0% found this document useful (0 votes)
50 views11 pages

A Deep and Scalable Unsupervised Machine Learning System For Cyber-Attack Detection in Large-Scale Smart Grids

Uploaded by

Hue Jass
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
50 views11 pages

A Deep and Scalable Unsupervised Machine Learning System For Cyber-Attack Detection in Large-Scale Smart Grids

Uploaded by

Hue Jass
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

SPECIAL SECTION ON DIGITAL FORENSICS THROUGH MULTIMEDIA SOURCE INFERENCE

Received April 27, 2019, accepted May 17, 2019, date of publication May 31, 2019, date of current version July 2, 2019.
Digital Object Identifier 10.1109/ACCESS.2019.2920326

A Deep and Scalable Unsupervised Machine


Learning System for Cyber-Attack Detection
in Large-Scale Smart Grids
HADIS KARIMIPOUR 1 , (Member, IEEE), ALI DEHGHANTANHA 1 , (Senior Member, IEEE),
REZA M. PARIZI 2 , (Member, IEEE), KIM-KWANG RAYMOND CHOO3 , (Senior Member, IEEE),
AND HENRY LEUNG 4 , (Fellow, IEEE)
1 University of Guelph, Guelph, ON N1G 2W1, Canada
2 Kennesaw State University, GA 30060, USA
3 University of Texas at San Antonio, TX 78249, USA
4 University of Calgary, Calgary, AB T2N 1N4, Canada

Corresponding author: Ali Dehghantanha ([email protected])

ABSTRACT Smart grid technology increases reliability, security, and efficiency of the electrical grids.
However, its strong dependencies on digital communication technology bring up new vulnerabilities that
need to be considered for efficient and reliable power distribution. In this paper, an unsupervised anomaly
detection based on statistical correlation between measurements is proposed. The goal is to design a scalable
anomaly detection engine suitable for large-scale smart grids, which can differentiate an actual fault from
a disturbance and an intelligent cyber-attack. The proposed method applies feature extraction utilizing
symbolic dynamic filtering (SDF) to reduce computational burden while discovering causal interactions
between the subsystems. The simulation results on IEEE 39, 118, and 2848 bus systems verify the
performance of the proposed method under different operation conditions. The results show an accuracy
of 99%, true positive rate of 98%, and false positive rate of less than 2%

INDEX TERMS Anomaly, cyber-attack, smart grid, statistical property, machine learning, unsupervised
learning.

I. INTRODUCTION the importance of cyber-attack analysis to maintain a sta-


Today’s power systems consist of a network of sensors and ble and reliable operation of the power supply. A cyber-
generators that allow two way communication within the attack can result in overload that will damage the equipment,
system’s infrastructure as well as reliable energy production or false demand request which can result in lots of energy
through integration of Distributed Energy Resources (DERs) generated [2]–[4]. Besides, a malicious attack can also cause
and Advanced Metering Infrastructure (AMI). While this false negatives, i.e., false overload condition in a power sys-
complex communication system has tremendous advantage, tem. Other disruptions in different parts of the smart grid,
by improving energy efficiency, reliability, and manageabil- electric vehicle infrastructure, is also possible. It is shown
ity, it increases the system’s vulnerabilities to cyber-attacks in [5], [6] that malicious attacks by blocking communications
due to the tremendous number of devices and access points with a device can stop services in substation computers.
that operate outside the traditional administrative domain. Therefore, real time cyber-attack detection is paramount for
Since failures in the power grid may lead to catastrophic the reliable performance of the critical infrastructure includ-
events, it is highly important to investigate the effects of ing smart grids. Online and continuous system monitoring
cyber-attacks in a power system. is a requirement to detect targeted cyber-attacks and achieve
As reported in [1], lack of system awareness is the main attack resilience [7].
reason in the North American blackouts, which highlight In general, individual sensors in a large-scale network are
the main target of security compromises. A compromised
The associate editor coordinating the review of this manuscript and insider can easily access information stored in a compro-
approving it for publication was Zhen Qin. mised node. In theory, key revocation of any compromised
2169-3536 2019 IEEE. Translations and content mining are permitted for academic research only.
80778 Personal use is also permitted, but republication/redistribution requires IEEE permission. VOLUME 7, 2019
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

node is possible by applying an authentication mechanism to PGMs, Dynamic Bayesian Networks (DBN) are useful tools
sensor networks. However, authentication approaches based which can represent complex systems evolving in time using
on cryptography or security gateway design, such as the one the causal relationships between system components [25].
described in [8], [9], are infeasible due to the computation Moreover, new techniques should be developed to handle
and storage constraints of the system. The existing studies the complex and high dimensional data to maintain the
within the smart power grid context mainly focus on the net- robustness, scalability and accuracy of the attack detection
working security of the cyber elements [10]–[12], advanced mechanisms. To reduce the computational burden in large
anomaly detection techniques [13], [14], and secure control data sets, feature extraction can be used to transform the
theories based on different state estimation techniques [15]. original features into a more meaningful representation by
A detailed analysis about presence of cyberattack in a power reconstructing its inputs and it involves reducing the amount
system is described in [16]. of resources required [26], [27]. Detection techniques that do
Although the above mentioned solutions are capable of not rely on pre-classified training data are essential, as there
immunizing the power systems, majority of them are math- exists anomalies which cannot be measured or simulated.
ematically too expensive, physically impractical and not In this work, we propose a smart grid anomaly detection
scalable for large-scale complex network. Nowadays, huge method to extract the patterns of changes in FDI attacks. The
amount of data is generated all over the grids which increase revealed features are employed to detect the attacks in real-
accessibility for real-time system monitoring. Exploring time. Symbolic Dynamic Filtering (SDF) is used to build a
these data greatly enhances the performance monitoring, computationally efficient feature extraction scheme to dis-
diagnosis, and prognosis of anomaly in complex systems. cover causal interactions between the smart grids sub-systems
Historical data describing the system’s operation can help through DBN. Mutual Information (MI), DBN and learn-
identify anomalies and potential attacks. However, tradi- ing algorithms are used to detect unobservable cyber-attacks
tional Bad Data Detection (BDD) techniques are not prepared based on free energy as the anomaly index. Our goal is to
for real time computational and storage issues due to the capture dependencies between variables through associating
large-volume of data generated in the smart grid. These chal- of a scalar energy to each variables, which serves as a measure
lenges opens up the possibility of using data analytical tech- of compatibility. The scalability of the proposed technique is
niques, such as Machine Learning (ML), to tackle complex examined on various IEEE test systems which was modeled
structure data sets with AI to detect and prevent cyber-attacks. on PSS/E software. The results show high accuracy and low
ML algorithms can be used to analyze various combinations false alarm under different operation conditions. It should be
of measurements through AMI, states, and control actions mentioned that the proposed method does not only relies on
by learning their patterns [17], [18]. It can detect False Data the pattern in the training data sets but It also uses the concept
Injection (FDI) attack by learning the non-linear, complex of free energy to differentiate between the energy level in
relationship between measurements. This can be done in the attacked and normal data sets. Therefore, even new and
a similar fashion to successful techniques applied to other unseen attacked can be detected.
power system problems as seen in the research literature [19]. The main contributions of this work are as follows:
There are limited studies on the application of ML on • Formulation of an unsupervised approach to detect an
cyber-security of the smart grids. Several ML algorithms are anomaly in smart grids without labeling data sets.
tested and compared in [20] for detection of FDI attacks. • Proposing a scalable method by reducing computational
General conclusions was made about the success of machine burden through data reduction by SDF.
learning in classifying FDI attacks. [21] proposed a hybrid • Developing a strong learning model based on DBN.
intrusion detection method based on common path mining • Proposing a model-free approach, which can be
method to detect abnormal power system events from PMU employed in hierarchical and topological networks for
data, relays, and energy management system (EMS) logs. different attack scenarios.
A cyber-attack detection techniques based on the correla-
tion between two PMU parameters using Pearson corre- The rest of the paper is organized as follows. Mathematical
lation coefficient was used in [22]. This method analyzed formulations are described in Section II. Proposed cyber-
the change of correlation between two PMU parameters attack detection method is presented in Section III. Section IV
using Pearson correlation coefficient. Authors in [20] uti- discusses the case studies and simulation results followed by
lized Gaussian process combined with ML to model the the conclusion in Section V.
attack strategy for anomaly detection. In [23] a supervised
ML–based scheme is proposed to detect a cyber-deception II. MATHEMATICAL MODELING
assault in the state estimation process. A deep learning A. GENERATOR’S MODEL
method which recognize important features of FDI attacks in In this work, smart grid is modeled as a multi-agent, cyber-
real-time is also proposed in [24]. physical system where each of these agents include a genera-
Performance of the existing, data-driven attack detection tor, a measurement device, a distributed control agent, and an
techniques can be improved using Probabilistic Graphical energy storage system that can inject or absorb real power in
Models (PGM) to model complex system behavior. Among the system [28]. The dynamic and static state of the system

VOLUME 7, 2019 80779


H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

are described as follows: where Gik = Gki and Bik = Bki are the conductance and
susceptance between generators i and k, respectively.
ẋ = f (x, u, η) In this work, the goal is to learn and predict the
z = h (x, u, ε) (1) dynamic behavior of the smart power grid (where gener-
ators are modeled as explained in this section) to detect
where x is the system state including the dynamic state of
anomaly/cyber-attacks. SDF, DBN, and RBM are used to
the generator (e.g. rotor speed and rotor angle) and the static
develop a computationally efficient tool for discovering the
state of the network (voltage magnitude and phase angle). f (.)
interactions between the subsystems.
describes the non-linear, dynamic behavior of the generators
and h (.) is the measurements non-linear function. u and z
B. ATTACK REPRESENTATION
represent the output and measurements vector, respectively.
Traditionally, the integrity of the state estimation process
The 4-th order (two-axis) model of generator i’s can be
is verified through BDD method by computing the L-norm
described as [29]:
of measurement residual [31]. The presence of bad data is
δ̇i = s 1ωi determined if
ωs
ω̇i = (PMi − PEi − Di 1ωi ) z − H x̂ > Tr (5)
2Hi
0 1  0  0
 
where z ∈ RN is the measurement vector, x̂ ∈ RD is the
Ėqi = 0 −Eqi − Xdi − Xdi Idi + Vfi
Tdi estimated state vector, and H ∈ RN ×D is the Jacobian matrix.
0 1  0  0
  A threshold Tr is pre-defined to maintain the accuracy of
Ėdi = 0 −Edi + Xqi − Xqi Iqi the state estimation. Aside from the fact that cyber-attacks
Tqi
0 0 bypass the existing BDD technique, measurement redun-
Eqi = Vqi + Rai Iqi + Xdi Idi dancy required for BDD approaches makes them impractical
0 0
Edi = Vdi + Rai Idi − Xqi Iqi (2) for smart grid technology. In intelligent cyber-attacks, specif-
ically FDI attacks, the goal of the adversary is to control a
where ()˙ denotes the time derivative. Generator parameters subset of the measurements and manipulate the state variables
are described using Table 1. arbitrarily. It can be done by injecting a false data vector za ∈
RN which by pass traditional BDD techniques. Suppose the
TABLE 1. Generator parameter description. malicious attack intentionally manipulates the meter readings
by za . Accordingly, the attack- incurred measurement change
can be written as:
 

x + ca  + qa + 
z = H x̂ + za +  = H b (6)
 
| {z }
x̂a

where  is the measurement noise, and x̂a is the faulty esti-


mated state.
The injected false data (za ) can be decomposed into two
parts a = Hca and qa , where ca ∈ RD is an injected vector
of data which bypass BDD tests since it lies in the column
space of H, and qa is the only detectable part that lies in
−1 T
the complementary space where H H T H H qa = 0.
In other words, the stealth attack vectors (za ) always exists
even if the adversary can get partial access to the network
topology and line parameters to construct malicious attacks
For synchronous generator i, excitation system controls that completely lie in (H ), i.e., qa = 0, thereby bypassing the
the field voltage, the mechanical torque is controlled by the existing BDD methods [32].
associated speed governor, and the electrical output can be The following assumptions are considered in the model of
calculated as follows: the attack:
0 0
 0 0

PEi = Edi Idi + Eqi Iqi + Xqi − Xdi Idi Iqi . (3) • In this work, the assumption is that the attacker has lim-
ited resources and could only manipulate limited number
Let Ei denote the internal voltage of generator i, then PEi can of measurement readings. This could be either power
be expressed as [30]: injection or power flow data, for a time period Ta ⊆ T .
N
X This is a realistic assumption because, in the context
PEi = |Ei | |Ek | (Gik cos (δi −δk )+Bik sin (δi − δk )) (4) of power networks it is not realistic to assume that all
k=1 sensors report faulty measurements at the same time.

80780 VOLUME 7, 2019


H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

Moreover, in reality, compromising all measurements


results in huge cost and effort for attackers.
• Complete knowledge of the system is literally impos-
sible for an outsider. Therefore, the attacker has par-
tial knowledge of the system topology and security
mechanisms. Such knowledge can be obtained by sta-
tistical analysis of data sent from the remote terminal
units (RTUs) to the control center or by physically cap-
turing the security information embedded in a node.
In this work, strategic sparse FDI attack with least absolute
shrinkage and selection operator (LASSO) is considered.
Jacobian matrix (H ) is decomposed based on a row-wise
approach. A sub Matrix H S = Hji ,: , HjN −|S|,: , of H is FIGURE 1. Illustration of the steps to generate DBN using SDF-based
feature extraction.
created to represent the secure measurements, where Hji ,:
is the ji -th row of H, such that H S ca = 0. Likewise, sub-
matrix H A is constructed for attacked measurements. Finally,
reduce the computational burden by: 1) selecting a subset
the attacker’s strategy is defined in a way to find a solution ca
of measurements through feature selection and SDF, and
which optimize following objective function:
2) by domain decomposition and data processing on several
Minimize H A ca subsystems in parallel, rather than dealing with whole system
0 at once.
Subject to H S ca = 0,
kca k∞ ≥ τ, (7) A. SYMBOLIC DYNAMIC FILTERING
In the proposed feature extraction method based on SDF,
where τ ≥ 0 is a given constant. The optimization problems the time series data are first converted into symbol sequences,
is solved using LASSO and Regressor Selection algorithms. and then DBN are defined from these sequences to compress
More details about the attack construction is available in [33]. the information into low-dimensional statistical patterns. The
The goal of the attacker is to manipulate rotor speed and phase space of the system in Eq. (1) is divided into a finite
angle through FDI attack by hacking into the communication number of cells. A compact region  is identified by intro-
T0 , . . . , B −1 } consisting of m
network. Hence, ∀t ∈ Ta , for generator i, the effect of FDI ducing a partition B ≡ {B
attacks on the system state can be written as: mutually exclusive (i.e., Bj Bk = ∅ ∀j 6 = k) and exhaus-
tive ( j=0−1 Bj = ) cells. The dynamic system describes
S
xia (t) = xi (t) + γi xi (t) + Ci (8)
the time-series data as O ≡ {β0 , . . . ,β −1 } ,βi ∈ ,
where the γi is a constant coefficient and Ci represents a which passes through the cells of the partition B [34], [35].
constant bias in the attacked states. In other word, the attacker To understand the concepts of partitioning and mapping
is interested to alter the system state by γi and Ci . Considering into the symbol alphabet, consider the system shown in
that, the attacker will design za in a way that the attack vector Fig. 1 [34].
remains unobservable for the operator and traditional BDD Consider the cell visited by a trajectory as a random vari-
methods. In the experiments, we assume that the attacker has able S with symbol value s ∈ A. Symbol alphabet is the
access to λ measurements, which are randomly chosen to set A of different symbols that mark the elements in
generate a λ-sparse attack vector. the partition. Every initial state β0 ∈  produce a series of
symbols which can be defined by mapping from the phase
III. PROPOSED ENERGY-BASED CYBER-ATTACK space into the symbol space as follows:
DETECTION β0 → si0 si1 . . . sik (9)
In this section, a cyber-attack detection framework is pro-
posed which utilize DBN modeling, feature extraction Eq. (8) is called symbolic dynamics. The symbolization
through MI and RBM for data training. DBN and MI are process converts multi-dimensional space into a symbol
applied to smart grid test systems with extensive measure- sequence, and then into a DBN.
ments, and the RBM is used to capture the patterns in system
behaviour that are extracted by the unsupervised DBN model B. DYNAMIC BAYESIAN NETWORKS
(data are not labeled). DBNs are probabilistic graphical models that can demon-
The proposed data driven framework for anomaly detection strate system’s state as a set of variables, and model the
is depicted in Fig. 2. At first, the system is partitioned into probabilistic dependencies of the variables between time
several sub-systems. Then causal dependency between nom- steps. In this work, a high order DBN on ξ variables xt =
inal characteristics of subsystems are learned using SDF. The {x1,t , . . . , xξ,t } at different time points t = 1, . . . , T is
proposed method is a computationally efficient tool, which considered. Each xi,t represents the expression of state i at

VOLUME 7, 2019 80781


H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

FIGURE 2. Proposed framework for cyber-attack detection using unsupervised learning.

time t. Symbol sequence is extracted from the variables set by other. MI between state sequences qA and qB can be written
SDF. To find the occurrence probability for a new symbol sn , as Importance metric I AB as follows:
we assume that the DBN satisfies the L-th order Markov      
property: I AB = I qB ; qA
k+1 k+1 = H q B
k+1 − H qB
|q
k+1 k
A
(13)

P sn |sn−1 . . . sn−L . . . s0 = P sn |sn−1 . . . sn−L (10)


 
where,
Thus, a state transition matrix 5 which describes the L-th
  XQB    
H qB k+1 = − P qB
k+1 = i log 2 P qB
k = i
order Markov chain can be defined based on the training data. i=1
  XQA    
The order of the model is set based on trial an error. Let the H qB |qA
= − P qA
= i H qB
|q A
= i
k+1 k i=1 k k+1 k
state at time instant k be denoted as qk . The ij-th element of
5 can be defined as follows:
  XQB  
H qBk+1 |qak = i = − P qBk+1 = j|q A
k = i
j=1
5ij , P qk+1 = si |qk = sj

(11) 
B A

× log2 P qk+1 = j|qk = i
In this work, since we are dealing with several time series,
we use a modified version of Markov chain (xL-th order More details about the MI-based causality can be found
Markov chain) [36] to predict the occurrence probability for a in [32]. The variation of the MI matrix (I AB ) between two-
new symbol in a series A using the last L symbol for another time periods can be driven as:
series B. 5A and 5B are defined for L-th order Markov
δ (I ) = ItAB − ItAB (14)
representing sub-systems A and B, respectively. The same 1 2

way, causal dependencies of A on B and B on A can be Large δ means a strong predictive and informative link in AP
represented by cross state transition matrices 5AB and 5BA , or RP that can be used to distinguish the two kinds of end
respectively. uses.
Features from L-th order Markov chain are known as Once the models are ready, patterns of system’s behaviour
the atomic patterns (APs) and the one for xL-th order are learned by the RBM. Test data are used to compute the
Markov chain are referred as the relational patterns (RPs). likelihood of the learned features. In this work, we used
State-transition matrices 5AB and 5BA , can be described as: Restricted Boltzmann Machine (RBM) for this purpose.
 
πklAB , P qB A
n+1 = l|qn = k ∀n
  C. RESTRICTED BOLTZMANN MACHINE
πijBA , P qA n+1 = j|qB
n = i ∀n (12) Boltzmann Machine is a generative method to model the
unknown distribution of data. Unlike most of the Machin
where j, kQA and i, lQB , QA and QB are the state vector Learning techniques that only discriminate some data vectors
related to sequence A and B, respectively. in favor of others, Boltzmann Machine can also generate
Given a multivariate time series, the symbol sequences new data with given joined distribution, as well as pattern
S is generated with partitioning. After that, a high order completion in case of missing inputs. It is also considered
DBN is used to define the subsequent states and transition more feature-rich and flexible. RBM belongs to the class of
probabilities between the vertices. We use MI criteria to stochastic Energy-based Models (EM) [38]. In EM, each state
extract important feature of an AP or an RP. MI develops a of the system is associated to an specific energy level. Such
generalized linear correlation coefficient that measures the a system can be described by a network of stochastic binary
relationship between two random variables. A non-zero value neurons (a set of visible variables v = {v1 , . . . ,vN }) which
in MI means the two variables are independent towards each are connected a set of hidden variables h = {h1 , . . . ,hK }.

80782 VOLUME 7, 2019


H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

System’s state can be described based on joint configurations and under cyber-attack condition (F (vca )), can be calculated
of the visible and hidden variables. It is proved that model using Eq. (14). A symmetric RE distance can be defined
estimation in RBM amounts to maximize the likelihood of the as [38],
training data with low-energy state. As a result, an anomaly
REd (PkQ) = RE(PkQ) + RE(QkP) (20)
will appear as a configuration with low probability or high-
energy [39]. Given binary variables v and hidden variables h, which can be used as an index for cyber-attack/anomaly
the joint probability of a state (Pr (v, h)) can be described detection. This index will be compared with a Detection
based on the energy of that state (En (v, h)), with a Boltzmann Threshold (DT) to detect the cyber-attack. Too low thresholds
distribution function: may results in many false attack detection, while too high
exp(−En(v, h)) thresholds may lead to unidentified attack. In this work, most
Pr (v, h) = P (15) of the RE values calculated through training are assumed to
v,h exp(−En(v, h))
be normal, while a few of them are outliers. To find the DT,
where the normal distribution is used as the baseline. The assump-
N K N
!
X X X tion is that 95% of the data are within  two standard devi-
En (v, h) = − ai vi + bk + wik vi hk (16) ations of the mean. ∀ DT g satisfying RE i :DT g ≥ RE i =
i=1 k=1 i=1 0.95|{RE i }|, i = 1, 2, . . . , n that, DT = min{DT } where RE i
g
where a, b, and w are model parameters which are calculated is the i-th RE in the training data. Then, anomaly is detected
through maximization of the probability of the training data when RE (t) ≥ DT . The steps can be summarized as follows:
with low-energy state. • Transform time series data to symbolic sequence.
Data density can be rewritten as: • Model the subsystems and their interactions using DBN.
• Evaluate the information based metric values using MI
X
Pr (v) ∝ exp(−En(v, h)) = exp(−F(v)) (17)
(I ij ).
h
• Generate a binary vector of length L using I ij , and assign
where F (v) is known as free-energy and can be rewritten as: a state 0 or 1 to each I ij .
F (v) = − log (Pr (v)) + constant (18) • Use RBM with visible nodes corresponding to APs and
RPs to learn the behaviour pattern.
Therefore, free energy can be used as the anomaly index • Detect anomaly by calculating the occurrence probabil-
to rank data instances in linear time. The trained RBM is ity of the current observation based on trained RBM.
employed to identify cyber-attack based on the probability The anomaly detection process algorithm is described
and energy level of event. Anomaly is represented by an event in Fig.3.
with high energy or low probability. The assumption is that
cyber-attacks change the interaction among the sub-systems
and results in different patterns in DBN. For simplicity of
training, I AB can be normalized into binary states (0 and 1
for low and high values, respectively) for APs and RPs.
Finally, changes in the parameters related to the accepted
patterns are used to identify cyber-attacks. A distribution of
free energy is used to detect low probability events or cyber-
attacks based on distance metric. For the normal operation
condition, free energy will have similar distribution to that of
the training data. The assumption is that the training data are
mostly collected from normal operation condition. Therefore,
the learnt RBM can effectively capture the normal operation
of the system.
To quantify the difference between the energy distributions
in training and test data, Relative Entropy (RE) metric is used.
The relative entropy between two probability distributions is a
measure of the distance between them. RE for two probability
distributions P and Q on a finite set X, can be described
as [35], [36],
X P(x) FIGURE 3. Proposed algorithm for anomaly detection.
RE(PkQ) = P(x) log (19)
Q(x)
X
where P and Q refer to the distribution of free energies in IV. CASE STUDIES AND SIMULATION RESULTS
the normal situation and under cyber-attack, respectively. In this section a case studies under different operation con-
Free energies in the normal operation condition (F (vn )) dition are simulated to validate performance of the proposed

VOLUME 7, 2019 80783


H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

method. Case 1 is modeled as a multi-agent cyber-physical data are collected are from the normal conditions. It should
system based on IEEE-39 bus model where each agent be mentioned that collected data are labeled as normal or
includes a generator as described in Section II, a measurement anomalous. Training data are used to obtain the baseline for
device, a distributed control agent, and an energy storage the normal condition which will be used for selecting the
system as shown in Fig.4. Energy storage represent the energy threshold for the anomaly. A moving window in a subset
that can be fed into the system by different micro grid or of the training data (with distribution P) is used to compute
renewable sources. The same analysis is performed for all the distribution Q representing the dynamic behavior of the
case studies, however, for the sake of space only the results system. In order to measure the distance between Q and P,
of Case 1 are included in this section. the RE metric is applied in each subset. Similar setting is used
for the testing data. Finally, the two RE are compared to detect
anomalous condition (cyber-attack in our case).
The attack strategy is designed to overload lines 6-31 and
11-12. The attack region is shown in Fig. 4. Normalized
measurement residual under normal operation condition, due
to fault, and due to cyber-attacks are presented in Fig.5 for
Case 1. It can be seen that all the measurements residuals
due to cyber-attacks have almost the same magnitude as
the measurement residual under normal operation condition
which implies that conventional residual test cannot detect
the stealthy cyber-attacks. It should be noted that faults will
results in significant residual in the measurement residual as
shown in Fig. 5. In case of a fault in the system, the operator
will be notified and clear the fault. Therefore, the fault will
not affect the states of the system.

FIGURE 4. IEEE 39 bus system under cyber-attack in line 6-31 and 11-12.

A. TEST SYSTEM
Details of the case studies are listed in Table 2 and adapted
from Matpower [42]. All case studies are assumed to be fully
observable. To make sure about the accuracy of the historical
data a level of security is added to the measurement model.
Large-scale power grids contain thousands of meters which FIGURE 5. Measurement residual before and after cyber-attack on Case 1.
makes the protection of measurements highly expensive.
In order to reduce the cost, we identify the critical meters to In Fig. 6, the variation in the lower plot is in an acceptable
protect them based on optimal PMU placement [31]. We also zone. However, in the top plot, the variation significantly
assume that the system topologies remain unchanged over the increases during the attack between 35-65 samples. This
typical days. Case studies are implemented in Matlab R2017a indicates that there is a potential case of cyber-attack that has
and carried out on a PC with a Core(TM) i7-7700 CPU, gone unnoticed in bad data detection. Therefore, estimated
3.6 GHz, and a RAM of 32.00 GB. states with high error could be fed into the rest of the system,
which may result in irreparable damages.
TABLE 2. Units for magnetic properties.

B. ACCURACY, FALSE POSITIVE AND TRUE POSITIVE


In the smart grid analysis, the major concern is not only the
detection of cyber-attacks, but also the ability to avoid false
alarms. Therefore, performance of the proposed method is
analyzed based on the True Positives (TP), the True Negatives
(TN), the False Positives (FP), and the False Negatives (FN),
By exploring the MI index, dependency between a subset which are defined in Table 3.
of variables that influence each other in the normal condi- The learning abilities and memorization properties of the
tion is used for anomaly detection. The model generated by algorithms are measured by the False Positive Rate (FPR),
RBM represent the normal system since most of the collected True Positive Rate (TPR), and Accuracy (Acc) values, which

80784 VOLUME 7, 2019


H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

FIGURE 8. TPR and ACC under single and multiple cyber-attack for two
different detection thresholds on Case 1.

FIGURE 6. Variation on state estimation error, a) without cyber-attack, b)


with cyber-attack on Case 1.
and multiple attack (MA) on state variables δ2 , δ4 . For each
case DT was varied from 0.25DT to 1.5 DT, where DT is
TABLE 3. Units for magnetic properties.
the threshold defined in Section III. As can be seen from
the figure, FPR decreases sharply with increase in detection
threshold. This indicates that, when the threshold is too low,
the algorithm becomes too aggressive in attack detection, thus
suffering from high false-alarm rate.
In addition, as the figure shows, magnitude of the attack
and number of attacks does not affect the FPR significantly.
are defined as [43]: Moreover, it can be seen that for threshold larger than DT,
FPR becomes negligible (i.e., under 2%). Therefore, DT is
FP used as the threshold for the proposed method. Similar trend
FPR =
TN + FP was observed in the trend of changes in FPR vs. the threshold
TP for other states.
TPR =
TP + FN 2) Effect of Attack Magnitude on TPR and ACC-
TP + TN Fig. 8 shows the variation of TPR and ACC as a function of
ACC = (21)
TP + TN + FP + FN attack magnitude for two attack scenarios on state variables
Low FPR of 0% means that none of the secure measure- δ2 , δ4 . 1 (1% of the original measurement) and 10 (10%
ments are misclassified as attacked. TPR of 100% clarifies of the original measurement) indicate low and high attack
that none of the attacked measurements are misclassified as magnitudes, respectively. Medium magnitude (here indicated
secure. Accuracy of 100% means that each measurement by 5) is the regular type of attack on the literature. To verify
classified as attacked is an attacked measurement, and each the effect of detection threshold on TPR and ACC, the results
measurement classified as secure is a secure measurement. are plotted for two different thresholds.
1) Effect of Threshold on FPR- Fig. 7 shows the variation of As shown in Fig.8, by increasing the attack magnitude,
FPR as a function of detection threshold for single attack (SA) TPR and ACC quickly approached 100%. In addition, it can
be seen that a very high threshold adversely affects the TPR
and impacts the minimum size detectable attack. The results
show that DT defined in Section III can effectively detect
an attack with medium and higher strength with almost 99%
accuracy and 98% TPR. A similar trend was observed in the
changes of TPR and ACC vs. the attack magnitude for all
states. Summary of the results for different case studies are
reported in Table 4.
3) Effect of Attack Sparsity on TPR and ACC- to analyze
the effect of attack sparsity, attacks with different sparsity
λ/N ∈ [0, 1] are generated. N represents the total number of
measurements in the system. As shown in Fig. 9, both TPR
and ACC increase as the number of contaminated measure-
FIGURE 7. FPR under single and multiple cyber-attack for two different ments increases. Here, sparsity 1 means all measurements are
attack magnitudes on Case 1. manipulated by the attacker. The figure shows that proposed

VOLUME 7, 2019 80785


H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

TABLE 4. Summary of results for single attack with medium attack


magnitude (average).

FIGURE 9. TPR and ACC under single and multiple cyber-attack for
different attack sparsity on Case 1.

algorithm has very high TPR (94%) and ACC (90%) when
only 35% of the measurements are manipulated. Once half of
the measurements are attacked, which is a realistic assump-
tion for successful attack implementation from the attacker’s
perspective, the algorithm is highly effective with 99% TPR
and 98% ACC. FIGURE 10. Detector out put under a) normal condition, b) random
attack, c) single cyber-attack, d) multiple cyber-attack on Case 1.
C. PERFORMANCE ANALYSIS UNDER DIFFERENT
OPERATION CONDITION
To validate efficieny of the proposed method, four different
scenarios are considered:1) normal condition without attack, cost function. In an optimal state estimation, we evaluate
2) random attack, 3) single FDI attack on 6-31, 4) multi- the cost function based on the residual of the measurements.
ple, simultaneous FDI attacks on lines 6-31 and 11-12. Pro- In the normal operation condition, without bad data in the
posed method is compared with the two most popular BDD system, the cost function follows a normal distribution with
approaches; LNR test and Chi-Square test. The threshold zero mean. Under a random attack, the cost function will pass
is set to 3σ while σ is the standard deviation, to minimize the threshold for optimal state estimation. Therefore, both
the false positives due to the noise, thus FPR due to noise LNR and chi-square tests will trigger the alarm successfully.
is less than 1% [44]. For accurate and detailed comparison, In case of single or multiple FDI attacks, as can be seen
the threshold is normalized for all detectors. The same crite- in Fig. 10 (c) and (d), the cost function for both LNR and
rion is considered for setting threshold in LNR test. For more Chi-Square detector stayed in the true range of predefined
information about LNR and Chi-Square test refer to [20]. thresholds. Both approaches resulted in their normalized
Detector’s output are depicted in Fig. 10. residue values below the specified threshold and thus they
As shown in Fig. 10 (a), in normal operation condition, the were unable to detect the attack in the system. However, in the
output of all detectors is under the threshold which specifies same setup, output of the proposed detector is above the given
that there is no trace of bad data or cyber-attack in the system. threshold and can trigger the alarm. The main reason is that
Fig. 10 (b) shows that all methods are able to detect the the LNR test and Chi-Square test are based on residual of the
random attack. Since the attack is unintelligent, it will leave measurement vector while cyber-attacks are carefully crafted
its trace in the data sets and the operator will be informed of to bypass the statistical detector with no trace in residual
an attack presence. The random bad data, which was injected vector. Similar results were observed for all case studies.
to the measurement set, results in significant changes in the Average detection time for all case studies was 1ms with
measurement residual vector, which leads to the increase in 0.2ms deviations.

80786 VOLUME 7, 2019


H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

In general, any type of FDI attack in line or system topol- [14] X. He, L. Chu, R. C. Qiu, Q. Ai, and Z. Ling, ‘‘A novel data-driven situation
ogy results in the same changes in the network with minor awareness approach for future grids—Using large random matrices for big
data modeling,’’ IEEE Access, vol. 6, pp. 13855–13865, 2018.
modification. Therefore, the proposed method can success- [15] A. Farraj, E. Hammad, and D. Kundur, ‘‘A distributed control paradigm
fully detect various FDI attacks from different sources. Fur- for smart grid to address attacks on data integrity and availability,’’ IEEE
thermore, since the proposed scheme analyze the patterns Trans. Signal Inf. Process. Over Netw., vol. 4, no. 1, pp. 70–81, Mar. 2018.
[16] I. Friedberg, X. Hong, K. Mclaughlin, P. Smith, and P. C. Miller, ‘‘Eviden-
between the compromised data and the normal data, its suc- tial network modeling for cyber-physical system state inference,’’ IEEE
cess rate does not depends on the attack scenarios. Access, vol. 5, pp. 17149–17164, 2017.
[17] A. Azmoodeh, A. Dehghantanha, M. Conti, and K.-K. R. Choo, ‘‘Detecting
crypto-ransomware in IoT networks based on energy consumption foot-
V. CONCLUSION print,’’ J. Ambient Intell. Humanized Comput., vol. 9, no. 4, pp. 1141–1152,
In the context of smart grid anomaly detection, the solutions 2018.
proposed in the literature are mainly offline approaches with [18] N. Milosevic, A. Dehghantanha, and K.-K. R. Choo, ‘‘Machine learning
aided Android malware classification,’’ Comput. Elect. Eng., vol. 61,
restriction to deal with dynamically evolving cyber threats. pp. 266–274, Jul. 2017.
This paper propose a real time and computationally efficient [19] H. Karimipour and V. Dinavahi, ‘‘Robust massively parallel dynamic state
tool for anomaly detection that utilizing feature extraction estimation of power systems against cyber-attack,’’ IEEE Access, vol. 6,
pp. 2984–2995, Dec. 2017.
scheme and time series partitioning to discover causal inter- [20] M. Ozay, I. Esnaola, F. T. Y. Vural, S. R. Kulkarni, and H. V. Poor,
actions between the subsystems. DBN concept and learning ‘‘Machine learning methods for attack detection in the smart grid,’’ IEEE
algorithms based on Boltzmann Machine are used to detect Trans. Neural Netw. Learn. Syst., vol. 27, no. 8, pp. 1773–1786, Aug. 2016.
[21] S. Pan, T. Morris, and U. Adhikari, ‘‘Developing a hybrid intrusion detec-
unobservable attacks based on free energy as the anomaly tion system using data mining for power systems,’’ IEEE Trans. Smart
index. Performance of the proposed algorithm was evaluated Grid, vol. 6, no. 6, pp. 3104–3113, Nov. 2015.
on different IEEE test systems and under different operation [22] J. Landford, R. Meier, R. Barella, X. Zhao, E. Cotilla-Sanchez, R. B. Bass,
and S. Wallace, ‘‘Fast sequence component analysis for attack detection in
conditions for several measures (TPR, FPR, and ACC). The synchrophasor networks,’’ in Proc. 5th Int. Conf. Smart Cities Green ICT
results demonstrated that the system achieves an accuracy of Syst. (SmartGreens), Rome, Italy, 2016.
99%, TPR of 98% and FPR of less than 2%. [23] S. Ahmed, Y. Lee, S.-H. Hyun, and I. Koo, ‘‘Feature selection–based
detection of covert cyber deception assaults in smart grid communications
networks using machine learning,’’ IEEE Access, vol. 6, pp. 27518–27529,
REFERENCES 2018.
[1] J. E. Dagle, ‘‘Postmortem analysis of power grid blackouts—The role of [24] Y. He, G. J. Mendis, and J. Wei, ‘‘Real-time detection of false data injection
measurement systems,’’ IEEE Power Energy Mag., vol. 4, no. 5, pp. 30–35, attacks in smart grid: A deep learning-based intelligent mechanism,’’ IEEE
Sep./Oct. 2006. Trans. Smart Grid., vol. 8, no. 5, pp. 2505–2516, Sep. 2017.
[2] Z. Huang, C. Wang, T. Zhu, and A. Nayak, ‘‘Cascading failures in smart [25] D. Codetta-Raiteri and L. Portinale, ‘‘Dynamic Bayesian networks for fault
grid: Joint effect of load propagation and interdependence,’’ IEEE Access, detection, identification, and recovery in autonomous spacecraft,’’ IEEE
vol. 3, pp. 2520–2530, 2015. Trans. Syst., Man, Cybern. Syst., vol. 45, no. 1, pp. 13–24, Jan. 2015.
[3] Y. Cai, Y. Li, Y. Cao, W. Li, and X. Zeng, ‘‘Modeling and impact analysis [26] S. Mohammadi, H. Mirvaziri, M. Ghazizadeh-Ahsaee, and H. Karimipour,
of interdependent characteristics on cascading failures in smart grids,’’ Int. ‘‘Cyber intrusion detection by combined feature selection algorithm,’’
J. Elect. Power Energy Syst., vol. 89, pp. 106–114, Jul. 2017. J. Inf. Secur. Appl., vol. 44, pp. 80–88, Feb. 2019.
[4] H. Karimipour and V. Dinavahi, ‘‘On false data injection attack against [27] C. A. Murthy, ‘‘Bridging feature selection and extraction: Compound
dynamic state estimation on smart power grids,’’ in Proc. IEEE Int. Conf. feature generation,’’ IEEE Trans. Knowl. Data Eng., vol. 29, no. 4,
Smart Energy Grid Eng. (SEGE), Aug. 2017, pp. 388–393. pp. 757–770, Apr. 2017.
[5] G. Dondossola, J. Szanto, M. Masera, and I. N. Fovino, ‘‘Effects of inten- [28] H. Karimipour and V. Dinavahi, ‘‘Extended Kalman filter-based paral-
tional threats to power substation control systems,’’ Int. J. Crit. Infrastruct., lel dynamic state estimation,’’ IEEE Trans. Smart Grid, vol. 6, no. 3,
vol. 4, nos. 1–2, pp. 129–143, 2008. pp. 1539–1549, May 2015.
[6] T. Morris, S. Pan, J. Lewis, J. Moorhead, N. Younan, R. King, M. Freund, [29] J. D. Glover, M. Sarma, and T. Overbye, Power System Analysis and
and V. Madani, ‘‘Cybersecurity risk testing of substation phasor measure- Design, 5th ed. Boston, MA, USA: Cengage, 2011.
ment units and phasor data concentrators,’’ in Proc. CSIIRW, Oct. 2011, [30] A. R. Bergen and V. Vittal, Power Systems Analysis, 2nd ed.
Art. no. 24. Upper Saddle River, NJ, USA: Prentice-Hall, 2000.
[7] A. Ameli, A. Hooshyar, E. El-Saadany, and A. M. Youssef, ‘‘Attack detec- [31] A. Abur and A. Gómez-Expósito, Power System State Estimation: Theory
tion and identification for automatic generation control systems,’’ IEEE and Implementation. New York, NY, USA: Marcel Dekker, 2004.
Trans. Power Syst., vol. 33, no. 5, pp. 4760–4774, Sep. 2018. [32] Y. Liu, P. Ning, and M. K. Reiter, ‘‘False data injection attacks against state
[8] H. H. Pajouh, R. Javidan, R. Khayami, D. Ali, and K.-K. R. Choo, ‘‘A two- estimation in electric power grids,’’ ACM Trans. Inf. Syst. Secur., vol. 14,
layer dimension reduction and two-tier classification model for anomaly- no. 13, pp. 1–33, May 2011.
based intrusion detection in IoT backbone networks,’’ IEEE Trans. Emerg. [33] M. Ozay, I. Esnaola, F. T. Yarman Vural, S. R. Kulkarni, and H. V. Poor,
Topics Comput., to be published. ‘‘Sparse attack construction and state estimation in the smart grid: Central-
[9] R. Khan, K. Mclaughlin, D. Laverty, and S. Sezer, ‘‘Design and imple- ized and distributed models,’’ IEEE J. Sel. Areas Commun., vol. 31, no. 7,
mentation of security gateway for synchrophasor based real-time control pp. 1306–1318, Jul. 2013.
and monitoring in smart grid,’’ IEEE Access, vol. 5, pp. 11626–11644, [34] A. Ray, ‘‘Symbolic dynamic analysis of complex systems for anomaly
Jun. 2017. detection,’’ Signal Process., vol. 84, no. 7, pp. 1115–1130, 2004.
[10] R. Xu, R. Wang, Z. Guan, L. Wu, J. Wu, and X. Du, ‘‘Achieving efficient [35] C. Rao, A. Ray, S. Sarkar, and M. Yasar, ‘‘Review and comparative eval-
detection against false data injection attacks in smart grid,’’ IEEE Access, uation of symbolic dynamic filtering for detection of anomaly patterns,’’
vol. 5, pp. 13787–13798, Jul. 2017. Signal, Image Video Process., vol. 3, no. 2, pp. 101–114, 2009.
[11] C.-C. Sun, A. Hahn, and C.-C. Liu, ‘‘Cyber security of a power grid: State- [36] S. Sarkar, S. Sarkar, K. Mukherjee, A. Ray, and A. Srivastav, ‘‘Multi-sensor
of-the-art,’’ Int. J. Elect. Power Energy Syst., vol. 99, pp. 45–56, Jul. 2018. information fusion for fault detection in aircraft gas turbine engines,’’
[12] X. Liu, N. Xiong, N. Zhang, A. Liu, H. Shen, and C. Huang, ‘‘A trust with J. Aerosp. Eng., vol. 227, no. 12, pp. 1988–2001, Dec. 2013.
abstract information verified routing scheme for cyber-physical network,’’ [37] T. M. Cover and J. A. Thomas, Elements of Information Theory, 2nd ed.
IEEE Access, vol. 6, pp. 3882–3898, 2018. Hoboken, NJ, USA: Wiley, 2006.
[13] C. Alcaraz, C. Fernandez-Gago, and J. Lopez, ‘‘An early warning system [38] C. Liu, A. Akintayo, Z. Jiang, G. P. Henze, S. Sarkar, ‘‘Multivariate
based on reputation for energy control systems,’’ IEEE Trans. Smart Grid, exploration of non-intrusive load monitoring via spatiotemporal pattern
vol. 2, no. 4, pp. 827–834, Dec. 2011. network,’’ Appl. Energy, vol. 211, pp. 1106–1122, Feb. 2018.

VOLUME 7, 2019 80787


H. Karimipour et al.: A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids

[39] C. Liu, S. Ghosal, Z. Jiang, and S. Sarkar, ‘‘An unsupervised anomaly KIM-KWANG RAYMOND CHOO received the
detection approach using energy-based spatiotemporal graphical model- Ph.D. degree in information security from Queens-
ing,’’ Cyber-Phys. Syst., vol. 3, nos. 1–4, pp. 66–102, 2017. land University of Technology, Australia, in
[40] B. J. Frey and N. Jojic, ‘‘A comparison of algorithms for inference and 2006. He currently holds the Cloud Technology
learning in probabilistic graphical models,’’ IEEE Trans. Pattern Anal. Endowed Professorship at The University of Texas
Mach. Intell., vol. 27, no. 9, pp. 1392–1416, Sep. 2005. at San Antonio (UTSA). In 2016, he was named
[41] D. J. C. MacKay, Information Theory, Inference and Learning Algorithms. the Cybersecurity Educator of the Year –APAC
Cambridge, U.K.: Cambridge Univ. Press, 2003.
(Cybersecurity Excellence Awards are produced in
[42] R. D. Zimmerman, C. E. Murillo-Sánchez, and R. J. Thomas,
cooperation with the Information Security Com-
‘‘MATPOWER: Steady-state operations, planning, and analysis tools for
power systems research and education,’’ IEEE Trans. Power Syst., vol. 26, munity on LinkedIn), and in 2015, he and his team
no. 1, pp. 12–19, Feb. 2011. won the Digital Forensics Research Challenge organized by Germany’s
[43] W. Dixon and F. Massey, Introduction to Statistical Analysis, vol. 344. University of Erlangen-Nuremberg. He is the recipient of the 2018 UTSA
New York, NY, USA: McGraw-Hill, 1969. College of Business Col. Jean Piccione and Lt. Col. Philip Piccione Endowed
[44] A. Abur and A. Gómez-Expósito, Power System State Estimation: Theory Research Award for Tenured Faculty, Outstanding Associate Editor of 2018
and Implementation. New York, NY, USA: Marcel Dekker, 2004. for IEEE ACCESS, British Computer Society’s 2019 Wilkes Award Runner-
up for his paper published in the 2018 volume of The Computer Journal
(Oxford University Press, 2019), the EURASIP Journal on Wireless Commu-
nications and Networking (JWCN) Best Paper Award, the IEEE TrustCom
2018 Best Paper Award, ESORICS 2015 Best Research Paper Award, 2014
HADIS KARIMIPOUR received the Ph.D. degree Highly Commended Award by the Australia New Zealand Policing Advisory
in energy system from the Department of Elec- Agency, Fulbright Scholarship in 2009, 2008 Australia Day Achievement
trical and Computer Engineering, University of Medallion, and British Computer Society’s Wilkes Award in 2008. He is
Alberta, in 2016. Before joining the University of also a Fellow of the Australian Computer Society and Co-Chair of the
Guelph, she was a Postdoctoral Fellow with the IEEE Multimedia Communications Technical Committee’s Digital Rights
University of Calgary, working on cyber security Management for Multimedia Interest Group.
of the smart power grids. She is currently an Assis-
tant Professor with the School of Engineering,
Engineering Systems and Computing Group, Uni-
versity of Guelph, Ontario. Her research interests
include large-scale power system state estimation, cyber-physical modeling,
cyber-security of the smart grids, and parallel and distributed computing. She
serves as the Chair of the IEEE Women in Engineering (WIE) and chapter
Chair of the IEEE Information Theory in Kitchener-Waterloo section.

ALI DEHGHANTANHA received the Ph.D.


degree in security in computing, and has a number
of professional certifications including CISSP and
CISM. He is the Director of Cyber Science Lab
with the University of Guelph, Ontario, Canada.
His lab is focused on building AI-powered solu-
tions to support cyber threat attribution, cyber
threat hunting, and digital forensics tasks in the
Internet of Things (IoT), industrial IoT, and Inter- HENRY LEUNG is a Professor with the Depart-
net of Military of Things (IoMT) environments. ment of Electrical and Computer Engineering,
He has served for more than a decade in a variety of industrial and academic University of Calgary. Before joining this uni-
positions with leading players in cyber-security and artificial intelligence. versity, he was with the Department of National
Prior to joining the University of Guelph, he has served as a Senior Lecturer Defense (DND) of Canada as a Defense Scientist.
with the University of Sheffield, U.K., and as an EU Marie-Curie Interna- He conducted research and development of auto-
tional Incoming Fellow with the University of Salford, U.K. mated surveillance systems, which can perform
detection, tracking, identification, and data fusion
automatically as a decision aid for military oper-
REZA M. PARIZI received the B.Sc. and M.Sc. ators. His current research interests include big
degrees in computer science in 2005 and 2008, data analytic, chaos and nonlinear dynamics, information fusion, machine
respectively, and the Ph.D. degree in software learning, signal and image processing, robotics, and the Internet of Things.
engineering in 2012. He is a Faculty with the He has published extensively in the open literature on these topics. He
College of Computing and Software Engineering, has over 200 journal papers and 200 refereed conference papers. He has
Kennesaw State University (KSU), GA, USA. He been the Associate Editor of various journals such as the IEEE CIRCUITS
is a Consummate Technologist and Cybersecurity AND SYSTEMS MAGAZINE, International Journal on Information Fusion, the
Researcher with an entrepreneurial spirit. He is IEEE Signal Processing Letters, and the IEEE TRANSACTIONS ON CIRCUITS AND
the member of the IEEE Blockchain Community, SYSTEMS. He has also served as Guest Editors for the special issue Intelligent
the IEEE Computer Society, and ACM. Prior to Transportation Systems for the International Journal on Information Fusion
joining KSU, he was an Associate Professor with New York Institute of and Cognitive Sensor Networks for the IEEE Sensors Journal. He is the Topic
Technology. His research interests include R&D in decentralized computing, Editor on Robotic Sensors of the International Journal of Advanced Robotic
the IoT, and emerging issues in the practice of secure software-run world Systems. He is the Editor of the Springer book series on Information Fusion
applications. and Data Science.

80788 VOLUME 7, 2019

You might also like