*1.3. Contributions*

This study presents a machine-learning model that detects system behaviors by analyzing historical measurement data and the related log data. Although unsupervised learning is attractive for detecting zero-day attacks, since it requires no training on attack scenarios, it is also prone to false positives [17]. Supervised learning, by contrast, can markedly improve detection confidence, so the experiments are performed with a supervised machine-learning approach. The main contributions of this paper are summarized as follows:


The remainder of the study is organized as follows. Section 2 gives a detailed explanation of the methodology, Section 3 discusses the classification results, and Section 4 concludes.

## **2. Model Structure**

This section presents the scenarios in which disturbances and attacks occur in the electric grid, the meaning of the features in the data set, and the proposed model together with the data processing applied to it.

#### *2.1. Introduction to Power System Framework Configuration*

The data set used here consists of measurements recorded during normal operation, faults, and cyber-attacks [18–20]. Figure 1 shows the block diagram of the electrical network [21]. Measurement data are recorded primarily by the relays, the control panel, Snort, and the PMUs (synchrophasor measurement units). The most significant components are as follows. P1 and P2 denote the power generators; relay R1 is an intelligent electronic device (IED) that can open or close breaker 1 (BR1); L1 and L2 are the transmission lines (TLs); and the phasor data concentrator (PDC) stores and displays synchrophasor data and records historical data. Each IED implements a distance protection scheme that trips its breaker when it detects a fault. Because the IED has no internal means of verifying that a detected change is genuine, it trips the breaker whether the fault is real or not. BR1 to BR4 can also be tripped by manually sending the corresponding commands to the IEDs; this manual override is needed whenever lines or other components are to be maintained.

**Figure 1.** The power system framework configuration.

The experiment uses a data set with 128 features recorded by PMUs 1 to 4 together with relay and Snort alarms and logs (the relay and PMU data have been merged). A PMU, or synchrophasor, measures electrical waveforms on a power network against a common time source, so measurements taken at different locations can be compared directly. Each PMU contributes 29 features, giving 4 × 29 = 116 measurement columns. The data set also contains 12 columns of log data from the control panel and one column holding the ground-truth label. The multiclass data set has three main scenario categories: No Events, Natural Events, and Intrusion (attack) events. Table 1 summarizes the scenarios, and a brief explanation of each category, based on the description supplied with the data set, follows.
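To make the column layout above concrete, the following Python snippet is an added example, not code from the paper or from the data set's authors. It assumes the columns are ordered PMU1 to PMU4 (29 each), then the 12 log columns, then the label; the per-feature column names, the label-column name `marker`, and the three-row sample are constructed for illustration. The layout check is the practical point: a row whose length does not match 4 × 29 + 12 + 1 is a misaligned file, and it should be rejected before any classifier is trained on it.

```python
"""Layout check and per-PMU split for a 128-feature power-system data set.

Added example. The column names, the label column name and the sample rows
are constructed (assumptions), not taken from the real data set.
"""
import csv
import io

N_PMUS = 4
FEATURES_PER_PMU = 29
N_LOG_COLUMNS = 12
N_MEASUREMENTS = N_PMUS * FEATURES_PER_PMU          # 116
N_FEATURES = N_MEASUREMENTS + N_LOG_COLUMNS         # 128
LABEL_COLUMN = "marker"                             # assumed label-column name


def split_row(values):
    """Split one row (128 features + label) into per-PMU blocks, logs and label.

    Raises ValueError when the row does not match the documented layout, so a
    misaligned CSV is caught before it reaches the classifier.
    """
    if len(values) != N_FEATURES + 1:
        raise ValueError(f"expected {N_FEATURES + 1} columns, got {len(values)}")
    pmus = {}
    for i in range(N_PMUS):
        start = i * FEATURES_PER_PMU
        block = values[start:start + FEATURES_PER_PMU]
        pmus[f"PMU{i + 1}"] = [float(v) for v in block]
    logs = [int(float(v)) for v in values[N_MEASUREMENTS:N_FEATURES]]
    return {"pmu": pmus, "logs": logs, "label": values[-1]}


def load_rows(text):
    """Parse CSV text with a header row; validate the header before the data."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if len(header) != N_FEATURES + 1 or header[-1] != LABEL_COLUMN:
        raise ValueError("header does not match the documented 128+1 layout")
    return [split_row(row) for row in reader if row]


def class_means(rows, pmu, feature_idx):
    """Mean of one PMU feature per label: a quick sanity check before training."""
    sums, counts = {}, {}
    for r in rows:
        v = r["pmu"][pmu][feature_idx]
        sums[r["label"]] = sums.get(r["label"], 0.0) + v
        counts[r["label"]] = counts.get(r["label"], 0) + 1
    return {label: sums[label] / counts[label] for label in sums}


def make_sample():
    """Constructed three-row CSV in the documented layout (not real measurements)."""
    header = [f"PMU{p}_f{i:02d}"
              for p in range(1, N_PMUS + 1)
              for i in range(1, FEATURES_PER_PMU + 1)]
    header += [f"log{i:02d}" for i in range(1, N_LOG_COLUMNS + 1)] + [LABEL_COLUMN]
    rows = []
    # Each row uses one constant measurement value; the third row raises one alarm flag.
    for value, alarm, label in [(1.0, 0, "no_event"),
                                (2.0, 0, "natural_event"),
                                (3.0, 1, "attack")]:
        logs = ["0"] * N_LOG_COLUMNS
        logs[0] = str(alarm)
        rows.append([str(value)] * N_MEASUREMENTS + logs + [label])
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    parsed = load_rows(make_sample())
    print(len(parsed), "rows;", class_means(parsed, "PMU1", 0))
```

`split_row` is deliberately strict: silently truncating or zero-padding a short row would shift every PMU block by one column and produce a model that trains on mislabeled features.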

(a) SLG fault: A fault occurs whenever the current, voltage, or frequency of the system deviates abnormally from its nominal value, and most faults in electrical systems are single line-to-ground (SLG) or line-to-line (LL) faults. In the data set, the simulated SLG faults are represented as short circuits at various points along the TL.


**Table 1.** Explanation of scenarios.

