AI-Driven Anomaly Detection On SCADA-Bearing Fiber Networks: A Machine Learning Framework for Real-Time Intrusion Detection in Electric Utility Environments

Abstract

This study developed and evaluated an AI-driven anomaly detection framework for SCADA-bearing fiber networks in electric utility environments, emphasizing real-time intrusion detection performance. An experimental quantitative design was implemented using a dataset of 58,420 observations, where 42,115 records (72.08%) represented normal operations and 16,305 records (27.92%) represented anomalous events, including 6,120 denial-of-service cases, 3,845 command manipulation instances, 2,960 replay attacks, and 3,380 communication disruptions. The proposed framework was assessed using multiple machine learning and deep learning models across performance metrics such as accuracy, precision, recall, F1-score, false positive rate, false negative rate, and detection latency. The CNN-LSTM model achieved the highest performance with 96.84% accuracy, 95.72% precision, 97.91% recall, and 96.80% F1-score, while maintaining a low false positive rate of 3.12% and a detection latency of 0.028 seconds. In comparison, Random Forest achieved 94.26% accuracy and 94.88% recall, while Support Vector Machine achieved 92.73% accuracy and 93.02% recall. Feature optimization improved the CNN-LSTM model accuracy to 97.42% and reduced latency from 0.028 to 0.024 seconds. Sub-group analysis revealed that denial-of-service attacks were detected with 98.63% recall, while replay attacks showed lower recall at 94.88%. Statistical analysis confirmed significant differences among models with F-values exceeding 18.72 and large effect sizes up to 1.42. The findings demonstrated that integrating SCADA control signals, network traffic, and fiber-optic features improved detection performance by over 1.5% compared to network-only models. Overall, the framework provided a highly accurate and efficient solution for real-time intrusion detection in SCADA-bearing fiber networks.