Applying Hoeffding Adaptive Trees for Real-Time Cyber-Power Event and Intrusion Classification

Electricity transmission systems are networked cyber physical systems that are subject to many well-known control, weather, and equipment failure related contingencies which can disrupt power delivery. Cyber-attacks against electric transmission systems are another class of contingency which can disrupt power delivery. Wide area monitoring systems (WAMSs) enhanced with phasor measurement units provide high volume and high velocity power system sensor data which can be combined with traditional power system data sources and cyber data sources to enable real time detection of both types of contingencies. This paper describes research toward a cyber-power event and intrusion detection system (EIDS) which can be used for multiclass or binary-class classification of traditional power system contingencies and cyber-attacks. The continuous streams of high speed data from WAMS pose significant challenges in data storage, management, and handling. Data stream mining addresses the continuous data problem and can deal with very large data sizes. Hoeffding adaptive trees (HAT) augmented with the drift detection method (DDM) and adaptive windowing (AMIN) can effectively be used to classify traditional and cyber contingencies in real time. Experiments performed for this paper demonstrate HAT + DDM + ADWIN provides classification accuracy of greater than 94% for multiclass and greater than 98% for binary class classification for a dataset with artifacts from 45 classes of cyber-power contingencies. Results also show that HAT + DDM + ADWIN has a small memory foot print and a fast evaluation time which enables real time EIDS.