LLM-Based Framework Shows High Accuracy in Detecting Cyberattacks on Transformer Relays
Global: LLM-Based Detection of Cyberattacks on Transformer Relays
A new study demonstrates that compact large language models can be adapted to identify cyberattacks targeting transformer current differential relays (TCDRs), which are critical components in modern digital substations. The research, authored by a team of engineers and computer scientists, outlines a framework that converts multivariate time‑series current measurements into structured natural‑language prompts for analysis. Testing was conducted on publicly available datasets, and the results were reported in a preprint posted to arXiv in January 2026.
Background on TCDR Vulnerabilities
Transformer current differential relays monitor phase currents on both the input and output sides of power transformers to detect internal faults. Cyber adversaries can manipulate these measurements, causing false tripping or masking genuine faults, which threatens grid reliability. Existing detection methods rely on traditional machine‑learning classifiers that may struggle with the high dimensionality and temporal dependencies of relay data.
Transforming Sensor Data into Textual Prompts
The proposed framework first “textualizes” the multivariate current signals by describing phase‑wise measurements and their temporal relationships in natural‑language format. These prompts are then fed to compact, locally deployable LLMs, enabling the models to process the information without requiring extensive computational resources on the substation edge.
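As an added illustration (not code from the preprint or its authors), the following Python example shows one way such a textualization step could look for a short window of three-phase currents from both sides of a transformer. The prompt wording, the per-unit scaling, the `tol` threshold, and the names `textualize` and `trend` are assumptions made for this example; the prompt format actually used in the study is not given here.

```python
"""Textualize a window of transformer differential-relay currents (illustrative format)."""

PHASES = ("A", "B", "C")

def trend(prev, cur, tol=0.02):
    """Describe the sample-to-sample change in words (tol is an assumed value)."""
    if prev is None:
        return "initial sample"
    delta = cur - prev
    if abs(delta) <= tol:
        return "steady"
    return f"{'rising' if delta > 0 else 'falling'} by {abs(delta):.2f}"

def textualize(window, dt_ms=1.0):
    """Turn [(primary_abc, secondary_abc), ...] per-unit samples into a prompt string.

    Assumption: secondary currents are already ratio- and phase-compensated,
    so the per-phase differential is simply primary minus secondary.
    """
    if not window:
        raise ValueError("empty measurement window")
    lines = [f"Transformer differential relay record, {len(window)} samples, "
             f"{dt_ms:g} ms apart, currents in per unit."]
    prev_diff = {p: None for p in PHASES}
    for k, (pri, sec) in enumerate(window):
        if len(pri) != 3 or len(sec) != 3:
            raise ValueError(f"sample {k}: expected three phase values per side")
        parts = []
        for p, ip, i_s in zip(PHASES, pri, sec):
            diff = ip - i_s
            parts.append(f"phase {p} primary {ip:.2f}, secondary {i_s:.2f}, "
                         f"differential {diff:.2f} ({trend(prev_diff[p], diff)})")
            prev_diff[p] = diff  # remembered so the next sample can state the trend
        lines.append(f"t={k * dt_ms:g} ms: " + "; ".join(parts) + ".")
    return "\n".join(lines)

# Constructed sample data: the phase B secondary reading jumps at the last sample.
SAMPLE = [
    ((1.00, -0.50, -0.50), (1.00, -0.50, -0.50)),
    ((0.95, -0.40, -0.55), (0.95, -0.40, -0.55)),
    ((0.90, -0.30, -0.60), (0.90, 0.40, -0.60)),
]

if __name__ == "__main__":
    print(textualize(SAMPLE))
```

The resulting text can be passed to a tokenizer like any other sentence; the differential and trend phrases carry the phase-wise and temporal relationships that the raw numbers alone would leave implicit.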
Model Fine‑Tuning and Performance
DistilBERT, GPT‑2, and a LoRA‑enhanced DistilBERT were fine‑tuned on the generated prompts. According to the authors, DistilBERT achieved the highest detection rate, correctly identifying up to 97.62% of cyberattacks while preserving perfect fault detection accuracy (100%). The other models also performed competitively, surpassing several state‑of‑the‑art machine‑learning and deep‑learning baselines.
Robustness Across Attack Scenarios
Evaluations included a variety of complex attack vectors, such as combined time‑synchronization and false‑data injection attacks, as well as realistic measurement noise levels. The authors report that the LLM‑based detectors remained stable across prompt formulation variations and maintained high detection rates even under noisy conditions.
Interpretability Through Attention Mechanisms
Because the models employ attention mechanisms, the framework provides intrinsic interpretability. Visualizations of attention weights highlighted the most influential time‑phase regions of the relay measurements, offering operators insight into why a particular event was flagged as malicious.
Dataset Release and Reproducibility
The full dataset used for training and evaluation has been made publicly available alongside the preprint, facilitating independent verification and further research. The authors emphasize that open access to the data supports reproducibility and encourages community‑wide advancements in substation cybersecurity.
Implications for Future Substation Security
If adopted, the framework could enable utilities to deploy lightweight, interpretable AI detectors directly at the edge, enhancing the resilience of digital substations against sophisticated cyber threats. The study suggests that compact LLMs represent a practical alternative to larger, more resource‑intensive models for real‑time security monitoring.
This report is based on information from arXiv, licensed under Academic Preprint / Open Access. It draws on the abstract of the research paper; the full text is available via arXiv.