Unsupervised Machine Learning for Anomaly Detection in Synchrophasor Network Traffic

In this paper, the k-means algorithm is applied to IEEE C37.118.2 synchrophasor network traffic data to model the expected packet features under normal operating conditions. Once the model is trained, anomalies in the data are introduced using packet manipulation and packet injection. Anomalies in this research are defined as any packets in the network traffic from an unknown IP address, irregularities in the byte length of the synchrophasor data, or any packet with a network latency longer than is characteristic of the network. The trained model detects these simulated anomalies by assigning each test packet to a trained cluster centroid and determining if the distortion of the test packet qualifies it as an anomaly. This paper describes the problems and opportunities that arise from smart grid technologies, why using machine learning for anomaly detection is essential in control system environments, and how the model is developed to detect anomalies.