SPECIAL SECTION ON DIGITAL FORENSICS THROUGH MULTIMEDIA SOURCE INFERENCE

Received April 27, 2019, accepted May 17, 2019, date of publication May 31, 2019, date of current version July 2, 2019.
Digital Object Identifier 10.1109/ACCESS.2019.2920326

A Deep and Scalable Unsupervised Machine

Learning System for Cyber-Attack Detection
in Large-Scale Smart Grids
HADIS KARIMIPOUR 1 , (Member, IEEE), ALI DEHGHANTANHA 1 , (Senior Member, IEEE),
REZA M. PARIZI 2 , (Member, IEEE), KIM-KWANG RAYMOND CHOO3 , (Senior Member, IEEE),
AND HENRY LEUNG 4 , (Fellow, IEEE)
1 University of Guelph, Guelph, ON N1G 2W1, Canada
2 Kennesaw State University, GA 30060, USA
3 University of Texas at San Antonio, TX 78249, USA
4 University of Calgary, Calgary, AB T2N 1N4, Canada

Corresponding author: Ali Dehghantanha ([email protected])

ABSTRACT Smart grid technology increases reliability, security, and efficiency of the electrical grids.
However, its strong dependencies on digital communication technology bring up new vulnerabilities that
need to be considered for efficient and reliable power distribution. In this paper, an unsupervised anomaly
detection based on statistical correlation between measurements is proposed. The goal is to design a scalable
anomaly detection engine suitable for large-scale smart grids, which can differentiate an actual fault from
a disturbance and an intelligent cyber-attack. The proposed method applies feature extraction utilizing
symbolic dynamic filtering (SDF) to reduce computational burden while discovering causal interactions
between the subsystems. The simulation results on IEEE 39, 118, and 2848 bus systems verify the
performance of the proposed method under different operation conditions. The results show an accuracy
of 99%, true positive rate of 98%, and false positive rate of less than 2%

INDEX TERMS Anomaly, cyber-attack, smart grid, statistical property, machine learning, unsupervised
learning.

I. INTRODUCTION the importance of cyber-attack analysis to maintain a sta-

Today’s power systems consist of a network of sensors and ble and reliable operation of the power supply. A cyber-
generators that allow two way communication within the attack can result in overload that will damage the equipment,
system’s infrastructure as well as reliable energy production or false demand request which can result in lots of energy
through integration of Distributed Energy Resources (DERs) generated [2]–[4]. Besides, a malicious attack can also cause
and Advanced Metering Infrastructure (AMI). While this false negatives, i.e., false overload condition in a power sys-
complex communication system has tremendous advantage, tem. Other disruptions in different parts of the smart grid,
by improving energy efficiency, reliability, and manageabil- electric vehicle infrastructure, is also possible. It is shown
ity, it increases the system’s vulnerabilities to cyber-attacks in [5], [6] that malicious attacks by blocking communications
due to the tremendous number of devices and access points with a device can stop services in substation computers.
that operate outside the traditional administrative domain. Therefore, real time cyber-attack detection is paramount for
Since failures in the power grid may lead to catastrophic the reliable performance of the critical infrastructure includ-
events, it is highly important to investigate the effects of ing smart grids. Online and continuous system monitoring
cyber-attacks in a power system. is a requirement to detect targeted cyber-attacks and achieve
As reported in [1], lack of system awareness is the main attack resilience [7].
reason in the North American blackouts, which highlight In general, individual sensors in a large-scale network are
the main target of security compromises. A compromised
The associate editor coordinating the review of this manuscript and insider can easily access information stored in a compro-
approving it for publication was Zhen Qin. mised node. In theory, key revocation of any compromised
2169-3536 2019 IEEE. Translations and content mining are permitted for academic research only.
80778 Personal use is also permitted, but republication/redistribution requires IEEE permission. VOLUME 7, 2019
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids
node is possible by applying an authentication mechanism to
sensor networks. However, authentication approaches based
on cryptography or security gateway design, such as the one
described in [8], [9], are infeasible due to the computation
and storage constraints of the system. The existing studies
within the smart power grid context mainly focus on the net-
working security of the cyber elements [10]–[12], advanced
anomaly detection techniques [13], [14], and secure control
theories based on different state estimation techniques [15].
A detailed analysis about presence of cyberattack in a power
system is described in [16].
Although the above mentioned solutions are capable of
immunizing the power systems, majority of them are math-
ematically too expensive, physically impractical and not
scalable for large-scale complex network. Nowadays, huge
amount of data is generated all over the grids which increase
accessibility for real-time system monitoring. Exploring
these data greatly enhances the performance monitoring,
diagnosis, and prognosis of anomaly in complex systems.
Historical data describing the system’s operation can help
identify anomalies and potential attacks. However, tradi-
tional Bad Data Detection (BDD) techniques are not prepared
for real time computational and storage issues due to the
large-volume of data generated in the smart grid. These chal-
lenges opens up the possibility of using data analytical tech-
niques, such as Machine Learning (ML), to tackle complex
structure data sets with AI to detect and prevent cyber-attacks.
ML algorithms can be used to analyze various combinations
of measurements through AMI, states, and control actions
by learning their patterns [17], [18]. It can detect False Data
Injection (FDI) attack by learning the non-linear, complex
relationship between measurements. This can be done in
a similar fashion to successful techniques applied to other
power system problems as seen in the research literature [19].
There are limited studies on the application of ML on
cyber-security of the smart grids. Several ML algorithms are
tested and compared in [20] for detection of FDI attacks.
General conclusions was made about the success of machine
learning in classifying FDI attacks. [21] proposed a hybrid
intrusion detection method based on common path mining
method to detect abnormal power system events from PMU
data, relays, and energy management system (EMS) logs.
A cyber-attack detection techniques based on the correla-
tion between two PMU parameters using Pearson corre-
lation coefficient was used in [22]. This method analyzed
the change of correlation between two PMU parameters
using Pearson correlation coefficient. Authors in [20] uti-
lized Gaussian process combined with ML to model the
attack strategy for anomaly detection. In [23] a supervised
ML–based scheme is proposed to detect a cyber-deception
assault in the state estimation process. A deep learning
method which recognize important features of FDI attacks in
real-time is also proposed in [24].
Performance of the existing, data-driven attack detection
techniques can be improved using Probabilistic Graphical
Models (PGM) to model complex system behavior. Among
VOLUME 7, 2019
PGMs, Dynamic Bayesian Networks (DBN) are useful tools
which can represent complex systems evolving in time using
the causal relationships between system components [25].
Moreover, new techniques should be developed to handle
the complex and high dimensional data to maintain the
robustness, scalability and accuracy of the attack detection
mechanisms. To reduce the computational burden in large
data sets, feature extraction can be used to transform the
original features into a more meaningful representation by
reconstructing its inputs and it involves reducing the amount
of resources required [26], [27]. Detection techniques that do
not rely on pre-classified training data are essential, as there
exists anomalies which cannot be measured or simulated.
In this work, we propose a smart grid anomaly detection
method to extract the patterns of changes in FDI attacks. The
revealed features are employed to detect the attacks in real-
time. Symbolic Dynamic Filtering (SDF) is used to build a
computationally efficient feature extraction scheme to dis-
cover causal interactions between the smart grids sub-systems
through DBN. Mutual Information (MI), DBN and learn-
ing algorithms are used to detect unobservable cyber-attacks
based on free energy as the anomaly index. Our goal is to
capture dependencies between variables through associating
of a scalar energy to each variables, which serves as a measure
of compatibility. The scalability of the proposed technique is
examined on various IEEE test systems which was modeled
on PSS/E software. The results show high accuracy and low
false alarm under different operation conditions. It should be
mentioned that the proposed method does not only relies on
the pattern in the training data sets but It also uses the concept
of free energy to differentiate between the energy level in
the attacked and normal data sets. Therefore, even new and
unseen attacked can be detected.
The main contributions of this work are as follows:
• Formulation of an unsupervised approach to detect an
anomaly in smart grids without labeling data sets.
• Proposing a scalable method by reducing computational
burden through data reduction by SDF.
• Developing a strong learning model based on DBN.
• Proposing a model-free approach, which can be
employed in hierarchical and topological networks for
different attack scenarios.
The rest of the paper is organized as follows. Mathematical
formulations are described in Section II. Proposed cyber-
attack detection method is presented in Section III. Section IV
discusses the case studies and simulation results followed by
the conclusion in Section V.
II. MATHEMATICAL MODELING
A. GENERATOR’S MODEL
In this work, smart grid is modeled as a multi-agent, cyber-
physical system where each of these agents include a genera-
tor, a measurement device, a distributed control agent, and an
energy storage system that can inject or absorb real power in
the system [28]. The dynamic and static state of the system
80779
 H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

are described as follows: where Gik = Gki and Bik = Bki are the conductance and
susceptance between generators i and k, respectively.
ẋ = f (x, u, η) In this work, the goal is to learn and predict the
z = h (x, u, ε) (1) dynamic behavior of the smart power grid (where gener-
ators are modeled as explained in this section) to detect
where x is the system state including the dynamic state of
anomaly/cyber-attacks. SDF, DBN, and RBM are used to
the generator (e.g. rotor speed and rotor angle) and the static
develop a computationally efficient tool for discovering the
state of the network (voltage magnitude and phase angle). f (.)
interactions between the subsystems.
describes the non-linear, dynamic behavior of the generators
and h (.) is the measurements non-linear function. u and z
B. ATTACK REPRESENTATION
represent the output and measurements vector, respectively.
Traditionally, the integrity of the state estimation process
The 4-th order (two-axis) model of generator i’s can be
is verified through BDD method by computing the L-norm
described as [29]:
of measurement residual [31]. The presence of bad data is
δ̇i = s 1ωi determined if
ωs
ω̇i = (PMi − PEi − Di 1ωi ) z − H x̂ > Tr (5)
2Hi
0 1  0  0
 
where z ∈ RN is the measurement vector, x̂ ∈ RD is the
Ėqi = 0 −Eqi − Xdi − Xdi Idi + Vfi
Tdi estimated state vector, and H ∈ RN ×D is the Jacobian matrix.
0 1  0  0
  A threshold Tr is pre-defined to maintain the accuracy of
Ėdi = 0 −Edi + Xqi − Xqi Iqi the state estimation. Aside from the fact that cyber-attacks
Tqi
0 0 bypass the existing BDD technique, measurement redun-
Eqi = Vqi + Rai Iqi + Xdi Idi dancy required for BDD approaches makes them impractical
0 0
Edi = Vdi + Rai Idi − Xqi Iqi (2) for smart grid technology. In intelligent cyber-attacks, specif-
ically FDI attacks, the goal of the adversary is to control a
where ()˙ denotes the time derivative. Generator parameters subset of the measurements and manipulate the state variables
are described using Table 1. arbitrarily. It can be done by injecting a false data vector za ∈
RN which by pass traditional BDD techniques. Suppose the
TABLE 1. Generator parameter description. malicious attack intentionally manipulates the meter readings
by za . Accordingly, the attack- incurred measurement change
can be written as:
 

x + ca  + qa + 
z = H x̂ + za +  = H b (6)
 
| {z }
x̂a

where  is the measurement noise, and x̂a is the faulty esti-

mated state.
The injected false data (za ) can be decomposed into two
parts a = Hca and qa , where ca ∈ RD is an injected vector
of data which bypass BDD tests since it lies in the column
space of H, and qa is the only detectable part that lies in

−1 T
the complementary space where H H T H H qa = 0.
In other words, the stealth attack vectors (za ) always exists
even if the adversary can get partial access to the network
topology and line parameters to construct malicious attacks
For synchronous generator i, excitation system controls that completely lie in (H ), i.e., qa = 0, thereby bypassing the
the field voltage, the mechanical torque is controlled by the existing BDD methods [32].
associated speed governor, and the electrical output can be The following assumptions are considered in the model of
calculated as follows: the attack:
0 0
 0 0

PEi = Edi Idi + Eqi Iqi + Xqi − Xdi Idi Iqi . (3) • In this work, the assumption is that the attacker has lim-
ited resources and could only manipulate limited number
Let Ei denote the internal voltage of generator i, then PEi can of measurement readings. This could be either power
be expressed as [30]: injection or power flow data, for a time period Ta ⊆ T .
N
X This is a realistic assumption because, in the context
PEi = |Ei | |Ek | (Gik cos (δi −δk )+Bik sin (δi − δk )) (4) of power networks it is not realistic to assume that all
k=1 sensors report faulty measurements at the same time.

80780 VOLUME 7, 2019

H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids
Moreover, in reality, compromising all measurements
results in huge cost and effort for attackers.
• Complete knowledge of the system is literally impos-
sible for an outsider. Therefore, the attacker has par-
tial knowledge of the system topology and security
mechanisms. Such knowledge can be obtained by sta-
tistical analysis of data sent from the remote terminal
units (RTUs) to the control center or by physically cap-
turing the security information embedded in a node.
In this work, strategic sparse FDI attack with least absolute
shrinkage and selection operator (LASSO) is considered.
Jacobian matrix (H ) is decomposed based on a
row-wise
approach. A sub Matrix H S = Hji ,: , HjN −|S|,: , of H is
created to represent the secure measurements, where Hji ,:
is the ji -th row of H, such that H S ca = 0. Likewise, sub-
matrix H A is constructed for attacked measurements. Finally,
the attacker’s strategy is defined in a way to find a solution ca
which optimize following objective function:
Minimize H A ca
0 at once.
Subject to H S ca = 0,
kca k∞ ≥ τ,
where τ ≥ 0 is a given constant. The optimization problems
is solved using LASSO and Regressor Selection algorithms.
More details about the attack construction is available in [33].
The goal of the attacker is to manipulate rotor speed and
angle through FDI attack by hacking into the communication
network. Hence, ∀t ∈ Ta , for generator i, the effect of FDI
attacks on the system state can be written as:
xia (t) = xi (t) + γi xi (t) + Ci
where the γi is a constant coefficient and Ci represents a
constant bias in the attacked states. In other word, the attacker
is interested to alter the system state by γi and Ci . Considering
that, the attacker will design za in a way that the attack vector
remains unobservable for the operator and traditional BDD
methods. In the experiments, we assume that the attacker has
access to λ measurements, which are randomly chosen to
generate a λ-sparse attack vector.
III. PROPOSED ENERGY-BASED CYBER-ATTACK
DETECTION
In this section, a cyber-attack detection framework is pro-
posed which utilize DBN modeling, feature extraction
through MI and RBM for data training. DBN and MI are
applied to smart grid test systems with extensive measure-
ments, and the RBM is used to capture the patterns in system
behaviour that are extracted by the unsupervised DBN model
(data are not labeled).
The proposed data driven framework for anomaly detection
is depicted in Fig. 2. At first, the system is partitioned into
several sub-systems. Then causal dependency between nom-
inal characteristics of subsystems are learned using SDF. The
proposed method is a computationally efficient tool, which
VOLUME 7, 2019
FIGURE 1. Illustration of the steps to generate DBN using SDF-based
feature extraction.
reduce the computational burden by: 1) selecting a subset
of measurements through feature selection and SDF, and
2) by domain decomposition and data processing on several
subsystems in parallel, rather than dealing with whole system
(7) A. SYMBOLIC DYNAMIC FILTERING
In the proposed feature extraction method based on SDF,
the time series data are first converted into symbol sequences,
and then DBN are defined from these sequences to compress
the information into low-dimensional statistical patterns. The
phase space of the system in Eq. (1) is divided into a finite
number of cells. A compact region  is identified by intro-
T0 , . . . , B −1 } consisting of m
ducing a partition B ≡ {B
mutually exclusive (i.e., Bj Bk = ∅ ∀j 6 = k) and exhaus-
tive ( j=0−1 Bj = ) cells. The dynamic system describes
S
(8)
the time-series data as O ≡ {β0 , . . . ,β −1 } ,βi ∈ ,
which passes through the cells of the partition B [34], [35].
To understand the concepts of partitioning and mapping
into the symbol alphabet, consider the system shown in
Fig. 1 [34].
Consider the cell visited by a trajectory as a random vari-
able S with symbol value s ∈ A. Symbol alphabet is the
set A of different symbols that mark the elements in
the partition. Every initial state β0 ∈  produce a series of
symbols which can be defined by mapping from the phase
space into the symbol space as follows:
β0 → si0 si1 . . . sik (9)
Eq. (8) is called symbolic dynamics. The symbolization
process converts multi-dimensional space into a symbol
sequence, and then into a DBN.
B. DYNAMIC BAYESIAN NETWORKS
DBNs are probabilistic graphical models that can demon-
strate system’s state as a set of variables, and model the
probabilistic dependencies of the variables between time
steps. In this work, a high order DBN on ξ variables xt =
{x1,t , . . . , xξ,t } at different time points t = 1, . . . , T is
considered. Each xi,t represents the expression of state i at
80781
 H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

FIGURE 2. Proposed framework for cyber-attack detection using unsupervised learning.

time t. Symbol sequence is extracted from the variables set by other. MI between state sequences qA and qB can be written
SDF. To find the occurrence probability for a new symbol sn , as Importance metric I AB as follows:
we assume that the DBN satisfies the L-th order Markov      
property: I AB = I qB ; qA
k+1 k+1 = H q B
k+1 − H qB
|q
k+1 k
A
(13)

P sn |sn−1 . . . sn−L . . . s0 = P sn |sn−1 . . . sn−L (10)

where,
Thus, a state transition matrix 5 which describes the L-th
  XQB    
H qB k+1 = − P qB
k+1 = i log 2 P qB
k = i
order Markov chain can be defined based on the training data. i=1
  XQA    
The order of the model is set based on trial an error. Let the H qB |qA
= − P qA
= i H qB
|q A
= i
k+1 k i=1 k k+1 k
state at time instant k be denoted as qk . The ij-th element of
5 can be defined as follows:
  XQB  
H qBk+1 |qak = i = − P qBk+1 = j|q A
k = i
j=1
5ij , P qk+1 = si |qk = sj


(11) 
B A

× log2 P qk+1 = j|qk = i
In this work, since we are dealing with several time series,
we use a modified version of Markov chain (xL-th order More details about the MI-based causality can be found
Markov chain) [36] to predict the occurrence probability for a in [32]. The variation of the MI matrix (I AB ) between two-
new symbol in a series A using the last L symbol for another time periods can be driven as:
series B. 5A and 5B are defined for L-th order Markov
δ (I ) = ItAB − ItAB (14)
representing sub-systems A and B, respectively. The same 1 2

way, causal dependencies of A on B and B on A can be
represented by cross state transition matrices 5AB and 5BA ,
respectively.
Features from L-th order Markov chain are known as
the atomic patterns (APs) and the one for xL-th order
Markov chain are referred as the relational patterns (RPs).
State-transition matrices 5AB and 5BA , can be described as:
 
πklAB , P qB A
n+1 = l|qn = k ∀n
 
πijBA , P qA n+1 = j|qB
n = i ∀n (12)
where j, kQA and i, lQB , QA and QB are the state vector
related to sequence A and B, respectively.
Given a multivariate time series, the symbol sequences
S is generated with partitioning. After that, a high order
DBN is used to define the subsequent states and transition
probabilities between the vertices. We use MI criteria to
extract important feature of an AP or an RP. MI develops a
generalized linear correlation coefficient that measures the
relationship between two random variables. A non-zero value
in MI means the two variables are independent towards each
Large δ means a strong predictive and informative link in AP
or RP that can be used to distinguish the two kinds of end
uses.
Once the models are ready, patterns of system’s behaviour
are learned by the RBM. Test data are used to compute the
likelihood of the learned features. In this work, we used
Restricted Boltzmann Machine (RBM) for this purpose.
C. RESTRICTED BOLTZMANN MACHINE
Boltzmann Machine is a generative method to model the
unknown distribution of data. Unlike most of the Machin
Learning techniques that only discriminate some data vectors
in favor of others, Boltzmann Machine can also generate
new data with given joined distribution, as well as pattern
completion in case of missing inputs. It is also considered
more feature-rich and flexible. RBM belongs to the class of
stochastic Energy-based Models (EM) [38]. In EM, each state
of the system is associated to an specific energy level. Such
a system can be described by a network of stochastic binary
neurons (a set of visible variables v = {v1 , . . . ,vN }) which
are connected a set of hidden variables h = {h1 , . . . ,hK }.

80782 VOLUME 7, 2019

H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

System’s state can be described based on joint configurations and under cyber-attack condition (F (vca )), can be calculated
of the visible and hidden variables. It is proved that model using Eq. (14). A symmetric RE distance can be defined
estimation in RBM amounts to maximize the likelihood of the as [38],
training data with low-energy state. As a result, an anomaly
REd (PkQ) = RE(PkQ) + RE(QkP) (20)
will appear as a configuration with low probability or high-
energy [39]. Given binary variables v and hidden variables h, which can be used as an index for cyber-attack/anomaly
the joint probability of a state (Pr (v, h)) can be described detection. This index will be compared with a Detection
based on the energy of that state (En (v, h)), with a Boltzmann Threshold (DT) to detect the cyber-attack. Too low thresholds
distribution function: may results in many false attack detection, while too high
exp(−En(v, h)) thresholds may lead to unidentified attack. In this work, most
Pr (v, h) = P (15) of the RE values calculated through training are assumed to
v,h exp(−En(v, h))
be normal, while a few of them are outliers. To find the DT,
where the normal distribution is used as the baseline. The assump-
N K N
!
X X X tion is that 95% of the data are within  two standard devi-
En (v, h) = − ai vi + bk + wik vi hk (16) ations of the mean. ∀ DT g satisfying RE i :DT g ≥ RE i =
i=1 k=1 i=1 0.95|{RE i }|, i = 1, 2, . . . , n that, DT = min{DT } where RE i
g
where a, b, and w are model parameters which are calculated is the i-th RE in the training data. Then, anomaly is detected
through maximization of the probability of the training data when RE (t) ≥ DT . The steps can be summarized as follows:
with low-energy state. • Transform time series data to symbolic sequence.
Data density can be rewritten as: • Model the subsystems and their interactions using DBN.
• Evaluate the information based metric values using MI
X
Pr (v) ∝ exp(−En(v, h)) = exp(−F(v)) (17)
(I ij ).
h
• Generate a binary vector of length L using I ij , and assign
where F (v) is known as free-energy and can be rewritten as: a state 0 or 1 to each I ij .
F (v) = − log (Pr (v)) + constant (18) • Use RBM with visible nodes corresponding to APs and
RPs to learn the behaviour pattern.
Therefore, free energy can be used as the anomaly index • Detect anomaly by calculating the occurrence probabil-
to rank data instances in linear time. The trained RBM is ity of the current observation based on trained RBM.
employed to identify cyber-attack based on the probability The anomaly detection process algorithm is described
and energy level of event. Anomaly is represented by an event in Fig.3.
with high energy or low probability. The assumption is that
cyber-attacks change the interaction among the sub-systems
and results in different patterns in DBN. For simplicity of
training, I AB can be normalized into binary states (0 and 1
for low and high values, respectively) for APs and RPs.
Finally, changes in the parameters related to the accepted
patterns are used to identify cyber-attacks. A distribution of
free energy is used to detect low probability events or cyber-
attacks based on distance metric. For the normal operation
condition, free energy will have similar distribution to that of
the training data. The assumption is that the training data are
mostly collected from normal operation condition. Therefore,
the learnt RBM can effectively capture the normal operation
of the system.
To quantify the difference between the energy distributions
in training and test data, Relative Entropy (RE) metric is used.
The relative entropy between two probability distributions is a
measure of the distance between them. RE for two probability
distributions P and Q on a finite set X, can be described
as [35], [36],
X P(x) FIGURE 3. Proposed algorithm for anomaly detection.
RE(PkQ) = P(x) log (19)
Q(x)
X
where P and Q refer to the distribution of free energies in IV. CASE STUDIES AND SIMULATION RESULTS
the normal situation and under cyber-attack, respectively. In this section a case studies under different operation con-
Free energies in the normal operation condition (F (vn )) dition are simulated to validate performance of the proposed

VOLUME 7, 2019 80783

 H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids
method. Case 1 is modeled as a multi-agent cyber-physical
system based on IEEE-39 bus model where each agent
includes a generator as described in Section II, a measurement
device, a distributed control agent, and an energy storage
system as shown in Fig.4. Energy storage represent the energy
that can be fed into the system by different micro grid or
renewable sources. The same analysis is performed for all
case studies, however, for the sake of space only the results
of Case 1 are included in this section.
FIGURE 4. IEEE 39 bus system under cyber-attack in line 6-31 and 11-12.
A. TEST SYSTEM
Details of the case studies are listed in Table 2 and adapted
from Matpower [42]. All case studies are assumed to be fully
observable. To make sure about the accuracy of the historical
data a level of security is added to the measurement model.
Large-scale power grids contain thousands of meters which
makes the protection of measurements highly expensive.
In order to reduce the cost, we identify the critical meters to
protect them based on optimal PMU placement [31]. We also
assume that the system topologies remain unchanged over the
typical days. Case studies are implemented in Matlab R2017a
and carried out on a PC with a Core(TM) i7-7700 CPU,
3.6 GHz, and a RAM of 32.00 GB.
TABLE 2. Units for magnetic properties.
By exploring the MI index, dependency between a subset
of variables that influence each other in the normal condi-
tion is used for anomaly detection. The model generated by
RBM represent the normal system since most of the collected
80784
data are collected are from the normal conditions. It should
be mentioned that collected data are labeled as normal or
anomalous. Training data are used to obtain the baseline for
the normal condition which will be used for selecting the
threshold for the anomaly. A moving window in a subset
of the training data (with distribution P) is used to compute
the distribution Q representing the dynamic behavior of the
system. In order to measure the distance between Q and P,
the RE metric is applied in each subset. Similar setting is used
for the testing data. Finally, the two RE are compared to detect
anomalous condition (cyber-attack in our case).
The attack strategy is designed to overload lines 6-31 and
11-12. The attack region is shown in Fig. 4. Normalized
measurement residual under normal operation condition, due
to fault, and due to cyber-attacks are presented in Fig.5 for
Case 1. It can be seen that all the measurements residuals
due to cyber-attacks have almost the same magnitude as
the measurement residual under normal operation condition
which implies that conventional residual test cannot detect
the stealthy cyber-attacks. It should be noted that faults will
results in significant residual in the measurement residual as
shown in Fig. 5. In case of a fault in the system, the operator
will be notified and clear the fault. Therefore, the fault will
not affect the states of the system.
FIGURE 5. Measurement residual before and after cyber-attack on Case 1.
In Fig. 6, the variation in the lower plot is in an acceptable
zone. However, in the top plot, the variation significantly
increases during the attack between 35-65 samples. This
indicates that there is a potential case of cyber-attack that has
gone unnoticed in bad data detection. Therefore, estimated
states with high error could be fed into the rest of the system,
which may result in irreparable damages.
B. ACCURACY, FALSE POSITIVE AND TRUE POSITIVE
In the smart grid analysis, the major concern is not only the
detection of cyber-attacks, but also the ability to avoid false
alarms. Therefore, performance of the proposed method is
analyzed based on the True Positives (TP), the True Negatives
(TN), the False Positives (FP), and the False Negatives (FN),
which are defined in Table 3.
The learning abilities and memorization properties of the
algorithms are measured by the False Positive Rate (FPR),
True Positive Rate (TPR), and Accuracy (Acc) values, which
VOLUME 7, 2019
H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

FIGURE 8. TPR and ACC under single and multiple cyber-attack for two
different detection thresholds on Case 1.

FIGURE 6. Variation on state estimation error, a) without cyber-attack, b)

with cyber-attack on Case 1.
and multiple attack (MA) on state variables δ2 , δ4 . For each
case DT was varied from 0.25DT to 1.5 DT, where DT is
TABLE 3. Units for magnetic properties.
the threshold defined in Section III. As can be seen from
the figure, FPR decreases sharply with increase in detection
threshold. This indicates that, when the threshold is too low,
the algorithm becomes too aggressive in attack detection, thus
suffering from high false-alarm rate.
In addition, as the figure shows, magnitude of the attack
and number of attacks does not affect the FPR significantly.
are defined as [43]: Moreover, it can be seen that for threshold larger than DT,
FPR becomes negligible (i.e., under 2%). Therefore, DT is
FP used as the threshold for the proposed method. Similar trend
FPR =
TN + FP was observed in the trend of changes in FPR vs. the threshold
TP for other states.
TPR =
TP + FN 2) Effect of Attack Magnitude on TPR and ACC-
TP + TN Fig. 8 shows the variation of TPR and ACC as a function of
ACC = (21)
TP + TN + FP + FN attack magnitude for two attack scenarios on state variables
Low FPR of 0% means that none of the secure measure- δ2 , δ4 . 1 (1% of the original measurement) and 10 (10%
ments are misclassified as attacked. TPR of 100% clarifies of the original measurement) indicate low and high attack
that none of the attacked measurements are misclassified as magnitudes, respectively. Medium magnitude (here indicated
secure. Accuracy of 100% means that each measurement by 5) is the regular type of attack on the literature. To verify
classified as attacked is an attacked measurement, and each the effect of detection threshold on TPR and ACC, the results
measurement classified as secure is a secure measurement. are plotted for two different thresholds.
1) Effect of Threshold on FPR- Fig. 7 shows the variation of As shown in Fig.8, by increasing the attack magnitude,
FPR as a function of detection threshold for single attack (SA) TPR and ACC quickly approached 100%. In addition, it can
be seen that a very high threshold adversely affects the TPR
and impacts the minimum size detectable attack. The results
show that DT defined in Section III can effectively detect
an attack with medium and higher strength with almost 99%
accuracy and 98% TPR. A similar trend was observed in the
changes of TPR and ACC vs. the attack magnitude for all
states. Summary of the results for different case studies are
reported in Table 4.
3) Effect of Attack Sparsity on TPR and ACC- to analyze
the effect of attack sparsity, attacks with different sparsity
λ/N ∈ [0, 1] are generated. N represents the total number of
measurements in the system. As shown in Fig. 9, both TPR
and ACC increase as the number of contaminated measure-
FIGURE 7. FPR under single and multiple cyber-attack for two different ments increases. Here, sparsity 1 means all measurements are
attack magnitudes on Case 1. manipulated by the attacker. The figure shows that proposed

VOLUME 7, 2019 80785

 H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids
TABLE 4. Summary of results for single attack with medium attack
magnitude (average).
FIGURE 9. TPR and ACC under single and multiple cyber-attack for
different attack sparsity on Case 1.
algorithm has very high TPR (94%) and ACC (90%) when
only 35% of the measurements are manipulated. Once half of
the measurements are attacked, which is a realistic assump-
tion for successful attack implementation from the attacker’s
perspective, the algorithm is highly effective with 99% TPR
and 98% ACC.
C. PERFORMANCE ANALYSIS UNDER DIFFERENT
OPERATION CONDITION
To validate efficieny of the proposed method, four different
scenarios are considered:1) normal condition without attack,
2) random attack, 3) single FDI attack on 6-31, 4) multi-
ple, simultaneous FDI attacks on lines 6-31 and 11-12. Pro-
posed method is compared with the two most popular BDD
approaches; LNR test and Chi-Square test. The threshold
is set to 3σ while σ is the standard deviation, to minimize
the false positives due to the noise, thus FPR due to noise
is less than 1% [44]. For accurate and detailed comparison,
the threshold is normalized for all detectors. The same crite-
rion is considered for setting threshold in LNR test. For more
information about LNR and Chi-Square test refer to [20].
Detector’s output are depicted in Fig. 10.
As shown in Fig. 10 (a), in normal operation condition, the
output of all detectors is under the threshold which specifies
that there is no trace of bad data or cyber-attack in the system.
Fig. 10 (b) shows that all methods are able to detect the
random attack. Since the attack is unintelligent, it will leave
its trace in the data sets and the operator will be informed of
an attack presence. The random bad data, which was injected
to the measurement set, results in significant changes in the
measurement residual vector, which leads to the increase in
80786
FIGURE 10. Detector out put under a) normal condition, b) random
attack, c) single cyber-attack, d) multiple cyber-attack on Case 1.
cost function. In an optimal state estimation, we evaluate
the cost function based on the residual of the measurements.
In the normal operation condition, without bad data in the
system, the cost function follows a normal distribution with
zero mean. Under a random attack, the cost function will pass
the threshold for optimal state estimation. Therefore, both
LNR and chi-square tests will trigger the alarm successfully.
In case of single or multiple FDI attacks, as can be seen
in Fig. 10 (c) and (d), the cost function for both LNR and
Chi-Square detector stayed in the true range of predefined
thresholds. Both approaches resulted in their normalized
residue values below the specified threshold and thus they
were unable to detect the attack in the system. However, in the
same setup, output of the proposed detector is above the given
threshold and can trigger the alarm. The main reason is that
the LNR test and Chi-Square test are based on residual of the
measurement vector while cyber-attacks are carefully crafted
to bypass the statistical detector with no trace in residual
vector. Similar results were observed for all case studies.
Average detection time for all case studies was 1ms with
0.2ms deviations.
VOLUME 7, 2019
H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids
In general, any type of FDI attack in line or system topol-
ogy results in the same changes in the network with minor
modification. Therefore, the proposed method can success-
fully detect various FDI attacks from different sources. Fur-
thermore, since the proposed scheme analyze the patterns
between the compromised data and the normal data, its suc-
cess rate does not depends on the attack scenarios.
V. CONCLUSION
In the context of smart grid anomaly detection, the solutions
proposed in the literature are mainly offline approaches with
restriction to deal with dynamically evolving cyber threats.
This paper propose a real time and computationally efficient
tool for anomaly detection that utilizing feature extraction
scheme and time series partitioning to discover causal inter-
actions between the subsystems. DBN concept and learning
algorithms based on Boltzmann Machine are used to detect
unobservable attacks based on free energy as the anomaly
index. Performance of the proposed algorithm was evaluated
on different IEEE test systems and under different operation
conditions for several measures (TPR, FPR, and ACC). The
results demonstrated that the system achieves an accuracy of
99%, TPR of 98% and FPR of less than 2%.
REFERENCES
[1] J. E. Dagle, ‘‘Postmortem analysis of power grid blackouts—The role of
measurement systems,’’ IEEE Power Energy Mag., vol. 4, no. 5, pp. 30–35,
Sep./Oct. 2006.
[2] Z. Huang, C. Wang, T. Zhu, and A. Nayak, ‘‘Cascading failures in smart
grid: Joint effect of load propagation and interdependence,’’ IEEE Access,
vol. 3, pp. 2520–2530, 2015.
[3] Y. Cai, Y. Li, Y. Cao, W. Li, and X. Zeng, ‘‘Modeling and impact analysis
of interdependent characteristics on cascading failures in smart grids,’’ Int.
J. Elect. Power Energy Syst., vol. 89, pp. 106–114, Jul. 2017.
[4] H. Karimipour and V. Dinavahi, ‘‘On false data injection attack against
dynamic state estimation on smart power grids,’’ in Proc. IEEE Int. Conf.
Smart Energy Grid Eng. (SEGE), Aug. 2017, pp. 388–393.
[5] G. Dondossola, J. Szanto, M. Masera, and I. N. Fovino, ‘‘Effects of inten-
tional threats to power substation control systems,’’ Int. J. Crit. Infrastruct.,
vol. 4, nos. 1–2, pp. 129–143, 2008.
[6] T. Morris, S. Pan, J. Lewis, J. Moorhead, N. Younan, R. King, M. Freund,
and V. Madani, ‘‘Cybersecurity risk testing of substation phasor measure-
ment units and phasor data concentrators,’’ in Proc. CSIIRW, Oct. 2011,
Art. no. 24.
[7] A. Ameli, A. Hooshyar, E. El-Saadany, and A. M. Youssef, ‘‘Attack detec-
tion and identification for automatic generation control systems,’’ IEEE
Trans. Power Syst., vol. 33, no. 5, pp. 4760–4774, Sep. 2018.
[8] H. H. Pajouh, R. Javidan, R. Khayami, D. Ali, and K.-K. R. Choo, ‘‘A two-
layer dimension reduction and two-tier classification model for anomaly-
based intrusion detection in IoT backbone networks,’’ IEEE Trans. Emerg.
Topics Comput., to be published.
[9] R. Khan, K. Mclaughlin, D. Laverty, and S. Sezer, ‘‘Design and imple-
mentation of security gateway for synchrophasor based real-time control
and monitoring in smart grid,’’ IEEE Access, vol. 5, pp. 11626–11644,
Jun. 2017.
[10] R. Xu, R. Wang, Z. Guan, L. Wu, J. Wu, and X. Du, ‘‘Achieving efficient
detection against false data injection attacks in smart grid,’’ IEEE Access,
vol. 5, pp. 13787–13798, Jul. 2017.
[11] C.-C. Sun, A. Hahn, and C.-C. Liu, ‘‘Cyber security of a power grid: State-
of-the-art,’’ Int. J. Elect. Power Energy Syst., vol. 99, pp. 45–56, Jul. 2018.
[12] X. Liu, N. Xiong, N. Zhang, A. Liu, H. Shen, and C. Huang, ‘‘A trust with
abstract information verified routing scheme for cyber-physical network,’’
IEEE Access, vol. 6, pp. 3882–3898, 2018.
[13] C. Alcaraz, C. Fernandez-Gago, and J. Lopez, ‘‘An early warning system
based on reputation for energy control systems,’’ IEEE Trans. Smart Grid,
vol. 2, no. 4, pp. 827–834, Dec. 2011.
VOLUME 7, 2019
[14] X. He, L. Chu, R. C. Qiu, Q. Ai, and Z. Ling, ‘‘A novel data-driven situation
awareness approach for future grids—Using large random matrices for big
data modeling,’’ IEEE Access, vol. 6, pp. 13855–13865, 2018.
[15] A. Farraj, E. Hammad, and D. Kundur, ‘‘A distributed control paradigm
for smart grid to address attacks on data integrity and availability,’’ IEEE
Trans. Signal Inf. Process. Over Netw., vol. 4, no. 1, pp. 70–81, Mar. 2018.
[16] I. Friedberg, X. Hong, K. Mclaughlin, P. Smith, and P. C. Miller, ‘‘Eviden-
tial network modeling for cyber-physical system state inference,’’ IEEE
Access, vol. 5, pp. 17149–17164, 2017.
[17] A. Azmoodeh, A. Dehghantanha, M. Conti, and K.-K. R. Choo, ‘‘Detecting
crypto-ransomware in IoT networks based on energy consumption foot-
print,’’ J. Ambient Intell. Humanized Comput., vol. 9, no. 4, pp. 1141–1152,
2018.
[18] N. Milosevic, A. Dehghantanha, and K.-K. R. Choo, ‘‘Machine learning
aided Android malware classification,’’ Comput. Elect. Eng., vol. 61,
pp. 266–274, Jul. 2017.
[19] H. Karimipour and V. Dinavahi, ‘‘Robust massively parallel dynamic state
estimation of power systems against cyber-attack,’’ IEEE Access, vol. 6,
pp. 2984–2995, Dec. 2017.
[20] M. Ozay, I. Esnaola, F. T. Y. Vural, S. R. Kulkarni, and H. V. Poor,
‘‘Machine learning methods for attack detection in the smart grid,’’ IEEE
Trans. Neural Netw. Learn. Syst., vol. 27, no. 8, pp. 1773–1786, Aug. 2016.
[21] S. Pan, T. Morris, and U. Adhikari, ‘‘Developing a hybrid intrusion detec-
tion system using data mining for power systems,’’ IEEE Trans. Smart
Grid, vol. 6, no. 6, pp. 3104–3113, Nov. 2015.
[22] J. Landford, R. Meier, R. Barella, X. Zhao, E. Cotilla-Sanchez, R. B. Bass,
and S. Wallace, ‘‘Fast sequence component analysis for attack detection in
synchrophasor networks,’’ in Proc. 5th Int. Conf. Smart Cities Green ICT
Syst. (SmartGreens), Rome, Italy, 2016.
[23] S. Ahmed, Y. Lee, S.-H. Hyun, and I. Koo, ‘‘Feature selection–based
detection of covert cyber deception assaults in smart grid communications
networks using machine learning,’’ IEEE Access, vol. 6, pp. 27518–27529,
2018.
[24] Y. He, G. J. Mendis, and J. Wei, ‘‘Real-time detection of false data injection
attacks in smart grid: A deep learning-based intelligent mechanism,’’ IEEE
Trans. Smart Grid., vol. 8, no. 5, pp. 2505–2516, Sep. 2017.
[25] D. Codetta-Raiteri and L. Portinale, ‘‘Dynamic Bayesian networks for fault
detection, identification, and recovery in autonomous spacecraft,’’ IEEE
Trans. Syst., Man, Cybern. Syst., vol. 45, no. 1, pp. 13–24, Jan. 2015.
[26] S. Mohammadi, H. Mirvaziri, M. Ghazizadeh-Ahsaee, and H. Karimipour,
‘‘Cyber intrusion detection by combined feature selection algorithm,’’
J. Inf. Secur. Appl., vol. 44, pp. 80–88, Feb. 2019.
[27] C. A. Murthy, ‘‘Bridging feature selection and extraction: Compound
feature generation,’’ IEEE Trans. Knowl. Data Eng., vol. 29, no. 4,
pp. 757–770, Apr. 2017.
[28] H. Karimipour and V. Dinavahi, ‘‘Extended Kalman filter-based paral-
lel dynamic state estimation,’’ IEEE Trans. Smart Grid, vol. 6, no. 3,
pp. 1539–1549, May 2015.
[29] J. D. Glover, M. Sarma, and T. Overbye, Power System Analysis and
Design, 5th ed. Boston, MA, USA: Cengage, 2011.
[30] A. R. Bergen and V. Vittal, Power Systems Analysis, 2nd ed.
Upper Saddle River, NJ, USA: Prentice-Hall, 2000.
[31] A. Abur and A. Gómez-Expósito, Power System State Estimation: Theory
and Implementation. New York, NY, USA: Marcel Dekker, 2004.
[32] Y. Liu, P. Ning, and M. K. Reiter, ‘‘False data injection attacks against state
estimation in electric power grids,’’ ACM Trans. Inf. Syst. Secur., vol. 14,
no. 13, pp. 1–33, May 2011.
[33] M. Ozay, I. Esnaola, F. T. Yarman Vural, S. R. Kulkarni, and H. V. Poor,
‘‘Sparse attack construction and state estimation in the smart grid: Central-
ized and distributed models,’’ IEEE J. Sel. Areas Commun., vol. 31, no. 7,
pp. 1306–1318, Jul. 2013.
[34] A. Ray, ‘‘Symbolic dynamic analysis of complex systems for anomaly
detection,’’ Signal Process., vol. 84, no. 7, pp. 1115–1130, 2004.
[35] C. Rao, A. Ray, S. Sarkar, and M. Yasar, ‘‘Review and comparative eval-
uation of symbolic dynamic filtering for detection of anomaly patterns,’’
Signal, Image Video Process., vol. 3, no. 2, pp. 101–114, 2009.
[36] S. Sarkar, S. Sarkar, K. Mukherjee, A. Ray, and A. Srivastav, ‘‘Multi-sensor
information fusion for fault detection in aircraft gas turbine engines,’’
J. Aerosp. Eng., vol. 227, no. 12, pp. 1988–2001, Dec. 2013.
[37] T. M. Cover and J. A. Thomas, Elements of Information Theory, 2nd ed.
Hoboken, NJ, USA: Wiley, 2006.
[38] C. Liu, A. Akintayo, Z. Jiang, G. P. Henze, S. Sarkar, ‘‘Multivariate
exploration of non-intrusive load monitoring via spatiotemporal pattern
network,’’ Appl. Energy, vol. 211, pp. 1106–1122, Feb. 2018.
80787
 H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids
[39] C. Liu, S. Ghosal, Z. Jiang, and S. Sarkar, ‘‘An unsupervised anomaly
detection approach using energy-based spatiotemporal graphical model-
ing,’’ Cyber-Phys. Syst., vol. 3, nos. 1–4, pp. 66–102, 2017.
[40] B. J. Frey and N. Jojic, ‘‘A comparison of algorithms for inference and
learning in probabilistic graphical models,’’ IEEE Trans. Pattern Anal.
Mach. Intell., vol. 27, no. 9, pp. 1392–1416, Sep. 2005.
[41] D. J. C. MacKay, Information Theory, Inference and Learning Algorithms.
Cambridge, U.K.: Cambridge Univ. Press, 2003.
[42] R. D. Zimmerman, C. E. Murillo-Sánchez, and R. J. Thomas,
‘‘MATPOWER: Steady-state operations, planning, and analysis tools for
power systems research and education,’’ IEEE Trans. Power Syst., vol. 26,
no. 1, pp. 12–19, Feb. 2011.
[43] W. Dixon and F. Massey, Introduction to Statistical Analysis, vol. 344.
New York, NY, USA: McGraw-Hill, 1969.
[44] A. Abur and A. Gómez-Expósito, Power System State Estimation: Theory
and Implementation. New York, NY, USA: Marcel Dekker, 2004.
HADIS KARIMIPOUR received the Ph.D. degree
in energy system from the Department of Elec-
trical and Computer Engineering, University of
Alberta, in 2016. Before joining the University of
Guelph, she was a Postdoctoral Fellow with the
University of Calgary, working on cyber security
of the smart power grids. She is currently an Assis-
tant Professor with the School of Engineering,
Engineering Systems and Computing Group, Uni-
versity of Guelph, Ontario. Her research interests
include large-scale power system state estimation, cyber-physical modeling,
cyber-security of the smart grids, and parallel and distributed computing. She
serves as the Chair of the IEEE Women in Engineering (WIE) and chapter
Chair of the IEEE Information Theory in Kitchener-Waterloo section.
ALI DEHGHANTANHA received the Ph.D.
degree in security in computing, and has a number
of professional certifications including CISSP and
CISM. He is the Director of Cyber Science Lab
with the University of Guelph, Ontario, Canada.
His lab is focused on building AI-powered solu-
tions to support cyber threat attribution, cyber
threat hunting, and digital forensics tasks in the
Internet of Things (IoT), industrial IoT, and Inter-
net of Military of Things (IoMT) environments.
He has served for more than a decade in a variety of industrial and academic
positions with leading players in cyber-security and artificial intelligence.
Prior to joining the University of Guelph, he has served as a Senior Lecturer
with the University of Sheffield, U.K., and as an EU Marie-Curie Interna-
tional Incoming Fellow with the University of Salford, U.K.
REZA M. PARIZI received the B.Sc. and M.Sc.
degrees in computer science in 2005 and 2008,
respectively, and the Ph.D. degree in software
engineering in 2012. He is a Faculty with the
College of Computing and Software Engineering,
Kennesaw State University (KSU), GA, USA. He
is a Consummate Technologist and Cybersecurity
Researcher with an entrepreneurial spirit. He is
the member of the IEEE Blockchain Community,
the IEEE Computer Society, and ACM. Prior to
joining KSU, he was an Associate Professor with New York Institute of
Technology. His research interests include R&D in decentralized computing,
the IoT, and emerging issues in the practice of secure software-run world
applications.
80788
KIM-KWANG RAYMOND CHOO received the
Ph.D. degree in information security from Queens-
land University of Technology, Australia, in
2006. He currently holds the Cloud Technology
Endowed Professorship at The University of Texas
at San Antonio (UTSA). In 2016, he was named
the Cybersecurity Educator of the Year –APAC
(Cybersecurity Excellence Awards are produced in
cooperation with the Information Security Com-
munity on LinkedIn), and in 2015, he and his team
won the Digital Forensics Research Challenge organized by Germany’s
University of Erlangen-Nuremberg. He is the recipient of the 2018 UTSA
College of Business Col. Jean Piccione and Lt. Col. Philip Piccione Endowed
Research Award for Tenured Faculty, Outstanding Associate Editor of 2018
for IEEE ACCESS, British Computer Society’s 2019 Wilkes Award Runner-
up for his paper published in the 2018 volume of The Computer Journal
(Oxford University Press, 2019), the EURASIP Journal on Wireless Commu-
nications and Networking (JWCN) Best Paper Award, the IEEE TrustCom
2018 Best Paper Award, ESORICS 2015 Best Research Paper Award, 2014
Highly Commended Award by the Australia New Zealand Policing Advisory
Agency, Fulbright Scholarship in 2009, 2008 Australia Day Achievement
Medallion, and British Computer Society’s Wilkes Award in 2008. He is
also a Fellow of the Australian Computer Society and Co-Chair of the
IEEE Multimedia Communications Technical Committee’s Digital Rights
Management for Multimedia Interest Group.
HENRY LEUNG is a Professor with the Depart-
ment of Electrical and Computer Engineering,
University of Calgary. Before joining this uni-
versity, he was with the Department of National
Defense (DND) of Canada as a Defense Scientist.
He conducted research and development of auto-
mated surveillance systems, which can perform
detection, tracking, identification, and data fusion
automatically as a decision aid for military oper-
ators. His current research interests include big
data analytic, chaos and nonlinear dynamics, information fusion, machine
learning, signal and image processing, robotics, and the Internet of Things.
He has published extensively in the open literature on these topics. He
has over 200 journal papers and 200 refereed conference papers. He has
been the Associate Editor of various journals such as the IEEE CIRCUITS
AND SYSTEMS MAGAZINE, International Journal on Information Fusion, the
IEEE Signal Processing Letters, and the IEEE TRANSACTIONS ON CIRCUITS AND
SYSTEMS. He has also served as Guest Editors for the special issue Intelligent
Transportation Systems for the International Journal on Information Fusion
and Cognitive Sensor Networks for the IEEE Sensors Journal. He is the Topic
Editor on Robotic Sensors of the International Journal of Advanced Robotic
Systems. He is the Editor of the Springer book series on Information Fusion
and Data Science.
VOLUME 7, 2019