Earth-Mover-Distance-Based Detection of False Data Injection Attacks in Smart Grids

Abstract

The high integration of power information physical system improves the efficiency of power transmission, but it also brings new threats to power grid. False data injection attacks can use traditional bad data to detect vulnerabilities and maliciously tamper with measurement data to affect the state estimation results. In order to achieve a higher security level for power systems, we propose an earth mover distance method to detect false data injection attacks in smart grids. The proposed method is built on the dynamic correlation of measurement data between adjacent moments. Firstly, a joint-image-transformation-based scheme is proposed to preprocess the measurement data variation, so that the distribution characteristics of measurement data variation are more significant. Secondly, the deviation between the probability distribution of measurement data variation and the histogram are obtained based on the earth’s mover distance. Finally, a reasonable detection threshold is selected to judge whether there are false data injection attacks. The proposed method is tested using IEEE 14 bus system considering the state variable attacks on different nodes. The results verified that the proposed method has a high detection accuracy against false data injection attacks.

1. Introduction

In recent years, sensing, communication, and control technologies have been able to realize the seamless integration in smart grids. Hence, the physical and network fields of the power system are deeply integrated to form a cyber-physical system [1]. After collecting measurement data through remote terminal units (RTUs), the smart grid relies on the state estimation algorithm to achieve its regulation. Thus, the main purpose of cyberattacks is to undermine or to mislead the state estimation mechanism, leading to incorrect decision-making in the energy management system (EMS). In a highly complex and automated environment, a cyber-attack may propagate to the entire system, triggering grid paralysis, mass outage incidents, and so on, such as the massive power outage that occurred in Venezuela on 7 March 2019 [2].

False data injection attacks (FDIAs), as a covert cyber-attack method, pose a huge challenge to the safe and stable operation of smart grids by illegally hacking into power systems to tamper with measurement data and thus undermine data integrity [3,4,5]. In [6], Liu et al. first proposed the concept of FDIAs and mentioned that attackers can use power system topology and parameter information to construct a well- designed attack vector that bypasses traditional bad data detections (BDDs) and destroys the integrity of smart grid information. Since attackers can construct extremely hidden FDIAs without relying on system configuration information, it is difficult for traditional model-based detection methods and boundary protection systems to handle such FDIAs. In order to run the power grid safely and steadily, an effective FDIAs testing scheme needs to be studied and developed, which has been intensively studied by many researchers.

From the perspective of defenders, some methods have been improved for the state estimation algorithm in the study of FDIAs detection. The improved state estimation methods mainly include residual detection method [7], measurement transformation detection method [8], and some detection methods related to the use of Kalman filters [9,10]. The FDIAs detection method based on state estimation is mainly used for static analysis and detection of attacks at specific moments. When the power system fluctuates, it is prone to missed detection and false detection [11].

The increase in the deployment of wide-area measurement system provides massive data for the analysis of power system data. Therefore, artificial intelligence technology should be gradually increased in the FDIAs detection, mainly including support vector machine [12], extreme learning machine [13], fuzzy c-means clustering [14], deep learning [15,16], integrated learning [17], etc. The advantages of such methods are that they do not need to solve complex power system time domain equations and their calculation speed is fast. However, the disadvantage is that the test results are highly dependent on the training process of the model. Improper selection of training samples can directly affect detection performance.

Since the power system is in continuous dynamic operation and a space-time correlation exists between different measurement data or state variables, most attacks are continuous. Therefore, it is feasible to consider using historical data for trajectory prediction analysis to detect FDIAs, which mainly includes statistical consistency detection, sequence consistency detection and sensor trajectory prediction.

Kurt et al. [18] used the generalized cumulative sum (CUSUM) algorithm for quickest detection of FDIAs. This method is robust to time-varying state, attack and attacked instruments in both centralized and distributed environments. Similarly, Li et al. [19] proposed a sequence detector based on a broad analogy for sequential detection of FDIAs in the smart grid. This detector is significantly superior to first order CUSUM detector in terms of robustness and average detection delay performance. In [20], Malhotra et al. proposed a stacked LSTM prediction network to effectively detect time series anomalies or failures, modeling the prediction error as a multivariate Gaussian distribution to evaluate abnormal behavior. By analyzing and learning the original measurement data, [21,22] used different methods to detect abnormal data which did not conform to the historical measurement distribution, which however failed to detect false data matching the historical measurement distribution. Khalid et al. [23] proposed multi- sensor track fusion-based model prediction for malicious attacks in PMUs, which can use smoothing algorithm based on Kalman particle filter to detect attacks at each monitoring node. The online FDIAs detection process of SCADA and PMU hybrid measurement is proposed in [24], which can effectively find the spatial hidden FDIAs based on multi-matching state prediction. However, when conditions such as load mutation or equipment failure occur, the state prediction results are seriously misaligned and thus affect the detection results.

Considering the time correlation of node measurement, Zhao et al. [25] compared prediction data with collected data based on short-term state prediction method, and further built detection index in combination with traditional measurement residual analysis. In order to solve the problem that it is impossible to detect attacks similar to historical data, Gu et al. [26] considered the characteristics of measured data variation and proposed a detection method based on Kullback-Leibler distance (KLD). However, the method failed to detect attacks on some nodes. A real-time detection scheme of FDIAs based on joint transformation is proposed in [27], but the detection accuracy is reduced when the attack is less intense.

The detection method based on trajectory prediction analysis is mainly used to predict the distribution of state variables according to the operation law of the system state and of the historical database. By comparing the running track, various types of FDIAs can be detected effectively. However, there are two problems when the probability density function is used to represent the data running track. One is the problem of overlapping distributions, and the other is the difficulty of detecting historical data replay attacks.

The control center monitors the operation state of the power system in real time to arrange the optimal scheduling and saves the historical running data. Assuming that the database of the historical running state will not be destroyed by FDIAs. For ordinary attacks, the method of judging whether FDIAs have been suffered by comparing whether the difference between current data and historical data is within a reasonable threshold is effective. However, if the attacker has mastered the historical operation data and used the obtained historical data to tamper with the current operation data, then this method of directly comparing the difference between current data and historical data will not be able to determine whether the attack has been suffered. Regardless of how FDIAs are constructed, the fundamental goal is to tamper with measurement data. Based on the statistical characteristics of the differences of measurement data before and after the attack, the research on FDIAs detection methods which do not rely on a specific mathematical model has stronger universal applicability. Therefore, this paper proposes a FDIAs detection method based on Earth-Mover Distance (EMD), which can measure the distance between two probability distributions. The main contributions of this paper can be listed as follows:

(1)

It has been found that the differences between the probability distributions of data variation in different periods may overlap with each other, and the results are unsatisfactory if they are used directly for attack detection. Therefore, Joint Image Transformation (JIT) is used to map the variation of measurement data. The proposed method makes the probability distribution of data variation more significant by stretching and compressing, which provides a data basis for accurate detection of FDIAs.

(2)

Considering the dynamic correlation of adjacent moment measurement data, a FDIAs detection method based on Earth-Mover Distance (EMD) is proposed. The difference between the probability distribution of different measurement data variation is compared through EMD.

(3)

The detection method of this paper has been proven to have high accuracy through case studies.

The rest of this paper is organized as follows: Section 2 describes the background of system model, bad data detection, and false data injection attacks. In Section 3, the method of detecting FDIAs is put forward. Section 4 introduces case simulation. The result analysis is given in Section 5. Section 6 is the summary of this paper.

2. Background

2.1. System Model

Assuming that the grid has N+1 nodes and M measurement devices. Based on the common linear DC model, measurement equation and state equation of discrete linear power system are given as follows:

$$z_t=h\left(x_t\right)+e_t$$

(1)

$$x_t=f\left(x_{t-1}\right)+v_t$$

(2)

where $h(\mathbf{·})$ is the measurement function; $z_t={[z_{1,t}^T,z_{2,t}^T,\dots ,z_{M,t}^T]}^T$ is the measured vector at time $t$; $z_{M,t}={[z_{M,t,1},z_{M,t,2},\dots ,z_{M,t,\lambda }]}^T$ is the measured vector of the M-th measurement device; $e_t={[e_{1,t}^T,e_{2,t}^T,\dots ,e_{M,t}^T]}^T\sim N(0,{\sigma }_e^2{I}_{M\lambda })$ is the measured noise vector; $f(\mathbf{·})$ is the transfer function of state vector $x$ at time $t-1$; $x_t={[x_{1,t},x_{2,t},\dots ,x_{N,t}]}^T$ is the state vector; $v_t={[v_{1,t},v_{2,t},\dots ,v_{N,t}]}^T\sim N(0,{\sigma }_v^2{I}_N)$ is the process noise vector; $I_N$ is the unit matrix.

In (1) and (2), between each time interval $t-1$ and $t$, $\lambda \in \{1,2,3,\dots \}$ is usually small. Therefore, the collected measurement data between time $t-1$ and $t$ needs to be processed at time $t$.

2.2. Bad Data Detection and Identification

System with data acquisition and monitoring control can collect real-time measurement data and make state estimation. In order to eliminate the error caused by non-human factors [28] and ensure the reliability of the state estimation results, there is a built-in BDD scheme in EMS for bad data detection and identification. The essence of the traditional method of detecting and identifying bad data can be summed up as residual method. The residual vector $r$ is first determined by calculation, and then different detection standards are used for judgment. In other words, bad data can be detected by calculating $r$ as follows:

$$\begin{array}{ll}r& =z-\widehat{z}=h\left(x\right)+e-\left(h\left(x\right)+H\left(x-\widehat{x}\right)\right)\\ & =e-H{\left(H^T{R}^{-1}H\right)}^{-1}{H}^T{R}^{-1}e\\ & =\left(I-H{\left(H^T{R}^{-1}H\right)}^{-1}{H}^T{R}^{-1}\right)e\\ & =Se\end{array}$$

(3)

where $r$ is the residual vector; $I$ is the unit matrix; $e$ is the measurement error; $R^{-1}$ is the weight matrix; $S=I-H{\left(H^T{R}^{-1}H\right)}^{-1}{H}^T{R}^{-1}$ is the residual sensitivity matrix of order $m\times m$.

Taking the extremum detection method of objective function [29] as an example. The extremum of objective function established by residual vector is as follows:

$$J\left(\widehat{x}\right)=\left[z-h{\left(\widehat{x}\right)}^T\right]R^{-1}\left[z-h\left(\widehat{x}\right)\right]=r^T{R}^{-1}r$$

(4)

where $J\left(\widehat{x}\right)$ approximates the ${\chi }^2$ distribution of $m-n$ degrees of freedom. Given the detection confidence interval, bad data exists when the detection indicator exceeds the threshold ${\gamma }_0$ and the probability is $p$, where ${\gamma }_0={\chi }_{(m-n),p}^2$, $p=Pr(J\left(\widehat{x}\right)\le {\chi }_{(m-n),p}^2)$. Define the target function detector:

$$D_{J\left(\widehat{x}\right)}(z)=\{\begin{array}{l}1\hspace{1em}\hspace{1em}J\left(\widehat{x}\right)>{\gamma }_0,\hspace{1em}\hspace{1em}\mathrm{bad} \mathrm{data}\\ 0\hspace{1em}\hspace{1em}J\left(\widehat{x}\right)\le {\gamma }_0,\hspace{1em}\hspace{1em}\mathrm{no} \mathrm{bad} \mathrm{data}\end{array}$$

(5)

In order to further eliminate bad data by identifying them, the generally adopted criterion is the “$3\sigma$” principle. When the system has bad data, the measurement corresponding to the maximum residual should be corrected and the above detection process should be repeated until all elements in the residual vector are within the threshold.

2.3. Principle of False Data Injection Attack

Attacker can successfully inject into measurement data by constructing the effective attack vector. Traditional FDIAs are typically given as follows:

$$z_a=z+a=h\left(x\right)+a+e$$

(6)

where $a$ is the injected false data attack vector; $z_a$ is the attacked measurement vector; $x$ is the estimation vector of original measurement vector $z$ without attack.

If $z$ can bypass the traditional bad data detector based on residuals, then $a$ can also bypass BDD, satisfying the following equation:

$$a=Hc$$

(7)

where $c={\left[c_1,c_2,\cdots ,c_n\right]}^T$ is the arbitrary non-zero vector of $n\times 1$, which represents the vector that is deviated by the system state vector after FDIAs. $x_a={\left(H^T{R}^{-1}H\right)}^{-1}{H}^T{R}^{-1}{z}_a$ $=x+c$ is the vector of $n\times 1$, which represents the state estimator of $z_a$. The purpose of FDIAs is to mislead the system operator to take $x_a$ as the state vector, so the expressions of $z_a$ and residual $r_a$ are respectively as follows:

$$z_a=Hx+Hc+e=H\left(x+c\right)+e=H{x}_a+e$$

(8)

$$r_a=z_a-Hx=z+a-H\left(x+c\right)=z-Hx$$

(9)

At this point, the traditional method of bad data detection and identification fails to FDIAs, which allows attacker to tamper with the measurement data at will.

3. Methodology

3.1. Proposed Schemes

By designing the attack vector, the measurement and state of the power system can be tampered with, which causes the measurement residuals are very small or even not. However, this method makes the system residuals still less than the threshold of BDD mechanism, resulting in the success of FDIAs. Earth-mover distance (EMD), also known as Wasserstein distance or bulldozer distance, was first introduced by Rubner et al. [30] and used to measure color and texture differences. The EMD-based detection method proposed in this paper is completely independent of the residuals of state estimation. EMD can measure the difference between the probability distribution of measurement data variation under normal operating conditions and under FDIAs. Specifically, the value of EMD is proportional to the difference in the distribution of the two data used to detect the system FDIAs. Successful detection of injected false data is indicated when a large range of EMD is obtained.

The proposed method consists of the following parts: get the grid measurement data, process the measurement data variation by joint image transformation (JIT), calculate EMD, and select the threshold for attack detection. The specific detection process is shown in Figure 1.

This method determines whether the current system is suffering from FDIAs by analyzing the temporal variation of the measurement data and comparing the distance between the probability distributions of the measurement data variation between adjacent moments in different time periods. When FDIAs exist, the probability distribution of detection data variation will deviate from the probability distribution of the measurement data variation under normal operating conditions, which will lead to the deviation from the normal value of EMD.

3.2. Earth-Mover Distance

In the measurement space, EMD is a metric that can be used to determine the similarity between two histograms of probability distributions by calculating the distance between them. The advantage is that it can reflect smoothly the specific differences between the two probability distributions, which is how they change from one distribution to the other. In fact, EMD is used to calculate the optimal solution of the mobility solution in the transportation problem, as shown in Figure 2. It is assumed that goods need to be transported from $P$ factories to $Q$ warehouses, where $P$ factories have m piles of goods and $Q$ warehouses have n storage spaces. Now, all the piles of goods in the factories should be moved to the storage spaces of the warehouses with the minimum work. It can be expressed as follows:

$$\begin{array}{l}P=\left\{\left(p_1,w_{p_1}\right),\dots ,\left(p_m,w_{p_m}\right)\right\}\\ Q=\left\{\left(q_1,w_{q_1}\right),\dots ,\left(q_n,w_{q_n}\right)\right\}\end{array}$$

(10)

where the weight of $p_i$ is $w_{p_i}$, and the capacity of $q_j$ is $w_{q_j}$. Define the ground distance matrix $D={[d_{ij}]}_{m\times n}$, where $d_{ij}$ represents the distance from $p_i$ to $q_j$. Therefore, we want to find a matrix flow $F={[f_{ij}]}_{m\times n}$, where that $f_{ij}$ represents the number of flows from $p_i$ to $q_j$, thereby minimizing the overall cost function:

$$\mathrm{WORK}\left(P,Q,F\right)={\displaystyle \sum _{i=1}^m{\displaystyle \sum _{j=1}^n{d}_{ij}{f}_{ij}}}$$

(11)

where distance $d_{ij}$ is predefined and transport volume $f_{ij}$ is the only variable in the upper formula. $f_{ij}$ meets the following four constraints:

(1)

It can be moved from $P$ to $Q$ and cannot be moved from $Q$ to $P$.

$$f_{ij}\ge 0\hspace{1em}\hspace{1em}1\le i\le m,1\le j\le n$$

(12)

(2)

The sum of supply weights moved from $p_i$ to $Q$ cannot exceed total weight $w_{p_i}$.

$${\displaystyle \sum _{j=1}^n{f}_{ij}}\le w_{p_i}\hspace{1em}\hspace{1em}1\le i\le m$$

(13)

(3)

The sum of supply weights gained by $q_j$ in $Q$ cannot exceed total capacity $w_{q_j}$.

$${\displaystyle \sum _{i=1}^m{f}_{ij}}\le w_{q_i}\hspace{1em}\hspace{1em}1\le j\le n$$

(14)

(4)

The total number of movements to the minimum of the total supply weight in $P$ and the total capacity in $Q$.

$${\displaystyle \sum _{i=1}^m{\displaystyle \sum _{j=1}^n{f}_{ij}}}=\min \left({\displaystyle \sum _{i=1}^m{w}_{p_i}},{\displaystyle \sum _{j=1}^n{w}_{q_j}}\right)$$

(15)

Therefore, EMD can also be defined as a normalized expression of the minimum cost of moving from one probability distribution to another:

$$\mathrm{EMD}\left(P,Q\right)=\frac{{\displaystyle \sum _{i=1}^m{\displaystyle \sum _{j=1}^n{d}_{ij}{f}_{ij}}}}{{\displaystyle \sum _{i=1}^m{\displaystyle \sum _{j=1}^n{f}_{ij}}}}$$

(16)

In addition, EMD can also be expressed as follows:

$$\mathrm{EMD}\left(P,Q\right)=\underset{\gamma \sim {\displaystyle \prod \left(P,Q\right)}}{\inf }{E}_{\left(x,y\right)\sim \gamma }\left[\Vert x-y\Vert \right]$$

(17)

where $P$ and $Q$ are the edge distributions of ${\displaystyle \prod \left(P,Q\right)}$. $\gamma$ obeys the joint distribution. Samples x and y can be obtained according to $\left(x,y\right)\sim \gamma$, and then the distance expectation $E_{\left(x,y\right)\sim \gamma }\left[\Vert x-y\Vert \right]$ can be calculated. Therefore, in the union distribution collection, EMD is defined as the lower bound $\underset{\gamma \sim {\displaystyle \prod \left(P,Q\right)}}{\inf }{E}_{\left(x,y\right)\sim \gamma }\left[\Vert x-y\Vert \right]$.

As shown in Figure 2, according to the selected path planning, the distance expectation is the consumption required to move the elements in $P$ to $Q$, while EMD is the minimum consumption under the optimal path planning. EMD naturally extends the concept of distance between individual elements to the distance between element collections or distributions. Therefore, EMD also satisfies the characteristics of distance measurement, that is, the three characteristics of distance: non-negativity, symmetry, and triangular inequality.

3.3. Joint Image Transformation Technology

In the field of image processing, joint image transformation (JIT) is commonly used to enhance image quality. Power-law (Gamma) transformation and logarithmic transformation are one of the most widely used image transformation technologies [31]. In this paper, JIT is applied to the measurement system to preprocess the variation of measurement data and change the mapping of the variation range of measurement data, which can improve the resolution (scale) of probability distribution function, solve the problem that the probability distribution of measurement data variation is difficult to detect FDIAs and improve the accuracy of attack detection.

The measured data collected at t time are processed, and the range of measured data before and after transformation is represented by r and s respectively. Therefore, it can be shown as follows:

$$\{\begin{array}{l}r=z(t)-z(t-1)\\ s=T(r)\end{array}$$

(18)

$T(r)$ is the image transformation function which represents the transition relationship between input and output values. In this paper, power-law and logarithmic transformations are used in combination. Power-law transformation is used to process the map of measurement data variation when setting the detection threshold. Logarithmic transformation is used to handle the map of measurement data variation when calculating the attack.

(1)

Power-Law transformation

$$s=c{r}^{\gamma }$$

(19)

where $c$ and $\gamma$ are positive constants. If $\gamma >1$, power-law transformation can map small range of input measurement data variation into wide range. Similarly, it can also map the broader range into narrower range. Here, power-law transformation is used to map a wide range of measured data variation as input to a narrower range of measured data variation output.

(2)

Logarithmic transformation

$$s=c\log (1+r)$$

(20)

where c is scale proportional constant. In the field of image processing, logarithmic transformation transforms the brightness by expanding the value of dark pixels in the image and compressing the higher brightness value. Here, logarithmic transform is used to map a narrow range of measured data variation as input to a wider range of measured data variation output.

3.4. Threshold Determination

Threshold indicates the tolerance of a detection method to the difference in the probability distribution of measurement data variation. Choosing the appropriate threshold is key to affecting detection accuracy. In order to accurately detect FDIAs, a large number of normal measurements near the current moment is needed. The EMD range obtained by the difference between the probability distribution of measurement variation in the previous period and the probability distribution of benchmark measurement variation is marked as range A. The EMD range obtained by the difference between the probability distribution of measurement variation need to be detected and the probability distribution of benchmark measurement variation is marked as range B. Considering that range A and range B have overlapping regions. In other words, the data in the overlapping area cannot determine whether they are false data. Therefore, this paper uses 99% confidence interval to determine the attack detection threshold.

The distance between the probability distribution of benchmark measurement variation and the probability distribution of measurement variation one month before attack is denoted as ${\mathrm{EMD}}_1$. Selected threshold is the value of its sample set. Mean and standard deviation are calculated according to the size and quantity of each distance value. Assuming the mean is $\mu$, the standard deviation is $\sigma$. The upper interval limit of 99% confidence level of ${\mathrm{EMD}}_1$ is used as FDIAs detection threshold. Therefore, threshold can indicate as follows:

$$\epsilon =Max\{\left(\mu -n_{\alpha /2}\sigma ,\mu +n_{\alpha /2}\sigma \right)\}$$

(21)

where $n_{\alpha /2}$ corresponds to the standard score of coverage area within the distribution of non-confidence level. The resulting detection threshold depends on the network topology. When topological changes are considered, the historical measurement dataset is updated based on the topology change. Therefore, for different network topology, the detection threshold is different

The distance between the probability distribution of benchmark measurement variation and the probability distribution of measurement variation in attack is denoted as ${\mathrm{EMD}}_2$. Compare ${\mathrm{EMD}}_2$ with $\epsilon$ to determine if the power system has been attacked by false data injection. If the threshold $\epsilon$ is exceeded, FDIAs are currently present. Similarly, if the resulting EMD range is small, which means no more than the threshold $\epsilon$, the current measurement data is normal. As shown below:

$$\{\begin{array}{l}\{{\mathrm{EMD}}_2\}\le \epsilon ,\hspace{1em}\hspace{1em}\mathrm{no} \mathrm{attack}\\ \{{\mathrm{EMD}}_2\}>\epsilon ,\hspace{1em}\hspace{1em}\mathrm{attack}\end{array}$$

(22)

4. Case Simulation

4.1. Test System

In order to simulate the real power system operation as much as possible, the real load data are integrated into MATPOWER to test the performance of the detection method. The simulation environment is Matlab2017a. This paper is based on the IEEE 14 bus system, as shown in Figure 3. The measurement data used in the test is the load data of the New York Independent System Operator (NYISO) in 2012, which includes 11 regions, as the actual power profile, as shown in Figure 4. The time interval of actual load data is 5 min, that is, about 288 power values per day. Due to the lack of system state data, system state data can be generated based on NYISO load data. In other words, the system state data can be obtained by MATPOWER flow calculation and the system measurement data can be calculated by the measurement equation. Then, the proposed method can be evaluated based on these data. Consider each bus of IEEE 14 bus system as a node and set No. 1 as a balanced node. The specific process of data per 5 min interval is as follows:

(1)

Correspond the NYISO regional loads (CAPITL, CENTRL, DUNWOD, GENESE, HUD VL, LONGIL, MHK VL, MILLWD, N.Y.C., NORTH, WEST) to 11 load nodes:

$$\left(\begin{array}{ccccccccccc}2& 3& 4& 5& 6& 9& 10& 11& 12& 13& 14\\ 1& 2& 3& 4& 5& 6& 7& 8& 9& 10& 11\end{array}\right)$$

where, the first line is the node number of IEEE14 bus system. The second line is the corresponding NYISO region number.

(2)

Standardize the NYISO load data according to IEEE 14 standard system of active power of initial load node and generator node, so that the test system runs within the initial value range of the state. Due to the lack of system node reactive load, it is assumed that the system has a constant power factor to calculate the reactive power of each node at a 5min interval.

(3)

Calculate the ratio of new total load to initial total load of IEEE14 standard system to change the active and reactive power, and then obtain the active and reactive power every 5min interval. Here, it is assumed that the growth rate of active power from generator is the same as that of the total load, which can be adjusted by the system operator who knows the power generation plan in advance.

(4)

Calculate the power flow to get the system state vector, that is, the voltage and phase angle of each node.

(5)

Calculate measurement vector according to the measurement equation $z=h\left(x\right)+e$.

4.2. Simulate FDIAs

Attackers could launch different attacks depending on the attack model. Thus, there may be a single affected state or multiple affected states. By injecting malicious attacks into the meter, the attacker can alter the measurement data used for state estimation. Therefore, this paper IEEE 14 system has 68 measurements per time step, including node active and reactive power injection, transmission line active and reactive power. For example, if the target is to inject -10% false data into the state ${\theta }_2$, the attack vector can be expressed as:

$$c=[\underset{V_{[1\times N_{bus}]}}{\underbrace{0\dots ,0}},\underset{{\theta }_{[1\times (N_{bus}-1)]}}{\underbrace{-0.1{\theta }_2,0,\dots ,0}}]$$

(23)

To verify this method, FDIAs are simulated using the attack algorithm proposed in [32]. It is known that there are 27 state vectors (14 voltage amplitudes and 13 phase angles) in the IEEE14 bus system. FDIAs are simulated for different node state variables of the system. The state vector after attack is expressed as $x_{bad}=\widehat{x}+c$, and the measurement corresponding to the state variables of the manipulated system is shown as:

$$z_{bad}=h\left(x_{bad}\right)+e$$

(24)

4.3. Probability Distribution of Measurement Variation

The power system is a quasi-static system, which means that the measurement data collected from RTUs should change slowly. At the same time, there is a correlation between the variation of historical data at adjacent times and that of current operational data at adjacent times. The measurement data is expressed as $z(t)$ at time $t$. Therefore, the measurement data variation is defined as $z(t)-z(t-1)$. Figure 5 is the histogram of probability distribution of measurement variation from January to October 2012, at which there is no FDIAs. As can be seen from the histogram, most of measurement variations are very small, which are close to zero.

In the absence of FDIAs, the probability distribution of measurement variation between months is similar. Power-law transformation is used to deal with measurement variation in November 2012, so that the probability distribution histogram of measurement variation before and after transformation without FDIAs is obtained, as shown in Figure 6. After power-law transformation, the range of measurement variation is smaller, which makes the setting of detection threshold more accurate.

However, when an attacker injects false data into power system, the probability distribution histogram is offset. In order to illustrate the effect of FDIAs on measurement variation, the experiment simulates the state ${\theta }_2$ of each day in December 2012 with a +5% false data injection attack. Logarithmic transformation will be used to deal with measurement variation at this time, to obtain measurement variation before and after attack of the probability distribution histogram, as shown in Figure 7. It shows that FDIAs affect the probability distribution of measurement variation.

4.4. Detection Metric and Detection Threshold

EMD, as a similarity metric, quantifies the difference between two probability distributions. Therefore, it can be tested as a detection indicator for FDIAs detection. EMD contains the probability distributions $P$ and $Q$ based on measurement variation between adjacent moments. Among them, $Q$ comes from the probability distribution of benchmark measurement variation (obtained from Figure 5). $P$ includes $P_1$ and $P_2$, which respectively come from the probability distribution of measurement variation in the previous period (obtained from Figure 6) and the probability distribution of measurement variation need to be detected (obtained from Figure 7). The EMD histogram without attack can be obtained by $Q$ and $P_1$, and the EMD histogram with FDIAs can be obtained by $Q$ and $P_2$, as shown in Figure 8.

Figure 8a is the EMD histogram between the probability distribution of measurement variation under normal operating conditions, which is used to calculate threshold, where the EMD range is (0.09 to 2.62). At the same time, Figure 8b shows the EMD range (3.22 to 5.91) for FDIA in December.

It is clear that FDIA will increase EMD and make the EMD histogram shift to the right. Meanwhile, there is little overlap between EMD histograms in Figure 8, indicating that EMD is an ideal indicator for detecting FDIAs. In other words, there are almost no missing and mis-testing problems with FDIAs based on Earth-Mover Distance.

Assuming that network topology of the test system remains unchanged. It is known from the EMD range without attack that the mean is $\mu =0.38$ and the standard deviation is $\sigma =0.21$. By searching the normal distribution z value table, it can be seen that ${\mathrm{z}}_{\alpha /2}=2.58$ when the confidence level is 99%, so the detection threshold is $\epsilon =\mu {+\mathrm{z}}_{\alpha /2}\sigma =0.9218$.

Compare the threshold with the EMD range obtained by the probability distribution of measurement variation need to be detected. It can be seen that the EMD values are all greater than the threshold $\epsilon$, then FDIAs are detected.

4.5. Effect of JIT on Detection Accuracy

Both transformations contain parameters $c$ and $\gamma$. Among them, the measurement data variation $s_2$ after logarithmic transformation is proportional to $c$. In order to select the appropriate parameters, a set of $c$ values can be preset firstly, and then the detection rate under different $\gamma$ values can be obtained by changing the size of $\gamma$. Then, in order to analyze the influence of $c$ on the performance of the proposed method, a value of $\gamma$ can be set first, and the detection rate under different $c$ values can be obtained by changing the size of $c$, so as to find the relatively optimal parameters $c$ and $\gamma$, as shown in Figure 9.

It shows that $\gamma$ needs to be greater than 1 to have a higher check-out rate (CO%). As shown in Figure 9a, when FDIAs are injected into all nodes, a fixed set of $c$ is taken to obtain CO% at different $\gamma$ values. As can be seen from line figure, on the one hand, CO% is smaller at $\gamma <1$, while CO% is higher at $\gamma \ge 1$. On the other hand, for $c$ is 1.5 or 2, CO% is 100% when $\gamma$ is 1.2 to 1.5.

Similarly, in order to analyze the effect of $c$ on the performance of the proposed detection method, the size of $c$ can be changed on the basis of preset $\gamma$ value. As shown in Figure 9b, take $\gamma =1.2$ to observe CO% under different $c$. With the increase of $c$, CO% is increased. When $c\ge 1$, CO% is higher. Therefore, it is desirable to consider CO% under different $c$ and different $\gamma$ values, $c=1.5,\gamma =1.2$ can be taken as the parameter of JIT technology.

5. Results Analysis

This paper introduces the damage degree D, which is defined as the difference between true measurement and attacked measurement. D is generated by different injection attack intensity (IA%). That is, each time FDIAs are initiated, the system state is reduced or increased by a certain percentage of its original value. For example, 0D indicates no attack (IA% = 0), 10D indicates attack intensity is 0.1 (IA% = +10%). Different IA% of single-state and multi-state variables are simulated to observe the influence of different D on the EMD range of the probability distribution of the variation of the measured data to be detected in December, as shown in

Table 1. Consider the range of EMD under different attack intensity.

Attack State	Attack Intensity (IA%)	EMD Range
No attack	0D	(0.08~2.37)
${\theta }_5$	1D	(0.88~3.34)
	5D	(2.61~4.38)
	10D	(2.98~4.83)
${\theta }_5,{\theta }_9,{\theta }_{10}$	1D	(2.35~5.31)
	5D	(5.90~7.67)
	10D	(6.46~8.02)

. Wherein, the EMD value is very small in attack-free. At the same time, when injecting false data that can evade BDD, the EMD range is shifted to the right, and the offset of the EMD range increases as the attack intensity increases.

In order to test the accuracy of this method on FDIAs detection, and to further observe the impact of D on attacking the state variables of different nodes, FDIA with different damage degrees is simulated for each node state variable. The result is expressed in the form of undetected rate (UD%), which is equal to the number of undetected samples divided by the total number of samples. In other words, the overlapping areas between the two EMD histograms represent UD samples.

The results are compared with [26] and [27]. In [26], based on KL dispersion, FDIAs are detected by using the difference between the probability distribution of measurement variation directly. [27] is based on joint transformation technology to detect FDIAs. In this paper, the direct detection of FDIAs based on EMD and the detection based on EMD&JIT are both simulated and verified. The results show that the FDIAs detection accuracy based on EMD&JIT is better, as shown in

Table 2. FDIAs test results for each node.

State	KLD[26] UD% for IA%				Joint Transformation[27] UD% for IA%
	5D	10D	–5D	–10D	5D	10D	–5D	–10D
${\theta }_2$	2	0	1	0	0	0	0	0
${\theta }_3$	56	32	55	22	0.03	0.02	0. 16	0.14
${\theta }_4$	0	0	0	0	0	0	0	0
${\theta }_5$	0	0	0	0	0	0	0	0
${\theta }_6$	0	0	0	0	0	0	0	0
${\theta }_7$	70	61	70	58	0	0	0	0
${\theta }_8$	95	95	96	96	46.6	0	46.6	0
${\theta }_9$	0	0	0	0	0	0	0	0
${\theta }_{10}$	0	0	0	0	0	0	0	0
${\theta }_{11}$	0	0	0	0	0	0	0	0
${\theta }_{12}$	2	0	1	0	0	0	0	0
${\theta }_{13}$	0	0	0	0	0	0	0	0
${\theta }_{14}$	7	0	5	0	0	0	0	0
State	EMD UD% for IA%				EMD&JIT UD% for IA%
	5D	10D	–5D	–10D	5D	10D	–5D	–10D
${\theta }_2$	0	0	0	0	0	0	0	0
${\theta }_3$	0.01	0	0.01	0	0	0	0	0
${\theta }_4$	0	0	0	0	0	0	0	0
${\theta }_5$	0	0	0	0	0	0	0	0
${\theta }_6$	0	0	0	0	0	0	0	0
${\theta }_7$	0	0	0	0	0	0	0	0
${\theta }_8$	1.02	0.92	1.02	0.92	0	0	0	0
${\theta }_9$	0	0	0	0	0	0	0	0
${\theta }_{10}$	0	0	0	0	0	0	0	0
${\theta }_{11}$	0	0	0	0	0	0	0	0
${\theta }_{12}$	0.03	0	0.03	0	0	0	0	0
${\theta }_{13}$	0	0	0	0	0	0	0	0
${\theta }_{14}$	0	0	0	0	0	0	0	0

.

In this test, 8992 samples are set for each attack. Each row in Table 2 represents a target system state. FDIAs with +5%, +10%, −5%, −10% attack intensity and normal condition without attack are simulated for each target node state. When the attack intensity is 0D, the simulation results show that 99% of the test samples are determined to be attack-free, indicating that none of the four methods in the table is likely to misjudge an unattacked measurement as false data. However, FDIAs detection method based on KL dispersion has a certain degree of UD% on nodes 2, 3, 7, 8, 12 and 14. Meanwhile, FDIAs detection method based on JIT has UD% on nodes 3 and 8. In addition, FDIAs detection method based directly on EMD has improved, but UD% still exists for nodes 3, 8 and 12. Differently, FDIAs detection method based on EMD&JIT has UD% of close to 0% for all target node state attacks. Therefore, it is shown that for all nodes in power system, the proposed method can detect the vast majority of attack samples, which also reflects the high detection accuracy.

6. Conclusions

FDIAs pose a great threat to power grid operation. In this paper, a new method is proposed to detect FDIAs in smart grids. This detection method is based on the earth-mover distance concept which considers the dynamic correlation of measured data variation at adjacent times. In this paper, EMD is used to measure the deviation between the probability distributions of different measurement variation. 99% confidence interval is considered to set the attack detection threshold. FDIAs are detected by comparing EMD under attack with the preset detection threshold. Furthermore, JIT is used to map the probability distribution of measurement variation to make its distribution characteristics more significant, so as to improve the detection accuracy of FDIAs. It is shown with the simulation results that this method can detect FDIAs for each node well, which has high detection rate and low false detection rate.