I Introduction
The power system is increasingly equipped with sensors and communication infrastructures. This enables smarter grid operations, but also makes possible novel cyber attack scenarios that manipulate power system measurements instead of directly disrupting ICT infrastructure or stealing valuable data. Although the typical bad data detection (BDD) within state estimation (SE) can detect erroneous measurements and some “basic” attacks, welldesigned attacks can remain stealthy and bypass the BDD, such as the stealthy false data injection attacks (FDIAs) [liu2011false]. These stealthy measurements manipulation attacks severely threaten both the economic dispatching and security control of the power system [liu2015analyzing, jia2013impact].
Several techniques have been proposed to deal with stealthy FDIAs. In [manandhar2014detection]
, the authors have proposed a Kalman filter estimator together with a chisquare detector. Other statistical methods, such as sequential detection using Cumulative Sum (CUSUM)type algorithms were designed in
[Li2015]. The recent work [Zhao2018] has proposed a detector utilizing the statistical consistency of measurements, presuming that the system is observable by a minimal set of secure phasor measurement units. These methods, however, can be limited by the prior assumption that measurements fit specific distributions, or parts of the sensors are secure, while absolute security is unattainable [Pan2019a].Moreover, it is increasingly recognised that the distribution of normal power system states is not easily characterised using standard parametric distributions [sun2016evaluating]. The need to operate in a complex stochastic environment has led to the deployment of datadriven methods. For example, distancebased algorithms like nearest neighbour (kNN) were used to cluster normal and corrupted measurement states [tian2014anomaly]. Nevertheless, the very high dimensionality of measurements (from the physical, cyber and market domains) results in data sparsity, where manipulated measurements may be masked by the noise of multiple irrelevant dimensions. This can make detection using a highdimensional distancebased algorithm computationally inefficient or even invalid [aggarwal2015outlier].
Alternative datadriven approaches to FDIA detection have been proposed in the form of supportvector machine (SVM)based classifiers
[he2017real] and deep neural networkbased classifiers [james2018online]. Both are supervised machine learning algorithms that classify measurements into normal and manipulated data on the basis of labeled training data. However, due to the infrequent occurrence (or more likely: absence) of FDIAs in historical data, the training data set is highly unbalanced, so that it must be augmented by simulated training data. Moreover, in this way, the detector only learns to detect known attacks, which is a significant weakness in a fastevolving field with resourceful and potentially wellequipped attackers.This paper bridges the identified gap by proposing a detection approach based on an autoencoder neural network. The main contributions of this paper are listed below:

We propose an autoencoderbased detection approach for FDIAs. It learns to identify anomalous system states (and therefore possible attacks) using only SCADAtype power flow measurements for a large range of normal operating conditions. Therefore it is wellsuited to the inherent data imbalance in FDIA detection applications.

We define a case study on the IEEE 118bus system, including a model to generate ‘normal’ data. We formulate two FDIA scenarios by considering comprehensive factors of the adversaries’ purpose, capacity, and knowledge and utilize indicators to evaluate the FDIA detection performance of our proposed mechanism. The experimental results demonstrate the mechanism has a satisfactory detection accuracy.
Ii State Estimation and Data Attacks
In this section, we briefly review the state estimation and bad data detection technique and formulate the FDIA problem.
Iia State estimation
The power system we consider has buses and transmission lines. The vector represents phase angles, excluding the angle of the reference bus. In this paper, a DC power flow model is assumed, in which the reactive power is neglected and bus voltages are assumed to be 1 (p.u.). The vector of active power injections is related to the angle vector ,
(1) 
where is the branch active power flow vector, is a diagonal matrix of transmission line reactances and is the branchtonode incidence matrix [gonzalez2014powerfactory]. In the following, we shall use the power injection vector as the system state . It is functionally equivalent to the more commonly used phase angle vector , but it allows for more elegant generation and detection of FDIAs.
We consider a system where the active power injections and line flows are measured with some error. Thus the system model for measurement and state can be written by
(2) 
where the measurement noise vector denotes independent zeromean Gaussian variables with the covariance matrix and the measurement vector
indicates measured power injection and line power flow with noise. Identity matrix
and distribution factor matrix are parts in corresponding to the power injection and line power flow, respectively. According to (1), the distribution factor matrix can be described as . Given the observation of the measurements , the state estimate is solved by the weighted least squares (WLS) approach [sandberg2010security] as(3) 
IiB Bad data detection and stealth FDIAs
The vector is then utilized to estimate the power injection and line power flow measurements by . In bad data detection, a residual is defined to describe the difference between the actual and the estimated measurements, namely . This naturally gives rise to a BDD scheme that identifies bad data by comparing the 2norm of with a certain threshold , i.e. an alarm is triggered if .
We denote as the nonzero false data vector injected into measurement vector . The manipulated measurement vector can be described as . Here the vector is defined as the deviation of the estimated state before and after the attack. The corrupted system state can be denoted as . According to (3), the falsified state estimate can be written by
(4)  
and the corresponding after the attack can be expressed as
(5) 
If , then the manipulated residual equals the original residual . Thus the attacker manipulates the measurements with the residual unchanged and keeps stealthy with respect to this physicsbased BDD scheme. This remains true if , as long as is still satisfied.
For our FDIA detection study, we consider one attack scenario from the perspective of an adversary that manipulates load patterns [jia2013impact], for example in order to hide excessive power consumption or to reduce apparent power consumption for economic motives. The adversary needs to corrupt the power generation and power flow accordingly to avoid detection by BDD. The attack scenario will be detailed in section IV.
Iii FDIA Detection Mechanism
In this section, we propose an FDIA detection mechanism based on the autoencoder algorithm. We first analyze the specific characteristics and advantages of the method for identifying FDIAs in the context of the power system. Then, we explain the attack detection principle of the autoencoderbased mechanism in detail. Finally, we describe the complete training and detection process of our proposed mechanism.
Iiia Autoencoderbased attack detector
FDIA detection is essentially a classification problem with the objective of distinguishing false data from data that is considered ‘normal’. What the SVMbased [he2017real] and deep neural networkbased classifiers [james2018online]
have in common is to treat FDIA detection as a supervised learning task. However, supervised learning requires a training data set with representative examples of normal system operation and attacks. Such data sets are in short supply, because of the rarity of attacks, unwillingness to share data, and evolving attacks. As a result, it is difficult to learn a satisfactory discriminator of ‘normal’ and ‘attack’ scenarios on this basis
[duan2016new].Instead, we propose to approach FDIA detection as a oneclass classification problem, where the detector is trained on examples of only ‘normal’ operation data. Observations with features that deviate substantially from those in the training data will be considered anomalies, in this case as ‘potential attacks’. There are two main advantages to this approach. First, the autoencoderbased mechanism avoids the need to gather or generate attack data to create balanced data sets for training the classifiers. Second, by focusing on what is normal only, the proposed mechanism is naturally prepared for unknown attack patterns.
Autoencoders learn the most important features of the training data (i.e. normal power system measurements) by sending the measurements through an information bottleneck while attempting to reconstruct the training data with minimal error [sakurada2014anomaly]. The structure of the autoencoder algorithm is depicted in Fig. 1. The dimension reduction process of mapping the dimensional input data to the code in the bottleneck layer through hidden layers to is named the encoder. Afterwards, the decoder decompresses the code to dimensional output data. Weight matrices
and bias vectors
are utilized in the encoding and decoding process as(6a)  
(6b) 
where and denote weight matrices for encoding and decoding process respectively, and are bias vectors, and
represents a nonlinear elementwise activation function.
refers to the input data vector, is the data in the bottleneck layer and vector stands for the output data.IiiB Training and detection process
The residual associated with a training observation is given by . The reconstruction error is expressed as the ratio of the length of to the input data dimension and the objective of the training process is to minimize the mean value of the sum of all reconstruction errors as
(7) 
where denotes the total number of the observations used for training. By training the autoencoder on training data that is considered normal, it learns to efficiently encode the features of this data in the bottleneck layer . Data that deviates from the training data in a structural way is therefore highly likely to have a larger reconstruction error.
The training and FDIA detection process of the proposed mechanism is depicted in Fig. 2. In the training stage, the algorithm iteratively updates the value of weight matrices and bias vectors until the function converges. At the end of the training process, the reconstruction errors for the validation set are sorted in ascending order. A threshold equals to the percentile is then chosen, for example at the value where an ‘inflection point’ occurs in the error distribution. A possible FDIA is detected when, for a measurement in the test set, the reconstruction error exceeds the threshold .
Iv Case Study
In this section, we evaluate the detection performance of the proposed mechanism using a case study on the IEEE 118bus system. First, we describe the process of modelling normal operating conditions and explain how to create anomalous attack scenarios. Then, we describe and analyse the loadtargeted attack scenario. For this scenarios, we will first quantify the detection performance of our proposed detection mechanism. Specifically, the detection probability, false positive rate, false negative rate are tested. Next, the detection performance of our detector will be compared with a conventional BDD detector. To do so, we introduce “knowledge limited” attacks that both detectors can potentially detect. Notably, the “knowledgelimited” attacks are more of interest in reality as the attacker may have an inaccurate (e.g. outdated or estimated) system model.
Iva Modeling normal operating conditions
With the longterm secure and stable operation, the power system has a large number of normal operating conditions which involve a significant volume of loads, power generations and power flows data set. Trained by these data, the proposed mechanism will acquire the data pattern which represents the model of normal system operating conditions.
In the IEEE 118bus system, electricity is supplied by generators, transmitted via branches and ultimately consumed by loads. We generate ‘normal’ (i.e. physically feasible and economically reasonable) power system states and corresponding measurements by using optimal power flow solutions. Second order polynomial cost functions were assumed for generators, i.e., . Hence the economic dispatch is solved with the objective to minimize the total generation cost. The solutions are implicitly parameterized by the nodal load and generation cost parameter as
(8)  
where the injection is determined by the mapping of load and generation onto the nodes.
Normal operating conditions are generated using a data set that contains a total of 43,717 historical hourly loads from 32 European countries between 2013 and 2017 [Muehlenpfordt2019]. These time series were used to generate a 99 load point time series as follows. The national load time series are first divided by 1000, to obtain reasonable magnitudes for individual buses. Then each load point is assigned a random linear combination of the 32 sources by sampling from the Dirichlet distribution with vector valued parameter
, which generates a uniform distribution on the
simplex. Additionally, a normally distributed variation with a standard deviation of
5 of the measured value is added to each measurement.An additional source of randomness was created by randomly sampling the generating cost coefficients of the 54 generators as follows. Coefficients were sampled uniformly in the range and uniformly in the range . These values span the range of generators included in the IEEE 9bus system supplied with Matpower [zimmerman1997matpower].
The procedure above was used to generate snapshot injections , which were converted into line flow measurements using . In this investigation, line transmission limits and generator capacities are not enforced, as the focus of this work is on the recognition of load, generation and power flow patterns. This results in a 339dimensional measurement vector for training, containing 99, 54 and 186dimensional data of loads, power generations and line power flows, respectively. Independent measurement noise
is added using a truncated Gaussian distribution with zero mean, standard deviation of 0.33% and an absolute value less than 1
of the original value [he2013online]. The generated data set was divided into a training set , a validation set and testing set .The autoencoder network contains 4 hidden layers in the encoder with dimensions of 339, 256, 128 and 64, respectively. The bottleneck layer has 32 nodes, and the decoder maps the 32dimensional data to a 339dimensional output through 4 hidden layers with the same dimensions as the encoder. In this paper, we used the sigmoid activation function between the second and penultimate hidden layer and the Adam Optimizer [kingma2014adam] to iteratively optimize the value of weight matrices and bias vectors . The batch size and learning rate for training was 256 and
respectively and 2000 training epochs were used. Training and testing of the autoencoder was conducted using
tensorflow on the Google Colab environment using the GPU option.IvB Creating attack scenarios
We develop feasible FDIAs from the perspective of the adversaries. To gain economic profit, attackers inject false data into the grid by using the acquired knowledge of the targeted power system. In the context of this paper, this knowledge is represented by the incidence matrix (topology) and the reactance matrix of the transmission lines. Moreover, we assume some meters are strictly protected, and an attack cannot manipulate infinite measurements, thus the capacity of an attacker is limited by the attackable measurement set [liu2011false] and the maximum number of the measurements that the attacker can corrupt simultaneously.
In the following, we quantify the factors described above. According to the attack capacity, the adversary selects a set of attacked loads . The attacker then determines the change rate of each selected load and calculates the total load change , in which equals the change of each load. Similarly, the attack selects a set of attacked generators . Next, the attack determines ratios of the power generating’s change amount and normalizes the ratios to get the power generations’ change . Here represents the cardinality of .
(9a)  
All load changes and generation changes , together with zeros that denote buses with unchanged injection make up the power injection change vector . Besides, similar to (2), the attacker then utilizes the knowledge of the topology and grid parameters to coordinately calculate power flows change vector .  
(9b) 
Afterwards, the attack vector consists of the change vector of loads, power generations and line power flows.
The FDIA manipulates the original data of loads, power generations and line power flows. The pattern of the corrupted data may deviate from that of normal operating conditions, which enables it to be detected by the autoencoder if the reconstruction error exceeds .
IvC Loadtargeted attack for economic profit
IvC1 Detection effectiveness validation
We first validate the effectiveness of the trained detector. In this experiment, we observe the change of the reconstruction error before and after a false data injection attack and compare it with the threshold . A common scenario for an attack happens when the adversary gets the data of a local area and utilizes it to manipulate the neighboring measurements. Here, we select 12 hours’ operating data from 9:00 to 20:00 on December 31st, 2017 as an example. Assuming the attacker gets the three loads’ profile of bus 108, 109, 110, at 14:00, to gain economic profit, an attack is launched by injecting false data to decrease the power demand of the loads by 10 as , and respectively. Accordingly, to balance the power of loads and generations, the attacker decreases the nearby power injection of two generators connected to bus number 110 and 111 with the ratio . Based on (9b), the corresponding transmission line power flows are obtained. The experiment result is depicted in Fig. 3.
From the result, we can observe that before the attack, the reconstruction error of normal operating data is in the range of and , and they are lower than the threshold learned in the training process shown in the subsection B of Section III. To be specific, after observing the reconstruction error distribution of the validation data, the threshold is set as percentile due to the occurrence of the ‘inflection point’ where the cumulative distribution curve of the reconstruction error flattens out from the steep rise. After manipulation by the false data injection, the reconstruction error at 14:00 increases from to , which exceeds the threshold and triggers an alarm. The detector thus recognizes an anomaly in the corrupted measurements, which deviate from measurements taken in normal operating conditions. This result demonstrates that the autoencoder is capable of FDIA detection in at least some scenarios.
IvC2 General detection performance
In addition to the oneoff effectiveness demonstrated above, we are also interested in its statistical detection performance. This is tested by launching a larger number of FDIAs at various times and with various false load data injection magnitudes. Here the magnitude is defined as the percentage of load reduction in targeted nodes. For the sake of comparison, the attack targets remained the same as these utilized in the last experiment. In this experiment, we launch an attack at 2:00, 14:00 and 21:00 in each day of 2017 by reducing reported loads between 1 to 30 and observing the detection performance. The detection probability is the ratio of detected attacks to all the launched attacks, namely the true positive rate. The results are shown in Fig. 4.
Because the load demands at 2:00, 14:00 and 21:00 differ significantly, the resulting power system states (including flows) are also substantially different. However, the result shows, under the same false load injection magnitude, the detection probabilities differ only slightly. This demonstrates that the autoencoder learns the intrinsic relationship of the loads, power generations and power flows from different operating conditions, leading to robust detection results.
In addition, we launch 8760 attacks, one for each hour of 2017, by decreasing the power demand of the same buses by 15. Besides, we use the hourly normal operating data in 2017 as a control group. The result is shown in Table I.
Normal Data  Attack Data  

True Negative  True Positive  (8199)  
False Positive  (307)  False Negetive  (561) 
From the experiment result, we can find that the detection probability (true positive rate) is 93.6, which denotes a satisfactory detection performance. As mentioned in the first experiment, the threshold was used, corresponding to a 3% misclassification rate in the validation set. It is worth noting that the false positive rate is comparable to the 3.5 observed in Table I. This result suggests that the autoencoder has a good generalization capability and does not overfit.
IvC3 Detection performance comparison
In the above experiments, our proposed autoencoderbased detector has succeeded in generating a diagnosis signal in the presence of FDIAs which can keep stealthy from the viewpoint of BDD. In the second experiment, we compare our detector with BDD in detection of ‘unstealthy’ FDIAs. Such attacks have the possibility to be detected by the BDD while the detectability is intimately related to the topology or parameter errors in the construction of FDIAs by the attacker. Thus in what follows there exist knowledge deviations in the system model acquired by the attacker in computing the attack vector of (9). In particular, we explore the case that the attacker knows the exact topology of the network but inaccurate line reactance in (1). This can be described by
(10) 
where is the identity matrix and is a diagonal matrix whose elements denote the reactance deviation ratio  which we will refer to as the knowledge deviation ratio. In this experiment, we range the magnitude of the deviations from to , with randomly sampled signs for each element. According to the explanation of (2), this will lead to an erroneous distribution factor matrix and thus obtain inaccurate power flow values. We keep the attack target unchanged from the previous experiments and set the false load data injection magnitude on the selected three loads by decreasing them by 15. The results are shown in Fig. 5. As the level of knowledge deviation increases from 1 to 20, the detection probability of BDD rises from 0.038 to 0.548, but it remains lower than the detection performance of the autoencoder.
V Conclusion
In this paper, we propose an FDIA detection mechanism based on an autoencoder neural network. The main contribution is that, distinct from existing approaches, the approach learns the internal dependency of ‘normal’ operation data, which avoids the need for gathering or generating attack data for training the classifiers and thus effectively overcomes the inherent unbalanced training data set challenge in power system. The results demonstrate that the mechanism is able to robustly detect stealthy FDIAs. Moreover, it still outperforms a BDD scheme when the attacker has only approximate knowledge of the network parameters.
In future work, we aim to investigate applications to larger system and systems with additional nonlinearities (e.g. AC power flow). Also, the performance of different autoencoder topologies will be compared.
Comments
There are no comments yet.