A Deep and Scalable Unsupervised Machine Learning System For Cyber-Attack Detection in Large-Scale Smart Grids
Received April 27, 2019, accepted May 17, 2019, date of publication May 31, 2019, date of current version July 2, 2019.
Digital Object Identifier 10.1109/ACCESS.2019.2920326
ABSTRACT Smart grid technology increases reliability, security, and efficiency of the electrical grids.
However, its strong dependencies on digital communication technology bring up new vulnerabilities that
need to be considered for efficient and reliable power distribution. In this paper, an unsupervised anomaly
detection based on statistical correlation between measurements is proposed. The goal is to design a scalable
anomaly detection engine suitable for large-scale smart grids, which can differentiate an actual fault from
a disturbance and an intelligent cyber-attack. The proposed method applies feature extraction utilizing
symbolic dynamic filtering (SDF) to reduce computational burden while discovering causal interactions
between the subsystems. The simulation results on IEEE 39, 118, and 2848 bus systems verify the
performance of the proposed method under different operation conditions. The results show an accuracy
of 99%, true positive rate of 98%, and false positive rate of less than 2%.
INDEX TERMS Anomaly, cyber-attack, smart grid, statistical property, machine learning, unsupervised
learning.
node is possible by applying an authentication mechanism to sensor networks. However, authentication approaches based on cryptography or security gateway design, such as the ones described in [8], [9], are infeasible due to the computation and storage constraints of the system. The existing studies within the smart power grid context mainly focus on the networking security of the cyber elements [10]–[12], advanced anomaly detection techniques [13], [14], and secure control theories based on different state estimation techniques [15]. A detailed analysis of the presence of cyber-attacks in a power system is given in [16].

Although the above-mentioned solutions are capable of immunizing power systems, the majority of them are mathematically too expensive, physically impractical, and not scalable to large-scale complex networks. Nowadays, a huge amount of data is generated all over the grid, which increases accessibility for real-time system monitoring. Exploring these data greatly enhances performance monitoring, diagnosis, and prognosis of anomalies in complex systems. Historical data describing the system's operation can help identify anomalies and potential attacks. However, traditional Bad Data Detection (BDD) techniques are not prepared for the real-time computational and storage issues caused by the large volume of data generated in the smart grid. These challenges open up the possibility of using data-analytic techniques, such as Machine Learning (ML), to tackle complexly structured data sets with AI to detect and prevent cyber-attacks. ML algorithms can be used to analyze various combinations of measurements through AMI, states, and control actions by learning their patterns [17], [18]. They can detect a False Data Injection (FDI) attack by learning the non-linear, complex relationship between measurements. This can be done in a similar fashion to successful techniques applied to other power system problems in the research literature [19].

There are limited studies on the application of ML to the cyber-security of smart grids. Several ML algorithms are tested and compared in [20] for detection of FDI attacks. General conclusions were drawn about the success of machine learning in classifying FDI attacks. The authors of [21] proposed a hybrid intrusion detection method based on a common path mining method to detect abnormal power system events from PMU data, relays, and energy management system (EMS) logs. A cyber-attack detection technique based on the correlation between two PMU parameters using the Pearson correlation coefficient was used in [22]. This method analyzed the change of correlation between two PMU parameters using the Pearson correlation coefficient. The authors of [20] utilized a Gaussian process combined with ML to model the attack strategy for anomaly detection. In [23], a supervised ML-based scheme is proposed to detect a cyber-deception assault in the state estimation process. A deep learning method which recognizes important features of FDI attacks in real time is also proposed in [24].

Performance of the existing data-driven attack detection techniques can be improved using Probabilistic Graphical Models (PGM) to model complex system behavior. Among PGMs, Dynamic Bayesian Networks (DBN) are useful tools which can represent complex systems evolving in time using the causal relationships between system components [25]. Moreover, new techniques should be developed to handle the complex and high-dimensional data to maintain the robustness, scalability, and accuracy of the attack detection mechanisms. To reduce the computational burden in large data sets, feature extraction can be used to transform the original features into a more meaningful representation by reconstructing its inputs, and it involves reducing the amount of resources required [26], [27]. Detection techniques that do not rely on pre-classified training data are essential, as there exist anomalies which cannot be measured or simulated.

In this work, we propose a smart grid anomaly detection method to extract the patterns of changes in FDI attacks. The revealed features are employed to detect the attacks in real time. Symbolic Dynamic Filtering (SDF) is used to build a computationally efficient feature extraction scheme to discover causal interactions between the smart grid's sub-systems through DBN. Mutual Information (MI), DBN, and learning algorithms are used to detect unobservable cyber-attacks based on free energy as the anomaly index. Our goal is to capture dependencies between variables by associating a scalar energy with each variable, which serves as a measure of compatibility. The scalability of the proposed technique is examined on various IEEE test systems, which were modeled in PSS/E software. The results show high accuracy and low false alarm rates under different operation conditions. It should be mentioned that the proposed method does not rely only on the patterns in the training data sets; it also uses the concept of free energy to differentiate between the energy levels of the attacked and normal data sets. Therefore, even new and unseen attacks can be detected.

The main contributions of this work are as follows:
• Formulation of an unsupervised approach to detect an anomaly in smart grids without labeling data sets.
• Proposing a scalable method by reducing computational burden through data reduction by SDF.
• Developing a strong learning model based on DBN.
• Proposing a model-free approach, which can be employed in hierarchical and topological networks for different attack scenarios.

The rest of the paper is organized as follows. Mathematical formulations are described in Section II. The proposed cyber-attack detection method is presented in Section III. Section IV discusses the case studies and simulation results, followed by the conclusion in Section V.

II. MATHEMATICAL MODELING
A. GENERATOR'S MODEL
In this work, the smart grid is modeled as a multi-agent, cyber-physical system where each of these agents includes a generator, a measurement device, a distributed control agent, and an energy storage system that can inject or absorb real power in the system [28]. The dynamic and static state of the system
are described as follows:

$$\dot{x} = f(x, u, \eta)$$
$$z = h(x, u, \varepsilon) \tag{1}$$

where x is the system state, including the dynamic state of the generator (e.g. rotor speed and rotor angle) and the static state of the network (voltage magnitude and phase angle). f(.) describes the non-linear, dynamic behavior of the generators and h(.) is the non-linear measurement function. u and z represent the output and measurements vector, respectively.

The 4-th order (two-axis) model of generator i can be described as [29]:

$$
\begin{aligned}
\dot{\delta}_i &= \omega_s \Delta\omega_i \\
\dot{\omega}_i &= \frac{\omega_s}{2H_i}\left(P_{Mi} - P_{Ei} - D_i \Delta\omega_i\right) \\
\dot{E}'_{qi} &= \frac{1}{T'_{di}}\left(-E'_{qi} - \left(X_{di} - X'_{di}\right) I_{di} + V_{fi}\right) \\
\dot{E}'_{di} &= \frac{1}{T'_{qi}}\left(-E'_{di} + \left(X_{qi} - X'_{qi}\right) I_{qi}\right) \\
E'_{qi} &= V_{qi} + R_{ai} I_{qi} + X'_{di} I_{di} \\
E'_{di} &= V_{di} + R_{ai} I_{di} - X'_{qi} I_{qi}
\end{aligned}
\tag{2}
$$

where $\dot{(\,)}$ denotes the time derivative. Generator parameters are described in Table 1.

TABLE 1. Generator parameter description.

where $G_{ik} = G_{ki}$ and $B_{ik} = B_{ki}$ are the conductance and susceptance between generators i and k, respectively.

In this work, the goal is to learn and predict the dynamic behavior of the smart power grid (where generators are modeled as explained in this section) to detect anomalies/cyber-attacks. SDF, DBN, and RBM are used to develop a computationally efficient tool for discovering the interactions between the subsystems.

B. ATTACK REPRESENTATION
Traditionally, the integrity of the state estimation process is verified through the BDD method by computing the L-norm of the measurement residual [31]. The presence of bad data is determined if

$$\lVert z - H\hat{x} \rVert > T_r \tag{5}$$

where $z \in \mathbb{R}^N$ is the measurement vector, $\hat{x} \in \mathbb{R}^D$ is the estimated state vector, and $H \in \mathbb{R}^{N \times D}$ is the Jacobian matrix. A threshold $T_r$ is pre-defined to maintain the accuracy of the state estimation. Aside from the fact that cyber-attacks bypass the existing BDD technique, the measurement redundancy required for BDD approaches makes them impractical for smart grid technology. In intelligent cyber-attacks, specifically FDI attacks, the goal of the adversary is to control a subset of the measurements and manipulate the state variables arbitrarily. It can be done by injecting a false data vector $z_a \in \mathbb{R}^N$ which bypasses traditional BDD techniques. Suppose the malicious attack intentionally manipulates the meter readings by $z_a$. Accordingly, the attack-incurred measurement change can be written as:

$$z = H\hat{x} + z_a + \varepsilon = H\underbrace{(\hat{x} + c_a)}_{\hat{x}_a} + q_a + \varepsilon \tag{6}$$
time t. Symbol sequence is extracted from the variables set by SDF. To find the occurrence probability for a new symbol $s_n$, we assume that the DBN satisfies the L-th order Markov property:

way, causal dependencies of A on B and B on A can be represented by cross state transition matrices $\Pi^{AB}$ and $\Pi^{BA}$, respectively.

Features from the L-th order Markov chain are known as the atomic patterns (APs), and those from the xL-th order Markov chain are referred to as the relational patterns (RPs). The state-transition matrices $\Pi^{AB}$ and $\Pi^{BA}$ can be described as:

$$\pi^{AB}_{kl} \triangleq P\left(q^B_{n+1} = l \mid q^A_n = k\right) \quad \forall n$$
$$\pi^{BA}_{ij} \triangleq P\left(q^A_{n+1} = j \mid q^B_n = i\right) \quad \forall n \tag{12}$$

where $j, k \in Q^A$ and $i, l \in Q^B$; $Q^A$ and $Q^B$ are the state vectors related to sequences A and B, respectively.

Given a multivariate time series, the symbol sequence S is generated with partitioning. After that, a high-order DBN is used to define the subsequent states and transition probabilities between the vertices. We use the MI criterion to extract the important features of an AP or an RP. MI develops a generalized linear correlation coefficient that measures the relationship between two random variables. A non-zero value in MI means the two variables are independent towards each other. MI between state sequences $q^A$ and $q^B$ can be written as the importance metric $I^{AB}$ as follows:

$$I^{AB} = I\left(q^B_{k+1}; q^A_k\right) = H\left(q^B_{k+1}\right) - H\left(q^B_{k+1} \mid q^A_k\right) \tag{13}$$

Large δ means a strong predictive and informative link in AP or RP that can be used to distinguish the two kinds of end uses.

Once the models are ready, patterns of the system's behaviour are learned by the RBM. Test data are used to compute the likelihood of the learned features. In this work, we used Restricted Boltzmann Machine (RBM) for this purpose.

C. RESTRICTED BOLTZMANN MACHINE
Boltzmann Machine is a generative method to model the unknown distribution of data. Unlike most Machine Learning techniques, which only discriminate some data vectors in favor of others, Boltzmann Machine can also generate new data with a given joint distribution, as well as perform pattern completion in case of missing inputs. It is also considered more feature-rich and flexible. RBM belongs to the class of stochastic Energy-based Models (EM) [38]. In EM, each state of the system is associated with a specific energy level. Such a system can be described by a network of stochastic binary neurons (a set of visible variables $v = \{v_1, \ldots, v_N\}$) which are connected to a set of hidden variables $h = \{h_1, \ldots, h_K\}$.
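An added sketch (not code from the paper) of Eqs. (12) and (13): it symbolizes constructed series, estimates the cross state-transition matrix $\Pi^{AB}$, and computes the importance metric $I^{AB}$ in bits. Equal-frequency partitioning, depth-1 states (state = symbol), and all sample series are assumptions made for illustration.

```python
import math
import random
from collections import Counter


def symbolize(series, n_symbols):
    """Equal-frequency partitioning into n_symbols symbols (assumption: the
    page only says the symbol sequence is generated 'with partitioning')."""
    order = sorted(range(len(series)), key=lambda i: series[i])
    symbols = [0] * len(series)
    for rank, idx in enumerate(order):
        symbols[idx] = rank * n_symbols // len(series)
    return symbols


def cross_transition(q_a, q_b, n_states):
    """Pi^AB of Eq. (12): pi[k][l] = P(q^B_{n+1} = l | q^A_n = k)."""
    counts = [[0] * n_states for _ in range(n_states)]
    for k, l in zip(q_a[:-1], q_b[1:]):
        counts[k][l] += 1
    pi = []
    for row in counts:
        total = sum(row)
        pi.append([c / total if total else 0.0 for c in row])
    return pi


def entropy(counter, total):
    """Shannon entropy in bits of an empirical distribution."""
    return -sum((c / total) * math.log2(c / total) for c in counter.values())


def importance(q_a, q_b):
    """I^AB of Eq. (13): H(q^B_{k+1}) - H(q^B_{k+1} | q^A_k), in bits."""
    pairs = list(zip(q_a[:-1], q_b[1:]))
    n = len(pairs)
    h_b = entropy(Counter(b for _, b in pairs), n)
    h_a = entropy(Counter(a for a, _ in pairs), n)
    h_ab = entropy(Counter(pairs), n)
    return h_b - (h_ab - h_a)          # H(B|A) = H(A,B) - H(A)


def build_constructed_series(n=2000, seed=7):
    """Constructed data: B follows A with a one-step lag, C is unrelated,
    and 'tampered' is B with its second half replaced by unrelated values."""
    rng = random.Random(seed)
    a = [rng.random() for _ in range(n)]
    b = [a[0]] + a[:-1]
    c = [rng.random() for _ in range(n)]
    tampered = list(b)
    for t in range(n // 2, n):
        tampered[t] = rng.random()
    return a, b, c, tampered


def importance_report(n_symbols=4):
    a, b, c, tampered = build_constructed_series()
    q_a = symbolize(a, n_symbols)
    return {
        "coupled": importance(q_a, symbolize(b, n_symbols)),
        "unrelated": importance(q_a, symbolize(c, n_symbols)),
        "tampered": importance(q_a, symbolize(tampered, n_symbols)),
    }


if __name__ == "__main__":
    for name, value in importance_report().items():
        print(f"I^AB ({name}): {value:.3f} bits")
```

The drop in $I^{AB}$ for the tampered series is the kind of change in subsystem interaction that the binary AP/RP states pass on to the RBM.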
System's state can be described based on joint configurations of the visible and hidden variables. It is proved that model estimation in RBM amounts to maximizing the likelihood of the training data with low-energy state. As a result, an anomaly will appear as a configuration with low probability or high energy [39]. Given binary variables v and hidden variables h, the joint probability of a state ($\Pr(v, h)$) can be described based on the energy of that state ($En(v, h)$), with a Boltzmann distribution function:

$$\Pr(v, h) = \frac{\exp(-En(v, h))}{\sum_{v,h} \exp(-En(v, h))} \tag{15}$$

where

$$En(v, h) = -\left(\sum_{i=1}^{N} a_i v_i + \sum_{k=1}^{K} \left(b_k + \sum_{i=1}^{N} w_{ik} v_i\right) h_k\right) \tag{16}$$

where a, b, and w are model parameters which are calculated through maximization of the probability of the training data with low-energy state.

Data density can be rewritten as:

$$\Pr(v) \propto \sum_{h} \exp(-En(v, h)) = \exp(-F(v)) \tag{17}$$

where $F(v)$ is known as free energy and can be rewritten as:

$$F(v) = -\log(\Pr(v)) + \text{constant} \tag{18}$$

Therefore, free energy can be used as the anomaly index to rank data instances in linear time. The trained RBM is employed to identify cyber-attacks based on the probability and energy level of an event. An anomaly is represented by an event with high energy or low probability. The assumption is that cyber-attacks change the interaction among the sub-systems and result in different patterns in the DBN. For simplicity of training, $I^{AB}$ can be normalized into binary states (0 and 1 for low and high values, respectively) for APs and RPs.

Finally, changes in the parameters related to the accepted patterns are used to identify cyber-attacks. A distribution of free energy is used to detect low-probability events or cyber-attacks based on a distance metric. For the normal operation condition, free energy will have a distribution similar to that of the training data. The assumption is that the training data are mostly collected from the normal operation condition. Therefore, the learnt RBM can effectively capture the normal operation of the system.

To quantify the difference between the energy distributions in training and test data, the Relative Entropy (RE) metric is used. The relative entropy between two probability distributions is a measure of the distance between them. RE for two probability distributions P and Q on a finite set X can be described as [35], [36],

$$RE(P \| Q) = \sum_{x \in X} P(x) \log \frac{P(x)}{Q(x)} \tag{19}$$

where P and Q refer to the distribution of free energies in the normal situation and under cyber-attack, respectively. Free energies in the normal operation condition ($F(v_n)$) and under cyber-attack condition ($F(v_{ca})$) can be calculated using Eq. (14). A symmetric RE distance can be defined as [38],

$$RE_d(P \| Q) = RE(P \| Q) + RE(Q \| P) \tag{20}$$

which can be used as an index for cyber-attack/anomaly detection. This index will be compared with a Detection Threshold (DT) to detect the cyber-attack. Too low a threshold may result in many false attack detections, while too high a threshold may lead to unidentified attacks. In this work, most of the RE values calculated through training are assumed to be normal, while a few of them are outliers. To find the DT, the normal distribution is used as the baseline. The assumption is that 95% of the data are within two standard deviations of the mean. For all $DT_g$ satisfying $|\{RE_i : DT_g \ge RE_i\}| = 0.95\,|\{RE_i\}|$, $i = 1, 2, \ldots, n$, $DT = \min\{DT_g\}$, where $RE_i$ is the i-th RE in the training data. Then, an anomaly is detected when $RE(t) \ge DT$. The steps can be summarized as follows:
• Transform time series data to a symbolic sequence.
• Model the subsystems and their interactions using DBN.
• Evaluate the information-based metric values using MI ($I^{ij}$).
• Generate a binary vector of length L using $I^{ij}$, and assign a state 0 or 1 to each $I^{ij}$.
• Use RBM with visible nodes corresponding to APs and RPs to learn the behaviour pattern.
• Detect anomalies by calculating the occurrence probability of the current observation based on the trained RBM.

The anomaly detection process algorithm is described in Fig. 3.

FIGURE 3. Proposed algorithm for anomaly detection.

IV. CASE STUDIES AND SIMULATION RESULTS
In this section, case studies under different operation conditions are simulated to validate performance of the proposed
method. Case 1 is modeled as a multi-agent cyber-physical system based on the IEEE-39 bus model, where each agent includes a generator as described in Section II, a measurement device, a distributed control agent, and an energy storage system, as shown in Fig. 4. Energy storage represents the energy that can be fed into the system by different micro grids or renewable sources. The same analysis is performed for all case studies; however, for the sake of space, only the results of Case 1 are included in this section.

FIGURE 4. IEEE 39 bus system under cyber-attack in line 6-31 and 11-12.

A. TEST SYSTEM
Details of the case studies are listed in Table 2 and adapted from Matpower [42]. All case studies are assumed to be fully observable. To ensure the accuracy of the historical data, a level of security is added to the measurement model. Large-scale power grids contain thousands of meters, which makes the protection of measurements highly expensive. In order to reduce the cost, we identify the critical meters to protect based on optimal PMU placement [31]. We also assume that the system topologies remain unchanged over the typical days. Case studies are implemented in Matlab R2017a and carried out on a PC with a Core(TM) i7-7700 CPU, 3.6 GHz, and a RAM of 32.00 GB.

TABLE 2. Units for magnetic properties.

data are collected are from the normal conditions. It should be mentioned that collected data are labeled as normal or anomalous. Training data are used to obtain the baseline for the normal condition, which will be used for selecting the threshold for the anomaly. A moving window in a subset of the training data (with distribution P) is used to compute the distribution Q representing the dynamic behavior of the system. In order to measure the distance between Q and P, the RE metric is applied in each subset. A similar setting is used for the testing data. Finally, the two RE are compared to detect an anomalous condition (cyber-attack in our case).

The attack strategy is designed to overload lines 6-31 and 11-12. The attack region is shown in Fig. 4. Normalized measurement residuals under normal operation condition, due to fault, and due to cyber-attacks are presented in Fig. 5 for Case 1. It can be seen that all the measurement residuals due to cyber-attacks have almost the same magnitude as the measurement residual under normal operation condition, which implies that the conventional residual test cannot detect the stealthy cyber-attacks. It should be noted that faults will result in a significant measurement residual, as shown in Fig. 5. In case of a fault in the system, the operator will be notified and clear the fault. Therefore, the fault will not affect the states of the system.

FIGURE 5. Measurement residual before and after cyber-attack on Case 1.

In Fig. 6, the variation in the lower plot is in an acceptable zone. However, in the top plot, the variation significantly increases during the attack between samples 35 and 65. This indicates that there is a potential case of cyber-attack that has gone unnoticed in bad data detection. Therefore, estimated states with high error could be fed into the rest of the system, which may result in irreparable damages.
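An added sketch (not the authors' code) of the thresholding procedure described in this section and in Section III: free energy from Eq. (17) as the anomaly index, the symmetric RE of Eq. (20) between the baseline distribution P and a moving-window distribution Q, and DT set so that 95% of training RE values fall at or below it. The RBM parameters, the two patterns, window size, bin count and smoothing constant are constructed assumptions; a trained RBM would supply a, b and w.

```python
import math
import random

# Constructed stand-in for trained RBM parameters of Eq. (16):
# 4 visible units (binary AP/RP importance states), 2 hidden units.
A = [2.0, 2.0, -2.0, 2.0]                                  # visible biases a_i
B = [0.0, 0.0]                                             # hidden biases b_k
W = [[1.0, 1.0], [1.0, 1.0], [-1.0, -1.0], [1.0, 1.0]]     # weights w_ik
NORMAL = [1, 1, 0, 1]     # constructed pattern seen in normal operation
SHIFTED = [0, 0, 1, 1]    # constructed pattern after the interactions change


def free_energy(v, a=A, b=B, w=W):
    """F(v) of Eq. (17): the sum over binary hidden states in closed form."""
    visible = sum(ai * vi for ai, vi in zip(a, v))
    hidden = 0.0
    for k, bk in enumerate(b):
        x = bk + sum(w[i][k] * vi for i, vi in enumerate(v))
        hidden += math.log1p(math.exp(x))
    return -visible - hidden


def stream(pattern, n, rng, flip=0.05):
    """n noisy copies of `pattern`; each bit flips with probability `flip`."""
    return [[bit ^ (rng.random() < flip) for bit in pattern] for _ in range(n)]


def histogram(values, lo, hi, n_bins=5, eps=1e-3):
    """Smoothed distribution of free energies over fixed bins.
    Out-of-range values are clamped; eps avoids log(0) (assumption)."""
    counts = [0] * n_bins
    width = (hi - lo) / n_bins
    for x in values:
        idx = int((x - lo) / width)
        counts[min(max(idx, 0), n_bins - 1)] += 1
    probs = [c / len(values) + eps for c in counts]
    norm = sum(probs)
    return [p / norm for p in probs]


def relative_entropy(p, q):
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))    # Eq. (19)


def symmetric_re(p, q):
    return relative_entropy(p, q) + relative_entropy(q, p)         # Eq. (20)


def windowed_re(energies, baseline, lo, hi, window=50, step=10):
    """RE_d between baseline P and the distribution Q of each moving window."""
    out = []
    for start in range(0, len(energies) - window + 1, step):
        q = histogram(energies[start:start + window], lo, hi)
        out.append((start, symmetric_re(baseline, q)))
    return out


def detection_threshold(re_values, coverage=0.95):
    """Smallest training RE that is >= `coverage` of all training RE values."""
    ordered = sorted(re_values)
    return ordered[math.ceil(coverage * len(ordered)) - 1]


def run_detector(seed=11):
    rng = random.Random(seed)
    train = [free_energy(v) for v in stream(NORMAL, 600, rng)]
    lo, hi = min(train), max(train)
    baseline = histogram(train, lo, hi)
    train_re = [re for _, re in windowed_re(train, baseline, lo, hi)]
    dt = detection_threshold(train_re)
    # Constructed test stream: 200 normal samples, then 100 shifted samples.
    test = stream(NORMAL, 200, rng) + stream(SHIFTED, 100, rng)
    test_re = windowed_re([free_energy(v) for v in test], baseline, lo, hi)
    alarms = [(start, re >= dt) for start, re in test_re]
    return dt, train_re, alarms


if __name__ == "__main__":
    dt, _, alarms = run_detector()
    print(f"DT = {dt:.3f}")
    for start, flag in alarms:
        print(f"window starting at sample {start}: {'ALARM' if flag else 'ok'}")
```

Because DT is itself one of the training RE values and the rule is RE(t) ≥ DT, a few training windows always sit at or above the threshold; that fraction is the false-alarm budget the 95% coverage choice accepts.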
FIGURE 8. TPR and ACC under single and multiple cyber-attack for two different detection thresholds on Case 1.

FIGURE 9. TPR and ACC under single and multiple cyber-attack for different attack sparsity on Case 1.

algorithm has very high TPR (94%) and ACC (90%) when only 35% of the measurements are manipulated. Once half of the measurements are attacked, which is a realistic assumption for successful attack implementation from the attacker's perspective, the algorithm is highly effective with 99% TPR and 98% ACC.

FIGURE 10. Detector output under a) normal condition, b) random attack, c) single cyber-attack, d) multiple cyber-attack on Case 1.

C. PERFORMANCE ANALYSIS UNDER DIFFERENT OPERATION CONDITION
To validate the efficiency of the proposed method, four different scenarios are considered: 1) normal condition without attack, 2) random attack, 3) single FDI attack on 6-31, 4) multiple, simultaneous FDI attacks on lines 6-31 and 11-12. The proposed method is compared with the two most popular BDD approaches: the LNR test and the Chi-Square test. The threshold is set to 3σ, where σ is the standard deviation, to minimize the false positives due to noise; thus the FPR due to noise is less than 1% [44]. For accurate and detailed comparison, the threshold is normalized for all detectors. The same criterion is considered for setting the threshold in the LNR test. For more information about the LNR and Chi-Square tests, refer to [20]. The detectors' outputs are depicted in Fig. 10.

As shown in Fig. 10 (a), in the normal operation condition, the output of all detectors is under the threshold, which indicates that there is no trace of bad data or cyber-attack in the system. Fig. 10 (b) shows that all methods are able to detect the random attack. Since the attack is unintelligent, it will leave its trace in the data sets and the operator will be informed of an attack presence. The random bad data, which was injected into the measurement set, results in significant changes in the measurement residual vector, which leads to an increase in the cost function. In an optimal state estimation, we evaluate the cost function based on the residual of the measurements. In the normal operation condition, without bad data in the system, the cost function follows a normal distribution with zero mean. Under a random attack, the cost function will pass the threshold for optimal state estimation. Therefore, both the LNR and Chi-Square tests will trigger the alarm successfully. In the case of single or multiple FDI attacks, as can be seen in Fig. 10 (c) and (d), the cost function for both the LNR and Chi-Square detectors stayed in the true range of predefined thresholds. Both approaches resulted in normalized residue values below the specified threshold, and thus they were unable to detect the attack in the system. However, in the same setup, the output of the proposed detector is above the given threshold and can trigger the alarm. The main reason is that the LNR test and Chi-Square test are based on the residual of the measurement vector, while cyber-attacks are carefully crafted to bypass the statistical detector with no trace in the residual vector. Similar results were observed for all case studies. Average detection time for all case studies was 1 ms with 0.2 ms deviations.
In general, any type of FDI attack in line or system topology results in the same changes in the network with minor modification. Therefore, the proposed method can successfully detect various FDI attacks from different sources. Furthermore, since the proposed scheme analyzes the patterns between the compromised data and the normal data, its success rate does not depend on the attack scenarios.

V. CONCLUSION
In the context of smart grid anomaly detection, the solutions proposed in the literature are mainly offline approaches with restrictions in dealing with dynamically evolving cyber threats. This paper proposes a real-time and computationally efficient tool for anomaly detection that utilizes a feature extraction scheme and time series partitioning to discover causal interactions between the subsystems. The DBN concept and learning algorithms based on the Boltzmann Machine are used to detect unobservable attacks based on free energy as the anomaly index. Performance of the proposed algorithm was evaluated on different IEEE test systems and under different operation conditions for several measures (TPR, FPR, and ACC). The results demonstrated that the system achieves an accuracy of 99%, TPR of 98% and FPR of less than 2%.

REFERENCES
[1] J. E. Dagle, "Postmortem analysis of power grid blackouts—The role of measurement systems," IEEE Power Energy Mag., vol. 4, no. 5, pp. 30–35, Sep./Oct. 2006.
[2] Z. Huang, C. Wang, T. Zhu, and A. Nayak, "Cascading failures in smart grid: Joint effect of load propagation and interdependence," IEEE Access, vol. 3, pp. 2520–2530, 2015.
[3] Y. Cai, Y. Li, Y. Cao, W. Li, and X. Zeng, "Modeling and impact analysis of interdependent characteristics on cascading failures in smart grids," Int. J. Elect. Power Energy Syst., vol. 89, pp. 106–114, Jul. 2017.
[4] H. Karimipour and V. Dinavahi, "On false data injection attack against dynamic state estimation on smart power grids," in Proc. IEEE Int. Conf. Smart Energy Grid Eng. (SEGE), Aug. 2017, pp. 388–393.
[5] G. Dondossola, J. Szanto, M. Masera, and I. N. Fovino, "Effects of intentional threats to power substation control systems," Int. J. Crit. Infrastruct., vol. 4, nos. 1–2, pp. 129–143, 2008.
[6] T. Morris, S. Pan, J. Lewis, J. Moorhead, N. Younan, R. King, M. Freund, and V. Madani, "Cybersecurity risk testing of substation phasor measurement units and phasor data concentrators," in Proc. CSIIRW, Oct. 2011, Art. no. 24.
[7] A. Ameli, A. Hooshyar, E. El-Saadany, and A. M. Youssef, "Attack detection and identification for automatic generation control systems," IEEE Trans. Power Syst., vol. 33, no. 5, pp. 4760–4774, Sep. 2018.
[8] H. H. Pajouh, R. Javidan, R. Khayami, D. Ali, and K.-K. R. Choo, "A two-layer dimension reduction and two-tier classification model for anomaly-based intrusion detection in IoT backbone networks," IEEE Trans. Emerg. Topics Comput., to be published.
[9] R. Khan, K. Mclaughlin, D. Laverty, and S. Sezer, "Design and implementation of security gateway for synchrophasor based real-time control and monitoring in smart grid," IEEE Access, vol. 5, pp. 11626–11644, Jun. 2017.
[10] R. Xu, R. Wang, Z. Guan, L. Wu, J. Wu, and X. Du, "Achieving efficient detection against false data injection attacks in smart grid," IEEE Access, vol. 5, pp. 13787–13798, Jul. 2017.
[11] C.-C. Sun, A. Hahn, and C.-C. Liu, "Cyber security of a power grid: State-of-the-art," Int. J. Elect. Power Energy Syst., vol. 99, pp. 45–56, Jul. 2018.
[12] X. Liu, N. Xiong, N. Zhang, A. Liu, H. Shen, and C. Huang, "A trust with abstract information verified routing scheme for cyber-physical network," IEEE Access, vol. 6, pp. 3882–3898, 2018.
[13] C. Alcaraz, C. Fernandez-Gago, and J. Lopez, "An early warning system based on reputation for energy control systems," IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 827–834, Dec. 2011.
[14] X. He, L. Chu, R. C. Qiu, Q. Ai, and Z. Ling, "A novel data-driven situation awareness approach for future grids—Using large random matrices for big data modeling," IEEE Access, vol. 6, pp. 13855–13865, 2018.
[15] A. Farraj, E. Hammad, and D. Kundur, "A distributed control paradigm for smart grid to address attacks on data integrity and availability," IEEE Trans. Signal Inf. Process. Over Netw., vol. 4, no. 1, pp. 70–81, Mar. 2018.
[16] I. Friedberg, X. Hong, K. Mclaughlin, P. Smith, and P. C. Miller, "Evidential network modeling for cyber-physical system state inference," IEEE Access, vol. 5, pp. 17149–17164, 2017.
[17] A. Azmoodeh, A. Dehghantanha, M. Conti, and K.-K. R. Choo, "Detecting crypto-ransomware in IoT networks based on energy consumption footprint," J. Ambient Intell. Humanized Comput., vol. 9, no. 4, pp. 1141–1152, 2018.
[18] N. Milosevic, A. Dehghantanha, and K.-K. R. Choo, "Machine learning aided Android malware classification," Comput. Elect. Eng., vol. 61, pp. 266–274, Jul. 2017.
[19] H. Karimipour and V. Dinavahi, "Robust massively parallel dynamic state estimation of power systems against cyber-attack," IEEE Access, vol. 6, pp. 2984–2995, Dec. 2017.
[20] M. Ozay, I. Esnaola, F. T. Y. Vural, S. R. Kulkarni, and H. V. Poor, "Machine learning methods for attack detection in the smart grid," IEEE Trans. Neural Netw. Learn. Syst., vol. 27, no. 8, pp. 1773–1786, Aug. 2016.
[21] S. Pan, T. Morris, and U. Adhikari, "Developing a hybrid intrusion detection system using data mining for power systems," IEEE Trans. Smart Grid, vol. 6, no. 6, pp. 3104–3113, Nov. 2015.
[22] J. Landford, R. Meier, R. Barella, X. Zhao, E. Cotilla-Sanchez, R. B. Bass, and S. Wallace, "Fast sequence component analysis for attack detection in synchrophasor networks," in Proc. 5th Int. Conf. Smart Cities Green ICT Syst. (SmartGreens), Rome, Italy, 2016.
[23] S. Ahmed, Y. Lee, S.-H. Hyun, and I. Koo, "Feature selection–based detection of covert cyber deception assaults in smart grid communications networks using machine learning," IEEE Access, vol. 6, pp. 27518–27529, 2018.
[24] Y. He, G. J. Mendis, and J. Wei, "Real-time detection of false data injection attacks in smart grid: A deep learning-based intelligent mechanism," IEEE Trans. Smart Grid, vol. 8, no. 5, pp. 2505–2516, Sep. 2017.
[25] D. Codetta-Raiteri and L. Portinale, "Dynamic Bayesian networks for fault detection, identification, and recovery in autonomous spacecraft," IEEE Trans. Syst., Man, Cybern. Syst., vol. 45, no. 1, pp. 13–24, Jan. 2015.
[26] S. Mohammadi, H. Mirvaziri, M. Ghazizadeh-Ahsaee, and H. Karimipour, "Cyber intrusion detection by combined feature selection algorithm," J. Inf. Secur. Appl., vol. 44, pp. 80–88, Feb. 2019.
[27] C. A. Murthy, "Bridging feature selection and extraction: Compound feature generation," IEEE Trans. Knowl. Data Eng., vol. 29, no. 4, pp. 757–770, Apr. 2017.
[28] H. Karimipour and V. Dinavahi, "Extended Kalman filter-based parallel dynamic state estimation," IEEE Trans. Smart Grid, vol. 6, no. 3, pp. 1539–1549, May 2015.
[29] J. D. Glover, M. Sarma, and T. Overbye, Power System Analysis and Design, 5th ed. Boston, MA, USA: Cengage, 2011.
[30] A. R. Bergen and V. Vittal, Power Systems Analysis, 2nd ed. Upper Saddle River, NJ, USA: Prentice-Hall, 2000.
[31] A. Abur and A. Gómez-Expósito, Power System State Estimation: Theory and Implementation. New York, NY, USA: Marcel Dekker, 2004.
[32] Y. Liu, P. Ning, and M. K. Reiter, "False data injection attacks against state estimation in electric power grids," ACM Trans. Inf. Syst. Secur., vol. 14, no. 13, pp. 1–33, May 2011.
[33] M. Ozay, I. Esnaola, F. T. Yarman Vural, S. R. Kulkarni, and H. V. Poor, "Sparse attack construction and state estimation in the smart grid: Centralized and distributed models," IEEE J. Sel. Areas Commun., vol. 31, no. 7, pp. 1306–1318, Jul. 2013.
[34] A. Ray, "Symbolic dynamic analysis of complex systems for anomaly detection," Signal Process., vol. 84, no. 7, pp. 1115–1130, 2004.
[35] C. Rao, A. Ray, S. Sarkar, and M. Yasar, "Review and comparative evaluation of symbolic dynamic filtering for detection of anomaly patterns," Signal, Image Video Process., vol. 3, no. 2, pp. 101–114, 2009.
[36] S. Sarkar, S. Sarkar, K. Mukherjee, A. Ray, and A. Srivastav, "Multi-sensor information fusion for fault detection in aircraft gas turbine engines," J. Aerosp. Eng., vol. 227, no. 12, pp. 1988–2001, Dec. 2013.
[37] T. M. Cover and J. A. Thomas, Elements of Information Theory, 2nd ed. Hoboken, NJ, USA: Wiley, 2006.
[38] C. Liu, A. Akintayo, Z. Jiang, G. P. Henze, and S. Sarkar, "Multivariate exploration of non-intrusive load monitoring via spatiotemporal pattern network," Appl. Energy, vol. 211, pp. 1106–1122, Feb. 2018.
[39] C. Liu, S. Ghosal, Z. Jiang, and S. Sarkar, "An unsupervised anomaly detection approach using energy-based spatiotemporal graphical modeling," Cyber-Phys. Syst., vol. 3, nos. 1–4, pp. 66–102, 2017.
[40] B. J. Frey and N. Jojic, "A comparison of algorithms for inference and learning in probabilistic graphical models," IEEE Trans. Pattern Anal. Mach. Intell., vol. 27, no. 9, pp. 1392–1416, Sep. 2005.
[41] D. J. C. MacKay, Information Theory, Inference and Learning Algorithms. Cambridge, U.K.: Cambridge Univ. Press, 2003.
[42] R. D. Zimmerman, C. E. Murillo-Sánchez, and R. J. Thomas, "MATPOWER: Steady-state operations, planning, and analysis tools for power systems research and education," IEEE Trans. Power Syst., vol. 26, no. 1, pp. 12–19, Feb. 2011.
[43] W. Dixon and F. Massey, Introduction to Statistical Analysis, vol. 344. New York, NY, USA: McGraw-Hill, 1969.
[44] A. Abur and A. Gómez-Expósito, Power System State Estimation: Theory and Implementation. New York, NY, USA: Marcel Dekker, 2004.

HADIS KARIMIPOUR received the Ph.D. degree in energy system from the Department of Electrical and Computer Engineering, University of Alberta, in 2016. Before joining the University of Guelph, she was a Postdoctoral Fellow with the University of Calgary, working on cyber security of the smart power grids. She is currently an Assistant Professor with the School of Engineering, Engineering Systems and Computing Group, University of Guelph, Ontario. Her research interests include large-scale power system state estimation, cyber-physical modeling, cyber-security of the smart grids, and parallel and distributed computing. She serves as the Chair of the IEEE Women in Engineering (WIE) and chapter Chair of the IEEE Information Theory in Kitchener-Waterloo section.

KIM-KWANG RAYMOND CHOO received the Ph.D. degree in information security from Queensland University of Technology, Australia, in 2006. He currently holds the Cloud Technology Endowed Professorship at The University of Texas at San Antonio (UTSA). In 2016, he was named the Cybersecurity Educator of the Year – APAC (Cybersecurity Excellence Awards are produced in cooperation with the Information Security Community on LinkedIn), and in 2015, he and his team won the Digital Forensics Research Challenge organized by Germany's University of Erlangen-Nuremberg. He is the recipient of the 2018 UTSA College of Business Col. Jean Piccione and Lt. Col. Philip Piccione Endowed Research Award for Tenured Faculty, Outstanding Associate Editor of 2018 for IEEE ACCESS, British Computer Society's 2019 Wilkes Award Runner-up for his paper published in the 2018 volume of The Computer Journal (Oxford University Press, 2019), the EURASIP Journal on Wireless Communications and Networking (JWCN) Best Paper Award, the IEEE TrustCom 2018 Best Paper Award, ESORICS 2015 Best Research Paper Award, 2014 Highly Commended Award by the Australia New Zealand Policing Advisory Agency, Fulbright Scholarship in 2009, 2008 Australia Day Achievement Medallion, and British Computer Society's Wilkes Award in 2008. He is also a Fellow of the Australian Computer Society and Co-Chair of the IEEE Multimedia Communications Technical Committee's Digital Rights Management for Multimedia Interest Group.