Search papers, labs, and topics across Lattice.
This paper introduces FDIFormer, a novel framework for detecting False Data Injection (FDI) attacks in IEC 61850 GOOSE traffic, which traditionally relies on manually engineered features that limit generalizability. By converting protocol packets into structured text representations, FDIFormer leverages fine-tuned pre-trained Transformer models to learn attack patterns directly from the data. The method achieves comparable performance to existing feature-engineered approaches, demonstrating a significant improvement over traditional TF-IDF baselines, thus highlighting the efficacy of using Transformer models in cybersecurity applications for smart grids.
Pre-trained Transformers can effectively detect sophisticated FDI attacks in smart grid communications without the need for complex feature engineering.
Smart grids use communication networks and intelligent electronic devices for reliable, automated power system operation. As these systems become more interconnected, they are increasingly exposed to cyberattacks such as message tampering, false command injection, and denial-of-service attacks. A particularly concerning threat is False Data Injection (FDI), where attackers manipulate communication messages by deleting, modifying, or adding packets. This is especially critical in IEC 61850-based substations, where Generic Object-Oriented Substation Event (GOOSE) messages deliver time-critical protection and control information between devices. Detecting FDI attacks in IEC 61850 GOOSE traffic is challenging because malicious packets closely resemble legitimate communication, and many existing detection methods depend heavily on manually engineered protocol features requiring extensive domain knowledge and limited generalisability. This paper proposes FDIFormer, a feature-engineering-free framework for FDI attack detection using structured textual representations of GOOSE packet sequences and fine-tuned pre-trained Transformer models. The framework converts protocol packets into structured text windows that capture communication behaviour, enabling Transformer models to learn attack-related patterns directly from the data. Evaluated on the QUT-ZSS-2023-GOOSE dataset under a scenario-level three-fold cross-validation strategy, GraphCodeBERT achieves an MCC of 0.595 +/- 0.122, comparable to the strongest feature-engineered baseline, XGBoost (MCC = 0.604 +/- 0.121), while improving MCC by 0.133 over TF-IDF baselines. These findings show that pre-trained Transformer representations offer an effective technique for FDI attack detection in IEC 61850 GOOSE communication without relying on manually engineered protocol features.