Detection of False Data Injection in Power Grid Exploiting Low Rank and Sparsity

Lanchao Liu, Mohammad Esmalifalak, and Zhu Han
Electrical and Computer Engineering Department, University of Houston, Houston, TX, 77004
Abstract—Smart grids are vulnerable to cyber attacks because of the inevitable coupling between cyber and physical operations. Diagnosing such malicious false data attacks is of significant importance for ensuring reliable operation of power grids. This task is challenging, however, when attackers inject bad data into power systems that is able to circumvent the traditional maximum residual detection method. By noticing the intrinsic low-rank structure of temporal error-free measurements of the power grid as well as the sparse nature of observable malicious attacks, we formulate the false data detection problem as a low-rank matrix recovery and completion problem, which is solved by convex optimization that minimizes a combination of the nuclear norm and the $\ell_1$ norm. To efficiently solve this mixed-norm optimization, the method of augmented Lagrange multipliers is applied, which offers provable optimality and convergence rate. Numerical simulation results on both synthetic and real data validate the effectiveness of the proposed mechanism.
I. INTRODUCTION

Power systems are undergoing significant changes because of increasing demand for reliable, sustainable and economical electricity services. Technological advances in telecommunication make near-online monitoring and control operations possible in future electric power systems [1]. State estimation (SE) [2], which identifies the current operating state of the power system, is one of the key functions in building the real-time models of electricity networks that are necessary for establishing Energy Management Systems (EMS). The measurements used in the state estimator are active and inactive power flow and injection in most of lines and buses. These measurements are typically transmitted to an Energy Control Center (ECC) and processed by the Supervisory Control And Data Acquisition (SCADA) system. The results of SE provide the real-time state of the power system and thus facilitate efficient monitoring of power system operations.

Currently, the accuracy of state estimation is under threat from false data in power systems. In power systems, the EMS collects the measurement data from remote meters on buses or transmission lines and estimates the system states roughly every 15 minutes. A linear estimation model can be used to estimate the states in the power system, whose measurements at that time instance are represented by a one-dimensional vector. False data is caused mainly by unintended measurement abnormalities, topology errors, or malicious attacks.

Security and reliability of operation are the main goals that the control center tries to provide for power networks. This goal is not achieved at all times, and unfortunately some failures cause significant problems for the producers and consumers of electricity. For example, the 2003 Northeast power blackout showed that even a small failure in a part of the grid (in this case, a small power company in northern Ohio) can have cascading effects that result in billions of dollars of economic losses. Nowadays, strong coupling between physical and cyber components gives rise to the cyber-attack threat in power networks. These attacks can result in different failures and power blackouts [3], or in economic loss for consumers by changing the optimal operation of power systems.

The effects of false data injection on power systems have been studied in [4]–[8]. The false data injection attacks are introduced in [4] to launch undetectable attacks that take advantage of the power system configuration. These attacks can change the results of SE, and even modify the results arbitrarily. In [5], [6], it is demonstrated that the false data attack can circumvent the bad data measurement detection in SCADA and lead to profitable financial misconduct in the power market. In [7], independent component analysis is used to launch false data injection without knowledge of the power grid topology. Adversarial strategies for malicious data attacks, both observable and unobservable, as well as countermeasures for the control center are investigated in [8], where an $\ell_1$ norm penalty is used for detecting sparse observable malicious data attacks.

Other false data detection methods are proposed in [9] and [10]. In [9], the faults in power system states are estimated by exploiting a convex optimization problem, and a sparse fault vector solution is computed by using $\ell_1$ regularization. In [10], an algorithm is proposed to find sparse unobservable attacks for a power system. For 3, 4, and 5-sparse unobservable attacks, canonical forms to describe their characterizations are summarized by the authors, and phasor measurement units (PMU) can be used as countermeasures against such attacks.
In this paper, we propose a novel mechanism to detect and identify the false data injection attack in power systems. Notice that most of the related works only consider the measurement vector at a time instance, and assume the attack vector is sparse at each time. Instead of considering measurements of the power system at an isolated time, we take a time series of measurements into account and aim at detecting the observable false data injection attack. The proposed mechanism capitalizes on two characteristics of the state estimation data in power systems. First, the error-free measurement matrix, whose columns are measurements of the power system at each time instance, inherently has a low-rank structure due to the intrinsic temporal correlation of power grid states. Second, the malicious attack matrix over time is sparse because attackers are either constrained to some specific measurement meters or limited in the resources required to compromise the meters persistently. In our case, we just assume the malicious attack matrix is sparse and do not require every column of it to be necessarily sparse, which is a more general assumption compared with most of the related work. We formulate the false data injection detection problem as a mixed-norm convex optimization problem, and apply the method of augmented Lagrange multipliers to solve it. The simulation results validate the effectiveness of the proposed mechanism.

The rest of the paper is organized as follows. The system model and bad data injection are addressed in Section II. Section III formulates the false data detection problem and adopts the method of augmented Lagrange multipliers. The proposed detection algorithm is tested on both IEEE case studies and Polish networks¹ during winter 1999-2000 peak conditions, and the numerical results are given in Section IV. Finally, the conclusion closes the paper in Section V.
Fig. 1. Physical and cyber layer of a 6-bus power system.
II. SYSTEM MODEL

A. State Estimation in Power System

A power system can be broadly divided into three parts: generators, transmission systems and distribution systems. In transmission systems, transmission lines carry the power from generating centers to load centers. Theoretically, the power from bus $i$ to bus $j$ in the transmission system can be approximated² as [12]

$$P_{ij} = \frac{V_i V_j}{X_{ij}} \sin(\theta_i - \theta_j), \tag{1}$$

where $V_i$ is the voltage at bus $i$, and $\theta_i$ is the phase angle of the voltage at bus $i$. $X_{ij}$ is the reactance of the transmission line between bus $i$ and bus $j$. Given the assumptions that the voltage phase differences between two buses are sufficiently small and the amplitudes of the bus voltages are near unity, equation (1) can be further simplified as a linear relation between the voltage phase difference and reactance in the DC power flow analysis, i.e.,

$$P_{ij} = \frac{\theta_i - \theta_j}{X_{ij}}. \tag{2}$$

¹ The Polish network is part of the 7500+ bus European UCTE system and represents 400 KV, 220 KV and 110 KV networks [11].
² In general, one can approximate the impedance of a transmission line with its reactance due to the high reactance over resistance (X/R ratio).

In power systems, the control center needs to observe the voltage phase angles of all the buses to make real-time decisions on operations. However, directly measuring the voltage phase angle of a bus is quite difficult. In this regard, the control center measures the active power in a line instead of obtaining the state information of the power system. These measurements can be the transmitted active power from bus $i$ to bus $j$ ($P_{ij}$), or the injected active power to bus $i$ ($\sum_j P_{ij}$). The observation at the control center can be written as

$$\mathbf{z} = \mathbf{H}\boldsymbol{\theta} + \mathbf{e}, \tag{3}$$
where $\mathbf{z} = [z_1, z_2, \ldots, z_M]^\top$ is the measurement vector, $\boldsymbol{\theta} = [\theta_1, \theta_2, \ldots, \theta_N]^\top$ is the state vector, and $\mathbf{e} = [e_1, e_2, \ldots, e_M]^\top$ is the zero-mean Gaussian measurement noise. $\mathbf{H}$ is the Jacobian matrix of the power system known to the independent system operator (ISO). An illustration of state estimation of a power system is shown in Fig. 1. The measurements used for state estimation are obtained on each transmission line and collected by the energy control center, where the measurements are processed by the SCADA system. However, some of the measurements may be compromised by measurement abnormalities or malicious attackers. We will introduce the false data injection in state estimation in Section II-B.

B. False Data Injection in State Estimation

The observations at the ISO may be faulty due to measurement abnormalities or malicious bad data injection, which have direct impacts on state estimation in power systems. Denoting $\mathbf{a} = [a_1, a_2, \ldots, a_m]$ as the malicious bad data, the observed measurements at the ISO can be expressed as

$$\mathbf{z}_a = \mathbf{z}_0 + \mathbf{a} = \mathbf{H}\boldsymbol{\theta} + \mathbf{e} + \mathbf{a}, \tag{4}$$

where $\mathbf{a}$ is referred to as the attack vector. By exploiting the inconsistency among the good and the bad measurements, we can detect the false data injection by thresholding the measurement residual. The process is described as follows. Given the measurement in (3), the estimated state vector $\hat{\boldsymbol{\theta}}$ can be computed with a Weighted Least Square estimator

$$\hat{\boldsymbol{\theta}} = (\mathbf{H}^\top \boldsymbol{\Sigma}_e^{-1} \mathbf{H})^{-1} \mathbf{H}^\top \boldsymbol{\Sigma}_e^{-1} \mathbf{z}_a, \tag{5}$$

where $\boldsymbol{\Sigma}_e$ is the covariance matrix of the noise vector $\mathbf{e}$. After estimating the state vector $\hat{\boldsymbol{\theta}}$, the measurement residual is calculated using its $\ell_2$ norm

$$r = \|\mathbf{z}_a - \hat{\mathbf{z}}_a\|_2 = \|\mathbf{z}_a - \mathbf{H}\hat{\boldsymbol{\theta}}\|_2. \tag{6}$$

Then, the residual is compared with a threshold $\tau$; the hypothesis of being attacked is accepted if

$$\max_i |r_i| > \tau, \quad i = 1, 2, \ldots, m. \tag{7}$$
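The residual test in (5)-(7), as an added example that is not code from the paper: a constructed 4-bus DC network with one flow meter per line is estimated by weighted least squares and tested against three thresholds, once on a clean sample and once with a 0.5 p.u. error on one meter. The topology, the reactance of 0.1 p.u., the noise level, the fixed noise sample and the threshold values are assumptions chosen for illustration.

```python
import numpy as np

# Constructed 4-bus network, not from the paper. Bus 1 is the angle
# reference (theta_1 = 0), so the state is [theta_2, theta_3, theta_4].
LINES = [(1, 2), (1, 3), (2, 3), (2, 4), (3, 4)]  # one flow meter per line
X_LINE = 0.1                                       # reactance of every line (p.u.)
SIGMA = np.full(len(LINES), 0.01)                  # meter noise std (p.u.)


def build_H(lines, n_bus, x):
    """Measurement matrix for line flows P_ij = (theta_i - theta_j) / X_ij, eq. (2)."""
    H = np.zeros((len(lines), n_bus - 1))
    for row, (i, j) in enumerate(lines):
        if i > 1:
            H[row, i - 2] = 1.0 / x
        if j > 1:
            H[row, j - 2] = -1.0 / x
    return H


def wls_estimate(H, z, sigma):
    """Weighted least squares state estimate, eq. (5), with Sigma_e = diag(sigma^2)."""
    W = np.diag(1.0 / sigma**2)
    return np.linalg.solve(H.T @ W @ H, H.T @ W @ z)


def residual_test(H, z, sigma, tau):
    """Return (max_i |r_i|, alarm) for the threshold test in eq. (7)."""
    r = z - H @ wls_estimate(H, z, sigma)
    worst = float(np.max(np.abs(r)))
    return worst, worst > tau


def residual_demo():
    H = build_H(LINES, n_bus=4, x=X_LINE)
    theta = np.array([-0.02, -0.05, -0.08])              # constructed true angles (rad)
    e = np.array([0.010, -0.008, 0.005, -0.012, 0.007])  # constructed noise sample
    z_clean = H @ theta + e                              # eq. (3)
    a = np.array([0.5, 0.0, 0.0, 0.0, 0.0])              # gross error on meter 1-2
    z_bad = z_clean + a                                  # eq. (4)
    alarms = {}
    for tau in (0.01, 0.05, 0.25):                       # too tight, moderate, too loose
        alarms[tau] = (residual_test(H, z_clean, SIGMA, tau)[1],
                       residual_test(H, z_bad, SIGMA, tau)[1])
    max_clean = residual_test(H, z_clean, SIGMA, 0.05)[0]
    max_bad = residual_test(H, z_bad, SIGMA, 0.05)[0]
    return alarms, max_clean, max_bad


if __name__ == "__main__":
    print(residual_demo())
```

With τ = 0.05 only the corrupted sample raises an alarm, while τ = 0.01 also alarms on the clean sample and τ = 0.25 misses the error. The 0.5 p.u. error leaves equal residuals on meters 1-2 and 1-3, so the largest residual signals bad data without locating it.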
Note that the performance of this maximum residue bad data detection method relies on the choice of $\tau$. An inappropriate choice of $\tau$ will deteriorate the effectiveness of this mechanism. Moreover, threshold-based detection methods only consider the state estimation of power systems at isolated time instances, and ignore the relations among consecutive measurements. Further, the pattern of the attack is not taken into consideration. In the following section, we propose a false data injection detection method for the smart grid that exploits the low-rank structure of time-series state estimations and the sparsity of the attack pattern.

III. PROPOSED ALGORITHM

In power systems, the ISO observes states of the power grid at regular time intervals. At time $t$, $\mathbf{z}_t$ is the measurements of the power system observed by the ISO. In the presence of false data injection, the measurements $\mathbf{z}_t$ are contaminated by the attack vector $\mathbf{a}_t$. We construct a matrix $\mathbf{Z}$ for the time-series measurements of the power system states with $T$ columns and $M$ rows, where each column corresponds to the time instance of measurements and each row corresponds to measurements for a certain time interval, respectively. The obtained time-series observations can be expressed as

$$\mathbf{Z}_a = \mathbf{Z}_0 + \mathbf{A}, \tag{8}$$

where $\mathbf{Z}_0 = [\mathbf{z}_1, \mathbf{z}_2, \ldots, \mathbf{z}_T] \in \mathbb{R}^{M \times T}$ is the measurements of the power state, and $\mathbf{A} = [\mathbf{a}_1, \mathbf{a}_2, \ldots, \mathbf{a}_T] \in \mathbb{R}^{M \times T}$ is the false data matrix. Since the states of a power system usually change gradually, the temporal patterns among the states of the power grid render the measurement matrix $\mathbf{Z}$ typically low-rank. In addition, due to the capability limitation of the attacker, the attacks are either constrained to some specific measurement meters or unable to compromise measurement meters persistently. Hence, only a small fraction of the observations are supposed to be anomalous at a given time instant, and the attack only lasts for a short period compared with the measurement period $T$. This implies that the false data injection matrix is sparse across both rows and columns. Hence, we can detect the false data injection matrix from the measurement matrix by solving the following convex optimization problem:

$$\min_{\mathbf{Z}_0, \mathbf{A}} \|\mathbf{Z}_0\|_* + \lambda \|\mathbf{A}\|_1, \quad \text{s.t.} \quad \mathbf{Z}_a = \mathbf{Z}_0 + \mathbf{A}, \tag{9}$$

where $\|\mathbf{Z}_0\|_*$ is the nuclear norm of $\mathbf{Z}_0$, which is the sum of its singular values, and $\|\mathbf{A}\|_1$ is the $\ell_1$ norm of $\mathbf{A}$, which is the sum of the absolute values of its entries. $\lambda$ is a regularization parameter. The optimization problem in (9) is called Robust Principal Component Analysis (PCA) [13], which has been extensively studied in the fields of compressive sensing [14] and matrix completion [15], and can be solved by many off-the-shelf convex optimization algorithms.

Motivated by [16], we propose an algorithm that utilizes the technique of augmented Lagrange multipliers to detect the false data matrix $\mathbf{A}$ as well as recover the measurement matrix $\mathbf{Z}_0$. The augmented Lagrange multipliers are used to solve constrained optimization problems of the following form:

$$\min f(\mathbf{X}), \quad \text{s.t.} \quad h(\mathbf{X}) = 0, \tag{10}$$

where $f : \mathbb{R}^n \to \mathbb{R}$ and $h : \mathbb{R}^n \to \mathbb{R}^m$. The augmented Lagrangian function is defined as

$$L(\mathbf{X}, \mathbf{Y}, \mu) = f(\mathbf{X}) + \langle \mathbf{Y}, h(\mathbf{X}) \rangle + \frac{\mu}{2} \|h(\mathbf{X})\|_2^2, \tag{11}$$

where $\mu$ is a positive scalar, and $\mathbf{Y}$ is the Lagrangian multipliers. $\langle \mathbf{Y}, h(\mathbf{X}) \rangle$ denotes the trace of $\mathbf{Y}^\top h(\mathbf{X})$. The optimization problem in (10) can be solved in an iterative way via the method of augmented Lagrange multipliers. More details about the augmented Lagrange multipliers technique can be found in [17]. For the optimization problem in (9), we reformulate it as:

$$f(\mathbf{Z}_0, \mathbf{A}) = \|\mathbf{Z}_0\|_* + \lambda \|\mathbf{A}\|_1, \quad h(\mathbf{Z}_0, \mathbf{A}) = \mathbf{Z}_a - \mathbf{Z}_0 - \mathbf{A}, \tag{12}$$

and then the Lagrangian function is

$$L(\mathbf{Z}_0, \mathbf{A}, \mathbf{Y}, \mu) = \|\mathbf{Z}_0\|_* + \lambda \|\mathbf{A}\|_1 + \langle \mathbf{Y}, \mathbf{Z}_a - \mathbf{Z}_0 - \mathbf{A} \rangle + \frac{\mu}{2} \|\mathbf{Z}_a - \mathbf{Z}_0 - \mathbf{A}\|_2^2. \tag{13}$$

The value of $\lambda$ is set to $\frac{1}{\sqrt{\max(m,n)}}$, where $m$ and $n$ are the dimensions of the measurement matrix $\mathbf{Z}_a$. With $k = 1, 2, \ldots$ indexing iterations, $\mathbf{Z}_0$ and $\mathbf{A}$ are optimized according to:

$$\mathbf{Z}_{0[k+1]} = \arg\min_{\mathbf{Z}_0} L(\mathbf{Z}_0, \mathbf{A}_{[k]}, \mu_{[k]}, \mathbf{Y}_{[k]}), \tag{14}$$

$$\mathbf{A}_{[k+1]} = \arg\min_{\mathbf{A}} L(\mathbf{Z}_{0[k]}, \mathbf{A}, \mu_{[k]}, \mathbf{Y}_{[k]}). \tag{15}$$

During each iteration of the optimization, both the Lagrangian multipliers $\mathbf{Y}$ and $\mu$ are updated, which improves the performance of the algorithm:

$$\mathbf{Y}_{[k+1]} = \mathbf{Y}_{[k]} + \mu_{[k]} (\mathbf{Z}_a - \mathbf{Z}_{0[k+1]} - \mathbf{A}_{[k+1]}), \tag{16}$$

$$\mu_{[k+1]} = \alpha \mu_{[k]}, \tag{17}$$

where $\alpha$ is a positive constant. It has been proved in [18] that the method of augmented Lagrange multipliers has a Q-linear convergence speed, which outperforms the iterative thresholding and interior point solver techniques. Also, to achieve the optimal solution, it is unnecessary to make the penalty parameter $\mu$ approach infinity. Moreover, the analysis of the convergence and the implementation of augmented Lagrange multipliers [18] are relatively simple. The proposed algorithm for false data detection in power systems is illustrated in Algorithm 1.

Algorithm 1 Proposed false data detection algorithm
Input: $\mathbf{Z}_a \in \mathbb{R}^{m \times n}$; $\lambda = \frac{1}{\sqrt{\max(m,n)}}$;
Initialize: $\mathbf{Y}_{[0]} = 0$; $\mathbf{Z}_{0[0]} = 0$; $\mathbf{A}_{[0]} = 0$; $\mu_0 > 0$; $\alpha > 0$; $k = 0$;
while not converge do
    $\mathbf{Z}_{0[k+1]} = \mathbf{Z}_{0[k]}$; $\mathbf{A}_{[k+1]} = \mathbf{A}_{[k]}$; $j = 0$;
    while not converge do
        $\mathbf{A}_{[k+1]}^{[j+1]} = S_{\lambda \mu_{[k]}^{-1}} \{ \mathbf{Z}_a - \mathbf{Z}_{0[k+1]}^{[j]} + \mu_{[k]}^{-1} \mathbf{Y}_{[k]} \}$;
        $(\mathbf{U}, \mathbf{S}, \mathbf{V}) = \mathrm{svd}(\mathbf{Z}_a - \mathbf{A}_{[k+1]}^{[j]} + \mu_{[k]}^{-1} \mathbf{Y}_{[k]})$;
        $\mathbf{Z}_{0[k+1]}^{[j+1]} = \mathbf{U} S_{\mu_{[k]}^{-1}} \{ \mathbf{S} \} \mathbf{V}^\top$;
        $j = j + 1$;
    end while
    $\mathbf{Y}_{[k+1]} = \mathbf{Y}_{[k]} + \mu_{[k]} (\mathbf{Z}_a - \mathbf{Z}_{0[k+1]} - \mathbf{A}_{[k+1]})$;
    $\mu_{[k+1]} = \alpha \mu_{[k]}$;
    $k = k + 1$;
end while
return $\mathbf{Z}_{0[k]}$; $\mathbf{A}_{[k]}$
Output: $\mathbf{Z}_{0[k]}$; $\mathbf{A}_{[k]}$

Fig. 2. ROC curves of the proposed algorithm versus PCA-based method and maximum residue bad data detection method: (a) performance for case IEEE 57 bus; (b) performance for case IEEE 118 bus; (c) performance on power flow data for Polish system during winter peak conditions, 1999-2000. Each panel, titled "ROC for classification", plots true positive rate against false positive rate for the proposed algorithm, PCA and least square.

IV. NUMERICAL SIMULATION

In this section, we evaluate the performance of the proposed algorithm on both synthetic and real data. The synthetic data are power flow data for the IEEE 57 bus and IEEE 118 bus test cases, generated by MATPOWER. The real data are power flow data for the Polish system during winter peak conditions, 1999-2000. To generate the synthetic data, we suppose the load on each bus in the power system is uniformly distributed between 50% and 150% of its base load. When the state estimation measurements are collected, a small portion $\varepsilon$ of the measurements are compromised by malicious attackers with an arbitrary amount of injection data. Here, we suppose the locations of the attack are chosen randomly. In total, measurements at $T$ time instances are obtained for analysis. The real data case represents the Polish 400, 220 and 110kV networks during winter 1999-2000 peak conditions.
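Algorithm 1 run end to end on constructed data, as an added example that is not the authors' code: it splits an observed matrix into a low-rank part and a sparse part and reports how well the injected entries are located. The initial value of µ, α = 1.5, the stopping tolerances, the sequential inner update, the 40 × 96 rank-2 test matrix with 3% of its entries attacked at random locations, and the 0.1 decision threshold are all assumptions made for the illustration.

```python
import numpy as np


def soft_threshold(X, tau):
    """Entrywise shrinkage S_tau{X}, the closed-form update for the l1 term."""
    return np.sign(X) * np.maximum(np.abs(X) - tau, 0.0)


def singular_value_threshold(X, tau):
    """U S_tau{S} V^T, the closed-form update for the nuclear-norm term."""
    U, s, Vt = np.linalg.svd(X, full_matrices=False)
    return (U * np.maximum(s - tau, 0.0)) @ Vt


def detect_false_data(Za, alpha=1.5, tol=1e-7, max_outer=100, max_inner=30):
    """Split Za into low-rank Z0 and sparse A by augmented Lagrange multipliers."""
    m, n = Za.shape
    lam = 1.0 / np.sqrt(max(m, n))              # lambda as set on the page
    Y = np.zeros((m, n))
    Z0 = np.zeros((m, n))
    A = np.zeros((m, n))
    mu = 1.25 / np.linalg.norm(Za, 2)           # assumed value for mu_0 > 0
    scale = np.linalg.norm(Za)                  # Frobenius norm, for stopping tests
    for _ in range(max_outer):
        for _ in range(max_inner):              # inner loop: alternate A and Z0
            A_new = soft_threshold(Za - Z0 + Y / mu, lam / mu)
            # Assumption: the Z0 step uses the A just computed (sequential update).
            Z0_new = singular_value_threshold(Za - A_new + Y / mu, 1.0 / mu)
            step = np.linalg.norm(A_new - A) + np.linalg.norm(Z0_new - Z0)
            A, Z0 = A_new, Z0_new
            if step <= tol * scale:
                break
        gap = Za - Z0 - A
        Y = Y + mu * gap                        # eq. (16)
        mu = alpha * mu                         # eq. (17); alpha > 1 is an assumption
        if np.linalg.norm(gap) <= tol * scale:
            break
    return Z0, A


def rpca_demo(m=40, T=96, attacked_fraction=0.03, seed=7):
    """Constructed data: rank-2 clean measurements plus sparse injected values."""
    rng = np.random.default_rng(seed)
    t = np.arange(T)
    # Two slowly varying load patterns shared by all meters give a rank-2 Z0.
    patterns = np.vstack([np.ones(T), np.sin(2 * np.pi * t / T)])
    Z0_true = rng.normal(size=(m, 2)) @ patterns
    A_true = np.zeros((m, T))
    k = int(attacked_fraction * m * T)
    idx = rng.choice(m * T, size=k, replace=False)   # random attack locations
    A_true.flat[idx] = rng.choice([-1.0, 1.0], size=k) * rng.uniform(1.0, 3.0, size=k)
    Z0_hat, A_hat = detect_false_data(Z0_true + A_true)
    flagged = np.abs(A_hat) > 0.1                    # constructed decision threshold
    truth = A_true != 0
    tpr = float((flagged & truth).sum() / truth.sum())
    fpr = float((flagged & ~truth).sum() / (~truth).sum())
    rel_err = float(np.linalg.norm(Z0_hat - Z0_true) / np.linalg.norm(Z0_true))
    return tpr, fpr, rel_err


if __name__ == "__main__":
    print(rpca_demo())
```

`rpca_demo()` returns the true positive rate, the false positive rate and the relative error of the recovered clean matrix; raising `attacked_fraction` shows the loss of separation that Section IV-B reports for denser attacks.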
A. Receiver Operating Characteristic Analysis

First we analyse the receiver operating characteristic (ROC) of the proposed algorithm, and compare it with the traditional maximum residue bad data detection method and the PCA³ detection method. The number of measurements collected for IEEE 57 bus is 80, and we obtained measurements for 288 time instances, which results in a measurement matrix $\mathbf{Z}_a$ of size 80 × 288. Similarly, the measurement matrix for IEEE 118 bus is 186 × 288. The ROC curves for the IEEE 57 bus and IEEE 118 bus cases are depicted in Fig. 2(a) and Fig. 2(b), respectively. A true positive means that the algorithm detects the malicious attack successfully at the right time instance and location. From the figures, it is apparent that even at a low false positive rate, the proposed algorithm can detect the false data accurately. For example, when the false positive rate $p_f = 0.0005$, the true positive rate $p_d = 0.95$ for case IEEE 57 bus, and when the false positive rate $p_f = 0.004$, the true positive rate $p_d = 0.97$ for case IEEE 118 bus.

To highlight the performance of the proposed algorithm, its performance is compared with the traditional maximum residue bad data detection method and the PCA-based method. Fig. 2(a) and Fig. 2(b) show that the proposed algorithm outperforms the other two methods. The maximum residue bad data detection method ignores the correlation between consecutive time instance measurements, and depends on the choice of threshold, both of which deteriorate the performance. The PCA method considers the correlation of time series measurements. It assumes the high-dimensional data lie near a much lower-dimensional linear subspace. However, it requires a prior estimation of the anomaly-free measurement matrix, and the performance breaks down under the corruptions of malicious attack. Different from the previous two methods, the proposed algorithm exploits the low-rank structure of the anomaly-free measurement matrix, and the fact that malicious attacks are quite sparse, which renders a better performance.

³ For PCA, we retain the largest $K$ singular values of the matrix such that $\sum_{i=1}^{K} s_i / \sum_{i=1}^{N} s_i > 95\%$.
Fig. 3. Performance of the proposed algorithm at different sparsity ratio for IEEE 57 bus and IEEE 118 bus test cases. The plot shows true positive rate against sparsity ratio S/M for case IEEE 57 bus and case IEEE 118 bus.
B. Performance vs. Sparsity Ratio

In this section, we vary the sparsity level of $\mathbf{a}$ and test the performance of the proposed algorithm. Let $S$ denote the number of malicious attacks in $\mathbf{a}$ and $M$ denote the length of $\mathbf{a}$, so only $S$ out of $M$ entries in $\mathbf{a}$ are non-zero. We define $S/M$ as the sparsity ratio and vary it from 0.1% to 0.4%. The performance of the proposed algorithm is shown in Fig. 3. From Fig. 3, the true positive rate is quite high at a low sparsity ratio. In particular, when the sparsity ratio is 0.1, the true positive rates are 94.8% and 97.3% for IEEE 57 bus and IEEE 118 bus, respectively. When the sparsity ratio increases, the true positive rate decreases, which means the proposed algorithm may not be able to handle the situation when attackers attack the power system massively. This is because when the attack matrix is not sparse enough, the mixed-norm minimization is not able to separate the low-rank anomaly-free matrix and the attack matrix. Note that the performance for the IEEE 118 bus case is better than for the IEEE 57 bus case, because the larger measurement matrix provides more information for the algorithm to detect the false data injection. Also, the "phase transition" phenomenon happens for both case studies: after a certain sparsity ratio, the performance deteriorates quickly.

C. Performance on Real Data

The real data case represents the Polish 400, 220 and 110kV power system networks during winter 1999-2000 peak conditions. The measurement matrix $\mathbf{Z}_a$ is 2896 × 288 and the sparsity ratio of the attack matrix is 15%. The performance on real data is consistent with the previous synthetic cases. In Fig. 2(c), the proposed algorithm can detect the malicious attacks effectively and accurately, and outperforms the traditional maximum residue bad data detection method and the PCA-based detection method.

V. CONCLUSION AND FUTURE WORK

Detection of the false data injection is of significant importance for effective and reliable operations in power systems.
In this paper, we propose a method that exploits the temporal correlation of the time-series state measurements, as well as the sparse nature of the malicious attacks, to detect the false data injection in power grids. We formulate the false data detection problem as a combination of the nuclear norm and the $\ell_1$ norm minimization problem, and utilize the method of augmented Lagrange multipliers to solve it. The performance of the proposed algorithm is validated on both synthetic and real data, and the effect of the sparsity of the attack matrix is also analyzed. Simulation results show that the proposed algorithm can effectively detect the false data in power systems, and outperforms the traditional maximum residue bad data detection method and PCA-based detection methods on both the synthetic and real data.

REFERENCES

[1] Z. Han, D. Niyato, W. Saad, T. Basar, and A. Hjorungnes, Game Theory in Wireless and Communication Networks: Theory, Models and Applications, Cambridge University Press, UK, 2011.
[2] A. Abur and A. G. Exposito, Power System State Estimation: Theory and Implementation, Marcel Dekker, Inc., 2004.
[3] S. Gorman, “Effect Of Stealthy Bad Data Injection On Network Congestion In Market Based Power System,” The Wall Street Journal, Apr. 8, 2009.
[4] Y. Liu, M. K. Reiter, and P. Ning, “False Data Injection Attacks Against State Estimation in Electric Power Grids,” the 16th ACM Conference on Computer and Communications Security, Chicago, IL, USA, Nov. 2009.
[5] M. Esmalifalak, Z. Han, and L. Song, “Effect Of Stealthy Bad Data Injection On Network Congestion In Market Based Power System,” IEEE Wireless Communications and Networking Conference, Paris, France, Apr. 2012.
[6] L. Xie, Y. Mo, and B. Sinopoli, “False Data Injection Attacks in Electricity Markets,” IEEE International Conference on Smart Grid Communications, Nov. 2010.
[7] M. Esmalifalak, H. Nguyen, R. Zheng, and Z. Han, “Stealth False Data Injection using Independent Component Analysis in Smart Grid,” IEEE International Conference on Smart Grid Communications, Brussels, Belgium, Oct. 2011.
[8] O. Kosut, L. Jia, R. J. Thomas, and L. Tong, “Malicious Data Attacks on Smart Grid State Estimation: Attack Strategies and Countermeasures,” IEEE International Conference on Smart Grid Communications, Gaithersburg, MD, Oct. 2010.
[9] D. Gorinevsky, S. Boyd, and S. Poll, “Estimation of Faults in DC Electrical Power System,” American Control Conference, St. Louis, Missouri, Jun. 2009.
[10] A. Giani, E. Bitar, M. Garcia, M. McQueen, P. Khargonekar, and K. Poolla, “Smart Grid Data Integrity Attacks: Characterizations and Countermeasures,” IEEE International Conference on Smart Grid Communications, Brussels, Belgium, 17-20 Oct. 2011.
[11] R. D. Zimmerman, C. E. Murillo-Sánchez, and R. J. Thomas, “MATPOWER Steady-State Operations, Planning and Analysis Tools for Power Systems Research and Education,” IEEE Transactions on Power Systems, vol. 26, no. 1, pp. 12-19, Feb. 2011.
[12] J. J. Grainger and W. D. Stevenson Jr, Power system analysis, vol. 621, 1994, McGraw-Hill.
[13] E. Candès, X. Li, Y. Ma, and J. Wright, “Robust Principal Component Analysis?”, Journal of the ACM, vol. 58, no. 5, pp. 1-37, May 2011.
[14] Z. Han, H. Li and W. Yin, Compressive Sensing for Wireless Communication, Cambridge University Press, UK, 2012.
[15] E. J. Candès and B. Recht, “Exact matrix completion via convex optimization,” Communications of the ACM, vol. 55, no. 6, pp. 111-119, June 2009.
[16] Z. Lin, M. Chen, L. Wu, and Y. Ma, “The Augmented Lagrange Multiplier Method for Exact Recovery of Corrupted Low-Rank Matrices,” UIUC Tech. Report UILU-ENG-09-2215, 2009.
[17] D. P. Bertsekas, Nonlinear Programming, Athena Scientific, Belmont, MA, 1999.
[18] D. P. Bertsekas, Constrained Optimization and Lagrange Multiplier Method, Academic Press, NY, 1982.