Modeling and Detection of Grayhole Attacks on the GOOSE Protocol Using the ERENO Framework

  • Jerusa C. Gonçalves UFU
  • Silvio E. Quincozes UFU / UNIPAMPA
  • Vagner E. Quincozes UFF
  • Juliano F. Kazienko UFSM

Abstract


The growing need to strengthen cybersecurity in critical infrastructure, specifically in electrical substations that communicate via the Generic Object Oriented Substation Event (GOOSE) protocol, calls for effective threat detection and prevention techniques. This protocol, defined by the IEC 61850 standard, protects physical devices by reporting events such as electrical faults. However, its adoption opens the way for vulnerabilities to be exploited through attacks whose signatures need to be mapped. In particular, the literature lacks Grayhole attack signatures. This work proposes the modeling and implementation of such an attack targeting the GOOSE protocol. The model is then incorporated into ERENO, a framework for generating intrusion datasets. The effectiveness of the resulting dataset is validated with five machine learning algorithms, among which J48 stands out with a 90.68% F1-Score.

Published
2023-09-18
GONÇALVES, Jerusa C.; QUINCOZES, Silvio E.; QUINCOZES, Vagner E.; KAZIENKO, Juliano F. Modelagem e Detecção de Ataques Grayhole ao Protocolo GOOSE usando o Framework ERENO. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 23., 2023, Juiz de Fora/MG. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023. p. 417-430. DOI: https://doi.org/10.5753/sbseg.2023.233550.
