Graph-Attentive Cyber–Physical Attack Detection and Forensic Attribution in Smart Grids: A Two-Stage Pipeline Combining Physical Anomaly Detection with Network Traffic Analysis.

Saved in:
Bibliographic Details
Title: Graph-Attentive Cyber–Physical Attack Detection and Forensic Attribution in Smart Grids: A Two-Stage Pipeline Combining Physical Anomaly Detection with Network Traffic Analysis.
Authors: Greco, Danilo1 (AUTHOR), Gaggero, Giovanni Battista2 (AUTHOR) giovanni.gaggero@unige.it
Source: Energies (19961073). May2026, Vol. 19 Issue 10, p2394. 23p.
Subject Terms: *Anomaly detection (Computer security), *Intrusion detection systems (Computer security), *Transformer models, *Machine learning, *Cyber physical systems, *Smart power grids, *Computer network traffic, *Digital forensics
Abstract: Smart grids increasingly rely on digital communication, expanding the attack surface beyond the reach of conventional network intrusion-detection systems. Physics-based monitoring can detect anomalies that bypass traffic inspection, but most prior methods only provide binary detection and do not identify attackers or describe associated network behaviour. This paper presents a two-stage cyber–physical detection and attribution pipeline for the IEEE 14-bus smart grid. In Stage 1, a four-layer GATv2 model analyses sliding windows of PLC sensor data and operates as a binary anomaly detector (Benign vs. Attack), achieving  96.39 ± 1.26 %  accuracy, macro-F1  0.949 ± 0.019 , recall  0.992 ± 0.007 , and ROC-AUC  0.994 ± 0.005  (mean ± std, 5 seeds, tuned configuration). GATv2 achieves the highest recall among all tested binary classifiers (Random Forest:  0.970 ; SVM:  0.860 ; KNN:  0.988  at low AUC  0.759 ), the primary metric in safety-critical intrusion detection where a missed attack is more dangerous than a false alarm. A Welch t-test across five independent seeds confirms that GATv2 and RF are statistically equivalent in accuracy ( t = − 2.030 ,  p = 0.096 ). A six-class ablation study reveals that Backdoor is physically near-invisible (F1  = 0.238 , lowest among all classes), motivating the network attribution stage. In Stage 2, triggered only after anomaly detection, a LightGBM model trained on 27 network-traffic features attributes the attack campaign, reaching  83.05 ± 0.00 %  accuracy and macro-F1  0.819 ± 0.002  across all six cyber classes. A final enrichment stage correlates anomaly windows with network events to extract attacker IP and MAC information, suspicious ports, Modbus manipulation signals, and connection-rate anomalies, producing a structured forensic report. Ablations and visual analyses show that graph-based physical sensing and statistical network attribution are complementary. To the best of our knowledge, this is the first work to combine topology-aware GNN physical detection, multi-class cyber attribution, and automated forensic enrichment in a single pipeline evaluated on this dataset. [ABSTRACT FROM AUTHOR]
Database: Energy & Power Source
Full text is not displayed to guests.
FullText Links:
  – Type: pdflink
Text:
  Availability: 1
Header DbId: enr
DbLabel: Energy & Power Source
An: 194141509
AccessLevel: 6
PubType: Academic Journal
PubTypeId: academicJournal
PreciseRelevancyScore: 0
IllustrationInfo
Items – Name: Title
  Label: Title
  Group: Ti
  Data: Graph-Attentive Cyber–Physical Attack Detection and Forensic Attribution in Smart Grids: A Two-Stage Pipeline Combining Physical Anomaly Detection with Network Traffic Analysis.
– Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Greco%2C+Danilo%22">Greco, Danilo</searchLink><relatesTo>1</relatesTo> (AUTHOR)<br /><searchLink fieldCode="AR" term="%22Gaggero%2C+Giovanni+Battista%22">Gaggero, Giovanni Battista</searchLink><relatesTo>2</relatesTo> (AUTHOR)<i> giovanni.gaggero@unige.it</i>
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <searchLink fieldCode="JN" term="%22Energies+%2819961073%29%22">Energies (19961073)</searchLink>. May2026, Vol. 19 Issue 10, p2394. 23p.
– Name: Subject
  Label: Subject Terms
  Group: Su
  Data: *<searchLink fieldCode="DE" term="%22Anomaly+detection+%28Computer+security%29%22">Anomaly detection (Computer security)</searchLink><br />*<searchLink fieldCode="DE" term="%22Intrusion+detection+systems+%28Computer+security%29%22">Intrusion detection systems (Computer security)</searchLink><br />*<searchLink fieldCode="DE" term="%22Transformer+models%22">Transformer models</searchLink><br />*<searchLink fieldCode="DE" term="%22Machine+learning%22">Machine learning</searchLink><br />*<searchLink fieldCode="DE" term="%22Cyber+physical+systems%22">Cyber physical systems</searchLink><br />*<searchLink fieldCode="DE" term="%22Smart+power+grids%22">Smart power grids</searchLink><br />*<searchLink fieldCode="DE" term="%22Computer+network+traffic%22">Computer network traffic</searchLink><br />*<searchLink fieldCode="DE" term="%22Digital+forensics%22">Digital forensics</searchLink>
– Name: Abstract
  Label: Abstract
  Group: Ab
  Data: Smart grids increasingly rely on digital communication, expanding the attack surface beyond the reach of conventional network intrusion-detection systems. Physics-based monitoring can detect anomalies that bypass traffic inspection, but most prior methods only provide binary detection and do not identify attackers or describe associated network behaviour. This paper presents a two-stage cyber–physical detection and attribution pipeline for the IEEE 14-bus smart grid. In Stage 1, a four-layer GATv2 model analyses sliding windows of PLC sensor data and operates as a binary anomaly detector (Benign vs. Attack), achieving  96.39 ± 1.26 %  accuracy, macro-F1  0.949 ± 0.019 , recall  0.992 ± 0.007 , and ROC-AUC  0.994 ± 0.005  (mean ± std, 5 seeds, tuned configuration). GATv2 achieves the highest recall among all tested binary classifiers (Random Forest:  0.970 ; SVM:  0.860 ; KNN:  0.988  at low AUC  0.759 ), the primary metric in safety-critical intrusion detection where a missed attack is more dangerous than a false alarm. A Welch t-test across five independent seeds confirms that GATv2 and RF are statistically equivalent in accuracy ( t = − 2.030 ,  p = 0.096 ). A six-class ablation study reveals that Backdoor is physically near-invisible (F1  = 0.238 , lowest among all classes), motivating the network attribution stage. In Stage 2, triggered only after anomaly detection, a LightGBM model trained on 27 network-traffic features attributes the attack campaign, reaching  83.05 ± 0.00 %  accuracy and macro-F1  0.819 ± 0.002  across all six cyber classes. A final enrichment stage correlates anomaly windows with network events to extract attacker IP and MAC information, suspicious ports, Modbus manipulation signals, and connection-rate anomalies, producing a structured forensic report. Ablations and visual analyses show that graph-based physical sensing and statistical network attribution are complementary. To the best of our knowledge, this is the first work to combine topology-aware GNN physical detection, multi-class cyber attribution, and automated forensic enrichment in a single pipeline evaluated on this dataset. [ABSTRACT FROM AUTHOR]
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=enr&AN=194141509
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.3390/en19102394
    Languages:
      – Code: eng
        Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 23
        StartPage: 2394
    Subjects:
      – SubjectFull: Anomaly detection (Computer security)
        Type: general
      – SubjectFull: Intrusion detection systems (Computer security)
        Type: general
      – SubjectFull: Transformer models
        Type: general
      – SubjectFull: Machine learning
        Type: general
      – SubjectFull: Cyber physical systems
        Type: general
      – SubjectFull: Smart power grids
        Type: general
      – SubjectFull: Computer network traffic
        Type: general
      – SubjectFull: Digital forensics
        Type: general
    Titles:
      – TitleFull: Graph-Attentive Cyber–Physical Attack Detection and Forensic Attribution in Smart Grids: A Two-Stage Pipeline Combining Physical Anomaly Detection with Network Traffic Analysis.
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Greco, Danilo
      – PersonEntity:
          Name:
            NameFull: Gaggero, Giovanni Battista
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 15
              M: 05
              Text: May2026
              Type: published
              Y: 2026
          Identifiers:
            – Type: issn-print
              Value: 19961073
          Numbering:
            – Type: volume
              Value: 19
            – Type: issue
              Value: 10
          Titles:
            – TitleFull: Energies (19961073)
              Type: main
ResultId 1