- Email: [email protected]
Developing graphical detection techniques for maintaining state estimation integrity against false data injection attack in integrated electric cyber-physical system
Developing Graphical Detection Techniques for Maintaining State Estimation Integrity Against False Data Injection Attack in Integrated Electric Cyber-Physical System
Journal Pre-proof
Developing Graphical Detection Techniques for Maintaining State Estimation Integrity Against False Data Injection Attack in Integrated Electric Cyber-Physical System Yuancheng Li, Yuanyuan Wang PII: DOI: Reference:
S1383-7621(19)30512-0 https://doi.org/10.1016/j.sysarc.2019.101705 SYSARC 101705
To appear in:
Journal of Systems Architecture
Received date: Revised date: Accepted date:
8 July 2019 20 November 2019 18 December 2019
Please cite this article as: Yuancheng Li, Yuanyuan Wang, Developing Graphical Detection Techniques for Maintaining State Estimation Integrity Against False Data Injection Attack in Integrated Electric Cyber-Physical System, Journal of Systems Architecture (2019), doi: https://doi.org/10.1016/j.sysarc.2019.101705
This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Elsevier B.V. All rights reserved.
Developing Graphical Detection Techniques for Maintaining State Estimation Integrity Against False Data Injection Attack in Integrated Electric Cyber-Physical System Yuancheng Lia , Yuanyuan Wanga,∗ a North
China Electric Power University, 2 Beinong Road, Huilongguan Town, Changping District, Beijing, China 102206
Abstract The merging of power grid, information, and communication technology promotes the intelligent development of smart grid, which is also more prone to cyber attack threats. Especially, the intelligently designed False Data Injection (FDI) attacks severely disturb the normal management and state estimation operations in power system. In this paper, the graphical detection technology which uses Graph Network (GN) is developed for detecting tampered measurements without external knowledge and manual preprocess of historical data. To solve the detection of FDI attacks location issue from the diversified dimensionality in power systems, the Capsule Network combined with GN is developed, which can extract preserve the detailed properties around each note such as location, direction, connection, etc. To evaluate the superior performance of proposed method, the proposed detection technology is carried out through standard IEEE 30-bus and IEEE 118-bus systems. The simulation results demonstrate that the proposed method can detect FDI attacks accurately with different attack sparsity and magnitude of disturbances. ∗ This work was supported in part by the Fundamental Research Funds for the Central Universities of China under Grant 2017XS071. Part of this research was conducted during Yuanyuan Wang’s visit at University of Essex supported by the Postgraduate International Visit Funding of North China Electric Power University. ∗∗ Corresponding author Email address: [email protected] (Yuanyuan Wang)
Preprint submitted to Journal of Systems Architecture
December 28, 2019
Keywords: smart grid security, graphical detection, graph network, capsule network, FDI attacks detection, integrated electric cyber-physical system, state estimation
1. Introduction Power system has become more intelligent and more informative recently. Smart grid has been provided with advanced network communication technology that can realize the real-time acquisition and transmission of power state 5
information. These information is collected from smart meters and Phasor measurement units (PMUs), and the management system can sent control commands to power stations, distribution units, dispatching centers, and electricity markets whenever necessary. Such commands highly improve the efficiency of power system. The development of smart grid makes the electric power net-
10
work and the underlying information and communications technology system supporting its management functionalities highly coupled, which is considered as an integrated electric cyber-physical system (ECPS) [1]. As an ECPS, smart grid faces the huger threat of network attack for the closer dependence on communication network [1, 2, 3, 4]. With the smart gird more open to the outside
15
networks, using internet-based protocols in the information and communication system, it is more hard to maintain the Energy management system and Supervisory Control and Data Acquisition (EMD/SCADA) system in a normal and secure state. Malicious attacker can invade power system to change present state by remote network connection[5, 13]. In particular, enterprise networks
20
and even individual users are allowed to connected to the smart grid information infrastructure to facilitate data sharing [6, 7]. In 2009, [8] firstly defined that the False Data Injection (FDI) attacks could circumvent bad data detection (BDD) system and introduce arbitrary errors to state estimators without being detected. FDI attacks affect state estimation
25
accuracy and threat control center security through tampering measurements collected by the Supervisory Control and Data Acquisition (SCADA) system [9].
2
The experiment results in [5] shows that the FDI attacks can produce a large bias from nominal values in state estimators without triggering the BDD alarm [10]. [11] shows that FDI attack could be conducted by directly tampering with 30
field device measurements or intruding in the control center database, or indirectly by the man-in-the-middle attacks on communication links between remote terminal units and control centers. Even worse, FDI attacks not only cheats state estimations, distorts controls and operations of the target power system, but also causes serious damage to market operation [12], security constrained
35
economic dispatch [14, 15], automatic generation control [16, 17], Var/voltage control [18], automatic voltage control [19], supervisory control and data acquisition system[20], electricity price market [21, 22], etc. [23] shows that the FDI attacks can cause a cascading failure resulting in a severe system-wide blackout when power system operators do not respond quickly and effectively to power
40
overflows. Therefore, the effectively FDI attacks detection in real time becomes a vital and essential mission, which is important for ensuring the safe operation in smart grids. The existed paper has recently studied different methods to detect FDI attack[24, 25, 26, 27, 28, 29, 30, 31]. In [24], Rawat et al. adopted Kalman
45
filter estimation to calculate the variation of measurements, and identified attacks by Chi-square detector and cosine similarity matching approaches. Cosine similarity matching approaches has robustness when it served as detector of FDI attacks and other attack in smart grid. In [25], Pal et al. proposed the detection method based on evaluation of equivalent impedances in transmission lines. In
50
[26], Moslemi et al. proposed a high-speed and dispersed approach based on maximum likelihood estimation to detect FDI attack. The near chordal sparsity of grid is used to establish an effective detection frame, then, the problem is divided into local maximum likelihood estimation. In [27], Tang et al. tested the generalized likelihood ratio to detect the FDI attacks and estimate the
55
power state by autoregressive process-based noise modeling. In addition, exploiting the hypothesis of similar observation of samples, the author detected FDI attacks with principal component analysis. In [28], Yang et al. proposed 3
Gaussian-Mixture-based FDI attacks detection model that is independent of pre-set threshold and external knowledge. The proposed method clusters the 60
history measurements to minify the scope of normal data, and learns the maximum and minimum of single cluster. In [29], the Euclidean Distance has been used to detect FIDA. In [30], Krishna et al. proposed an Kullback-Leibler (KL) divergence-based attack detector. Besides, there are some studies about FDI attacks detection which exploit
65
machine learning algorithms[32, 33, 34, 35, 36, 37, 38]. In [35], Esmalifalak et al. point out that statistics can be used to identify the concealed attacks which exist in routine operations of power system. The authors proposed two machine learning-based algorithms to detect attack. One of the algorithms adopted supervised learning and tagged data to train the distributed support
70
vector machine (SVM) model which has superiorly fast convergence on account of multiplier-based alternating direction method. The other algorithm measures deviation without training data. Both of the algorithms adopted principal component analysis (PCA) in order to reduce the high-dimension of processing data and computational complexity. In [36], the validities of detector about straight
75
and hidden FDI attacks with supervised learning classifier have been compared. Yan J et al. designed three types of FDI attacks detector with supervised learning-based classification methods that detected straight and hidden FDI attacks under the models of balance and imbalance corresponding to different resources and scales of attacks. In [37], Waghmare et al. proposed a two-stages
80
FDI attacks detector which includes SVM and PCA methods. At first stage, the high dimension of measurements reduced to lower dimension by PCA. Thus, the FDI attacks are detected in the lower dimensional data by SVM at second stage. In [38], the density ratio estimation-based machine learning method has been used to detect FDI attack. Compared with SVM, the proposed method
85
has been improved, and does not need models of attack. In recently, the deep learning algorithm-based FDI attacks detectors have been proved practicable and effective. G. J. Mendis et al. proposed several deep learning methods to detect FDI attacks [39, 40, 42]. In [39], the proposed 4
deep learning-based cyber-physical protocol can identify and alleviate the in90
formational deterioration in Wide Area Monitoring Systems (WAMSs) which interrupts the maintenance of transient stability. In [40], deep learning algorithm was used to identify the behavioral characteristics of attack in historical measurements, and to achieve the real time detection of FDI attacks with capture capabilities.
95
Comparing with traditional machine learning, deep learning has a significant difference. Traditional machine learning often needs to extract features by manual work previously, then vectorize the features, input to training model finally. The process need extravagant preliminary work. However, deep learning usually adopts the end-to-end style of learning. The data just needs slight normaliza-
100
tion and whitening before transport to training model without manual work. In the condition of complex power system and massive measurements, feature extraction is extremely difficult and time-consuming, but it can autocomplete by deep learning network. Accordingly deep learning algorithms provide better solutions of the problems with which traditional machine learning methods
105
deal hardly. Therefore, in this paper, we focus on the improvement of detection accuracy for FID attacks with deep learning algorithm. In this paper, we first characterize a power network in a double directed graph, which is inputted into the Graph network (GN) based detection technology to identify the normal and tampered measurements. The GN algorithm
110
can classify the tampered measurements form attacked buses and transmission lines. The graph blocks in GN can handle the power network graph better than standard neural networks like Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs), which is very redundant when computing [41]. The GN with a simple architecture can also perform well. [7],[31].
115
The above graphical detection technique works well if the FDI attacks occurs occasionally and the power system does not change frequently. However, there certainly many cases in which the power system frequent changes load, power generation, and system topology over time. Thus, the developed detection technique using the capsule scheme, the Caps-GN algorithm, is explored to detect 5
120
the FDI attacks location. The Caps-GN algorithm combines Capsule Network and GN. Compared with scalar-based graphical neural network, vector-based capsule neural network which use routing mechanism to generate high-level features can preserve the detailed information of power system properties more efficiently, such as location, direction, connection, etc.
125
The main contributions of this paper are summarized as follows: (1) We study the FDI attacks detection from a graphical perspective in this paper. By exploiting the graphical structures of power network solution, the proposed GN based detection technology obtains great accuracy with significantly reduced complexity.
130
(2) The location detection technique using Capsule Network is explored to detect the FDI attacks location and monitor the security smart grid in real time, even when power system frequent changes in load, power generation, and system topology over time. (3) The Caps-GN algorithm adopted in this paper keeps stable and precise
135
attack location detection rate when attack sparsity and magnitude of disturbances is changed. (4) We use standard IEEE 30-bus and IEEE 118-bus test systems to evaluate the efficiency of the proposed detection scheme. Our simulation results demonstrate that the proposed detection technique can effectively detect
140
the tampered measurements for different FDI attacks test-cases, and the detection accuracy are higher than other deep learning algorithms. The remainder of this paper is formatted as follows. Section 2 presents some primaries about state estimation and FDI attacks. Section 3 develops the graph algorithms to solve the detection problem. Section 4 proposes the location mon-
145
itoring FDI attacks process of the Caps-GN based algorithm. Section 5 presents and analyzes the simulation results from cases based on IEEE-30 and IEEE-118 system. Finally, the relevant conclusion and the future work is summarized in section 6.
6
2. Problem Formulation 150
The SCADA in power system collects power voltage, power flow, load from sensors to estimate real states of the power system. The measurements are transported to state estimator, whose outputs are used as inputs of the optimal power flow (OPF) function. Then, the results of OPF are taken as control commands of generators and other controllable devices in subsystem of trans-
155
mission, distribution, dispatching, etc [43]. Since the accurate and reliable state information of power grid is needed in the tasks of contingency analysis, unit commitment, calculation of LMPs, the state estimation is crucial to the security and stable operation of smart grid. Models of the physical power systems, state estimation, bad data detection schemes are introduced briefly here.
160
2.1. Physical Power System Suppose there are n + 1 buses and l branches in the system. In non-linear AC power flow model, active power and reactive power flows from bus i to bus j are denoted as follows:
165
Pij = Vi2 gij − Vi Vj (gij cosθij + bij sinθij ),
(1)
Qij = −Vi2 bij − Vi Vj (gij sinθij − bij cosθij ),
(2)
and active power and reactive power injection at bus i are denoted as follows: Pi =
X
Pij
j∈Ωi
=Vi
X
j∈Ωi
Qi =
X
Vj (−gij cosθij − bij sinθij ) + Vi2
gij ,
X
bij ,
j∈Ωi
Qij
j∈Ωi
=Vi
(3)
X
X
j∈Ωi
Vj (−gij sinθij + bij cosθij ) − Vi2
(4)
j∈Ωi
where j ∈ Ωi is the set of all neighbor buses to the ith bus. Vi and Vj represents voltage magnitude on bus i and bus j respectively [46]. θi and θj represents 7
phase angle on bus i and bus j, respectively, and θij = θi − θj denotes phase 170
different angle between bus i and bus j. gij is conductance of the line between bus i and bus j. bij is reactance of the line between bus i and bus j. Standard linear approximation assume that voltage amplitudes of each bus are fixed and equal to 1 p.u., all shunt susceptance and series resistances are dismissed, and the different of phase angle between each connected buses are
175
very small, so that reactive power can be ignored. Thus, in DC power flow model, active power which flows from bus bus i to bus j can be formulated as equation (5). Pij = Vi Vj bij sin(θi − θj ) ∼ = bij (θi − θj ),
(5)
and active power injection at bus i to bus j can be formulated as equation (6). Pi =
X
j∈Ωi
Pij , ∀i ∈ Ωi ,
(6)
2.2. State estimation 180
At certain time, the measurements are collected form power system with n + 1 buses and l branches. Let z ∈ Rm denotes measurements vector. The
state vector is denoted as x ∈ Rn , m > n, including 2n + 1 state variables from the reference buses. In AC power flow model, the full nonlinear power flow equations and a large amount of measurements are needed to implement 185
the state estimation, which can be generally described as equation (7). z = h(x) + e,
(7)
where z = [z1 , z2 , z3 , ..., zm ]T ∈ Rm is measurement vector which contains active and reactive power injections at each bus, Pi and Qi , active and reactive power flows of all branches, Pij and Qij in power system. x = [θ2 , θ3 , ..., θn+1 , V1 , V2 , ..., Vn+1 ]T ∈ Rn is system state variable vector which contains bus voltages magnitudes
190
Vi and phase angles θi [44]. e = [e1 , e2 , e3 , ..., em ]T ∈ Rm ∼ N (0m×n , Σe ) is the vector of random measurement errors which obey Gaussian distribution. Its average value is zero vector 0m×n and covariance matrix is Σe = diag(σ11 , σ11 , ..., σmm ) ∈ Rm with diagonal elements proportional to variance 8
of each measurement noise. h(·) stands for non-linear relation between mea195
surement vector z and the system state variable x. h(·) reflects the topology structure of power grid and parameters of transmission lines. With state vector x just consists of phase angle and Vi = 1 in DC power flow model, the state estimation is easier to solve. The linear relation between measurements and states can be expressed as equation (8). z = Hx + e,
200
(8)
where Jacobian matrix H ∈ Rm×n depends on the topology structure of power
grid, line susceptance, and meter placement [45]. e ∼ N (0, σ 2 ) denots the
measurement errors obey the Gaussian distribution. Its mean value is 0 and standard deviation is σ. Jacobian matrix H can be constructed as equation (9). Ti ADAT H= Tl DAT
205
(9)
where the stacked identity matrices Ti ∈ Rn×n and Tl ∈ Rl×l indicate which bus power injection and line power flow have been measured, respectively.D is a diagonal matrix with diagonal entries reciprocal to lines reactance. A is the adjacency matrix defined as equation (10). −1, if arc i starts at node j A(i, j) = 1, if arc j starts at node i 0, otherwise,
(10)
For linear modal, the close-form of estimated state vector x ˆ based on maxi-
210
mum similarity principle can obtained by equation (11). x ˆ = (H T ΛH)−1 H T Λz,
(11)
where Λ is diagonal matrix. Λii = σ 2 is Diagonal element. 2.3. Bad data detection schemes In traditional power system, the bad data detection (BDD) schemes are used to detect the faulty measurements caused by adversary attacks, topological 9
215
errors, or faulty sensors, so that some state estimation errors determined by faulty measurements can be avoided. The residue r used for threshold test in the bad data detection algorithm is calculated by equation (12). r = z − h(ˆ x),
(12)
where r corresponds to the difference between the measurements vector z and the estimated state result value h(ˆ x). When residue r is non-less than thresh220
old τ , the measurements are labeled as abnormality which may be caused by incorrect operation, attack on sensors, or topological disorder. The BDD most commonly uses equation (13) to identifies the faulty measurements. This test is called Largest Normalized Residue test based on l∞ -norm of the measurement
225
residual r, normalized so that each element has unit variance [47]. k ri k2 maxm ≥ τ, f aulty measurements i=1 % ri k ri k2 maxm < τ, normal measurements i=1 % ri
(13)
where ri , i = 1, 2, ..., m denotes the elements of residue r. %ri is the standard deviation of the ith residual error ri [48]. τ is a predetermined threshold determined by the known error distributions and the theory of χ2 testing. `2 − norm calculation k . k2 stands for the magnitude. 2.4. False data injection attacks
230
The attackers invade RTUs or communication network from where attackers inject false data to measurements in order to influence the state estimation in smart grid, as shown in Fig.1. The FDI attacker can the predesigned attack vector a by manipulating certain measurements or system state variables, i.e., bus phase angle θ and bus voltage magnitude V as shown in equation (3)-(2). An
235
attacker can inject an attack vector a to compromise the original measurements as equation (14). zˆa = z + a = Hx + a + e
10
(14)
Remote Terminal Unites
Remote Terminal Unites
…
…
… Communication network
Remote Terminal Unites
Remote Terminal Unites
…
False Data Injection Attack
Communication network
Optimal power flow
State Estimation
… Bad Data Detection
Contingency analysis Control Center
Figure 1: False Data Injection Attacks in Smart Grid
where a = (a1 , a2 , ..., am )T ∩ a 6= 0. According to[8], the attack vector a can be formulated by equation (15). a = Hc,
(15)
where c = (c1 , c2 , ..., cn )T ∩ c 6= 0 is an arbitrary vector. 240
The estimated state vector x ˆ is changed as equation (16) with the false data injection. xˆa = (H T ΛH)−1 H T Λza = x ˆ + c,
(16)
but the residue r remains unchange after attack and it still less than threshold 11
τ, ra =k zˆa − H x ˆa k2 =k z + a − H(ˆ x + c) k2
(17)
=k z − H x ˆ + a − Hc k2 =k z − H x ˆ k2 = r, so that the FDI attacks can circumvent and be undetectable for the traditional 245
BDD detection.
3. Graphical Detection Technology 3.1. Graphical power network The power network can be characterized in a double directed graph, as shown in Fig. 2. In this graph, the vertices and edges represent buses and transmission 250
lines, respectively. We use vj to denote the buses, esi and eri to denote the indices of the sender and receiver buses, respectively, for transmission line ei , and N e to denote the set of edges connected to the edges incident to bus vj . The measured power network of a sensor r is denoted as Gr which consists of the buses and transmission lines measured by the sensor r. The graph G = ∪Gr = (u, V, E) is
255
the measured full power network, where V = ∪vj , j = 1 : N v is the set of buses, and E = ∪(ei , esi , eri ), i = 1 : N e and E ∈ {0, 1}N
v
×N v
is the adjacency matrix
of transmission line. If there is an edge from vi to vj , then Eij = 1 otherwise Eij = 0. u ∈ RN
v
×d
represents the features of each buses. d is the number of
feature channels. 260
3.2. Graph network based detection technology The above mentioned graphical power is inputted into the graph network (GN) algorithm to detect which buses is tampered by FDI attacks, as shown in Fig. 3. At each layer of the GN, the convolution operation of GN block is applied to each node in graph as well as its neighbors and the new representation of
265
each node is computed through the activation function and regularization., This
12
Bus 1 Bus 3
Bus 2
Bus 26
Bus 13
Bus 25
Bus 15 Bus 4
Bus 23
Bus 12 Bus 14
Bus 5 Bus 11
Bus 18
Bus 16
Bus 30
Bus 7 Bus 9
Bus 17
Bus 27 Bus 19
Bus 20
Bus 29
Bus 10 Bus 6
Bus 22
Bus 24
Bus 21
Bus 8
Bus 28
Figure 2: The double directed graph of IEEE 30-bus system
procedure includes three update functions φ and three aggregation functions ρ, which can be written as follows: e0i = φ(ei , esi , eri , u) := f (ek , vrk , vsk , u) vj0 = φ(¯ e0j , vj , u) := f (¯ e0i , vi , u) u0 = φ(¯ e0 , v¯0 , u) := f (¯ e0 , v¯0 , u),
X e¯0i = ρe→v (Ei0 ) := e0k {k:rk =i} X 0 e→u 0 e¯ = ρ (E ) := e0k k X 0 v→u 0 u (V ) := vi0 , ¯ =ρ i
(18)
where Ei0 = ∪(e0i , esi , eri ), i = 1 : N e , V 0 = ∪vj0 , j = 1 : N v , and E 0 = ∪Ei0 . Graph Convolutions des No
Bus 3 Bus 2
Regularization s de Activation No Function
Graph Convolutions
Bus 4
Bus 1
Predictions: Bus Attacked Lables
Bus 5 Bus 8
des
No
Bus 7
Bus 6 Bus 11
Bus 10 Bus 9
Bus 12 Bus 13
Bus 14
Input: IEEE 14-bus transmission Network
Figure 3: Proposed model for attack detection in smart grid.
The updates in a GN block is shown in Algorithm 1. 13
Algorithm 1 Calculation procedures of the GN block in graph detection algorithm 1: function GN(E, V, u) 2: 3:
e0i = φ(ei , esi , eri , u);
4:
end for
5:
for i ∈ (1, ..., N n ) do
6:
let Ei0 = ∪(e0i , esi , eri ), i = 1 : N e ;
7:
e0i = ρe→v (Ei0 );
8:
vj0 = φ(¯ e0j , vj , u);
9: 10: 11:
270
for i ∈ (1, ..., N e ) do
end for let V 0 = ∪vj0 , j = 1 : N v ; let E 0 = ∪Ei0 ;
12:
e¯0 = ρe→u (E 0 );
13:
u ¯0 = ρv→u (V 0 );
14:
u0 = φ(¯ e0 , v¯0 , u);
15:
return (E 0 , V 0 , u0 )
16:
end function The process of graph network based detection shows in Fig.4. The recently
collected measurements of power system are inputted into GN detector to identify whether FDI attacks exist. If the attacked probability is high enough in output of network model, it indicates that attacker launched FDI attacks in power system, then detector sends alarm signal to operator.
275
4. Location Detection Technology Those operations in graphical detector can detect the FDI exist or not through capture node features in the form of scalar, but they are not suffice to preserve the note location properties efficiently. To construct high-quality FDI attack detector, it is important to not only detect the presence of different
280
measurements but also preserve the detailed properties around each bus such 14
Original Measurements Measurements Collection
State Estimation FDIA
Tampered Measurements This moment The next moment
Power Flow
st
Topology Parameters
st+1
st+2
Graphical Power Network
…
FDI Attacks Detection
The Graph Network based Detection Technology
Controlled Devices
Control Execution
FDI attacks exist? No
Control Center
Delete attacked measurements
Yes
Alarm to operator
Mark the attacked buses Install PMU Defense Strategy
Figure 4: Proposed model for attack detection in smart grid.
as location, direction, connection, etc. According to [49], compared with scalarbased graphical neural network, vector-based capsule neural network which use routing mechanism to generate high-level features can preserve the information of power system properties more efficiently. Thus, this paper proposes the 285
Capsule Graph Network (Cpas-GN) technology to detect FDI attacks location in smart grid. The direction of capsules reflects the detailed properties of the features and the length of capsules reflects the probability of the presence of different features. The transmission of information between layers follows Dynamic Routing mechanism [50]. Dynamic Routing is applied to update weights 15
290
between capsules from one layer to the next layer so that the properties captured by node capsules can be propagated to suitable graph capsules. Thus, the power network is modeled as multiple graph capsules, and then modeled as multiple class capsules. Different graph capsules reflect the properties of the graph from different aspects.
295
The Graph Network combined with Capsule technique is one of the contributions in this paper. As far as we know, the Graph Network algorithm is firstly be applied to the false data injection attacks detection. In this paper, we characterize the power network into a double directed graph as the input of the Graph Network. The block scheme in Graph Network can handle dynamic
300
changes of power system very well since the structure in power system may be modified frequently in reality. None of these researches are same with the paper [52]. The only common of our paper and the theirs is we both use the Capsule technique to improve our algorithm. However, we use the Capsule technique to keep the buses position in power system for detection the attack location, which
305
is totally for different purposes. Please note that the original work of Capsule technique is cited in the appropriate location. Figure 5 shows a simplified version of how the Caps-CN is used to generate high-quality capsules which then can be applied to detection task of FDI attacks location.
310
At first, multi-scale node features from different layers are extract by the note features extractor in [51]. The extracted features are represented in the small group of neurons which are called capsules and each node corresponds to an active capsule. The multi-layer capsules technic is considerably better tan convolution network at recognization. The procedure of is showed as equation
315
(19).
Xp ˜ −1 E ˜2D ˜ −1 Gli Wijl ), Gl+1 = f ( D j
(19)
i
where Gli ∈ RN
v
×d
is the ith bus features at the layer l, d is the number of
feature channels. Wijl ∈ Rd×d ∈ is the weights matrix which serves as the feature channel filter from the ith channel at the lth layer to the jth channel at the
16
G1
G2
GL−1
GL
{
{
{
{
GN
{
Nv
C1
C2
CL
Nv d
{
Primary Capsules
CL−1
∑
Cl
l
Reshape N
Attention
v
d
∑
Nv ∑
Cl
Cl
l
l
Node-based Normalization
Nv d
{
∑
Cl
l
Routing Graph Capsules
h0
h1
h2
hP−2 hP−1
Routing
Class Capsules
Normal Tampered
Figure 5: Framework of Caps-GN.
l+1th layer. f (·) is a nonlinear activation function which setted as f (·) = tanh(·) 320
v v ˜ = E + I, and in this paper. E ∈ {0, 1}N ×N is the adjacency matrix, E P ˜ = ˜ D j Eij , where I is identity matrix.
The iterative routing-by agreement mechanism is applied after local primary
capsules obtaining the features extracted from all GN layers: the lower-level capsule send its output to higher level capsules. Unlike the max-pooling in 325
CNN, the dynamic routing mechanism keeps the precise position of the note in the graph network. The location information is coded in the output vector of capsules. The number of primary capsules depends on the size of input power net-
17
works. To make the generated graph capsules independent to the size of input, 330
before generating graph capsules with primary capsules, the attention module is applied to scale the original primary capsules and the node-based normalization is applied to generate attention value in each feature channel. Let Cl denotes the number of feature channels at the l-th layer of GN, and d de-
335
notes the dimension of each primary capsule. As shown in Figure 5, the numP P ber of input of attention module is d × l Cl and the output is l Cl . Let
Sn = {s11 , ..., s1C1 , ..., sLCL }, slc ∈ Rd denotes the set of local primary capsules. The scaling procedure is showed as equation (20). P || i s˜j || P shrunk(s(i,j) ) = s(i,j) 1 + || i s˜j ||2 where s˜ ∈ Rd×
P
l
Cl
(20)
is concatenate operation which concatenates all primary
capsules S . s(i,j) ∈ R1×d is the jth capsule of the node i. Next, we multiply n
340
the normalized value with the primary capsules to obtain scaled capsules. The results of this step is S ∈ RN
v
×
P
l
Cl ×d
.
After the attention module and the node-based normalization, as shown in Figure 5, the dynamic routing module is used to preserve the location information of each node during the output of low-level capsules transported to the 345
higher-level capsules. The low-level capsules of different nodes in same layer share the transform matrix. The iterative dynamic routing process is showed as equation (21). v(n,i)j = [sT(i,j) Wijn ||sT(i,Pl Cl ) Wjp ],
(21)
where v(n,i)j ∈ R1×(dn +dp ) is the vector output of graph capsule j from the ith feature channel of the nth node. sT(i,j) ∈ Rd× 350
P
l
Cl
is its input. T ∈ RN
v
×N v
is
the transform matrix calculated form the adjacency matrix E for determining the higher-level capsules. Wijn ∈ Rd×dn and Wjp ∈ Rd×dp are transform weights matrixes. P is the defined number of input low-level capsules. The dynamic routing mechanism is shown in Algorithm 2. To use the generated graph capsules for classification, the dynamic routing
355
is iteratively used to generate final class capsules C ∈ RK×d . Let K = 2 for the 18
Algorithm 2 Dynamic routing mechanism Input: the set of low-level capsules S, the set of transform matrices W, and the number of iterations t; Output: the set of high-level capsules H; 1: 2:
function Routing(t, S, W) for all low-level capsule i in S: vj|i = sTi Wij ;
3:
for all low-level capsule i and all ligher-level capsule j: rij ← 0;
4: 5:
for t iterations do for all low-level capsule i in layer l: r˜i ← sof tmax(ri );
6:
7:
for all ligher-level capsule j in layer l + 1: P sj ← i r˜ij vij ;
for all ligher-level capsule j:
hj ← squash(sj ) in layer l + 1; 8:
for all low-level capsule i to all ligher-level capsule j: rij ← rij + hTj vij ;
9:
end for
10:
return all set of hj ;
11:
end fuction;
P number of final classes of attacks exist or not. ri = j rij . According to [50], the separate margin loss function is calculated as equation (22). Lossclass =
P
+ k {Tk max(0, m
− ||ck ||)2
+λ(1 − Tk )max(0, ||ck || − m− )2 },
(22)
where Tk = 1 iff detection result k is present and m+ = 0.9 and m− = 0.1. The λ = 0.5 down-weighting of the loss for absent detection classes stops the 360
initial learning from reducing the lengths of the activity vectors of all the class capsules. The total loss is simply the sum of the losses of all class capsules. 19
5. Simulation and analysis We employe standard IEEE 30-bus and IEEE 118-bus systems to validate the efficiency of the proposed algorithms. We utilize the Matpower tool to gen365
erate the configuration of the standard IEEE 30-bus and IEEE 118-bus systems and specifically the Jacobian matrix, and the training process of the Recursive Neural Network (RNN), Deep Belief Nets (DBN), CNN-Gated Recurrent Unit (CNN-GRU), GN and Caps-GN algorithms run on TensorFlow platform. The attack strength of FDI attacks are considered two important indexes.
370
One of indexes is sparsity that means the quantity of attacked measurements. The other index is variance of magnitude of disturbances which means the absolute deviation between attacked data and the normal data. The proposed method of detection also is test from these two aspects. Usually, κ represents the sparsity of attack [8, 53]. p = κ/M represents the proportion of tampered
375
data in all measurements. σa2 is the variance of magnitude of disturbances. The proportion of tampered data p is accumulate from 0.05 to 1.00 by adding 0.05 each time. The variance of magnitude of disturbances σa2 is set as 0.005, 0.05, 0.5 respectively. 5.1. Numerical Detection Accuracy Table 1
Attacked Value Normal Value detect as attacked value
TP
FP
detect as normal value
TN
FN
Table 2: The mean values of numerical detection precision and recall on the IEEE 30-bus Algorithm σa2
RNN 0.005
0.05
DBN 0.5
0.005
CNN-GRU
0.05
0.5
0.005
0.05
GN 0.5
0.005
0.05
0.5
precision 99.388% 99.354% 98.551% 99.390% 99.325% 98.651% 97.959% 97.869% 96.723% 99.398% 99.311% 98.040% recall
97.216% 94.759% 90.824% 98.231% 96.417% 94.886% 91.564% 81.376% 80.857% 98.458% 96.986% 95.168%
20
Table 3: The mean values of numerical detection precision and recall on the IEEE 118-bus Algorithm σa2
RNN 0.005
0.05
DBN 0.5
0.005
CNN-GRU
0.05
0.5
0.005
0.05
GN 0.5
0.005
0.05
0.5
precision 96.515% 95.363% 92.529% 97.131% 96.701% 93.764% 97.075% 96.806% 96.541% 98.381% 97.245% 97.439% recall
380
95.763% 93.732% 90.547% 97.643% 96.282% 93.963% 81.644% 79.748% 76.354% 97.343% 96.026% 94.974%
In this part, the detection accuracy of four methods are compared and analyzed. First, the indexes of the numerical detection accuracy is defined as follows, acurracy =
TP + TN , TP + TN + FP + FN
(23)
TP , TP + FP
(24)
precision =
recall =
TP , TP + FN
(25)
where TP (true positive), TN (true negative), FP (false positive) and FN (false negative) are defined as Table 1. 385
Fig.6 and Fig.7 exhibit the exactitudes of FDI attacks detection with different sparsity and magnitude of disturbances, and Table 2 and Table 3 show the mean values of numerical detection precision and recall on IEEE-30 and IEEE118 bus system, respectively. The main aspect of GN is to extract highlevel feature representation for data which can be used for node labeling. We
390
apply the GN to learn the feature representation of power network model for FDI attacks detection problem. From Table 2 and Table 3, we find that the detection precision of all algorithms decrease with the increase magnitude of false data. However, RNN, DBN, CNN-GRU show lower detection accuracy and higher recall to our GN
395
method. Although those three method can deal with false data injection detection problem, their performance at different σa2 are still inferior to GN. When the σa2 set as 0.005, 0.05, 0.5, our method always perform better with the precision higher than 98.04%, 97.245% and the recall higer than 95.168%, 94.974%
21
on IEEE 30-bus and IEEE 118-bus, respectively. 400
In IEEE-30 bus system, the exactitudes of FDI attacks detection are all above 92.6% with Four different methods of detection. The proposed method has the highest degree of exactitude from all three methods. When magnitude of disturbances becomes bigger, the exactitudes of RNN and DBN fluctuates frequently. When variance of magnitude of disturbances is settled as 0.005, 0.05,
405
0.5, the exactitudes of RNN fluctuates at the range of [0.93,0.97], [0.94,0.97], [0.94,0.974] respectively, and the exactitudes of DBN fluctuates at the range of [0.935,0.98], [0.945,0.974], [0.96,0.977] respectively. Additionally, in most cases, the exactitudes of RNN slightly higher than DBN’s. As Fig.6 shows, the exactitudes of the DN based method has an advantage over RNN, DBN and
410
CNN-GRU, and it maintains an average above 98% with tiny fluctuation which makes sure the stable and accurate detection of FDA attacks. Besides, as shown in Fig.6a, in the condition of σa2 = 0.005, all exactitudes of four algorithms show a tendency toward ascent. They had been improved from 93.2%, 93.6%, 96.5% to 96.8%, 98%, 99%. When the magnitude of disturbances
415
becomes bigger, the tendency that exactitudes of FDI attacks detection increase with sparsity of attack becoming more intensive is not obvious. Although there is trifling improvement, the difference is insignificant. In IEEE-118 bus system, the exactitudes of FDI attacks detection are all above 95.4% with four different methods of detection. Similar with IEEE-30
420
bus system, the GN based method has higher degree of exactitude than other three methods, and its’ exactitudes of FDI attacks detection maintains an average above 98.2% basically. With the magnitude of disturbances increasing, exactitudes of RNN, DBN and CNN-GRU fluctuate milder than the case of IEEE-30 bus system, but both of them are still not as well as the GN in the
425
aspect of stabilization. As shown in Fig.7a, the exactitudes of FDI attacks detection also increase with sparsity of attack becoming more intensive when σa2 = 0.005, and exactitudes of RNN, DBN, CNN-GRU, and GN base detector improve from 95.5%, 95.7%, 98.2% to 97.5%, 98.2%, 99.5%, respectively. However, different with 22
1.00
Exactitude of Detection
0.99 0.98 0.97 0.96 0.95 0.94
RNN y1vs x DBN y2vs x CNN-GRU y4 vs x GNvs x y3-
0.93 0.92 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1.0
0.9
1.0
0.9
1.0
Sparsity of Attack
(a) σa2 = 0.005 1.00
Exactitude of Detection
0.99
0.98
0.97
0.96 RNNvs x 1y1DBNvs x 1y2CNN-GRU 1y4 vs x GN vs x 1y3-
0.95
0.94 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Sparsity of Attack
(b) σa2 = 0.05
Exactitude of Detection
0.99
0.98
0.97
0.96 RNN vs x 10y1DBN vs x 10y2CNN-GRU 10y4 vs x GN vs x 10y3-
0.95
0.94 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Sparsity of Attack
(c) σa2 = 0.5 Figure 6: Results of FDI attacks detection on IEEE-30 bus system.
23
1.00
Exactitude of Detection
0.99
0.98
0.97
RNN y1vs x DBN y2vs x CNN-GRU y4 vs x GNvs x y3-
0.96
0.95 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1.0
0.9
1.0
0.9
1.0
Sparsity of Attack
(a) σa2 = 0.005 1.00
Exactitude of Detection
0.99
0.98
0.97
RNN y1vs x DBN y2vs x CNN-GRU y4 vs x GNvs x y3-
0.96
0.95 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Sparsity of Attack
(b) σa2 = 0.05 1.00
Exactitude of Detection
0.99
0.98
0.97
RNN y1vs x DBN y2vs x CNN-GRU y4 vs x GNvs x y3-
0.96
0.95 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Sparsity of Attack
(c) σa2 = 0.5 Figure 7: Results of FDI attacks detection on IEEE-118 bus system.
24
430
IEEE-30 bus system, the rise of exactitudes relatively gentle. In Fig.7b and Fig.7c, the exactitudes of FDI attacks detection is stable. It means the detector can accurately identify the tampered measurements no matter how limited it is. 5.2. Locaion Detection Accuracy To analyze detection accuracy of false data injection location, two indexes
435
are defined as follows: TR =
FL =
nsd
,
(26)
,
(27)
ntamperd nf d nnormal
where nsd , ntamperd , nf d and nnormal are defined as Table 4. Table 4
nsd
the number of successful detection of the injected data locations
ntamperd
the number of locations with false data
nf d
the number of false detection of the attack-free locations
nnormal
the number of location with no attack
We compare the developed detection method, Caps-GN, with GN based detection method. Table 2 and Table 3 show the mean T R and F L values of location detection with different σa2 on IEEE-30 and IEEE118 bus system, 440
respectively. As the results clearly shown, the developed detection method can be accurately detect the locations of the FDI attacks at lower F L values, which avoid the false alarm that many locations where no injection occurs are also detected as FDI attacks. The T R results of Caps-GN is higher than GN, which means that the higher accuracy of Caps-GN for detecting the location of FDI
445
attacks. Furthermore, the F L results of Caps-GN is lower than GN, so the improved detection method can identify the location of the actual attack, which will safeguard the normal operation of the smart grid. In case of the intentional terrorist FDI attacks scenarios, we investigate the performance of GN and Caps-GN based attack location detection algorithm 25
Table 5: The mean T R and F L values of location detection on the IEEE 30-bus
Algorithm σa2
GN 0.005
0.05
Caps-GN 0.5
0.005
0.05
0.5
TR
87.789% 79.462% 76.895% 99.576% 99.143% 98.078%
FL
12.254% 18.675% 21.146% 1.528%
3.138%
3.991%
Table 6: The mean T R and F L values of location detection on the IEEE 118-bus
Algorithm σa2
450
GN 0.005
0.05
Caps-GN 0.5
0.005
0.05
0.5
TR
83.545% 77.678% 76.067% 99.467% 98.496% 97.154%
FL
18.828% 21.562% 24.677% 2.372%
3.834%
5.261%
when increase scale FDI attacks appears. To analyze the performance of these two detection method, we increase 5 attacked meters each time, from 0 to 50. Based on the experiment results shown in Fig. 8, it can be clearly discover that with the increase of FDI attacks scale, the Caps-GN detection method has better performances than CN detection method. Although the false alarm rates
455
of both algorithm are in an acceptable range, the rate of false alarm of CN detection method becomes obviously lager when the number attacked meters more than 15. In summary, the developed detection method can identify FIA attacks better with increase attack scale, thus it is more efficient deal with various intentional terrorist cyber and physical attacks scenarios.
460
6. Conclusion and future work In this paper, the FDI attacks in smart grid is considered. This attacks aim at tampering measurements to produce a large bias from nominal values in state estimators and threat control center security. After analyzing the FDI attacks, the graphical detection technique based on GN and location detection technique
465
based on Caps-GN are proposed to solve the problem of FDI attacks detection in smart grid. The results of simulation prove the proposed methods has obvious 26
Mean rate of false alarm
2×10
−3
1×10
−3
GN vs attacked meters GN Caps-GN vs attacked meters Caps-GN
0 0
5
10
15
20
25
30
35
40
45
50
The number of attacked meters
Figure 8: The mean values of false alarm with the increase of FDI attack scale on GN and Caps-GN.
advance than existing schemes in the aspect of accuracy and stability. Specifically, the Caps-GN based detector can identify the location of FID attacks and performs better with increase attack scale. To a certain extent, promptly de470
tecting attack can protect the security of smart grid effectively. In future, the defensive scheme against false data injection attack will be continually studied.
References References [1] Q. Yang, L. Jiang, W. Hao, B. Zhou, P. Yang, and Z. Lv, “PMU Placement 475
in Electric Transmission Networks for Reliable State Estimation Against False Data Injection Attacks,” IEEE Internet of Things Journal, vol. 4, no. 6, pp. 978–1986, Dec. 2017, 10.1109/JIOT.2017.2769134. [2] A. Hahn, A. Ashok, S. Sridhar, and M. Govindarasu, “Cyber-Physical Security Testbeds: Architecture, Application, and Evaluation for Smart Grid,”
480
IEEE Transactions on Smart Grid, vol. 4, no. 2, pp. 847–855, Jun. 2013, 10.1109/TSG.2012.2226919. [3] H. He, J. Yan, “Cyber-Physical Attacks and Defences in the Smart Grid: A Survey,” IET Cyber-Physical Systems: Theory & Applications, vol. 1, no. 1, pp. 13–27, Dec. 2016, 10.1049/iet-cps.2016.0019. 27
485
[4] S. A. Foroutan, F. R. Salmasi, “Detection of False Data Injection Attacks Against State Estimation in Smart Grids based on A Mixture Gaussian Distribution Learning Method,” IET Cyber-Physical Systems: Theory & Applications, vol. 2, no. 4, pp. 161–171, Dec. 2017, 10.1049/iet-cps.2017.0013. [5] G. Liang, J. Zhao, F. Luo, S. R. Weller and Z. Y. Dong, “A Review
490
of False Data Injection Attacks Against Modern Power Systems,” IEEE Transactions on Smart Grid, vol. 8, no. 4, pp. 1630–1638, Jul. 2017, 10.1109/TSG.2015.2495133. [6] R. Punmiya and S. Choe, “Energy Theft Detection Using Gradient Boosting Theft Detector With Feature Engineering-Based Preprocessing,” IEEE
495
Transactions on Smart Grid, vol. 10, no. 2, pp. 2326–2329, 2019. [7] L. Zhang, X. Wang, Y. Jiang, M. Yang, T. Mak, and A. K. Singh, “Effectiveness of HT-assisted sinkhole and blackhole denial of service attacks targeting mesh networks-on-chip,” Journal of Systems Architecture, vol. 89, pp. 84–94, 2018, 10.1016/j.sysarc.2018.07.005.
500
[8] Y. Liu, P. Ning, and M. K. Reiter, “False Data Injection Attacks Against State Estimation in Electric Power Grids,” in Proc. ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009, pp. 21–32. [9] B. Li, T. Ding, C. Huang, J. Zhao, Y. Yang, and Y. Chen, “Detecting False
505
Data Injection Attacks Against Power System State Estimation With Fast Go-Decomposition (GoDec) Approach,” IEEE Transactions on Industrial Informatics, vol. 15, no. 5, pp. 2892–2904, 2019. [10] R. Deng and H. Liang, “False Data Injection Attacks With Limited Susceptance Information and New Countermeasures in Smart Grid,” IEEE
510
Transactions on Industrial Informatics, vol. 15, no. 3, pp. 1619–1628, 2019. [11] Z. Li, M. Shahidehpour, A. Alabdulwahab, and A. Abusorrah, “Bilevel Model for Analyzing Coordinated Cyber-Physical Attacks on Power Sys28
tems,” IEEE Transactions on Smart Grid, vol. 7, no. 5, pp. 2260–2272, Sep. 2016. 515
[12] L. Xie, Y. Mo, and B. Sinopoli, “Integrity data attacks in power market operations,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 659–666, Dec. 2011. [13] G. Liang, S. R. Weller, J. Zhao, F. Luo and Z. Y. Dong, “The 2015 Ukraine Blackout: Implications for False Data Injection Attacks,” IEEE
520
Transactions on Power Systems, vol. 32, no. 4, pp. 3317–3318, Jul. 2017, 10.1109/TPWRS.2016.2631891. [14] Y. Yuan, Z. Li, and K. Ren, “Modeling load redistribution attacks in power systems,” IEEE Transactions on Smart Grid, vol. 2, no. 2, pp. 382–390, Jun. 2011.
525
[15] Y. Yuan, Z. Li, and K. Ren, “Quantitative analysis of load redistribution attacks in power systems,” Transactions on Parallel and Distributed Systems, vol. 23, no. 9, pp. 1731–1738, Sep. 2012. [16] R. Tan, H. H. Nguyen, E. Y. S. Foo, D. K. Y. Yau, Z. Kalbarczyk, R. K. Iyer, and H. B. Gooi, “Modeling and Mitigating Impact of False Data
530
Injection Attacks on Automatic Generation Control,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 7, pp. 1609–1624, Jul. 2017, 10.1109/TIFS.2017.2676721. [17] S. Sridhar and M. Govindarasu, “Model-based attack detection and mitigation for automatic generation control,” IEEE Transactions on Smart Grid,
535
vol. 5, no. 2, pp. 580–591, Mar. 2014. [18] S. Sridhar and G. Manimaran, “Data integrity attack and its impacts on voltage control loop in power grid,” in Proc. IEEE Power & Energy Society General Meeting, Detroit, MI, USA, 2011, pp. 1–6. [19] Y. Chen, S. Huang, F. Liu, Z. Wang, X. Sun, “Evaluation of Reinforce-
540
ment Learning-Based False Data Injection Attack to Automatic Voltage 29
Control,” IEEE Transactions on Smart Grid, vol. 10, no. 2, pp. 2158–2169, Mar. 2019, 10.1109/TSG.2018.2790704. [20] Y. Zhang, L. Wang, Y. Xiang, C. Ten, “Power System Reliability Evaluation With SCADA Cybersecurity Considerations,” IEEE Trans545
actions on Smart Grid, vol. 6, no. 4, pp. 1707–1721, July. 2015, 10.1109/TSG.2015.2396994. [21] A. Tajer, “False Data Injection Attacks in Electricity Markets by Limited Adversaries: Stochastic Robustness,” IEEE Transactions on Smart Grid, vol. 10, no. 1, pp. 128–138, Jan. 2019, 10.1109/TSG.2017.2733346.
550
[22] J. Lin, W. Yu, X. Yang, “Towards Multistep Electricity Prices in Smart Grid Electricity Markets,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 1, pp. 286–302, Jan. 2016, 10.1109/TPDS.2015.2388479. [23] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, “False Data
555
Injection on State Estimation in Power Systems: Attacks, Impacts, and Defense: A Survey,” IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2017. [24] D. B. Rawat, C. Bajracharya, “Detection of False Data Injection Attacks in Smart Grid Communication Systems,” IEEE Signal Processing Letters,
560
vol. 22, no. 10, pp. 1652–1656, Oct. 2015, 10.1109/LSP.2015.2421935. [25] S. Pal, B. Sikdar, and J. Chow, “Classification and Detection of PMU Data Manipulation Attacks Using Transmission Line Parameters,” IEEE Transactions on Smart Grid, pp.1–10, Mar. 2017, 10.1109/TSG.2017.2679122. [26] R. Moslemi, A. Mesbahi, and J. M. Velni, “A Fast, Decentral-
565
ized Covariance Selection-based Approach to Detect Cyber Attacks in Smart Grids,” IEEE Transactions on Smart Grid, pp.1–12, Mar. 2017, 10.1109/TSG.2017.2675960.
30
[27] B. Tang, J. Yang, S. Kay, and H. He, “Detection of false data injection attacks in smart grid under colored Gaussian noise,” in Proc. IEEE Con570
ference on Communications and Network Security (CNS), Philadelphia, PA, USA, 2016, pp. 172–179. [28] X. Yang, X. Zhang, J. Lin, W. Yu, and P. Zhao, “A Gaussian-Mixture Model Based Detection Scheme against Data Integrity Attacks in the Smart Grid,” in Proc. International Conference on Computer Communication and
575
Networks (ICCCN), Waikoloa, HI, USA, 2016, pp. 1–9. [29] Y. Zhou, Z. Miao, “Cyber attacks, detection and protection in smart grid state estimation,” in Proc. North American Power Symposium (NAPS), Denver, CO, USA, 2016, pp. 1–6. [30] V. B. Krishna, K. Lee, G. A. Weaver, R. K. Lyer, and W. H. Sanders,
580
“F-DETA: A Framework for Detecting Electricity Theft Attacks in Smart Grids,” in Proc. IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Toulouse, France, 2016, pp. 407–418. [31] O. Boujelben, and M. Bahoura, “Efficient FPGA-based architecture of an automatic wheeze detector using a combination of MFCC and SVM
585
algorithms,” Journal of Systems Architecture, vol. 88, pp. 54–64, 2018, 10.1016/j.sysarc.2018.05.010. [32] C. Lai, C. Yeh, C. Tu, and S. Hung, “Fast profiling framework and race detection for heterogeneous system,” Journal of Systems Architecture, vol. 81, pp. 83–91, 2017, 10.1016/j.sysarc.2017.10.010.
590
[33] B. Li, Y. Lin, and S. Zhang, “Multi-Task Learning for Intrusion Detection on web logs,” Journal of Systems Architecture, vol. 81, pp. 92–100, Nov. 2017, 10.1016/j.sysarc.2017.10.011. [34] R. Lazcano, D. Madronal, R. Salvador, K. Desnos, M. Pelcat, R. Guerra, H. Fabelo, S. Ortega, S. Lopez, G.M. Callico, E. Juarez, and C. Sanz, “Porting
595
a PCA-based hyperspectral image dimensionality reduction algorithm for 31
brain cancer detection on a manycore architecture,” Journal of Systems Architecture, vol. 77, pp. 101–111, 2017, 10.1016/j.sysarc.2017.05.001. [35] M. Esmalifalak, L. Liu, N. Nguyen, R. Zheng, and Z. Han, “Detecting Stealthy False Data Injection Using Machine Learning in Smart 600
Grid,” IEEE Systems Journal, vol. 11, no. 3, pp. 1644–1652, Aug. 2014, 10.1109/JSYST.2014.2341597. [36] J. Yan, B. Tang, and H. He, “Detection of false data attacks in smart grid with supervised learning,” in Proc. International Joint Conference on Neural Networks(IJCNN), Vancouver, BC, Canada, 2016, pp. 1395–1402.
605
[37] S. Waghmare, F. Kazi, and N. Singh, “Data driven approach to attack detection in a cyber-physical smart grid system,” in Proc. Indian Control Conference (ICC), Guwahati, India, 2017, pp. 271–276. [38] Y. Chakhchoukh, S. Liu, M. Sugiyama, and H. Ishii, “Statistical outlier detection for diagnosis of cyber attacks in power state estimation,” in Proc.
610
2016 IEEE Power and Energy Society General Meeting (PESGM), Boston, MA, USA, 2016, pp. 1–5. [39] J. Wei, G. J. Mendis, “A deep learning-based cyber-physical strategy to mitigate false data injection attack in smart grids,” in Proc. Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-
615
SG), Vienna, Austria, 2016, pp. 1–56. [40] Y. He, G. J. Mendis, and J. Wei, “Real-Time Detection of False Data Injection Attacks in Smart Grid: A Deep Learning-Based Intelligent Mechanism,” IEEE Transactions on Smart Grid, vol. 8, no. 5, pp. 2505–2516, Sept. 2017, 10.1109/TSG.2017.2703842.
620
[41] J. Zhou, G. Cui, Z. Zhang, C. Yang, Z. Liu, L. Wang, C. Li, and M. Sun, “Graph Neural Networks: A Review of Methods and Applications,” in arXiv:1812.08434, 2018.
32
[42] J. Li, L. Liu, C. Zhao, K. Hamedani, R. Atat, and Y. Yi, “Enabling Sustainable Cyber Physical Security Systems Through Neuromorphic Computing,” 625
IEEE Transactions on Sustainable Computing, vol.3 , no. 2, pp. 112–125, Jun. 2017, 10.1109/TSUSC.2017.2717807. [43] L. Zhang, A. Bose, A. Jampala, V. Madani, and J. Giri, “Design, Testing, and Implementation of a Linear State Estimator in a Real Power System,” IEEE Transactions on Smart Grid, vol. 8, no. 4, pp. 1782–1789, Jul. 2017,
630
10.1109/TSG.2015.2508283. [44] J.J. Grainger, W.D. Stevenson, Power system analysis, (McGraw-Hill, 1994) [45] A.J. Wood, B.F. Wollenberg, Power generation, operation, and control, (John Wiley & Sons, 2012)
635
[46] Q.Yang, J. Yang, W. Yu, D. An, N. Zhang, W. Zhao, “On False DataInjection Attacks against Power System State Estimation: Modeling and Countermeasures,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 3, pp.717–729, Mar. 2014, 10.1109/TPDS.2013.92. [47] F. C. Schweppe, J. Wildes, “Power system state estimation, parts I, II and
640
III,” IEEE Transactions on Power Apparatus and Systems, vol. PAS-89, no. 1, pp. 120–135, Jan. 1970, 10.1109/TPAS.1970.292678. [48] K. Manandhar, X. Cao, F. Hu, Y. Liu, “Detection of faults and attacks including false data injection attack in smart grid using kalman filter,” IEEE Transactions on Control of Network Systems, vol. 1, no. 4, pp.370–
645
379, Dec. 2014, 10.1109/TCNS.2014.2357531. [49] G. E. Hinton, S. Sabour, and N. Frosst, “Matrix capsules with EM routing,” in International Conference on Learning Representations, Oct. 2018. [50] S. Sabour, N. Frosst, and G. E. Hinton, “Dynamic routing between capsules,” in Advances in Neural Information Processing Systems (NIPS), pp.
650
3856–3866, 2017. 33
[51] T. N. Kipf and M. Welling, “Semi-supervised classification with graph convolutional networks,” in International Conference on Learning Representations, 2017. [52] X. Zhang, L. Chen, “Capsule Graph Neural Network,” in ICLR 2019 Con655
ference Blind Submission, Mar. 2019. [53] M. Ozay, I. Esnaola, F. T. Y. Vural, S. R. Kulkarni, H. V. Poor, “Machine Learning Methods for Attack Detection in the Smart Grid,” IEEE Transactions on Neural Networks and Learning Systems, vol. 27, no. 8, pp. 1773–1786, Mar. 2016, 10.1109/TNNLS.2015.2404803.
34
660
Yuancheng Li received the Ph.D. degree in automation system pattern recognition and intelligent system from the University of Science and Technology of China, Hefei, China, in 2003. From 2004 to 2005, he was a Postdoctoral Research Fellow with the Digital Media Laboratory, Beihang University, Beijing, China. Since 2005, he has been
665
with the North China Electric Power University, where he is currently a Professor in information security of power industry control system and the Dean of the Institute of Smart Grid and Information Security. From 2009 to 2010, he was a Postdoctoral Research Fellow with the Cyber Security Laboratory, College of Information Science and Technology, Pennsylvania State University,
670
State College, PA, USA. He has hosted and participated in several research projects for the National Natural Science Foundation of China, National 863 Plan projects. He has authored more than 70 articles, and more than ten inventions. His research interests include power grid security, state estimation, information security, cloud computing, big data security, and cloud security.
35
Yuanyuan Wang received the M.S. degree in software
675
engineering in 2016 from North China Electric Power University, Beijing, China. She is currently pursuing the Ph.D. degree with the Institute of Smart Grid and Information Security, the School of Control and Computer Engineering, North China Electric Power University. 680
She is a Visiting Ph.D. Student with the School of Computer Science and Electronic Engineering, University of Essex, Colchester, U.K. Her research interests include smart grid security, data attack, information security, data mining, and machine learning.
36
We declare that we do not have any commercial or associative interest that represents a conflict of interest in connection with the paper submitted.
Journal Pre-proof
Developing Graphical Detection Techniques for Maintaining State Estimation Integrity Against False Data Injection Attack in Integrated Electric Cyber-Physical System Yuancheng Li, Yuanyuan Wang PII: DOI: Reference:
S1383-7621(19)30512-0 https://doi.org/10.1016/j.sysarc.2019.101705 SYSARC 101705
To appear in:
Journal of Systems Architecture
Received date: Revised date: Accepted date:
8 July 2019 20 November 2019 18 December 2019
Please cite this article as: Yuancheng Li, Yuanyuan Wang, Developing Graphical Detection Techniques for Maintaining State Estimation Integrity Against False Data Injection Attack in Integrated Electric Cyber-Physical System, Journal of Systems Architecture (2019), doi: https://doi.org/10.1016/j.sysarc.2019.101705
This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Elsevier B.V. All rights reserved.
Developing Graphical Detection Techniques for Maintaining State Estimation Integrity Against False Data Injection Attack in Integrated Electric Cyber-Physical System Yuancheng Lia , Yuanyuan Wanga,∗ a North
China Electric Power University, 2 Beinong Road, Huilongguan Town, Changping District, Beijing, China 102206
Abstract The merging of power grid, information, and communication technology promotes the intelligent development of smart grid, which is also more prone to cyber attack threats. Especially, the intelligently designed False Data Injection (FDI) attacks severely disturb the normal management and state estimation operations in power system. In this paper, the graphical detection technology which uses Graph Network (GN) is developed for detecting tampered measurements without external knowledge and manual preprocess of historical data. To solve the detection of FDI attacks location issue from the diversified dimensionality in power systems, the Capsule Network combined with GN is developed, which can extract preserve the detailed properties around each note such as location, direction, connection, etc. To evaluate the superior performance of proposed method, the proposed detection technology is carried out through standard IEEE 30-bus and IEEE 118-bus systems. The simulation results demonstrate that the proposed method can detect FDI attacks accurately with different attack sparsity and magnitude of disturbances. ∗ This work was supported in part by the Fundamental Research Funds for the Central Universities of China under Grant 2017XS071. Part of this research was conducted during Yuanyuan Wang’s visit at University of Essex supported by the Postgraduate International Visit Funding of North China Electric Power University. ∗∗ Corresponding author Email address: [email protected] (Yuanyuan Wang)
Preprint submitted to Journal of Systems Architecture
December 28, 2019
Keywords: smart grid security, graphical detection, graph network, capsule network, FDI attacks detection, integrated electric cyber-physical system, state estimation
1. Introduction Power system has become more intelligent and more informative recently. Smart grid has been provided with advanced network communication technology that can realize the real-time acquisition and transmission of power state 5
information. These information is collected from smart meters and Phasor measurement units (PMUs), and the management system can sent control commands to power stations, distribution units, dispatching centers, and electricity markets whenever necessary. Such commands highly improve the efficiency of power system. The development of smart grid makes the electric power net-
10
work and the underlying information and communications technology system supporting its management functionalities highly coupled, which is considered as an integrated electric cyber-physical system (ECPS) [1]. As an ECPS, smart grid faces the huger threat of network attack for the closer dependence on communication network [1, 2, 3, 4]. With the smart gird more open to the outside
15
networks, using internet-based protocols in the information and communication system, it is more hard to maintain the Energy management system and Supervisory Control and Data Acquisition (EMD/SCADA) system in a normal and secure state. Malicious attacker can invade power system to change present state by remote network connection[5, 13]. In particular, enterprise networks
20
and even individual users are allowed to connected to the smart grid information infrastructure to facilitate data sharing [6, 7]. In 2009, [8] firstly defined that the False Data Injection (FDI) attacks could circumvent bad data detection (BDD) system and introduce arbitrary errors to state estimators without being detected. FDI attacks affect state estimation
25
accuracy and threat control center security through tampering measurements collected by the Supervisory Control and Data Acquisition (SCADA) system [9].
2
The experiment results in [5] shows that the FDI attacks can produce a large bias from nominal values in state estimators without triggering the BDD alarm [10]. [11] shows that FDI attack could be conducted by directly tampering with 30
field device measurements or intruding in the control center database, or indirectly by the man-in-the-middle attacks on communication links between remote terminal units and control centers. Even worse, FDI attacks not only cheats state estimations, distorts controls and operations of the target power system, but also causes serious damage to market operation [12], security constrained
35
economic dispatch [14, 15], automatic generation control [16, 17], Var/voltage control [18], automatic voltage control [19], supervisory control and data acquisition system[20], electricity price market [21, 22], etc. [23] shows that the FDI attacks can cause a cascading failure resulting in a severe system-wide blackout when power system operators do not respond quickly and effectively to power
40
overflows. Therefore, the effectively FDI attacks detection in real time becomes a vital and essential mission, which is important for ensuring the safe operation in smart grids. The existed paper has recently studied different methods to detect FDI attack[24, 25, 26, 27, 28, 29, 30, 31]. In [24], Rawat et al. adopted Kalman
45
filter estimation to calculate the variation of measurements, and identified attacks by Chi-square detector and cosine similarity matching approaches. Cosine similarity matching approaches has robustness when it served as detector of FDI attacks and other attack in smart grid. In [25], Pal et al. proposed the detection method based on evaluation of equivalent impedances in transmission lines. In
50
[26], Moslemi et al. proposed a high-speed and dispersed approach based on maximum likelihood estimation to detect FDI attack. The near chordal sparsity of grid is used to establish an effective detection frame, then, the problem is divided into local maximum likelihood estimation. In [27], Tang et al. tested the generalized likelihood ratio to detect the FDI attacks and estimate the
55
power state by autoregressive process-based noise modeling. In addition, exploiting the hypothesis of similar observation of samples, the author detected FDI attacks with principal component analysis. In [28], Yang et al. proposed 3
Gaussian-Mixture-based FDI attacks detection model that is independent of pre-set threshold and external knowledge. The proposed method clusters the 60
history measurements to minify the scope of normal data, and learns the maximum and minimum of single cluster. In [29], the Euclidean Distance has been used to detect FIDA. In [30], Krishna et al. proposed an Kullback-Leibler (KL) divergence-based attack detector. Besides, there are some studies about FDI attacks detection which exploit
65
machine learning algorithms[32, 33, 34, 35, 36, 37, 38]. In [35], Esmalifalak et al. point out that statistics can be used to identify the concealed attacks which exist in routine operations of power system. The authors proposed two machine learning-based algorithms to detect attack. One of the algorithms adopted supervised learning and tagged data to train the distributed support
70
vector machine (SVM) model which has superiorly fast convergence on account of multiplier-based alternating direction method. The other algorithm measures deviation without training data. Both of the algorithms adopted principal component analysis (PCA) in order to reduce the high-dimension of processing data and computational complexity. In [36], the validities of detector about straight
75
and hidden FDI attacks with supervised learning classifier have been compared. Yan J et al. designed three types of FDI attacks detector with supervised learning-based classification methods that detected straight and hidden FDI attacks under the models of balance and imbalance corresponding to different resources and scales of attacks. In [37], Waghmare et al. proposed a two-stages
80
FDI attacks detector which includes SVM and PCA methods. At first stage, the high dimension of measurements reduced to lower dimension by PCA. Thus, the FDI attacks are detected in the lower dimensional data by SVM at second stage. In [38], the density ratio estimation-based machine learning method has been used to detect FDI attack. Compared with SVM, the proposed method
85
has been improved, and does not need models of attack. In recently, the deep learning algorithm-based FDI attacks detectors have been proved practicable and effective. G. J. Mendis et al. proposed several deep learning methods to detect FDI attacks [39, 40, 42]. In [39], the proposed 4
deep learning-based cyber-physical protocol can identify and alleviate the in90
formational deterioration in Wide Area Monitoring Systems (WAMSs) which interrupts the maintenance of transient stability. In [40], deep learning algorithm was used to identify the behavioral characteristics of attack in historical measurements, and to achieve the real time detection of FDI attacks with capture capabilities.
95
Comparing with traditional machine learning, deep learning has a significant difference. Traditional machine learning often needs to extract features by manual work previously, then vectorize the features, input to training model finally. The process need extravagant preliminary work. However, deep learning usually adopts the end-to-end style of learning. The data just needs slight normaliza-
100
tion and whitening before transport to training model without manual work. In the condition of complex power system and massive measurements, feature extraction is extremely difficult and time-consuming, but it can autocomplete by deep learning network. Accordingly deep learning algorithms provide better solutions of the problems with which traditional machine learning methods
105
deal hardly. Therefore, in this paper, we focus on the improvement of detection accuracy for FID attacks with deep learning algorithm. In this paper, we first characterize a power network in a double directed graph, which is inputted into the Graph network (GN) based detection technology to identify the normal and tampered measurements. The GN algorithm
110
can classify the tampered measurements form attacked buses and transmission lines. The graph blocks in GN can handle the power network graph better than standard neural networks like Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs), which is very redundant when computing [41]. The GN with a simple architecture can also perform well. [7],[31].
115
The above graphical detection technique works well if the FDI attacks occurs occasionally and the power system does not change frequently. However, there certainly many cases in which the power system frequent changes load, power generation, and system topology over time. Thus, the developed detection technique using the capsule scheme, the Caps-GN algorithm, is explored to detect 5
120
the FDI attacks location. The Caps-GN algorithm combines Capsule Network and GN. Compared with scalar-based graphical neural network, vector-based capsule neural network which use routing mechanism to generate high-level features can preserve the detailed information of power system properties more efficiently, such as location, direction, connection, etc.
125
The main contributions of this paper are summarized as follows: (1) We study the FDI attacks detection from a graphical perspective in this paper. By exploiting the graphical structures of power network solution, the proposed GN based detection technology obtains great accuracy with significantly reduced complexity.
130
(2) The location detection technique using Capsule Network is explored to detect the FDI attacks location and monitor the security smart grid in real time, even when power system frequent changes in load, power generation, and system topology over time. (3) The Caps-GN algorithm adopted in this paper keeps stable and precise
135
attack location detection rate when attack sparsity and magnitude of disturbances is changed. (4) We use standard IEEE 30-bus and IEEE 118-bus test systems to evaluate the efficiency of the proposed detection scheme. Our simulation results demonstrate that the proposed detection technique can effectively detect
140
the tampered measurements for different FDI attacks test-cases, and the detection accuracy are higher than other deep learning algorithms. The remainder of this paper is formatted as follows. Section 2 presents some primaries about state estimation and FDI attacks. Section 3 develops the graph algorithms to solve the detection problem. Section 4 proposes the location mon-
145
itoring FDI attacks process of the Caps-GN based algorithm. Section 5 presents and analyzes the simulation results from cases based on IEEE-30 and IEEE-118 system. Finally, the relevant conclusion and the future work is summarized in section 6.
6
2. Problem Formulation 150
The SCADA in power system collects power voltage, power flow, load from sensors to estimate real states of the power system. The measurements are transported to state estimator, whose outputs are used as inputs of the optimal power flow (OPF) function. Then, the results of OPF are taken as control commands of generators and other controllable devices in subsystem of trans-
155
mission, distribution, dispatching, etc [43]. Since the accurate and reliable state information of power grid is needed in the tasks of contingency analysis, unit commitment, calculation of LMPs, the state estimation is crucial to the security and stable operation of smart grid. Models of the physical power systems, state estimation, bad data detection schemes are introduced briefly here.
160
2.1. Physical Power System Suppose there are n + 1 buses and l branches in the system. In non-linear AC power flow model, active power and reactive power flows from bus i to bus j are denoted as follows:
165
Pij = Vi2 gij − Vi Vj (gij cosθij + bij sinθij ),
(1)
Qij = −Vi2 bij − Vi Vj (gij sinθij − bij cosθij ),
(2)
and active power and reactive power injection at bus i are denoted as follows: Pi =
X
Pij
j∈Ωi
=Vi
X
j∈Ωi
Qi =
X
Vj (−gij cosθij − bij sinθij ) + Vi2
gij ,
X
bij ,
j∈Ωi
Qij
j∈Ωi
=Vi
(3)
X
X
j∈Ωi
Vj (−gij sinθij + bij cosθij ) − Vi2
(4)
j∈Ωi
where j ∈ Ωi is the set of all neighbor buses to the ith bus. Vi and Vj represents voltage magnitude on bus i and bus j respectively [46]. θi and θj represents 7
phase angle on bus i and bus j, respectively, and θij = θi − θj denotes phase 170
different angle between bus i and bus j. gij is conductance of the line between bus i and bus j. bij is reactance of the line between bus i and bus j. Standard linear approximation assume that voltage amplitudes of each bus are fixed and equal to 1 p.u., all shunt susceptance and series resistances are dismissed, and the different of phase angle between each connected buses are
175
very small, so that reactive power can be ignored. Thus, in DC power flow model, active power which flows from bus bus i to bus j can be formulated as equation (5). Pij = Vi Vj bij sin(θi − θj ) ∼ = bij (θi − θj ),
(5)
and active power injection at bus i to bus j can be formulated as equation (6). Pi =
X
j∈Ωi
Pij , ∀i ∈ Ωi ,
(6)
2.2. State estimation 180
At certain time, the measurements are collected form power system with n + 1 buses and l branches. Let z ∈ Rm denotes measurements vector. The
state vector is denoted as x ∈ Rn , m > n, including 2n + 1 state variables from the reference buses. In AC power flow model, the full nonlinear power flow equations and a large amount of measurements are needed to implement 185
the state estimation, which can be generally described as equation (7). z = h(x) + e,
(7)
where z = [z1 , z2 , z3 , ..., zm ]T ∈ Rm is measurement vector which contains active and reactive power injections at each bus, Pi and Qi , active and reactive power flows of all branches, Pij and Qij in power system. x = [θ2 , θ3 , ..., θn+1 , V1 , V2 , ..., Vn+1 ]T ∈ Rn is system state variable vector which contains bus voltages magnitudes
190
Vi and phase angles θi [44]. e = [e1 , e2 , e3 , ..., em ]T ∈ Rm ∼ N (0m×n , Σe ) is the vector of random measurement errors which obey Gaussian distribution. Its average value is zero vector 0m×n and covariance matrix is Σe = diag(σ11 , σ11 , ..., σmm ) ∈ Rm with diagonal elements proportional to variance 8
of each measurement noise. h(·) stands for non-linear relation between mea195
surement vector z and the system state variable x. h(·) reflects the topology structure of power grid and parameters of transmission lines. With state vector x just consists of phase angle and Vi = 1 in DC power flow model, the state estimation is easier to solve. The linear relation between measurements and states can be expressed as equation (8). z = Hx + e,
200
(8)
where Jacobian matrix H ∈ Rm×n depends on the topology structure of power
grid, line susceptance, and meter placement [45]. e ∼ N (0, σ 2 ) denots the
measurement errors obey the Gaussian distribution. Its mean value is 0 and standard deviation is σ. Jacobian matrix H can be constructed as equation (9). Ti ADAT H= Tl DAT
205
(9)
where the stacked identity matrices Ti ∈ Rn×n and Tl ∈ Rl×l indicate which bus power injection and line power flow have been measured, respectively.D is a diagonal matrix with diagonal entries reciprocal to lines reactance. A is the adjacency matrix defined as equation (10). −1, if arc i starts at node j A(i, j) = 1, if arc j starts at node i 0, otherwise,
(10)
For linear modal, the close-form of estimated state vector x ˆ based on maxi-
210
mum similarity principle can obtained by equation (11). x ˆ = (H T ΛH)−1 H T Λz,
(11)
where Λ is diagonal matrix. Λii = σ 2 is Diagonal element. 2.3. Bad data detection schemes In traditional power system, the bad data detection (BDD) schemes are used to detect the faulty measurements caused by adversary attacks, topological 9
215
errors, or faulty sensors, so that some state estimation errors determined by faulty measurements can be avoided. The residue r used for threshold test in the bad data detection algorithm is calculated by equation (12). r = z − h(ˆ x),
(12)
where r corresponds to the difference between the measurements vector z and the estimated state result value h(ˆ x). When residue r is non-less than thresh220
old τ , the measurements are labeled as abnormality which may be caused by incorrect operation, attack on sensors, or topological disorder. The BDD most commonly uses equation (13) to identifies the faulty measurements. This test is called Largest Normalized Residue test based on l∞ -norm of the measurement
225
residual r, normalized so that each element has unit variance [47]. k ri k2 maxm ≥ τ, f aulty measurements i=1 % ri k ri k2 maxm < τ, normal measurements i=1 % ri
(13)
where ri , i = 1, 2, ..., m denotes the elements of residue r. %ri is the standard deviation of the ith residual error ri [48]. τ is a predetermined threshold determined by the known error distributions and the theory of χ2 testing. `2 − norm calculation k . k2 stands for the magnitude. 2.4. False data injection attacks
230
The attackers invade RTUs or communication network from where attackers inject false data to measurements in order to influence the state estimation in smart grid, as shown in Fig.1. The FDI attacker can the predesigned attack vector a by manipulating certain measurements or system state variables, i.e., bus phase angle θ and bus voltage magnitude V as shown in equation (3)-(2). An
235
attacker can inject an attack vector a to compromise the original measurements as equation (14). zˆa = z + a = Hx + a + e
10
(14)
Remote Terminal Unites
Remote Terminal Unites
…
…
… Communication network
Remote Terminal Unites
Remote Terminal Unites
…
False Data Injection Attack
Communication network
Optimal power flow
State Estimation
… Bad Data Detection
Contingency analysis Control Center
Figure 1: False Data Injection Attacks in Smart Grid
where a = (a1 , a2 , ..., am )T ∩ a 6= 0. According to[8], the attack vector a can be formulated by equation (15). a = Hc,
(15)
where c = (c1 , c2 , ..., cn )T ∩ c 6= 0 is an arbitrary vector. 240
The estimated state vector x ˆ is changed as equation (16) with the false data injection. xˆa = (H T ΛH)−1 H T Λza = x ˆ + c,
(16)
but the residue r remains unchange after attack and it still less than threshold 11
τ, ra =k zˆa − H x ˆa k2 =k z + a − H(ˆ x + c) k2
(17)
=k z − H x ˆ + a − Hc k2 =k z − H x ˆ k2 = r, so that the FDI attacks can circumvent and be undetectable for the traditional 245
BDD detection.
3. Graphical Detection Technology 3.1. Graphical power network The power network can be characterized in a double directed graph, as shown in Fig. 2. In this graph, the vertices and edges represent buses and transmission 250
lines, respectively. We use vj to denote the buses, esi and eri to denote the indices of the sender and receiver buses, respectively, for transmission line ei , and N e to denote the set of edges connected to the edges incident to bus vj . The measured power network of a sensor r is denoted as Gr which consists of the buses and transmission lines measured by the sensor r. The graph G = ∪Gr = (u, V, E) is
255
the measured full power network, where V = ∪vj , j = 1 : N v is the set of buses, and E = ∪(ei , esi , eri ), i = 1 : N e and E ∈ {0, 1}N
v
×N v
is the adjacency matrix
of transmission line. If there is an edge from vi to vj , then Eij = 1 otherwise Eij = 0. u ∈ RN
v
×d
represents the features of each buses. d is the number of
feature channels. 260
3.2. Graph network based detection technology The above mentioned graphical power is inputted into the graph network (GN) algorithm to detect which buses is tampered by FDI attacks, as shown in Fig. 3. At each layer of the GN, the convolution operation of GN block is applied to each node in graph as well as its neighbors and the new representation of
265
each node is computed through the activation function and regularization., This
12
Bus 1 Bus 3
Bus 2
Bus 26
Bus 13
Bus 25
Bus 15 Bus 4
Bus 23
Bus 12 Bus 14
Bus 5 Bus 11
Bus 18
Bus 16
Bus 30
Bus 7 Bus 9
Bus 17
Bus 27 Bus 19
Bus 20
Bus 29
Bus 10 Bus 6
Bus 22
Bus 24
Bus 21
Bus 8
Bus 28
Figure 2: The double directed graph of IEEE 30-bus system
procedure includes three update functions φ and three aggregation functions ρ, which can be written as follows: e0i = φ(ei , esi , eri , u) := f (ek , vrk , vsk , u) vj0 = φ(¯ e0j , vj , u) := f (¯ e0i , vi , u) u0 = φ(¯ e0 , v¯0 , u) := f (¯ e0 , v¯0 , u),
X e¯0i = ρe→v (Ei0 ) := e0k {k:rk =i} X 0 e→u 0 e¯ = ρ (E ) := e0k k X 0 v→u 0 u (V ) := vi0 , ¯ =ρ i
(18)
where Ei0 = ∪(e0i , esi , eri ), i = 1 : N e , V 0 = ∪vj0 , j = 1 : N v , and E 0 = ∪Ei0 . Graph Convolutions des No
Bus 3 Bus 2
Regularization s de Activation No Function
Graph Convolutions
Bus 4
Bus 1
Predictions: Bus Attacked Lables
Bus 5 Bus 8
des
No
Bus 7
Bus 6 Bus 11
Bus 10 Bus 9
Bus 12 Bus 13
Bus 14
Input: IEEE 14-bus transmission Network
Figure 3: Proposed model for attack detection in smart grid.
The updates in a GN block is shown in Algorithm 1. 13
Algorithm 1 Calculation procedures of the GN block in graph detection algorithm 1: function GN(E, V, u) 2: 3:
e0i = φ(ei , esi , eri , u);
4:
end for
5:
for i ∈ (1, ..., N n ) do
6:
let Ei0 = ∪(e0i , esi , eri ), i = 1 : N e ;
7:
e0i = ρe→v (Ei0 );
8:
vj0 = φ(¯ e0j , vj , u);
9: 10: 11:
270
for i ∈ (1, ..., N e ) do
end for let V 0 = ∪vj0 , j = 1 : N v ; let E 0 = ∪Ei0 ;
12:
e¯0 = ρe→u (E 0 );
13:
u ¯0 = ρv→u (V 0 );
14:
u0 = φ(¯ e0 , v¯0 , u);
15:
return (E 0 , V 0 , u0 )
16:
end function The process of graph network based detection shows in Fig.4. The recently
collected measurements of power system are inputted into GN detector to identify whether FDI attacks exist. If the attacked probability is high enough in output of network model, it indicates that attacker launched FDI attacks in power system, then detector sends alarm signal to operator.
275
4. Location Detection Technology Those operations in graphical detector can detect the FDI exist or not through capture node features in the form of scalar, but they are not suffice to preserve the note location properties efficiently. To construct high-quality FDI attack detector, it is important to not only detect the presence of different
280
measurements but also preserve the detailed properties around each bus such 14
Original Measurements Measurements Collection
State Estimation FDIA
Tampered Measurements This moment The next moment
Power Flow
st
Topology Parameters
st+1
st+2
Graphical Power Network
…
FDI Attacks Detection
The Graph Network based Detection Technology
Controlled Devices
Control Execution
FDI attacks exist? No
Control Center
Delete attacked measurements
Yes
Alarm to operator
Mark the attacked buses Install PMU Defense Strategy
Figure 4: Proposed model for attack detection in smart grid.
as location, direction, connection, etc. According to [49], compared with scalarbased graphical neural network, vector-based capsule neural network which use routing mechanism to generate high-level features can preserve the information of power system properties more efficiently. Thus, this paper proposes the 285
Capsule Graph Network (Cpas-GN) technology to detect FDI attacks location in smart grid. The direction of capsules reflects the detailed properties of the features and the length of capsules reflects the probability of the presence of different features. The transmission of information between layers follows Dynamic Routing mechanism [50]. Dynamic Routing is applied to update weights 15
290
between capsules from one layer to the next layer so that the properties captured by node capsules can be propagated to suitable graph capsules. Thus, the power network is modeled as multiple graph capsules, and then modeled as multiple class capsules. Different graph capsules reflect the properties of the graph from different aspects.
295
The Graph Network combined with Capsule technique is one of the contributions in this paper. As far as we know, the Graph Network algorithm is firstly be applied to the false data injection attacks detection. In this paper, we characterize the power network into a double directed graph as the input of the Graph Network. The block scheme in Graph Network can handle dynamic
300
changes of power system very well since the structure in power system may be modified frequently in reality. None of these researches are same with the paper [52]. The only common of our paper and the theirs is we both use the Capsule technique to improve our algorithm. However, we use the Capsule technique to keep the buses position in power system for detection the attack location, which
305
is totally for different purposes. Please note that the original work of Capsule technique is cited in the appropriate location. Figure 5 shows a simplified version of how the Caps-CN is used to generate high-quality capsules which then can be applied to detection task of FDI attacks location.
310
At first, multi-scale node features from different layers are extract by the note features extractor in [51]. The extracted features are represented in the small group of neurons which are called capsules and each node corresponds to an active capsule. The multi-layer capsules technic is considerably better tan convolution network at recognization. The procedure of is showed as equation
315
(19).
Xp ˜ −1 E ˜2D ˜ −1 Gli Wijl ), Gl+1 = f ( D j
(19)
i
where Gli ∈ RN
v
×d
is the ith bus features at the layer l, d is the number of
feature channels. Wijl ∈ Rd×d ∈ is the weights matrix which serves as the feature channel filter from the ith channel at the lth layer to the jth channel at the
16
G1
G2
GL−1
GL
{
{
{
{
GN
{
Nv
C1
C2
CL
Nv d
{
Primary Capsules
CL−1
∑
Cl
l
Reshape N
Attention
v
d
∑
Nv ∑
Cl
Cl
l
l
Node-based Normalization
Nv d
{
∑
Cl
l
Routing Graph Capsules
h0
h1
h2
hP−2 hP−1
Routing
Class Capsules
Normal Tampered
Figure 5: Framework of Caps-GN.
l+1th layer. f (·) is a nonlinear activation function which setted as f (·) = tanh(·) 320
v v ˜ = E + I, and in this paper. E ∈ {0, 1}N ×N is the adjacency matrix, E P ˜ = ˜ D j Eij , where I is identity matrix.
The iterative routing-by agreement mechanism is applied after local primary
capsules obtaining the features extracted from all GN layers: the lower-level capsule send its output to higher level capsules. Unlike the max-pooling in 325
CNN, the dynamic routing mechanism keeps the precise position of the note in the graph network. The location information is coded in the output vector of capsules. The number of primary capsules depends on the size of input power net-
17
works. To make the generated graph capsules independent to the size of input, 330
before generating graph capsules with primary capsules, the attention module is applied to scale the original primary capsules and the node-based normalization is applied to generate attention value in each feature channel. Let Cl denotes the number of feature channels at the l-th layer of GN, and d de-
335
notes the dimension of each primary capsule. As shown in Figure 5, the numP P ber of input of attention module is d × l Cl and the output is l Cl . Let
Sn = {s11 , ..., s1C1 , ..., sLCL }, slc ∈ Rd denotes the set of local primary capsules. The scaling procedure is showed as equation (20). P || i s˜j || P shrunk(s(i,j) ) = s(i,j) 1 + || i s˜j ||2 where s˜ ∈ Rd×
P
l
Cl
(20)
is concatenate operation which concatenates all primary
capsules S . s(i,j) ∈ R1×d is the jth capsule of the node i. Next, we multiply n
340
the normalized value with the primary capsules to obtain scaled capsules. The results of this step is S ∈ RN
v
×
P
l
Cl ×d
.
After the attention module and the node-based normalization, as shown in Figure 5, the dynamic routing module is used to preserve the location information of each node during the output of low-level capsules transported to the 345
higher-level capsules. The low-level capsules of different nodes in same layer share the transform matrix. The iterative dynamic routing process is showed as equation (21). v(n,i)j = [sT(i,j) Wijn ||sT(i,Pl Cl ) Wjp ],
(21)
where v(n,i)j ∈ R1×(dn +dp ) is the vector output of graph capsule j from the ith feature channel of the nth node. sT(i,j) ∈ Rd× 350
P
l
Cl
is its input. T ∈ RN
v
×N v
is
the transform matrix calculated form the adjacency matrix E for determining the higher-level capsules. Wijn ∈ Rd×dn and Wjp ∈ Rd×dp are transform weights matrixes. P is the defined number of input low-level capsules. The dynamic routing mechanism is shown in Algorithm 2. To use the generated graph capsules for classification, the dynamic routing
355
is iteratively used to generate final class capsules C ∈ RK×d . Let K = 2 for the 18
Algorithm 2 Dynamic routing mechanism Input: the set of low-level capsules S, the set of transform matrices W, and the number of iterations t; Output: the set of high-level capsules H; 1: 2:
function Routing(t, S, W) for all low-level capsule i in S: vj|i = sTi Wij ;
3:
for all low-level capsule i and all ligher-level capsule j: rij ← 0;
4: 5:
for t iterations do for all low-level capsule i in layer l: r˜i ← sof tmax(ri );
6:
7:
for all ligher-level capsule j in layer l + 1: P sj ← i r˜ij vij ;
for all ligher-level capsule j:
hj ← squash(sj ) in layer l + 1; 8:
for all low-level capsule i to all ligher-level capsule j: rij ← rij + hTj vij ;
9:
end for
10:
return all set of hj ;
11:
end fuction;
P number of final classes of attacks exist or not. ri = j rij . According to [50], the separate margin loss function is calculated as equation (22). Lossclass =
P
+ k {Tk max(0, m
− ||ck ||)2
+λ(1 − Tk )max(0, ||ck || − m− )2 },
(22)
where Tk = 1 iff detection result k is present and m+ = 0.9 and m− = 0.1. The λ = 0.5 down-weighting of the loss for absent detection classes stops the 360
initial learning from reducing the lengths of the activity vectors of all the class capsules. The total loss is simply the sum of the losses of all class capsules. 19
5. Simulation and analysis We employe standard IEEE 30-bus and IEEE 118-bus systems to validate the efficiency of the proposed algorithms. We utilize the Matpower tool to gen365
erate the configuration of the standard IEEE 30-bus and IEEE 118-bus systems and specifically the Jacobian matrix, and the training process of the Recursive Neural Network (RNN), Deep Belief Nets (DBN), CNN-Gated Recurrent Unit (CNN-GRU), GN and Caps-GN algorithms run on TensorFlow platform. The attack strength of FDI attacks are considered two important indexes.
370
One of indexes is sparsity that means the quantity of attacked measurements. The other index is variance of magnitude of disturbances which means the absolute deviation between attacked data and the normal data. The proposed method of detection also is test from these two aspects. Usually, κ represents the sparsity of attack [8, 53]. p = κ/M represents the proportion of tampered
375
data in all measurements. σa2 is the variance of magnitude of disturbances. The proportion of tampered data p is accumulate from 0.05 to 1.00 by adding 0.05 each time. The variance of magnitude of disturbances σa2 is set as 0.005, 0.05, 0.5 respectively. 5.1. Numerical Detection Accuracy Table 1
Attacked Value Normal Value detect as attacked value
TP
FP
detect as normal value
TN
FN
Table 2: The mean values of numerical detection precision and recall on the IEEE 30-bus Algorithm σa2
RNN 0.005
0.05
DBN 0.5
0.005
CNN-GRU
0.05
0.5
0.005
0.05
GN 0.5
0.005
0.05
0.5
precision 99.388% 99.354% 98.551% 99.390% 99.325% 98.651% 97.959% 97.869% 96.723% 99.398% 99.311% 98.040% recall
97.216% 94.759% 90.824% 98.231% 96.417% 94.886% 91.564% 81.376% 80.857% 98.458% 96.986% 95.168%
20
Table 3: The mean values of numerical detection precision and recall on the IEEE 118-bus Algorithm σa2
RNN 0.005
0.05
DBN 0.5
0.005
CNN-GRU
0.05
0.5
0.005
0.05
GN 0.5
0.005
0.05
0.5
precision 96.515% 95.363% 92.529% 97.131% 96.701% 93.764% 97.075% 96.806% 96.541% 98.381% 97.245% 97.439% recall
380
95.763% 93.732% 90.547% 97.643% 96.282% 93.963% 81.644% 79.748% 76.354% 97.343% 96.026% 94.974%
In this part, the detection accuracy of four methods are compared and analyzed. First, the indexes of the numerical detection accuracy is defined as follows, acurracy =
TP + TN , TP + TN + FP + FN
(23)
TP , TP + FP
(24)
precision =
recall =
TP , TP + FN
(25)
where TP (true positive), TN (true negative), FP (false positive) and FN (false negative) are defined as Table 1. 385
Fig.6 and Fig.7 exhibit the exactitudes of FDI attacks detection with different sparsity and magnitude of disturbances, and Table 2 and Table 3 show the mean values of numerical detection precision and recall on IEEE-30 and IEEE118 bus system, respectively. The main aspect of GN is to extract highlevel feature representation for data which can be used for node labeling. We
390
apply the GN to learn the feature representation of power network model for FDI attacks detection problem. From Table 2 and Table 3, we find that the detection precision of all algorithms decrease with the increase magnitude of false data. However, RNN, DBN, CNN-GRU show lower detection accuracy and higher recall to our GN
395
method. Although those three method can deal with false data injection detection problem, their performance at different σa2 are still inferior to GN. When the σa2 set as 0.005, 0.05, 0.5, our method always perform better with the precision higher than 98.04%, 97.245% and the recall higer than 95.168%, 94.974%
21
on IEEE 30-bus and IEEE 118-bus, respectively. 400
In IEEE-30 bus system, the exactitudes of FDI attacks detection are all above 92.6% with Four different methods of detection. The proposed method has the highest degree of exactitude from all three methods. When magnitude of disturbances becomes bigger, the exactitudes of RNN and DBN fluctuates frequently. When variance of magnitude of disturbances is settled as 0.005, 0.05,
405
0.5, the exactitudes of RNN fluctuates at the range of [0.93,0.97], [0.94,0.97], [0.94,0.974] respectively, and the exactitudes of DBN fluctuates at the range of [0.935,0.98], [0.945,0.974], [0.96,0.977] respectively. Additionally, in most cases, the exactitudes of RNN slightly higher than DBN’s. As Fig.6 shows, the exactitudes of the DN based method has an advantage over RNN, DBN and
410
CNN-GRU, and it maintains an average above 98% with tiny fluctuation which makes sure the stable and accurate detection of FDA attacks. Besides, as shown in Fig.6a, in the condition of σa2 = 0.005, all exactitudes of four algorithms show a tendency toward ascent. They had been improved from 93.2%, 93.6%, 96.5% to 96.8%, 98%, 99%. When the magnitude of disturbances
415
becomes bigger, the tendency that exactitudes of FDI attacks detection increase with sparsity of attack becoming more intensive is not obvious. Although there is trifling improvement, the difference is insignificant. In IEEE-118 bus system, the exactitudes of FDI attacks detection are all above 95.4% with four different methods of detection. Similar with IEEE-30
420
bus system, the GN based method has higher degree of exactitude than other three methods, and its’ exactitudes of FDI attacks detection maintains an average above 98.2% basically. With the magnitude of disturbances increasing, exactitudes of RNN, DBN and CNN-GRU fluctuate milder than the case of IEEE-30 bus system, but both of them are still not as well as the GN in the
425
aspect of stabilization. As shown in Fig.7a, the exactitudes of FDI attacks detection also increase with sparsity of attack becoming more intensive when σa2 = 0.005, and exactitudes of RNN, DBN, CNN-GRU, and GN base detector improve from 95.5%, 95.7%, 98.2% to 97.5%, 98.2%, 99.5%, respectively. However, different with 22
1.00
Exactitude of Detection
0.99 0.98 0.97 0.96 0.95 0.94
RNN y1vs x DBN y2vs x CNN-GRU y4 vs x GNvs x y3-
0.93 0.92 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1.0
0.9
1.0
0.9
1.0
Sparsity of Attack
(a) σa2 = 0.005 1.00
Exactitude of Detection
0.99
0.98
0.97
0.96 RNNvs x 1y1DBNvs x 1y2CNN-GRU 1y4 vs x GN vs x 1y3-
0.95
0.94 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Sparsity of Attack
(b) σa2 = 0.05
Exactitude of Detection
0.99
0.98
0.97
0.96 RNN vs x 10y1DBN vs x 10y2CNN-GRU 10y4 vs x GN vs x 10y3-
0.95
0.94 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Sparsity of Attack
(c) σa2 = 0.5 Figure 6: Results of FDI attacks detection on IEEE-30 bus system.
23
1.00
Exactitude of Detection
0.99
0.98
0.97
RNN y1vs x DBN y2vs x CNN-GRU y4 vs x GNvs x y3-
0.96
0.95 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1.0
0.9
1.0
0.9
1.0
Sparsity of Attack
(a) σa2 = 0.005 1.00
Exactitude of Detection
0.99
0.98
0.97
RNN y1vs x DBN y2vs x CNN-GRU y4 vs x GNvs x y3-
0.96
0.95 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Sparsity of Attack
(b) σa2 = 0.05 1.00
Exactitude of Detection
0.99
0.98
0.97
RNN y1vs x DBN y2vs x CNN-GRU y4 vs x GNvs x y3-
0.96
0.95 0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Sparsity of Attack
(c) σa2 = 0.5 Figure 7: Results of FDI attacks detection on IEEE-118 bus system.
24
430
IEEE-30 bus system, the rise of exactitudes relatively gentle. In Fig.7b and Fig.7c, the exactitudes of FDI attacks detection is stable. It means the detector can accurately identify the tampered measurements no matter how limited it is. 5.2. Locaion Detection Accuracy To analyze detection accuracy of false data injection location, two indexes
435
are defined as follows: TR =
FL =
nsd
,
(26)
,
(27)
ntamperd nf d nnormal
where nsd , ntamperd , nf d and nnormal are defined as Table 4. Table 4
nsd
the number of successful detection of the injected data locations
ntamperd
the number of locations with false data
nf d
the number of false detection of the attack-free locations
nnormal
the number of location with no attack
We compare the developed detection method, Caps-GN, with GN based detection method. Table 2 and Table 3 show the mean T R and F L values of location detection with different σa2 on IEEE-30 and IEEE118 bus system, 440
respectively. As the results clearly shown, the developed detection method can be accurately detect the locations of the FDI attacks at lower F L values, which avoid the false alarm that many locations where no injection occurs are also detected as FDI attacks. The T R results of Caps-GN is higher than GN, which means that the higher accuracy of Caps-GN for detecting the location of FDI
445
attacks. Furthermore, the F L results of Caps-GN is lower than GN, so the improved detection method can identify the location of the actual attack, which will safeguard the normal operation of the smart grid. In case of the intentional terrorist FDI attacks scenarios, we investigate the performance of GN and Caps-GN based attack location detection algorithm 25
Table 5: The mean T R and F L values of location detection on the IEEE 30-bus
Algorithm σa2
GN 0.005
0.05
Caps-GN 0.5
0.005
0.05
0.5
TR
87.789% 79.462% 76.895% 99.576% 99.143% 98.078%
FL
12.254% 18.675% 21.146% 1.528%
3.138%
3.991%
Table 6: The mean T R and F L values of location detection on the IEEE 118-bus
Algorithm σa2
450
GN 0.005
0.05
Caps-GN 0.5
0.005
0.05
0.5
TR
83.545% 77.678% 76.067% 99.467% 98.496% 97.154%
FL
18.828% 21.562% 24.677% 2.372%
3.834%
5.261%
when increase scale FDI attacks appears. To analyze the performance of these two detection method, we increase 5 attacked meters each time, from 0 to 50. Based on the experiment results shown in Fig. 8, it can be clearly discover that with the increase of FDI attacks scale, the Caps-GN detection method has better performances than CN detection method. Although the false alarm rates
455
of both algorithm are in an acceptable range, the rate of false alarm of CN detection method becomes obviously lager when the number attacked meters more than 15. In summary, the developed detection method can identify FIA attacks better with increase attack scale, thus it is more efficient deal with various intentional terrorist cyber and physical attacks scenarios.
460
6. Conclusion and future work In this paper, the FDI attacks in smart grid is considered. This attacks aim at tampering measurements to produce a large bias from nominal values in state estimators and threat control center security. After analyzing the FDI attacks, the graphical detection technique based on GN and location detection technique
465
based on Caps-GN are proposed to solve the problem of FDI attacks detection in smart grid. The results of simulation prove the proposed methods has obvious 26
Mean rate of false alarm
2×10
−3
1×10
−3
GN vs attacked meters GN Caps-GN vs attacked meters Caps-GN
0 0
5
10
15
20
25
30
35
40
45
50
The number of attacked meters
Figure 8: The mean values of false alarm with the increase of FDI attack scale on GN and Caps-GN.
advance than existing schemes in the aspect of accuracy and stability. Specifically, the Caps-GN based detector can identify the location of FID attacks and performs better with increase attack scale. To a certain extent, promptly de470
tecting attack can protect the security of smart grid effectively. In future, the defensive scheme against false data injection attack will be continually studied.
References References [1] Q. Yang, L. Jiang, W. Hao, B. Zhou, P. Yang, and Z. Lv, “PMU Placement 475
in Electric Transmission Networks for Reliable State Estimation Against False Data Injection Attacks,” IEEE Internet of Things Journal, vol. 4, no. 6, pp. 978–1986, Dec. 2017, 10.1109/JIOT.2017.2769134. [2] A. Hahn, A. Ashok, S. Sridhar, and M. Govindarasu, “Cyber-Physical Security Testbeds: Architecture, Application, and Evaluation for Smart Grid,”
480
IEEE Transactions on Smart Grid, vol. 4, no. 2, pp. 847–855, Jun. 2013, 10.1109/TSG.2012.2226919. [3] H. He, J. Yan, “Cyber-Physical Attacks and Defences in the Smart Grid: A Survey,” IET Cyber-Physical Systems: Theory & Applications, vol. 1, no. 1, pp. 13–27, Dec. 2016, 10.1049/iet-cps.2016.0019. 27
485
[4] S. A. Foroutan, F. R. Salmasi, “Detection of False Data Injection Attacks Against State Estimation in Smart Grids based on A Mixture Gaussian Distribution Learning Method,” IET Cyber-Physical Systems: Theory & Applications, vol. 2, no. 4, pp. 161–171, Dec. 2017, 10.1049/iet-cps.2017.0013. [5] G. Liang, J. Zhao, F. Luo, S. R. Weller and Z. Y. Dong, “A Review
490
of False Data Injection Attacks Against Modern Power Systems,” IEEE Transactions on Smart Grid, vol. 8, no. 4, pp. 1630–1638, Jul. 2017, 10.1109/TSG.2015.2495133. [6] R. Punmiya and S. Choe, “Energy Theft Detection Using Gradient Boosting Theft Detector With Feature Engineering-Based Preprocessing,” IEEE
495
Transactions on Smart Grid, vol. 10, no. 2, pp. 2326–2329, 2019. [7] L. Zhang, X. Wang, Y. Jiang, M. Yang, T. Mak, and A. K. Singh, “Effectiveness of HT-assisted sinkhole and blackhole denial of service attacks targeting mesh networks-on-chip,” Journal of Systems Architecture, vol. 89, pp. 84–94, 2018, 10.1016/j.sysarc.2018.07.005.
500
[8] Y. Liu, P. Ning, and M. K. Reiter, “False Data Injection Attacks Against State Estimation in Electric Power Grids,” in Proc. ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009, pp. 21–32. [9] B. Li, T. Ding, C. Huang, J. Zhao, Y. Yang, and Y. Chen, “Detecting False
505
Data Injection Attacks Against Power System State Estimation With Fast Go-Decomposition (GoDec) Approach,” IEEE Transactions on Industrial Informatics, vol. 15, no. 5, pp. 2892–2904, 2019. [10] R. Deng and H. Liang, “False Data Injection Attacks With Limited Susceptance Information and New Countermeasures in Smart Grid,” IEEE
510
Transactions on Industrial Informatics, vol. 15, no. 3, pp. 1619–1628, 2019. [11] Z. Li, M. Shahidehpour, A. Alabdulwahab, and A. Abusorrah, “Bilevel Model for Analyzing Coordinated Cyber-Physical Attacks on Power Sys28
tems,” IEEE Transactions on Smart Grid, vol. 7, no. 5, pp. 2260–2272, Sep. 2016. 515
[12] L. Xie, Y. Mo, and B. Sinopoli, “Integrity data attacks in power market operations,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 659–666, Dec. 2011. [13] G. Liang, S. R. Weller, J. Zhao, F. Luo and Z. Y. Dong, “The 2015 Ukraine Blackout: Implications for False Data Injection Attacks,” IEEE
520
Transactions on Power Systems, vol. 32, no. 4, pp. 3317–3318, Jul. 2017, 10.1109/TPWRS.2016.2631891. [14] Y. Yuan, Z. Li, and K. Ren, “Modeling load redistribution attacks in power systems,” IEEE Transactions on Smart Grid, vol. 2, no. 2, pp. 382–390, Jun. 2011.
525
[15] Y. Yuan, Z. Li, and K. Ren, “Quantitative analysis of load redistribution attacks in power systems,” Transactions on Parallel and Distributed Systems, vol. 23, no. 9, pp. 1731–1738, Sep. 2012. [16] R. Tan, H. H. Nguyen, E. Y. S. Foo, D. K. Y. Yau, Z. Kalbarczyk, R. K. Iyer, and H. B. Gooi, “Modeling and Mitigating Impact of False Data
530
Injection Attacks on Automatic Generation Control,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 7, pp. 1609–1624, Jul. 2017, 10.1109/TIFS.2017.2676721. [17] S. Sridhar and M. Govindarasu, “Model-based attack detection and mitigation for automatic generation control,” IEEE Transactions on Smart Grid,
535
vol. 5, no. 2, pp. 580–591, Mar. 2014. [18] S. Sridhar and G. Manimaran, “Data integrity attack and its impacts on voltage control loop in power grid,” in Proc. IEEE Power & Energy Society General Meeting, Detroit, MI, USA, 2011, pp. 1–6. [19] Y. Chen, S. Huang, F. Liu, Z. Wang, X. Sun, “Evaluation of Reinforce-
540
ment Learning-Based False Data Injection Attack to Automatic Voltage 29
Control,” IEEE Transactions on Smart Grid, vol. 10, no. 2, pp. 2158–2169, Mar. 2019, 10.1109/TSG.2018.2790704. [20] Y. Zhang, L. Wang, Y. Xiang, C. Ten, “Power System Reliability Evaluation With SCADA Cybersecurity Considerations,” IEEE Trans545
actions on Smart Grid, vol. 6, no. 4, pp. 1707–1721, July. 2015, 10.1109/TSG.2015.2396994. [21] A. Tajer, “False Data Injection Attacks in Electricity Markets by Limited Adversaries: Stochastic Robustness,” IEEE Transactions on Smart Grid, vol. 10, no. 1, pp. 128–138, Jan. 2019, 10.1109/TSG.2017.2733346.
550
[22] J. Lin, W. Yu, X. Yang, “Towards Multistep Electricity Prices in Smart Grid Electricity Markets,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 1, pp. 286–302, Jan. 2016, 10.1109/TPDS.2015.2388479. [23] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, “False Data
555
Injection on State Estimation in Power Systems: Attacks, Impacts, and Defense: A Survey,” IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2017. [24] D. B. Rawat, C. Bajracharya, “Detection of False Data Injection Attacks in Smart Grid Communication Systems,” IEEE Signal Processing Letters,
560
vol. 22, no. 10, pp. 1652–1656, Oct. 2015, 10.1109/LSP.2015.2421935. [25] S. Pal, B. Sikdar, and J. Chow, “Classification and Detection of PMU Data Manipulation Attacks Using Transmission Line Parameters,” IEEE Transactions on Smart Grid, pp.1–10, Mar. 2017, 10.1109/TSG.2017.2679122. [26] R. Moslemi, A. Mesbahi, and J. M. Velni, “A Fast, Decentral-
565
ized Covariance Selection-based Approach to Detect Cyber Attacks in Smart Grids,” IEEE Transactions on Smart Grid, pp.1–12, Mar. 2017, 10.1109/TSG.2017.2675960.
30
[27] B. Tang, J. Yang, S. Kay, and H. He, “Detection of false data injection attacks in smart grid under colored Gaussian noise,” in Proc. IEEE Con570
ference on Communications and Network Security (CNS), Philadelphia, PA, USA, 2016, pp. 172–179. [28] X. Yang, X. Zhang, J. Lin, W. Yu, and P. Zhao, “A Gaussian-Mixture Model Based Detection Scheme against Data Integrity Attacks in the Smart Grid,” in Proc. International Conference on Computer Communication and
575
Networks (ICCCN), Waikoloa, HI, USA, 2016, pp. 1–9. [29] Y. Zhou, Z. Miao, “Cyber attacks, detection and protection in smart grid state estimation,” in Proc. North American Power Symposium (NAPS), Denver, CO, USA, 2016, pp. 1–6. [30] V. B. Krishna, K. Lee, G. A. Weaver, R. K. Lyer, and W. H. Sanders,
580
“F-DETA: A Framework for Detecting Electricity Theft Attacks in Smart Grids,” in Proc. IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Toulouse, France, 2016, pp. 407–418. [31] O. Boujelben, and M. Bahoura, “Efficient FPGA-based architecture of an automatic wheeze detector using a combination of MFCC and SVM
585
algorithms,” Journal of Systems Architecture, vol. 88, pp. 54–64, 2018, 10.1016/j.sysarc.2018.05.010. [32] C. Lai, C. Yeh, C. Tu, and S. Hung, “Fast profiling framework and race detection for heterogeneous system,” Journal of Systems Architecture, vol. 81, pp. 83–91, 2017, 10.1016/j.sysarc.2017.10.010.
590
[33] B. Li, Y. Lin, and S. Zhang, “Multi-Task Learning for Intrusion Detection on web logs,” Journal of Systems Architecture, vol. 81, pp. 92–100, Nov. 2017, 10.1016/j.sysarc.2017.10.011. [34] R. Lazcano, D. Madronal, R. Salvador, K. Desnos, M. Pelcat, R. Guerra, H. Fabelo, S. Ortega, S. Lopez, G.M. Callico, E. Juarez, and C. Sanz, “Porting
595
a PCA-based hyperspectral image dimensionality reduction algorithm for 31
brain cancer detection on a manycore architecture,” Journal of Systems Architecture, vol. 77, pp. 101–111, 2017, 10.1016/j.sysarc.2017.05.001. [35] M. Esmalifalak, L. Liu, N. Nguyen, R. Zheng, and Z. Han, “Detecting Stealthy False Data Injection Using Machine Learning in Smart 600
Grid,” IEEE Systems Journal, vol. 11, no. 3, pp. 1644–1652, Aug. 2014, 10.1109/JSYST.2014.2341597. [36] J. Yan, B. Tang, and H. He, “Detection of false data attacks in smart grid with supervised learning,” in Proc. International Joint Conference on Neural Networks(IJCNN), Vancouver, BC, Canada, 2016, pp. 1395–1402.
605
[37] S. Waghmare, F. Kazi, and N. Singh, “Data driven approach to attack detection in a cyber-physical smart grid system,” in Proc. Indian Control Conference (ICC), Guwahati, India, 2017, pp. 271–276. [38] Y. Chakhchoukh, S. Liu, M. Sugiyama, and H. Ishii, “Statistical outlier detection for diagnosis of cyber attacks in power state estimation,” in Proc.
610
2016 IEEE Power and Energy Society General Meeting (PESGM), Boston, MA, USA, 2016, pp. 1–5. [39] J. Wei, G. J. Mendis, “A deep learning-based cyber-physical strategy to mitigate false data injection attack in smart grids,” in Proc. Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-
615
SG), Vienna, Austria, 2016, pp. 1–56. [40] Y. He, G. J. Mendis, and J. Wei, “Real-Time Detection of False Data Injection Attacks in Smart Grid: A Deep Learning-Based Intelligent Mechanism,” IEEE Transactions on Smart Grid, vol. 8, no. 5, pp. 2505–2516, Sept. 2017, 10.1109/TSG.2017.2703842.
620
[41] J. Zhou, G. Cui, Z. Zhang, C. Yang, Z. Liu, L. Wang, C. Li, and M. Sun, “Graph Neural Networks: A Review of Methods and Applications,” in arXiv:1812.08434, 2018.
32
[42] J. Li, L. Liu, C. Zhao, K. Hamedani, R. Atat, and Y. Yi, “Enabling Sustainable Cyber Physical Security Systems Through Neuromorphic Computing,” 625
IEEE Transactions on Sustainable Computing, vol.3 , no. 2, pp. 112–125, Jun. 2017, 10.1109/TSUSC.2017.2717807. [43] L. Zhang, A. Bose, A. Jampala, V. Madani, and J. Giri, “Design, Testing, and Implementation of a Linear State Estimator in a Real Power System,” IEEE Transactions on Smart Grid, vol. 8, no. 4, pp. 1782–1789, Jul. 2017,
630
10.1109/TSG.2015.2508283. [44] J.J. Grainger, W.D. Stevenson, Power system analysis, (McGraw-Hill, 1994) [45] A.J. Wood, B.F. Wollenberg, Power generation, operation, and control, (John Wiley & Sons, 2012)
635
[46] Q.Yang, J. Yang, W. Yu, D. An, N. Zhang, W. Zhao, “On False DataInjection Attacks against Power System State Estimation: Modeling and Countermeasures,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 3, pp.717–729, Mar. 2014, 10.1109/TPDS.2013.92. [47] F. C. Schweppe, J. Wildes, “Power system state estimation, parts I, II and
640
III,” IEEE Transactions on Power Apparatus and Systems, vol. PAS-89, no. 1, pp. 120–135, Jan. 1970, 10.1109/TPAS.1970.292678. [48] K. Manandhar, X. Cao, F. Hu, Y. Liu, “Detection of faults and attacks including false data injection attack in smart grid using kalman filter,” IEEE Transactions on Control of Network Systems, vol. 1, no. 4, pp.370–
645
379, Dec. 2014, 10.1109/TCNS.2014.2357531. [49] G. E. Hinton, S. Sabour, and N. Frosst, “Matrix capsules with EM routing,” in International Conference on Learning Representations, Oct. 2018. [50] S. Sabour, N. Frosst, and G. E. Hinton, “Dynamic routing between capsules,” in Advances in Neural Information Processing Systems (NIPS), pp.
650
3856–3866, 2017. 33
[51] T. N. Kipf and M. Welling, “Semi-supervised classification with graph convolutional networks,” in International Conference on Learning Representations, 2017. [52] X. Zhang, L. Chen, “Capsule Graph Neural Network,” in ICLR 2019 Con655
ference Blind Submission, Mar. 2019. [53] M. Ozay, I. Esnaola, F. T. Y. Vural, S. R. Kulkarni, H. V. Poor, “Machine Learning Methods for Attack Detection in the Smart Grid,” IEEE Transactions on Neural Networks and Learning Systems, vol. 27, no. 8, pp. 1773–1786, Mar. 2016, 10.1109/TNNLS.2015.2404803.
34
660
Yuancheng Li received the Ph.D. degree in automation system pattern recognition and intelligent system from the University of Science and Technology of China, Hefei, China, in 2003. From 2004 to 2005, he was a Postdoctoral Research Fellow with the Digital Media Laboratory, Beihang University, Beijing, China. Since 2005, he has been
665
with the North China Electric Power University, where he is currently a Professor in information security of power industry control system and the Dean of the Institute of Smart Grid and Information Security. From 2009 to 2010, he was a Postdoctoral Research Fellow with the Cyber Security Laboratory, College of Information Science and Technology, Pennsylvania State University,
670
State College, PA, USA. He has hosted and participated in several research projects for the National Natural Science Foundation of China, National 863 Plan projects. He has authored more than 70 articles, and more than ten inventions. His research interests include power grid security, state estimation, information security, cloud computing, big data security, and cloud security.
35
Yuanyuan Wang received the M.S. degree in software
675
engineering in 2016 from North China Electric Power University, Beijing, China. She is currently pursuing the Ph.D. degree with the Institute of Smart Grid and Information Security, the School of Control and Computer Engineering, North China Electric Power University. 680
She is a Visiting Ph.D. Student with the School of Computer Science and Electronic Engineering, University of Essex, Colchester, U.K. Her research interests include smart grid security, data attack, information security, data mining, and machine learning.
36
We declare that we do not have any commercial or associative interest that represents a conflict of interest in connection with the paper submitted.