Graph-Attentive Cyber–Physical Attack Detection and Forensic Attribution in Smart Grids: A Two-Stage Pipeline Combining Physical Anomaly Detection with Network Traffic Analysis.

Saved in:
Bibliographic Details
Title: Graph-Attentive Cyber–Physical Attack Detection and Forensic Attribution in Smart Grids: A Two-Stage Pipeline Combining Physical Anomaly Detection with Network Traffic Analysis.
Authors: Greco, Danilo1 (AUTHOR), Gaggero, Giovanni Battista2 (AUTHOR) giovanni.gaggero@unige.it
Source: Energies (19961073). May2026, Vol. 19 Issue 10, p2394. 23p.
Subject Terms: *Anomaly detection (Computer security), *Intrusion detection systems (Computer security), *Transformer models, *Machine learning, *Cyber physical systems, *Smart power grids, *Computer network traffic, *Digital forensics
Abstract: Smart grids increasingly rely on digital communication, expanding the attack surface beyond the reach of conventional network intrusion-detection systems. Physics-based monitoring can detect anomalies that bypass traffic inspection, but most prior methods only provide binary detection and do not identify attackers or describe associated network behaviour. This paper presents a two-stage cyber–physical detection and attribution pipeline for the IEEE 14-bus smart grid. In Stage 1, a four-layer GATv2 model analyses sliding windows of PLC sensor data and operates as a binary anomaly detector (Benign vs. Attack), achieving  96.39 ± 1.26 %  accuracy, macro-F1  0.949 ± 0.019 , recall  0.992 ± 0.007 , and ROC-AUC  0.994 ± 0.005  (mean ± std, 5 seeds, tuned configuration). GATv2 achieves the highest recall among all tested binary classifiers (Random Forest:  0.970 ; SVM:  0.860 ; KNN:  0.988  at low AUC  0.759 ), the primary metric in safety-critical intrusion detection where a missed attack is more dangerous than a false alarm. A Welch t-test across five independent seeds confirms that GATv2 and RF are statistically equivalent in accuracy ( t = − 2.030 ,  p = 0.096 ). A six-class ablation study reveals that Backdoor is physically near-invisible (F1  = 0.238 , lowest among all classes), motivating the network attribution stage. In Stage 2, triggered only after anomaly detection, a LightGBM model trained on 27 network-traffic features attributes the attack campaign, reaching  83.05 ± 0.00 %  accuracy and macro-F1  0.819 ± 0.002  across all six cyber classes. A final enrichment stage correlates anomaly windows with network events to extract attacker IP and MAC information, suspicious ports, Modbus manipulation signals, and connection-rate anomalies, producing a structured forensic report. Ablations and visual analyses show that graph-based physical sensing and statistical network attribution are complementary. To the best of our knowledge, this is the first work to combine topology-aware GNN physical detection, multi-class cyber attribution, and automated forensic enrichment in a single pipeline evaluated on this dataset. [ABSTRACT FROM AUTHOR]
Database: Energy & Power Source
Full text is not displayed to guests.
Description
Abstract:Smart grids increasingly rely on digital communication, expanding the attack surface beyond the reach of conventional network intrusion-detection systems. Physics-based monitoring can detect anomalies that bypass traffic inspection, but most prior methods only provide binary detection and do not identify attackers or describe associated network behaviour. This paper presents a two-stage cyber–physical detection and attribution pipeline for the IEEE 14-bus smart grid. In Stage 1, a four-layer GATv2 model analyses sliding windows of PLC sensor data and operates as a binary anomaly detector (Benign vs. Attack), achieving  96.39 ± 1.26 %  accuracy, macro-F1  0.949 ± 0.019 , recall  0.992 ± 0.007 , and ROC-AUC  0.994 ± 0.005  (mean ± std, 5 seeds, tuned configuration). GATv2 achieves the highest recall among all tested binary classifiers (Random Forest:  0.970 ; SVM:  0.860 ; KNN:  0.988  at low AUC  0.759 ), the primary metric in safety-critical intrusion detection where a missed attack is more dangerous than a false alarm. A Welch t-test across five independent seeds confirms that GATv2 and RF are statistically equivalent in accuracy ( t = − 2.030 ,  p = 0.096 ). A six-class ablation study reveals that Backdoor is physically near-invisible (F1  = 0.238 , lowest among all classes), motivating the network attribution stage. In Stage 2, triggered only after anomaly detection, a LightGBM model trained on 27 network-traffic features attributes the attack campaign, reaching  83.05 ± 0.00 %  accuracy and macro-F1  0.819 ± 0.002  across all six cyber classes. A final enrichment stage correlates anomaly windows with network events to extract attacker IP and MAC information, suspicious ports, Modbus manipulation signals, and connection-rate anomalies, producing a structured forensic report. Ablations and visual analyses show that graph-based physical sensing and statistical network attribution are complementary. To the best of our knowledge, this is the first work to combine topology-aware GNN physical detection, multi-class cyber attribution, and automated forensic enrichment in a single pipeline evaluated on this dataset. [ABSTRACT FROM AUTHOR]
ISSN:19961073
DOI:10.3390/en19102394