5.2 Invariant Induction
Since Langley's BACON system [10], there has been a substantial amount of work on
equation induction within the AI and engineering communities, and a number of
systems have been developed [5], [15]. However, the main aim of this work was to
discover equations that could be used by engineers, and there has not been any
application of the learnt equations to the problem of SCADA security and anomaly detection.
Research into the more general problem of invariant induction has been carried out
by Michael Ernst, whose Daikon system [6] dynamically identifies invariant
properties of the variables within a program by instrumenting its source code and running it
over a test bed that is intended to give comprehensive coverage of the program's
behaviour. As the program runs, the variables are analysed for invariant properties,
such as x > 10, x + y = 35, etc. Although Ernst's techniques are similar to the ones
described in this paper, the area of application is different. Ernst's approach is
orientated towards debugging applications and not towards building up a normal model of
SCADA data and using this to detect intrusions. Furthermore, Ernst's pruning
technique does not allow invariants that are usually true, e.g. 99% of the time.
5.3 Support for the State Estimator in Electricity Networks
A lot of research has been carried out on the development of state estimation and the
extension of it to include topology errors. This includes the work by Clements on the
identification of topology errors [1], [14] and recent research by Wollenberg on
massive data loss and pseudo-measurements [8]. However, none of the work so far has
applied anomaly-detecting techniques to these problems and very little work has been
done on intrusion detection in SCADA systems.
6 Experiments
Using a load flow program⁵, real and reactive power flow measurements for a six-bus
network were calculated for total system loads varying over the annual cycle given
with the specification of the IEEE 24 bus test network [16]. This provided 8736 files
containing snapshots of the network for every hour of every day for a year. To test the
false positive rate of the anomaly detectors, one in ten of these files was set aside and
then the n-gram and invariant induction techniques were used to learn normal models
of the network.
Test data was generated by introducing between 1 and 44 random errors into a
selection of the normal data files. These errors included changing the sign of a reading,
moving the decimal point to the right or left, and swapping one of the digits with a
random number. The ability of the two anomaly-detecting techniques to identify the
errors was then evaluated.
⁵ For these experiments we adapted the load flow program supplied with Wood &
Wollenberg's Power Generation, Operation and Control [20].
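As an added illustration (not the paper's code or data), the sketch below induces invariants of the two forms mentioned in Section 5.2, keeps those that hold in at least 99% of the training snapshots, and applies the three error types used to build the test data. The reading names P12, P21 and P13, the value ranges, the tolerance and all function names are assumptions, and the snapshots are constructed.

```python
import random
from itertools import combinations
from statistics import median

def make_training(n=1000, seed=1):
    """Constructed snapshots (not the paper's data): P21 mirrors P12 on one line."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        p = rng.uniform(20.0, 80.0)
        rows.append({"P12": p, "P21": -p + rng.uniform(-0.1, 0.1),
                     "P13": rng.uniform(10.0, 40.0)})
    for r in rows[:5]:              # 0.5% of snapshots carry a glitched reading
        r["P21"] = 0.0
    return rows

def induce(rows, min_support=0.99, tol=0.5):
    """Keep 'x + y = c' and 'lo <= x <= hi' invariants holding in >= min_support of rows."""
    names, found = sorted(rows[0]), []
    for x, y in combinations(names, 2):
        c = median(r[x] + r[y] for r in rows)
        support = sum(abs(r[x] + r[y] - c) <= tol for r in rows) / len(rows)
        if support >= min_support:
            found.append(("sum", x, y, c))
    for x in names:
        vals = sorted(r[x] for r in rows)
        k = int(len(vals) * (1 - min_support) / 2)   # tolerated outliers per tail
        found.append(("range", x, vals[k], vals[-1 - k]))
    return found

def violations(row, invariants, tol=0.5):
    """Return the learnt invariants that a snapshot breaks."""
    broken = []
    for kind, x, a, b in invariants:
        if kind == "sum" and abs(row[x] + row[a] - b) > tol:
            broken.append((kind, x, a, b))
        elif kind == "range" and not a <= row[x] <= b:
            broken.append((kind, x, a, b))
    return broken

def corrupt(value, kind, rng):
    """The three error types used to build the test data."""
    if kind == "sign":
        return -value
    if kind == "decimal":           # decimal point moved right or left
        return value * rng.choice((10.0, 0.1))
    text = f"{value:.2f}"           # "digit": swap one digit for a random one
    pos = rng.choice([i for i, ch in enumerate(text) if ch.isdigit()])
    return float(text[:pos] + str(rng.randrange(10)) + text[pos + 1:])
```

With `min_support=1.0`, the five glitched training snapshots are enough to discard the `P12 + P21` invariant; at 0.99 it survives and flags the sign and decimal-point errors.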