Evaluating the capability of machine learning models to detect unknown cyberattacks at digital substations
DOI: https://doi.org/10.18372/2073-4751.86.21276
Keywords: digital substation, cybersecurity, critical infrastructure, intrusion detection system, machine learning, unseen attack detection, SANDI-2024, IEC 104
Abstract
The article addresses the problem of evaluating the capability of machine learning models to detect unknown cyberattacks in the network traffic of digital substations. The relevance of the study follows from the fact that digital substations are part of critical infrastructure, and their operation depends on secure network interaction between automation devices, monitoring systems and industrial communication protocols. The experimental study is based on the preprocessed IEC 104 part of the SANDI-2024 dataset, which was designed for training and evaluating intrusion detection systems for electrical substations. The paper proposes a leave-one-attack-out evaluation scenario, in which one attack type is completely excluded from the training set and used only during testing, so that a model's ability to detect attack types absent from its training data can be measured directly. The study compares supervised machine learning models and anomaly-based approaches. The supervised group includes Logistic Regression, K-Nearest Neighbors, Linear SVM, Gaussian Naive Bayes, Random Forest, Extra Trees and HistGradientBoosting; the anomaly-based group includes Isolation Forest, One-Class SVM and Local Outlier Factor. The experimental results show that in the standard known-attack scenario the models achieve nearly perfect classification metrics. In the leave-one-attack-out scenario, however, model performance depends strongly on the type of unseen attack and on the decision threshold. Extra Trees achieved the best average result among supervised models, while Local Outlier Factor showed the best balance among anomaly-based models. Additional threshold analysis showed that detection of the most difficult unseen attack can be significantly improved by adjusting the classification threshold.
The obtained results confirm the importance of unseen-attack detection scenarios for a more realistic evaluation of IDS models in digital substations.
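The leave-one-attack-out protocol and the threshold analysis described in the abstract, as an added illustration that is not the paper's code, data or models: the records are constructed synthetic per-flow features (packets per second, mean frame size, number of distinct ASDU type IDs), an assumed feature set rather than the SANDI-2024 one, and the two detectors are deliberately simple stand-ins (a nearest-centroid classifier for the supervised family, a k-NN distance to benign traffic for the anomaly family) so that the evaluation protocol, not the model, is what the example shows. The attack names `flood`, `scan` and `replay`, and all class centres and spreads, are assumptions chosen so that two attacks are far from benign traffic and one sits close to it.

```python
"""Leave-one-attack-out (LOAO) evaluation on constructed IEC 104 flow features.
Added example; the data, feature set and detectors are assumptions, not the paper's."""
import random
import statistics

BENIGN = "benign"
ATTACKS = ("flood", "scan", "replay")  # assumed attack names
# Constructed feature vectors: (packets/s, mean frame bytes, distinct ASDU type IDs).
# Centres/spreads are assumptions: flood and scan lie far from benign, replay close to it.
CENTRES = {BENIGN: (10, 60, 2), "flood": (2000, 60, 2),
           "scan": (50, 20, 40), "replay": (16, 62, 2.5)}
SPREADS = {BENIGN: (2, 5, 0.5), "flood": (200, 5, 0.5),
           "scan": (4, 3, 3), "replay": (2, 5, 0.5)}

def make_records(n_benign=60, n_attack=20, seed=7):
    """Deterministic synthetic dataset: list of (features, label)."""
    rng = random.Random(seed)
    records = []
    for label, n in [(BENIGN, n_benign)] + [(a, n_attack) for a in ATTACKS]:
        for _ in range(n):
            feats = tuple(rng.gauss(c, s) for c, s in zip(CENTRES[label], SPREADS[label]))
            records.append((feats, label))
    return records

def split(records, held_out=None):
    """Alternate each class into train/test; the held-out attack goes to test only."""
    train, test, seen = [], [], {}
    for feats, label in records:
        i = seen[label] = seen.get(label, 0) + 1
        (test if label == held_out or i % 2 else train).append((feats, label))
    return train, test

def fit_scaler(benign_feats):
    """z-scoring fitted on benign training traffic only: the benign baseline sets the scale."""
    cols = list(zip(*benign_feats))
    mean = [statistics.fmean(c) for c in cols]
    std = [statistics.pstdev(c) or 1.0 for c in cols]
    return lambda x: tuple((v - m) / s for v, m, s in zip(x, mean, std))

def dist(a, b):
    return sum((u - v) ** 2 for u, v in zip(a, b)) ** 0.5

class NearestCentroid:
    """Supervised stand-in. score = d(x, benign centroid) - min over known attacks of
    d(x, attack centroid); positive means closer to a known attack than to benign."""
    def fit(self, xs, ys):
        groups = {}
        for x, y in zip(xs, ys):
            groups.setdefault(y, []).append(x)
        self.cent = {y: tuple(map(statistics.fmean, zip(*g))) for y, g in groups.items()}
        return self

    def score(self, x):
        d_attack = min(dist(x, c) for y, c in self.cent.items() if y != BENIGN)
        return dist(x, self.cent[BENIGN]) - d_attack

class KnnBenign:
    """Anomaly stand-in: mean distance to the k nearest benign training points."""
    def __init__(self, k=5):
        self.k = k

    def fit(self, xs, ys):
        self.pool = [x for x, y in zip(xs, ys) if y == BENIGN]
        return self

    def score(self, x, skip_self=False):
        d = sorted(dist(x, p) for p in self.pool)
        if skip_self:  # x is itself in the pool: drop its own zero distance
            d = d[1:]
        return statistics.fmean(d[: self.k])

def run(records, model, held_out=None):
    """Train on all classes except `held_out`; return ([(score, label)], default threshold)."""
    train, test = split(records, held_out)
    scale = fit_scaler([x for x, y in train if y == BENIGN])
    xs, ys = [scale(x) for x, _ in train], [y for _, y in train]
    assert held_out not in ys, "held-out attack leaked into training"
    model.fit(xs, ys)
    if isinstance(model, NearestCentroid):
        thr = 0.0  # the class boundary of the supervised score
    else:  # largest benign training score: zero false positives on the training data
        thr = max(model.score(x, skip_self=True) for x, y in zip(xs, ys) if y == BENIGN)
    return [(model.score(scale(x)), y) for x, y in test], thr

def recall_fpr(scores, attack, threshold):
    """Recall on `attack` and false-positive rate on benign when alert = score > threshold."""
    att = [s for s, y in scores if y == attack]
    ben = [s for s, y in scores if y == BENIGN]
    return (sum(s > threshold for s in att) / len(att),
            sum(s > threshold for s in ben) / len(ben))

def loao_table(records, model_factory):
    """{attack: (recall, fpr)} with that attack held out, at the default threshold."""
    out = {}
    for a in ATTACKS:
        scores, thr = run(records, model_factory(), held_out=a)
        out[a] = recall_fpr(scores, a, thr)
    return out

def threshold_sweep(records, model_factory, attack, thresholds):
    """Recall/FPR of the held-out `attack` at each threshold: the trade-off behind re-tuning."""
    scores, _ = run(records, model_factory(), held_out=attack)
    return [(t,) + recall_fpr(scores, attack, t) for t in thresholds]
```

Calling `loao_table(make_records(), NearestCentroid)` and `loao_table(make_records(), KnnBenign)` gives one (recall, FPR) pair per held-out attack; `run(records, model)` with no held-out attack is the known-attack scenario. The supervised stand-in only flags an unseen attack when it happens to lie closer to some known attack's centroid than to benign traffic, which is why its leave-one-attack-out recall varies with the attack type, while the benign-only anomaly scorer never saw any attack and so is unaffected by which one is held out. For the near-benign `replay` class, `threshold_sweep` over a descending list of thresholds shows recall rising only as the benign false-positive rate rises, the trade-off that threshold adjustment has to be judged against.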
License

This work is licensed under a Creative Commons Attribution 4.0 International License.
The scientific journal adheres to the principles of Open Access and provides free, immediate, and permanent access to all published materials without financial, technical, or legal barriers for readers.
All articles are published in Open Access under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.
Copyright
Authors who publish their works in the journal:
- retain the copyright to their publications;
- grant the journal the right of first publication of the article;
- agree to the distribution of their materials under the CC BY 4.0 license;
- have the right to reuse, archive, and distribute their works (including in institutional and subject repositories), provided that proper reference is made to the original publication in the journal.