Identification and Correction of False Data Injection Attacks against AC State Estimation using Deep Learning

08/04/2020 ∙ by Fayha ALmutairy, et al. ∙ The University of Vermont


I Abstract

New advances in technology have greatly improved the monitoring and controlling of power networks, but these advances leave the system open to cyber attacks. One common attack is known as the False Data Injection Attack (FDIA), which poses serious threats to the operation and control of power grids. Hence, recent literature has proposed various detection and identification methods for FDIAs, but few studies have focused on a solution that would prevent such attacks from occurring. However, great strides have been made using deep learning to detect attacks. Inspired by these advancements, we have developed a new methodology for not only identifying AC FDIAs but, more importantly, for correction as well. Our methodology utilizes a Long-Short Term Memory Denoising Autoencoder (LSTM-DAE) to correct attacked-estimated states based on the attacked measurements. The method was evaluated using the IEEE 30 system, and the experiments demonstrated that the proposed method was successfully able to identify the corrupted states and correct them with high accuracy.

II Introduction

Power systems and power grid networks are critical components in our modern-day electrical infrastructure [12]. As such, ensuring both the physical and cyber security of these systems is of utmost importance. The use of information technology in power systems offers various benefits, such as improved monitoring and controlling capability and the integration of renewable energy sources. But with these advantages come new risks. In recent years, cyber threats have been recognized as the most significant and dangerous threats to our power systems as a result of the increased dependency on information technology [14].

State estimation is an important power system application used to estimate the state of power transmission networks through a set of sensor measurements and network topology information [5]. The state estimator collects data about sensor measurements from the Supervisory Control and Data Acquisition (SCADA) system, including information about bus voltages, active and reactive power injection at each bus, and power flow in branches [2]. It also removes all noise and error [12] and estimates the state of the power network [5]. These estimations are then used by network operators to ensure that the power grid is running in the desired states, allowing them to take corrective control actions if needed, and plan for any emergencies [5] [22].

One of the most serious types of attacks on state estimation is a new one: False Data Injection Attacks (FDIAs). These attacks target the state estimation of the power grid by tampering with the data that are transmitted through communication lines [1] [17]. FDIAs occur when an attacker introduces incorrect data or measurements into the system, which will reduce the control the system’s operator has over the system, thus altering the state of the system [2]. They pose serious threats to the operations and control of power systems as they can evade the existing bad data detection (BDD) systems [4]. In addition, FDIAs can affect deregulated energy markets and result in severe economic losses [12].

To address FDIAs, protection-based strategies and detection-based strategies for defending the power systems have been proposed in the literature [2]. Multiple detection-based methods have been proposed. The most advanced methods use deep learning approaches such as Convolutional Deep Belief Network (CDBN) in [8], Recurrent Neural Network (RNN) in [2], Deep Neural Network (DNN) in [1], and Convolutional Neural Network (CNN) and Long-Short Term Memory (LSTM) in [13][4] to address the problem. While substantial progress has been made in FDIAs detection, the complexity of the problem continues to present challenges to those in the power systems community. [12] uses a statistical approach to address FDIAs, correcting measurements before feeding them to the state estimator. One limitation of this method is the challenge of being scalable as it involves a complicated threshold scheme that would need to be applied to each scenario to detect the attack. Nevertheless, the scarcity of studies that have attempted to go a step further beyond attack detection and correct the errors resulting from FDIAs makes this field a promising one for future research [7].

Inspired by the significant success of deep learning (DL) methods in detecting attacks, in this paper, we present a new methodology for AC FDIAs identification and correction using DL to both identify and correct attacked measurements. With this method, we introduce the LSTM Denoising Autoencoder (LSTM-DAE) to reconstruct the signal such that it detects the anomaly and can then return it to its normal state. The new correction method was evaluated using the IEEE 30 system, and the experiments showed that the proposed method was successfully able to identify the corrupted states and correct them with high accuracy.

The remainder of this paper is organized as follows: Section II provides an overview of the state estimation process used in control centers and the false data injection attacks. Section III introduces the methodology of attack identification and correction using the LSTM-DAE. Section IV presents the case study, while Section V shows the simulation results of the case study with a brief discussion of the efficiency of the method used. Conclusions and suggestions for future work are presented in Section VI.

III Brief summary of State Estimation and FDIAs

III-A State Estimation

State estimation is a power system application used to estimate the state of power transmission networks through a set of sensor measurements and network topology information [5]. Network operators use the estimations of the current state to ensure that the power grid is running in the desired states, take corrective control actions, if needed, and plan for any emergencies [5] [22].

There are two types of state estimation based on the power flow models of the network, namely DC and AC state estimations. A DC state estimation is a linear state estimation that is considered as a simplified version of the more complex AC or nonlinear state estimation. The major differences between DC and AC state estimations are: 1) in the DC state estimation, the solution is obtained in a closed form, while in the AC state estimation, it is obtained through iteration; 2) DC state estimation is based on active power flow analysis while the AC state estimation is based on reactive power flow analysis; and 3) in the DC state estimation, the only variables are the voltage phase angles, however, in the AC state estimation both the voltage phase angles and magnitudes are system variables [19].

For DC state estimation, the relationship between the network’s measurement and its state can be expressed by the following equation [5]:

(1)

where is the sensor measurements, is the true states of the system, is the Jacobian matrix where

is a vector of m linear functions linking measurement to states, and

is the random errors in the measurement.

Since the DC model is a linear estimation of the network state, then the estimated system state can be expressed as:

(2)

Where W is a diagonal matrix that consists of the measurement weights. As for the AC state estimation, since the power flows are nonlinearly dependent, the relationship between the network’s measurement and its state can be expressed by the following equation [10]:

(3)

where is a function vector that establishes the relationships between measured values and state variables. Consequently, the estimated state variables are determined from the following optimization function:

(4)
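The DC estimator and the residual-based bad data check that consumes its output, as an added example (not code from the paper). The 3-bus network, reactances, meter noise and the symbols H, W and z are assumptions of this example; it shows a gross meter error tripping the chi-square test, which is the check that FDIAs are described as evading.

```python
# Constructed 3-bus DC network; bus 1 is the angle reference (theta1 = 0).
# States x = [theta2, theta3]; measurements z = [P12, P13, P23, P2, P3] in p.u.
X12, X13, X23 = 0.10, 0.20, 0.25      # line reactances (constructed values)
H = [
    [-1 / X12, 0.0],                   # flow P12 = (theta1 - theta2) / x12
    [0.0, -1 / X13],                   # flow P13 = (theta1 - theta3) / x13
    [1 / X23, -1 / X23],               # flow P23 = (theta2 - theta3) / x23
    [1 / X12 + 1 / X23, -1 / X23],     # injection P2 = P21 + P23
    [-1 / X23, 1 / X13 + 1 / X23],     # injection P3 = P31 + P32
]
SIGMA = 0.01          # assumed meter standard deviation; W = diag(1 / sigma^2)
CHI2_95_DF3 = 7.815   # chi-square 95% quantile for m - n = 5 - 2 = 3 d.o.f.


def measure(x):
    """Noise-free measurement model z = H x."""
    return [h1 * x[0] + h2 * x[1] for h1, h2 in H]


def wls_estimate(z, weights):
    """Closed-form DC estimate x_hat = (H^T W H)^-1 H^T W z for two states."""
    g11 = sum(w * h1 * h1 for w, (h1, _) in zip(weights, H))
    g12 = sum(w * h1 * h2 for w, (h1, h2) in zip(weights, H))
    g22 = sum(w * h2 * h2 for w, (_, h2) in zip(weights, H))
    b1 = sum(w * h1 * zi for w, (h1, _), zi in zip(weights, H, z))
    b2 = sum(w * h2 * zi for w, (_, h2), zi in zip(weights, H, z))
    det = g11 * g22 - g12 * g12
    if abs(det) < 1e-12:
        raise ValueError("gain matrix is singular: network not observable")
    return [(g22 * b1 - g12 * b2) / det, (g11 * b2 - g12 * b1) / det]


def bad_data_check(z, sigma=SIGMA):
    """Return (x_hat, J, flagged): J is the weighted residual sum of squares
    and flagged is True when J exceeds the chi-square threshold."""
    weights = [1.0 / sigma ** 2] * len(z)
    x_hat = wls_estimate(z, weights)
    residuals = [zi - hi for zi, hi in zip(z, measure(x_hat))]
    j = sum(w * r * r for w, r in zip(weights, residuals))
    return x_hat, j, j > CHI2_95_DF3


TRUE_STATE = [-0.02, -0.05]                       # constructed angles (rad)
NOISE = [0.004, -0.006, 0.003, -0.005, 0.002]     # constructed meter noise


def bdd_demo():
    """Run the check on a healthy measurement set and on one with a faulty meter."""
    clean = [zi + n for zi, n in zip(measure(TRUE_STATE), NOISE)]
    faulty = list(clean)
    faulty[1] += 0.5                              # gross error on meter P13
    return bad_data_check(clean), bad_data_check(faulty)


if __name__ == "__main__":
    for x_hat, j, flagged in bdd_demo():
        print([round(v, 4) for v in x_hat], round(j, 2), flagged)
```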

III-B FDIAs

False data injection attacks can be defined as those in which an attacker changes the sensor’s measurements, which in turn changes the estimated value of the state variables without being flagged by the state estimator’s bad measurement detection algorithms. FDIAs can be either random or targeted [5]. In random attacks, the attacker injects arbitrary errors into the estimates of state variables while in targeted attacks, specific errors are injected into the estimates of specific state variables. A more significant categorization, however, is based on the extent of the knowledge that the attacker has about the network prior to launching the attack. As such, FDIAs can be either complete or incomplete.

As the name suggests, with complete FDIAs, the attacker has complete knowledge of the power network’s topology and transmission-line admittance values, allowing him or her to design a false data injection attack vector [18]. This type of attack is rare since the attacker is operating with limited resources and restricted physical access to the power grid. Incomplete attacks, the most common type, occur when the attacker does not possess complete knowledge about the network’s parameters and design [15]. For more information on complete and incomplete attacks see [23].

In this research, we deal with complete attacks, assuming that the attacker has the full knowledge required to carry out the attack. The attacker’s full knowledge makes detection of the attack more difficult.

IV The Proposed LSTM-DAE Method

Fig. 1: LSTM Denoising Autoencoder Architecture.
Fig. 2: The Proposed Identification and Correction scheme for FDIAs.

An autoencoder is, in general, a neural network trained to learn a high-level representation of data by reducing its dimensionality. It has two main parts: an encoder h = f(x) and a decoder r = g(h). While a vanilla autoencoder is only useful for compressing and decompressing data without losing useful information [3], the Denoising Autoencoder (DAE) [21], a special type of autoencoder, can also learn to remove noise from a corrupted input by recovering the original undistorted input. The DAE gives a better representation than the other autoencoder types because the network learns a higher-level representation that is relatively robust to noise.

In this research, we aim to correct data affected by FDIAs. Inspired by the DAE and due to the sequential nature of the data, we are proposing a special type of RNN Autoencoder, namely, LSTM-DAE, to correct data after FDIA.

To do so, instead of feeding the original input , we feed a noisy corrupted version of it

, which is, in our case, the attacked states. Then, the loss function in that case is

L(x,g(f())) as the reconstructed version of the original input is computed from the corrupted input .

LSTM, on the other hand, is a modified version of vanilla RNN, called gated RNN, which takes advantage of the sequential information to estimate the output [20], while having the ability to preserve long-term memory relations [9]. This is done by having three different types of gates, which are forget gate, input gate, and output gate. When they are combined together, the LSTM can be trained without worrying about losing information from the long-term memory or not capturing all the available information from the short-term memory. Adding all this together, the proposed model consists of DAE stacking multiple layers of LSTM, where the input is a corrupted version of the data (Attack), and the output is the correct version of it (Normal).

The architecture is composed of three main parts: the encoder and the decoder, with a bridge between them. The first part, the encoder, consists of three elements: the input sample and two LSTM layers. The input sample is a matrix whose dimensions are the timestep window w and the number of states. The first LSTM layer of the encoder consists of 128 units, and the Rectified Linear Unit (ReLU) is used as the activation function because it is the state-of-the-art activation function that can capture complex relations between the input and the output [16]. The second LSTM layer of the encoder consists of 64 units, also with a ReLU activation function.

Following that, the bridge between the encoder and the decoder is represented by a Repeat Vector layer to reshape the output of the second LSTM layer in the encoder part so it can be fed into the first LSTM layer in the decoder part. This is achieved by repeating the output of the second LSTM layer in the encoder a number of times equal to the window size, which is 5 in this case.

For the decoder part, it starts with an LSTM layer with 128 units and a ReLU function as the activation function. This is followed by a Dense layer, which is a normal Neural Network, but it is wrapped in a Time Distributed layer to apply the Dense layer to every temporal slice of the input of the layer. Finally, the output of the Dense layer is the corrected states after training. The flow of the architecture can be seen in Figure 1.

Our system works by correcting the samples online, such that the corrected sample is fed back to the states’ queue in order to correct the next attacked state. Thus, the step window w which represents the input of the model is divided into normal samples () and an attacked sample (). To ensure that the model is immune to the noise coming from the corrected sample, Additive White Gaussian Noise (AWGN) is added to the states in the normal samples while training. This will guarantee that our system can handle the noise generated from the correction process.

Our system assumes a perfect FDIAs detection; thus, our proposed model focuses on identification and correction. Our system identifies the attacked states by processing the corrected states from the proposed system. A direct comparison is applied between the corrected and attacked states after applying thresholds for theta and voltage to identify the attacked states. If any state value exceeds these thresholds, that state is marked as an attacked state. The scheme of the process is illustrated in Figure 2.
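The online correction queue and the threshold identification described in the two paragraphs above, as an added example (not code from the paper). The state layout (30 angles followed by 30 magnitudes), both threshold values, the sample data and `median_corrector`, a stand-in for the trained LSTM-DAE, are assumptions of this example.

```python
from collections import deque
from statistics import median

N_BUS = 30      # IEEE 30-bus case: 30 angles + 30 magnitudes = 60 states
WINDOW = 5      # window size w reported on the page
# Assumptions, not from the page: states 0..29 are angles (theta) and 30..59
# are voltage magnitudes; the two threshold values are illustrative.
THETA_THRESHOLD = 0.01
VOLTAGE_THRESHOLD = 0.005


def median_corrector(window):
    """Hypothetical stand-in for the trained LSTM-DAE: rebuilds the last
    sample as the per-state median of the w-1 samples before it."""
    history = window[:-1]
    return [median(s[i] for s in history) for i in range(len(window[-1]))]


def identify(attacked, corrected):
    """Indices of states whose attacked-vs-corrected gap exceeds its threshold."""
    flagged = []
    for i, (a, c) in enumerate(zip(attacked, corrected)):
        limit = THETA_THRESHOLD if i < N_BUS else VOLTAGE_THRESHOLD
        if abs(a - c) > limit:
            flagged.append(i)
    return flagged


class OnlineCorrector:
    """Queue of the last w-1 trusted states. A sample the (assumed perfect)
    detector marks as attacked is corrected, and the corrected sample, not
    the attacked one, is pushed back into the queue."""

    def __init__(self, corrector, seed_states):
        if len(seed_states) != WINDOW - 1:
            raise ValueError("need w-1 trusted states to start the queue")
        self.corrector = corrector
        self.queue = deque((list(s) for s in seed_states), maxlen=WINDOW - 1)

    def step(self, estimate, alarm):
        estimate = list(estimate)
        if not alarm:
            self.queue.append(estimate)
            return estimate, []
        corrected = self.corrector(list(self.queue) + [estimate])
        self.queue.append(corrected)
        return corrected, identify(estimate, corrected)


def normal_state(t):
    """Constructed sample data: a slowly drifting 60-state vector."""
    angles = [-0.002 * i - 0.0001 * t for i in range(N_BUS)]
    magnitudes = [1.02 - 0.001 * i for i in range(N_BUS)]
    return angles + magnitudes


def online_demo():
    """Two consecutive attacked samples; returns (t, flagged, max_error)."""
    oc = OnlineCorrector(median_corrector, [normal_state(t) for t in range(4)])
    oc.step(normal_state(4), alarm=False)
    offsets = {5: {12: 0.05, 41: -0.02}, 6: {12: 0.05}}   # constructed
    results = []
    for t, offset in offsets.items():
        truth = normal_state(t)
        attacked = [v + offset.get(i, 0.0) for i, v in enumerate(truth)]
        corrected, flagged = oc.step(attacked, alarm=True)
        error = max(abs(c - v) for c, v in zip(corrected, truth))
        results.append((t, flagged, error))
    return results
```

The second attacked sample is corrected from a window that already contains the corrected first one, which is why the queue must tolerate its own reconstruction error.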

V Case Study

In this research, we validated our results on the IEEE-30 bus system using real-world load data found on the Independent Electricity System Operator (IESO) website [11]. Specifically, we trained our system on the data from 2002 to 2007 and tested it on the data from 2013 to 2015 to ensure that our system is not load dependent.

For FDIAs construction, we implemented the same methodology described in [23]. To train and evaluate our system, timesteps samples were sequentially sampled from the normal dataset, and the last sample in the window has been attacked such that it is not detected by the state estimator. Thus, samples are normal , and the last sample is the attacked state vector . Using this setup, 200,000 samples were constructed. We trained, evaluated, and tested our system with a ratio of 60/20/20, respectively.

For our experiments, we found that the best window size setting is 5. For the evaluation metric, we used the Root Mean Square Error (RMSE) to calculate the difference between the normal and the attacked values [6]. Other metrics were also tested, such as Mean Absolute Error (MAE) and Mean Square Error (MSE), but RMSE gave the most easily interpretable results.

All the results and simulations were conducted on Nvidia K-80 GPU along with 16 GB of RAM. The LSTM-DAE was constructed using Keras, which is a top-level library built on top of TensorFlow for a computational speed boost.

Fig. 3: Model Loss (RMSE)

The results showed that our model is capable of capturing the temporal-spatial behavior of the data. As shown in Figure 3, the loss of both the training and validation sets was monitored while training the model, and the results revealed that the RMSE was gradually decreasing until it reached less than 0.0013 on the validation data after 15 epochs. The RMSE reported on the testing set was 0.001 based on the best validation model. Then, to validate that the model was capable of reconstructing any attacked state, a random sample was taken from the test set and the normal, attacked, and the corrected states’ values were measured. This is visualized in Figure 4, as the attacked state number 42 was successfully reconstructed with high accuracy. Moreover, the RMSE values were calculated for all the 60 states to ensure once again that the model was capable of reconstructing any attacked state. The results in Figure 5 show that this was achieved as the maximum RMSE was less than 0.0025, which is very low.

Fig. 4: Reconstruction of a random sample for 5 random states
Fig. 5: RMSE values for all states

Finally, the difference between the actual states and the corrected one was calculated for all the states and timesteps in the test dataset. It was found that the maximum difference is less than 0.004, and most of the differences are between 0 and 0.002. In order to visualize this, a histogram graph was plotted in Figure 6.

Surprisingly, our model is capable of almost reconstructing the attacked states to their normal values with a very low reconstruction error rate. Based on the high reconstruction accuracy, we were able to identify the source of the attack with a simple threshold mechanism, which gave us 100 percent identification accuracy. We believe that our model has enough capacity to capture the behavior of the system in its steady-state given a real-world load on unseen load data. These very promising results have encouraged us to pursue research to model the state estimation itself using our approach.

Fig. 6: Histogram of the difference between actual and corrected states.

VI Conclusion

In this paper, we proposed a new FDIAs identification and correction method for AC state estimation. While some papers tackled the detection of FDIAs, little work has been done on identifying and correcting these attacks. The proposed method consists of an LSTM-DAE, which can capture the temporal-spatial dependencies. We validated our model on the IEEE 30-bus system using real-world load data. The results showed the model was able to identify the attacked states and correct them with high accuracy.

References

  • [1] M. Ashrafuzzaman, Y. Chakhchoukh, A. A. Jillepalli, P. T. Tosic, D. C. de Leon, F. T. Sheldon, and B. K. Johnson (2018-06) Detecting stealthy false data injection attacks in power grids using deep learning. In 2018 14th International Wireless Communications & Mobile Computing Conference (IWCMC), pp. 219–225. Cited by: §II, §II.
  • [2] A. Ayad, H. E. Z. Farag, A. Youssef, and E. F. El-Saadany (2018-12) Detection of false data injection attacks in smart grids using recurrent neural networks. In 2018 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT), pp. 1–5. Cited by: §II, §II, §II.
  • [3] P. Baldi (2012) Autoencoders, unsupervised learning, and deep architectures. Journal of Machine Learning Research-Proceedings Track 27, pp. 37–50. Cited by: §IV.
  • [4] S. Basumallik, S. Eftekharnejad, N. Davis, and JBrian. K. Johnson (2017-09) Impact of false data injection attacks on pmu-based state estimation. In 2017 North American Power Symposium (NAPS), pp. 1–6. Cited by: §II, §II.
  • [5] R. B. Bobba, K. M. Rogers, Q. Wang, H. Khurana, K. Nahrstedt, and T. J. Overbye (2010-04) Detecting false data injection attacks on dc state estimation. In 1st Workshop Secure Control Syst. (CPSWEEK), pp. 9. Cited by: §II, §III-A, §III-A, §III-B.
  • [6] T. Chai and R. R. Draxler (2014) Root mean square error (rmse) or mean absolute error (mae)?. Neural computation 7, pp. 1525–1534. Cited by: §V.
  • [7] Y. Guan and X. Ge (2018-03) Distributed attack detection and secure estimation of networked cyber-physical systems against false data injection attacks and jamming attacks. IEEE Transactions on Signal and Information Processing over Networks 4, pp. 48–59. Cited by: §II.
  • [8] Y. He, G. J. Mendis, and J. Wei (2017-09) Real-time detection of false data injection attacks in smart grid: a deep learning-based intelligent mechanism. IEEE Trans. Smart Grid 8, pp. 2505–2516. Cited by: §II.
  • [9] S. Hochreiter and J. Schmidhuber (1997) Long short term memory. Neural computation 9, pp. 1735–1780. Cited by: §IV.
  • [10] G. Hug and J. A. Giampapa (2012-09) Vulnerability assessment of ac state estimation with respect to false data injection cyber-attacks. IEEE Transactions on Smart Grid 3, pp. 1362–1370. Cited by: §III-A.
  • [11] IESO. http://www.ieso.ca/power-data/data-directory. Cited by: §V.
  • [12] K. Khanna, B. K. Panigrahi, and A. Joshi (2018-03) AI-based approach to identify compromised meters in data integrity attacks on smart grid. IET Generation, Transmission & Distribution 12, pp. 1052–1066. Cited by: §II, §II, §II, §II.
  • [13] X. N. J. Li and J. Sun (2018-08) Dynamic detection of false data injection attack in smart grid using deep learning. arXiv:1808.01094 [cs]. Cited by: §II.
  • [14] G. Liang, J. Zhao, F. Luo, S. R. Weller, and Z. Y. Dong (2017-07) A review of false data injection attacks against modern power systems. IEEE Transactions on Smart Grid 8, pp. 1630–1638. Cited by: §II.
  • [15] X. Liu, Z. Bao, D. Lu, and Z. Li (2015-07) Modeling of local false data injection attacks with reduced network information. IEEE Transactions on Smart Grid 6, pp. 1686–1696. Cited by: §III-B.
  • [16] V. Nair and G. E. Hinton (2010) Rectified linear units improve restricted boltzmann machines. ICML, pp. 8. Cited by: §IV.
  • [17] R. Nawaz, M. A. Shahid, I. M. Qureshi, and M. H. Mehmood (2018-04) Machine learning based false data injection in smart grid. In 2018 1st International Conference on Power, Energy and Smart Grid (ICPESG), pp. 1–6. Cited by: §II.
  • [18] Md. A. Rahman and H. Mohsenian-Rad (2012-12) False data injection attacks with incomplete information against smart power grids. In 2012 IEEE Global Communications Conference (GLOBECOM), pp. 3153–3158. Cited by: §III-B.
  • [19] Md. A. Rahman and H. Mohsenian-Rad (2013-12) False data injection attacks against nonlinear state estimation in smart power grids. In 2013 IEEE Power & Energy Society General Meeting, pp. 1–5. Cited by: §III-A.
  • [20] A. Sherstinsky (2018-11) Fundamentals of recurrent neural network (rnn) and long short-term memory (lstm) network. arXiv:1808.03314 [cs, stat]. Cited by: §IV.
  • [21] P. Vincent, H. Larochelle, Y. Bengio, and P. Manzagol (2008) Extracting and composing robust features with denoising autoencoders. In Proceedings of the 25th international conference on Machine learning - ICML ’08, pp. 1096–1103. Cited by: §IV.
  • [22] Q. Yang, J. Yang, W. Yu, D. An, N. Zhang, and W. Zhao (2014-03) On false data-injection attacks against power system state estimation: modeling and countermeasures. IEEE Transactions on Parallel and Distributed Systems 25, pp. 717–729. Cited by: §II, §III-A.
  • [23] J. J. Q. Yu, Y. Hou, and V. O. K. Li (2018-07) Online false data injection attack detection with wavelet transform and deep neural networks. IEEE Transactions on Industrial Informatics 14, pp. 3271–3280. Cited by: §III-B, §V.