ANOMALY DETECTION IN ELECTRICITY CYBER INFRASTRUCTURES

Xuan Jin, John Bigham, Julian Rodaway, David Gamez, Chris Phillips
Electronic Engineering Department, Queen Mary, University of London 1

1 Electronic Engineering Department, Queen Mary University of London, Mile End Road, London E1 4NS. Contact author: xuan.jin@elec.qmul.ac.uk

Keywords: Electricity cyber infrastructure, anomaly detection, invariant induction, artificial ants

Abstract: This paper presents a novel anomaly detection methodology for the protection of electricity critical infrastructures that learns the normal behaviour of the system, builds up a profile and detects anomalous operations which deviate from the profile. This can be used to identify attacks, failures and accidents, and it can also be used to improve state estimation, correct topology errors and inform the operators about potential discrepancies between their view of the network and its actual state. This paper will cover two of the anomaly-detecting techniques that we have been developing for electricity networks - invariant induction and simulated ants - and a Bayesian methodology for integrating the output of these detectors. The results presented in this paper demonstrate that this technique could make a significant contribution to the security of electricity critical infrastructures.

1. Introduction

With the increasing interconnectivity between electricity management networks, corporate networks and the internet, electricity cyber infrastructures are becoming more and more exposed to outside attackers. This tendency has been accelerated by the widespread introduction of commercial off-the-shelf software and standard TCP/IP networks. Although traditional intrusion detection systems, anti-virus software and firewalls are used to protect the infrastructure, these signature-based solutions have a limited ability to detect and defend against rapidly emerging new attacks, as the spread of Slammer into a nuclear control centre