Detection Scheme for Tampering Behavior on Distributed Controller of Electric-Thermal Integrated Energy System Based on Relation Network

Zhu, Chaoqun; Li, Jie; Shen, Jie; Zhou, Lei; Zhang, Xiaoming; Zhu, Dan; Li, Yafei

doi:https://doi.org/10.1155/2022/9594267

Computational Intelligence and Neuroscience

On this page

Abstract Introduction Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Safe and Fair Machine Learning for Neuroscience

View this Special Issue

Research Article | Open Access

Volume 2022 | Article ID 9594267 | https://doi.org/10.1155/2022/9594267

Detection Scheme for Tampering Behavior on Distributed Controller of Electric-Thermal Integrated Energy System Based on Relation Network

Chaoqun Zhu,¹Jie Li,¹Jie Shen,¹Lei Zhou,¹Xiaoming Zhang,¹Dan Zhu,¹and Yafei Li¹

Academic Editor: Shahid Mumtaz

Received13 Jun 2022

Revised26 Jul 2022

Accepted02 Aug 2022

Published27 Aug 2022

Abstract

In recent years, with the development of smart grid, the power systems and other energy systems are gradually forming integrated energy systems. The electric-thermal integrated energy system is a mature integrated energy system at present. The electric-thermal integrated energy system uses modern communication technology to realize the comprehensive regulation of electric energy and thermal energy, which greatly improves the efficiency of energy use. However, this also greatly increases the risk of malicious tampering with the energy dispatch system. In this paper, we study the regulation of electric-thermal integrated energy systems considering false data injection attacks. First, we establish a compromised model of an electric-thermal integrated energy system considering false data injection attacks. Then, we designed vulnerable variable observers for different tampering scenarios to observe the tampered variables. Finally, considering the relationship between the observed data and the measured data, we design a tampering behavior detection method based on relation network. The simulation results verify the effectiveness of the detection method proposed in this paper.

1. Introduction

The electric-thermal integrated energy system (ETIES) is an important part of the integrated energy system. With the aid of the advanced network information technology and innovative operation and management models, ETIES integrates electrical and thermal energy in the region, realizes operation optimization and coordinated control among various heterogeneous energy sub-networks through energy coupling equipment, and effectively improves energy conversion efficiency and promotes sustainable energy while meeting the diverse energy needs of users [1–3]. However, ETIES based on distributed optimization architecture is a highly integrated information-physical energy system. The information system of ETIES is bound to endure a huge threat of cyber attacks while exchanging a large amount of information data [4, 5].

The spread of malicious attacks in the communication network will destroy the environment of network communication, make the economic operation of the system impossible, even destroy the stability of the system [6, 7]. In [8], the authors propose that the measurement equipment in the cyber physical system suffer from multiple types of cyber-attacks, and summarizes the current mainstream attack defense schemes based on learning-based methods. In [9], the authors propose that the energy-water nexus with multiple sensors may be vulnerable to cyber-attacks. To deal with the potential threats, an observer-based attack detection method is proposed. As a typical information-physical system, the monitoring and control of power system highly depends on the accuracy of measured data [10]. When the measurement data is compromised, the operation stability and security of the power system will be greatly reduced, thus threatening social security and social economy. To enhance the resilience of the sensors in power systems, the attack defense scheme based on the features of the measured data is proposed. This type of attack detection scheme enables cyber physical system to maintain good detection performance under cyber-attacks.

False data injection attack (FDI attack) is a new form of attack that has appeared in recent years to undermine the credibility of the operational data of integrated energy systems [11, 12]. When the attacker has the ability to inject data streams into the data transmission channel of the integrated energy system, attack vectors can be constructed targeting the vulnerabilities of the traditional bad data detection methods and identification methods of the integrated energy system, and arbitrarily manipulate the data of the attacked data channel of the integrated energy system. The flow changes the real data of the system into false data, which affects the real-time operation status of the power system, thus threatening the stable, safe and economic operation of the power system. Therefore, it is necessary to improve the attack defense capability of monitoring node sensors to resist the damage to the system caused by cyber-attacks [13, 14].

At present, there are two main perspectives in the research on considering the existence of FDI attacks in the system. On the one hand, from the perspective of FDI attackers, researchers design an optimal attack strategy that can improve the probability of successful attack and attack effect. Reference [15] studies the attack vector construction method from the attacker’s point of view. Combining the norm and norm of the attack vector, an attack evaluation index to measure the attack effect and attack cost is proposed. References [16–18] considered the scenarios where the measurement data in the actual system has different security protection levels, and proposed a corresponding minimum attack vector construction method. In order to reduce the attack cost and improve the attack efficiency, the literature [19, 20] designed an attack vector construction method based on the minimum cut set with the goal of making the energy system lose its ability to observe the external environment. At the same time, other attack scenarios can also be considered when constructing false data injection attack vectors. The attacker in [21] used traditional attack methods such as worms to break through the firewall and obtained the control authority of the basic equipment, and then launched a false data injection attack to tamper with the state variables of the energy system, thereby causing cascading failures of associated equipment. Reference [22] proposed a form of attack based on false data injection attacks to attack the topology of power systems—Man-in-the-middle attacks (MITM attacks). In this form of attack, the attacker eavesdrops on the data transmission terminals of the power system, and spoofs the status of the power system equipment by injecting false data. At this time, the communication mode between data transmission terminals changes from direct communication in normal state to relay communication through third-party devices, and the reliability of the association state between devices will be destroyed. Reference [23] demonstrates the attack effect of a multi-level MITM attack with the help of a simulation platform. The simulation results show that this type of attack can mislead the control center to make a wrong assessment of the current energy system topology by controlling the switch state between the devices, and trigger misoperations to cause power system physical layer accidents. Reference [24] added a data frame attack to the man-in-the-middle attack based on the normalized residual search method. Different from traditional false data injection attacks, which aim to maintain the concealment of false data, the main purpose of this type of attack is to deliberately launch bad data detection (BDD) to make real data be regarded as false data, thereby disturbing state estimation of energy system.

On the other hand, researchers propose defense strategies against network attacks from the perspective of system defense. References [25, 26] use Petri nets to describe the information flow between data interaction terminals in a power cyber-physical system and propose a cooperative intrusion detection algorithm against false data injection attacks. The analysis model based on Petri net can clearly describe the transient and steady-state reliability of power system under multiple attack events. The detection of false data injection attacks based on machine learning algorithms is also a research direction that domestic and foreign researchers focus on. Reference [27] considered the behavior characteristics of false data injection attacks against load frequency control systems, and designed an intelligent attack detection algorithm based on multi-layer perceptrons to effectively identify false data injection attacks. Reference [28] considered the behavior characteristics of false data injection attack on power system transmission lines, using programmable logic controller as a detection method. The computing node of the algorithm is tested, and the classifier of machine learning is used to realize the identification of false data injection attacks. This distributed attack detection algorithm can effectively reduce decision-making delay and improve attack detection efficiency. Reference [29] proposed an unsupervised attack detection scheme based on the isolation forest algorithm, and used the principal component analysis method to extract the features of the power system variables, thereby reducing the dimensionality problem in the machine learning process. Reference [30] considered the problem of a small number of abnormal samples in the process of machine learning training, and proposed an intelligent attack detection algorithm using the support vector description domain to detect false data injection attacks in the load frequency control system. Reference [31] considered the false data injection attack form for load forecasting, proposed a machine learning-based load forecasting anomaly detection method, and estimated the false data injection attack type through naive Bayesian classification.

Similar to the original social power supply, heating and other systems, in the operation process of ETIES, one of the most concerned issues is how to realize the economic scheduling of the system, that is, how to comprehensively allocate the capacity distribution between multiple energy units on the premise of meeting the system security constraints, so as to minimize the economic cost of the system, and then realize the dual guarantee of system operation in terms of security and economy. The economic scheduling method of ETIES can be divided into centralized method and distributed method. Although the centralized method has high efficiency in information processing, it has some problems, such as high communication cost and sensitivity to single point of failure. The distributed method can use the sparse communication network structure to realize the decentralized cooperation of various equipment components of the system, which has less communication burden, stronger robustness and privacy. Therefore, in recent years, experts and scholars at home and abroad have proposed many ETIES economic scheduling methods based on distributed optimization.

However, it is worth noting that although the above method can effectively solve the distributed economic scheduling problem of ETIES, its premise is that the system operates in an ideal network communication environment, that is, a large number of interactive measurement and control data can be reliably transmitted on the communication line. However, ETIES based on distributed optimization architecture is an energy system with high integration of information and physics. While the information system of ETIES interacts with a large amount of information and data, it is bound to suffer from a huge threat of network attack. The spread of malicious attacks in the communication network will destroy the bad environment of network communication, make the economic operation of the system impossible, and even destroy the stability of the system, resulting in the paralysis of the energy supply system.

ETIES is a large system with electrical-thermal coupling characteristics, and its structure and operation are much more complex than traditional power systems. Therefore, malicious attackers need to adopt more complex and targeted strategies according to system conditions when attacking ETIES. So far, most of the research on the impact of network attacks on system performance is carried out on a single power system, and there is no research on the impact of network attacks on the operational security of ETIES. The distributed scheduling of ETIES depends on the security and reliability of the communication network, and network attacks will inevitably affect the scheduling process of ETIES, thereby affecting the performance of the system.

Aiming at this research gap, the motivation of the paper is to enhance the safety and security of the electric-thermal integrated energy system by studying the ETIES model under FDI attacks and designing an attack detection method based on machine learning algorithm.

The main contributions of the paper are three fold:(1)We establish attack templates in the electric-thermal integrated energy system and discuss the impact of false data injection attacks on the integrated energy system.(2)In the electric-thermal integrated energy system under FDI attack, we propose an observer-based method for observing vulnerable variables of the system, so that the compromised variables can be effectively observed.(3)Using the observation data obtained by the observer, we propose a relation network-based attack detection algorithm to detect FDI attacks in integrated energy systems.

The scope of the paper is shown as follows: first, the compromised model of the electric-thermal integrated energy system is discussed in this paper; Then, based on the variables in the system, a machine-learning-based attack detection method is studied to identify the FDI attacks on ETIES.

The remaining part of this paper is organized as follows: in Section 2, the model of the compromised electric-thermal integrated energy system under FDI attacks is established. In Section 3, the observer of the vulnerable variables is designed. In Section 4, the attack detection method based on relation network is designed. In Section 5, simulations are designed and the results are discussed. In Section 6, conclusions are stated.

1.1. Indices and Variables

: Incremental cost of power only device.

: incremental cost of combined heat and power device.

: thermal incremental cost of combined heat and power device.

: thermal incremental cost of heat only device.

: electric power mismatch of power only device.

: electric power mismatch of combined heat and power device.

: thermal power mismatch of combined heat and power device.

: thermal power mismatch of heat only device.

: attack vector.

: electric output power of power only device.

: electric output power of combined heat and power device.

: thermal output power of combined heat and power device.

: thermal output power of heat only device.

: state vector of the system.

: augmented state vector of the system.

: observation of augmented state vector.

: estimation error.

: data vector in the measured data set.

: data vector in the observed data set.

: feature vectors of measured data.

: feature vectors of observed data.

: prototype of the measured data feature vector in class .

: prototype of the observed data feature vector in class .

: number of samples in class of measured data feature vectors.

: number of samples in class of observed data feature vectors.

: concatenation module in relation network.

: relation module in relation network.

: similarity score in relation network.

: objective function in relation network.

: labels for measured data.

: labels for observed data.

: evaluation index of accuracy.

: evaluation index of the probability of detecting correctly.

: evaluation index of success ratio.

: evaluation index of probability of identifying normal cases.

: trade off between and .

1.2. Abbreviations

ETIES: electric-thermal integrated energy system.

FDI: false data injection.

MITM: man-in-the-middle.

BDD: bad data detection.

DDCA: distributed energy double-consensus algorithm.

POD: power only device.

CHP: COMBINED heat and power.

RELU: rectified linear unit.

2. FDI Attacks against Compromised Electric-Thermal Integrated Energy System and Countermeasures

In this section, we propose the FDI attacks against electric-thermal integrated energy system and study the countermeasures by designing the attack detection scheme. First, we introduce the basics of the energy management control strategy of electric-thermal integrated energy system, and propose the compromised model as the first step to mitigate FDI attacks. Second, based on the compromised model, we design observers to detect the variables compromised by FDI attacks. Finally, based on the observed data obtained by the proposed observers and the measured data obtained by measurement in ETIES, we propose an attack detection method to identify the safety status of ETIES.

2.1. Basics of Compromised Electric-Thermal Integrated Energy System

The typical distributed energy management method of electric-thermal integrated energy system is to use distributed energy double-consensus algorithm (DDCA). DDCA employs two different consensus protocols. One of the consensus protocols is used to calculate the incremental cost corresponding to the optimal solution of the ETIES economic dispatch problem. Another consensus protocol aims to estimate the amount of electrical/thermal local power mismatch for coordinating device output. The two protocols of DDCA use different but strongly coupled consistency variables to calculate the electric/thermal incremental cost, electric/thermal output power and electric/thermal local power mismatch corresponding to the optimal solution of ETIES economic dispatching problem, so as to finally realize the distributed economic dispatching of ETIES. ETIES scheduling depends on the information exchange and local calculation between each unit and its neighbors. Each energy unit contains a distributed controller for operation.

The attacker can attack the incremental cost estimator and the output power decision of the energy unit in DDCA, thereby affecting the output power of the unit in the energy unit. Inspired by reference [32], the compromised incremental cost estimator and output power decision-maker studied in this paper can be written aswherewhere is the consistency algorithm update matrix in DDCA, which is determined by the adjacency relationship between the current energy unit and the surrounding energy unit; is the algorithm convergence rate adjustment matrix in DDCA; is the corresponding attack weight matrix.

The compromised output power decision-maker studied in this paper can be written aswherewhere is the cost coefficient matrix; is the corresponding attack weight matrix.

It can be learned that FDI attacks can change the power output of the energy unit by tampering with the state variables of different modules in the ETIES, which has an impact on the power balance of the integrated energy system. In the next section, observers for different attack intrusion locations are designed to observe the FDI attacks.

3. Design of Observers for Detecting Compromised Variables in ETIES

3.1. Observer Design of Incremental Cost Estimator under FDI Attacks

In this part, we focus on the observer for compromised incremental cost estimator. The compromised system can be expressed as

Taking the attack vector at time as an additional state, we can obtain the augmented state vector . The following augmented system can be establishedwhere

The following observer of the augmented system is designedwhere represents the state vector of the dynamic system (4); , and are the gain matrices with appropriate dimensions.

Theorem 1. When the compromised system has a state observer in the form equation (5), it needs to meet the following requirements: (1) ; (2) There are symmetric positive definite matrices P and W satisfying

Proof. Proof. Consider nonsingular matrices and such thatBased on Sylvester inequality, we can deriveTherefore, we can deriveWhen the matrix to be designed isThen the matrix is a nonsingular matrix. Let the matrix beThere exists . The relationship between matrix and matrix is satisfiedThen according to Moore Penrose theorem, it can be seen that is a kind of generalized inverse matrix of , and hasAmong them, is a freely selected matrix, and the main purpose of parameter selection is to make a nonsingular matrix.
For the system estimation error, we can deriveThusSelect the following Lyapunov functionWe can deriveIf there exists matrix P and matrix L satisfyingThen according to Schur complement theorem and Lyapunov stability theory, it can be obtained that and is convergent. Let , then inequality equation (21) is equivalent to inequality equation (9).
The proof is completed. It can be learned that the defender can observe the system variables through the observer proposed in this paper when the incremental cost estimator is compromised.

3.2. Observer Design of Output Power Decision-Maker under FDI Attacks

In this part, we focus on the observer for compromised output power decision-maker. The compromised system can be expressed as

Taking the attack vector as an additional state, we can obtain the augmented state vector . The following augmented system can be establishedwhere

Similarly, for this augmented system, we can also construct an observer in the form of formula (8). Conditions for the existence of observer are stated in Theorem 1. Due to space limitation, the proof of the existence of the observer is not repeated in this subsection. It can be learned that the observer design method based on augmented system can be effectively applied to the situations where incremental cost estimator or output power decision-maker is compromised.

3.3. Observer Design in Situations of Multiple Modules being Compromised considering Uncertainties

In this part, multipoint FDI attacks are considered: the attacker can launch FDI attacks on incremental cost estimator and output power decision-maker simultaneously. The compromised system can be expressed aswhere and are unknown input vectors caused by uncertainties of system; and are known constant coefficient matrices with appropriate dimensions. Taking the attack vector as an additional state, we can obtain the augmented state vector . The following augmented system can be establishedwhere

The following augmented system can be establishedwhere represents the state vector of the dynamic system equation (26); , , , and are the gain matrices with appropriate dimensions. The estimation error can be defined as .

The derivative of the estimation error can be calculated as

If the following relationships can be held:

The derivative of the estimation error can be expressed as

The proof of the necessary conditions for the existence of the observer for the augmented system (26) can be found in [33] and omitted in here.

Theorem 2. For the augmented system 23, there exists a robust observer in the form of equation (24) such that where , if there exists a positive definite matrix and matrix , such thatwhere , , , , and .

Proof. Proof. Take the following Lyapunov function candidate for system (30)one hasIf , from equations (32) and (34) one has . The error dynamic is asymptotically stable.
LetWe can deriveBased on equations (32) and (36), we can deriveIn view of the fact that and , we can derivewhich is equivalent to . The proof is completed.
Based on the proposed observer, we can derive the observed data of the variables and the measured data of those in DDCA. For the defender, it is necessary to identify the similarities between the measured data and the observed data under normal situations and distinguish the differences under the compromised situations.

4. Detection Scheme against FDI Attack considering Dual Source Data

In this section, we study the attack detection scheme against FDI attacks based on the observed data of the variables and the measured data of those in DDCA. A relation-based detection network is proposed to extract the similarity of the dual source data. We design the machine-learning-based detection scheme based on the following considerations:(i)The method of calculating dual source data vector similarity based on traditional Euclidean distance requires too much prior knowledge level of defenders. In this paper, we use an embedding module and a relation module to extract the similarity of the dual source data automatically.(ii)Traditional machine learning methods need the distance of data vector in feature space to identify, which means that large scale of training data set is needed. In this paper, we skip the learning of feature distance and directly learn the relationship between dual source data, so as to effectively reduce the demand for the size of data set.

As is shown in Figure 1, the detection network contains measured data set, observed data set, Embedding module, and relation module. The data in the observed data set can reflect the current real operating state of the DDCA system, and the data in the measured data set may be tampered with. As to the attack detection network, we identify the attack by comparing the observed data with measured data. The measured data set consists of the compromised data set and the normal data set. When the data for comparison comes from the compromised data set, the relationship between dual source data is strong similarity. When the data for comparison comes from the normal data set, the relationship between two dual data is weak similarity.

As to the datasets, the data vectors in each dataset consists of the time series data of target variables in DDCA, including the data of incremental cost and those of output power. The data vector in the measured data set is written as . The data vector in the observed data set is written as . The embedding module, which consists of full connect layers and rectified linear units (ReLUs), is used to extract the features of samples with a nonlinear function . Compared with the traditional manual feature extraction method, the feature extraction by full connect layers can reduce the prior knowledge requirements of attack detection network for attack features. Rectified linear units are used to improve the generalization ability of the embedding module. The feature vectors of measured data and observed data generated by the embedding module can be expressed as and . To alleviate the over fitting problem of the embedding module, class prototype of each feature vector class is adopted. The prototype of the measured data feature vectors and the prototype of the observed data feature vectors can be expressed as

We can derive the class feature vector by concatenating the prototypes in depth dimension. The relation module is used to extract the similarity between the concatenations with a nonlinear relation function . The similarity can be written as

To train the attack detection model, mean square error (MSE) is used as the objective function .

If the measured data is compromised, then and is closed to 0. If the measured data is normal, then and is closed to 1.

Pseudocode for the proposed detection scheme is provided in Figure 2. First, input samples of variables of interest in DDCA as measured data set. Label the compromised data and the normal data. Then, use the proposed observer to observe the variables and form the observed data set. Then, obtain the feature vectors and prototype vectors in order with the help of the proposed module. Based on the relation feature vector concatenated by prototype vectors, calculate the similarity score using relation module. Based on the proposed objective function, optimize the model parameters with the stochastic gradient descent optimizer. After training the model, sample the incoming data, calculate the similarity and output the type of the test data.

5. Case Study

In this section, simulations are carried out to illustrate the effectiveness of the proposed observer and attack detection network of the variables in DDCA. The Barry Island electricity and heating networks is used as the tested system. The structure and parameters of the system can be found in [34].

5.1. Performance of the Observer for the Compromised System

In the DDCA system, the coefficient matrices are

The attack vector is , where

First, we illustrate the performance of observer against false data injection attacks on incremental cost estimator. The attack target variable is . Based on the method proposed in Section 1, the observed data of the variable can be obtained. The simulation result of the dual source data is shown in Figure 3. The observation error is shown in Figure 4. It can be learned that when the attack volume is a static value, the observed data can effectively track the measured data. When the attack volume changes, there is a certain observation error between the observed data and the measured data, because the changed attack volume is equivalent to the changing disturbance volume. The difference between the observed data and the measured data will be an important basis for the attack detection network to identify whether the system is compromised.

Then, the performance of observer against false data injection attacks on output power decision-maker is studied. The attack target variable is . Based on the method proposed in Section 2, the observed data of the state variable in DDCA can be obtained. The simulation results are shown in Figures 5 and 6.

It can be learned that the FDI attacks on electric output power in the output power decision-maker makes the measured incremental cost data different from the observed ones. Compared with the FDI attacks on incremental cost estimator, the impact of FDI attacks on output power decision-maker can be reflected by the variables in incremental cost estimator.

To illustrate the performance of the proposed observer in situations of multiple modules being compromised, we analysis the simulation results considering the situation that and are compromised simultaneously. Based on the method proposed in Section 3, the observed data of the variable can be obtained. The simulation results are shown in Figures 7 and8. It can be learned that there are obvious differences between the measured data and the observed data. The difference of dual source data is affected by the attack volume, as well as the system noise, disturbance and delay. Therefore, it is necessary to identify whether the system is compromised based on the attack detection scheme.

5.2. Performance of the Observer for the Relation-Based Attack Detection Scheme

In this subsection, we evaluate the performance of the proposed attack detection scheme. In the embedding module, there are three full connect layers and rectified linear units. The batch size of the relation network is chosen as 20. In the measured data set, there are 500 normal sample data and 500 compromised data from the historical database. In the observed data set, 1000 observed data are generated based on the proposed method studied in Section B. The simulations are carried out on a personal computer with Intel processor core i7, cache 3.4 GHz, NVIDIA GTX 2060, and random-access memory (RAM) 32 GB.

To evaluate the performance of the relation-based attack detection scheme, the following metrics are used:(1)Accuracy: where represents the number of true positive detection results; represents the number of true negative detection results; represents the number of false positive detection results; represents the number of false negative detection results.(2)The probability of detecting correctly:(3)Success ratio:(4)Probability of identifying normal cases:(5)Trade off between and : where is the trade-off coefficient. Details about the performance metrics can be found in [31].

To illustrate the effectiveness of the proposed detection scheme, six methods are adopted for comparison: (1) The proposed relation-based attack detection scheme (ME1); (2) Attack detection scheme using relation network without prototype module (ME2); (3) Attack detection scheme using multi-layer perception (ME3); (4) Attack detection scheme using signal forecasting method (ME4); (5) Attack detection scheme using support vector machine (ME5); (6) Attack detection scheme using clustering artificial bee colony algorithm (ME6).

The simulation results are shown in Figure 9. Compared with other attack detection scheme, the attack detection scheme (ME1) proposed in this paper has better performance in each algorithm evaluation index, that is, the proposed detection scheme can effectively detect false data injection attacks on variables in DDCA. The better performance of the proposed attack detection scheme mainly comes from the fact that the relation-based attack detection network focuses on exploiting the differences between normal data and compromised data, while the other attack detection schemes focus on exploiting the features. If the common features of normal data and compromised data are learned by the other attack detection schemes, it will have a negative impact on the performance of the attack detection schemes.

5.3. Stability and Reliability of the Relation-Based Attack Detection Scheme

In order to further investigate the stability of the detection performance of the proposed attack detection scheme, the performance of the attack detection scheme with different proportion of training sets is studied: at an interval of 5%, samples with a proportion from 40% to 80% are selected as the training sets. The simulation results are shown in Figure 10. It can be seen that although the performance of the proposed attack detection scheme will decline with the sample size, and the performance of some training sample sizes is inferior to other schemes, its overall attack detection performance is basically in the first echelon, which verifies that the attack detection scheme still has excellent detection effect under the sample size discussed in this section.

(a)

(b)

(c)

(d)

Considering the insufficient samples of compromised data in practice, we further discuss the reliability and stability under different positive and negative sample ratios. In this section, the ratio of positive samples to negative samples is 1 : 1, 1 : 2, 1 : 5 and 1 : 10 respectively. The specific performance verification effect is shown in Figure 11. It can be learned that when the number of positive samples is smaller than the number of negative samples, the performance of the proposed attack detection scheme will decline to a certain extent, but the overall performance still has certain advantages over other detection schemes. The decline of detection performance is mainly due to the fact that the attack detection network can not fully learn the difference between positive and negative samples.

(a)

(b)

(c)

(d)

Considering that the detection scheme proposed in this paper depends on the real-time data of the sensors, we further study the impact of measurement noise and measurement delay on the attack detection performance in the process of collecting sensor data. We design two metrics, security noise and security delay, to evaluate the detection performance of the proposed attack detection method. Safe noise (delay) refers to the maximum noise (delay) that can be tolerated when the detection accuracy (MA) reaches a specified threshold.

Safe noise and safe delay considering different threshold of MA are in Table 1. It can be learned that the safe noise (delay) decreases with the increase of the threshold. It can be seen that when there are high requirements for the accuracy of the detection scheme, the data required by the detection scheme is also more ideal. Noise and delay have a significant impact on the detection effect. Correspondingly, if the requirements for detection performance are appropriately reduced, the proposed detection scheme has a certain tolerance to noise and delay. As a remedy, the defender should also consider using a variety of detection schemes to cross check the attack behavior, so as to improve the overall accuracy.

6. Conclusions and Discussions

6.1. Conclusions

In this article, false data injection attacks on distributed controller of electric-thermal integrated energy system and countermeasures are studied. Observers of variables in DDCA are designed to track the compromised data. The proposed observer can achieve the observation considering different attack targets in DDCA. Based on the observed data and the measured data, we proposed a relation-based attack detection scheme to identify the false data injection attacks.

The simulation results show that the attack detection scheme has better performance than the current mainstream scheme under multiple evaluation indexes. The better detection performance of the proposed scheme is attributed to its direct judgment of the difference between normal data pairs and compromised data pairs, which reduces the learning of other unnecessary or incorrect features. For the stability of the proposed scheme, compared with other schemes, the proposed scheme can maintain better detection performance with less proportion of training sets.

Therefore, we believe that the proposed attack detection scheme can achieve good performance against FDI attacks on ETIES.

6.2. Discussions

It can be seen that the limitation of the proposed method used in this paper is that it requires real-time data of the system, which makes the defender have a certain dependence on the real-time sensor communication network. As to practical implementation, the challenge is how to deal with the large-scale destruction of more sensors by attackers. In such a scenario, the trusted data available in this paper will be reduced, and the ability to identify attacks will be reduced.

A possible mitigation approach is to stop using the real-time data obtained by the sensors of the system. As an alternative, the defender can use the system model and historical data to generate prediction data for real-time data, and use the predicted data combined with the algorithm proposed in this paper to identify cyber attacks. It can be seen that this research idea further reduces the dependence on real-time sensors, thereby reducing the uncertainty under large-scale attacks.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare no conflicts of interest.

Acknowledgments

This work is supported by the National Grid Corporation of China project “All-electric Campus.”

References

A. Qian and H. Ran, “Key technologies and challenges for multi-energy complementarity and optimization of integrated energy system,” Automation of Electric Power Systems, vol. 42, no. 4, pp. 2–10, 2018.
View at: Google Scholar
J. Li, J. Fang, Q. Zeng, and Z. Chen, “Optimal operation of the integrated electrical and heating systems to accommodate the intermittent renewable sources,” Applied Energy, vol. 167, pp. 244–254, 2016.
View at: Publisher Site | Google Scholar
J. Li, M. Zhu, and Y. Huang, “Classification and location scheme selection of coupling components in integrated electrical and heating systems with renewable energy,” CSEE Journal of Power and Energy Systems, vol. 6, no. 3, pp. 619–629, 2019.
View at: Google Scholar
Y. Ding, Y. Jiang, and Y. Song, “Review of risk assessment for energy internet, part i: physical level,” Proceedings of the CSEE, vol. 36, no. 14, pp. 3806–3817, 2016.
View at: Google Scholar
J. Yibao, S. Yonghua, D. Yi, G. Chuangxin, and J. Wende, “Review of risk assessment for energy internet part t ii: information and market level,” Proceedings of the CSEE, vol. 36, pp. 4023–4025, 2016.
View at: Google Scholar
M. S. Mahmoud, H. M. Khalid, and M. M. Hamdan, Cyberphysical Infrastructures in Power Systems: Architectures and Vulnerabilities, Academic Press, Massachusetts, MA, USA, 2021.
W. He, W. Xu, X. Ge, Q.-L. Han, W. Du, and F. Qian, “Secure control of multi-agent systems against malicious attacks: a brief survey,” IEEE Transactions on Industrial Informatics, vol. 18, no. 6, pp. 3595–3608, 2022.
View at: Publisher Site | Google Scholar
Y. Miao, C. Chen, L. Pan, Q.-L. Han, J. Zhang, and Y. Xiang, “Machine learning–based cyber attacks targeting on controlled information: a survey,” ACM Computing Surveys, vol. 54, no. 7, pp. 1–36, 2022.
View at: Publisher Site | Google Scholar
H. M. Khalid, S. M. Muyeen, and J. C.-H. Peng, “Cyber-attacks in a looped energy-water nexus: an inoculated sub-observer-based approach,” IEEE Systems Journal, vol. 14, no. 2, pp. 2054–2065, 2020.
View at: Publisher Site | Google Scholar
C. Chen, Y. Wang, M. Cui et al., “Data-driven detection of stealthy false data injection attack against power system state estimation,” IEEE Transactions on Industrial Informatics, p. 1, 2022.
View at: Publisher Site | Google Scholar
Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks against state estimation in electric power grids,” ACM Transactions on Information and System Security, vol. 14, no. 1, pp. 1–33, 2011.
View at: Publisher Site | Google Scholar
M. Molnár and I. Vokony, “Impact analysis of false data injection attacks on distribution system state estimation,” in Proceedings of the IEEE International Conference on Environment and Electrical Engineering and 2021 IEEE Industrial and Commercial Power Systems Europe (EEEIC/I&CPS Europe), pp. 1–6, IEEE, Bari, Italy, September 2021.
View at: Publisher Site | Google Scholar
H. M. Khalid and J. C.-H. Peng, “A bayesian algorithm to enhance the resilience of wams applications against cyber attacks,” IEEE Transactions on Smart Grid, vol. 7, no. 4, pp. 2026–2037, 2016.
View at: Publisher Site | Google Scholar
H. M. Khalid and C. H. Peng, “Immunity toward data-injection attacks using multisensor track fusion-based model prediction,” IEEE Transactions on Smart Grid, vol. 8, no. 2, pp. 697–707, 2017.
View at: Google Scholar
H. Sandberg, A. Teixeira, and K. H. Johansson, “On security indices for state estimators in power networks,” in Proceedings of the Preprints of the First Workshop on Secure Control Systems, CPSWEEK 2010, Stockholm, Sweden, January 2011.
View at: Google Scholar
K. C. Sou, H. Sandberg, and K. H. Johansson, “Electric power network security analysis via minimum cut relaxation,” in Proceedings of the 50th IEEE Conference on Decision and Control and European Control Conference, pp. 4054–4059, IEEE, Orlando, FL, USA, December 2011.
View at: Publisher Site | Google Scholar
G. Dán and H. Sandberg, “Stealth attacks and protection schemes for state estimators in power systems,” in Proceedings of the first IEEE international conference on smart grid communications, pp. 214–219, IEEE, Gaithersburg, MD, USA, October 2010.
View at: Publisher Site | Google Scholar
T. T. Kim and H. V. Poor, “Strategic protection against data injection attacks on power grids,” IEEE Transactions on Smart Grid, vol. 2, no. 2, pp. 326–333, 2011.
View at: Publisher Site | Google Scholar
O. Kosut, L. Jia, R. J. Thomas, and L. Tong, “Malicious data attacks on smart grid state estimation: attack strategies and countermeasures,” in Proceedings of the first IEEE international conference on smart grid communications, pp. 220–225, IEEE, Gaithersburg, MD, USA, October 2010.
View at: Publisher Site | Google Scholar
K. C. Sou, H. Sandberg, and K. H. Johansson, “Computing critical -tuples in power networks,” IEEE Transactions on Power Systems, vol. 27, no. 3, pp. 1511–1520, 2012.
View at: Google Scholar
Z. E. Mrabet, N. Kaabouch, H. E. Ghazi, and H. E. Ghazi, “Cyber-security in smart grid: survey and challenges,” Computers & Electrical Engineering, vol. 67, no. 11, pp. 469–482, 2018.
View at: Publisher Site | Google Scholar
J. Kim and L. Tong, “On topology attack of a smart grid: undetectable attacks and countermeasures,” IEEE Journal on Selected Areas in Communications, vol. 31, no. 7, pp. 1294–1305, 2013.
View at: Publisher Site | Google Scholar
D. Deb, S. R. Chakraborty, M. Lagineni, and K. Singh, “Security analysis of MITM attack on SCADA network,” Machine Learning, Image Processing, Network Security and Data Sciences, Springer, Berlin, Germany, 2020.
View at: Google Scholar
J. Kim, L. Tong, and R. J. Thomas, “Data framing attack on state estimation,” IEEE Journal on Selected Areas in Communications, vol. 32, no. 7, pp. 1460–1470, 2014.
View at: Publisher Site | Google Scholar
X. Liu, P. Zhu, Y. Zhang, and K. Chen, “A collaborative intrusion detection mechanism against false data injection attack in advanced metering infrastructure,” IEEE Transactions on Smart Grid, vol. 6, no. 5, pp. 2435–2443, 2015.
View at: Publisher Site | Google Scholar
B. Li, R. Lu, K.-K. R. Choo, W. Wang, and S. Luo, “On reliability analysis of smart grids under topology attacks: a stochastic petri net approach,” ACM Transactions on Cyber-Physical Systems, vol. 3, no. 1, pp. 1–25, 2019.
View at: Publisher Site | Google Scholar
C. Chen, K. Zhang, K. Yuan, L. Zhu, and M. Qian, “Novel detection scheme design considering cyber attacks on load frequency control,” IEEE Transactions on Industrial Informatics, vol. 14, no. 5, pp. 1932–1941, 2018.
View at: Publisher Site | Google Scholar
P. Xun, P. Zhu, Z. Zhang, P. Cui, and Y. Xiong, “Detectors on edge nodes against false data injection on transmission lines of smart grid,” Electronics, vol. 7, no. 6, pp. 89–103, 2018.
View at: Publisher Site | Google Scholar
S. Ahmed, Y. Lee, S.-H. Hyun, and I. Koo, “Unsupervised machine learning-based detection of covert data integrity assault in smart grid networks utilizing isolation forest,” IEEE Transactions on Information Forensics and Security, vol. 14, no. 10, pp. 2765–2777, 2019.
View at: Publisher Site | Google Scholar
W. Bi, K. Zhang, Y. Li, K. Yuan, and Y. Wang, “Detection scheme against cyber-physical attacks on load frequency control based on dynamic characteristics analysis,” IEEE Systems Journal, vol. 13, no. 3, pp. 2859–2868, 2019.
View at: Publisher Site | Google Scholar
M. Cui, J. Wang, and M. Yue, “Machine learning-based anomaly detection for load forecasting under cyberattacks,” IEEE Transactions on Smart Grid, vol. 10, no. 5, pp. 5724–5734, 2019.
View at: Publisher Site | Google Scholar
Q. Sun, R. Fan, Y. Li, B. Huang, and D. Ma, “A distributed double-consensus algorithm for residential we-energy,” IEEE Transactions on Industrial Informatics, vol. 15, no. 8, pp. 1–4842, 2019.
View at: Publisher Site | Google Scholar
Z. Gao, X. Liu, and M. Z. Chen, “Unknown input observer-based robust fault estimation for systems corrupted by partially decoupled disturbances,” IEEE Transactions on Industrial Electronics, vol. 63, no. 4, pp. 1–2547, 2015.
View at: Publisher Site | Google Scholar
X. Liu, J. Wu, N. Jenkins, and A. Bagdanavicius, “Combined analysis of electricity and heat networks,” Applied Energy, vol. 162, pp. 1238–1250, 2016.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2022 Chaoqun Zhu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

197

Downloads

329

Citations