Wavelet probability distribution mapping for detection and correction of dynamic data injection attacks in WAMS
Introduction
Dynamic data from phasor measurement units (PMUs) in a power system are transmitted to phasor data concentrators (PDCs) at various central/regional control centers through dedicated or shared communication infrastructure [1]. Wide area measurement system (WAMS) uses private local/wide area networks with multiple propagations, routing, and firewall steps providing multiple electronic access points for cyber-attackers [2]. Among the different categories of data manipulation attacks, a carefully disguised false data injection (FDI) can bypass the bad data detection of state estimation (SE) resulting in an inaccurate estimate of system state variables and incorrect control actions [3]. Also, in the case of trends-based applications (without additional error processing layer of SE) like event identification [1], mode metering, and coherency identification [4] the manipulation of dynamic PMU data could directly influence the disturbance assessment and oscillation tracking in power system.
For a successful FDI, an adversary needs to carefully design an attack vector that could bypass the bad data detection algorithm of SE. There are different categories of FDI attack models available in the literature based on the attacked device, area of influence, and available information into: (i) FDIs in the measurement channels [5] (ii) FDIs in control inputs [6], [7] (iii) FDIs inducing cascading failures [8], [9], and (iv) FDIs in network parameters [10]. In addition, for trends-based applications using WAMS, a new set of dynamic FDIs are available as: (i) the combined FDIs in SCADA and PMU measurements to introduce random, step, or ramp type attack distribution [5], [6], [7], [8], [9], [10], [11], and (ii) the dynamic FDIs in raw PMU trends with attack sequences modeled as fault replay, noise injection, data repetition, and missing data attacks [12], [13].
The available FDI detection techniques like [5], [6], [7], [8], [9], [10], [11], [12], [13], [14] can be broadly categorized into supervised, unsupervised, and state prediction methods. Most supervised methods like [15], [16] use pre-saved training data through extensive off-line simulations, however, due to non-anticipatory nature of FDIs the training data may not replicate the actual attack scenario. On the other hand, unsupervised methods like [10], [5] use line parameter changes and density-based scanning (DBSCAN) for FDI detection but are restricted to step and ramp type attacks in ambient data. Other methods like [12], [14], [17] use low-rank property of the phasor data for FDI detection requiring excessive tuning effort of hyper-parameters in the model. The state prediction methods like [18] use state forecasting for FDI detection, however, such prediction is challenging under dynamic system conditions. Most of the aforementioned propositions address only the detection aspect and limited methods are available for FDI correction. In [13] FDI correction is done using robust principal component analysis with training example, which is difficult to mimic actual attack scenario. Other methods like [14], [17] use low rank-decomposition of PMU measurement matrix and the linear combination of basis vectors for data correction tackling only the random missing and bad data discrepancies.
In this work, a wavelet-based probability distribution mapping method is proposed for unsupervised detection, localization, and correction of FDI attacks in both static and dynamic PMU trends. In proposition, dynamic FDI attacks are modeled as multi-sample and multi-constraint optimization problems to generate attack sequences with low measurement error and high impact on trends-based applications. The attack structure assumes limited access of adversary to the network information and uses distributed SE concept for designing. For dynamic FDI detection, the paper proposes an unsupervised method that quantifies differences in the time-frequency (TF) energy spectrum of wavelet decomposition for corrupted and un-corrupted measurements. The method uses wavelet multi-resolution analysis to compute a relative wavelet energy difference (RWED) measure, which is distinctly high for static & dynamic FDIs and negligibly low for natural disturbances. For FDI correction the method proposes a N-cut graph partitioning spectral clustering method for segregating FDI outlier groups from normal measurement sets and then, uses a kernel density estimation (KDE) based probability mode mapping method to 1) map the corrupted outliers with coherent normal measurements and 2) replaces the corrupted sub-sequences in FDI outliers with properly scaled un-corrupted sub-sequences in coherent normal measurements. The corrected trends follow the spatial and temporal correlation property of power measurements thereby improving state estimation and trends-based applications. The proposed method is validated for simulated data in the IEEE-118 bus system using DigSilent/PowerFactory and real PMU data for the Eastern region of the India grid.
Section snippets
State estimation and dynamic FDI attacks
A state estimator (SE) provides accurate estimates of system state variables from a given set of raw measurements infested with data and network errors if the measurement set satisfies observability and redundancy criteria. The traditional state estimation performs real-time network modeling using the digital circuit breaker status from SCADA or PMUs, deduces the network topology, finds fully or partially observable islands, and then estimates the system states from analog measurements. A
Proposed method
This work proposes a data-driven unsupervised approach for the detection, localization, and correction of dynamic multiple FDI attacks in PMU measurements. The available FDI detection methods use supervised machine learning models with dependency on voluminous training examples [15], [16], [17], [18], [19], [20], [21], [22], [23]. Also, the existing solutions are devised for specific types of FDIs like random, step, and ramp type, which exhibit distinct dynamic trends compared to natural
Results
To demonstrate the capability of proposed method, FDI attack vectors are injected in dynamic data trends for simulated disturbance examples for IEEE-118 bus system and real PMU data for India grid. The real PMU disturbance data files are saved at regional phasor data concentrator (PDC) Kolkata for Eastern region of India grid from 12 PMU buses at a reporting rate of 25 frames per secons (fps) (Fig. 7). For calculating RWED, the data window size parameter N is chosen by tracing two variables
Conclusion
This work proposes an unsupervised wavelet energy signature and KDE-based mode mapping technique for the detection, time localization, and correction of dynamic FDI attacks. The proposed FDI detection method using the RWED measure correctly segregates natural disturbances from FDIs even under high data corruption levels and a large set of corrupted PMUs, which is advantageous compared to the existing methods. The detection method shows high detection accuracy of 97.13% for elevated corruption
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (29)
- et al.
Online identification and data recovery for pmu data manipulation attack
IEEE Trans Smart Grid
(2019) - et al.
Ensuring cybersecurity of smart grid against data integrity attacks under concept drift
Int J Electr Power Energy Syst
(2020) - et al.
Real-time multiple event detection and classification in power system using signal energy transformations
IEEE Trans Ind Inform
(2019) - et al.
Enhancing wams communication network against delay attacks
IEEE Trans Smart Grid
(2018) - et al.
Cyber-physical attack-resilient wide-area monitoring, protection, and control for the power grid
Proc IEEE
(2017) - Yadav R, Pradhan AK, Kamwa I. A spectrum similarity approach for identifying coherency change patterns in power system...
- et al.
Modeling and mitigating impact of false data injection attacks on automatic generation control
IEEE Trans Inf Forensics Secur
(2017) - et al.
Fusion state estimation for power systems under dos attacks: A switched system approach
IEEE Trans Syst Man Cybernet Syst
(2019) - et al.
Cascading failure attacks in the power system: A stochastic game perspective
IEEE Inter Things J
(2017) - et al.
Fast screening of high-risk lines under false data injection attacks
IEEE Trans Smart Grid
(2018)