Wavelet probability distribution mapping for detection and correction of dynamic data injection attacks in WAMS

Highlights

• Dynamic false data injection attacks that by-pass the SE and influence trend-based applications.

• Proposed an unsupervised FDI detection method using relative wavelet energy difference measure.

• Proposed a new FDI correction method using kernel density estimation based mode mapping.

• The proposition is tested for manually configured dynamic FDI attacks in real PMU data.

Abstract

The dependency of synchrophasor technology on shared/dedicated communication networks for data transfer and the lack of security specifications in C37.118 standard makes phasor measurements susceptible to data manipulation attacks. More critically, a false data injection attack could influence both accuracy of state estimates and the evaluation of system dynamics. Typically, false data sequences are modeled as multi-constraint non-linear optimization with random, step, or ramp type distribution. However, a carefully designed attack that mimics the dynamic response of a natural disturbance can hugely impact trends-based applications of synchrophasor-based disturbance monitoring and mode metering. This work designs a multi-channel/multi-sample dynamic injection attack in phasor trends to closely mimic natural disturbances aiming at trends-based applications. Also, the work proposes an un-supervised wavelet probability mapping method for the detection and correction of dynamic false data sequences. The proposed method identifies the attack sequences from disturbances using relative wavelet energy measure and replaces the corrupted sub-sequences with coherent un-corrupted trends using a kernel density estimation-based mode mapping method. The efficacy of the proposed method is validated for simulated injection cases in IEEE-118 bus system using DigSILENT/PowerFactory and real phasor data for the Eastern region of the India grid. The results show that the proposed method exhibits high detection accuracy and low correction error for different categories of dynamic false data cases under real system conditions.

Introduction

Dynamic data from phasor measurement units (PMUs) in a power system are transmitted to phasor data concentrators (PDCs) at various central/regional control centers through dedicated or shared communication infrastructure [1]. Wide area measurement system (WAMS) uses private local/wide area networks with multiple propagations, routing, and firewall steps providing multiple electronic access points for cyber-attackers [2]. Among the different categories of data manipulation attacks, a carefully disguised false data injection (FDI) can bypass the bad data detection of state estimation (SE) resulting in an inaccurate estimate of system state variables and incorrect control actions [3]. Also, in the case of trends-based applications (without additional error processing layer of SE) like event identification [1], mode metering, and coherency identification [4] the manipulation of dynamic PMU data could directly influence the disturbance assessment and oscillation tracking in power system.

For a successful FDI, an adversary needs to carefully design an attack vector that could bypass the bad data detection algorithm of SE. There are different categories of FDI attack models available in the literature based on the attacked device, area of influence, and available information into: (i) FDIs in the measurement channels [5] (ii) FDIs in control inputs [6], [7] (iii) FDIs inducing cascading failures [8], [9], and (iv) FDIs in network parameters [10]. In addition, for trends-based applications using WAMS, a new set of dynamic FDIs are available as: (i) the combined FDIs in SCADA and PMU measurements to introduce random, step, or ramp type attack distribution [5], [6], [7], [8], [9], [10], [11], and (ii) the dynamic FDIs in raw PMU trends with attack sequences modeled as fault replay, noise injection, data repetition, and missing data attacks [12], [13].

The available FDI detection techniques like [5], [6], [7], [8], [9], [10], [11], [12], [13], [14] can be broadly categorized into supervised, unsupervised, and state prediction methods. Most supervised methods like [15], [16] use pre-saved training data through extensive off-line simulations, however, due to non-anticipatory nature of FDIs the training data may not replicate the actual attack scenario. On the other hand, unsupervised methods like [10], [5] use line parameter changes and density-based scanning (DBSCAN) for FDI detection but are restricted to step and ramp type attacks in ambient data. Other methods like [12], [14], [17] use low-rank property of the phasor data for FDI detection requiring excessive tuning effort of hyper-parameters in the model. The state prediction methods like [18] use state forecasting for FDI detection, however, such prediction is challenging under dynamic system conditions. Most of the aforementioned propositions address only the detection aspect and limited methods are available for FDI correction. In [13] FDI correction is done using robust principal component analysis with training example, which is difficult to mimic actual attack scenario. Other methods like [14], [17] use low rank-decomposition of PMU measurement matrix and the linear combination of basis vectors for data correction tackling only the random missing and bad data discrepancies.

In this work, a wavelet-based probability distribution mapping method is proposed for unsupervised detection, localization, and correction of FDI attacks in both static and dynamic PMU trends. In proposition, dynamic FDI attacks are modeled as multi-sample and multi-constraint optimization problems to generate attack sequences with low measurement error and high impact on trends-based applications. The attack structure assumes limited access of adversary to the network information and uses distributed SE concept for designing. For dynamic FDI detection, the paper proposes an unsupervised method that quantifies differences in the time-frequency (TF) energy spectrum of wavelet decomposition for corrupted and un-corrupted measurements. The method uses wavelet multi-resolution analysis to compute a relative wavelet energy difference (RWED) measure, which is distinctly high for static & dynamic FDIs and negligibly low for natural disturbances. For FDI correction the method proposes a N-cut graph partitioning spectral clustering method for segregating FDI outlier groups from normal measurement sets and then, uses a kernel density estimation (KDE) based probability mode mapping method to 1) map the corrupted outliers with coherent normal measurements and 2) replaces the corrupted sub-sequences in FDI outliers with properly scaled un-corrupted sub-sequences in coherent normal measurements. The corrected trends follow the spatial and temporal correlation property of power measurements thereby improving state estimation and trends-based applications. The proposed method is validated for simulated data in the IEEE-118 bus system using DigSilent/PowerFactory and real PMU data for the Eastern region of the India grid.