Anomaly-Based Detection of Cyberattacks on Line Current Differential Relays

Ahmad Mohammad Saber, Amr Youssef, Davor Svetinovic, Hatem H. Zeineldin, Ehab F. El-Saadany

Research output: Contribution to journalArticlepeer-review

13 Scopus citations


Currently, the architecture of Line Current Differential Relays (LCDRs) is designed to respond to internal faults on the protected line using local and remotely-communicated current measurements. However, this architecture cannot distinguish between real faults and cyber-induced attacks whose goal is to cause false tripping of the line protected by the LCDR. In this paper, we propose an Anomaly-Based Scheme (ABS) for detecting false-tripping attacks against LCDRs, in the form of relay attacks, replay attacks, general false-data-injection attacks, and time-synchronization attacks. The ABS employs the Isolation Forest algorithm, which is trained on features determined from local current measurements to confirm real faults and differentiate them from false-tripping attacks. No trip command will be issued unless the sensed fault is confirmed as a non-attack by the ABS. The performance of the proposed ABS is tested and validated using the IEEE 9-bus benchmark in PSCAD/EMTDC environment. Simulation results show that the proposed ABS: (i) can accurately detect different categories of cyberattacks, (ii) does not negatively impact the accuracy of the fault-detection function, and (iii) is robust to the change in the power system's operating point.

Original languageBritish English
Pages (from-to)4787-4800
Number of pages14
JournalIEEE Transactions on Smart Grid
Issue number6
StatePublished - 1 Nov 2022


  • Anomaly detection
  • cyber-physical security
  • isolation forest
  • line current differential relays
  • power systems
  • protection
  • smart grid


Dive into the research topics of 'Anomaly-Based Detection of Cyberattacks on Line Current Differential Relays'. Together they form a unique fingerprint.

Cite this