Graph-Attentive Cyber–Physical Attack Detection and Forensic Attribution in Smart Grids: A Two-Stage Pipeline Combining Physical Anomaly Detection with Network Traffic Analysis
Danilo Greco
2026-01-01
Abstract
Smart grids increasingly rely on digital communication, expanding the attack surface beyond the reach of conventional network intrusion-detection systems. Physics-based monitoring can detect anomalies that bypass traffic inspection, but most prior methods only provide binary detection and do not identify attackers or describe associated network behaviour. This paper presents a two-stage cyber-physical detection and attribution pipeline for the IEEE 14-bus smart grid. In Stage 1, a four-layer GATv2 model analyses sliding windows of PLC sensor data and operates as a binary anomaly detector (Benign vs. Attack), achieving 96.39 ± 1.26% accuracy, macro-F1 0.949 ± 0.019, recall 0.992 ± 0.007, and ROC-AUC 0.994 ± 0.005 (mean ± std, 5 seeds, tuned configuration). GATv2 achieves the highest recall among all tested binary classifiers (Random Forest: 0.970; SVM: 0.860; KNN: 0.988 at low AUC 0.759), the primary metric in safety-critical intrusion detection where a missed attack is more dangerous than a false alarm. A Welch t-test across five independent seeds confirms that GATv2 and RF are statistically equivalent in accuracy (t = -2.030, p = 0.096). A six-class ablation study reveals that Backdoor is physically near-invisible (F1 = 0.238, lowest among all classes), motivating the network attribution stage. In Stage 2, triggered only after anomaly detection, a LightGBM model trained on 27 network-traffic features attributes the attack campaign, reaching 83.05 ± 0.00% accuracy and macro-F1 0.819 ± 0.002 across all six cyber classes. A final enrichment stage correlates anomaly windows with network events to extract attacker IP and MAC information, suspicious ports, Modbus manipulation signals, and connection-rate anomalies, producing a structured forensic report. Ablations and visual analyses show that graph-based physical sensing and statistical network attribution are complementary.
To the best of our knowledge, this is the first work to combine topology-aware GNN physical detection, multi-class cyber attribution, and automated forensic enrichment in a single pipeline evaluated on this dataset.
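The enrichment stage described in the abstract (correlating physically flagged anomaly windows with network events to extract attacker IP/MAC, suspicious ports, Modbus write signals and connection-rate anomalies) can be illustrated with plain stdlib code. The block below is an added example and not the paper's pipeline or dataset: the anomaly windows are assumed to be the output of a Stage 1 detector and are hard-coded, the network capture is a constructed sample, and the scoring rules (baseline port set, write-function-code set, mean plus k standard deviations for the connection rate) are the example's own assumptions, not the paper's 27-feature LightGBM model.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple
import json

# Modbus function codes that modify PLC state: write single coil/register, write multiple coils/registers.
MODBUS_WRITE_CODES = {5, 6, 15, 16}


@dataclass(frozen=True)
class NetEvent:
    ts: float                       # seconds since capture start
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int
    modbus_func: Optional[int] = None   # None for non-Modbus traffic


# Constructed sample capture (assumption, not the paper's dataset): an HMI polls the PLC
# once per second on 502/tcp for 60 s; at t=30 a second host probes ten ports in one
# second and then issues fifteen Modbus "write multiple registers" (0x10) requests.
EVENTS: List[NetEvent] = (
    [NetEvent(float(t), "10.0.0.10", "aa:aa:aa:00:00:10", "10.0.0.20", 502, 3) for t in range(60)]
    + [NetEvent(30 + i / 10, "10.0.0.99", "bb:bb:bb:00:00:99", "10.0.0.20", p, None)
       for i, p in enumerate([21, 22, 23, 80, 443, 502, 8080, 1883, 4840, 20000])]
    + [NetEvent(31 + i / 5, "10.0.0.99", "bb:bb:bb:00:00:99", "10.0.0.20", 502, 16) for i in range(15)]
)

# Windows flagged by the physical detector; assumed given here, standing in for Stage 1 output.
ANOMALY_WINDOWS: List[Tuple[float, float]] = [(30.0, 40.0)]


def split_events(events: List[NetEvent], windows: List[Tuple[float, float]]):
    """Partition events into those inside any anomaly window (Stage 2 scope) and the baseline."""
    inside, outside = [], []
    for e in events:
        (inside if any(s <= e.ts < t for s, t in windows) else outside).append(e)
    return inside, outside


def connection_rate(events: List[NetEvent], bin_seconds: float = 1.0) -> Dict[int, int]:
    """Connections per time bin, keyed by bin index."""
    return Counter(int(e.ts // bin_seconds) for e in events)


def rate_anomaly(inside: List[NetEvent], outside: List[NetEvent], k: float = 3.0) -> dict:
    """Flag bins inside the windows whose connection count exceeds baseline mean + k*std."""
    base = list(connection_rate(outside).values())
    mu, sd = mean(base), pstdev(base)
    threshold = mu + k * max(sd, 1.0)   # floor on std so a perfectly regular baseline still gives a usable threshold
    hot = {b: n for b, n in connection_rate(inside).items() if n > threshold}
    return {"baseline_mean": mu, "threshold": threshold, "hot_bins": hot}


def enrich(events: List[NetEvent], windows: List[Tuple[float, float]], k: float = 3.0) -> dict:
    """Correlate anomaly windows with network events and build a structured forensic report."""
    inside, outside = split_events(events, windows)
    baseline_ports = {e.dst_port for e in outside}
    src_in = Counter((e.src_ip, e.src_mac) for e in inside)
    src_out = Counter((e.src_ip, e.src_mac) for e in outside)

    # Rank sources: hosts unseen in the baseline first, then by activity inside the windows.
    candidates = sorted(
        (
            {
                "ip": ip,
                "mac": mac,
                "events_in_window": n,
                "events_baseline": src_out.get((ip, mac), 0),
                "distinct_ports": len({e.dst_port for e in inside if e.src_ip == ip}),
            }
            for (ip, mac), n in src_in.items()
        ),
        key=lambda c: (c["events_baseline"] == 0, c["events_in_window"]),
        reverse=True,
    )

    # Ports contacted during the windows that never appear in baseline traffic.
    suspicious_ports = sorted({e.dst_port for e in inside} - baseline_ports)

    # Modbus state-changing requests inside the windows, per source and function code.
    writes: Dict[str, Counter] = defaultdict(Counter)
    for e in inside:
        if e.modbus_func in MODBUS_WRITE_CODES:
            writes[e.src_ip][e.modbus_func] += 1

    return {
        "windows": windows,
        "attacker_candidates": candidates,
        "suspicious_ports": suspicious_ports,
        "modbus_writes": {ip: dict(c) for ip, c in writes.items()},
        "connection_rate": rate_anomaly(inside, outside, k),
    }


if __name__ == "__main__":
    print(json.dumps(enrich(EVENTS, ANOMALY_WINDOWS), indent=2))
```

The gating is the point of the design: only events that fall inside a physically flagged window feed the attribution logic, and everything outside serves as the baseline against which ports, sources and rates are judged, so a host that is routinely present (the HMI) is ranked below one that appears only during the anomaly.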


