Expert Systems With Applications 238 (2024) 122291

Contents lists available at ScienceDirect

Expert Systems With Applications

journal homepage: www.elsevier.com/locate/eswa

Machine learning based smart intrusion and fault identification (SIFI) in

inverter based cyber-physical microgrids
R. Divya a, *, S. Umamaheswari a, Albert Alexander Stonier b
a
Department of Electrical and Electronics Engineering, Mahendra Engineering College, Namakkal, Tamil Nadu 637 503, India
b
School of Electrical Engineering, Vellore Institute of Technology, Vellore, Tamil Nadu 632 014, India

A R T I C L E I N F O A B S T R A C T

Keywords: The paper presents a machine learning based Smart Intrusion and Fault Identification (SIFI) method to identify
Attacks the cyber-physical abnormalities in an inverter-based cyber-physical microgrid (CPM). The SIFI method utilizes
Cyber-physical microgrid an ensemble classifier (EC) to assimilate the decisions from three distinct classifiers (C4.5 decision tree, random
DoS attack
forest (RF), and forest by penalizing attributes (FPA)). The proposed method employs a voting mechanism to
Ensemble classifier
Faults
classify and localize abnormal events for improved accuracy. The paper investigates the effects of cyberattacks
Malicious data injection (Denial-of-Service (DoS) and Malicious Data Injection (MDI) attacks) and physical abnormalities caused by line
faults in microgrids. To train the classifiers, SIFI employs dataset with statistical attributes extracted from
measurements. The renewable alternative power systems simulation (RAPSim) software tool is utilized to model
the proposed system. The effectiveness of the presented model is assessed with respect to mean value error
(MVE). The efficiency of the classifier is demonstrated by comparing its performance with other classifiers in
terms of the MVE. For physical abnormalities identification and localization, the approach provides enhanced
outputs with the MVE of 0.157% and 0.162% correspondingly. For identifying MDI anomalies, the model pro­
vides better results with a lower error rate. For DoS anomaly detection, the model provides better classification
performance with 0.136% error. The extensive empirical analysis proves that the anticipated ensemble classifier-
based SIFI model yields the minimum MVE for identifying physical faults and cyberattacks. Furthermore, the
effectiveness of the proposed method is identified by considering a case study in which the SIFI method out­
performs well for the MDI and DoS cyber-attacks in the CPM.

1. Introduction micro-generation units (e.g., turbines, photo-voltaic panels, fuel cells,

A profound transformation of power systems is in progress to deliver
reliable, affordable, and sustainable electrical supply to all. As the
building block of a modern smart power system, a cyber-physical
microgrid (CPM) aims to distribute dependable and efficient electrical
power while preserving a great level of environmental sustainability
globally. CPM integrates cutting-edge computing and communication
technologies to devise distributed control of electrical components and
achieve optimized operation. However, the coordinated control struc­
tures of CPM open the door to the possibility of security threats. As the
building block of modern smart power systems, microgrids contain a
hierarchical structure with two distinct layers such as the physical layer
to achieve energy flow to meet local load demands and the cyber layer
which is responsible for information flow among the microgrid elements
using the sparse communication network. The physical layer includes
etc.), energy storage systems (ESS), and controllable end-user loads
(energy consumers) as stated by (Wang et al., 2017).
The majority of the micro-generating units in a CPM generate DC
power and therefore inverter circuits are indispensable to supply the AC
loads (Ali et al., 2021; Jayachandran et al., 2021). The cyber layer
comprises of communication agents which are equipped with routers,
links, local controllers, and intelligent algorithms, aiming to address
various challenges faced by microgrid operators and consumers. An
agent is a capable entity that carries out computations and enforces
data-exchange protocols. Essentially, the agent assesses system param­
eters, verifies constraints to initiate interactions with nearby agents, and
subsequently sends signals to the corresponding controller (Yang et al.,
2018). Any contingencies or disruptions in the communication network
have an impact on the functionality of the physical devices. Therefore,
the reliable and trustworthy operation of CPM heavily relies on the

* Corresponding author.
E-mail addresses: [email protected] (R. Divya), [email protected] (S. Umamaheswari), [email protected] (A.A. Stonier).

https://doi.org/10.1016/j.eswa.2023.122291
Received 4 May 2023; Received in revised form 7 October 2023; Accepted 20 October 2023
Available online 28 October 2023
0957-4174/© 2023 Elsevier Ltd. All rights reserved.
R. Divya et al.
effectiveness of communication agents and local controllers.
CPM has the tendency to operate in grid interactive and islanded
modes, while in the former, the system voltage and frequency (v/f) is
controlled by the main grid (Yaqub et al., 2021). The CPM can operate in
the isolated mode owing to the unintended abnormalities or intended
scheduling. An ordered control configuration has been extensively used
to ensure reliable and efficient operation of microgrids. In a standalone
mode of operation, the primary controllers preserve the system stability
by retaining v/f values in a definite range (Wan et al., 2021). Conse­
quently, uninterrupted reliable electrical energy is delivered to cus­
tomers. But it might not bring the CPM to the standard working
conditions; hence, an extra level of control is mandatory to stabilize the
v/f. This is achieved by an auxiliary controller which reimburses the
abnormalities due to the primary controller (Tran et al., 2019). Primary
controllers are generally installed as the local controllers at each
generating unit within the CPM. This control level always subsists and
takes necessary steps during abnormalities.
Active and reactive power droop methods are used to achieve syn­
chronized control of these primary local controllers (Pinto et al., 2021).
Hence, the effectiveness of the primary controller is based on the per­
formance of such controllers, which targets to adjust the allotted per­
centage of reactive and active powers (Mathesh & Saravanakumar,
2023). But, owing to the inherent properties of sag controller, certain v/f
errors always occur which may weaken the usual operation of the
microgrids (Xing et al., 2019). Hence, an auxiliary (secondary) con­
trolling mechanism is required to handle the v/f abnormalities.
In centralized secondary control, the measured real-time data,
including current and voltage measurements of various buses are
transferred and studied in a centralized node. Consequently, it has
higher possibility of single-point failure problems and consumes higher
bandwidth (Ullah et al., 2021). To handle such issues, a decentralized
auxiliary controller is implemented where each generating unit has its
local controller and only needs data from itself and its neighboring
agents, rather than the data from the system for the calculation. Hence, a
decentralized controlling mechanism is more reliable and efficient than
centralized control systems. The auxiliary controllers work with a longer
time frame related to primary controller. This enables the isolation
process and development of the primary and auxiliary control levels (Hu
& Bhowmick, 2020). Even though CPM aims to increase the potentials
and reactivity of the power system for achieving distributed exploitation
of energy resources and localized supply–demand tradeoff, it opens door
to the likelihood of security threats. The cyber-physical anomalies
hamper the ability of CPM to monitor and control its performance
effectively and securely.
Generally, the devices employed in the physical layer are vulnerable
to a variety of random failures and faults. The physical faults are
occurred on the physical side rendering a portion or the entire CPM
inoperative by causing damage to the costly apparatus and interrupting
the service delivery to the customer (Aslani et al, 2021). Ensuring a
reliable protection system is crucial to maintain uninterrupted and
consistent power supply, particularly in the presence of faults. In the
case of inverter-based CPM, conventional protective relays prove inad­
equate in safeguarding the system due to the low fault current (Mishra
et al., 2015). The faults much related to line and ground are the most
common faults (Kar & Samantaray, 2016). A fault protection model
needs an efficient fault identification scheme that includes algorithms to
classify and identify faults effectively. Such a strategy makes the whole
protection process more reliable by classifying the faults and applying a
suitable mitigation technique to reduce the restoration time and cost.
Cyberattacks occur when an adversary seeks to infiltrate the
communication network by either introducing incorrect information or
disrupting the communication links between agents (Risbud et al.,
2018). Malicious data injection (MDI) and Denial-of-Service (DoS) are
the most common attacks in CPM, which may disrupt the enactment and
robustness of the power grid. MDI threats are instigated by modifying
the measured quantities that may destabilize the CPM and mess up the
2
Expert Systems With Applications 238 (2024) 122291
interaction between different CPM agents. The attackers may inject
incorrect data into the network to achieve power theft, load shedding,
and blocking data. In case of electricity theft, invaders attempt to report
less power consumption to the control room to reduce the billing
amount. In case of load shedding, the intruders aim to report more
power consumption to the grid operator. When an operator finds that
current consumption is greater than rated power generation, they may
shut down some load to circumvent the heat up of turbines and gener­
ators. The invader can ensure that the operator remains unaware of load
variations by either blocking or introducing delays in the network links.
DoS is a source-exhausting threat that utilizes the weaknesses of the
communication network and directs countless inoperable requests to
consume the assets of targeted elements; hence, the communication
network or server cannot operate effectively (Srikantha & Kundur,
2015). More precisely, DoS threats make the authorized customers
inaccessible for getting their services by exploiting the bandwidth re­
sources. Conventionally, such threats can be simply identified by the
network monitors by checking their distribution rates (Sureshbabu
et al., 2022). However, an efficient protection method is required to
endure the normal operation of the CPMs. Thus, the application of
intrusion and fault identification method is a crucial task for the stable
and reliable operation of CPM. With the advent of controlling and
computational methods, several abnormality identification approaches
(Ghiasi et al., 2023; Hasan et al., 2023; Mololoth et al., 2023; Nafees
et al., 2023).
Panigrahi et al., 2018 presented an artificial neural network (ANN)
based fault detection and classification method in the microgrid. The
work mainly focuses in modelling a 3-bus and 14-bus CPM with different
micro-generation units in MATLAB/Simulink software. The anticipated
model is analyzed by relating its effectiveness with other state-of-the-art
methods under various operating conditions. A unique discrete wavelet
transforms (DWT) to detect the microgrid faults is enumerated by
(Rahman Fahim et al., 2020). This hierarchical structure with restricted
Boltzmann machine (RBM) layers helps the system to learn the likeli­
hood distribution on incoming data. RBM layers are trained to optimize
ANN parameters so that it can minimize prediction error. Using a vast
learning dataset of previously measured values, a deep learning (DL)
approach selects global ideal values to categorize and characterize
cyberattacks. A deep neural network (DNN) is used to identify the
cyberattacks in power grid (He et al., 2017). It uses machine learning to
help microgrid operators spot irregularities. Parizad & Hatziadoniu,
2022 introduced an extremely randomized tree method for silent
cyberattack identification in CPM. This method uses the kernel principal
component analysis algorithm to lessen the dimension of feature space.
Kar et al., 2015 introduced a smart differential protection approach
to identify cyberattacks in CPM. This method preprocesses the abnormal
voltage and current measurements through discrete Fourier transform
(DFT) and it detects the distressed attributes at either terminal of the
corresponding feeder. Also, differential attributes are calculated from
the corresponding attributes and are employed to construct the decision
tree (DT) for providing a final decision. The established method is
evaluated in mesh and radial topology for off-grid and grid-tied modes.
Moreover, few more machine learning methods like Support vector
machine (SVM) (Justin et al., 2017), Random Forest (RF) (Wang et al.,
2019), Naive Bayes (NB) (Wang et al., 2021), decision tree (DT)
(Yeboah-Ofori, 2020), and C4.5 (Ravinder & Kulkarni, 2023) are used
for fault detection in micro grids.
From the literature, the following research gaps were identified:
• The data sharing process in cooperative control method makes the
system vulnerable to malfunctions and cyberattacks. The distorting
effects of faults and incursion in one generator may spread to
neighboring generators through cooperative control method and
damage the entire system
• There are still challenges regarding the identification of anomalies
within the control structures used in the CPM
R. Divya et al.
Fig. 1. Structure of cyber-physical microgrid.
• The conventional algorithms such as SVM, ANN and DWT has some
limitations like increased training time, sensitive to the choice of
hyperparameters, prone to overfitting and information loss due to
the discrete nature of the transform. Therefore, these algorithms are
not suited for accurate identification of faults in CPM
• Moreover, physical and cyber abnormalities caused by DoS threats
are not considered in most of the literature works
From the problem identification the objectives are framed. The key
contributions are:
• To develop a machine learning (ML) based smart intrusion and fault
identification method for cyber-physical abnormalities in an
inverter-based CPM with distributed cooperative control mechanism
• To introduce an ensemble classifier to the developed SIFI model to
classify and localize cyber-physical anomalies
• To implement the SIFI method for two types of cyberattacks (i.e., DoS
and MDI attacks) in a CPM
• To develop the proposed SIFI model in RAPSim simulator and test the
system with DoS and MDI cyber attacks
• To compare the performance of the developed system with SVM, RF,
C4.5, and NB classifiers for similar scenarios
The paper is organized as follows: Introduction regarding the CPM
and the relevant studies on intrusive and fault events used in CPM are
3
Expert Systems With Applications 238 (2024) 122291
explored in Section I. The proposed work is described in Section II.
Section III explains the modelling of CPM and the impact of abnormal­
ities in the system. The testing in RAP simulator and its evaluation
procedure is discussed in Section IV. Section V presents the training
procedure of EC, Section VI presents the results and discussion, Section
VII presents a case study on the developed method with the CPM and
conclusion in presented in Section VIII.
2. Proposed system
This section provides a detailed description of the proposed system.
In this work, an islanded inverter-based CPM system with DCCS is
considered. The vulnerable settings for allowing faults and cyberattacks
in the CPM are simulated.
2.1. The proposed cyber-physical microgrid
The islanded inverter-based CPM consists of distributed energy
sources (e.g., solar photovoltaic, fuel-cells, and micro-turbines), energy
storage systems (ESS), and controllable loads for analysis. A typical CPM
includes two layers such as physical and cyber layers is illustrated in
Fig. 1.
The physical layer is responsible to generate energy through
distributed resources (i.e., isolated mode) or receiving power from the
primary grid (i.e., grid-tied mode). It is also in-charge to supply that
R. Divya et al.
Fig. 2. Information flow in a DCCS of the CPM.
power to the associated loads. The inverters operate as interfaces be­
tween controllable loads and distributed generators. The cyber layer
enables communication among the physical elements using a sparse
network. The traditional centralized secondary control needs an effec­
tive network to connect all the distributed generators with the central
controller. The DCCS architecture is used to overcome the potentially
undependable characteristics of a centralized controlling scheme. In this
work, DCCS is used at the secondary level to alleviate the v/f fluctua­
tions of the CPM triggered by the primary controller.
The effects of the f and V fluctuations due to the main control on the
information flow in a DCCS of the CPM are analyzed. Indeed, simulating
information flow in CPM is more challenging endeavour because each
agent in DCCS requires local state information and must iteratively ex­
change with neighboring agents. Therefore, the DCCS consists of three
subsystems to achieve information flow including state estimation unit,
communication and iterative calculation unit, and action control unit.
In the physical layer, the physical state variables are measured and
are employed to regulate the energy flow within the system. The cyber
layer measures cyber state variables through iterative calculation and
other algebraic variables. The sensors in the state estimation unit esti­
mate the real-time measurements and transfer them to the computing
unit. After processing those data, the computing unit transfers these
onboard estimates to the controllers using a network link. Fig. 2 illus­
trates the units involved in information flow. The loads are inter­
connected to the bus through relays as shown in Fig. 3.
2.2. Abnormalities in CPM
Two types of abnormalities including anomalies due to physical
faults and irregularities due to malicious attacks such as DoS and un­
truthful data injection are considered. Physical faults are categorized
into shunt and series faults. Open conductor faults are detected by
calculating the phase voltage. The increased phase voltage denotes the
4
Expert Systems With Applications 238 (2024) 122291
series faults in the system. These faults are divided into two categories,
including single open circuit and double open circuit faults. These faults
hardly happen in practice. Shunt faults can be detected by monitoring
each phase current. The increased current values represent the shunt
(short circuit) faults which are then classified into symmetrical and
asymmetrical faults.
The LLL and LLL-G faults are some well-known symmetrical faults.
Line-ground, line-line and LL-G are some examples of asymmetrical
faults. The addition of incorrect information in a network link is known
as malicious (or false) data injection. Generally, the invaders attempt to
inject incorrect information into the information flow of CPM to reduce
the decision-making ability of the controller. By performing MDI attacks
or sending wrong information to the microgrid operators, the intruders
try to report more power consumption to the grid operator to trigger
load shedding and unnecessary tripping. In some cases of malevolent
threat, power factor lagging may be informed to the controller, which
consecutively activates the controller to assimilate negative kVARs to
stabilize unity power factor in the system pushing the CPM to work on
leading power factor. Then, this leading power factor can raise the
voltage level at the secondary distribution system that can destroy the
household appliances.
In case of electricity theft, invaders attempt to report less power
consumption to the operator to achieve financial benefits by reducing
the billing amount. By blocking or adding delay in network link invader
can make sure that operator has not aware of load variations. DoS threat
utilizes the weaknesses of the communication network and directs
countless inoperable requests to consume the assets of targeted ele­
ments; hence, the communication network or server cannot operate
effectively. Therefore, an effective intrusion and fault detection model is
required for the stable and reliable operation of CPM.
R. Divya et al. Expert Systems With Applications 238 (2024) 122291

Fig. 3. A CPM with four generators.

2.3. Smart intrusion and fault detection approach classifiers.

A smart intrusion and fault identification approach is intended to 2.3.1. Ensemble classifier for identifying faults and attacks
identify faults and cyberattacks in CPM. The proposed approach in­ In this work, an ensemble classifier is implemented to identify
tegrates EC with voting mechanism to aggregate decisions from network abnormalities in CPM. Ensemble classifier is a predominant

Fig. 4. The structure of the EC classifier.

5
R. Divya et al.
approach to solve classification problems related to the fault and
intrusive activities in CPM. The ensemble approach provides predictions
with better accuracy and reliability by employing and assimilating
several sovereign classification algorithms (Hakak et al., 2021). The
conventional fields for implementing ensemble classifiers are compu­
tational reason, statistical reason, and representational problem. For
instance, in some cases, there is a problem when the classification is a
laborious and computationally rigorous task for a single classification
algorithm to state a suitable postulate.
In some cases, an individual classification algorithm may produce an
incorrect result when the database is not adequate to train the model. In
some other cases, a single classification algorithm is not enough to
represent the research problem. Therefore, in few ensembles’ classifi­
cation model, diverse and good classification algorithms are combined
to form collaborative methods (Irtaza et al., 2018). Collaborative
methods have been employed to improve the correctness of the classi­
fication in several applications, such as the detection of intrusions.
Bagging and boosting are the most renowned techniques in collaborative
classification. Generally, they yield better outcomes, and are extensively
used to design numerous ensemble classifiers (Zhukov et al., 2019).
Bagging is a method to reduce the prediction error by producing an
extra dataset for training using combinations with replications to
generate multiple datasets of the raw data. Boosting is an iterative
method that optimizes the weight of a sample according to the previous
results. If new data was predicted wrongly, it attempts to assign more
weight to this sample. In general, boosting creates robust predictive
models. Also, the other well-known collaborative learning method
including the voting mechanism is employed for improving the effec­
tiveness of the classifiers (Peppes et al., 2021). Ensemble classifier has
several advantages like improved accuracy, reduces overfitting,
handling complex relationships, robustness, and model diversity. On the
other hand, they also have few limitations like increased computational
complexity, higher training and model maintenance costs, interpret­
ability challenges, and increased storage requirements.
The proposed work implements an ensemble classification model
that integrates three classifiers, viz. FPA, RF and C4.5 to improve the
accuracy of the classification model. This classification approach ex­
ploits the voting mechanism through the average of likelihoods (AOL).
The basic structure of EC classifier is illustrated in Fig. 4.
C4.5 Decision Tree: It is a basic classification algorithm used to
build a DT from a database by the Iterative Dichotomiser 3 (ID3) algo­
rithm (Hssina et al., 2014). C4.5 determines the optimum partition to
achieve highest the gain ratio (G R ) by analyzing each node in the DT.
The gain ratio is calculated using the expression given in Eq. (1).
G(f )
G R (f ) = (1)
Split data(f )
For prediction, a feature with the maximum G R is considered as a
splitting feature for the node. Information gain G(f) denotes the amount
of in decision in the database d is decreased once it is splitted by
designated feature f. The uncertainty in d is computed by entropy as
given in Eq. (2).
∑ assure the weight range. If the feature exists in the root node, ω = 1 is
Entropy(d) = − prop(cl)log2 prop(cl) (2)
c∈C
where c is the set of classes in the dataset and prop(cl) is the percentage
of the samples of class cl inthe dataset. The term Splitdata denotes exactly
how the samples are splitted by the selected features as defined in Eq.
(3).
( )
∑ (6)
n
|dk | |dk |
Split data(f ) = − log2 (3)
k=1
|d| |d|
where |dk |
|d| denotes the weight of kth split in the dataset.
Besides, the C4.5 classifier can categorize both streaming and
6
Expert Systems With Applications 238 (2024) 122291
discrete features and can overlook hidden data values. The potential
benefits of using a C4.5 decision tree for monitoring include interpret­
ability, rule extraction, efficient computation, and handling complex
relationships. It’s important to note that C4.5 decision trees also have
limitations. They may suffer from overfitting, especially if the tree be­
comes too complex or the dataset has noisy or unbalanced classes.
Regularization techniques like pruning and setting appropriate tree
depth can help mitigate the limitations.
Random Forest classifier: It is a DT-based classifier introduced by
Breimanis. It constructs multiple DTs to accept several input parameters
deprived of any omission and labels them according to their status.
Every DT in the forest offers a vote for the most frequent class in input
samples. This classification algorithm employs only a smaller number of
variables related to the other techniques (e.g., ANN, SVM, etc.). In this
classification algorithm, a forest can be defined by Eq. (4).
{r(x, φk )k = 1, 2, 3⋯.i⋯ } (4)
Where r is a function of random forest classifier, {φk } denotes arbitrary
vectors and every DT has a vote for the most prevalent class at input
parameter x. The key to the success of this classifier is forest formation.
The RF classifier generates a bootstrapped subset to train DTs. There­
fore, each DT exploits around 2/3 of the learning database. The idle
samples are known as the out-of-bag instances and are utilized for inner
cross-validation procedures to compute the performance of prediction.
Additionally, the RF classifier has reduced processing complexity, and it
is unaware of the parameters and outliers. As well, the over-fitting
problem is not as much of single DT-based classifiers and it is not
essential to prune DT which is a challenging and onerous procedure
(Feng et al., 2015). The potential benefits of using a random forest
classifier for monitoring include high accuracy, robustness to noise,
feature importance analysis, handling complex relationships, scalability,
and generalization capability. These advantages make random forests a
powerful tool for monitoring tasks, especially in situations where ac­
curacy and flexibility are crucial. While random forest classifiers offer
numerous advantages, they also have limitations. They can be compu­
tationally expensive, especially with a large number of trees or complex
datasets. Additionally, interpreting the results of a random forest may be
less intuitive compared to individual decision trees.
Forest by Penalizing Attributes: Contrasting some archetypal
classifiers, FPA uses a subdivision. This classifier creates a set of DTs
with maximum accuracy according to the potential of all non-class
features present in a database (Adnan & Islam, 2017). Consequently,
weight assignment and weight intensification strategies are imple­
mented to increase predictability. FPA will compute the weights of the
features that exist in the newest DT randomly. The weight range (W) can
be computed using the expression given in Eq. (5).
⎛ [ 1
] ⎞
⎜
0.00, e− ω , ω = 1
⎟
Wω = ⎝ [ ] ⎠ (5)
1 1
e− ω− 1 + τ, e− ω , ω > 1
where ω represents the feature level and the factor τ is employed to
chosen. If the attribute presents at a leaf node, ω = 2 is chosen. Simi­
larly, to define the adversarial effect of holding weights that do not
extant in the newest DT, FPA has a method to progressively improve the
weight of features. Consider a feature fi is verified at level ω of the Tk− 1
th DT with weight Wi and height h. The increase in weight ∂i is calcu­
lated by Eq. (6).
1 − Wi
∂i =
(h + 1) − ω
The actual performance and benefits of FPA are feature relevance se­
lection, dimensionality reduction, improved interpretability and
robustness to irrelevant features but these FPA also have certain limi
R. Divya et al. Expert Systems With Applications 238 (2024) 122291

Fig. 5. The configuration of CPM with DCCS at the auxiliary controller and susceptible points for abnormalities.

tations like parameter sensitivity, limited exploration of feature in­ DCCS at the secondary level to alleviate the frequency and voltage
teractions and risk of overfitting. For a specific monitoring task FPA fluctuations in the microgrid is considered. The distributed controller is
would depend on the characteristics of the dataset, the choice of the implemented by forming a sparse network among all the distributed
evaluation metric, and the underlying assumptions of the method. generators through a communication digraph (G) which is defined by
Voting Mechanism: The contribution of individual classifier in the Eq. (8).
ensemble method is called the vote for a particular class, i.e., normal or
G = {X, A, M} (8)
malevolent activity. It exploits several classification algorithms and uses
a grouping rule for aggregating results. Maximum likelihood, minimum Which contains n number of nodes as X = {x1 , x2 , x3 ⋯.xn }, a set of arcs
likelihood, the product of probabilities, the average of likelihoods, and A⊂{X × X}, and M represents the discrete state of the system, adjacency
majority voting are employed as aggregation rules. This study applies an matrix Y = [ynm ] ∈ Rn×n , where ynm is defined by Eq. (9).
average of likelihoods (AOL) technique to derive the final decision. In {
this method, the class label is selected according to the highest value of > 0, if (xn , xm ) ∈ A
ynm = (9)
AOL. Let m is the number of classifiers C = {C1 , C2 , ⋯.Cm } with c classes 0, if (xn , xm ) ∕
∈A
Ω = {Ω1 ,Ω2 ,⋯.Ωc }. Here,m = 3 and c = 15 are selected. A classifier Ci :
Rn →[0, 1]c accepts an input sample xi ∈ Rn and provides the output as The adjacent nodes can share data through communication agents
ρci (W1 |x), ρci (W2 |x), ⋯.ρci (Wc |x), where ρci (Wk |x) denotes the likelihood which is implemented at every bus. The node m is an adjacent node to n
assigned by Ci that input sample x fits into class Wk . Let AV k is the AOL if (xn , xm ) ∈ A. The primary controller is installed locally at generating
assigned by the classification algorithms for every class. It can be units through a basic droop controller as shown in Fig. 5. The frequency
defined as given in Eq. (7). and voltage droop characteristics are given by Eq. (10).
{
1 ∑ ωn = ωRef − ηfd Pn
(10)
m
AV k = ρ (Wk |x) (7) v0 = vRef − ηvd Qn
m i=1 ci

where , Pn and Qn presents the active and reactive power of the sys­
Consider AV = [av1 , av2 , ⋯avc ] is the set of AOLs for c classes and x is
tem;ωRef and vRef are the reference values of primary frequency and
allotted to the weight Wc if AV k is having the highest value in AV.
voltage, ωn is the operating frequency of node n.
The droop gains of voltage and frequency are denoted by ηvd and ηfd ,
3. Modelling of CPM and anomalies
correspondingly.
In CPM, the physical elements are connected to form a network for The direct and quadrature components voltage references (vdn Ref ,
Ref
generating, distributing, and utilizing electrical energy. The point where vqn ), and angular frequency are given by Eq. (11).
different physical elements are connected in a CPM are called as nodes ⎧
dP ( )
⎪
(e.g., distributed generating modules, ESS, feeders, and the loads). This ⎪
⎨
dt
= ωcn vdn idn + vqn iqn − ωcn Qn
section discusses the simulation of CPM, faults, and cyber abnormalities (11)
⎪ ( )
in the CPM. ⎩ dQ = ωcn vqn idn + vdn iqn − ωcn Qn
⎪
dt

3.1. Modelling of CPM where vdn and vqn are direct and quadrature output voltage of active and
reactive power, respectively.idn and iqn are direct and quadrature output
In the context of DCCS, the process of data sharing is always current of active and reactive powers. The filter cut-off frequency is
mandatory to realize the objective of coordinated control. In this work, a represented by ωcn . The secondary controller selects ωRef and vRef so as to

7
R. Divya et al. Expert Systems With Applications 238 (2024) 122291

Fig. 6. The destabilizing effects of a) L-G fault b) L-L fault c) LL-G fault on the
Fig. 7. The destabilizing effects of a) L-G fault b) L-L fault c) LL-G fault on the
phase current.
phase voltage.

8
R. Divya et al. Expert Systems With Applications 238 (2024) 122291

voltages differ from their standard values which may disrupt the oper­
ation of the CPM considerably.

3.2.1.1. Impact of cyberattacks. MDI anomalies are instigated by

spoofing the network and changing the weights of measurements in the
DCCS of a CPM. These cyberattacks tend to alter the parameters of CPMs
that harm the expensive electrical apparatus. GPS spoofing is a typical
means of MDI anomaly that can undermine the designated CPM by
varying the values of the phasor measurement unit. To make the MDI
attacks untraceable, the content of malevolent data is designated with
the scope of standard system operating conditions. The developed
anomaly detection approach effectively identifies such threats. Eq. (13)
defines the feedback signal of a controller under MDI anomaly.
S(an (t) ) = an (t) + φn (t) (13)

where S(an (t) ) is the feedback signal after wrong information φn (t) is
inserted by the adversary in the nth normal feedback signal of the action
controller an (t)(Bidram et al., 2013). In the proposed work, four
different scenarios of MDI attacks are considered by varying φn (t), to
evaluate the reliability of the suggested abnormality detection approach
as given below (Pöchacker et al., 2014):

• Periodic MDI attacks: It is one of the monotonous threats where in

the adversary introduces a sinusoidal signal to the feedback signal
which repeats with a fixed amplitude γ and signal time period (ωt).
The inserted wrong information is defined in Eq. (14), where t0
represents the moment of injection of cyber attack.
{
an (t) + γsin(ωt)an (t), ift ≥ t0
S(an (t) ) = (14)
0, otherwise

• Non-periodic MDI attacks: In this attack, an invariant multiple ∂ of

the required signal an (t) is injected into S(an (t) ) at a definite time
interval. The use of an invariant multiple (∂) of the controller’s signal
is important because it introduces a controlled and predictable dif­
Fig. 8. The destabilizing effects of a)3ϕ (LL-G) fault b) 3ϕ (L-L-L) fault on the
ference in the input signals to the system. By carefully selecting this
phase voltage. invariant multiple, the attacker can manipulate the system’s
response in a way that exposes patterns or vulnerabilities that can be
exploited to deduce information about the secret key.
the frequency and voltage of each distributed generator synchronizes
with their reference values (ωRef , vRef ) as given in Eq. (12).
The injection of the invariant multiple helps to amplify the differ­
〈 ⃦ ⃦
lim⃦ωo − ωRef ⃦ = 0 ences between the inputs and magnify the resulting differences in the
→∞ ⃦ ⃦ (12) system’s outputs. This amplification enhances the attacker’s ability to
lim⃦vo − vRef ⃦ = 0
→∞ observe and analyze the differential behavior of the system, which is
crucial for successful MDI attacks. The non periodic MDI attack is
For further details about the large signal dynamics and DCCS arrange­
defined as given in Eq. (15).
ment, is presented in (Yeboah-Ofori, 2020).
{
an (t) + ∂an (t), ift ≥ t0
S(an (t) ) = (15)
an (t), otherwise
3.2. Impact of abnormalities

• Non-periodic substitution MDI attacks: In this anomaly, the adver­

In this work, we consider two forms of abnormalities as physical
sary substitutes the required signal an (t) with a constant multiple (∂)
abnormalities due to system faults and cyberattacks due to DoS and
of the required signal an (t) completely at a definite time interval t0
FDIA. Details of these abnormalities are given in the following sections.
during the operation is defined as given in Eq. (16).
{
3.2.1. Impact of physical abnormalities on 3ϕ output currents and voltages ∂an (t), ift ≥ t0
S(an (t) ) = (16)
of the CPM an (t), otherwise
The most common faults in 3ϕ electrical energy systems are L-G, L-L,
LL-G, LLL, and LLL-G. These faults are hazardous and can damage
expensive electrical apparatus in the grid and leading to power blackout • Concurrent attacks: In this type, both non-periodic and periodic
and costly repair. A smart fault identification tactic helps us find the anomalies are instigated by concurrent insertion of incorrect infor­
fault reduce the restoration time. The proposed SIFI model can classify mation is defined as given in Eq. (17).
{
and localize network abnormalities effectively. The undermining im­ ∂an (t) + γsin(ωt)an (t), ift ≥ t0
pacts of physical abnormalities on 3ϕ output currents and voltages of the S(an (t) ) = (17)
0, otherwise
CPM are illustrated in Figs. 6–8.
It can be observed that when an abnormality befalls, the currents and The denial-of-service threat is instigated by capturing the network

9
R. Divya et al. Expert Systems With Applications 238 (2024) 122291

Fig. 9. Schematic diagram of the developed system in simulation software.

links or inundating the network until the designated node is unable to {

reply. Consequently, the communication agents in the CPM cannot 1, ifCisjammed
μn (t0 ) = (19)
0, ifCisnotjammed
interact with their control center or the adjacent nodes. The DoS threat
can target the particular maneuver in the CPM by compromising the
where C is the communication link in the cyber layer.
communication between sensing elements and the controller. In the
proposed work CPM with DCCS is applied as the auxiliary controller.
4. Testing and evaluation of the proposed system
The cooperative control is based on the data exchange protocols of each
distributed generator in the CPM. The DoS threat can be modeled as
A CPM with four micro-generating units is considered to assess the
given in Eq. (18).
effectiveness of SIFI model for identifying faults and cyberattacks. The
Kn = μn (t0 )[Ln ] + μm (t0 )[Lm ] (18) generators are represented by a voltage source inverter that delivers 3ϕ
AC output using the LC filter. They are connected via electrical lines.
where Kn denotes one of the compromised target nodes, Ln and Lm are When creating the model using the simulator, the faults and cyber­
adjacent nodes of the target node Kn . The terms μn (t0 ) and μm (t0 ) are the attacks are triggered in the CPM as discussed in the subsequent sections.
gain factors. The indexes n and m denote one of the distributed gener­
ators in the CPM considered in this work. (t1 <t0 < t2 ) is the time interval
for the incidence of an anomaly. The value of the gain factor is defined as 4.1. Simulation model
given in Eq. (19).
The simulations are performed in the RAP Sim simulator where the

10
R. Divya et al. Expert Systems With Applications 238 (2024) 122291

Table 1 ⎧
Parameters of microgrid system in RAP Sim software. ⎪
⎪
⎪
⎪
⎪ 1∑b
Parameter Value
⎪
⎪ σ = Vr→A ph
⎪ Vr→A
⎪
ph
b i=1
⎪
⎪
300V ⎨
vRef 1∑b
Line 12 (0.23 + j318μ) Ω σIr→A = Ir→A ph (22)
⎪
⎪
ph
b i=1
Line 23 (0.35 + j1847μ) Ω ⎪
⎪
⎪
Line 34 (0.23 + j318μ) Ω
⎪
⎪
⎪ 1∑b
⎪
⎪ σPr→A = Pr→A ph
C filter 50 μF ⎪
⎩
ph
b i=1
L filter 1.35 mH
Load 2 kW − 10 kW
The sum of the mean values of the selected attributes is given in Eq. (23).
∑
CPM with DCCS is implemented (Habibi et al, 2020). Fig. 9 presents the Xb = σWr→A ph (23)
simulation diagram of the proposed system. This simulator enables basic
( )
models for different distributed energy sources and loads within a CPM. where Wr→A ∈ Vr→Aph , Ir→Aph , Pr→Aph for all three phases, and (1 < b)
ph
Furthermore, it can simulate the enactment of the distributed generators ∑
bearing some atmospheric in decision in mind. The simulator can for each trial at the inverter in the CPM. Based on that, the value of
perform an energy flow study which aids in studying the effect of the σ Wr→A ph shows the difference between genuine and malicious activities
distributed generators on the CPM. and optimizes the performance by reducing the number of selected at­
Table 1 shows the designing parameters of the designated CPM. After tributes. For every trial, 16 attributes (i.e., 8 attributes at two load sites)
creating the model on RAP Sim, the faults and cyberattacks are triggered are measured as given in Fig. 3. These attributes are employed to train
in the system. the proposed classification algorithms for attack detection. Xb is used to
distinguish normal and malicious activities in the established CPM sys­
4.2. Training and testing dataset tem. The output of all the distributed generators under normal operating
( )
conditions follows the reference Xb ref defined by the CPM operator is
The database is created by performing the time series simulation of calculated by Eq. (24).
the designated CPM. The empirical analysis is carried out under
different operating scenarios with varying load demands (3 kW to 10 limXb (t) = Xb ref (t) (24)
t→∞
kW) and various abnormalities at diverse sites. Both the faults and
cyberattacks are considered for the simulation. The selection of appro­ However, a cyberattack in the CPM leads to deviation from the value
priate attributes to train the proposed classification algorithms is an of Xb ref which is represented as given in Eq. (25).
indispensable process in the proposed method. For fault detection, the
root mean square (RMS) values of current (Ir→F ) and voltage (Vr→F ) (De = Xb ref (t)
limXb (t) ∕ (25)
t→∞
Las Morenas et al., 2023) are calculated at protective relays 1 and 2, as
illustrated in Fig. 3. These values are selected as the predominant at­ According to Equations (24) and (25), the trained EC differentiates
tributes for fault identification and localization. The mean value of normal and abnormal events effectively. The difference in output cur­
phase voltage (σVr→F ph ) and current (σ Ir→F ph ) under fault conditions are rent and voltage due to load variation under usual operating conditions
is for a short time and is anticipated to return to the normal values
measured as defined in Eq. (20).
⎧ within the restoration time. But if the CPM undergoes a malicious threat,
⎪ then it will not return to the reference values.
⎪
⎪ 1∑b
⎪
⎨ σVr→F ph = b i=1 Vr→F ph
⎪ To provide a mathematical demonstration of a cyberattack in a
(20) cyber-physical microgrid leading to a deviation from the reference value
⎪
⎪
⎪ 1∑b of the attributes, considering the case of a cyberattack targeting the
⎪
⎪ σ Ir→F ph = I r→F ph
⎩ b i=1 active power attribute. The demonstration been made on how the
cyberattack can manipulate the active power measurements, causing a
where , ph denotes the phase and b is the number of attributes (1 < b) deviation from the reference value. The reference value of the active
considered in the CPM.The mean values of phase voltages and currents power as Pref , and the measured value of the active power as Pmeas are
are often considered as attributes for the diagnostic of faults due to their denoted. In normal operating conditions, we expect Pmeas to be close to
informative characteristics and diagnostic relevance. While mean values Pref . However, during a cyberattack, an adversary can manipulate the
are valuable attributes for fault diagnosis, it is important to note that measurements to achieve their malicious goals.
they may not capture all the details or dynamics of the waveform. Other Let us assume that the cyberattack modifies the measured active
attributes, such as harmonics, asymmetry, or transients, (Dubey & Jena, power value according to the following equation:
2023; Rangarajan et al., 2023) may also be considered depending on the
Pmeas = Pref + δ
specific fault diagnostic approach or application requirements. None­
theless, mean values offer a straightforward and effective means of
Where, Pmeas is the measured active power value, Pref is the reference
assessing the overall behavior of phase voltages and currents, making
value of the active power and δ represents the deviation caused by the
them widely used in fault diagnosis and monitoring applications. The
cyberattack. The value of δ can be positive or negative, depending on
sum of the mean values of selected attributes is defined by Eq. (21).
whether the cyberattack aims to increase or decrease the measured
∑
Xb = σ Ur→F ph (21) active power value. The magnitude of δ determines the extent of the
deviation from the reference value.
where Ur→F ph ∈ (Vr→F ph , Ir→F ph ). Similarly, for identifying cyber ab­ For example, if the cyberattack aims to increase the measured active
normalities, the RMS values of active power (Pr→A ) voltage (Vr→A ), and power by 10% of the reference value, we can express it as: Pmeas = Pref +
current (Ir→A ) (Hamed Haghshenas et al., 2022) at each inverter are 0.1*Pref = 1.1*Pref . In this case, the measured active power will deviate
selected as the predominant attributes and are given in Eq. (22). from the reference value by 10%.
Similarly, if the cyberattack aims to decrease the measured active
power by 5% of the reference value, we can express it as:

11
R. Divya et al.
Fig. 10. The undermining effect of MDI threat on the output voltage
of generators.
Pmeas = Pref − 0.05*Pref = 0.95*Pref . In this case, the measured active
power will deviate from the reference value by − 5% (indicating a
decrease).
By manipulating the measured active power value, the cyberattack
can deceive the system operators or control algorithms, leading to
erroneous decision-making or suboptimal control actions. This deviation
from the reference value can trigger alarms, indicate abnormal behavior,
and prompt further investigation to identify and mitigate the cyber­
attack. It is important to note that this mathematical demonstration
focuses on the manipulation of a single attribute (active power). In re­
ality, cyberattacks can target multiple attributes simultaneously, leading
to more complex deviations and potential cascading effects within the
cyber-physical microgrid. The impact of malicious data injection in the
∑
voltage sensor of distributed generators with respect to σVr→A ph is
illustrated in Fig. 10.
The incorrect information is inserted at the time (t + δt). Until time
‘t’ the output of each generating module is following the anticipated
operating point. Nonetheless, right after the malicious attack, the output
differs from the reference value. The deviation of measured output
voltage from the reference after introducing the malicious attack is
calculated using the Eq. (26).
⃒ ⃒
db = ⃒Xb ref (t) − Xb (t + δt) ⃒ (26)
where Xb ref (t) and Xb (t + δt) are the summations of RMS values of
voltages before and after the attack. The error magnitude is denoted by
the term db . When the MDI threat happens at Node 1 of the CPM, the
variation in the output of Node 1 is the maximum as compared to all
other nodes. This provides the maximum db for the compromised node.
These statistics are exploited by the proposed classification algorithm to
detect the node which is under the threat.
5. The training procedure for EC
The developed EC used in the SIFI model is trained by a dataset with
a set of attributes. This dataset is created by a time series simulation of
the proposed CPM. The learning procedure for the proposed classifier is
given below:
1. A dataset is generated for learning as well as for optimizing the pa­
rameters of the EC. The attribute set of the dataset includes the past
history gained from various simulations for different attacks as well
as the real-world data which includes both normal system behaviour
and diverse examples of actual cyberattacks.
12
Expert Systems With Applications 238 (2024) 122291
2. The learning parameters are fine-tuned using offline learning and are
applied later to classify the new data sample. For fault detection, the
input feature vector is defined by Eq. (27).
[ ∑ ∑ ]T
σ Ur→F ph = σ Vr→Fph ; σIr→Fph ; σ Vr→Fph ; σIr→Fph (27)
li li li li
where σUr→F ph
∈ R1×16 , the phase ph ∈ {a, b, c}, and li ∈ {load1, load2}.
For fault identification, the output vector Zpc = zj ∈ R1×4 is used where j
represents the type of physical anomalies, i.e., L-G, L-L, LL-G, LLL and
LLL-G faults. To locate the fault, this model uses the output vector Zpl =
zk ∈ R1×4 , where k designates the defective phase and the place of the
abnormality existence.
3. For detection of cyberattacks, the input feature vector is used as
defined by Eq. (28).
[∑ ∑ ∑ ]T
σ Wr→A ph = Vr→A ph ; Ir→A ph ; Pr→A ph (28)
where σ Wr→A ph
∈ R1×12 and the phase ph ∈ {a, b, c}. The output vector for
cyberattack detection is Zc = zinv ∈ R1×4 , where inv is the index of the
particular inverter under malicious activity.
4. The input dataset is divided into training and testing subsections
through k-fold cross-validation to evade the overfitting issue related
to the training process.
After training and optimizing parameters, the proposed SIFI
approach is validated by evaluating its effectiveness for new input data.
5.1. Training and testing cases
The training parameters are enhanced through the time series sim­
ulations of CPM as given in Fig. 3, considering the following four
different cases:
1. Variable load: Un, where n ∈ {3–––10} kW
2. Location: Li ∈ {load 1, load 2}
3. Fault type: Li G, Li Li , Li Li G, Li Li Li , Li Li Li G, where i ∈ {a, b, c}
4. Cyberattack type: (MDIij , DoSi ), where i ∈ {1, 2, 3, 4}, for one of the
inverters in the CPM, and i ∈ {case1, case2, case3, case4} gives mali­
cious data injection threat scenarios considered in this study
For conducting experiments, 10 ms as sampling time I selected over a
run time of 10 s (Hong et al., 2014). For cyber-attacks, 3ϕ voltages,
currents, and active power are measured at each generator. The
communication link in the CPM is visible to all the four MDI as well as
DoS attacks. Experimentations are carried out for usual and abnormal
situations, with abnormality beginning at 5 s for each scenario. Three
levels of load variations are considered to analyze the impact of load
fluctuations. This engenders around 30,000 instances for each gener­
ator. From these instances, required numerical attributes are selected to
create the feature space for the training process. Each class is allocated a
unique statistical label to classify the attacks happening at each gener­
ator. For fault detection, the reaction of the CPM is analyzed for both
genuine and abnormal conditions. The physical faults (i.e., L-G, L-L, LL-
G, LLL and LLL-G) are considered since the system response differs with
each type of fault. In order to localize the faults, abnormalities are
further classified by considering each phase, (i.e.,Li G, Li Li , Li Li G,
Li Li Li , Li Li Li G, where i ∈ {a, b, c}).
6. Results and discussion
The simulation outputs infer the recital of the established EC-based
SIFI model, which can distinguish transient activity due to load
R. Divya et al. Expert Systems With Applications 238 (2024) 122291

Table 2
The enactment of different classifiers with MVE.
Classifier LG LL LLG LLL LLLG

SVM 0.152 0.264 0.081 0.223 0.345

RF 0.247 0.248 0.341 0.447 0.587
C4.5 0.208 0.219 0.308 0.512 0.543
NB 0.545 0.217 0.297 0.715 0.743
EC 0.069 0.212 0.061 0.198 0.214

Fig. 12. Comparison of results for fault localization with respect to mean ab­
solute error.

Fig. 11. Comparison of results for fault identification with respect to mean
absolute error.

variation and real abnormality. Moreover, the outputs of various sce­

narios carried out on the test CPM proved that the examined SIFI model
can categorize and localize different faults and intrusive activities. EC
also effectively identified the compromised generator in the CPM. As
compared with offline simulators, online simulators proved the superi­
ority of the proposed SIFI model in terms of processing efficacy. More­
over, by considering the empirical evaluations, comparative analysis, Fig. 13. Comparison of results for fault localization with respect to mean ab­
execution time, computational complexity, benchmarking against solute error for 3ϕ faults.
resource constraints and scalability analysis of the SIFI model in the real-
time simulation of faults and malicious attacks, it is mostly preferable for
real-time solicitations. The effectiveness of the classifier is demonstrated Table 3
by comparing its performance with other advanced classification algo­ The performance of classifiers with respect to MVE for localizing Li G and Li Li
rithms like SVM (Marathe, 2017), basic C4.5 (Ravinder & Kulkarni, faults.
2023), basic RF (Wang et al., 2019), and Naive Bayes (NB) (Wang et al., Algorithm LaG LbG LcG LaLb LbLc LaLc
2021) classifiers in terms of the mean value of absolute error. SVM 0.232 0.344 0.161 0.303 0.425 0.293
RF 0.246 0.371 0.464 0.570 0.710 0.472
6.1. Physical faults C4.5 3.337 2.533 0.987 1.125 1.137 0.482
NB 0.545 0.432 2.843 0.425 0.226 0.347
EC 0.142 0.134 0.226 0.147 0.225 0.146
Faults are triggered at load 1 and load 2 in the CPM as given in Fig. 3.
There are five physical abnormalities i.e., Li G, Li Li , Li Li G, Li Li Li and
Li Li Li G are taken into account at designated load sites with three levels The performance of the SIFI approach for fault localization with
of load demands for each phase. The CPM is running under usual and respect to MVE, at all the four generators, is shown in Figs. 12 and 13.
abnormal operating environments. The outputs of various classifiers for The results of different classifiers obtained for Li G and Li Li fault local­
fault identification and classification are evaluated with respect to the ization is listed in Table 3. For Li G fault, the SIFI model out-performs
mean value of error (MVE) as given in Eq. (29). other classifiers in terms of MVE. The proposed model provides better
results (0.167 %) in terms of average MVE related to SVM (0.246 %), RF
MVE = Totaldatapoints + (Actualvalue − forecastedvalue)
(0.360 %), C4.5 (2.286 %), and NB (1.273 %) algorithms. For Li G fault,
1∑
MVE = ̂
|Z − Z| (29)
m
Table 4
The results obtained by different classifiers at four nodes of test CPM are The performance of classifiers with respect to MVE for localizing 3ϕ fault.
given in Table 2. The results of fault identification with respect to MVE Algorithm LaLbG LbLcG LaLcG LaLbLc
are illustrated in Fig. 11. The minimum average MVE of the projected SVM 0.227 0.339 0.156 0.298
EC-based SIFI model provides superior results (0.15 %) for fault iden­ RF 0.239 0.364 0.457 0.563
tification as compared to other classifiers using SVM, RF, C4.5, and NB C4.5 0.335 0.331 0.385 0.823
algorithms having average MVE of 0.21 %, 0.37 %, 0.36 %, and 0.50 %, NB 0.246 0.332 0.343 0.395
EC 0.133 0.125 0.117 0.138
correspondingly.

13
R. Divya et al. Expert Systems With Applications 238 (2024) 122291

Table 5
The performance of classifiers with respect to MVE for different MDI attack.
Algorithm Node 1 Node 2

Case 1 Case 2 Case 3 Case 4 Case 1 Case 2 Case 3 Case 4

SVM 1.201 2.154 0.915 1.221 1.018 0.648 1.418 1.627

RF 2.421 2.654 3.478 4.523 6.363 7.123 7.256 7.356
C4.5 1.614 1.242 0.894 1.391 0.859 0.948 0.749 0.849
NB 3.514 8.512 8.323 3.654 1.247 1.735 0.845 0.677
EC 0.831 0.674 0.597 0.576 0.839 0.839 0.587 0.586

Table 6
The performance of classifiers with respect to MVE for different MDI attack.
Algorithm Node 3 Node 4

Case 1 Case 2 Case 3 Case 4 Case 1 Case 2 Case 3 Case 4

SVM 1.302 2.137 0.715 1.281 1.711 0.748 1.618 1.627

RF 3.214 3.147 3.258 4.159 5.214 6.897 7.143 7.147
C4.5 1.023 1.896 0.846 1.013 0.745 1.479 1.574 1.587
NB 5.236 8.365 8.142 3.547 1.549 1.735 1.475 1.246
EC 1.235 0.674 0.597 1.247 1.546 1.245 0.874 0.472

Fig. 14. Comparison of results for fault localization at Node 1 and Node 2 with
respect to mean absolute error.
the SIFI model outperforms other classifiers in terms of MVE. The pro­
posed model provides better results (0.173 %) in terms of average MVE
related to SVM (0.340 %), RF (0.584 %), C4.5 (0.915 %), and NB (0.333
%) algorithms.
The fault localization results of different classifiers obtained for 3ϕ
faults such as Li Li G and Li Li Li are listed in Table 4. For Li Li G, the pro­
posed model provides better results (0.125 %) in terms of average MVE
related to SVM (0.241 %), RF (0.353 %), C4.5 (0.351 %), and NB (0.307
%) algorithms. For Li Li Li fault, our SIFI model outperforms other clas­
sifiers in terms of MVE. Whereas in case of 3ϕ Li Li Li type fault locali­
zation, the proposed SIFI outdoes other classification models in terms of
MVE (0.138 %) related to SVM (0.298 %), RF (0.563 %), C4.5 (0.823 %),
and NB (0.395 %) algorithms.
6.2. MDI attacks
Different data injection scenarios are considered in this work at each
generator of the test CPM. Under these attacks, the output voltage of the
targeted generating unit differs from the standard value. The calculated
MVE for different MDI attacks by various classifiers is given in Tables 5
and 6. In MDI anomalies, the adversary starts inserting wrong infor­
mation into the feedback voltage signals of the controller at Node 1 with
an = 0.5, beginning with t = 5 s. The CPM runs under normal conditions
for the period (0 < t < 5)s, then an identical MDI anomaly is instigated
Fig. 15. Comparison of results for fault localization with respect to mean ab­
solute error.
for the rest of the generators in the CPM.
The effectiveness of the method is related to SVM, RF, C4.5, and NB
classifiers with respect to MVE, and results are shown in Figs. 14 and 15.
The lower MVE represents the higher performance of the proposed SIFI
technique.
For Node 1, the MVE gained by the proposed EC-based SIFI method is
0.669 % is less than MVE achieved by SVM, RF, C4.5, and NB, 1.372 %,
3.269 %, 1.285 %, and 6 %, correspondingly. For Node 2, the MVE
achieved by the proposed EC-based SIFI method is 0.712 % is less than
MVE achieved by SVM, RF, C4.5, and NB, 1.177 %, 7.024 %, 0.851 %,
and 1.126 %, correspondingly. For Node 3, the MVE gained by the
proposed EC-based SIFI method is 0.938 % is less than MVE achieved by
SVM, RF, C4.5, and NB, 1.358 %, 3.445 %, 1.194 %, and 6.322 %,
correspondingly. For Node 4, the MVE achieved by the proposed EC-
based SIFI method is 1.034 % is less than MVE achieved by SVM, RF,
C4.5, and NB, 1.426 %, 6.6 %, 1.346 %, and 1.501 %, correspondingly.
The DoS threat is introduced by jamming the network link between
Node 1 and its adjacent nodes (i.e., Node 2 and Node 4). The CPM runs
under normal condition by choosing μnm = 1 for (0 < τ < 3) s, until the
interaction between Node 1 and Node 2 is disturbed by varying μn = 0
for (3 < τ < 4)s, and eventually link between Node 1 and Node 4 is
jammed by setting μm = 0 for (4 < τ < 5)s. To carry out these experi­
ments, three levels of load demands are utilized.

14
R. Divya et al. Expert Systems With Applications 238 (2024) 122291

Table 7 parameters required for testing the developed system. In the simulation
The performance of classifiers with respect to MVE for different DoS attack. of the case study, the controller is activated for a time duration of
Algorithm MVE 0 − 0.5s,a load capacity of 10kW +5kvar is activated for a time duration
of 2 − 4s, the SIFI model is activated for the time duration of 3 − 5s.
Node 1 Node 2 Node 3 Node 4
Table 8 presents the parameters used for the case study.
SVM 0.251 0.371 0.348 0.405 Fig. 18 presents the testing of the CPM without the SIFI algorithm or
RF 0.546 0.572 0.641 0.614
C4.5 0.791 0.473 0.533 0.202
normal operating condition. Fig. 19 presents the output of the voltage
NB 0.521 0.541 0.242 0.203 and reactive power of the CPM when a MDI attack is introduced at the
EC 0.119 0.191 0.132 0.105 node A1 without the use of any fault identification algorithm. It is
observed that the output voltage and reactive power is adjusted for the
DG1, whereas the average voltage and reactive power parameters
converge to the values of normal operating condition during the MDI
attack. Therefore, the operator in the CPM cannot identify the cyber-
attack in the system. Fig. 20 presents the implementation of SIFI when
the CPM is subjected to MDI attack.
From Fig. 20 it is observed that at a time duration of 3s the MDI
attack happens and there exists a mutual energy sharing among the
uninfected DGs. The affected DG1is identified by the SIFI method. Due
to the inefficient operation, the cooperative controller is activated so
that the reactive power adjusts according to the droop characteristics.
Therefore, the reactive power is controlled using the SIFI based DCCS
controller.
It is observed that the reactive power is reducing very fast as well as
the reactive power is being absorbed by the neighboring DGs. Therefore,
voltage sag and instability arise in the entire CPM. Fig. 21 presents the
implementation of SIFI when the CPM is subjected to DoS attack. During
the initiation of DoS attack at node A1, the neighboring nodes are also
affected due to the transfer of data to individual neighboring nodes. The
algorithm identifies the weak node and mitigates the DoS attack by
Fig. 16. Comparison of results for DoS attacks with respect to mean abso­
lute error.

Table 8
The performance comparison of the SIFI method with other classi­
Parameters used for the Case study.
fiers is given in Table 7 with respect to MVE. The SVM classifier provides
0.344 % of MVE in the classification of DoS attacks. The NB classifier Type Parameter Value Parameter Value

provides similar result with 0.521 % MVE at Node 1. The result provided — Voltage 380V Frequency 50Hz
by the C4.5 classifier is slightly higher MVE, i.e., around 0.499 %. DG Cooperative Controller coefficient Connection impedances
n1, n2 1 × 10 − 5 Zc1 0.2 +j0.3Ω
Similarly, the RF classifier produces 0.593 % of MVE as shown in Fig. 16.
n3 0.5 × 10 − 5 Zc2 0.1 +j0.22Ω
n4, n5 1.5 × 10 − 5 Zc3 0.08 +j0.15Ω
7. Case study m1 − m5 7.5 × 10 − 4 Zc4 0.15 + j0.28Ω
—— Zc5 0.05 + j0.13Ω
To investigate the effectiveness of the proposed algorithm a CPM is Load Load1 10kW + 5kvar Load2 10kW + 5kvar
Line Zl1 0.05 + j0.1Ω Zl2 0.13 + j0.2Ω
presented in Fig. 17. The five DGs of equal capacity is controlled using a Zl3 0.03 + j0.1Ω Zl4 0.08 + j0.13Ω
distributed cooperative control mechanism. Table 8 presents the

Fig. 17. Schematic of the CPM for the Case Study.

15
R. Divya et al.
Fig. 18. Testing of CPM without the SIFI method.
Fig. 19. Initializing MDI attack in CPM without the SIFI method.
activating the DCCs controller. Fig. 22 presents the output of the voltage
and reactive power of the CPM when a DoS attack is introduced at the
node A1.
8. Conclusion
In this work, a smart intrusion and fault detection method using a
machine learning approach is developed that effectively classifies
different physical faults and cyberattacks in the CPM with distributed
cooperative controllers. This method exploits EC to classify and localize
cyber-physical abnormalities including physical faults, malicious data
injection, and DoS attacks. The optimum numerical attributes selected
from the time series simulation of the CPM having various distributed
generators, under normal and abnormal operations are employed to
16
Expert Systems With Applications 238 (2024) 122291
Fig. 20. Mitigation of MDI attack using SIFI-DCCS controller.
Fig. 21. Initializing DoS attack in CPM without the SIFI method.
train the classifier. According to the training feature vector, the type of
attack and the targeted generating units are detected. The performance
of the EC-based SIFI model is evaluated on the RAP Sim simulator by
relating its classification results to other advanced classification algo­
rithms such as SVM, basic C4.5, basic RF, and Naive Bayes in terms of
MVE. The extensive empirical analysis proved that the proposed
ensemble classifier-based SIFI model yields the minimum MVE for
identifying physical faults and cyberattacks. For physical abnormalities
identification and localization, our approach provides enhanced outputs
with an MVE of 0.157 % and 0.162 %, correspondingly. For identifying
MDI anomalies, SIFI model provides better results with a lower error
rate. For DoS anomaly detection, SIFI model provides better classifica­
tion performance with a 0.136 % error. This demonstrated the perfor­
mance of our SIFI approach for the detection of physical faults and
cyberattacks in the CPM under normal and abnormal operating
R. Divya et al.
Fig. 22. Mitigation of DoS attack using SIFI-DCCS controller.
scenarios. In the training phase, the SIFI method uses a labeled dataset
that includes instances of both faults and cyberattacks. It trains a model,
such as a machine learning algorithm or a rule-based system, using the
extracted features. The model learns the patterns and characteristics
associated with different types of faults and cyberattacks. The effec­
tiveness of the SIFI method relies on the quality of the training data, the
selection of appropriate features, and the chosen classification or
decision-making approach. Continuous monitoring, periodic updates,
and adaptation to new attack techniques are essential for maintaining
the effectiveness of the SIFI method over time.
CRediT authorship contribution statement
R. Divya: Writing – original draft, Conceptualization, Methodology,
Software. S. Umamaheswari: Supervision, Writing – review & editing.
Albert Alexander Stonier: Software, Writing – review & editing.
Declaration of Competing Interest
The authors declare that they have no known competing financial
interests or personal relationships that could have appeared to influence
the work reported in this paper.
Data availability
Data will be made available on request.
References
Adnan, M. N., & Islam, M. Z. (2017). Forest PA: Constructing a decision forest by
penalizing attributes used in previous trees. Expert Systems with Applications, 89,
389–403. https://doi.org/10.1016/j.eswa.2017.08.002
Ali, S., Zheng, Z., Aillerie, M., Sawicki, J. P., Pera, M. C., & Hissel, D. (2021). A review of
DC Microgrid energy management systems dedicated to residential applications.
Energies, 14(14), 4308. https://doi.org/10.3390/en14144308
Aslani, M., Hashemi-Dezaki, H., & Ketabi, A. (2021). Reliability evaluation of smart
microgrids considering cyber failures and disturbances under various cyber network
topologies and distributed generation’s scenarios. Sustainability, 13(10), 5695.
https://doi.org/10.3390/su13105695
Bidram, A., Davoudi, A., Lewis, F. L., & Guerrero, J. M. (2013). Distributed cooperative
secondary control of microgrids using feedback linearization. IEEE Transactions on
Power Systems, 28(3), 3462–3470. https://doi.org/10.1109/TPWRS.2013.2247071
17
Expert Systems With Applications 238 (2024) 122291
De Las Morenas, J., Moya-Fernández, F., & López-Gómez, J. A. (2023). The Edge
Application of Machine Learning Techniques for Fault Diagnosis in Electrical
Machines. Sensors, 23(5), 2649.
Dubey, K., & Jena, P. (2023). A Novel High Impedance Fault Detection Technique in
Smart Active Distribution Systems. IEEE Transactions on Industrial Electronics.
Feng, Q., Liu, J., & Gong, J. (2015). UAV remote sensing for urban vegetation mapping
using random forest and texture analysis. Remote Sensing, 7(1), 1074–1094. https://
doi.org/10.3390/rs70101074
Ghiasi, M., Niknam, T., Wang, Z., Mehrandezh, M., Dehghani, M., & Ghadimi, N. (2023).
A comprehensive review of cyber-attacks and defense mechanisms for improving
security in smart grid energy systems: Past, present and future. Electric Power Systems
Research, 215, Article 108975.
Habibi, M. R., Baghaee, H. R., Dragičević, T., & Blaabjerg, F. (2020). False data injection
cyber-attacks mitigation in parallel DC/DC converters based on artificial neural
networks. IEEE Transactions on Circuits and Systems II: Express Briefs, 68(2), 717–721.
https://doi.org/10.1109/TCSII.2020.3011324
Hakak, S., Alazab, M., Khan, S., Gadekallu, T. R., Maddikunta, P. K. R., & Khan, W. Z.
(2021). An ensemble machine learning approach through effective feature extraction
to classify fake news. Future Generation Computer Systems, 117, 47–58. https://doi.
org/10.1016/j.future.2020.11.022
Hamed Haghshenas, S., Abul Hasnat, M., & Naeini, M. (2022). A Temporal Graph Neural
Network for Cyber Attack Detection and Localization in Smart Grids. arXiv e-prints,
arXiv-2212.
Hasan, M. K., Habib, A. A., Shukur, Z., Ibrahim, F., Islam, S., & Razzaque, M. A. (2023).
Review on cyber-physical and cyber-security system in smart grid: Standards,
protocols, constraints, and recommendations. Journal of Network and Computer
Applications, 209, Article 103540.
He, Y., Mendis, G. J., & Wei, J. (2017). Real-time detection of false data injection attacks
in smart grid: A deep learning-based intelligent mechanism. IEEE Transactions on
Smart Grid, 8(5), 2505–2516. https://doi.org/10.1109/TSG.2017.2703842
Hong, Y. Y., Wei, Y. H., Chang, Y. R., Lee, Y. D., & Liu, P. W. (2014). Fault detection and
location by static switches in microgrids using wavelet transform and adaptive
network-based fuzzy inference system. Energies, 7(4), 2658–2675. https://doi.org/
10.3390/en7042658
Hssina, B., Merbouha, A., Ezzikouri, H., & Erritali, M. (2014). A comparative study of
decision tree ID3 and C4. 5. International Journal of Advanced Computer Science and
Applications, 4(2), 13–19. https://doi.org/10.14569/SpecialIssue.2014.040203
Hu, J., & Bhowmick, P. (2020). A consensus-based robust secondary voltage and
frequency control scheme for islanded microgrids. International Journal of Electrical
Power & Energy Systems, 116, Article 105575. https://doi.org/10.1016/j.
ijepes.2019.105575
Irtaza, A., Adnan, S. M., Ahmed, K. T., Jaffar, A., Khan, A., Javed, A., & Mahmood, M. T.
(2018). An ensemble based evolutionary approach to the class imbalance problem
with applications in CBIR. Applied Sciences, 8(4), 495. https://doi.org/10.3390/
app8040495
Jayachandran, M., Reddy, C. R., Padmanaban, S., & Milyani, A. H. (2021). Operational
planning steps in smart electric power delivery system. Scientific Reports, 11(1),
17250. https://doi.org/10.1038/s41598-021-96769-8
Justin, V., Marathe, N., & Dongre, N. (2017, February). Hybrid IDS using SVM classifier
for detecting DoS attack in MANET application. In 2017 International Conference on I-
SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC) (pp. 775-778). IEEE.
Kar, S., & Samantaray, S. R. (2016). In December). High impedance fault detection in
microgrid using maximal overlapping discrete wavelet transform and decision tree (pp.
258–263). IEEE. https://doi.org/10.1109/ICEPES.2016.7915940.
Kar, S., Samantaray, S. R., & Zadeh, M. D. (2015). Data-mining model based intelligent
differential microgrid protection scheme. IEEE Systems Journal, 11(2), 1161–1169.
https://doi.org/10.1109/JSYST.2014.2380432
Mathesh, G., & Saravanakumar, R. (2023). A novel digital control scheme for power
management in a hybrid energy-source environment pertaining to electric vehicle
applications. Frontiers in Energy Research, 11, 1130401. https://doi.org/10.3389/
fenrg.2023.1130401
Mishra, D. P., Samantaray, S. R., & Joos, G. (2015). A combined wavelet and data-mining
based intelligent protection scheme for microgrid. IEEE Transactions on Smart Grid, 7
(5), 2295–2304. https://doi.org/10.1109/TSG.2015.2487501
Mololoth, V. K., Saguna, S., & Åhlund, C. (2023). Blockchain and machine◦ learning for
future smart grids: A review. Energies, 16(1), 528.
Nafees, M. N., Saxena, N., Cardenas, A., Grijalva, S., & Burnap, P. (2023). Smart grid
cyber-physical situational awareness of complex operational technology attacks: A
review. ACM Computing Surveys, 55(10), 1–36.
Panigrahi, B. K., Ray, P. K., Rout, P. K., Mohanty, A., & Pal, K. (2018). Detection and
classification of faults in a microgrid using wavelet neural network. Journal of
Information and Optimization Sciences, 39(1), 327–335.
Parizad, A., & Hatziadoniu, C. J. (2022). Cyber-attack detection using principal
component analysis and noisy clustering algorithms: A collaborative machine
learning-based framework. IEEE Transactions on Smart Grid, 13(6), 4848–4861.
Peppes, N., Daskalakis, E., Alexakis, T., Adamopoulou, E., & Demestichas, K. (2021).
Performance of machine learning-based multi-model voting ensemble methods for
network threat detection in agriculture 4.0. Sensors, 21(22), 7475. https://doi.org/
10.3390/s21227475
Pinto, J., Carvalho, A., & Morais, V. (2021). Power sharing in island microgrids. Frontiers
in Energy Research, 8, Article 609218. https://doi.org/10.3389/fenrg.2020.609218
Pöchacker, M., Khatib, T., & Elmenreich, W. (2014). In May). The microgrid simulation tool
RAPSim: Description and case study (pp. 278–283). IEEE. https://doi.org/10.1109/
ISGT-Asia.2014.6873803.
R. Divya et al.
Rangarajan, S. S., Shiva, C. K., Sudhakar, A. V. V., Subramaniam, U., Collins, E. R., &
Senjyu, T. (2023). Avant-garde solar plants with artificial intelligence and
moonlighting capabilities as smart inverters in a smart grid. Energies, 16(3), 1112.
Rahman Fahim, S., Sarker, K. S., Muyeen, S. M., Sheikh, M. R. I., & Das, S. K. (2020).
Microgrid fault detection and classification: Machine learning based approach,
comparison, and reviews. Energies, 13(13), 3460. https://doi.org/10.3390/
en13133460
Ravinder, M., & Kulkarni, V. (2023, January). A Review on Cyber Security and Anomaly
Detection Perspectives of Smart Grid. In 2023 5th International Conference on Smart
Systems and Inventive Technology (ICSSIT) (pp. 692-697). IEEE. doi: 10.1109/
ICSSIT55814.2023.10060871.
Risbud, P., Gatsis, N., & Taha, A. (2018). Vulnerability analysis of smart grids to GPS
spoofing. IEEE Transactions on Smart Grid, 10(4), 3535–3548. https://doi.org/
10.1109/TSG.2018.2830118
Srikantha, P., & Kundur, D. (2015, February). Denial of service attacks and mitigation for
stability in cyber-enabled power grid. In 2015 IEEE Power & Energy Society Innovative
Smart Grid Technologies Conference (ISGT) (pp. 1-5). IEEE. doi: 10.1109/
ISGT.2015.7131827.
Sureshbabu, P. S., Subramanian, G., Stonier, A. A., Peter, G., & Ganji, V. (2022). Design
and analysis of a photovoltaic-powered charging station for plug-in hybrid electric
vehicles in college campus. IET Electrical Systems in Transportation, 12(4), 358–368.
https://doi.org/10.1049/els2.12060
Tran, T. S., Nguyen, D. T., & Fujita, G. (2019). The analysis of technical trend in islanding
operation, harmonic distortion, stabilizing frequency, and voltage of islanded
entities. Resources, 8(1), 14. https://doi.org/10.3390/resources8010014
Ullah, S., Khan, L., Jamil, M., Jafar, M., Mumtaz, S., & Ahmad, S. (2021). A finite-time
robust distributed cooperative secondary control protocol for droop-based islanded
ac microgrids. Energies, 14(10), 2936.
18
Expert Systems With Applications 238 (2024) 122291
Wan, X., Tian, Y., Wu, J., Ding, X., & Tu, H. (2021). Distributed event-triggered
secondary recovery control for islanded microgrids. Electronics, 10(15), 1749.
https://doi.org/10.3390/electronics10151749
Wang, L., Xu, P., Qu, Z., Bo, X., Dong, Y., Zhang, Z., & Li, Y. (2021). Coordinated cyber-
attack detection model of cyber-physical power system based on the operating state
data link. Frontiers in Energy Research, 9, Article 666130. https://doi.org/10.3389/
fenrg.2021.666130
Wang, D., Wang, X., Zhang, Y., & Jin, L. (2019). Detection of power grid disturbances and
cyber-attacks based on machine learning. Journal of Information Security and
Applications, 46, 42–52. https://doi.org/10.1016/j.jisa.2019.02.008
Wang, C., Zhang, T., Luo, F., Li, F., & Liu, Y. (2017). Impacts of cyber system on
microgrid operational reliability. IEEE Transactions on Smart Grid, 10(1), 105–115.
https://doi.org/10.1109/PESGM40551.2019.8973782
Xing, L., Mishra, Y., Guo, F., Lin, P., Yang, Y., Ledwich, G., & Tian, Y. C. (2019).
Distributed secondary control for current sharing and voltage restoration in DC
microgrid. IEEE Transactions on Smart Grid, 11(3), 2487–2497.
Yang, X., Zhang, Y., He, H., Ren, S., & Weng, G. (2018). Real-time demand side
management for a microgrid considering uncertainties. IEEE Transactions on Smart
Grid, 10(3), 3401–3414. https://doi.org/10.1109/TSG.2018.2825388
Yaqub, R., Ali, M., & Ali, H. (2021). DC Microgrid Utilizing Artificial Intelligence and
Phasor Measurement Unit Assisted Inverter. Energies, 14(19), 6086. https://doi.org/
10.3390/en14196086
Yeboah-Ofori, A. (2020). Classification of malware attacks using machine learning in
decision tree. International Journal of Security, 11(2), 10–25.
Zhukov, A., Tomin, N., Kurbatsky, V., Sidorov, D., Panasetsky, D., & Foley, A. (2019).
Ensemble methods of classification for power systems security assessment. Applied
Computing and Informatics, 15(1), 45–53.