Applying domain-specific knowledge to construct features for detecting distributed denial-of-service attacks on the GOOSE and MMS protocols.

Electric substation automation systems based on the IEC 61850 standard predominantly employ the GOOSE and MMS protocols. Because GOOSE and MMS messages are not encrypted, an attacker can observe packet header information in protocol messages and inject large numbers of spoofed messages that can flood a substation automation system. Sophisticated machine-learning-based intrusion detection systems are required to detect these types of distributed denial-of-service attacks. However, the performance of machine-learning-based classifiers is hindered by the relative lack of features that express GOOSE and MMS protocol behavior.