Blithe behavior rule based insider threat detection for smart grid
1. #13/ 19, 1st Floor, Municipal Colony, Kangayanellore Road, Gandhi Nagar, Vellore – 6.
Off: 0416-2247353 / 6066663 Mo: +91 9500218218
Website: www.shakastech.com, Email - id: shakastech@gmail.com,
info@shakastech.com
BLITHE: BEHAVIOR RULE BASED INSIDER THREAT DETECTION FOR SMART GRID
ABSTRACT
A Behavior ruLe based methodology is proposed for Insider THrEat detection
(BLITHE) of data monitor devices in smart grid, where the continuity and accuracy of
operations are of vital importance. Based on the DC power flow model and the state
estimation model, three behavior rules are extracted to depict the behavior norms of
each device, so that a device (trustee) whose behavior is being monitored can easily be
checked for deviation from the behavior specification. Specifically, a rule-weight and
compliance-distance based grading strategy is designed, which greatly improves the
effectiveness of the traditional grading strategy for evaluating trustees. The statistical
property, i.e., the mathematical expectation of the compliance degree of each trustee, is
analyzed in particular from both theoretical and practical perspectives, which achieves a
satisfactory trade-off between detection accuracy and false alarms in detecting more
sophisticated and hidden attackers.
INTRODUCTION
Smart grid, widely considered to be the next generation of the power grid, has
attracted considerable attention. As a typical cyber-physical system (CPS), smart grid
incorporates information and communications technology (ICT) into the traditional
power system and is characterized by high reliability, efficiency, economy,
and sustainability. To ensure that smart grid can operate continuously even when some
components fail, power research communities use meters or phasor measurement units
(PMUs), placed at important locations of the power system, to monitor system components
and report their measurements to the control centre (CC), which can then estimate the
state variables from the meter measurements. The estimation uses a state estimation
model, which relies heavily on the accuracy of the reported measurements that the CC
receives. Recently, smart grid researchers have recognized the threat of bad
measurements (or information corruption) and developed techniques to address this
challenge. Information corruption threats in smart grid are very complex, as they can
come from both outsiders and insiders. In particular, because of the openness brought by
integrating ICT into the power system, some devices could be compromised and
become insider attackers. While great efforts have been made to resist outsider attacks,
much less attention has been paid to insider ones because of the difficulties
stemming from their concealment and latency. Today, even though insider threat
detection for CPS has attracted considerable concern due to the dire consequences of CPS
failure, effective and accurate detection techniques for CPS, and especially for smart
grid, are still in their infancy, with very few studies conducted.
PROBLEM STATEMENT
Generally, insider threat detection techniques can be classified into three types:
signature-based, anomaly-based and specification-based techniques.
Signature-based detection is highly capable of identifying known attacks, but it
cannot effectively cope with unknown attack patterns.
The proposed anomaly-based schemes use resource-constrained sensors and/or
actuators to outline anomaly patterns, which incurs high computational
overhead in detecting insider threats and generally produces high rates of false alarms.
Specification-based techniques have been proposed only for insider threat detection of
misbehaving patterns in communication protocols.
Because all electrical devices are connected as a whole system and each state
variable must satisfy specific constraints for the smart grid to remain in equilibrium,
topology restrictions and data correlations do exist in smart grid.
Therefore, behavior rule specifications can be exploited to depict
the behavior criteria and norms of all devices in the system. However, due to
the complexity of smart grid and the latency and concealment of insider
threats, designing an efficient and effective behavior rule specification based
insider threat detection methodology for smart grid still faces many challenges.
EXISTING SYSTEM
False positive probability method
Prior studies have largely lacked numerical data on the false positive probability pfp and
the false negative probability pfn. Even the three that had some numerical data
reported only one or two data points characterizing pfn = pfp, rather than a data
set that could be transformed into a receiver operating characteristic (ROC)
figure, i.e., a pfn versus pfp curve.
One of them proposed an insider threat detection technique which can
effectively balance a small false positive probability pfp against a high detection
probability 1 - pfn, to deal with more sophisticated and hidden threats and support
secure applications in smart grid.
Two of them tried to exploit the topology restriction and data correlation of smart grid
to detect insider threats.
Disadvantages
Since it only addressed very high-level requirements in smart grid, it is too
coarse-grained to be applied in practical scenarios.
Because both of them only consider very specific scenarios of smart grid, they are
not universal and effective solutions.
Flocking-based method
A flocking-based modeling paradigm is designed to identify insider threats during the
transient stability process of smart grid. Observing the characteristics of smart
grid from a hierarchical cyber-physical perspective, the natural physical
couplings among power systems are leveraged as telltale signs to identify
insider cyber threats.
Disadvantages
The threat model is limited to narrow scenarios of the transient stability process,
and it urgently needs to be extended to generalized circumstances covering the stability
process of smart grid.
State estimation model
Liu et al. proposed an adaptive partitioning state estimation (APSE) method to
detect bad data injections in smart grid. APSE divides the large system into
several subsystems, and the detection procedures are performed repeatedly
in the resulting subsystems until the location of the insider threat is found.
PROPOSED SYSTEM
To propose a behavior rule based insider threat detection (BLITHE)
methodology for smart grid, which can improve the accuracy of detection with
very low false alarms.
With comprehensive and accurate behavior rule definitions, the proposed
methodology can also be easily generalized to other CPSs.
Considering the fact that each rule usually has a different effect and
prominence in the evaluation of a trustee's compliance degree, the rule-weight
and compliance-distance based grading strategy is designed to improve the
traditional evaluation strategy.
Advantages
Trade-off between detection accuracy and false alarms of insider threat detection
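As an added illustration of the grading idea described above (example code written for this page, not code from the BLITHE paper or from the vendor), the following Python models a constructed 3-bus DC power flow system with a flow meter at each line end, grades every meter against three assumed behavior rules (consistency with the DC flow implied by PMU bus angles, agreement with the meter at the far end of the line, and a ramp-rate limit) using assumed weights and tolerances, and then takes the expectation of each meter's compliance degree over a window. The rules, weights, tolerances, threshold and the intermittent +0.6 p.u. misreport by one meter are all assumptions made for the example.

```python
from typing import Dict, List, Optional, Tuple

Flows = Dict[Tuple[int, int], float]  # meter on line end (i, j) -> reported flow in p.u.
# Constructed 3-bus DC model: P_ij = b_ij * (theta_i - theta_j); a meter sits at each line end.
B: Flows = {(0, 1): 10.0, (1, 2): 5.0, (0, 2): 8.0}
B.update({(j, i): b for (i, j), b in list(B.items())})
# Assumed rule weights (sum to 1) and tolerances: |deviation| / tolerance, capped at 1, is the distance.
WEIGHTS = {"dc_model": 0.5, "pair_agreement": 0.3, "ramp_rate": 0.2}
TOL = {"dc_model": 0.1, "pair_agreement": 0.1, "ramp_rate": 0.2}

def distance(rule: str, deviation: float) -> float:
    return min(abs(deviation) / TOL[rule], 1.0)

def grade_sample(flows: Flows, angles: List[float], prev: Optional[Flows] = None) -> Dict[Tuple[int, int], float]:
    """Compliance degree in [0, 1] of every flow meter (trustee) for one reporting interval."""
    grades = {}
    for (i, j), z in flows.items():
        dist = {
            # Rule 1: the report must match the DC flow implied by the PMU bus angles.
            "dc_model": distance("dc_model", z - B[(i, j)] * (angles[i] - angles[j])),
            # Rule 2: lossless line, so the meter at the far end must report -P_ij.
            "pair_agreement": distance("pair_agreement", z + flows[(j, i)]),
            # Rule 3: a flow may not change faster than the ramp limit between intervals.
            "ramp_rate": distance("ramp_rate", z - prev[(i, j)]) if prev else 0.0,
        }
        grades[(i, j)] = 1.0 - sum(WEIGHTS[r] * dist[r] for r in WEIGHTS)
    return grades

def expected_compliance(samples: List[Flows], angles: List[float]) -> Dict[Tuple[int, int], float]:
    """Window mean of each trustee's compliance degree (its mathematical expectation)."""
    totals: Dict[Tuple[int, int], float] = {}
    prev = None
    for flows in samples:
        for m, g in grade_sample(flows, angles, prev).items():
            totals[m] = totals.get(m, 0.0) + g
        prev = flows
    return {m: t / len(samples) for m, t in totals.items()}

def true_flows(angles: List[float]) -> Flows:
    """Honest reports from every meter under the DC model."""
    return {(i, j): b * (angles[i] - angles[j]) for (i, j), b in B.items()}

def demo(threshold: float = 0.9) -> Dict[Tuple[int, int], bool]:
    """Constructed 10-interval window: meter (0, 1) adds 0.6 p.u. in intervals 3 and 7 only."""
    angles = [0.0, -0.1, -0.15]  # PMU bus angles; bus 0 is the reference
    samples = [true_flows(angles) for _ in range(10)]
    for t in (3, 7):
        samples[t][(0, 1)] += 0.6
    return {m: e < threshold for m, e in expected_compliance(samples, angles).items()}
```

Rule 2 is shared by both meters on a line, so the honest meter at the far end of line (0, 1) also loses compliance in the two corrupted intervals (0.7 per interval, expectation 0.94); it is the window expectation against the threshold, not any single interval's grade, that leaves it unflagged while the misreporting meter (expectation 0.76) is flagged.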
HARDWARE REQUIREMENTS
Processor : Any processor above 500 MHz.
RAM : 128 MB.
Hard Disk : 10 GB.
Compact Disk : 650 MB.
Input device : Standard Keyboard and Mouse.
Output device : VGA and High Resolution Monitor.
SOFTWARE SPECIFICATION
Operating System : Windows Family.
Techniques : JDK 1.5 or higher
Database : MySQL 5.0