From Red Flags to Detection Rules: An LLM-driven Pipeline for Real-Time GOOSE Intrusion Detection and Prevention
Abstract
Specification-based Intrusion Detection Systems (IDSs) are widely used in IEC 61850 substations, but they rely on manually crafted rules derived from expert knowledge. This paper presents an LLM-driven pipeline that automates the generation of detection rules for real-time GOOSE intrusion detection and prevention. The approach uses labeled communication samples to identify red flags and transforms them into intrusion-detection rules. The pipeline supports plug-and-play execution, reproducibility, and parameterized control. A proof of concept using the ERENO dataset shows that the generated rules detect anomalous behavior effectively with low operational overhead, indicating that LLM-driven automation is a viable approach for specification-based IDS.
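The pipeline's output is a set of specification-based rules that a real-time engine evaluates against live GOOSE traffic. The following is an added example, not code from the paper or from ERENO, showing what such rules can look like when expressed as parameterized data and bound to checks that encode the GOOSE publication invariants of IEC 61850-8-1: stNum changes only on a state change, sqNum resets to 0 on a state change and increments on every retransmission, confRev is fixed for a deployed configuration, and the next frame should arrive within timeAllowedToLive. The rule names, field names, thresholds, the GoCB reference and the sample traffic are all assumptions made for the example.

```python
# Added example (not the paper's pipeline): a small specification-based rule
# engine for GOOSE records. The rule set is plain data, so rules produced
# upstream (by hand or by an LLM) can be plugged in and tuned without touching
# the checks. Field names, thresholds and the sample stream are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GooseRecord:
    t_us: int       # receive time in microseconds (int keeps interval math exact)
    gocb_ref: str   # GOOSE control block reference: one stream per publisher
    st_num: int     # stNum: increments on every state change
    sq_num: int     # sqNum: 0 on state change, then +1 per retransmission
    ttl_ms: int     # timeAllowedToLive announced by the publisher
    conf_rev: int   # confRev: configuration revision, fixed once deployed


Params = Dict[str, float]
Check = Callable[[GooseRecord, GooseRecord, Params], Optional[str]]


def stnum_regression(prev: GooseRecord, cur: GooseRecord, p: Params) -> Optional[str]:
    if cur.st_num < prev.st_num:
        return f"stNum went backwards {prev.st_num}->{cur.st_num} (replay/injection)"
    return None


def sqnum_sequence(prev: GooseRecord, cur: GooseRecord, p: Params) -> Optional[str]:
    if cur.st_num > prev.st_num and cur.sq_num != 0:
        return f"sqNum={cur.sq_num} not reset after state change"
    if cur.st_num == prev.st_num and not (0 < cur.sq_num - prev.sq_num <= 1 + p["max_sq_gap"]):
        return f"sqNum {prev.sq_num}->{cur.sq_num} breaks the retransmission sequence"
    return None


def confrev_change(prev: GooseRecord, cur: GooseRecord, p: Params) -> Optional[str]:
    if cur.conf_rev != prev.conf_rev:
        return f"confRev changed {prev.conf_rev}->{cur.conf_rev}"
    return None


def ttl_expired(prev: GooseRecord, cur: GooseRecord, p: Params) -> Optional[str]:
    gap_ms = (cur.t_us - prev.t_us) / 1000
    if gap_ms > prev.ttl_ms * p["ttl_slack"]:
        return f"{gap_ms:.0f} ms since last frame exceeds timeAllowedToLive={prev.ttl_ms} ms"
    return None


def flood(prev: GooseRecord, cur: GooseRecord, p: Params) -> Optional[str]:
    gap_ms = (cur.t_us - prev.t_us) / 1000
    if gap_ms < p["min_interval_ms"]:
        return f"frame {gap_ms:.1f} ms after previous, below the {p['min_interval_ms']} ms floor"
    return None


CHECKS: Dict[str, Check] = {
    f.__name__: f for f in (stnum_regression, sqnum_sequence, confrev_change, ttl_expired, flood)
}

# Rule set as data: the shape a generated rule file could take (constructed).
RULESET = [
    {"name": "stnum_regression", "action": "drop", "params": {}},
    {"name": "sqnum_sequence", "action": "drop", "params": {"max_sq_gap": 0}},
    {"name": "confrev_change", "action": "drop", "params": {}},
    {"name": "ttl_expired", "action": "alert", "params": {"ttl_slack": 1.0}},
    {"name": "flood", "action": "drop", "params": {"min_interval_ms": 1.0}},
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "drop" (prevention) or "alert" (detection only)
    params: Params
    check: Check


def build_rules(spec: List[dict]) -> List[Rule]:
    """Bind a data-only rule list to the known checks; reject unknown names."""
    rules = []
    for item in spec:
        if item["name"] not in CHECKS or item["action"] not in ("drop", "alert"):
            raise ValueError(f"unknown rule or action: {item}")
        rules.append(Rule(item["name"], item["action"], dict(item["params"]), CHECKS[item["name"]]))
    return rules


def evaluate(rules: List[Rule], records: List[GooseRecord]) -> Tuple[List[Tuple[int, str, str]], List[int]]:
    """Run every rule on every record. Returns (alerts, dropped): alerts are
    (record index, rule name, message); dropped are the indices the prevention
    step blocks. A dropped record does not advance the per-stream state, so one
    injected frame cannot desynchronize the checks applied to later frames."""
    last: Dict[str, GooseRecord] = {}
    alerts: List[Tuple[int, str, str]] = []
    dropped: List[int] = []
    for i, rec in enumerate(records):
        prev = last.get(rec.gocb_ref)
        if prev is None:            # first frame of a stream: nothing to compare with
            last[rec.gocb_ref] = rec
            continue
        drop = False
        for r in rules:
            msg = r.check(prev, rec, r.params)
            if msg:
                alerts.append((i, r.name, msg))
                drop = drop or r.action == "drop"
        if drop:
            dropped.append(i)
        else:
            last[rec.gocb_ref] = rec
    return alerts, dropped


GCB = "IED1CFG/LLN0$GO$gcb01"   # assumed GoCB reference


def _rec(t_us: int, st: int, sq: int, conf: int = 1) -> GooseRecord:
    return GooseRecord(t_us, GCB, st, sq, 2000, conf)


# Constructed stream: a normal retransmission series followed by five deviations.
SAMPLE = [
    _rec(0, 5, 0), _rec(2_000, 5, 1), _rec(4_000, 5, 2), _rec(8_000, 5, 3),
    _rec(16_000, 5, 4), _rec(1_016_000, 5, 5),   # idx 0-5: normal
    _rec(1_020_000, 3, 0),                        # idx 6: stNum goes backwards
    _rec(1_030_000, 6, 7),                        # idx 7: state change, sqNum not reset
    _rec(1_032_000, 6, 0),                        # idx 8: legitimate state change
    _rec(1_033_000, 6, 1, conf=2),                # idx 9: confRev changed
    _rec(4_000_000, 6, 1),                        # idx 10: silence past timeAllowedToLive
    _rec(4_000_200, 6, 2),                        # idx 11: burst faster than the floor
    _rec(4_004_000, 6, 2),                        # idx 12: normal continuation
]


def demo() -> Tuple[List[Tuple[int, str, str]], List[int]]:
    return evaluate(build_rules(RULESET), SAMPLE)


if __name__ == "__main__":
    alerts, dropped = demo()
    for i, name, msg in alerts:
        print(f"#{i:2d} {name:17s} {msg}")
    print("dropped:", dropped)
```

Two design points carry over to any engine fed by such a pipeline. A record that trips a drop rule is not used to update the stream state, so a replayed or injected frame cannot push the sequence checks out of step with the legitimate publisher. The timeAllowedToLive rule only alerts, because the late frame itself is well formed and the silence it reveals is as likely a link or publisher fault as an attack; thresholds such as `min_interval_ms` and `ttl_slack` are exactly the parameters that have to be tuned per substation, which is what the paper's "parameterized control" has to expose.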
References
International Electrotechnical Commission (2003). IEC 61850-8-1: Communication networks and systems in substations - Part 8-1: Specific communication service mapping (SCSM) - Mappings to MMS (ISO 9506-1 and ISO 9506-2) and to ISO/IEC 8802-3. IEC.
Hong, J. and Liu, C.-C. (2019). Intelligent electronic devices with collaborative intrusion detection systems. IEEE Transactions on Smart Grid, 10(1):271–281.
Hong, J., Liu, C.-C., and Govindarasu, M. (2014a). Detection of cyber intrusions using network-based multicast messages for substation automation. In Innovative Smart Grid Technologies (ISGT), pages 1–5. IEEE.
Hong, J., Liu, C.-C., and Govindarasu, M. (2014b). Integrated anomaly detection for cyber security of the substations. IEEE Transactions on Smart Grid, 5(4):1643–1653.
Kwon, Y., Kim, H. K., Lim, Y. H., and Lim, J. I. (2015). A behavior-based intrusion detection technique for smart grid infrastructure. In 2015 IEEE Eindhoven PowerTech, pages 1–6. IEEE.
Malik, H., Alotaibi, M. A., and Almutairi, A. (2022). Cyberattacks identification in IEC 61850 based substation using proximal support vector machine. Journal of Intelligent & Fuzzy Systems, 42(2):1213–1222.
Quincozes, S. E., Albuquerque, C., Passos, D., and Mossé, D. (2021). A survey on intrusion detection and prevention systems in digital substations. Computer Networks, 184:107679.
Quincozes, S. E., Albuquerque, C., Passos, D., and Mossé, D. (2023). ERENO: A framework for generating realistic IEC 61850 intrusion detection datasets for smart grids. IEEE Transactions on Dependable and Secure Computing, 21(4):3851–3865.
Quincozes, S. E., Passos, D., Albuquerque, C., Mossé, D., and Ochi, L. S. (2022). ERENO: An extensible tool for generating realistic IEC 61850 intrusion detection datasets. PhD thesis, Universidade Federal Fluminense.
Yang, Y., McLaughlin, K., Gao, L., Sezer, S., Yuan, Y., and Gong, Y. (2016a). Intrusion detection system for IEC 61850 based smart substations. In 2016 IEEE Power and Energy Society General Meeting (PESGM), pages 1–5. IEEE.
Yang, Y., Xu, H.-Q., Gao, L., Yuan, Y.-B., McLaughlin, K., and Sezer, S. (2016b). Multidimensional intrusion detection system for IEC 61850-based SCADA networks. IEEE Transactions on Power Delivery, 32(2):1068–1078.
Published
25/05/2026
How to Cite
MARTINS, Lucas A.; QUINCOZES, Camilla B.; SIERVO, Giovanni; QUINCOZES, Silvio E.; LUIZELLI, Marcelo Caggiani. From Red Flags to Detection Rules: An LLM-driven Pipeline for Real-Time GOOSE Intrusion Detection and Prevention. In: SALÃO DE FERRAMENTAS - SIMPÓSIO BRASILEIRO DE REDES DE COMPUTADORES E SISTEMAS DISTRIBUÍDOS (SBRC), 44., 2026, Praia do Forte/BA. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2026. p. 57-65. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc_estendido.2026.23263.
