{"id":7245,"date":"2026-06-24T10:17:36","date_gmt":"2026-06-24T08:17:36","guid":{"rendered":"https:\/\/dbis.rwth-aachen.de\/dbis\/?p=7245"},"modified":"2026-06-24T10:17:38","modified_gmt":"2026-06-24T08:17:38","slug":"developing-an-explainable-anomaly-detection-system-forsmart-grids-by-incorporating-structural-and-operational-gridknowledge","status":"publish","type":"post","link":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/2026\/developing-an-explainable-anomaly-detection-system-forsmart-grids-by-incorporating-structural-and-operational-gridknowledge\/","title":{"rendered":"Developing an Explainable Anomaly Detection System forSmart Grids by Incorporating Structural and Operational GridKnowledge"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong>Thesis Type<\/strong><strong><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Master<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Student: <\/strong>Sebastian Miller<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Status<\/strong><strong><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In Progress<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Background<\/strong><strong><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Supervisory control and data acquisition (SCADA) systems are increasingly connected through information and communication technologies, exposing smart grids to cyberattacks and operational disruptions. Conventional signature-based intrusion detection systems (IDSs) reliably identify known attacks but cannot detect previously unseen patterns, while statistical and machine-learning-based IDSs may achieve high detection rates but often provide limited transparency and generate false positives. Moreover, both classes frequently struggle with process-related attacks in which individually legitimate commands are executed in an unusual sequence and only become harmful over time. In energy distribution grids, this limitation is particularly critical because operators must not only recognize an anomaly but also understand which component or operational action caused it. The IEC 60870-5-104 communication protocol, together with structural and operational knowledge represented in a Smart Grid Architecture Model (SGAM)-aligned knowledge graph, offers a basis for developing a process-aware and explainable detection approach.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Objectives<\/strong><strong><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The objective of this master&#8217;s thesis is to develop and evaluate an explainable, process-aware anomaly detection system for smart grids. The approach combines sequential pattern mining of IEC 60870-5-104 communication data with an RDF-based graph model of grid structure, device roles, communication relationships, and grid-operator actions. The system shall learn frequent sequences from normal operation, identify anomalous or rare sequences in attack scenarios, and use the knowledge graph to indicate likely affected devices and explain deviations from the expected control flow. A secondary objective is to create a reproducible dataset of normal and process-related attack scenarios and to compare the proposed approach with established process-state-aware IDSs through the IPAL framework.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Tasks<\/strong><strong><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The student first conducts a focused literature review on anomaly detection in SCADA and smart-grid environments, explainable intrusion detection, process-aware detection, sequential pattern mining, SGAM-based modeling, and IEC 60870-5-104 traffic analysis. Based on this review, the student derives a precise requirement specification covering the available input data, the required level of event abstraction, explainability criteria, supported attack classes, and evaluation metrics. In parallel, the student becomes familiar with the FIT smart-grid co-simulation environment and the existing SGAM-aligned RDF ontology. Selected grid-operator actions, such as state estimation, feed-in management, transformer tap switching, topology changes, and load shedding, are modeled or linked in the ontology so that expected operational sequences and participating device types can be queried.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The core technical work comprises the creation of simulation scenarios for normal operation and representative process-related attacks, the extraction of IEC 60870-5-104 communication data from PCAP files, and the semantic enrichment of the extracted records. The student maps sender addresses and Information Object Addresses to concrete devices and locations through SPARQL queries, removes redundant status reports, and defines a reproducible event-abstraction scheme for discrete and continuous process values. Based on these events, the student implements a sequential pattern mining method, with particular emphasis on rare sequential patterns, and develops logic for comparing anomalous sequences with frequent reference patterns. The resulting detector shall use graph knowledge to distinguish similar device types, relate events to operator actions, and generate an explanation that highlights deviations and likely affected components.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The approach is implemented as a documented prototype that accepts simulation data and a corresponding knowledge graph, generates event sequences, detects anomalies, and produces human-readable diagnostic output. For evaluation, the student creates a dataset containing training data from normal operation and test data with several attack scenarios. Using IPAL, the prototype is compared with selected process-state-aware IDSs such as PASAD, Seq2Seq-NN, or TABOR. Detection accuracy, false-positive behavior, robustness to different abstraction parameters, and computational effort are assessed quantitatively; the usefulness of the generated explanations and device-level localization is assessed qualitatively. All results are documented, including the ontology extensions, extraction and abstraction rules, algorithm specification, prototype architecture, dataset and scenario definitions, evaluation design, limitations, and recommendations for future online deployment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Prerequisites<\/strong><strong><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Basic knowledge of IT security, network protocols, and industrial control or SCADA systems; interest in smart grids and cyber-physical energy systems; programming skills, preferably in Python, for PCAP processing and data analysis; and willingness to work with graph-based data models, RDF\/SPARQL, and simulation environments. Experience with anomaly detection, pattern mining, IEC 60870-5-104, or semantic-web technologies is helpful but not required. The student should be able to work methodically, document technical decisions clearly, and evaluate a prototype using reproducible experiments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>References (MLA)<\/strong><strong><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CEN-CENELEC-ETSI Smart Grid Coordination Group. <em>Smart Grid Reference Architecture<\/em>. 2012.<\/li>\n\n\n\n<li>Rahman, A., et al. &#8220;Finding Anomalies in SCADA Logs Using Rare Sequential Pattern Mining.&#8221; <em>International Conference on Network and System Security<\/em>, Springer, 2016, pp. 499-506.<\/li>\n\n\n\n<li>Van Der Velde, D., \u00d6. Sen, and I. Hacker. &#8220;Towards a Scalable and Flexible Smart Grid Co-Simulation Environment to Investigate Communication Infrastructures for Resilient Distribution Grid Operation.&#8221; <em>2021 International Conference on Smart Energy Systems and Technologies (SEST)<\/em>, IEEE, 2021, pp. 1-6.<\/li>\n\n\n\n<li>Wolsing, K., et al. &#8220;IPAL: Breaking Up Silos of Protocol-Dependent and Domain-Specific Industrial Intrusion Detection Systems.&#8221; <em>Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses<\/em>, 2022, pp. 510-525.<\/li>\n\n\n\n<li>Lin, C.-Y., and S. Nadjm-Tehrani. &#8220;Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks.&#8221; <em>Proceedings of the 4th ACM Workshop on Cyber-Physical System Security<\/em>, 2018, pp. 51-60.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Thesis Type Master Student: Sebastian Miller Status In Progress Background Supervisory control and data acquisition (SCADA) systems are increasingly connected through information and communication technologies, exposing smart grids to cyberattacks and operational disruptions. Conventional signature-based intrusion detection systems (IDSs) reliably identify known attacks but cannot detect previously unseen patterns, while statistical and machine-learning-based IDSs may [&hellip;]<\/p>\n","protected":false},"author":59,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[21],"tags":[],"class_list":["post-7245","post","type-post","status-publish","format-standard","hentry","category-thesis"],"acf":[],"_links":{"self":[{"href":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/wp-json\/wp\/v2\/posts\/7245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/wp-json\/wp\/v2\/users\/59"}],"replies":[{"embeddable":true,"href":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/wp-json\/wp\/v2\/comments?post=7245"}],"version-history":[{"count":1,"href":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/wp-json\/wp\/v2\/posts\/7245\/revisions"}],"predecessor-version":[{"id":7246,"href":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/wp-json\/wp\/v2\/posts\/7245\/revisions\/7246"}],"wp:attachment":[{"href":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/wp-json\/wp\/v2\/media?parent=7245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/wp-json\/wp\/v2\/categories?post=7245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dbis.rwth-aachen.de\/dbis\/index.php\/wp-json\/wp\/v2\/tags?post=7245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}