Unsupervised cyberattack detection in smart grids: A novel approach integrating horizontal federated learning for the control center and substations

To mitigate the cyber ​​threats in smart grids caused by vulnerabilities in the IEC 60870-5-104 (IEC 104) protocol and to address the gaps in existing detection methods, this paper proposes an unsupervised cyber-attack detection (UCAD) method and a distributed, privacy-preserving detection framework (DUCADF) for the control center and substations. First, UCAD operates without reliance on ground-truth labels. It employs a dynamic pseudo-label generation strategy that utilizes the reconstruction error of a deep autoencoder (DAE) to differentiate between normal and attack data, thereby providing the pseudo-classifier based on Transformer encoder with the necessary pseudo-labels for training. This approach enables UCAD to train directly on mixed datasets, circumventing the common limitation of DAE-based unsupervised methods that require training exclusively on normal samples. Second, UCAD features an end-to-end joint training architecture. By alternately updating the DAE and the pseudo-classifier, the framework empowers the pseudo-classifier to detect attacks autonomously, eliminating the need for manually preset detection thresholds, which are typical in DAE-based variants. Building on this foundation, DUCADF is developed by leveraging the consistency of data feature dimensions across substations and integrating horizontal federated learning with UCAD. This framework enables multiple substations to collaboratively train their local UCAD models while keeping their original data private, thereby enhancing detection performance and safeguarding data privacy. Experiments on the IEC 104 dataset demonstrate that UCAD achieves an F1 score of 0.9612, surpassing the most recent methods—DLSC, DAGMM, SLSDAE, and ATUAD—by 8.56 %, 14.61 %, 28.88 %, and 6.42 %, respectively, thus underscoring its substantial advantages in cyberattack detection.