Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining

The advanced Metering Infrastructure (AMI) is one of the core components of smart grids´ architecture. As AMI components are connected through mesh networks in a distributed mechanism, new vulnerabilities will be exploited by grid´s attackers who intentionally interfere with network´s communication system and steal customer data. As a result, identifying distributed security solutions to maintain the confidentiality, integrity, and availability of AMI devices´ traffic is an essential requirement that needs to be taken into account. This paper proposes a real-time distributed intrusion detection system (DIDS) for the AMI infrastructure that utilizes stream data mining techniques and a multi-layer implementation approach. Using unsupervised online clustering techniques, the anomaly-based DIDS monitors the data flow in the AMI and distinguish if there are anomalous traffics. By comparing between online and offline clustering techniques, the experimental results showed that online clustering “Mini-Batch K-means” were successfully able to suit the architecture requirements by giving high detection rate and low false positive rates.