Anomaly-Based Detection of Cyberattacks on Line Current Differential Relays

Abstract

Currently, the architecture of Line Current Differential Relays (LCDRs) is designed to respond to internal faults on the protected line using local and remotely-communicated current measurements. However, this architecture cannot distinguish between real faults and cyber-induced attacks whose goal is to cause false tripping of the line protected by the LCDR. In this paper, we propose an Anomaly-Based Scheme (ABS) for detecting false-tripping attacks against LCDRs, in the form of relay attacks, replay attacks, general false-data-injection attacks, and time-synchronization attacks. The ABS employs the Isolation Forest algorithm, which is trained on features determined from local current measurements to confirm real faults and differentiate them from false-tripping attacks. No trip command will be issued unless the sensed fault is confirmed as a non-attack by the ABS. The performance of the proposed ABS is tested and validated using the IEEE 9-bus benchmark in PSCAD/EMTDC environment. Simulation results show that the proposed ABS: (i) can accurately detect different categories of cyberattacks, (ii) does not negatively impact the accuracy of the fault-detection function, and (iii) is robust to the change in the power system’s operating point.