Proactive Detection of Cyber-Physical Grid Attacks: A Pre-Attack Phase Identification and Analysis Using Anomaly-Based Machine Learning Models

Abstract

Cyber-physical power systems (CPPS), such as smart grids, are increasingly vital to modern infrastructure but are also highly vulnerable to sophisticated cyber-attacks. Traditional security measures often detect these attacks only after significant damage has occurred, highlighting the need for proactive approaches that can identify potential threats before they fully manifest. This research presents a comprehensive investigation into the use of machine learning models for the early detection of cyber-attacks in a smart grid environment, with a particular focus on identifying pre-attack phases. We employed several unsupervised learning algorithms, including Isolation Forest, K-Means Clustering, DBSCAN, and One-Class SVM, to analyze a time series dataset that simulates normal operations and various attack scenarios. Among these models, Isolation Forest demonstrated superior performance, achieving an Area Under Curve (AUC) score of 1.0, accuracy of 100%, and a sensitivity of 100% in detecting anomalies. DBSCAN also performed well, with an AUC of 0.79 and accuracy of 97.3%, although it exhibited a slightly higher false positive rate compared to Isolation Forest. To detect pre-attack phases, we focused on the anomaly scores generated by the Isolation Forest model. By adjusting the sensitivity threshold, we identified periods of abnormal behavior that precede actual attacks. A threshold of 0.3 for anomaly scores provided a balanced detection, revealing multiple pre-attack phases while maintaining a low false positive rate. However, a higher threshold of 0.97, while reducing false positives, resulted in the detection of fewer pre-attack phases, indicating that the attacks may occur more abruptly without significant pre-attack indicators. These findings underscore the potential of machine learning models in enhancing the security of cyber-physical systems by not only detecting attacks but also providing early warnings through the identification of pre-attack phases. 
This proactive approach could significantly mitigate the impact of cyber-attacks on critical infrastructure, offering a valuable tool for cybersecurity professionals in safeguarding these systems.
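
The threshold step described in the abstract, as an added example that is not code from the paper: a minimal pure-Python isolation forest using the standard path-length score, followed by extraction of the above-threshold runs that precede a known attack start. The min-max score scale, the two features, the sample indices and the `TELEMETRY` values are assumptions constructed for illustration.

```python
import math
import random

def c(n):  # expected path length of an unsuccessful BST search over n points
    if n <= 2:
        return float(max(n - 1, 0))
    return 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n

def build(rows, depth, limit, rng):  # a leaf is just the number of rows it holds
    if depth >= limit or len(rows) <= 1:
        return len(rows)
    f = rng.randrange(len(rows[0]))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:
        return len(rows)
    s = rng.uniform(lo, hi)
    return (f, s, build([r for r in rows if r[f] < s], depth + 1, limit, rng),
            build([r for r in rows if r[f] >= s], depth + 1, limit, rng))

def path(x, node):
    depth = 0
    while isinstance(node, tuple):
        f, s, left, right = node
        node, depth = (left if x[f] < s else right), depth + 1
    return depth + c(node)

def anomaly_scores(rows, trees=100, sample=64, seed=7):
    """Scores min-max scaled to [0, 1], higher = more anomalous (assumed scale)."""
    rng = random.Random(seed)
    forest = [build(rng.sample(rows, sample), 0, math.ceil(math.log2(sample)), rng)
              for _ in range(trees)]
    raw = [2 ** (-sum(path(x, t) for t in forest) / (trees * c(sample))) for x in rows]
    lo, hi = min(raw), max(raw)
    return [(s - lo) / (hi - lo) for s in raw]

def pre_attack_phases(scores, threshold, attack_start):
    """(first, last) index of each run scoring >= threshold before the attack."""
    phases = []
    for i, s in enumerate(scores[:attack_start]):
        if s >= threshold and phases and phases[-1][1] == i - 1:
            phases[-1] = (phases[-1][0], i)
        elif s >= threshold:
            phases.append((i, i))
    return phases

_rng = random.Random(1)  # constructed (voltage p.u., packets/s) series, not real grid data
TELEMETRY = [(_rng.gauss(1.0, 0.01) - (0.2 if t >= 225 else 0),   # attack from t=225
              _rng.gauss(100, 5) + (40 if 150 <= t < 160 else 0) + (300 if t >= 225 else 0))
             for t in range(240)]                                  # probing at 150-159
```

Calling `pre_attack_phases(anomaly_scores(TELEMETRY), 0.3, 225)` and again with `0.97` shows the trade-off the abstract reports: every sample flagged at the stricter threshold is also flagged at the looser one, so raising the threshold can only shrink the set of reported pre-attack runs.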