IEEE 1815.1-Based Power System Security With Bidirectional RNN-Based Network Anomalous Attack Detection for Cyber-Physical System

The introduction of the cyber-physical system (CPS) into power systems has created a variety of communication requirements and functions that existing legacy systems do not support. To this end, the IEEE 1815.1 standard defines the mapping between existing distributed network protocol networks and IEC 61850 networks that reflect new requirements. However, advanced CPS cyberattacks have been reported, and in order to address cyberattacks, security research on new power systems that use network devices and heterogeneous communication is necessary. In this study, we propose an intrusion detection system for an IEEE 1815.1-based power system using CPS. We 1) analyze an IEEE 1815.1-based power system network and propose a suitable application method for an intrusion detection system, 2) suggest a bidirectional recurrent neural network-based anomaly detection system for an IEEE 1815.1-based network, and 3) demonstrate the verification of the proposed technique using various power system-specific attack data, including real power system using CPS network traffic, CPS malware behavior (CMB), false data injection (FDI), and disabling reassembly (DR) attacks. Proposed technique successfully detected five types of CMB attacks, three types of FDI and DR attacks.


I. INTRODUCTION
The Distributed network protocol (DNP3) [1] is the de facto communication protocol used at the distribution and transmission level and it is widely used in the North American and Asian power systems. With the introduction of the cyber-physical system (CPS), various power systems are connected, resulting in communication functions and requirements that the existing DNP3 systems cannot support. However, the ''IEC 61850-Communication networks and systems for power utility automation [2]'' standard is the standard for communication networks and systems in substations. Since 2007, IEC 61850 has expanded to communications networks and systems for power utility The associate editor coordinating the review of this manuscript and approving it for publication was Hong-Ning Dai . automation and includes a variety of interconnected systems related to power systems, including hydropower systems and wind power systems. In particular, IEC 61850 defines a systematic data structure and communication functions, considering the interoperability and requirements of various interconnected systems for power systems using CPS. Therefore, for the power system using CPS, the existing DNP3 system adopts the IEC 61850 system; the standard for mapping DNP3 and IEC 61850 for this is IEEE 1815.1 [3]. Fig. 1 shows the supervisory control and data acquisition (SCADA) system of CPS. The intelligent electronic device (IED) is connected to wireless/wired sensors, actuators and physical devices to perform monitoring, metering, protection, and control. The human machine interface (HMI) connected to the IED allows an operator to check the system status and interact with it. The remote terminal unit (RTU) collects the field digital and analog signals monitored by the IEDs, transmits them to the SCADA workstation, interprets the control commands of the SCADA workstation, and transmits the control commands to the corresponding IED. Historian stores sensor data and performs logging. Fig. 2 shows the IEEE 1815.1 use cases. IEEE 1815.1 use case (a) is when the IEC 61850 IED is connected to a DNP3 master. An example of using IEEE 1815.1 use case (a) is when an IEC 61850 substation is connected to a network control center using DNP3 communication. IEEE 1815.1 use case (b) is when the DNP3 IED is connected to an IEC 61850 Client. An example of using IEEE 1815.1 use case (b) is when an IEC 61850 substation should be connected to DNP3 legacy IEDs. Thus, power systems are more connected with network and complicated due to the use of CPS and heterogeneous communication.
Cyberattacks targeting CPS are becoming more advanced. BlackEnergy3 (2015) and Crashoverride (2016), which caused blackouts in Ukraine, and TRITON (2017), a highly advanced malware that installs backdoors in a safety instrumented system (SIS), have been recently reported. In addition, in June 2019, the Xenotime hacking group, behind TRITON, was believed to be acquiring data from the power industry in the US and Asia-Pacific, creating a crisis in cyber security in the power system. In particular, Crashoverride and TRITON have the function of attacking the control system by generating a packet complying with the CPS communication protocol. Therefore, security based on network traffic behavior is required rather than a simple whitelist-based security. However, the application of IEEE 1815.1 is being considered when opening a new substation in a network control center using the existing DNP3 communication. But the current research on IEEE 1815.1-based network security is limited to the work of Yoo et al. [4], a security analysis study for heterogeneous networks, and no cyber security system has been proposed. Therefore, this study proposes an intrusion detection system in environment IEEE 1815.1-based system to address cyber threats targeting CPS. To this end, we 1) analyze the IEEE 1815.1-based network and propose a suitable application method of an intrusion detection system, 2) propose a bidirectional recurrent neural network (BRNN)-based anomaly detection system and a method for improving false detection for IEEE 1815.1-based network. The proposed method is validated through actual power system using CPS network traffic and various CPS-specific attack data including CPS malware behavior (CMB), false data injection (FDI) [5], and disabling reassembly (DR) [6] attacks. The main contributions of this study are as follows.
1) The IEEE 1815.1-based power system was analyzed and an application method of the network security solution such as intrusion detection system was proposed.
2) Bidirectional RNN based anomaly detection system is proposed considering the network characteristics of power system using CPS in the heterogeneous system with DNP3 and IEC 61850.
3) Test methods for abnormal behavior were presented through various CPS-specific attack data including power system using CPS network traffic, CMB, FDI, and DR attacks. This paper is organized as follows. In Section II, related research is described. In Section III, the application scope of the proposed technique and the target protocol are presented. Section IV describes the proposed technique and Section V VOLUME 8, 2020 describes the normal and attack data sets used to verify the proposed technique. Section VI describes the verification of the proposed technique and discussion about the proposed technique. Finally, we provide conclusions in Section VII.

II. RELATED WORKS
The CPS intrusion detection system can be divided into anomaly detection based on a network packet header or network traffic flow and that based on a network packet payload or measurement value. Yun et al. [7] proposed a method of whitelisting traffic patterns based on the main header information of the packet by each command. The proposed technique can identify the abnormality of the use of a disused abnormal command and network transmission of a single command. However, this technique does not detect the abuse or absence of existing used commands. Zolanvari et al. [8] detected abnormal behavior through various features of network traffic flow and machine learning algorithms. Because statistical information is regarding network traffic flow of the existing transmission control protocol (TCP) port, it has a disadvantage in that an advanced attack executed through the existing port is difficult to detect. As an anomaly detection study based on the network packet payload and measurement values, Agrawal et al. [9] proposed a support vector machine (SVM) model to discriminate abnormal behavior using the variation in the measurement data as a feature. Wu et al. [10] proposed a neural network model for discriminating abnormal behavior using the measurement data as a feature. These studies are typical blackbox-level machine learning-based techniques. In this case, it is difficult to analyze the detection result and improve the false detection. Goh et al. [11] proposed a model to learn a recurrent neural network (RNN) using the measurement data as a feature and analyze the results through cumulative sum (CUSUM). Goh et al. did not determine normal or abnormal characteristics through the RNN but generated the next measurement data that is predicted and abnormal behavior was determined through CUSUM, a technique for analyzing continuous data. Therefore, it has the advantage that it is easy to analyze the learning results. Lin et al. [12] proposed a model to learn normal behavior through timed automata (TA) and Bayesian networks after simplifying changes in measurement data to quick/slow and up/down. Compared to the existing SVM and the cyclic neural network, it shows a faster processing speed but has a disadvantage of low accuracy in learning normal behavior. Feng et al. [13] proposed a normal behavior learning technique for changes in measurement data and control events and showed a high normal behavior learning rate. However, it has a disadvantage that in expressing the change in measurement data, it is difficult to intuitively interpret the detection result because it maps each change in the measurement data to one of several Gaussian mixture models (GMMs) generated based on the expectation-maximization (EM) algorithm.
Existing studies have investigated network anomaly detection using network packet header and traffic flow features and payload anomaly detection using network packet payload and measurement values. Network anomaly detection does not detect advanced attacks using manipulation of payloads. However, payload anomaly detection does not detect various attacks that prevent data acquisition through a network such as denial of service (DoS). In our prior work [14], we proposed an anomaly detection model that learned header-based whitelist and payload through one-class support vector machine (OCSVM) and verified it using testbed data. However, the model did not detect advanced attacks such as FDI and DR and it is difficult to improve because it generates anomaly detection results through OCSVM.
Research regarding the security of an IEEE 1815.1-based network is limited to the work of Yoo et al. [4], which is a security analysis study for heterogeneous networks, and no cyber security system has been proposed. Therefore, this study analyzes the network of a heterogeneous system with DNP3 and IEC 61850 and proposes a suitable application method of an intrusion detection system. In addition, to utilize the advantages of related research and compensate for the disadvantages, we include both header and payload in the feature use. In addition, we selected RNN as anomaly detection algorithm. The RNN can predict patterns over a set of network input data and also using RNN as a data generation model, rather than for abnormal behavior discrimination, RNN results can be interpreted intuitively. Model verification is performed through actual IEEE 1815.1-based power system data using CPS and advanced CPS-specific attack data such as CMB, FDI, and DR attacks.

III. APPLICATION SCOPE AND PROTOCOL OF THE PROPOSED TECHNIQUE
''NISTIR 8219 -Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection'' [15] describes the definition and function of anomaly detection in industrial control systems. There are three types of anomaly detection systems described in NISTIR 8219: networkbased, agent-based, and historian-and sensor-based systems. A network-based system aggregates the overall network traffic and performs anomaly detection. An agent base installed in specific systems performs abnormal behavior detection based on collected information. A historian-and sensor-based system performs abnormal behavior detection through sensor data stored in the historian. The technique proposed in this study aims to detect network attacks such as Crashoverride and TRITON using CPS protocols. Therefore, based on the classifier of the recent national institute of standards and technology (NIST) work, it belongs to the category of a network-based system and performs abnormal behavior detection for the entire network traffic of the power system. Network traffic may be collected by performing mirroring on the network switch, such as NISTIR 8219, or by performing mirroring on an RTU that communicates with both SCADA and IEDs. However, commercial products are already available for a variety of general information technology (IT) network traffic except the protocol of the power system. Therefore, the proposed technique only covers the network traffic of the power system using CPS such as DNP3 and IEC 61850.
The proposed technique is applicable to both IEEE 1815.1 use case (a) and (b). However, use case (b) is a case where DNP3 legacy IEDs are connected to an IEC 61850 substation, and its practical applications are limited. However, use case (a) is a dominant case in which a new IEC 61850-based digital substation is connected to a control center of an existing power grid and some actual application cases exist. The IEEE 1815.1-based power system data used in this paper are also data collected in the field of use case (a); thus, the subsequent description is with regard to IEEE 1815.1 use case (a). Fig. 3 shows the communication flow of the IEEE 1815.1 use case (a). A key feature of the IEEE 1815.1-based networks is the use of process images. The process image, which is a database that stores the current data values of all IEDs, is updated through communication between the gateway and the IEDs. When acquiring data from SCADA, a command is not directly sent to an IED and necessary data are acquired from the process image of the gateway. There are as many as dozens of IEDs, depending on the site, and there may be delays in directly communicating with the IEDs in real time. Therefore, using the process image has the advantage of not having to perform real-time pass through with a large number of IEDs. However, in the case of a control command message, protocol conversion is performed through the gateway and directly transmitted to the relevant IED. Because of these characteristics, the SCADA and IED communication sections have different communication characteristics with the gateway as the boundary; messages in the gateway-IED section are not detected in the SCADA-gateway section. Therefore, to collect all network traffic in an IEEE 1815.1-based network, network traffic collection for two sections, the SCADA-gateway and gateway-IED, is required. In this environment in which substations are transformed into IEC 61850-based automated substations through the application of the IEEE 1815.1 standard structure, the proposed technique of this study is applied and verified for the DNP3 communication section which is known for cyber-security threats as described in [16] and can be attacked using Internet communication protocols such as TCP/internet protocol (IP).
The DNP3 protocol is one of the data transmission protocols widely used in SCADA systems for power and water in North America and Asia and is defined in IEEE 1815-2012 [1]. DNP3 is more reliable than IEC 60870-5 [17], a data transmission protocol of the SCADA system which is mainly used in Europe, because a fragmented message can be transmitted according to message length. The data acquisition side is defined as the DNP3 master and the data transmission side as the DNP3 outstation. There are two types of communication: request response and unsolicited response. The request response type is that in which an outstation responds after the master sends a request. The unsolicited response type allows the outstation to send a message without the master's request to more quickly report important events. The transmitted data do not include detailed information such as the name of the data other than the type. Therefore, when communication is first established, the master requests the entire data of the outstation to perform synchronization. As a function of security, IEEE 1815-2012 specifies secure authentication version 5, which uses digital-signature-based authentication and encryption. However, the majority of SCADA systems using DNP3 do not use authentication and encryption functions because of the availability of legacy devices depending on its capability and the necessity of installing public key infrastructure (PKI). The DNP3 protocol operates at the application layer and internally consists of a data link layer, a transport function, and an application layer. Fig. 4 shows a field of a DNP3 message for each layer. The data link layer is a layer for station addressing and error detection and performs DNP3 communication link management. The transport function segments the message up to 249 bytes for reliable communication and manages the segment message. The transport function field consists of a 1-bit FIR, FIN, and 6-bit sequence number, indicating whether it is the first or last segment message. Even in the application layer, messages can be divided according to the performance of the application. Thus, the application header has control fields similar to transport functions. The object header contains object information required by each function code and consists of object type information such as a binary/analog signal and integer/float and address range information of the object.

IV. PROPOSED TECHNIQUE A. ALGORITHM SELECTION
Despite the existence of advanced cyber threats targeting CPS such as Crashoverride and TRITON, few network intrusion detection systems have been applied to VOLUME 8, 2020  [14], [18], the main reasons why the intrusion detection system is not actually used for CPS are the frequent false positives and the difficulty in interpreting the detection results. For example, a false positive rate of 0.1% means very high accuracy. However, at least 100,000 packets in a general-sized CPS network and millions of packets in a big-sized CPS network can be sent per day. Therefore, even if 100,000 packets are transmitted per day, a false detection rate of 0.1% means that 100 false detections occur per day. Frequent false positives can mitigate security awareness of security managers. In the case of TRITON, forensic analysis has reported that two or more intrusion detection alerts were ignored, allowing hackers to successfully install malware.
Therefore, a measure for improving the accuracy by analyzing the cause of false positives is needed. However, the difficulty in interpreting detection results hinders improvement of false positives. The algorithms of detection techniques of previous studies such as Zolanvari et al. [8], Agrawal et al. [9], Wu et al. [10], and Feng et al. [13] generate their detection results at a black box level and there is no suggestion to interpret the detection results. Therefore, it is difficult to analyze whether an abnormal behavior detected as a detection result is a false detection for normal behavior or a true detection for an abnormal behavior. This leads to difficulty in using and improving detection results. To solve this problem, there is a technique that can easily visually analyze the result value instead of at the black box level, such as a graph-based automata creation as in Lin et al. [12]. However, as a result of practical application, it was found that detection is performed only one time in the automata-based detection technique which is a problem. For example, when there is an automata represented by (1234) * , if a packet of a type representing 5 after 123 has been transmitted and determined to be abnormal, a ground is needed to determine whether the next abnormality determination would continue to be performed again as a 4 state after a 3 state which has been normal or as a 1 state again after a 4 state. In particular, the data used for the verification of the proposed technique have a normal network flow pattern length of greater than 100. From analysis, it has been noted that the time to return to normal network flow after abnormal behavior is inconsistent. Therefore, we selected the RNN algorithm that can determine the next abnormality by learning the pattern of the data input after the occurrence of abnormal behavior. The RNN stack is a useful model for predicting patterns over a set of input data [19]. In this study, RNN is used as a model to predict the data of the next expected packet by learning the pattern through a series of network packet data rather than directly determining abnormal behavior. The general ''many to many'' RNN model is not suitable because it performs an accuracy calculation by generating all the next predictive data for each input over a series of inputs. Therefore, we use a ''many to one'' RNN model that predicts only one next prediction data for a series of inputs. However, in our priori research [18], it was found that the unidirectional RNN model did not predict rare data. For example, suppose there are commands with a 5-s cycle and a command with a 5-min cycle. In this case, the unidirectional RNN model tends to predict only 5-s periodic commands, ignoring 5-min periodic commands for better accuracy. Therefore, this study uses a ''many to one'' bidirectional RNN structure. However as shown in Fig. 5, traditional ''many to one'' bidirectional RNN uses N series input as forward layer and (N+1)th to (N+m)th input as backward layer to predict the (N+1)th input. Because backward layer already has (N+1)th input, the backward layer's weight became so high and appropriate training cannot be done. Therefore we propose new type of many to one bidirectional RNN as shown in Fig. 6. This structure receives N traffic patterns as input and generates (N+1)th prediction data and further receives M data from (N+2)th data to correct (N+1)th prediction data. As M data are additionally used for correction delay abnormal behavior determination, a model with a smaller M is advantageous for real-time detection.

B. BRNN-BASED ANOMALY DETECTION SYSTEM
The BRNN-based anomaly detection system is shown in Fig. 7. It is largely divided into training, and test phases. The training phase is the step of creating a BRNN model that generates the next prediction value by learning with the training data and threshold. The test phase is the step of 77576 VOLUME 8, 2020 generating a predicted value of the BRNN model through test data including normal and attack data and providing a detection result by comparing the predicted value to a threshold. Even within each step, learning and detection are performed by separating the header and payload of the packet. Anomaly detection for the header of a packet aims to ensure normal data acquisition through the network by learning the pattern of the communication flow of the network and determining anomalies on the network. The detection of abnormal behavior of the payload portion of the packet ensures the validity of power system data by determining abnormal behavior in payload data acquired through the network.

1) TRAINING PHASE OF THE BRNN-based ANOMALY DETECTION SYSTEM a: HEADER TRAINING PHASE
Training phase of BRNN-based anomaly detection system is shown Fig. 8. The BRNN model is trained by extracting the header part from the packet and using the extracted header as a series of inputs. The function code for determining the type of a command and FIN, FIR and SEQ for packet reassembly and detecting packet duplication and loss were selected as the main features of the header. In the case of SEQ, we didn't use integer value of SEQ, but it is generally represented by 1 using a changed value from the previous packet. The red-colored part of Fig. 9 shows the header feature. The application layer fragmentation fields were excluded from the feature because fragmentation was not used in our data. Because the number of header types is finite, 1-hot vectors are constructed for each finite header type without generating prediction values as real values for each field. Therefore, a higher accuracy BRNN model can be expected without considering the types of headers that cannot be generated. In addition, the header information corresponding to a 1-hot vector can be used as a whitelist. In general, even normal network communication includes abnormal communication flow because of network instability. Therefore, the anomaly frequency detected through normal training data learning is used to set the threshold during the test phase.

b: PAYLOAD TRAINING PHASE
Training a BRNN model with an entire set of payloads as input is less than optimal in terms of learning time and accuracy. To improve the learning time, it is possible to shorten it by removing unnecessary fields in advance, such as a value that is always constant. To improve accuracy, it is advantageous to extract the fields related to pattern learning. Ideally, fields that are not related to pattern learning, such as fields with random values, are expected to have their weights related to the corresponding fields all set to zero during the training process. Otherwise, fields that are not related to pattern training will act as variables that reduce accuracy in loss calculation during the training phase. Therefore, via constructing a separate BRNN by removing unrelated fields and tying related fields, a BRNN model of higher accuracy can be constructed. Payload training phase consists of preprocessing, association rule mining, rule revision and BRNN model training steps.
Preprocessing: During the preprocessing step, the field always used as a constant value is removed and the change in the variable field value is expressed as increased, decreased, or unchanged. Removing constant value fields shortens the BRNN model training and association rule mining time. In addition, the main reason for removing constant value fields is that in BRNN model training, the data is meaningless, and for association rule mining, a set of constant value fields is always generated as the highest frequency of association rules. Changing field values to increased, decreased, and unchanged is because association rule mining is not optimized for numeric values such as integer and float.
Association rule: During the association rule mining step, we used the Apriori algorithm to find patterns in which the increase and decrease in each value always matches and generate the association rule. Algorithm I shows pseudo code of Apriori algorithm. Let P = { 1 , 2 , · · · , k } be a set of k payload data and = { 1 , 2 , · · · , l } be a set of l fields in the payload in which each field in increased,decreased,unchanged . Metrics used in the Apriori algorithm include support, trust, lift, and conviction. Among them, we used confidence, which means the accuracy of the rule, and under the assumption that the data change in VOLUME 8, 2020

the CPS is made under certain conditions, min_conf is set to 1. Example of association rule is field A increases when field B increases for proportional relations field A and B.
Rule Revision: The generated association rule goes through a rule revision step. During the rule revision step, the field  that is not included in the test data or missed by the algorithm but also including the monitoring rule for safety in use.
BRNN Models Training: BRNN models are created by training the real values for each rule as input rather than a series of incremental and decrement values for each field. The number of BRNN models is same as number of field set of association rules. However, if all data are not included through association rule mining, additional BRNN can be configured using the remaining fields after eliminating unnecessary fields at the discretion of the engineer. The maximum error rates of each field after training each BRNN model are used to set the thresholds during the test phase. Fig. 10 shows test phase of the BRNN-based anomaly detection system. A predictive header value is generated from a series of header information and compared to the actual header value. Because the header information is expressed as a 1-hot vector, the result of the comparison is divided into right and wrong. Abnormal data flow, such as packet loss, occurs even in a normal operating control system. Therefore, alarming with only one wrong prediction can be a cause of frequent false positives. To solve this problem, we set the Z score suitable for use as the threshold through the anomaly frequency calculated during the training phase. If the current anomaly frequency per unit time exceeds the threshold, it is determined as an anomaly. If an input value that cannot be represented as a 1-hot vector occurs, it is considered as an anomaly because it is regarded as abnormal behavior resulting from an inappropriate command or packet type use.

b: PAYLOAD TEST PHASE
BRNN learned by each association rule uses different input fields and requires different input lengths. Therefore, the predictive payload value is generated by inputting the appropriate series of payload information for each BRNN and comparing it to the actual payload value. Unlike the header information, because it is not a 1-hot vector, the actual output payload generally has a real value. The initial threshold is set as the maximum prediction error rate of the payload calculated during the training phase. When the threshold is exceeded by comparing the error between the predicted and actual values, it is determined as anomalous.

V. DATASET A. IEEE 1815.1-BASED POWER SYSTEM DATA USING CPS
A total of three days of network packets were collected from an operating IEEE 1815.1-based Korean substation. The SCADA gateway has approximately 320,000 DNP3 packets. The collected packet was confirmed by the engineer as normal data without a cyberattack and abnormal behavior.
However, it was found that 2% abnormal network traffic was included because of network burst and session reestablishment. The DNP3 master equipment acquires five types of data as shown in Table 1 according to the power market operation rule [20] and the observed normal network traffic pattern length is 137.
Because the actual payload data are private information, the entire contents cannot be publicly shared. Therefore, with the aid of engineers, four IEDs and 127 data were selected to express substations out of dozens of IEDs. DNP3 has no data naming rules. Therefore, IEEE 1815.1 maps the data points of DNP3 according to the data and naming rules standardized in IEC 61850. The data name of IEC 61850 largely consists of LDName, LNName, DataObjectName, and DataAttribute-Name, as shown in Fig. 11. LDName is a logical device (LD) name that is the name of a corresponding device and it is application specific. LNName is a logical node (LN) name that consists of an application-specific prefix, a class name of four alpha characters as defined in IEC 61850-7-4 [21], and an instance ID that is a number for distinguishing the same class name. DataObjectName is a data object belonging to each LN class and is also defined in IEC 61850-7-4. Each DataObjectName belongs to the common data class (CDC) defined in IEC 61850-7-3 [22] and each DataAt-tributeName and attributes type are defined in the CDC. The example in Fig. 11 shows the ctlVal attribute of Pos which means switch position in XCBR which is a circuit  breaker of E1QA5 LD. CtlVal is a BOOLEAN value with on and off. The selected 127 data with 4 IEDs were organized into data names mapped in IEC 61850 according to the standard of IEEE 1815.1, as shown in the Appendix. The IEDs of Fig. 12 shows data point composition of each IED. However, application-specific information, which is private, was removed or replaced with meaningless information when it was necessary to distinguish between data. A total of 50% of the collected data was used for training and the remaining 50% for testing.

B. ATTACK DATASET
Attacks cannot be performed against an actually operating substation. Therefore, using a commercial product of Triangle Microworks' distributed test manager (DTM) [23], a DNP3 network with four IEDs was constructed to configure the same experimental environment as a substation as shown Fig. 12. When an attack packet itself could be generated in the DTM, it was generated through the DNP3 master of the DTM. Otherwise, the packet was directly generated using Ostinato [24], which is an open source traffic generator in Attack PC. To construct the attack dataset, the packet was generated by a CMB attack, an FDI attack, and a DR attack and it included in the test packet. A description of each type of attack is as follows.

1) CMB ATTACK
The main types of attacks of Crashoverride [25] and TRI-TON [26] are reconnaissance and DoS attacks and file transfer commands. Table 2 shows 3 type of CMB attack. The reconnaissance attack is an attack for collecting network information. In the case of DNP3, the integrity data polling command that requests the entire data of the device belongs to this attack. When the session is re-established, integrity data polling commands may be transmitted depending on the DNP3 device configuration. In this case, the integrity data polling, which is unrelated to the session re-establishment, should be detected as abnormal. A DoS attack refers to device operation through abnormal control commands, such as operate and cold/warm restart of DNP3. The file transfer command is an attack for transferring malicious firmware and files and file writing is initiated through the OPEN_FILE command of DNP3. Because all commands were standard DNP3 commands supported by DTM, DTM sent commands of the IBM attack type through the DNP3 master and a total of five commands were sent 10 times.

2) FDI ATTACK
An FDI attack [5] is an attack that is not easily detected by generating false data that maintains the linear characteristics during data manipulation after identifying the linear characteristics in the data. An FDI attack was performed by selecting data with linear characteristics for the fields included in each association rule. Fig. 13 shows a graph of an FDI attack performed against active and apparent power in a proportional relationship with each other. The red line represents the point in time of the attack. FDI (a) is the case in which one data has been changed to an abnormal value. The abnormal value is the original value plus 10% to 100% of the original value. FDI (b) is the case in which the data has been changed in the decreasing direction, and in the case of FDI (c), the original value has been changed to 1.5 times. Because an FDI attack is an attack performed on data values, FDI attack data is directly injected into existing payload data without network packet transmission. Ten types of FDI attacks were performed 10 times on 10 analog input data included in the association rule.

3) DR ATTACK
A DR attack is an attack that interrupts reassembly by transmitting a packet having an abnormal reassembly header  between normal packets when the DNP3 message is fragmented because of its long length. The segment message processing method of DNP3 is to drop all segment messages that were previously transmitted at the moment of receiving packets of abnormal FIR, FIN, and sequence fields. Thus, continuous DR attacks can lead to DoS [16], and depending on the configuration of the DNP3 device, a single DR attack can cause tens of seconds of DoS [18]. Fig. 14 is an example of a DR attack. When data is transmitted in four segment messages, FIR means the first is set in the first segment message and no flag is set in the middle segment messages. In the fourth segment message, FIN, which means the last packet, is set. However, because of the DR attack, the segmentation field of the third packet is manipulated and changed to abnormal such that segment messages 1 and 2 are dropped and the corresponding command cannot be processed. Because such an abnormal DR attack message could not be generated through DTM, the DR attack was generated through Ostinato on the attack PC. Three types of DR attacks including FIR, FIN, and FIR + FIN were performed 10 times each and each attack made data acquisition impossible for more than 30 s.

VI. VERIFICATION OF THE PROPOSED TECHNIQUE A. DEVELOPMENT ENVIRONMENT AND MODEL GENERATION RESULTS
The development environment is an Intel Core i7-8700 central processing unit (CPU) with 16 GB of memory,  a GeForce GTX 1070 Ti, and TensorFlow library. The parameters of each learning model were optimized by repeated experiments. The RNN cell type was selected as a gated recurrent unit (GRU) [27] for faster learning. Table 3 summarizes the parameters of the generated header-based anomaly and payload-based anomaly detection models.
There was considerable trial and error in the creation of the association rule. Finally, five data point groups were created as listed in Table 4. To create an association rule, we first removed the constant value field. Binary values are not likely to change in a normal operating substation environment. In practice, the binary values also had a small number of data points that changed but selected data points were not changed. For analog input, AI #8 and AI #12 are excluded because of constant values. The constant value fields can be configured as whitelists for monitoring. Therefore, the Apriori algorithm is performed on 11 analog inputs and the min_conf is set to 1 under the assumption that data change occurs under specific conditions in the CPS. The first problem encountered is the generation of meaningless rules based on data imbalance. As a result of analyzing the created association rule, approximately 70-95% of the analog data were expressed as unchanged according to data points. The analysis result from the engineering information is a result of the power data changing in a cycle of approximately 100 s. Therefore, to focus on the data change, unchanged data is treated as VOLUME 8, 2020 missing data such that it does not affect the association rule calculation. The second problem we faced was the lower confidence resulting from data errors. As a result of analysis through engineering information, the analog input value is transmitted by rounding off the measured float value to an integer. This results in data errors because of measurement and rounding down, creating certain patterns of variation that are not always consistent. Therefore, we set min_conf to a lower value of 0.7, not 1. As a result, four association rules and two data point groups were generated by the Apriori algorithm. Analyzing the data point group of the created association rule, AI #0, 1, and 2 are the A/B/C current and AI #3 and 5 are power points that are proportional to each other. Therefore, it can be seen that a reasonable association rule has been created in which all five points are increased and decreased. AI #9, 10, and 11 can also confirm that a reasonable association rule has been created with data points that are proportional to each other with A/B/C phase currents. However, AI #9, 10, and 11 have a lower confidence level of 0.7 than that of AI #0, 1, and 2 because the analysis information shows that AI #9, 10, and 11 have a small amount of change, which causes a greater error from rounding down. For AI #4, 6, 7, 8, and 12, the rules were written based on engineering information. AI #4 and 6 are cases in which the Apriori algorithm could not extract the associated field because of data error of rounding down. AI #4 is a reactive power, AI #3 is an active power, and AI #5 is an apparent power.
AI# 3, 4, and 5 have an Eq. (1) relationship. Therefore, we added AI #3 and 5 to AI #4. AI #6 is a power factor that has an Eq. (2) relationship. Therefore, we added AI #3 and 5 to AI #6. AI #7 is a frequency and was independently added because there is no analog input related to frequency. AI #8 is a reclosing operation and AI #12 is a power factor of IED #3. AI #8 and 12 are constant value and there is no other analog input related to these analog inputs. Therefore, learning with AI #8 and 12 is impossible and AI #8 and 12 were excluded.

B. NORMAL DATA LEARNING RATE AND ANOMALY DETECTION RESULTS
The threshold value used in the header-based anomaly detection model is a Z score of 1.65 (95%) for the 5-min frequency of anomaly detection in the training data. The detection results are listed in Table 5. The normal behavior pattern of 137 lengths was well learned and all three types of CMB attacks were detected. All three types of attacks were detected as abnormal because they were not mapped to the 1-hot vector because they were types of instructions not found in the training dataset. However, if integrity data polling of the reconnaissance attack was a commonly used environment, it would not be possible to perfectly detect it. Fig. 15 shows the result of the DR attack detection. If the frequency of the anomaly detection exceeds a threshold, the anomaly detection system alerts and sets the frequency to 0. In the case of DR attacks, attack detection was performed well but some abnormal network traffic on normal operation CPS was classified as abnormal behavior. We analyzed and found that this was the case in which network traffic congestion occurred during the process of reestablishing the session and the TCP reconnection was not normally performed for a long time. Therefore, the proposed technique also identifies communication problems on the network of the control system under normal operation, which can be utilized in terms of network state management. The initial threshold used in the payload-based anomaly detection model is the maximum prediction error rate of the actual value and the predicted value during the training phase. Table 6 shows the results of payload anomaly detection. The total is the result of anomaly detection when anomaly is detected on any AI prediction result. Higher thresholds do not detect precise FDI (a) attacks. In the case of FDI (b), an attack can be immediately detected according to an analog point. However, even if an attack cannot be immediately detected, all attacks are detected because of the continuous change in the value. In the case of FDI (c), it was immediately detected because of the great change in value. Because AI #6, a power factor of Rule group #3, has only values of 0 and 1, and the value does not frequently change, all values were predicted well with threshold 0 for normal data. However, the FDI attacks on AI #6 were not detected at all and the FDI attacks on rule group 3 were detected by AI #3 and 4 which were added through rule revision. It was found that fraction information is needed for effective learning of the power factor, AI #3. The threshold can be lowered for higher immunity to attacks such as those FDI (a). To detect a 10% level of an FDI (a) attack, the threshold also requires a level of 10%. The last column of Table 6 lists the normal behavior accuracy when the threshold is set at 10% and 15%, respectively. It is difficult to detect 10% FDI (a) attacks due to the low accuracy of normal behavior, and it was found that a 15-20% level of FDI (a) attacks can be detected.

C. DISCUSSION
We analyze the proposed technique in terms of 1) SCADA system function, 2) CPS network traffic characteristic, 3) result analysis and management and 4) CPS-specific attack detection result.

1) SCADA SYSTEM FUNCTION
Function of a SCADA system can be seen as data acquisition and control through a network. Therefore, the main requirement of an intrusion detection system is the detection of an anomaly from the network packet flow and payload. Anomaly detection from the network packet flow ensures normal data transmission through the network by detecting abnormal behavior such as missing data transmission and abnormal packets preventing reassembly of segment packets. Anomaly detection on the payload detects an FDI attack that transmits an abnormal value and abnormal behavior, ensuring the validity of the received data. The proposed technique detects abnormal behavior of network traffic flow patterns using a header-based technique to ensure normal data transmission through the network. In addition, by verifying the validity of the data transmitted through the network using the BRNN model via each associated payload field, the proposed technique was found to satisfy the functional considerations of the SCADA system.

2) CPS NETWORK TRAFFIC CHARACTERISTICS
Depending on each CPS environment, various abnormal traffic exists in the CPS network traffic itself under normal operation. Older legacy systems often contain slower communication lines. In this case, packets are easily dropped when instantly crowded. For security reasons, there are cases in which the port is changed through aperiodic session reconnection. In addition, commands such as the unsolicited response of DNP3 are aperiodic and the number of commands can be low such that they may not be considered in learning or may be determined abnormal data. It is difficult to separately process various abnormal traffics for each type according to the CPS environment. Therefore, an abnormal behavior detection technique should be able to address abnormal traffic in this normal operating environment. When an anomaly detection engine is applied to an actual CPS, its processing speed should not be slower than the CPS network packet transmission rate such that packets to be analyzed will not accumulate and normal operation will be possible. The proposed technique generates prediction data using the BRNN technique and the determination of abnormal behavior is performed using a threshold value based on the number of abnormal network traffic per unit time in the normal control system traffic. Therefore, it has partial immunity to abnormal traffic occurring in the normal control system traffic. In terms of real-time processing capability, the deep learning technique has an advantage of taking a long time for learning but a short time for determining; it will be applied to and validated in a real power system through port mirroring.

3) RESULT ANAYLSIS AND MANAGEMENT
To utilize the actual intrusion detection system, the interpretation of the detection result should be easy. For this purpose, it should be possible to distinguish whether a behavior actually analyzed as abnormal is a falsely detected normal behavior or a truly detected abnormal behavior by presenting the reason why it is deemed abnormal behavior. In addition, when a false detection occurs, there should be a tuning method for reducing the false detection and improving accuracy. The proposed technique facilitates analysis of the result of the learning engine because the predicted value of the BRNN does not indicate abnormal or normal but generates the field value of the actual packet. For the false detection management, in the CPS environment in which the network communication pattern does not mainly change, false detection of abnormal behavior detection on headers is infrequent. If the unusual commands used for rare events such as maintenance do not belong to the 1-hot vector of the trained model, it will be determined as abnormal. If this frequently occurs, it needs to re-learn from the learning dataset containing the command or make an exception rule. In addition, if the communication periodicity is changed, re-learning is required because the pattern of communication flow itself has changed. If the pattern of communication flow is frequently disturbed by network instability, the threshold needs to be set higher to reduce false positives. In the case of an actual DR attack, because the attack must be continuously executed for its effectiveness, even if the threshold is set high, a DR attack can be detected. In the case of payload anomaly detection, because field values which are predicted as real values are compared, the more uncertain the change pattern, the higher the prediction error rate. In this case, the threshold will be set higher but FDI attacks that manipulate field values may not be detected. Therefore, for data points that require more sensitive countermeasures against FDI attacks, it is better to create an exception rule that eliminates false positives of the same type by analyzing false positives rather than setting the thresholds higher; however, it is necessary to verify the validity of the proposed technique by applying a real field for a long time.

4) RESULT ANAYLSIS AND MANAGEMENT
The verification of proposed technique was performed using various power system-specific attack data, including real power system using CPS network traffic, CMB, FDI, and DR. Five types of CMB attacks including reconnaissance, DoS and abnormal firmware upload were detected by header-based anomaly detection using 1-hot vector as header whitelist. Three types of FDI attacks were performed and multiple data FDI attacks were detected through payloadbased BRNNs. In case of single data FDI, only attack with large changes in values exceeding 20% were detected. But a single FDI attack that manipulates a small change in value is not worth it as an attack and even if the attacker performs continuous attacks with small change, proposed technique can eventually detect it, as with FDI (c), (d). Three types of DR attacks manipulating FIN, FIR, SEQ were performed and it is detected by header-based anomaly detection using anomaly frequency based threshold. Few false detection were analyzed as network congestion, therefore proposed technique also identifies communication problems on the network of the control system under normal operation.

VII. CONCLUSION
The recent cyberattacks targeting the CPS are advanced attacks that use CPS protocol packets. Therefore, the CPS requires an abnormal behavior detection system at a network-traffic level. In this study, we propose an IEEE 1815.1-based network intrusion detection system to address CPS cyberattacks in an IEEE 1815.1-based network, a new network structure of the power system using CPS. The proposed technique performs header-and payload-based abnormal behavior detection to guarantee the main functions of the CPS of SCADA system and improves accuracy by using a BRNN. This facilitates the interpretation of results. In addition, we validate the proposed technique using IEEE 1815.1-based Korea power system network data and CPS-specific attack data such as an CMB attack that performs reconnaissance, DoS and abnormal firmware upload, an FDI attack that falsifies acquisition data, and a DR attack that prevents data acquisition. Five types of CMB attacks, three types of FDI and DR attacks were successfully detected. By using the proposed technique, we can detect not only attacks using various unauthorized commands, but also advanced attacks such as FDI through existing commands, so that we can measure advanced CPS cyberattacks. In future research, we will verify the suitability of the tuning scheme and test the real-time processing capability by applying the proposed technique to the actual field using port mirroring. Table 7-10.