Research Authors
Fakir Mashuque Alamgir, Sawrav Das, Abdullah Rakib Akand, Anika Fariha, Md. Rafidul Islam, Md. Zakirul Islam Sarker, Nikosi Zuberi, & Mithila Arman
Journal Information
Journal: Scientific Reports | Nature
Timeline: Received: Dec 17, 2025 | Accepted: May 26, 2026
Published: 07 June 2026
DOI: 10.1038/s41598-026-55727-y
Abstract
Real-time cyber-attack intrusion detection faces serious challenges in the smart grid communications infrastructure, as intrusion tactics become more advanced. Traditional rule-driven detection methods are unable to adapt to diverse attack patterns in modern power networks. In this work, a supervised deep learning framework is developed, using a CNN for spatial feature extraction, a BiLSTM for temporal dependency modeling, and an Extra Trees ensemble classifier to produce robust decisions, to achieve real-time intrusion detection on high-frequency smart meter data. The CNN layer extracts hierarchical spatial features from 128-dimensional multi-modal meter measurements (e.g., voltage, current, frequency harmonics), and the BiLSTM component captures temporal dynamics by processing whole sequences of meter data in both forward and backward directions to capture attack-evolution patterns that unidirectional models miss. Attention mechanisms dynamically weight the relevance of temporal features and enhance both prediction accuracy and interpretability. The Extra Trees ensemble provides a robust, low-variance decision output as an alternative to a standard Softmax layer.
The architecture addresses several challenges: class imbalance (2.49:1 ratio), high dimensionality and noisy sensor data from heterogeneous sources, the requirement for real-time (millisecond-level) inference, and the need for explainability. The model was evaluated on 72,073 labeled power-grid logs from the Mississippi State University Power Grid Testbed, including False Data Injection Attacks, denial-of-service, replay, and man-in-the-middle attacks versus normal operation. With stratified five-fold cross-validation, the model achieves accuracy of 92.17% (± 0.27%), precision of 90.58% (± 0.49%), recall of 81.24% (± 0.86%), F1-score of 85.66% (± 0.20%), and ROC-AUC of 95.60% (± 0.14%), with an inference latency of only 12 ms, which is suitable for utility-scale deployment. A comprehensive comparative study against nine imbalance-handling strategies (no handling, class weighting, SMOTE, ADASYN, Borderline-SMOTE, SMOTETomek, SMOTEENN, random over/under-sampling) confirms the chosen weighted-learning strategy as a Pareto-optimal choice for this dataset. Paired McNemar’s tests with Holm correction demonstrate that the proposed model’s improvements over the tested baselines are statistically significant. Ablation studies validate that bidirectional processing increases accuracy by 20.12 pp over a unidirectional CNN-LSTM, and that the Extra Trees head boosts precision by 10.09 pp over the standalone Extra Trees baseline. This work contributes to hybrid deep learning for cyber-physical systems and provides deployment guidance in terms of computational cost and a human-in-the-loop framework. In future work, we will investigate cross-dataset validation, multi-simultaneous attack detection, graph neural networks for fault location, and federated learning toward privacy-preserving collaborative training.
The architecture addresses several challenges: class imbalance (2.49:1 ratio), high dimensionality and noisy sensor data from heterogeneous sources, the requirement for real-time (millisecond-level) inference, and the need for explainability. The model was evaluated on 72,073 labeled power-grid logs from the Mississippi State University Power Grid Testbed, including False Data Injection Attacks, denial-of-service, replay, and man-in-the-middle attacks versus normal operation. With stratified five-fold cross-validation, the model achieves accuracy of 92.17% (± 0.27%), precision of 90.58% (± 0.49%), recall of 81.24% (± 0.86%), F1-score of 85.66% (± 0.20%), and ROC-AUC of 95.60% (± 0.14%), with an inference latency of only 12 ms, which is suitable for utility-scale deployment. A comprehensive comparative study against nine imbalance-handling strategies (no handling, class weighting, SMOTE, ADASYN, Borderline-SMOTE, SMOTETomek, SMOTEENN, random over/under-sampling) confirms the chosen weighted-learning strategy as a Pareto-optimal choice for this dataset. Paired McNemar’s tests with Holm correction demonstrate that the proposed model’s improvements over the tested baselines are statistically significant. Ablation studies validate that bidirectional processing increases accuracy by 20.12 pp over a unidirectional CNN-LSTM, and that the Extra Trees head boosts precision by 10.09 pp over the standalone Extra Trees baseline. This work contributes to hybrid deep learning for cyber-physical systems and provides deployment guidance in terms of computational cost and a human-in-the-loop framework. In future work, we will investigate cross-dataset validation, multi-simultaneous attack detection, graph neural networks for fault location, and federated learning toward privacy-preserving collaborative training.
NATURE | SCIENTIFIC REPORTS | CYBER-PHYSICAL SYSTEMS SECURITY | 2026