Recommended articles：

Global Energy Interconnection
Volume 4, Issue 2, Apr 2021, Pages 184192
Dynamic loadaltering attack detection based on adaptive fading Kalman filter in power systems
Keywords
Abstract
This paper presents an effective and feasible method for detecting dynamic loadaltering attacks (DLAAs) in a smart grid.First, a smart grid discrete system model is established in view of DLAAs.Second, an adaptive fading Kalman filter (AFKF) is designed for estimating the state of the smart grid.The AFKF can completely filter out the Gaussian noise of the power system, and obtain a more accurate state change curve (including consideration of the attack).A Euclidean distance ratio detection algorithm based on the AFKF is proposed for detecting DLAAs.Amplifying imperceptible DLAAs through the new Euclidean distance ratio improves the DLAA detection sensitivity, especially for very weak DLAA attacks.Finally, the feasibility and effectiveness of the Euclidean distance ratio detection algorithm are verified based on simulations.
0 Introduction
Owing to the development of artificial intelligence and improvements living standards, people have increasingly higher requirements for power quality.In this context, smart grids have emerged.A smart grid combines a traditional power system with smart technology.It collects data and information and combines it with power equipment to monitor and control a power system in real time [1].The smart grid power transmission process can be divided into power generation, power transmission, distribution, power consumption, dispatch, and communication [2].With improvements in science and technology, power systems have become increasingly complex.The modern power system is a typical cyberphysical system.Today, with the rapid development of cyberphysical systems, power cyberphysical systems must keep pace with the times, and continuously improve [3].Power systems are becoming increasingly complex, and combining a power system with smart devices can lead to security risks in any link [4], such as vulnerability to denialofservice attacks [5].There are many potential cyberattacks for smart grids, including those based on integrity tampering [6], availability jamming [7], replay, wormholes [8], false data injection, password pilfering, and masquerading [9].
A loadaltering attack (LAA) is a cyberphysical attack on the consumer side of a power system [10].A static LAA changes the load of the attacked load.A dynamic LAA (DLAA) not only changes the load of the attacked load, but also changes its trajectory [11].This article mainly focuses on a DLAA detection method for a smart grid.In [12], the principle and influence of the DLAA were analyzed.Based on optimizing the pole placement, a protection system was proposed to protect the power system from DLAAs.In [13], using smart meter data, a DLAA was analyzed from the perspective of the frequency domain, and a DLAA detection method was proposed.In [14], a robust slidingmode observer was designed for providing complete attack detection.However, the detection methods used in [13] and [14] required valid measurement data.When the measurement data contained random noise, the above methods were no longer practical.In contrast, the adaptive fading Kalman filter (AFKF)based detection method adopted in this study can filter noise and detect system attacks.Moreover, the method is more sensitive to weak and imperceptible attack signals.Existing studies have indicated that there are many difficulties in detecting DLAAs.Under these circumstances, we focus on a detection method for DLAAs.Based on the design of the AFKF, we focus on applying the AFKF to DLAA detection in a smart grid.The Kalman filter (KF) is a dynamic state estimator, and is optimal for providing linear system state estimations in the context of Gaussian noise.It is mainly used for target tracking, inertial navigation systems, and other fields.In recent years, it has been frequently used for power systems.The KF has many forms; these can be applied not only to linear systems, but also to nonlinear systems [15].In power systems, the KF is mainly used for parameter estimation and attack detection and has achieved good results, as described in [16] and [17].However, when a system modeling distortion leads to filter divergence, the AFKF (an improved filter based on KF) has strong robustness to the uncertainty of the system model, and can ensure the convergence of the filter [18].
Aiming at a power system with noise under a DLAA attack, we established a discrete mathematical model for the power system.An AFKF filter noise estimation state was designed, and a Euclidean distance ratio detection algorithm was proposed based on the AFKF design to detect DLAAs.Finally, simulation results were used to verify the feasibility of the detection algorithm, especially for DLAA attacks that are not easily detectable.The main contributions of this study are summarized as follows.
i) The power system linear continuous mathematical model is transformed into a discrete model, and the process noise covariance and observation noise covariance are considered.
ii) A new Euclidean distance ratio algorithm is proposed for detecting DLAAs using the AFKF, based on comparing the threshold and distance ratio.
Paper organization.Section 1 discusses the establishment of the smart grid system model and DLAA attack model.In Section 2, an AFKF is designed, and a new distance ratio detection algorithm is proposed based on the AFKF.Section 3 discusses the simulations performed in this study.Finally, in Section 4, the conclusions are drawn.
Notations.Rn represents an ndimensional real space.E[.] denotes a mathematical expectation.N a b( , ) represents a Gaussian distribution with a mean a and covariance b.
1 System model and problem setup
In this section, a discrete power system mathematical model and DLAA attack model are established, and a complete detection scheme is described.
1.1 Smart grid model
In the design, we consider a power system with n generator buses and m load buses, in which the generator buses are denoted as Ψ={g1 , g2, …, gn} and load buses are denoted as Φ={b1 , b 2 , …, bm}.Each generator bus connects to a single generator.We can establish the mathematical model for the linear continuous system of the power system as follows [12]:
In the above, δ(t R)∈ n is the voltage phase angle at all generator buses, ω(t R)∈ n represents the frequency deviation of the generator bus, θ(t R)∈ n is the voltage angle, and PL ( t ) represents the load power demand vector.The Laplace matrix is as follows:
KI and KP are diagonal matrices, the diagonal terms of which are the integral controller coefficient and proportional controller coefficient of the generator on the generator bus, respectively.M and D are the diagonal matrices of the inertia coefficient and damping coefficient of the generator, respectively, and I R∈ n is the identity matrix.
By eliminating the voltage angle variables, we can obtain a nonsingular state space expression for the power system, as follows:
1.2 Dynamic loadaltering attack (DLAA)
The classifications of the closedloop DLAA are shown in Fig.1.Fig.1(a) shows an openloop DLAA attack that relies on historical data to achieve the DLAA.Fig.1(b) and Fig.1(c) show a singlepoint closedloop DLAA and multipoint closedloop DLAA, respectively; these require realtime monitoring of the power system frequency through sensors to achieve the DLAA.In this study, we focus on detecting singlepoint and multipoint closedloop DLAAs.
Fig.1 Three examples of dynamic loadaltering attacks: a) openloop dynamic loadaltering attack (DLAA), b) singlepoint closedloop DLAA, c) multipoint closedloop DLAAs
The frequency feedback is obtained from the sensor bus s.Then, the attacker uses the frequency regulation to control the load power PLi [9].The DLAA sequence in load bus i is as follows:
Here, is the proportional gain of the attack controller.
We consider that the load at a load bus i ∈Φ is hacked by a closedloop D_LAA; ωs is the frequency deviation between the frequency of the sensor bus s and nominal value, and ∈Li is the vulnerable part of the load at bus i.Then, we can model the compromised power consumption level at bus i as follows:
In the above, PLi is the safe part of the load on bus i.The smart grid statespace model under attack becomes as follows:
Here, is the power system state vector, and f L(t) is the DLAA signal in the power system, whereThe system matrices and and it can be seen from (5) that the attacker can affect the stability of the system by adjusting its control matrix, affecting the system matrix and system poles.
Considering the information transmission, we can divide the power system into a physical layer and information layer, which are connected through a communication channel for transmitting communication data.In the field of communication, all of the data are discrete.Therefore, we can rewrite the above linear continuous system model into a discrete statespace model, as follows:
In the above, w ( k ) ～ N ( 0,Q) is the process Gaussian noise, and Q＞0 is a positive definite symmetrical matrix.
The discrete form of the DLAA model (4) is as follows:
The smart grid model under the DLAA can be rewritten as follows:
Here, can be obtained by discretization of an accurate linear timeinvariant system.T is the sampling period,y (k) is the measurement output vector, H is the output matrix, is the measurement noise, R ＞0 is a positive definite symmetrical matrix, and w (k) and v ( k) are independent of each other.
1.3 Scheme summary
The detection scheme used in this study is illustrated in Fig.2.After establishing the mathematical model for the power system, an AFKF was designed to filter the noise and estimate the system state.Finally, based on the AFKF, an Euclidean distance ratio detection algorithm was proposed for detecting DLAAs.
2 DLAA detection
Fig.2 DLAA detection scheme (AFKF: adaptive fading Kalman filter)
This section is divided into two parts: the design of the AFKF and the Euclidean distance ratio detection algorithm based on the AFKF.
2.1 Adaptive fading Kalman filter (AFKF) design method
Even if the system model is not very accurate, the AFKF can maintain the filter convergence.A DLAA affects the stability of the system by influencing the control matrix; this can be explained to a certain extent based on its effects on the system model.Therefore, the AFKF can be used to estimate the system state more accurately.
The measurement output vector y(k) is the filter input, and the calculation process for the AFKF is as follows:
In the above, is the a priori estimation.and is the posterior estimation.x0 is the initial state, where independent of w(k) and v(k).Here, ε(k) is the innovation sequence.It expresses the deviation between the measurement and predicted position.Q(k) is the covariance of w(k) at k, and R(k) is the covariance of v (k) at k.P (kk1) and P(k) are the predicted covariance and estimated covariance, respectively.η(k)≥1 is the adaptive suboptimal fading factor.K(k) is the filter gain.P0 is the initial value of P(k), and
When the KF is working, the parameter error of the system has a greater impact on its performance.This may lead to a decrease in the performance of the KF, and may even cause nonconvergence in the calculation process.The values of the parameters x0, Q, and R in this study are approximate values, which may cause the Kalman filter to work abnormally.Adding a fading factor of η can ensure the convergence of the Kalman filter, and compensate for the adverse effects caused by inaccurate parameters.
The convergence criterion for the AFKF is as follows: The value of η(k) is updated only when the AFKF does not converge.Based on [19][20], by minimizing the defined criterion function, we can obtain the selection method for η(k), as follows:
After adding the forgetting factor (which is larger than 1), the weight of the measured data at time k is enhanced.In the iteration in the KF algorithm, the forgetting factor outweighs the influence of the most recent measurement at each time step, and correspondingly fades the memory of the past data.Accordingly, the cumulative error caused by the model parameter errors is avoided.
2.2 DLAA detection algorithm
In the process of using the AFKF to estimate the system state, based on the designed system model, we can predict the current state based on the state estimate at the previous moment, so as to obtain the current moment state prediction value Assuming that the system is safe and reliable before time k, we denote the deviation between the estimated state vector and predicted vector at k as e (k), which is determined as follows:
Similarly, we define the deviation of the state estimation vector and state prediction vector at k1 as follows:
As the 2norm of a vector is also called the Euclidean distance, we define the Euclidean distance of e (k) at k as γ(k), which is determined as follows:
Similarly, the Euclidean distance of e (k1)is as follows:
In this section, we define the Euclidean distance ratio at k as follows:
If Q and R take fixed values, after the AFKF converges to a steady state, P and K will reach the steadystate values and the value of the suboptimal fading factor η(k) will not be updated.Thus, e (k) converges, and Even if there is a deviation between e ( k) and e ( k1), the deviation will be within a small range, and we can choose a reasonable threshold rth.When the power system is operating normally, the Euclidean distance ratio does not exceed this threshold.
If the power system is attacked by DLAA at k, then the corresponding calculations are as follows:
In the above,f L( k) is the DLAA vector.The Euclidean distance of e L( k ) at time k is expressed as follows:
The Euclidean distance ratio of the attack with DLAA at k becomes as follows:
At this point, the value of rL ( k ) will be significantly greater than rth.
When the Euclidean distance ratio r (k) is greater than the threshold rL ( k ), it is considered that the power system is under attack, and the alarm device is activated.
Owing to the particularity of the power system, when the power system is operating normally, the state of the power system will not change suddenly.This causes the threshold to be a within a small (limited) range of values when the system is operating normally.Because the KF reaches a steady state and converges, the relevant parameters of the filter are fixed constants, and the state estimation error converges, i.e., e (k )≈e ( k1).It can be seen that the threshold is close to 1, and we can choose a threshold close to 1.In the actual application process, appropriate adjustments can be made based on experience.
3 Simulation example
In this section, we consider a smart grid system with three generators and six buses as an example for determining the system parameters and initial values of the filters.Different methods were used to inject closedloop DLAAs into the smart grid, and to verify the effectiveness of the detection algorithm through simulations.
3.1 DLAA detection algorithm
First, for the continuous linear system mathematical model of the system with three generators and six buses, for all load buses i ∈Φ, it was considered that PLi =1 p. u .In addition, the other system parameters of the smart grid were taken from [12].The discrete sampling time T was set to 0.001, the mathematical model of the above linear continuous system was discretized, and the relevant parameters of the discrete mathematical model for the system were determined as follows:
In the above, w (k) and v (k) are random numbers with a mean value of 0 and amplitude of 0 0.0001.After adjusting Q and R, Q and R were selected as follows:
The initial values of the filter and smart grid system were set as follows: x0 = [ 0.045; 0.058; 0.07; 0.002;0.1;0.01]; η0 =1.At the same time, we selected the threshold as rth =1.2.Assuming that the loads on load buses 5 and 6 were controllable and vulnerable, we used different methods to inject closedloop DLAAs into the smart grid system, and verified the effectiveness of the detection algorithm through simulations.
3.2 DLAA detection
As discussed in this section, we injected closedloop DLAAs into load buses 5 and 6 of the smart grid, and verified the effectiveness of the previous detection algorithm based on the simulation results.It one example, it was assumed that the attacker installed the sensor on bus s = 1; the attack parameters on load buses 5 and 6 are listed in Table 1.
Table 1 Closedloop dynamic loadaltering attack (DLAA) parameters and start time
Attack case Victim load Start time and DLAA parameters Case 1 5 t=3s: f p u 5 1 L =+3 0.01( .)ω t=6s: f p u 5 1 L =+5 0.06( .)ω Case 2 5, 6 t=3s: f p u 5 1 L =+5 0.06( .)ω t=6s: f p u 6 1 L =+2 0.1( .)ω
3.2.1 Case 1: Singlepoint closedloop DLAA detection
In this case, it was considered that only the load on load bus 5 was attacked.We began to inject a closedloop into load bus 5 at t = 3 s, and changed the attack parameter toat t = 6 s.The simulation results are presented in.Fig.3 and Fig.4.
Fig.3 Simulation result for smart grid under singlepoint closedloop DLAA
Fig.3(a) shows the change curve of load 5 under the DLAA for different amplitudes of attack parameters.Fig.3(b) shows the system frequency measured values and AFKF estimated values of the smart grid under the singlepoint closedloop DLAA.The AFKF estimate accurately reflects the frequency fluctuations of the smart grid under the DLAA.From the simulation results, it can be determined that when the smart grid is attacked by a singlepoint closedloop DLAA, the greater the attack parameter value, the greater the load overshoot and system frequency fluctuation.
Fig.4 Detection result for singlepoint closedloop DLAA
The detection results for the singlepoint closedloop DLAA are shown in Fig.4.The Euclidean distance ratios are 1.7735 and 18.4013 at t = 3.001 s and t = 6.001 s, respectively, far exceeding the threshold of 1.2.The greater the attack parameter value, the greater the Euclidean distance ratio.When the attacker injects the DLAA attack into the smart grid, the Euclidean distance ratio always exceeds the threshold, thereby activating the alarm device.
3.2.2 Case 2: Multipoint closedloop DLAAs detection
In this case, it was considered that the loads on the load bus 5 and 6 were attacked.We began to inject closedloop into load bus 5 and 6 at t = 3 s and t = 6 s, respectively.The simulation results are shown in Fig.5 and Fig.6.
Fig.5 Simulation result for smart grid under multipoint closedloop DLAAs
Fig.5(a) shows the load changes of the load buses 5 and 6 under the multipoint closedloop DLAAs, and Fig.5(b) shows the frequency change in the AFKFestimated values for the smart grid under the multipoint closedloop DLAAs.From the simulation results, it can be determined that when the smart grid is attacked by multipoint closedloop DLAAs, every time, the attacked load variation and system frequency will both produce overshoots; nevertheless, the system can quickly return itself to normal.However, as the number of attacked loads increases, the overshoot will become larger.
The detection results for the multipoint closedloop DLAAs are shown in Fig.6.The Euclidean distance ratios are 10.2325 and 1.7027 at t = 3.001 s and t = 6.001 s, respectively, far exceeding the threshold of 1.2.Thus, the system automatically activates the alarm, every time.
Fig.6 Detection results for multipoint closedloop DLAAs
4 Conclusion
The greater the load attacked in the smart grid, the greater the impact of the closedloop DLAA on the system.The detection algorithm proposed in this study, based on the AFKF, can detect an attack in time when a DLAA is injected.In many cases, DLAA attacks lead to system state changes that are not evident; nevertheless, the proposed Euclidean distance ratio algorithm can still detect them.The larger the attack parameters, the larger the distance ratio.We can estimate the attack condition of the system according to the change in the distance ratio.
Acknowledgements
This work was supported by the Science and Technology Project of the State Grid Shandong Electric Power Company: Research on the vulnerability and prevention of the electrical cyberphysical monitoring system based on interdependent networks; the National Natural Science Foundation of China (61873057); and the Education Department of Jilin Province (JJKH20200118KJ).
Declaration of Competing Interest
We declare that we have no conflict of interest.
References

[1]
Muhammed ZG, Das R (2020) Cybersecurity on smart grid: Threats and potential solutions.Computer Networks, 169:107094 [百度学术]

[2]
Zakaria EM, Naima K, Hassan EG, et al (2018) Cybersecurity in smart grid: Survey and challenges.Computers & Electrical Engineering, page S0045790617313423 [百度学术]

[3]
Wang HZ, Ruang JQ, Zhou B, et al (2019) Dynamic data injection attack detection of cyber physical power systems with uncertainties.IEEE transactions on industrial informatics / a publication of the IEEE Industrial Electronics Society [百度学术]

[4]
Gunduz MZ, Das R (2018) A comparison of cybersecurityoriented testbeds for iotbased smart grids.In: Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS) general meeting [百度学术]

[5]
Liu J, Xiao Y, Li S, et al (2012) Cyber security and privacy issues in smart grids.IEEE Communications Surveys & Tutorials, 14(4):981997 [百度学术]

[6]
Gunduz MZ, Das R (2018) Analysis of cyberattacks on smart grid applications.In: Proceedings of the 2018 International Conference on Artificial Intelligence and Data Processing (IDAP), 2018 [百度学术]

[7]
Lopez C, Sargolzaei A, Santana H, et al (2015) Smart grid cyber security: An overview of threats and countermeasures.Journal of Power and Energy Engineering, 9(007):632647 [百度学术]

[8]
Procopiou A, Komninos N (2016) Current and future threats framework in smart grid domain.In: Proceedings of the Annual IEEE International Conference on Cyber Technology in Automation, Control, and Intelligent Systems [百度学术]

[9]
Yang Y, Littler T, Sezer S, et al (2012) Impact of cybersecurity issues on smart grid.In: Proceedings of the 2011 2nd IEEE PES International Conference and Exhibition on Innovative Smart Grid Technologies, 2012 [百度学术]

[10]
Yankson S, Ghamkhari M (2019) Transactive energy to guard against a zeroday load altering attack on power distribution systems.In: Proceedings of the IEEE International Conference on Smart Energy Grid Engineering, 2019 [百度学术]

[11]
Amini S, Pasqualetti F, MohsenianRad H (2016) Dynamic load altering attacks against power system stability: Attack models and protection schemes.IEEE Transactions on Smart Grid, PP (99):11 [百度学术]

[12]
Amini S, MohsenianRad H, Pasqualetti F (2015) Dynamic load altering attacks in smart grid.In 2015 IEEE Power Energy Society Innovative Smart Grid Technologies Conference (ISGT), pages 15, 2015 [百度学术]

[13]
Amini S, Pasqualetti S, MohsenianRad H (2015) Detecting dynamic load altering attacks: A datadriven timefrequency analysis.In 2015 IEEE International Conference on Smart Grid Communications (Smart Grid Comm), pages 503508, 2015 [百度学术]

[14]
Su QY, Li SQ, Gao YC, et al (2021) Observerbased detection and reconstruction of dynamic load altering attack in smart grid, Journal of the Franklin Institute,2021.02.008 [百度学术]

[15]
Ren P, LevAri H, Abur A (2016) Robust continuousdiscrete extended Kalman filter for estimating machine states with model uncertainties.In: Proceedings of the Power Systems Computation Conference, 2016 [百度学术]

[16]
Rouhani A, Ali A (2018) Constrained iterated unscented Kalman filter for dynamic state and parameter estimation.IEEE Transactions on Power Systems, 33(99):24042414 [百度学术]

[17]
Hadis K, Henry L (2010) Relaxationbased anomaly detection in cyberphysical systems using ensemble Kalman filter.IET CyberPhysical Systems: Theory & Applications, 5(1):4958 [百度学术]

[18]
Zhao YF, Xu J, Wang X, et al (2018) The adaptive fading extended Kalman filter soc estimation method for lithiumion batteries.Energy Procedia, 145:357362 [百度学术]

[19]
Xia QJ, Rao M, Ying YQ, et al (1994) Adaptive fading Kalman filter with an application.Automatica, 30(8):13331338 [百度学术]

[20]
Ding WD, Wang JL, Chris R, et al (2007) Improving adaptive Kalman estimation in gps/ins integration.Journal of Navigation, 60(3):517529 [百度学术]
Fund Information
supported by the Science and Technology Project of the State Grid Shandong Electric Power Company: Research on the vulnerability and prevention of the electrical cyberphysical monitoring system based on interdependent networks； the National Natural Science Foundation of China (61873057)； the Education Department of Jilin Province (JJKH20200118KJ)；
supported by the Science and Technology Project of the State Grid Shandong Electric Power Company: Research on the vulnerability and prevention of the electrical cyberphysical monitoring system based on interdependent networks； the National Natural Science Foundation of China (61873057)； the Education Department of Jilin Province (JJKH20200118KJ)；