Methodology for Management of the Protection System of Smart Power Supply Networks in the Context of Cyberattacks

Abstract

This paper examines an approach that allows one to build an efficient system for protecting the information resources of smart power supply networks from cyberattacks based on the use of graph models and artificial neural networks. The possibility of a joint application of graphs, describing the features for the functioning of the protection system of smart power supply networks, and artificial neural in order to predict and detect cyberattacks is considered. The novelty of the obtained results lies in the fact that, on the basis of experimental studies, a methodology for managing the protection system of smart power supply networks in conditions of cyberattacks is substantiated. It is based on the specification of the protection system by using flat graphs and implementing a neural network with long short-term memory, which makes it possible to predict with a high degree of accuracy and fairly quickly the impact of cyberattacks. The issues of software implementation of the proposed approach are considered. The experimental results obtained using the generated dataset confirm the efficiency of the developed methodology. It is shown that the proposed methodology demonstrates up to a 30% gain in time for detecting cyberattacks in comparison with known solutions. As a result, the survivability of the Self-monitoring, Analysis and Reporting technology (SMART) grid (SG) fragment under consideration increased from 0.62 to 0.95.

1. Introduction

The Self-monitoring, Analysis and Reporting technology (SMART) grid is a power grid technology that uses information and communication networks and technologies to collect information about energy production and energy consumption to automatically improve the efficiency, reliability, economic benefits, and the sustainability of electricity generation and distribution [1,2,3,4,5,6,7,8,9].

The SMART grid has the following features:

• Application of open information and communication networks, protocols and technologies for collecting information on energy production and energy consumption;
• Active bidirectional scheme of interaction in real time of the information exchange between all elements and participants of the network (from power generators to terminal devices of power consumers);
• Coverage of the entire technological chain of the electric power system from energy producers and power distribution networks to the end consumers;
• Constant exchange between the network elements of information about the parameters of electrical energy, modes of consumption and generation, the amount of energy consumed and planned consumption, and commercial information [1].

On the one hand, the use of the SMART grid makes it possible to reduce the cost of the electrical network, solve the problem of technological limitation of electricity when consumed near peak capacities, use a large number of renewable energy sources, and also switch from a centralized topology of the electrical network to a highly distributed topology.

On the other hand, the pace at which the modern field of open information and communication networks, protocols, and technologies is developing exposes the world community to a number of unprecedented threats and vulnerabilities. At the same time, the greatest danger is caused by cyberattacks.

In the past few years, a characteristic trend of our time has been an increase in the number of cyberattacks on critical information infrastructure (CII) and strategic industrial facilities, which can lead to the disabling by attackers of systems that support human life and the emergence of global man-made disasters. The main element of CII is an integrated telecommunication network, including SMART grid (SG) power supply systems, in which controlled objects should allow remote control, and systems for assessing the situation and emergency automation should reduce excessive requirements for the reserves of power and information capacities [2].

The effects of computer attacks, first of all, are aimed at disrupting the performance of the SG protection tools that are combined with a unified management and monitoring system. However, in this system, it is possible to distinguish the following negative features. First, it requires one to have socket specialists who are usually not enough. Secondly, specialists are not able to process all the incoming threat messages during the working day. Finally, energy companies use a large number of various means of protecting information and communications, which are not always conjugated with each other. Considering that information security specialists need to analyze thousands of events daily, the task of viewing and filtering such a number of data, as well as managing the protection tools can be solved only by applying the automation tools. For the continuous monitoring of the state of geographically distributed defense means and the implementation of proactive measures to neutralize cyberattacks, it is necessary to take into account the peculiarities of the SG functioning, the interaction of defense means, the indicators characterizing the effectiveness of its work, and the constantly changing ways of implementing cyberattacks. All this gave rise to the search for new methods of managing the SG protection system in the context of cyberattacks [3,10,11,12,13].

Considering that the behavior of the SG protection system in the context of cyberattacks can be represented as a sequence of random events with a finite or countable number of outcomes, it can be assumed that well-tested Markov chains can be used to describe it. However, the Markov process mechanisms lose their meaning when analyzing complex, multifaceted systems, such as the SG protection system, in which processes can proceed not only sequentially, but also contain events independent of each other.

In this work, in order to study the SG protection system as the system in an antagonistic confrontation (the cyberattacks versus the protection system), we will apply the method of constructing models using flat, or plane, graphs. A flat (planar) graph is a graph that can be included in a plane; that is, it can be drawn on a plane in such a way that its edges intersect only at their endpoints. Flat graphs are widely used as probabilistic automata in modeling structures such as simple cycles, trees, forests, etc.

The results of the modeling of information processes in the SG technological data transmission networks (TDTN) using flat graphs are then used in our methodology for the substantiation and implementation of the architecture of the SG protection system (PS) based on its capabilities to identify and further predict cyberattack impacts.

The analysis showed that one of the most efficient prediction methods is the usage of artificial neural networks with long short-term memory (LSTM). The property of recurrence allows an artificial neural network (ANN) to “refer” to the results of its work in the past and fulfill a predictive analysis. However, the efficiency of LSTM operation largely depends on the quality of the formation of the features and the context of datasets used for the LSNM network learning. For complex systems such as the SG PS, the formation of training datasets very often becomes a very hard problem, making it difficult to use LSNM networks or significantly reducing the effect of their use. It should be noted that the use of open access test datasets for training LSNM networks does not solve this problem, since the computer networks on which the test datasets are formed, as a rule, do not take into account the specifics of TDTN in the SG.

Thus, we can say that the methodology proposed in the paper is aimed at solving the scientific problem of increasing the efficiency of detecting and predicting computer attacks in SG TDTN using LSTM networks by improving the quality of the formation of training datasets based on SG modeling using flat graphs.

Solving this problem requires overcoming a number of current challenges, among which are the following:

• Flat graph-based development and implementation of the formal models, which provide the specifications necessary for constructing a LSTM network and training and testing datasets, i.e., the information resource model, the security threat model, and the PS functioning model;
• Selection and justification of hyperparameters necessary to construct the LSTM network;
• Development of an approach to generate datasets with TDTN information content necessary for training and testing LSTM networks;
• Integration of the developed approaches according to the required criteria into a unified methodology of the SG PS management in the context of cyberattacks.

To overcome the above challenges, the methods of graph theory, probability theory, and machine learning, including deep learning and others, were used. The fairness of the models and approaches developed on their basis was verified as a result of their practical implementation and experiments, for which modern proven software technologies (frameworks and libraries) were used. The results of the experiments have shown that more efficient approaches are needed to provide proactive SG protection.

Therefore, the main contribution of the paper, demonstrating the range of possible applications of flat graphs for describing the features of functioning of the SG protection system under the influence of cyberattacks, as well as LSTM neural networks for making effective management decisions on the implementation of proactive SG protection, is undoubtedly relevant.

In addition, the contribution of the paper is as follows:

• Structures of long-term dependencies in the SG traffic, which allow for revealing its characteristic features in the interests of the early detection of cyberattacks;
• A new approach to cyberattack detection based on the use of flat graphs and LSTM neural networks;
• A software tool that implements the proposed approach;
• A dataset with SG traffic containing anomalies from the impact of cyberattacks;
• An experimental evaluation of the proposed approach.

The novelty of the obtained results lies in the fact that, on the basis of experimental studies, a methodology for managing the SG protection system in conditions of cyberattacks is substantiated. It is based on the specification of the SG protection system by using flat graphs and implementing a neural network with long short-term memory. Such results make it possible to predict with a high degree of accuracy and fairly quickly the impact of cyberattacks, on which the basis of the proactive protection measures can be developed. This is a significant advantage of the proposed method.

The further structure of the paper is as follows. Section 2 reviews related works on the research topic. Section 3 describes the theoretical foundations of the proposed methodology for the management of the SG protection system, based on modeling the protection system and predicting the impact of cyberattacks. Section 4 presents the implementation issues of the proposed methodology. Section 5 outlines the experimental results and its comparative evaluation. Section 6 contains conclusions and further research directions.

2. Related Work

In international practice, the abbreviation SMART stands for “Self-Monitoring, Analysis and Reporting Technology”, i.e., the technology that implies the independent monitoring, analysis and transmission of monitoring results, and network resource management. Typically, the SMART grid refers to the hardware and software architecture that contributes to the efficiency of energy management. Along with the SG, the concepts of the Modern grid, Wise grid, Future grid, Empowered grid, and Intelligrid are used [4,5,6,7]. Sometimes SG systems are called “smart”, “intelligent” or “adaptive-active” power supply systems [8,9].

Security threats of the SG power supply are included in the five most probable risks (together with the risks of epidemics, critical weather conditions, financial collapses, and extreme natural disasters) and in the list of the six most critical factors in terms of possible damage (together with the risks of using weapons of mass destruction, natural disasters, weather anomalies, and the lack of drinking water). That is why the security of SG management [10,11,12,13] is one of the priority directions for development of the energy complex all over the world, as it is critical for their effective functioning.

All of the SG security threats can be characterized by two parameters: firstly, the likelihood of the threat being realized, and, secondly, the potential damage to the energy company (organization, enterprise). Usage of these parameters to select a model of the threats to SG resources allows one to find the “golden mean” when building a protection system, choose network management techniques, and make decisions to minimize risks. Today, there are a huge number of diverse and very common methods for managing SG security systems, which in turn are divided into three main groups.

The first group [14,15,16,17,18] summarizes the methods based on quantitative indicators and criteria. The measure of ranking of the threat models (criterion) is the permissible level of possible damage from information and technical impact on SG resources and the assessment of the profit factor from investments in protective measures. Quantitative methodologies follow the requirements of ISO 27001 and 27002, NIST, and COBIT IV. Although these methodologies take into account a predetermined risk appetite, they do not consider the variability of the SG defense system design. In addition, the disadvantages of these techniques include the complexity of their implementation and the high level of labor costs. The complexity of quantitative methods also lies in the fact that the decision taken for each potential threat must be taken into account in the strategy for eliminating the consequences of a cyberattack [19]. For example, in [20], the quantitative ranking of risks for the SG is taken into account. However, the method of managing the security system through a cloud computing service considered in this work is of interest. Nonetheless, this technique contains a number of negative factors associated with the problems of cloud resources.

The second group of techniques [21,22,23,24] consists of qualitative techniques. The methodologies of this group take into account the security threats to SG resources by quality criterion. Qualitative methods boil down to finding an optimal solution, a balance between the costs of building a protection system and the resulting effect (cost/benefit analysis), i.e., the quality of the protection system. As a rule, the methods use the mathematical apparatus of game theory (matrix games). The disadvantages of qualitative methods include the high complexity of calculating the results of a risk analysis for the financial justification of the feasibility of investing in the implementation of the SG protection system according to one or another threat model, as well as the insufficient visibility of the results of qualitative methods. Techniques using qualitative criteria are similar in nature to the facilitated risk analysis process (FRAP) technique [25,26].

The third approach [27,28,29,30,31] is a combined (mixed) one. It combines the approaches used in both the first and the second groups of techniques. Most often, combined techniques are used in small energy companies. The weaknesses of this group of methods are insufficient analytical data on the predicted damage of the cyberattack impact, as well as the use of a minimum set of factors in risk assessment.

Thus, in [32,33,34,35], a structured approach to assessing the model of threats to the SG information and telecommunications resources, namely CRAMM (Risk Analysis and Management Method from Central Computer and Telecommunication Agency) and MEHARI (MEthod for Harmonized Analysis of Risk) methods, are presented, an integrated representation of the information security threat parameters is employed, but the peculiarities of building the SG protection system are practically not considered.

The information security management methodology of Microsoft Security Assessment Tool (MSAT) [34,36] is interesting not only for its threat model ranking system, but also for the implementation of the information security threat decision-making system and for assessing the effectiveness of the measures taken. However, it is usually implemented on local SG power grids. The MSAT system is based on the Risk Management Manual [23]. It performs the following functions: (1) risk assessment; (2) decision support; (3) implementation of control; and (4) evaluation of the effectiveness of the program. This application (app) is targeted at companies with less than 1000 employees and is designed to help one better understand the potential information security issues.

All of the above approaches to the management of SG protection systems are either based on a deep analysis of the potential risks (probable damage), or a selectively ranked construction of the SG PS. Therefore, we propose an architecture-oriented approach to managing the SG security system that goes beyond the abstract representation and dispenses with the technical details.

Our approach covers the identification and assessment of threats to the impact of cyberattacks, modeling the PS architecture, situational PS management based on a neural network algorithm with long short-term memory, as well as reducing the risks and assessing the effectiveness of the predictions and countermeasures taken. At the end of the paper, we will take a closer look at the proposed active security solutions for SMART grids and their implementation.

3. Theoretical Foundations of the Methodology for Management of the SG Protection System

Many works, for example [37,38], are devoted to the theoretical foundations of the theory of planar (flat) graphs. Therefore, let us consider in more detail their application for building the model of the SG protection system functioning. This model, in turn, includes three models: the model of protected information resources, the cyberattack threat model, and the model of functioning of the SG TDTN protection system.

3.1. Model of Protected Information Resources of SG

The components of the SG TDTN, which contain protected information resources (PIR), are services and software and hardware systems that implement logically complete functionality of the SG TDTN. Information security threats are unique to each element of the system. However, each component of the TDTN must comply with the security policy requirements.

To create a model, we construct an N-root graph ${\mathrm{GT}}_{\mathrm{i}}$, which reflects the PIR of the TDTN (Figure 1). The top of the ${\mathrm{GT}}_{\mathrm{i}}$ graph reflects the main goal of the information and technical impact of an adversary’s cyberattack. By the term “adversary” we mean an attacker (or an organized group of attackers) whose purpose is to disrupt the effective functioning of the SG as a critical infrastructure object that affects the life of society.

The nodes $\left\{{\mathrm{ST}}_{\mathrm{i}.\mathrm{jg}}\right\}$ of the graph ${\mathrm{GT}}_{\mathrm{i}}$ represent the secondary goals (subgoals) of the impact of cyberattacks, and the arcs $\left\{{\mathrm{a}}_{\mathrm{i}.\mathrm{j}}\right\}$ reflect the significance of these subgoals. The subgoals are grouped into groups $\left\{{\mathrm{GT}}_{\mathrm{ij}}\right\}$, which are subgraphs of the graph ${\mathrm{G}}_{\mathrm{i}}$.

The groups disclose one of the aspects of information security (confidentiality ${\mathrm{GT}}_{\mathrm{i}1}$, integrity ${\mathrm{GT}}_{\mathrm{i}2}$, and availability ${\mathrm{GT}}_{\mathrm{i}3}$ of the information), as well as the required parameters of the telecommunications component of the TDTN (intelligence security ${\mathrm{GT}}_{\mathrm{i}4}$, sustainability ${\mathrm{GT}}_{\mathrm{i}5}$, and the TDTN throughput ${\mathrm{GT}}_{\mathrm{i}6}$) that is to be protected. ${\mathrm{GT}}_{\mathrm{i}5}$ can be decomposed into four more oriented subgraph chains characterizing “Noise immunity”, “Reliability”, “Vitality”, and “Cyber resilience” of the TDTN (Figure 2).

In the works [39,40], the mutual influence of noise immunity, survivability, reliability, and cyber-stability of the information resources of technological data transmission networks is described in some detail. Showing that the individual properties of technical systems can be considered together, within the framework of the concept of technical stability, using unified fuzzy logic descriptions, the authors place special emphasis on the complex influence of the balance of all four components ${\mathrm{S}}_1,{ \mathrm{S}}_2,{ \mathrm{S}}_3{ \mathrm{и} \mathrm{S}}_4.$ Let us describe the subgraphs $\left\{{\mathrm{GT}}_{\mathrm{ij}}\right\}$ with the following expressions:

(1)

Confidentiality of information

$${\mathrm{GT}}_{\mathrm{i}1}=\left({\mathrm{GT}}_{\mathrm{i}},{\mathrm{ST}}_{1.1\mathrm{g}},{\mathrm{ST}}_{1.2\mathrm{g}},{\mathrm{ST}}_{1.3\mathrm{g}},{\mathrm{ST}}_{1.4\mathrm{g}},{\mathrm{a}}_{1.1},{\mathrm{a}}_{1.2},{\mathrm{a}}_{1.3},{\mathrm{a}}_{1.4}\right);$$

(1)

(2)

Integrity of information

$${\mathrm{GT}}_{\mathrm{i}2}=\left({\mathrm{GT}}_{\mathrm{i}},{\mathrm{ST}}_{2 .1\mathrm{g}},{\mathrm{ST}}_{2.2\mathrm{g}},{\mathrm{ST}}_{2.3\mathrm{g}},{\mathrm{ST}}_{2.4\mathrm{g}},{\mathrm{a}}_{2.1},{\mathrm{a}}_{2.2},{\mathrm{a}}_{2.3},{\mathrm{a}}_{2.4}\right);$$

(2)

(3)

Availability of information

$${\mathrm{GT}}_{\mathrm{i}3}=\left({\mathrm{GT}}_{\mathrm{i}},{\mathrm{ST}}_{3.1\mathrm{g}},{\mathrm{ST}}_{3.2\mathrm{g}},{\mathrm{ST}}_{3.3\mathrm{g}},{\mathrm{ST}}_{3.4\mathrm{g}},{\mathrm{a}}_{3.1},{\mathrm{a}}_{3.2},{\mathrm{a}}_{3.3},{\mathrm{a}}_{3.4}\right);$$

(3)

(4)

TDTN intelligence security

$${\mathrm{GT}}_{\mathrm{i}4}=\left({\mathrm{GT}}_{\mathrm{i}},{\mathrm{ST}}_{4.1\mathrm{g}},{\mathrm{ST}}_{4.2\mathrm{g}},{\mathrm{ST}}_{4.3\mathrm{g}},{\mathrm{ST}}_{4.4\mathrm{g}},{\mathrm{a}}_{4.1},{\mathrm{a}}_{4.2},{\mathrm{a}}_{4.3},{\mathrm{a}}_{4.4}\right);$$

(4)

(5)

TDTN sustainability

$${\mathrm{GT}}_{\mathrm{i}5}=\left({\mathrm{GT}}_{\mathrm{i}},{\mathrm{ST}}_{5.1\mathrm{g}},{\mathrm{ST}}_{5.2\mathrm{g}},{\mathrm{ST}}_{5.3\mathrm{g}},{\mathrm{ST}}_{5.4\mathrm{g}},{\mathrm{a}}_{5.1},{\mathrm{a}}_{5.2},{\mathrm{a}}_{5.3},{\mathrm{a}}_{5.4}\right);$$

(5)

(6)

TDTN throughput

$${\mathrm{GT}}_{\mathrm{i}6}=\left({\mathrm{GT}}_{\mathrm{i}},{\mathrm{ST}}_{6.1\mathrm{g}},{\mathrm{ST}}_{6.2\mathrm{g}},{\mathrm{ST}}_{6.3\mathrm{g}},{\mathrm{ST}}_{6.4\mathrm{g}},{\mathrm{a}}_{6.1},{\mathrm{a}}_{6.2},{\mathrm{a}}_{6.3},{\mathrm{a}}_{6.4}\right).$$

(6)

In Figure 1, the dotted line delineates the protected information and telecommunication resources. However, this distinction is conditional. In real TDTN, it is rather difficult to separate the rigidly interconnected components of information and telecommunications security.

Each of the directed subgraphs $\left\{{\mathrm{GT}}_{\mathrm{ij}}\right\}$ included in the graph ${\mathrm{GT}}_{\mathrm{i}}$ comprises levels that characterize the assets directly related to the protected resource. We will take into account the following levels:

• Disruption to the functioning of the TDTN (${\mathrm{ST}}_{1.1\mathrm{g}},{ \mathrm{ST}}_{2.1\mathrm{g}},{ \mathrm{ST}}_{3.1\mathrm{g}},{ \mathrm{ST}}_{4.1\mathrm{g}},{ \mathrm{ST}}_{5.1\mathrm{g}},{ \mathrm{ST}}_{6.1\mathrm{g}})$;
• Hardware resource of the TDTN (${\mathrm{ST}}_{1.2\mathrm{g}},{ \mathrm{ST}}_{2.2\mathrm{g}},{ \mathrm{ST}}_{3.2\mathrm{g}},{ \mathrm{ST}}_{4.2\mathrm{g}},{ \mathrm{ST}}_{5.2\mathrm{g}},{ \mathrm{ST}}_{6.1\mathrm{g}})$;
• Software resource of the TDTN (${\mathrm{ST}}_{1.3\mathrm{g}},{ \mathrm{ST}}_{2.3\mathrm{g}},{ \mathrm{ST}}_{3.3\mathrm{g}},{ \mathrm{ST}}_{4.3\mathrm{g}},{ \mathrm{ST}}_{5.3\mathrm{g}},{ \mathrm{ST}}_{6.1\mathrm{g}})$;
• Protected information and telecommunications resource of the TDTN (${\mathrm{ST}}_{1.4\mathrm{g}},{ \mathrm{ST}}_{2.4\mathrm{g}},{ \mathrm{ST}}_{3.4\mathrm{g}},{ \mathrm{ST}}_{4.4\mathrm{g}},{ \mathrm{ST}}_{5.4\mathrm{g}},{ \mathrm{ST}}_{6.4\mathrm{g}})$.

Having determined the specific weight of each of the vertices of the subgraphs ${\mathrm{GT}}_{\mathrm{i}1}, \dots ,{ \mathrm{GT}}_{\mathrm{i}6}$, as well as the price of each of their arcs, we obtain a weighted N-root planar graph for which we can determine the reachability matrix of each vertex of the subgraphs (${\mathrm{ST}}_{\mathrm{i}.1\mathrm{g}},{ \mathrm{ST}}_{\mathrm{i}.2\mathrm{g}}, \dots ,{ \mathrm{ST}}_{\mathrm{i}.\mathrm{ng}}$).

By the terms “specific weight” we mean the importance of a particular protected information and telecommunications resource of the TDTN when choosing a defensive strategy or information security policy. Thus, the specific weight of the vertex to which the path ${\mathsf{\mu }}_1$ leads is calculated as follows:

$${\mathrm{L}}_{\left[\mathsf{\mu }1\right]}={\displaystyle \sum }_{{\mathrm{a}}_{\mathrm{i}.\mathrm{j}}\in {\mathsf{\mu }}_1}{\mathrm{A}}_{\mathrm{ij}},$$

(7)

where ${\mathrm{A}}_{\mathrm{ij}}$ is the weight of the arc ${\mathrm{a}}_{\mathrm{i}.\mathrm{j}}$, belonging to the path ${\mathsf{\mu }}_1$.

3.2. Cyberattack Threat Model

A cyberattack is a planned deliberate impact on the protected information resource, information infrastructure, technical means, or programs that solve the problem of receiving, transmitting, processing, storing, and reproducing protected information in order to cause characteristic functional or structural changes [39].

Targeted or structural changes in the critical infrastructure objects targeted by the cyberattack are to reduce the level of information and telecommunications security of the SG TDTN.

Let us represent the set of possible options for the implementation of the effects of a cyberattack on the TDTN in the form of a concatenation of the graph $\mathrm{M}$ (set of cyberattacks) and the graph $\mathrm{R}$ (set of PIRs), as shown in Figure 3.

Let us represent $M=\left\{m_k,k=1,2\dots ,K\right\}$ in the form of a set of possible options for the implementation of information influences on the TDTN. Let us introduce into consideration $\mathsf{\beta }=\left\{b_n,n=1,2\dots ,N\right\}$ is the set of private scalar indicators of the effectiveness of cyberattacks on the TDTN, for which the normalization condition is valid.

$${\displaystyle \sum _{\mathrm{n}=1}^{\mathrm{N}}{\mathrm{b}}_{\mathrm{n}}}=1,$$

(8)

where n is the private indicator identifier.

Let us denote ${\mathrm{M}}^{\ast }=\left\{m_{k1}\Rightarrow m_{k2}\Rightarrow \dots \Rightarrow m_{k\forall }\right\}$ as a subset of the preferred options for choosing an attacker’s impact strategy, ordered by efficiency, where ∀ is the number of preferred options for implementing a cyberattack. A subset ${\mathrm{M}}^{\ast }$ is defined using the following expression:

$$(\mathrm{M},\mathrm{A},\mathrm{C},\mathrm{E},\mathrm{P},\mathrm{Q},\mathsf{\beta }\}\underset{\mathsf{\phi }}{\to }{\mathrm{M}}^{\ast },$$

(9)

where $\mathsf{\phi }$ is the rule of choosing the subset ${\mathrm{M}}^{\ast }$ from the set $\mathrm{M}$, using the indicator $\mathsf{\beta }$ (optimality criterion).

In the context diagram presented in Figure 3, the vertex $\mathrm{M}$ is composed of vectors of the information and technical impact $\left(\mathrm{E}, \mathrm{Q}, \mathrm{C}\right)$, as well as the information and psychological $\left(\mathrm{A},\mathrm{P}\right)$ impact on the TDTN. Here $\mathrm{E}$ is the vector of the set of indicators of software and technical espionage (intelligence) in relation to the TDTN and protected resources, $\mathrm{Q}$ is the vector of the set of indicators of passive (providing) cyberattacks, $\mathrm{C}$ is the vector of the set of indicators of active cyberattacks on the TDTN resources (destruction, manipulation, blocking, substitution, and so on), $\mathrm{A}$ is the vector of the set of indicators of information tools and methods of influencing the personnel of the TDTN, and $\mathrm{P}$ is the vector of the set of indicators of the psychotronic and cognitive impact on the personnel of the TDTN. In the future, we will not consider the information-psychological impacts (vectors $\mathrm{A}$ and $\mathrm{P}$), taking into account that for the SG this area of impacts refers to the limitations.

Let us represent the threat model for the implementation of cyberattacks in the form of a directed graph $\mathrm{M}$, as shown in Figure 4.

The state of the graph $\mathrm{M}$ is described by the expression

$$\mathrm{M}=\left({\mathrm{M}}_{1\mathrm{j}},{\mathrm{M}}_{1.1\mathrm{j}},{\mathrm{M}}_{1.2\mathrm{j}},{\mathrm{M}}_{1.3\mathrm{j}},{\mathrm{M}}_{1.4\mathrm{j}},{\mathrm{M}}_{1.5\mathrm{j}},{\mathrm{b}}_{1.1},{\mathrm{b}}_{1.2},{\mathrm{b}}_{1.3},{\mathrm{b}}_{1.4},{\mathrm{b}}_{1.5}\right).$$

(10)

We will also use the following expression for shorthand:

$$\mathrm{M}=\left({\mathrm{M}}_{\mathrm{ij}},{\mathrm{B}}_{\mathrm{i}.\mathrm{j}}\right).$$

(11)

In the graph $\mathrm{M}$, the vertices ${\mathrm{M}}_{1.1\mathrm{j}}$ is the object of the threat impact (element of the TDTN); ${\mathrm{M}}_{1.2\mathrm{j}}$ is a protected TDCT resource; ${\mathrm{M}}_{1.3\mathrm{j}}$ is a cyberattack implementation; ${\mathrm{M}}_{1.4\mathrm{j}}$ is a violation of the information security indicators; ${\mathrm{M}}_{1.5\mathrm{j}}$ is a violation of the information and technical characteristics of the TDTN.

Let us consider in more detail the components of the “Threats” graph. The top of the graph ${\mathrm{M}}_{1\mathrm{j}}$ represents a set of threats influenced by the impact of cyberattacks. A variant of the classifier of the vertex ${\mathrm{M}}_{1\mathrm{j}}$ is shown in

Table 1. Classifier of the model of threats.

Intelligence Service	Penetration	Attack	Anchoring
${\mathrm{M}}_{1.1}$—vulnerability detection	${\mathrm{M}}_{1.4}$—activation of hidden malicious code (backdoor)	${\mathrm{M}}_{1.6}$—implementation of undeclared software capabilities	${\mathrm{M}}_{1.9}$—duplication and distribution of malware in the system
${\mathrm{M}}_{1.2}$—system analysis	${\mathrm{M}}_{1.5}$—exploitation of a vulnerability	${\mathrm{M}}_{1.7}$—copying PIRs	${\mathrm{M}}_{1.10}$—masking (hiding) malware in the operating system
${\mathrm{M}}_{1.3}$—exfiltration		${\mathrm{M}}_{1.8}$—destruction (substitution) of the PIRs

.

By detailing this classifier, we will break down each of the stages of a computer attack into implementation options. So, when scouting the ports of the router’s network services (${\mathrm{M}}_{1.1}$), the following actions are used: scanning network services (${\mathrm{M}}_{\mathrm{1.1.1}}$), discovering peripheral devices (${\mathrm{M}}_{\mathrm{1.1.2}}$), discovering network configuration parameters (${\mathrm{M}}_{\mathrm{1.1.3}}$), and so on.

The classifiers of the components of the TDTN threat graph are represented by an undirected flat subgraph ${\mathrm{M}}_2$. Thus, the formal model of threats (Figure 5) consists of a direct compositional sum ($\oplus$) of the graphs ${\mathrm{M}}_1$ (directly the threat) and ${\mathrm{M}}_2$ (classifiers of the components of the graph ${\mathrm{M}}_1$), defined by the following expression:

$${\mathrm{Г}}_{\mathrm{M}}={\mathrm{M}}_1\oplus { \mathrm{M}}_2.$$

(12)

The vertices (classifiers) of the subgraph ${\mathrm{M}}_2$ are united by the edge ${\mathrm{b}}_{2.6}$, which means the characteristic dependence of the classifiers from each other. For example, the component of the classifier ${\mathrm{M}}_{2.5\mathrm{tx}}$ “TDTN throughput” has both forward and reverse connectivity with the component ${\mathrm{M}}_{2.1\mathrm{tx}}$ “border router of the open segment of the TDTN”.

3.3. Protection System Model of the SG TDTN

The protection system model shown in Figure 6 is a kind of barrier between the graphs $\mathrm{M}$ and $\mathrm{GT}$.

In this model, three directed graphs can be distinguished: ${\mathrm{I}}_{\mathrm{M}}$, ${\mathrm{T}}_{\mathrm{i}}$, and ${\mathrm{C}}_{\mathrm{k}}$. Digraph ${\mathrm{I}}_{\mathrm{M}}$ consists of the following nodes: ${\mathrm{I}}_{\mathrm{M}}$—threat identifier; ${\mathrm{I}}_{1\mathrm{m}}$—target of the cyberattack; ${\mathrm{I}}_{2\mathrm{m}}$—channels of influence of the cyberattack; ${\mathrm{I}}_{3\mathrm{m}}$—requirements for the elements of the TDTN protection system; ${\mathrm{I}}_{4\mathrm{m}}$—protection system architecture; ${\mathrm{I}}_{5\mathrm{m}}$—coefficient of efficiency of the TDTN protection means.

The digraph ${\mathrm{T}}_{\mathrm{i}}$ contains, as the vertices, the efficiency coefficients of the TDTN protection means for each protected resource. The digraph ${\mathrm{C}}_{\mathrm{k}}$ contains the channels of the threat’s impact.

The possible channels of threats of the impact of the cyberattack on the resources of the SG TDTN are represented in Figure 7. The protection system model takes into account the following threat channels: physical, program, organizational, technical, and social.

Besides the subgraphs ${\mathrm{T}}_{\mathrm{i}}$ and ${\mathrm{C}}_{\mathrm{k}}$, in the formal threat model, there is a bipartite subgraph ${\mathrm{D}}_{\mathrm{g}}$, which, with its vertices $\left\{{\mathrm{D}}_{\mathrm{x}5\mathrm{g}}\right\}$, characterizes the requirements for the protection means of each PIR, and, with the vertices $\left\{{\mathrm{D}}_{\mathrm{x}5\mathrm{gi}}\right\}$, denotes the chosen defense strategy that excludes the threat (Figure 8).

Thus, the formal model of the protection system not only constitutes a lexicological scheme with the digraph protected resources, but also contains a matrix of requirements for each individual asset protection tool [2,40].

3.4. Model of Functioning of the SG Protection System

Thus, in the model of functioning of the SG protection system, there are three digraph models: a threat model, a protection system model, and a protected information and telecommunication resource model.

The relationship of these digraphs is expressed by the concatenations

$$\mathrm{M}⊢{\mathrm{I}}_{\mathrm{M}}⊢\mathrm{GT}.$$

(13)

The concatenation operation means that there is only one arc that connects one vertex of each graph $\mathrm{M}$, ${\mathrm{I}}_{\mathrm{M}}$, and $\mathrm{GT}$ to each other (Figure 9).

As seen from Figure 9, subgraphs ${\mathrm{D}}_{\mathrm{g}}$, ${\mathrm{C}}_{\mathrm{xk}}$, ${\mathrm{T}}_{\mathrm{xi}}$, and ${\mathrm{M}}_2$ are connected by compositions with their generating digraphs.

Thus, the model of functioning of the SG protection system can be represented by the following expression:

$$\left({\mathrm{M}}_1\oplus {\mathrm{M}}_2\right) ⊢\{({\mathrm{I}}_{\mathrm{M}}\oplus {\mathrm{C}}_{\mathrm{xk}})\left({\mathrm{I}}_{\mathrm{M}}\oplus {\mathrm{T}}_{\mathrm{xi}}\right)\}⊢\mathrm{GT}\perp \left({\mathrm{I}}_{\mathrm{M}}\oplus \mathrm{GT}\oplus { \mathrm{D}}_{\mathrm{g}}\right).$$

(14)

From Expression (14) it can be seen that ${\mathrm{I}}_{\mathrm{M}}$ is a transit graph with respect to the graph $\mathrm{M}$.

Thus, the model of the functioning of the SG protection system is developed as a model of functioning of complex opposing systems. Modeling is focused on solving the problem of distributing a heterogeneous resource among interdependent elements.

The model makes it possible to obtain qualitative assessments of the threat parameters and automate the assessment process, as well as dynamically recalculate the results obtained when the external environment or individual components and systems of the SG TDTN change.

3.5. A Technique for Using a LSTM Neural Network for Early Detection of Cyberattacks

LSTM neural networks are a subtype of the more general recurrent neural networks (RNNs). The main area of RNN usage as a deep learning model is applications with time series and sequential data [41]. LSTM neural networks extend the capabilities of traditional RNNs. They are highly effective in solving problems of classification and the forecasting of time series in conditions of a priori uncertainty of the boundaries of time intervals between events [42]. As a result, LSTM networks are successfully used in many areas related to anomaly detection, in particular, in speech recognition and generation [43,44,45], text document processing [46], intrusion detection [47], etc. Therefore, the idea of using LSTM networks is key in our work.

The key feature of the LSTM networks, such as RNNs as a whole, is their ability to store information or state of a cell for further use in the network (Figure 10).

This makes them especially suitable for analyzing temporal data that changes over time. LSTM networks are used for tasks such as speech recognition, text translation, and in this case, for network anomaly detection.

LSTM can remove information from the cell state. This process is governed by structures called gates. Filters allow information to pass through based on certain conditions. They consist of a sigmoidal neural network layer and a pointwise multiplication operation. The sigmoid layer returns numbers from zero to one that indicate how much of each block of information should be passed down the network. Zero in this case means “do not miss anything”, one means “pass everything”.

Let us consider the LSTM cell operation algorithm step by step:

• The information that can be removed from the cell state is determined. This decision is made by a sigmoidal layer called “the forget gate layer”. It counts ${\mathrm{h}}_{\mathrm{t}-1}$ and ${\mathrm{x}}_{\mathrm{t}}$ and returns a number between 0 and 1 for each value from the cell state. As such, “1” means “keep completely” and “0” means “discard completely”. The calculation is made according to the following formula: ${\mathrm{f}}_{\mathrm{t}}=\mathsf{\sigma }\left({\mathrm{W}}_{\mathrm{i}}\cdot \left[{\mathrm{h}}_{\mathrm{t}-1},{\mathrm{x}}_{\mathrm{t}}\right]+{\mathrm{b}}_{\mathrm{f}}\right)$, where ${\mathrm{f}}_{\mathrm{t}}$—output for forget gate layer, $\mathsf{\sigma }$—sigmoidal transfer function, ${\mathrm{W}}_{\mathrm{i}}$—weight for input layer gate, $\left[{\mathrm{h}}_{\mathrm{t}-1},{\mathrm{x}}_{\mathrm{t}}\right]$—set-theoretic union operation ${\mathrm{h}}_{\mathrm{t}-1}$ and ${\mathrm{x}}_{\mathrm{t}}$, ${\mathrm{b}}_{\mathrm{f}}$—offset for forget gate layer.
• A decision is made about what new information will be stored in the cell state. This stage has two parts.
  • First, a sigmoidal layer called ”the input layer gate” determines which values to update: ${\mathrm{i}}_{\mathrm{t}}=\mathsf{\sigma }\left({\mathrm{W}}_{\mathrm{i}}\cdot \left[{\mathrm{h}}_{\mathrm{t}-1},{\mathrm{x}}_{\mathrm{t}}\right]+{\mathrm{b}}_{\mathrm{i}}\right)$, where ${\mathrm{i}}_{\mathrm{t}}$—output for input gate layer, ${\mathrm{b}}_{\mathrm{i}}$—offset for input gate layer.
  • Then the tanh layer builds a vector of new candidate values ${\tilde{\mathrm{C}}}_{\mathrm{t}}$ that can be added to the cell state: ${\tilde{\mathrm{C}}}_{\mathrm{t}}=\mathsf{\sigma }\left({\mathrm{W}}_{\mathrm{C}}\cdot \left[{\mathrm{h}}_{\mathrm{t}-1},{\mathrm{x}}_{\mathrm{t}}\right]+{\tilde{\mathrm{b}}}_{\mathrm{C}}\right),$ where ${\tilde{\mathrm{C}}}_{\mathrm{t}}$—output for tanh gate layer, ${\mathrm{W}}_{\mathrm{C}}$—weight for tanh layer, ${\tilde{\mathrm{b}}}_{\mathrm{C}}$—offset for tanh layer.
• Updating the old cell state value ${\mathrm{C}}_{\mathrm{t}-1}$ based on ${\mathrm{C}}_{\mathrm{t}}$: ${\mathrm{C}}_{\mathrm{t}}={\mathrm{f}}_{\mathrm{t}}\cdot {\mathrm{C}}_{\mathrm{t}-1}+{\mathrm{i}}_{\mathrm{t}}\cdot {\tilde{\mathrm{C}}}_{\mathrm{t}}$, where ${\mathrm{C}}_{\mathrm{t}}$—state of cell t, ${\tilde{\mathrm{C}}}_{\mathrm{t}}$—possible future state (candidate state) of cell t.
• Generation of output data:
  • Using the sigmoidal layer, it is determined what information will be output from the cell state: ${\mathrm{o}}_{\mathrm{t}}=\mathsf{\sigma }\left({\mathrm{W}}_{\mathrm{o}}\cdot \left[{\mathrm{h}}_{\mathrm{t}-1},{\mathrm{x}}_{\mathrm{t}}\right]+{\mathrm{b}}_{\mathrm{o}}\right),$ where ${\mathrm{o}}_{\mathrm{t}}$—output for output layer gate, ${\mathrm{W}}_{\mathrm{o}}$—weight for output layer gate, ${\mathrm{b}}_{\mathrm{o}}$—offset for the output layer gate.
  • Cell state values are passed through a tanh layer to output values in the −1 to 1 range, and are multiplied with the sigmoidal layer outputs to output only the information required: ${\mathrm{h}}_{\mathrm{t}}={\mathrm{o}}_{\mathrm{t}}·\tan \mathrm{h}\left({\mathrm{C}}_{\mathrm{t}}\right),$ where ${\mathrm{o}}_{\mathrm{t}}$—output for output layer gate, $\tan \mathrm{h}$—hyperbolic tangent.

3.6. Synthesis Technique for the SG Protection System

Despite the fact that the mathematical model of the SG protection system is very abstract, it has a certain advantage. To describe it, only one integral numerical indicator is required—the probability of making a timely error-free decision.

In addition, the integral probability of solving the tasks set by the system is considered in the model as an efficiency criterion, which corresponds to the target settings of the structure. In this case, the vector criterion in the factor space “efficiency—survivability” of the system is considered as an optimization criterion.

We mean that the system has two abstract states: a state when a timely error-free decision $\mathrm{p}\left(\mathrm{t}\right)$ is made, and a state when an erroneous and untimely decision $\left(1-\mathrm{p}\left(\mathrm{t}\right)\right)$ is made (Figure 11).

Thus, the functional ${\mathsf{\varphi }}_1\left(\mathrm{p}\left(\mathrm{t}\right), \mathrm{T}\prime \right)=\frac{1}{2}{\int }_0^{\mathrm{T}\prime }\mathrm{p}\left(\mathrm{t}\right)d\mathrm{t}$ determines the average probability of a timely error-free solution on the time interval ($0, \mathrm{T}\prime$). The mathematical expectation of the probability of a timely error-free decision determines the indicator of the survivability of the SG management system $\mathsf{\beta }\prime =\mathsf{{\rm E}}\left({\mathsf{\varphi }}_1\left(\mathrm{x}\left(\mathrm{t}\right), \mathrm{T}\prime \right)\right)$. The functional ${\mathsf{\varphi }}_2\left(\mathrm{p}\left(\mathrm{t}\right),{ \mathrm{T}}^{″}\right)=\frac{1}{2}{\int }_0^{{\mathrm{T}}^{″}}{\left(\mathrm{p}\left(\mathrm{t}\right)-\mathrm{a}\right)}_{+}d\mathrm{t}$, where the function ${\mathrm{x}}_{+}=\max \left(\mathrm{x}, 0\right)$, $0<a<1$, determines the fraction of time spent by the process above level a, where ${\mathsf{\beta }}^{″}=\mathsf{{\rm E}}\left({\mathsf{\varphi }}_2\left(\mathrm{x}\left(\mathrm{t}\right),{ \mathrm{T}}^{″}\right)\right)$ determines the mathematical expectation of this fraction.

Based on this, the task of synthesizing the SG protection system can be formulated as follows: it is necessary to determine the structure at which

$$\underset{\mathrm{S}\left({\mathrm{m}}_{\mathrm{k}}\right)}{\min }\mathrm{C}={\mathrm{f}}_1\left(\mathrm{S}\left({\mathrm{m}}_{\mathrm{k}}\right)\right), \underset{\mathrm{S}\left({\mathrm{m}}_{\mathrm{k}}\right)}{\max }\mathrm{P}={\mathrm{f}}_2(\mathrm{S}\left({\mathrm{m}}_{\mathrm{k}}\right),\overline{\mathsf{\lambda }},\overline{\mathsf{\mu }},\overline{\mathsf{\phi }}\left(\mathrm{t}\right),\overline{\mathrm{Q}},\overline{\mathsf{\epsilon }},\overline{\mathsf{\delta }})$$

(15)

and restrictions on the main criterion functions are fulfilled

$$\mathrm{P}\ge {\mathrm{P}}_{\min };\mathrm{C}\ge {\mathrm{C}}_{\min },$$

(16)

besides supporting criteria ${\mathrm{K}}_{3\min }\le {\mathrm{K}}_{3\mathrm{k}}\le {\mathrm{K}}_{3\max },$ ${\mathrm{K}}_{\mathrm{pk}}\le {\mathrm{K}}_{\mathrm{pmax}}$, $\forall \mathrm{k}\in \left\{1,\dots , \mathrm{S}\right\}$, respectively, mean the vectors of the intensity of the tasks coming for processing to each element of the protection system, the vectors of the intensity of their solution and the vectors of the lifetimes of situations containing the indicated tasks; vectors $\mathrm{Q}$ and $\mathsf{\epsilon }$ denote the corresponding probabilities of an erroneous solution of tasks by the elements of the protection system, determined by their functional $\mathrm{Q}$ and group tasks, in accordance with the nature of the coordination links in the system, determined by the matrix $\mathsf{\delta }$.

The problem posed is a two-parameter problem of vector optimization with mutually opposite criteria in the factor space “efficiency—survivability”. Its general solution can be found through the use of various methods of scalarization of vector criteria. The essence of the most effective of them comes down to the standardization of criteria and their subsequent additive convolution.

To determine the values of the normalizing criteria for cost and efficiency, direct and inverse optimization problems are considered. The statement of the direct problem is reduced to the following: it is necessary to determine

$$\underset{\mathrm{S}\left({\mathrm{m}}_{\mathrm{k}}\right)}{\max } \mathrm{P}={\mathrm{f}}_2(\mathrm{S}\left({\mathrm{m}}_{\mathrm{k}}\right),\overline{\mathsf{\lambda }},\overline{\mathsf{\mu }},\overline{\mathsf{\phi }}\left(\mathrm{t}\right),\overline{\mathrm{Q}},\overline{\mathsf{\epsilon }},\overline{\mathsf{\delta }})$$

(17)

under restrictions on the main criterion functions and under the restrictions on the auxiliary functions considered above. The inverse problem can be formally represented as follows:

$$\underset{\mathrm{S}\left({\mathrm{m}}_{\mathrm{k}}\right)}{\min }\mathrm{C}\left(\mathrm{S}\left({\mathrm{m}}_{\mathrm{k}}\right)\right), \mathrm{C}={\mathrm{C}}_1+{\sum }_{\mathrm{k}=1}^{\mathrm{S}-1}{\mathrm{m}}_{\mathrm{k}}{\mathrm{C}}_{\mathrm{k}}$$

(18)

with the appropriate restrictions on the main criterion and auxiliary functions. In view of the significant nonlinearity of the criterial function $\mathrm{P}\left(\cdot \right)$ in synthesis problems in the first approximation, it is more convenient to use the parameter $\mathrm{t}$ of the total time losses for solving operational problems.

Then the direct synthesis problem will be as follows:

$$\underset{\mathrm{S}\left({\mathrm{m}}_{\mathrm{k}}\right)}{\min }\mathrm{t}\left(\mathrm{S}\left({\mathrm{m}}_{\mathrm{k}}\right),\overline{\mathsf{\lambda }},\overline{\mathsf{\mu }},\overline{\mathsf{\phi }}\left(\mathrm{t}\right)\right).$$

(19)

At the same time, restrictions on the main criterion auxiliary functions should be carried out. In this case, the criteria $\mathrm{t}\left(\cdot \right) \mathrm{and} \mathrm{P}\left(\cdot \right)$ and, consequently, the solution of the problem, are determined either analytically under the conditions of sufficiently strict constraints, or by the method of statistical modeling.

Direct and inverse problems can be solved within the framework of one optimization procedure, during the implementation of which both the first and the second functionals are fixed. Analytical methods of calculations have a number of indisputable advantages, which include their simplicity, clarity, and the ability to effectively interpret the results. On the basis of statistical calculation methods, data can be obtained that describe the main trends in the changes in the structure of the management system of the SG protection system.

4. Implementation Issues of the SG Protection System Management Methodology

4.1. General Description of the SG Protection System Management Methodology

The proposed methodology for the SG protection system management in conditions of cyberattacks contains three stages.

At the first, auxiliary, stage, the SG information resources and its protection system are modeled, both in conditions of cyberattacks and without them. The modeling is performed by building and using formal models. As a result of this simulation, the values of the transition probabilities are determined. This stage can be called the learning stage. To determine the transition probabilities, the elements of the planar graphs considered above are used.

At the second, main stage, the prediction and detection of cyberattacks are carried out based on the use of a neural network with LSTM. Based on the machine learning methods, the analysis of transition probabilities, as well as anomalies in the functioning of thw SG elements and its protection system, caused by the impact of cyberattacks, is carried out. The recurrent LSTM neural network detects anomalies using a threshold value.

At the third stage, based on predicting and detecting cyberattacks, decisions are made to change the logical structure of the SG protection system and assess the impact of these changes on the overall SG survivability, which can be determined using one of known methods [48].

Let us assume that the TDTN protection system uses m types of protection means and n copies of each ones. Then the probability ${\mathrm{P}}_{\det }$ of reaching the k-th PIR by the attacker is determined by the formula of total probability as a result of solving the following statistical problem:

$${\mathrm{P}}_{\det }={\displaystyle \sum }_{\mathrm{i}=1}^{\mathrm{n}}\mathrm{P}\left({\mathrm{H}}_{\mathrm{i}}\right){\mathrm{Z}}_{\mathrm{i}}\left({\mathrm{N}}_{\mathrm{i}}^{\mathrm{Z}}\right)+{\displaystyle \sum }_{\mathrm{j}=\mathrm{i}+1}^{2^{\mathrm{n}}}\mathrm{P}\left({\mathrm{H}}_{\mathrm{j}}\right){\mathrm{Z}}_{\mathrm{j}}\left({\mathrm{N}}_{\mathrm{j}}^{\mathrm{Z}}\dots {\mathrm{N}}_{\mathrm{n}}^{\mathrm{Z}}\right),$$

(20)

where ${\mathrm{N}}_{\mathrm{i}}^{\mathrm{Z}}$ is a number of crucial nodes of the TDTN connected with PIR of the i-th type, exposed of the cyberattack; ${\mathrm{N}}^{\mathrm{Z}}$ is a total number of crucial nodes of the TDTN connected with all of the protected PIRs; $\mathrm{P}\left({\mathrm{H}}_{\mathrm{i}}\right)$ is the probability of the hypotheses about the achievement of a cyberattack of the protected PIR of the i-th type; ${\mathrm{Z}}_{\mathrm{i}}\left({\mathrm{N}}_{\mathrm{i}}^{\mathrm{Z}}\right)=\frac{({\mathrm{N}}^{\mathrm{Z}}-{\mathrm{N}}_{\mathrm{i}}^{\mathrm{Z}})}{{\mathrm{N}}^{\mathrm{Z}}}$ is the weight of the i-th protection mean for PIR; ${\mathrm{Z}}_{\mathrm{j}}\left({\mathrm{N}}_{\mathrm{j}}^{\mathrm{Z}}\dots {\mathrm{N}}_{\mathrm{n}}^{\mathrm{Z}}\right)={\mathrm{Z}}_{\mathrm{maxj}}+\frac{{\sum }_{\mathrm{j}=1}^{\mathrm{m}-1}{\mathrm{Z}}_{\mathrm{j}}}{\mathrm{n}-\mathrm{m}+1}$ is the total weight of the protective mean used in the SG TDTN protection system.

Basing on the fact that the TDTN protection system includes n protection means, the complete group of events of the cyberattack on a particular protection means will be determined by a set of hypotheses ${\mathrm{H}}_{\mathrm{i}}$, the total number of which is $2^{\mathrm{n}}$.

4.2. Software Implementation

To calculate the strong and weak components of the composition graph, we define the correspondence:

$$\mathrm{G}=\left(\mathrm{X}, \mathrm{A}\right),$$

(21)

where $\mathrm{X}$—nodes of the graph $\mathrm{G}$, denoting states, $\mathrm{A}$—arcs of the graph $\mathrm{G}$, specifying connections between states.

The mixed asymmetric graph $\mathrm{G}$ in accordance with Expression (21) is shown in Figure 12. We use $\mathrm{G}$ as a knowledge model, which is information about the complete alphabet of events (signs of threats, security criteria, incidence of events, and strong and weak components). We also take into account the weight coefficients of the arcs of the graph $\mathrm{G}$ in the knowledge model:

$${\mathrm{L}}_{\left(\mathsf{\alpha }\right)}={{\displaystyle \sum }}_{\left({\mathrm{x}}_{\mathrm{i}},{\mathrm{x}}_{\mathrm{j}}\right)\in \mathsf{\alpha }}{\mathrm{z}}_{\mathrm{ij}},$$

(22)

where $\mathrm{L}$ is the total weight of paths of the mixed antisymmetric graph $\mathrm{G}$, ${\mathrm{z}}_{\mathrm{ij}}$ is the arc (edge) weight, $\mathsf{\alpha }$ is the cardinality of the path.

The mixed asymmetric graph $\mathrm{G}$, shown in Figure 12, reflects the concatenation of the graphs of the “Threat Models” (Figure 4 and Figure 5), “Protection Systems” (Figure 6, Figure 7 and Figure 8), and “Protected Resources” (Figure 1). This transformation allows us to highlight the strong and weak partial subgraphs of the graph $\mathrm{G}$; adjacent arcs; and also set the cost of each oriented route that is necessary to select the optimal security policy.

The software for the proposed methodology is implemented in Python using the Pandas library, which was used to process and analyze the data. The Pandas library is written in the C, Cython, and Python programming languages. The presented library makes Python a powerful tool for data analysis and makes it possible to build pivot tables, perform groupings, and provide convenient access to tabular data at a high level. In addition to the Pandas library, the NumPy library was used, which is a lower-level tool that provides work with high-level mathematical functions, as well as multidimensional arrays (tensors). In general, the software implementation is based on the iterative optimization method. This approach is that each node $\mathrm{x}$ of the graph $\mathrm{G}=\left(\mathrm{X}, \mathrm{A}\right)$ is associated with a sequence of states: ${\mathrm{s}}_{\mathrm{x},\mathrm{t}}\in {\mathrm{S}}^{\mathrm{n}}$, $\mathrm{t}\in \left\{0,\dots \mathrm{m}\right\}$. The states are updated according to the following expression:

$${\mathrm{s}}_{\mathrm{x},\mathrm{t}+1}=\mathrm{F}({\mathrm{s}}_{\mathrm{x},\mathrm{t}},\sum \left(\mathrm{x},\mathrm{a}\right)\in \mathrm{G}, \mathrm{M}\left({\mathrm{s}}_{\mathrm{x},\mathrm{t}},{\mathrm{s}}_{\mathrm{a},\mathrm{t}},{\mathrm{w}}_{\mathrm{x},\mathrm{a}}\right)).$$

(23)

In other words, at the first iterations, for each edge $\mathrm{a}$ of the graph $\mathrm{G}=\left(\mathrm{X}, \mathrm{A}\right)$, the alphabet of events is calculated using the function $\mathrm{M}$ (the event depends on the states of the nodes ${\mathrm{s}}_{\mathrm{x},\mathrm{t}}$ and the weights of the edges ${\mathrm{s}}_{\mathrm{a},\mathrm{t}}$), and then all of the events are summed and the state of the node is updated using the function $\mathrm{F}$ (both functions are parameterized as usual with variable learning parameters). In our case, function $\mathrm{F}$ is implemented by LSTM. Given that, the algorithms for traversing the knowledge model $\mathrm{G}$ take into account the differences between the types of links and estimate the weights of different links ${\mathrm{L}}_{\left(\mathsf{\alpha }\right)}$ from the point of view of the problem of ensuring the security of the protected SMART resources, and do not use a common set of weights that was initially identified during training on the graph.

The LSTM artificial neural network used in the experiment is organized in accordance with the scheme shown in Figure 13.

Hyperparameters of an artificial neural network are configurable parameters that allow one to control the learning process of the model. For example, in neural networks, you determine the number of hidden layers and the number of nodes in each layer. The performance of the model largely depends on the hyperparameters. Hyperparameter tuning, also called hyperparameter optimization, is the process of finding a hyperparameter configuration that leads to better performance. This process usually requires significant computing resources and is performed manually. The presented hyperparameters of the neural network are optimized for our experiment and allow us to configure the network on a limited dataset to search for impacts on the network, to ensure the adequacy of the model.

Hyperparameters of the experimental neural network are: module optimizer—“Adam”; loss function (average absolute error)—“MAE”; the size of the data array for LSTM training is 10; the number of training epochs is 10; activation function (input layer)—“Than”; activation function (output layer)—“Relu”; the number of layers is 7; the dimension of the input/output tensor is 3/3.

The values of the hyperparameters for LSTM are determined a priori. With well-selected hyperparameter values, the LSTM network detects well-known computer attacks with a probability close to 1, and unknown attacks—with a probability exceeding 0.8.

Machine learning methods are implemented using the scikit-learn library, and neural networks are implemented using the Keras framework. The graphs were built using the Matplotlib module based on the obtained dataset. All calculations were performed in the Jupiter notebook integrated development environment. Simulation modeling based on GNS3 software was used to generate traffic.

Cyberattacks, such as distributed denial of service (DDoS), reconnaissance, backdoor, exploits, fuzzers, and “scanning the network and its vulnerabilities”, were taken into account as implemented attacks. Considering the above, the traffic structure, packet header length, flags, checksum, and some others were considered as the main characteristics under study in the dataset.

For the experiment, using the IXIA Perfect Storm tool (Figure 14), a special dataset was generated. It includes the reference traffic and was used to train the system and analyze the traffic without anomalies and the abnormal traffic.

Abnormal traffic included 55.0% of cyberattacks, which are divided into ten types, namely: fuzzers (${\mathsf{\epsilon }}_1$), analysis (${\mathsf{\epsilon }}_2$), backdoors (${\mathsf{\epsilon }}_3$), DDoS (${\mathsf{\epsilon }}_4$), exploits (${\mathsf{\epsilon }}_5$), generic (${\mathsf{\epsilon }}_6$), reconnaissance (${\mathsf{\epsilon }}_7$), shellcode (${\mathsf{\epsilon }}_8$), worms (${\mathsf{\epsilon }}_9$), and “scanning the network and its vulnerabilities” (${\mathsf{\epsilon }}_{10}$).

Cyberattacks were carried out for the following protocols: dns, http, smtp, ftp, ftp-data, pop3, ssh, ssl, snmp, dhcp, radius, and irc. They were used to test the effectiveness of the method under consideration and to identify its merits over other methods.

Determination of the efficiency criterion for the recognition of the cyberattacks (${\mathsf{\mu }}_{\mathrm{P}}$) by the neural network is performed by the formula

$${\mathsf{\mu }}_{\mathrm{P}}={\sum }_{\mathrm{k}=1}^{\mathrm{l}}{\sum }_{\mathrm{m}=1}^{\mathrm{n}}{\mathrm{P}}_{{\mathrm{PA}}_{\mathrm{k}}}\left({\mathsf{\epsilon }}_{{\mathrm{Y}}_{\mathrm{k}}}^{{\mathrm{A}}_{\mathrm{k}}}│{\mathrm{y}}_{\mathrm{k}}\right) \mathrm{K}\left({\mathsf{\epsilon }}_{{\mathrm{Y}}_{\mathrm{m}}}^{{\mathrm{A}}_{\mathrm{m}}}\right),$$

(24)

where $\mathrm{k}=1,\dots ,\mathrm{l}$ is a number of supposed types of cyberattacks $\mathrm{M}=\left({\mathrm{M}}_{\mathrm{ij}},{\mathrm{B}}_{\mathrm{i}.\mathrm{j}}\right)$ (see Table 1); $\mathrm{m}=1,\dots ,\mathrm{n}$ is a number of the supposed attacked SG resources—subgraphs ${\mathrm{GT}}_{\mathrm{i}1}-{\mathrm{GT}}_{\mathrm{i}6}$ (see Figure 3, Figure 4, Figure 5 and Figure 6); ${\mathrm{P}}_{{\mathrm{PA}}_{\mathrm{k}}}$ is a probability of the error-free cyberattack recognition, $\mathrm{k}=1,\dots ,\mathrm{l}$; ${\mathsf{\epsilon }}_{{\mathrm{Y}}_{\mathrm{k}}}^{{\mathrm{A}}_{\mathrm{k}}}$ is a set of the types of the cyberattacks on SG resources under a priori alphabet of attack events (${\mathrm{A}}_{\mathrm{k}}$) and a priori alphabet of signs of cyberattacks (${\mathrm{Y}}_{\mathrm{k}}$); $\left\{{\mathrm{y}}_{\mathrm{k}}\right\}$ are the vectors of signs of cyberattacks, $\mathrm{k}=1,\dots ,\mathrm{l}$; $\mathrm{K}\left({\mathsf{\epsilon }}_{{\mathrm{Y}}_{\mathrm{m}}}^{{\mathrm{A}}_{\mathrm{m}}}\right)$ is a gain function from recognizing attack targets ${\vartheta }_{{\mathrm{Y}}_{\mathrm{n}}}$, which are classified in the alphabet of cyberattacks.

Next, using the Argus and Bro-IDS tools, the data was analyzed and tagged into 44 features with a class label. The total number of records is equal to 82,332.

Table 2. Dataset of network traffic (a sample).

Record Number	Dataset Features													Attack Category
	service	state	dpkts	sbytes	dbytes	ct_dst_src_ltm	is_ftp_login	ct_ftp_cmd	ct_flw_http_mthd	ct_src_ltm	ct_srv_dst	is_sm_ips_ports	label
1	ospf	INT	20	0	1280	1	2	0	0	0	1	1	0	Reconnaissance
2	ospf	INT	20	0	1280	1	2	0	0	0	1	1	0	Reconnaissance
3	ospf	INT	20	0	1280	1	2	0	0	0	1	1	0	Backdoor
4	ospf	INT	20	0	1280	1	2	0	0	0	1	1	0	DoS
5	sctp	INT	2	0	104	1	2	0	0	0	1	1	0	Exploits
...	...	...	...	...	...	...	...	...	...	...	...	...	...	...
82328	udp	INT	2	0	1510	1	1	0	0	0	1	5	0	Fuzzers
82329	udp	INT	4	0	1216	1	1	0	0	0	1	6	0	Fuzzers
82330	udp	INT	4	0	1216	1	1	0	0	0	1	6	0	Fuzzers
82331	tcp	FIN	10	6	590	1	1	0	0	0	1	5	0	Fuzzers
82332	tcp	FIN	10	6	590	1	2	0	0	0	2	4	0	Fuzzers

shows a sample from the resulting dataset with the indication of the main features.

The following features are used in Table 2:

• service—a service used (may be as ospf, http, ftp, smtp, ssh, dns, ftp, udp, tcp etc. or ’-’);
• state—indicates the state and its dependent protocol (ACC, CLO, CON, ECO, ECR, FIN, INT, MAS, PAR, REQ, RST, TST, TXD, URH, and URN or ‘-‘ if the state is not used);
• dpkts—the number of packages from the destination to the source;
• sbytes—the number of bytes in the transaction from the source to the destination;
• dbytes—the number of bytes in the transaction from the destination to the source;
• ct_dst_src_ltm—the number of connections between the same destination address and the initial port in the last 100 connections;
• is_ftp_login—is equal to 1 if the user has access to the file transfer protocol (FTP) session by password, otherwise—0;
• ct_ftp_cmd—the number of connections that have a command on the FTP session;
• ct_src_ltm—the number of connections with the same source address in the 100 last connections;
• ct_srv_dst—the number of compounds containing the same service and destination address in the last 100 connections;
• is_sm_ips_ports—if the source and destination IP addresses are equal and the port numbers are equal, then this variable is 1, otherwise—0;
• label—is equal 0 for normal and 1 for attacked records.

In the dataset, there are nine attack categories: Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode, and Worms.

The Tcpdump tool was used to capture raw, unprocessed traffic. Cyberattacks were carried out using the KaliLinux distribution kit.

As the scenario under study, the traffic corresponding to the SG TDTN of St. Petersburg (Russia) was selected. This network contains 50 high-voltage substations (substations 110–220 kV), 2200 distribution points and transformer substations, as well as more than 80,000 metering devices (Figure 15).

The management of the TDTN elements and management of the network security is carried out from the central communication node (CCN).

The simulated traffic was a set of data of interest to operators and dispatchers of the SG power system. This data contained the following parameters:

• Power factor values;
• Power quality parameters in the entire system;
• Distributed measuring system parameters;
• Equipment condition parameters;
• Parameters of the state of protection means;
• Information about the places of damage and failures;
• Load of transformers and lines;
• Profiles and forecasts of electricity consumption and some other parameters.

5. Experimental Results

5.1. Evaluation of the Management Methodology for the SG Protection System

To solve the problem associated with predicting and detecting a cyberattack, it is very important not only to determine machine learning algorithms or neural networks, but also to highlight the parameters that are most susceptible to anomalous deviation during the course of the attacker’s influence.

Consider a particular case of using the graph $\mathrm{G}=\left(\mathrm{X}, \mathrm{A}\right)$ by a LSTM network. Let us construct a transitive adjacency graph $\mathrm{G}\prime$ to prevent a DDoS attack. Based on the threat model for SG resources, the classifier of the threat model ${\mathrm{X}}_7\left({\mathrm{X}}_{7.1},{\mathrm{X}}_{7.2},{\mathrm{X}}_{7.3},{\mathrm{X}}_{7.4},{\mathrm{X}}_{7.5}\right)$ contains from 1 to n threats. Let ${\mathrm{X}}_{7.1}$ be a DDoS cyberattack type that affects the protected SG resources of the “information availability” (${\mathrm{X}}_{44}$) and “network bandwidth” (${\mathrm{X}}_{59}$) types. Let us formulate a context diagram for a particular case of a cyberattack on the SG resources $\mathrm{G}\prime =\left( \mathrm{X}\prime , \mathrm{A}\prime \right)$, where ${\mathrm{X}}_1$, ${\mathrm{X}}_2,{ \mathrm{X}}_3,\dots ,{\mathrm{X}}_{70}\in \mathrm{X}\prime$ and ${\mathrm{A}}_1$, ${\mathrm{A}}_2,{ \mathrm{A}}_3,\dots ,{\mathrm{A}}_{51}\in \mathrm{A}\prime$ (Figure 16).

After detecting and classifying the attack on the SG resources, the recurrent neural network compares the attack countermeasures. This involves the elements of the ${\mathrm{D}}_{\mathrm{g}}$ subgraph (see Figure 8). The elements of the bipartite subgraph ${\mathrm{D}}_{\mathrm{g}}$ define the protection strategy ${\mathrm{X}}_{16}\left({\mathrm{X}}_{60},{\mathrm{X}}_{61},{\mathrm{X}}_{62},{\mathrm{X}}_{63},{\mathrm{X}}_{64}\right)$ of the SG resources ${\mathrm{X}}_{44}$ of “information availability” and ${\mathrm{X}}_{59}$ of “network bandwidth” against attacks such as ${\mathrm{X}}_{7.1}$ (attacks such as DDoS) based on the requirements of ${\mathrm{X}}_{15}\left({\mathrm{X}}_{67},{\mathrm{X}}_{70}\right)$ to the protection system to prevent attacks such as ${\mathrm{X}}_{7.1}$ (Figure 17):

$${\mathrm{X}}_{44}\oplus {\mathrm{X}}_{67}\oplus {\mathrm{X}}_{16}\left({\mathrm{X}}_{60}\dots {\mathrm{X}}_{64}\right).$$

(25)

When detecting the DDoS cyberattack, each protocol was initially considered separately based on the dataset of the network traffic (Figure 18, Figure 19, Figure 20, Figure 21, Figure 22, Figure 23 and Figure 24).

In Figure 18, Figure 19, Figure 20, Figure 21, Figure 22, Figure 23 and Figure 24, abnormal zones are designated in red, and normal zones are designated in green. Blue lines display network packets. The Y axis displays the length of the network packet, and the X one is a time axis. As can be seen from Figure 18, Figure 19, Figure 20, Figure 21, Figure 22, Figure 23 and Figure 24, it is almost impossible to visually distinguish between normal and abnormal behavior.

We use the LSTM autoencoder to predict anomalies in the time series (Figure 25).

Due to the strong correlation of multivariate time series and the multiscale nature of a process with fast (long-term) and slow (short-term) subprocesses, feedforward neural networks usually perform poorly. A more accurate predictive model can be developed using a neural network with LSTM cells.

Let us look at the training process of the LSTM model (Figure 26).

We disabled data movement during model training by setting the parameter shuffle = False, because order is important in the time series data (you cannot allow random sampling). Figure 27 is a plot of the loss function showing how the model was trained. It can be seen from this graph that the loss function decreases during training.

We used the mean absolute error (MAE) to calculate the “reconstruction error” because it gave us better results compared to the mean square error (MSE) and the root mean square error (RMSE):

$$\mathrm{MAE}=\frac{1}{N}\sum _{t=1}^N\left|Z\left(t\right)-\widehat{Z}\left(t\right)\right|,$$

(26)

$$\mathrm{RMSE}={\left(\frac{1}{N}{\displaystyle \sum }_{t=1}^N{\left(Z\left(t\right)-\widehat{Z}\left(t\right)\right)}^2\right)}^{-2},$$

(27)

where $\mathrm{Z}\left(\mathrm{t}\right)$ is the actual value of the time series, $\hat{\mathrm{Z}}\left(\mathrm{t}\right)$ is the projected value predicted by the algorithm.

In both the MSE and RMSE, the errors are squared before they are averaged, resulting in higher weights assigned to larger errors. This makes the model more sensitive to noise that can cause false alarms. Since our data is inherently noisy, we have determined that an “anomaly” is a spike or trend that lasts at least 5 s. Therefore, in this model, we need a loss function that is more “forgiving” for small spikes in one or two functions.

The simplest way to determine what is an anomaly is as follows: “Anything above a fixed threshold is considered an anomaly, otherwise a normal value.”

By plotting the distribution of the loss function (Figure 28) in the training set, an appropriate threshold value can be determined to identify the anomaly. In doing so, we need to check that this threshold is set above the “noise level”. Any anomalies noted should be statistically significant above the background noise.

Figure 28 shows the recovery error measured by the MAE. From the distribution of losses, a threshold value of 0.001 can be set to detect an anomaly. Figure 29 outlines the threshold value.

Mathematically, the static threshold is calculated as the overall mean plus 2 standard MAE steps for all of the trained data (Figure 30).

Figure 31 depicts the result of the anomaly detection using the neural network.

As can be seen from this figure, the neural network is very sensitive to sudden bursts. The drawing is noisy and full of anomalies, although it is not. “Noise” is seasonality, which tells us that we should use a dynamic threshold that is sensitive to the behavior of the data.

We decided to use the exponential moving average (EMA) threshold to detect anomalies:

$${\mathrm{EMA}}_{\mathrm{n}}=\left(\mathrm{Value}\cdot \frac{\mathsf{\alpha }}{1+\mathrm{N}}\right)+\left({\mathrm{EMA}}_{\mathrm{n}-1}\cdot \left(1-\frac{\mathsf{\alpha }}{1+\mathrm{N}}\right)\right),$$

(28)

where N is the number of values of the original function to calculate the moving average, a is a coefficient that can be selected randomly, ranging from 0 to 1.

Figure 32 shows the average loss of the indicators: the static threshold is highlighted in purple, the moving average threshold is in red, and the exponential average threshold is in green.

After calculating the loss distribution and anomaly threshold, we can visualize the model output (Figure 33). As it can be seen from this figure, the number of false positives has decreased because the trained model was not so sensitive to emissions.

Let us approximate the graph (Figure 34).

An analysis of the experimental results showed that the ability of the recurrent neural network not only to learn, but also to develop rules for resolving collisions associated with the anomalous behavior of traffic controlled by LSTM allows for early warning of intrusions into the SG network from the outside.

Based on these warnings, the synthesis of the management system of the SG protection system is carried out. A timely, error-free decision to change the protection system affects the overall survivability of the management system.

The calculation results showed that before the management decisions were made to change the protection system, the survivability of the SG fragment under consideration was 0.75. After the synthesis of the protection system, the survivability increased to 0.93.

Thus, the proposed method for controlling the active protection of information and telecommunication SG resources allows to not only detect cyberattacks in a timely manner, but also to take measures to control the protection in a mode close to real time.

5.2. Comparative Evaluation of the Management Methodology for the SG Protection System

Formally, the management process can be represented as a tuple $\langle \mathrm{Y}, \mathrm{U}, \mathrm{O}\rangle$, where $\mathrm{Y}$ is a vector of common coordinates that characterizes the system problem and the management goal; $\mathrm{U}$ is a vector of influence; $\mathrm{O}$ is a control object (Figure 35).

The goal of the management process is determined by the relation ${\mathrm{Z}}_{\mathrm{Y}}\subset {\mathrm{K}}_{\mathrm{Y}}$, where ${\mathrm{K}}_{\mathrm{Y}}$ is the aggregate set of $\mathrm{Y}$ values at which the states of the control object meet the requirements, and ${\mathrm{Z}}_{\mathrm{Y}}$ is the aggregate set of $\mathrm{Y}$ values that arise during the operation of the control object.

In real management systems, when there is not enough a priori information about the control object, the action $\mathrm{U}$ is carried out by the controller $\mathrm{P}$ (Figure 36), which is functionally interconnected with the output states of the control object and the independent influences imposed on it. In such a situation, it is necessary, depending on the state of the vectors ${\mathrm{C}}_{\mathrm{o}}$ (side effects on the control object) and ${\mathrm{C}}_{\mathrm{p}}$ (side effects on the controller $\mathrm{P}$), to constantly change the properties and the order of the controller functioning. A generalized diagram of the management process is shown in Figure 36, where ${\mathrm{Q}}_{\mathrm{o}},{ \mathrm{Q}}_{{\mathrm{C}}_{\mathrm{o}}},{ \mathrm{and} \mathrm{Q}}_{{\mathrm{C}}_{\mathrm{p}}}$ are signs-identifiers of the properties of the control object and vectors ${\mathrm{C}}_{\mathrm{o}}$ and ${\mathrm{C}}_{\mathrm{p}}$.

For those management systems that operate under conditions of continuously changing influences, i.e., when the steady-state regime is absent at all (and this is fully true for the SG), we will give a definition of their resilience. A management system is resilient if its output parameters remain limited under conditions of exposure to limited magnitude disturbances. The argument ${\overline{\mathrm{L}}}_{\mathrm{o}}$ reflects in Figure 36 the fact that the properties of $\mathrm{P}$ change when the properties of the control object change as a result of external and internal independent disturbances.

The classical model of a management system is a feedback model with real-time adjustable coefficients. The coefficients of such a controller are adjusted during each control cycle in accordance with the estimated system parameters. A closed-loop control is a process in a system where a controlled (controlled) variable is constantly monitored and compared with a setpoint, i.e., with a reference variable. Depending on the result of such a comparison, the input variable of the system is changed so that the output variable is adjusted to the specified value, regardless of all of the deviations. As a result of such a reaction of the system, a closed flow of actions arises. The use of feedback in the management of the SG protection system makes it possible to take into account information not only about the desired process, but also about the actual process of functioning of all of the components of the protection system.

Another well-known model of a management system is the Lyapunov reference model [49]. Adaptive control systems using the Lyapunov model are designed so that the output of the controlled model matches the output of a predefined model that has the desired characteristics. Such a system should be asymptotically stable, i.e., the controlled system keeps track of the parameters of the reference model with zero error. Moreover, transient processes at the stage of adaptive (learning) control have guaranteed limits.

Let us carry out a comparative analysis of the proposed management system of the SG protection system with those discussed above. Stability, convergence rate, operation under noise conditions (targeted and natural influences), required memory size, etc. were chosen as the comparison criteria. The results of the comparative analysis are presented in

Table 3. The results of the comparative analysis of the management system.

Criterion	Closed-Loop Control with Adjustable Coefficients	Adaptive Control with Reference Model	LSTM Based Management
Convergence rate	+ +	+	+
Resilience of the feedback	−	+ +	+
Tracking error	+	+ +	+
Software interference minimization	+ +	−	+ +
Complexity of the control program	−	+	+
Real-time operation	+	+	+ +
Robustness of the model mismatch	−	+	+ +
System response time	−	+	+ +

. The following symbols are used in the table: “−” is the worst indicator; “+” is the average indicator; “+ +” is the best indicator.

The system response time ($t_R$) when detecting abnormal traffic deviations was measured within the specified limits ($0<t_R<500\mathrm{M}\mathrm{C}$). The system with a neural network core showed the best result of—on average, for 10 epochs of experiments—358.3 ms. For systems with feedback control and adjustable coefficients, as well as adaptive control using a reference model, the response time was 521.4 ms and 476.9 ms, respectively. Thus, it can be seen that the proposed approach demonstrates a gain in time for detecting cyberattacks in comparison with the known solutions up to 30%.

In order to determine the dependence of the cyberattack detection time on the volume of analyzed data, several experiments were carried out using the proposed method for two additional datasets. They differ from the base one, containing, as mentioned above, 82,332 records. The first additional dataset contained about 164,000 (i.e., it was about two times larger than the baseline). The second additional dataset contained approximately 41,000 records (i.e., it was about two times smaller than the base one). The experiments have shown that for the first additional dataset, the average attack detection time was 1150 ms, and for the second—150 ms. Thus, the dependence of the time to detect attacks on the volume of analyzed data has a power-law character with a low exponent. The dependence of the system response time on the amount of processed data is presented in Figure 37.

Figure 37 discusses 3 datasets and 10 neural network learning eras. The Y axis corresponds to the response time of the system (i.e., the cyberattack detection time). The graph has three different dependences that show that the cyberattack detection time is reduced with each learning era. However, additional computing power is required to ensure the model scalability.

To obtain a comparative assessment of the proposed methodology for the accuracy of detecting cyberattacks, work [47] was selected. In this work, an LSTM-based classifier of attacks was studied, and its assessment was carried out at the KDD Cup 1999 dataset. The experiments carried out in [47] showed that the LSTM model has a higher efficiency in detecting and classifying cyberattacks than such well-known classifiers as k-mearest neighbor, support vector machine, multilayer perceptron, decision tree, and naïve Bayes. In [47], the following values were obtained: detection rate (DR) is 98.88% and false alarm rate (FAR) is 10.04%. In our work, the values of these indicators, averaged over all datasets, are: DR = 98.55% and FAR = 8.95%. It can be seen that our values for the accuracy of detecting cyberattacks based on LSTM are close to that of [47], but the experimental conditions are not comparable—we used a more complex data set, which included contemporary attacks, and we believe that our approach allows us to achieve greater confidence by combining the LSTM theory and the flat graph theory.

The experiments included testing the theory first without using the neural network core of the control and management system and then using it. In both cases, the type, duration, and sequence of computer attacks (fuzzers, analysis, backdoors, DDoS, rxploits, generic, reconnaissance, shellcode, worms, and “scanning the network and its vulnerabilities”) on the information and telecommunications resources of the experimental computer network were identical.

The analysis of the experimental results revealed not only characteristic changes in the ”pattern“ of useful traffic, but also the fact that the ability of a recurrent neural network not only to learn, but also to develop rules for resolving collisions associated with abnormal behavior of traffic controlled by LSTM allows us to warn in a timely manner of intrusions into the SG network from the outside. Thus, the proposed method of managing the active protection of SG information and telecommunications resources allows one not only to detect cyberattacks in a timely manner, but also to take measures to control the protection in a mode close to real time.

On the basis of these warnings and recommendations, the synthesis of the SG protection system management system can be carried out. A timely, error-free decision to change the protection system affects the overall survivability of the control system. The calculation results showed that before making management decisions to change the protection system, the survivability of the SG fragment under consideration was 0.75. After the synthesis of the protection system, the survivability increased to 0.93. The efficiency of the protection system increased by 24% per unit of time. According to preliminary calculations, this efficiency will be at least 17% effective under real operating conditions of the SG functioning in comparison with the protection system without an additional control module using LSTM algorithms.

An analysis of the results of a comparative analysis of various management systems shows that the proposed methodology for managing the SG protection system based on the use of LSTM neural networks has a higher efficiency. Despite the fact that each of the considered methods has both positive and negative characteristics, it should be noted that the neural network control method has a number of positive qualities that are poorly implemented in the first two management systems. The dynamics of the system response is of particular importance in the management of the SG TDTN protection system time characteristic of the output variable (∆τ) [50]. As practical experiments show, ∆τ is minimal for LSTM-controlled systems. In addition, the control system based on LSTM is resistant to interference when exposed to cyberattacks.

5.3. Discussion

The experiments showed, first of all, that when predicting the impact of cyberattacks in order to develop control decisions, it is very important not only to determine the machine learning algorithm or the neural network, but also to identify the parameters that are most susceptible to abnormal deviations during the attacker’s exposure. In addition, the experiments demonstrated that the proposed methodology for managing the protection system, using the flat graph specification and a neural network with LSTM, has a fairly high efficiency. The main advantage of this approach is the ability to work in real time, as well as the ability to work with any kind of traffic. Revealing the fact of the impact of cyberattacks is carried out in a few microseconds, depending on the performance of the computer technology.

Other advantages of this approach include the low demands on system resources. In addition, there are practically no restrictions on the linearity of the system in the LSTM-based control system. Such a control system is effective in conditions of interference in the communication channel caused by the impact of cyberattacks. The recurrence properties provide constant additional training and management of the TDTN protection system in real time, which gives it an advantage over other systems.

However, despite the above listed advantages, this method is not a panacea because, at this stage, it is not possible to monitor the tracking errors that occur during the operation of the management systems under the influence of cyberattacks. Insufficient accuracy can lead to a discrepancy between the characteristics of the system and the conditions for the functioning of the management system. In addition, at this stage of implementation, the management program is very complex.

It should be noted that the conducted studies are still only demonstrating the potential and effectiveness of the proposed approach to managing the security system in SG TDTN. The practical implementation and further improvement of this methodology determine further directions of the research.

6. Conclusions

This paper considered the methodology for using flat graphs for modeling a protected resource and a management system, as well as the neural network with LSTM for predicting the impact of cyberattacks on SG TDTN and developing management solutions for the protection system. The methodology proposed allows one not only to form the architecture of the SG TDTN protection system, but also to audit the SG security in real time.

In the simulation, the principle of solving the problems of distributing a heterogeneous resource among interdependent elements was used with the further implementation of the differentiated approach to creating an integrated protection of elements of smart power supply networks. The effectiveness of this method over others was shown, and the possibility of timely management of the protection system of smart power supply networks was substantiated. The issues of software implementation of the proposed approach were considered. The experimental results obtained using the generated datasets confirmed the high efficiency of the proposed approach.

In this paper, we did not consider such subjective parameters as “model complexity” and the model parameter uncertainty. They will primarily depend on the volume of tasks to be solved, the number of reference parameters to be set, the available computing power, data quality, etc. The values of the hyperparameters for LSTM in our research were determined a priori. As it was shown, the LSTM network detects well-known computer attacks with a probability close to 1, and unknown attacks with a probability exceeding 0.8.

Machine learning methods were implemented using the scikit-learn library, and neural networks using the Keras framework. The graphs were built using the Matplotlib module based on the obtained dataset. All of the calculations were performed in the Jupiter notebook integrated development environment. A simulation based on GNS3 software was used to generate traffic.

Cyberattacks, such as DDoS, reconnaissance, backdoor, exploits, fuzzers, and “scanning the network and its vulnerabilities”, were taken into account as implemented attacks. The traffic structure, packet header length, flags, checksum, and some others were considered as the main characteristics under study in the dataset.

The proposed methodology, based on graph models and the practical implementation on LSTM networks, makes it possible not only to detect cyberattacks in a timely manner, but also to take measures for the active protection of SG resources in real or near real time. The use of flat graphs makes it possible to take into account (when modeling the action of an attacker when implementing the cyberattacks) the possibility of applying the means of protection, the state of the information and telecommunications network in SG, and the methods of organizing management and communication. Experiments have shown that the proposed methodology demonstrates up to a 30% gain in time for detecting cyberattacks in comparison with the known solutions. As a result, the survivability of the SG fragment under consideration increased from 0.62 to 0.95.

The main difficulty of the application of the methodology is seen in the complexity of specifying the processes, protocols, and technologies implemented in the SG in the absence of acceptable datasets for learning LSTM networks and in the absence of a common topology for constructing SG TDTN. This defines one of the further areas of research. In addition, further research will be aimed at integrating the proposed methodology into the existing monitoring and management systems for the SG protection system and optimizing the output parameters.