Possibilistic decision trees for Intrusion Detection in IEC61850 automated substations

This paper details the use of possibilistic decision trees for a lightweight Intrusion Detection System (IDS) to be used in Intelligent Electronic Devices (IEDs) of IEC61850 automated electric substations. Traffic data is captured by performing simulated attacks on IEDs. Data is obtained for two types of genuine user activity and two types of common malicious attacks on IEDs. The genuine user activity includes, casual browsing of IED data and downloading of IED data while a Ping flood Denial of Service (DoS) and password crack attack are performed for malicious attacks. Classification is done using possibilistic decision trees for the logarithmic histogram of the time difference between the arrival of two consecutive packets. The main contribution of this paper is the use of non-specificity for obtaining a continuous valued possibilistic decision tree and its cut points. It also includes the use of mean distance metrics to obtain the possibility distribution for the real attack data.