in figure 4
where three SVM methods have low F-scores.
The F-score is displayed in Figure 4. It intrinsically
displays classification performance in terms of both
precision and recall. As expected, those learners that
performed better in terms of both precision and recall have
the higher F-score. From Figure 4 we can see that the
random forest performs the best. Except the bayesnet,
ensemble methods based on bagging and adaptive boosting
perform better than the basic methods.
According to the results of our experiments, it can be
concluded that ensemble learning is effective enhancement
to basic learning methods and it is available approach to
providing reliable detection results for cyber-attack in
industrial control system (ICS) environment such as power
system.
V. CONCLUSION
The classification approaches to machine learning are
still not widely used in ICS as an intrusion detection system
[25]. Especially, using ensemble learning methods in an ICS
environment is a relatively new topic. According to the
results of applying ensemble learning methods to these
power system datasets, it can be concluded that ensemble
learning is available approach to providing reliable decision
support to power system operators on whether the system is
under attack.
Despite these results, we consider that further work is
necessary to make ensemble learning systems deployable in
an operation environment. It is necessary for these results to
be tested on a broader set of power system data with a wider
variety of classification schemes, learning approaches, and
amounts of labeled data. This work can be treated as an
initial set of evidence for the application of ensemble
learning methods in ICS environment and motivation for
further research.
ACKNOWLEDGMENT
Our search is supported by the National Science
Foundation of China (Project No. 61672527).
REFERENCES
[1] Thomas H. Morris and Wei Gao. Industrial control system cyber
attacks. In International Symposium on ICS and Scada Cyber
Security Research, pages 22–29, 2013.
[2] Bayu Adhi Tama and Kyung Hyune Rhee. A combination of pso-
based feature selection and tree-based classifiers ensemble for
intrusion detection systems. Advances in Computer Science and
Ubiquitous Computing, pages 489–495, 2015.
[3] Srinivas Mukkamala, Andrew H. Sung, and Ajith Abraham. Intrusion
detection using an ensemble of intelligent paradigms. Journal of
Network and Computer Applications, 28(2):167–182, 2005.
[4] Sandhya Peddabachigari, Ajith Abraham, Crina Grosan, and Johnson
Thomas. Modeling intrusion detection system using hybrid intelligent
systems. Journal of Jiangxi University of Science and Technology,
30(1):114–132, 2007.
[5] W. Hu, W. Hu, and S Maybank. Adaboost-based algorithm for
network intrusion detection. IEEE Transactions on Systems Man and
616
Cybernetics Part B Cybernetics A Publication of the IEEE Systems
Man and Cybernetics Society, 38(2):577, 2008.
[6] Jo Cabrera, O B. D, Guti, Carlos Rrez, and Raman KMehra.
Ensemble methods for anomaly detection and distributed intrusion
detection in mobile ad-hoc networks. Information Fusion, 9(1):96–
119, 2008.
[7] Bayu Adhi Tama and Kyung Hyune Rhee. Hfste: Hybrid feature
selections and tree-based classifiers ensemble for intrusion detection
system. Ieice Transactions on Information and Systems,
E100.D(8):1729–1737, 2017.
[8] Chee Wooi Ten, Junho Hong, and Chen Ching Liu. Anomaly
detection for cybersecurity of the substations. IEEE Transactions on
Smart Grid, 5(4):1643–1653, 2014.
[9] Yuxin Chen and Bo Luo. S2a:secure smart household appliances. In
ACM Conference on Data & Application Security & Privacy, pages
217–228, 2012.
[10] Robert Mitchell and Ing Ray Chen. Behavior-rule based intrusion
detection systems for safety critical smart grid applications. IEEE
Transactions on Smart Grid, 4(3):1254–1263, 2013.
[11] Y. Yang, K. Mclaughlin, S. Sezer, T. Littler, B. Pranggono, P. Brogan,
and H. F. Wang. Intrusion detection system for network security in
synchrophasor systems. In Iet International Conference on
Information and Communications Technologies, pages 246–252,
2013.
[12] Yichi Zhang, Lingfeng Wang, Weiqing Sun, Robert C. Green Ii, and
Mansoor Alam. Distributed intrusion detection system in a multi-
layer network architecture of smart grids. IEEE Transactions on
Smart Grid, 2(4):796–808, 2011.
[13] Hadeli Hadeli, Ragnar Schierholz, Markus Braendle, and Cristian
Tuduce. Leveraging determinism in industrial control systems for
advanced anomaly detection and reliable security configuration. In
IEEE International Conference on Emerging Technologies & Factory
Automation, pages 1189–1196, 2009.
[14] Robert C. Holte. Very simple classification rules perform well on
most commonly used datasets. Machine Learning, 11(1):63–90, 1993.
[15] Sukhan Lee and S Shimoji. Bayesnet: Bayesian classification network
based on biased random competition using gaussian kernels. In IEEE
International Conference on Neural Networks, pages 1354–1359
vol.3, 1993.
[16] J. Ross Quinlan. C4.5: programs for machine learning. 1, 1993.
[17] J. R. Quinlan. Induction of decision trees. Machine Learning,
1(1):81–106, 1986.
[18] John C. Platt. Sequential minimal optimization: A fast algorithm for
training support vector machines. 1998.
[19] Corinna Cortes and Vladimir Vapnik. Support-vector networks.
Machine Learning, 20(3):273–297, 1995.
[20] Johannes Frnkranz and Gerhard Widmer. Incrementalreduced error
pruning. Machine Learning Proceedings, pages 70–77, 1994.
[21] William W. Cohen. Fast effective rule induction. Machine Learning
Proceedings 1995, 46(2):115–123, 1995.
[22] Yoav Freund and Robert E Schapire. A decision-theoretic
generalization of on-line learning and an application to boosting. In
European Conference on Computational Learning Theory, pages 23–
37, 1995.
[23] Leo Breiman. Bagging predictors. Machine Learning, 24(2):123–140,
1996.
[24] Muamer N. Mohammad, Norrozila Sulaiman, and Osama Abdulkarim
Muhsin. A novel intrusion detection system by using intelligent data
mining in weka environment. Procedia Computer Science, 3(1):1237–
1242, 2011.
[25] Raymond C. Borges Hink, Justin M. Beaver, Mark A. Buckner,
Tommy Morris, Uttam Adhikari, and Shengyi Pan. Machine learning
for power system disturbance and cyber-attack discrimination. In
International Symposium on Resilient Control Systems, pages 1–8,
2014.