Graph-Attentive Cyber–Physical Attack Detection and Forensic Attribution in Smart Grids: A Two-Stage Pipeline Combining Physical Anomaly Detection with Network Traffic Analysis.
Saved in:
| Title: | Graph-Attentive Cyber–Physical Attack Detection and Forensic Attribution in Smart Grids: A Two-Stage Pipeline Combining Physical Anomaly Detection with Network Traffic Analysis. |
|---|---|
| Authors: | Greco, Danilo1 (AUTHOR), Gaggero, Giovanni Battista2 (AUTHOR) giovanni.gaggero@unige.it |
| Source: | Energies (19961073). May2026, Vol. 19 Issue 10, p2394. 23p. |
| Subject Terms: | *Anomaly detection (Computer security), *Intrusion detection systems (Computer security), *Transformer models, *Machine learning, *Cyber physical systems, *Smart power grids, *Computer network traffic, *Digital forensics |
| Abstract: | Smart grids increasingly rely on digital communication, expanding the attack surface beyond the reach of conventional network intrusion-detection systems. Physics-based monitoring can detect anomalies that bypass traffic inspection, but most prior methods only provide binary detection and do not identify attackers or describe associated network behaviour. This paper presents a two-stage cyber–physical detection and attribution pipeline for the IEEE 14-bus smart grid. In Stage 1, a four-layer GATv2 model analyses sliding windows of PLC sensor data and operates as a binary anomaly detector (Benign vs. Attack), achieving 96.39 ± 1.26 % accuracy, macro-F1 0.949 ± 0.019 , recall 0.992 ± 0.007 , and ROC-AUC 0.994 ± 0.005 (mean ± std, 5 seeds, tuned configuration). GATv2 achieves the highest recall among all tested binary classifiers (Random Forest: 0.970 ; SVM: 0.860 ; KNN: 0.988 at low AUC 0.759 ), the primary metric in safety-critical intrusion detection where a missed attack is more dangerous than a false alarm. A Welch t-test across five independent seeds confirms that GATv2 and RF are statistically equivalent in accuracy ( t = − 2.030 , p = 0.096 ). A six-class ablation study reveals that Backdoor is physically near-invisible (F1 = 0.238 , lowest among all classes), motivating the network attribution stage. In Stage 2, triggered only after anomaly detection, a LightGBM model trained on 27 network-traffic features attributes the attack campaign, reaching 83.05 ± 0.00 % accuracy and macro-F1 0.819 ± 0.002 across all six cyber classes. A final enrichment stage correlates anomaly windows with network events to extract attacker IP and MAC information, suspicious ports, Modbus manipulation signals, and connection-rate anomalies, producing a structured forensic report. Ablations and visual analyses show that graph-based physical sensing and statistical network attribution are complementary. To the best of our knowledge, this is the first work to combine topology-aware GNN physical detection, multi-class cyber attribution, and automated forensic enrichment in a single pipeline evaluated on this dataset. [ABSTRACT FROM AUTHOR] |
| Database: | Energy & Power Source |
|
Full text is not displayed to guests.
Login for full access.
|
|
| Abstract: | Smart grids increasingly rely on digital communication, expanding the attack surface beyond the reach of conventional network intrusion-detection systems. Physics-based monitoring can detect anomalies that bypass traffic inspection, but most prior methods only provide binary detection and do not identify attackers or describe associated network behaviour. This paper presents a two-stage cyber–physical detection and attribution pipeline for the IEEE 14-bus smart grid. In Stage 1, a four-layer GATv2 model analyses sliding windows of PLC sensor data and operates as a binary anomaly detector (Benign vs. Attack), achieving 96.39 ± 1.26 % accuracy, macro-F1 0.949 ± 0.019 , recall 0.992 ± 0.007 , and ROC-AUC 0.994 ± 0.005 (mean ± std, 5 seeds, tuned configuration). GATv2 achieves the highest recall among all tested binary classifiers (Random Forest: 0.970 ; SVM: 0.860 ; KNN: 0.988 at low AUC 0.759 ), the primary metric in safety-critical intrusion detection where a missed attack is more dangerous than a false alarm. A Welch t-test across five independent seeds confirms that GATv2 and RF are statistically equivalent in accuracy ( t = − 2.030 , p = 0.096 ). A six-class ablation study reveals that Backdoor is physically near-invisible (F1 = 0.238 , lowest among all classes), motivating the network attribution stage. In Stage 2, triggered only after anomaly detection, a LightGBM model trained on 27 network-traffic features attributes the attack campaign, reaching 83.05 ± 0.00 % accuracy and macro-F1 0.819 ± 0.002 across all six cyber classes. A final enrichment stage correlates anomaly windows with network events to extract attacker IP and MAC information, suspicious ports, Modbus manipulation signals, and connection-rate anomalies, producing a structured forensic report. Ablations and visual analyses show that graph-based physical sensing and statistical network attribution are complementary. To the best of our knowledge, this is the first work to combine topology-aware GNN physical detection, multi-class cyber attribution, and automated forensic enrichment in a single pipeline evaluated on this dataset. [ABSTRACT FROM AUTHOR] |
|---|---|
| ISSN: | 19961073 |
| DOI: | 10.3390/en19102394 |