{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,24]],"date-time":"2025-12-24T12:09:38Z","timestamp":1766578178817,"version":"3.48.0"},"reference-count":43,"publisher":"Oxford University Press (OUP)","issue":"12","license":[{"start":{"date-parts":[[2025,7,8]],"date-time":"2025-07-08T00:00:00Z","timestamp":1751932800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/pages\/standard-publication-reuse-rights"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62402063"],"award-info":[{"award-number":["62402063"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,12,24]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>Due to the frequent sourcing of Intelligent Electronic Devices (IEDs) from third-party sources, they are highly susceptible to targeted attacks on Substation Automation Systems (SASs). However, most current anomaly detection methods are ineffective against insider stealthy attacks, which simulate benign operations to mask malicious behavior. Furthermore, the lack of annotated datasets within current SAS environments hinders the training of various detection methods. Therefore, this paper introduces TranRAT, a lightweight anomaly detection model for insider stealthy attacks in SAS, which employs unsupervised learning and deep Transformer to adapt to scene requirements. TranRAT is designed to detect covert internal attacks initiated by untrusted IEDs within SAS environments. Initially, it identifies and extracts thirteen critical features from Generic Object Oriented Substation Event messages, emphasizing system-wide characteristics over individual device specifics. Subsequently, it applies suitable label expansion strategies to capture temporal correlations and employs attention-based sequence encoders to bolster robust adversarial training. Experimental results demonstrate that TranRAT surpasses baseline methods. Compared to leading models for multivariate time-series data, TranRAT achieves a 15%\u201360% enhancement in F1 scores on complete and limited training datasets, while reducing training duration by up to 99%.<\/jats:p>","DOI":"10.1093\/comjnl\/bxaf083","type":"journal-article","created":{"date-parts":[[2025,6,20]],"date-time":"2025-06-20T07:59:43Z","timestamp":1750406383000},"page":"1909-1925","source":"Crossref","is-referenced-by-count":0,"title":["TranRAT: a lightweight anomaly detection model based on unsupervised learning for insider stealthy attacks in SAS"],"prefix":"10.1093","volume":"68","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4845-4402","authenticated-orcid":false,"given":"Chang","family":"Hu","sequence":"first","affiliation":[{"name":"School of Computer Science, Changsha University of Science and Technology , 45 Chiling Road, Tianxin District, Changsha 410114, Hunan Province ,","place":["China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8827-3884","authenticated-orcid":false,"given":"Zhuoqun","family":"Xia","sequence":"additional","affiliation":[{"name":"School of Computer Science, Changsha University of Science and Technology , 45 Chiling Road, Tianxin District, Changsha 410114, Hunan Province ,","place":["China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-7217-4032","authenticated-orcid":false,"given":"Wenbing","family":"Zhao","sequence":"additional","affiliation":[{"name":"School of Advanced Interdisciplinary Studies, Hunan University of Technology and Business , 569 Yuelu Avenue, Yuelu District, Changsha 410205, Hunan Province ,","place":["China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8173-2881","authenticated-orcid":false,"given":"Mingfeng","family":"Huang","sequence":"additional","affiliation":[{"name":"School of Computer Science, Changsha University of Science and Technology , 45 Chiling Road, Tianxin District, Changsha 410114, Hunan Province ,","place":["China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-8882-4382","authenticated-orcid":false,"given":"Jianyin","family":"Yao","sequence":"additional","affiliation":[{"name":"School of Computer Science, Changsha University of Science and Technology , 45 Chiling Road, Tianxin District, Changsha 410114, Hunan Province ,","place":["China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-1320-9637","authenticated-orcid":false,"given":"Jingren","family":"Pan","sequence":"additional","affiliation":[{"name":"School of Computer Science, Changsha University of Science and Technology , 45 Chiling Road, Tianxin District, Changsha 410114, Hunan Province ,","place":["China"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2025,7,8]]},"reference":[{"key":"2025122407072809900_ref1","first-page":"1","volume-title":"Proceedings of the 2017 IEEE 11th International Conference on Application of Information and Communication Technologies (AICT), Moscow, Russia, September","author":"Elgargouri","year":"2017"},{"key":"2025122407072809900_ref2","volume-title":"62351\u20131 (2007) Power Systems Management and Associated Information Exchange Data and Communications Security Introduction to Security Issues","author":"IEC"},{"key":"2025122407072809900_ref3","doi-asserted-by":"crossref","first-page":"271","DOI":"10.1109\/TSG.2017.2737826","article-title":"Intelligent electronic devices with collaborative intrusion detection systems","volume":"10","author":"Hong","year":"2017","journal-title":"IEEE Trans Smart Grid"},{"key":"2025122407072809900_ref4","doi-asserted-by":"publisher","first-page":"326","DOI":"10.3390\/electronics8030326","article-title":"Behavior analysis and anomaly detection for a digital substation on cyber-physical system","volume":"8","author":"Kwon","year":"2019","journal-title":"Electronics"},{"key":"2025122407072809900_ref5","doi-asserted-by":"publisher","first-page":"825","DOI":"10.1016\/j.epsr.2016.08.022","article-title":"A new methodology for real-time detection of attacks in IEC 61850-based systems","volume":"143","author":"Silva","year":"2017","journal-title":"Electr Pow Syst Res"},{"key":"2025122407072809900_ref6","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1007\/978-981-10-6364-0_27","volume-title":"Advanced Computational Methods in Energy, Power, Electric Vehicles, and Their Integration: Proceedings of LSMS 2017 and ICSEE 2017, Nanjing, China, 22\u201324 September","author":"Ouyang","year":"2017"},{"key":"2025122407072809900_ref7","first-page":"1","volume-title":"Proceedings of 2021 13th IEEE PES Asia Pacific Power & Energy Engineering Conference (APPEEC)","author":"Wang","year":"2021"},{"key":"2025122407072809900_ref8","doi-asserted-by":"publisher","first-page":"102527","DOI":"10.1016\/j.jisa.2020.102527","article-title":"Anomaly detection in substation networks","volume":"54","author":"Kreimel","year":"2020","journal-title":"J Inf Secur Appl"},{"key":"2025122407072809900_ref9","article-title":"Exathlon: a benchmark for explainable anomaly detection over time series","author":"Jacob","year":"2020"},{"key":"2025122407072809900_ref10","doi-asserted-by":"publisher","first-page":"1409","DOI":"10.1609\/aaai.v33i01.33011409","article-title":"A deep neural network for unsupervised anomaly detection and diagnosis in multivariate time series data","volume":"33","author":"Zhang","year":"2019","journal-title":"Proceedings of the AAAI Conference on Artificial Intelligence"},{"key":"2025122407072809900_ref11","doi-asserted-by":"publisher","first-page":"4","DOI":"10.1016\/j.patrec.2018.06.029","article-title":"Unsupervised feature selection by self-paced learning regularization","volume":"132","author":"Zheng","year":"2020","journal-title":"Pattern Recogn Lett"},{"key":"2025122407072809900_ref12","doi-asserted-by":"publisher","first-page":"106097","DOI":"10.1016\/j.knosys.2020.106097","article-title":"Ensemble feature selection in high dimension, low sample size datasets: parallel and serial combination approaches","volume":"203","author":"Tsai","year":"2020","journal-title":"Knowledge-Based Systems"},{"key":"2025122407072809900_ref13","doi-asserted-by":"publisher","first-page":"113691","DOI":"10.1016\/j.eswa.2020.113691","article-title":"A novel filter feature selection method using rough set for short text data","volume":"160","author":"Cekik","year":"2020","journal-title":"Expert Systems with Applications"},{"key":"2025122407072809900_ref14","doi-asserted-by":"publisher","first-page":"104210","DOI":"10.1016\/j.engappai.2021.104210","article-title":"Review of swarm intelligence-based feature selection methods","volume":"100","author":"Rostami","year":"2021","journal-title":"Eng Appl Artif Intel"},{"key":"2025122407072809900_ref15","doi-asserted-by":"publisher","first-page":"216","DOI":"10.3390\/f12020216","article-title":"Combination of feature selection and catboost for prediction: the first application to the estimation of aboveground biomass","volume":"12","author":"Luo","year":"2021","journal-title":"Forests"},{"key":"2025122407072809900_ref16","doi-asserted-by":"publisher","first-page":"12866","DOI":"10.1109\/TMC.2024.3418826","article-title":"Malicious node detection in wireless weak-link sensor networks using dynamic trust management","volume":"23","author":"Wang","year":"2024","journal-title":"IEEE Trans Mobile Comput"},{"key":"2025122407072809900_ref17","doi-asserted-by":"publisher","first-page":"1633","DOI":"10.3390\/w13121633","article-title":"Change point enhanced anomaly detection for IoT time series data","volume":"13","author":"Apostol","year":"2021","journal-title":"Water"},{"key":"2025122407072809900_ref18","doi-asserted-by":"publisher","first-page":"103912","DOI":"10.1016\/j.ipm.2024.103912","article-title":"TAAD: time-varying adversarial anomaly detection in dynamic graphs","volume":"62","author":"Liu","year":"2025","journal-title":"Inf Process Manag"},{"key":"2025122407072809900_ref19","doi-asserted-by":"publisher","first-page":"104078","DOI":"10.1016\/j.imavis.2020.104078","article-title":"A comprehensive review on deep learning-based methods for video anomaly detection","volume":"106","author":"Nayak","year":"2021","journal-title":"Image and Vision Computing"},{"key":"2025122407072809900_ref20","doi-asserted-by":"publisher","first-page":"10852","DOI":"10.1109\/ACCESS.2022.3145007","article-title":"A hybrid approach toward efficient and accurate intrusion detection for in-vehicle networks","volume":"10","author":"Zhang","year":"2022","journal-title":"IEEE Access"},{"key":"2025122407072809900_ref21","article-title":"Labeled graph generative adversarial networks","author":"Fan","year":"2019"},{"key":"2025122407072809900_ref22","first-page":"1438","volume-title":"Proceedings of the 22nd International Conference on Artificial Intelligence and Statistics","author":"Louppe","year":"2019"},{"key":"2025122407072809900_ref23","doi-asserted-by":"publisher","first-page":"61","DOI":"10.32604\/jnm.2020.010062","article-title":"Edge detection based on generative adversarial networks","volume":"2","author":"Chen","year":"2020","journal-title":"Journal of New Media"},{"key":"2025122407072809900_ref24","doi-asserted-by":"crossref","first-page":"387","DOI":"10.1109\/TASE.2020.3035620","article-title":"Chiller fault diagnosis based on VAE-enabled generative adversarial networks","volume":"19","author":"Yan","year":"2020","journal-title":"IEEE Trans Autom Sci Eng"},{"key":"2025122407072809900_ref25","doi-asserted-by":"publisher","first-page":"4721","DOI":"10.1109\/TIP.2020.2975986","article-title":"Fusion of heterogeneous adversarial networks for single image dehazing","volume":"29","author":"Park","year":"2020","journal-title":"IEEE Trans Image Process"},{"key":"2025122407072809900_ref26","first-page":"1","volume-title":"Proceedings of the 23rd International Conference on Information Fusion, July 2020","author":"Atherfold","year":"2020"},{"key":"2025122407072809900_ref27","article-title":"ETSformer: exponential smoothing transformers for time-series forecasting","author":"Woo","year":"2022"},{"key":"2025122407072809900_ref28","article-title":"Scaleformer: iterative multi-scale refining transformers for time series forecasting","author":"Shabani","year":"2022"},{"key":"2025122407072809900_ref29","article-title":"Time series as images: vision transformer for irregularly sampled time series","volume":"36","author":"Li","year":"2024","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025122407072809900_ref30","first-page":"403","volume-title":"Proceedings of the Machine Learning for Healthcare Conference, December 2023","author":"Labach","year":"2023"},{"key":"2025122407072809900_ref31","first-page":"6013","article-title":"Attention is all you need","volume":"30","author":"Vaswani","year":"2017","journal-title":"Proceedings of the Advances in Neural Information Processing Systems"},{"key":"2025122407072809900_ref32","doi-asserted-by":"publisher","first-page":"139","DOI":"10.1145\/3422622","article-title":"Generative adversarial networks","volume":"63","author":"Goodfellow","year":"2020","journal-title":"Communications of the ACM"},{"key":"2025122407072809900_ref33","doi-asserted-by":"publisher","first-page":"6629","DOI":"10.1109\/ACCESS.2022.3142022","article-title":"Anomaly detection for insider attacks from untrusted intelligent electronic devices in substation automation systems","volume":"10","author":"Wang","year":"2022","journal-title":"IEEE Access"},{"key":"2025122407072809900_ref34","first-page":"703","volume-title":"Proceedings of the International Conference on Artificial Neural Networks, September 2019","author":"Li","year":"2019"},{"key":"2025122407072809900_ref35","first-page":"3395","volume-title":"Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, August 2020","author":"Audibert","year":"2020"},{"key":"2025122407072809900_ref36","doi-asserted-by":"publisher","first-page":"2941","DOI":"10.14778\/3415478.3415514","article-title":"Graphan: graph-based subsequence anomaly detection","volume":"13","author":"Boniol","year":"2020","journal-title":"Proceedings of the VLDB Endowment"},{"key":"2025122407072809900_ref37","first-page":"1","volume-title":"2015 IEEE Eindhoven PowerTech, Eindhoven, Netherlands, June 2015","author":"Kwon","year":"2015"},{"key":"2025122407072809900_ref38","doi-asserted-by":"publisher","first-page":"4027","DOI":"10.1609\/aaai.v35i5.16523","article-title":"Graph neural network-based anomaly detection in multivariate time series","volume":"35","author":"Deng","year":"2021","journal-title":"Proceedings of the AAAI Conference on Artificial Intelligence"},{"key":"2025122407072809900_ref39","doi-asserted-by":"crossref","first-page":"841","DOI":"10.1109\/ICDM50108.2020.00093","volume-title":"Proceedings of the IEEE International Conference on Data Mining (ICDM), November 2020","author":"Zhao","year":"2020"},{"key":"2025122407072809900_ref40","doi-asserted-by":"crossref","first-page":"387","DOI":"10.1145\/3219819.3219845","volume-title":"Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, July 2018","author":"Hundman","year":"2018"},{"key":"2025122407072809900_ref41","doi-asserted-by":"publisher","first-page":"3028","DOI":"10.14778\/3476311.3476380","article-title":"Opengauss: An autonomous database system","volume":"14","author":"Li","year":"2021","journal-title":"Proceedings of the VLDB Endowment"},{"key":"2025122407072809900_ref42","volume-title":"Proceedings of the International Conference on Learning Representations, February 2018","author":"Zong","year":"2018"},{"key":"2025122407072809900_ref43","first-page":"2828","volume-title":"Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, July 2019","author":"Su","year":"2019"}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/68\/12\/1909\/63705074\/bxaf083.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/68\/12\/1909\/63705074\/bxaf083.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,24]],"date-time":"2025-12-24T12:07:39Z","timestamp":1766578059000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/68\/12\/1909\/8193920"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,8]]},"references-count":43,"journal-issue":{"issue":"12","published-online":{"date-parts":[[2025,7,8]]},"published-print":{"date-parts":[[2025,12,24]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxaf083","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"value":"0010-4620","type":"print"},{"value":"1460-2067","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025,12]]},"published":{"date-parts":[[2025,7,8]]}}}