A Novel Detection and Identification Mechanism for Malicious Injection Attacks in Power Systems

Abstract

The integration of advanced sensor technology and control technology has gradually improved the operational efficiency of traditional power systems. Due to the undetectability of these attacks using traditional chi-square detection techniques, the state estimation of power systems is vulnerable to cyber–physical attacks, For this reason, this paper presents a novel detection and identification framework for detecting malicious attacks in power systems from the perspective of cyber–physical symmetry. To consider the undetectability of cyber–physical attacks, a physical dynamics detection model using the unknown input observers (UIOs) and cosine similarity theorem is proposed. Through the design of UIO parameters, the influence of attacks on state estimation can be eliminated. A cosine similarity value-based detection criterion is proposed to replace the traditional detection threshold. To further cut down the effects caused by malicious attacks, an observer combination-based attack identification framework is established. Finally, simulations are given to demonstrate that the proposed security method can detect and identify the injected malicious attacks quickly and effectively.

1. Introduction

As the foundation of the national economy, power systems play an irreplaceable role. In particular, the integration of advanced intelligent sensor fusion technology and robust control technology has significantly improved the operational efficiency of smart grids [1,2]. Meanwhile, two kinds of uncertainties are symmetry and superimposition, which pose new security challenges. In recent years, cyber-physical attacks have proven able to tamper with the operational status of power generation systems [3,4]. By injecting a bank of false data, the above attacks can deceive traditional detection methods. Thus, the above attacks bring a tremendous security risk to power systems [5]. For instance, unknown cyber–physical attacks occurred in Delta Montrose Electric Power Association (DMEA), USA, 2021; and a malicious ransomware attack event occurred in Taiwan, 2022. For this reason, developing an effective detection and identification mechanism is crucial to ensure the normal running of power systems.

Different from traditional network attacks, such as Denial of service attacks (Dos) and random attacks, the emerging cyber-physical attacks can fool the detection mechanism of power systems. In particular, false data injection (FDI) attacks, as one type of cyber-physical attack, were constructed firstly by Liu [6]. Furthermore, Yang et al. tested the covert characteristic of FDI attacks on different IEEE standard bus systems [7]. Based on this, a novel FDI attack that can disable a programmable logic controller without triggering an alarm was constructed [8,9]. In summary, how we may quickly detect and identify FDI attacks is a security issue that the current power grid needs to solve from the perspective of cyber–physical symmetry.

2. Related Works

Responding to the security risk posed by FDI attacks, various detection methods have been studied. Existing detection methods for FDI attacks can be divided into two categories: data-driven methods and model-based methods [10]. By analyzing the characteristics of the history data in power systems, various data-driven detection methods are studied [11,12,13,14,15,16,17,18]. In [11], Raj et al., proposed a novel machine learning detection method for malicious attacks based on threshold and aggregation. By analyzing the physical behavior, an anomaly detection architecture using a neural network was constructed [12]. In [13], a threat model against malicious attacks was established based on data analysis. A novel anomaly detection strategy against malicious attacks was proposed in [14]. In [15], an innovative detection algorithm against malicious attacks based on the Markov chain was proposed. The proposed method can shed light on the security of smart grids. In [16], a detection framework including generalized cumulative sum and relaxed generalized cumulative sum was proposed. A linear regression-based three-network topology independent detection technique for FDI attacks was developed [17]. In [18], a gradient-boosting theft detector was proposed to improve detection performance against malicious attacks. By analyzing the characteristics of power system transmission data, the above data-driven detection methods can effectively judge abnormal data. Meanwhile, due to a lack of consideration for the actual physical dynamic changes in the power system, the performance of these detection methods can be limited. Furthermore, one can find that the effectiveness of the above methods depends on the assumption that the attack sequence is known. Based on this, model-based detection methods are proposed in [19,20,21,22,23,24,25]. In [19], a novel physical dynamic detection architecture against malicious attacks was developed. To address the problem of state estimation under cyber attacks, an adaptive cubature Kalman filter was designed [20]. Considering the undetectability of FDI attacks using traditional chi-square detection techniques, an unscented Kalman filter-based detection model was proposed [21]. In [22], Liu considered a two-step false data injection attack strategy and developed an extended Kalman filter-based detection model. Taking multichannel cyber-attacks into account, Xiahou et al. developed a decentralized detection model [23]. In [24], a hybrid dynamic-state estimation method for FDI attacks was developed based on a physical dynamics model. A novel detection model from the perspective of state estimation was constructed to identify the injected FDI attacks in smart grids [25]. In a word, the above model-based detection methods can effectively respond to injected cyber attacks. As shown in

Table 1. Analysis of detection methods against FDI attacks.

Category	Approach	Advantages	Disadvantages
Data-driven methods	[11,12,13,14,15,16,17,18]	(1) System models are not required (2) Known attack detection is fast	(1) Lots of historical data needed (2) Selection of detection threshold (3) Effect of model error and external disturbance
Model-based methods	[19,20,21,22,23,24,25]	(1) No training required (2) Reduced memory need

, the pros and cons of the above detection works are summarized. From the perspective of cyber–physical symmetry, the following issues need to be addressed:

• How to address the limitation caused by precomputed threshold;
• How to cut down the effect of model error and external disturbance.

Motivated by the above challenges, this paper develops a detection and identification architecture for use against FDI attacks. Taking the changes in the voltage of physical systems into account, a discrete power grid model is constructed. Considering the covert characteristics of FDI attacks, a novel detection model is developed based on the designed unknown input observers (UIOs) and cosine similarity theorem. Uusing the principle of cosine similarity matching, the proposed detection criterion can address the limitation caused by the precomputed detection threshold. Furthermore, an observer combination-based attack identification framework is proposed, using which the influence caused by FDI attacks can be cut down. The main works of this paper are summarized as follows.

• A novel detection model is developed based on the UIOs and cosine similarity theorem. By designing the UIOs to handle the effect of model error and external disturbance, the accuracy of state estimation can be improved. By using the principle of cosine similarity matching, the limitation caused by the precomputed detection threshold can be addressed.
• An observer combination-based attack identification framework is proposed. By introducing the observer combination strategy, the influence caused by the injected FDI attacks can quickly be identified and eliminated.

The outline of this paper is given as follows. In Section 3, we construct a discrete power grid model by considering the three-phase sinusoidal voltage equations. In Section 4, a detection and identification framework is proposed. Section 5 presents the effectiveness of the proposed detection and identification framework. Finally, the conclusion and discussion are given in Section 6.

3. Problem Description

3.1. Three-Phase Voltage-Based Power State Model

According to the work in [26], one can find that attackers try to destroy the stability of power systems by tampering with state variables. As shown in Figure 1, there exist three generators and six buses in the power system. In this paper, we only consider the change in voltage signal caused by FDI attacks. Therefore, a voltage signal-based grid state model is given as follows [26].

$$V_1\left(k\right)=A_{\iota }\cos \left(wk+\theta \right)$$

(1)

$$V_2\left(t\right)=A_{\iota }\cos \left(wt+\theta -\frac{2}{3}\pi \right)$$

(2)

$$V_3\left(k\right)=A_{\iota }\cos \left(wk+\theta -\frac{4}{3}\pi \right)$$

(3)

By using Equations (1)–(3), one can obtain

$$V\left(t\right)=A_{\iota }\ast \cos \left(wt\right)\cos \left(\theta \right)-A_{\iota }\ast \sin \left(wt\right)\sin \left(\theta \right)$$

(4)

Since this paper only studies the change in three-phase voltage, it is assumed that $\omega t$ is relatively constant over time. Then, the state–space grid model in Equation (4) can be rewritten as

$$x_{k+1}=A{x}_k+B{u}_k+{\Delta }_k$$

(5)

$$y_k=C{x}_k$$

(6)

where $x_k={\left[\begin{array}{cc}{x}_1& x_2\end{array}\right]}^T$, $x_1=A_{\iota }\times \cos \theta$, and $x_2=A_{\iota }\times \sin \theta$ are state variables at epoch k, $A=\left[\begin{array}{cc}1& 0\\ 0& 1\end{array}\right]$, $C=\left(\begin{array}{cc}\cos \omega k& -\sin \omega k\end{array}\right)$.

3.2. Problem Formulation

As usual, the commonly used detection methods are based on chi-square detectors. By comparing the measurement residual and measurement output, the operator can determine if there are any abnormalities in the power system. As shown in [27], the detection criterion for abnormal data is given as follows.

$$\left\{\begin{array}{l}\begin{array}{cc}{\lambda }_k=‖z_k-C{\hat{x}}_k‖<\tau & \mathrm{N}\mathrm{o}\mathrm{attack}\end{array}\\ \begin{array}{cc}{\lambda }_k=‖z_k-C{\hat{x}}_k‖\ge \tau & \mathrm{Attack}\end{array}\end{array}\right.$$

(7)

According to the work in [28], the $\tau$ is set to three times the size of the noise, which can then meet a false alarm rate of less than 5%. According to the work in [16], the detection process of chi-square detector is given as follows. Firstly, the residual ${\lambda }_k=‖z_k-C{\hat{x}}_k‖$ can be obtained using the Kalman filter. Secondly, the computation of precomputed threshold $\tau$ is based on noise. Thirdly, operators can judge the injected attacks by comparing the residual and precomputed threshold. The above computation process can be seen in [27].

Making full use of the above detection mechanism, hackers can design a special set of attack sequence $f_k^a$, which needs to satisfy the following constraint.

$$\begin{array}{ll}{\hslash }_k^f& =‖z_k^f-C{\hat{x}}_k^a‖\\ & =‖(z_k+y_k^f)-(C{\hat{\mathit{x}}}_k+\mathcal{l})‖\\ & =‖(z_k-C{\hat{x}}_k)+(y_k^f-\mathcal{l})‖\\ & \le ‖z_k-C{\hat{x}}_k‖+‖y_k^f-\mathcal{l}‖\end{array}$$

(8)

From Equation (8), one can find that the output residual ${\hslash }_k^f$ has not changed if $y_k^f=\mathcal{l}$. In other words, the output residual ${\hslash }_k^f$ under FDI attacks still is smaller than the precomputed detection threshold $\tau$. It is obvious that the injected FDI attacks can fool the above detection methods by using the chi-square detector. Based on this, the malicious attackers can successfully tamper with the operating status of the power system without triggering system alerts.

To sum up, the emergence of attacks poses a huge challenge to existing security mechanisms in power systems. To address this problem, this paper develops a novel detection and identification method based on actual physical state changes. Taking a large-scale power grid, the lth state–space grid model can be described as follows:

$$\left\{\begin{array}{l}{x}_{k+1}^l=A^l{x}_k^l+B^l{u}_k^l+{\Delta }^l{}_k+F^l{f}_k^l\\ y_k^l=C^l{x}_k^l\end{array}\right.$$

(9)

where $f_k^l$ denotes the attack vector in Equation (8). The above parameter definitions are given in Nomenclature. Based on the established problem, a novel detection and identification framework including three steps is proposed from the perspective of cyber–physical symmetry.

4. Detection and Identification Mechanism for FDI Attacks

In this section, a detection and identification framework for FDI attacks is established. Taking the model error and external disturbance into account, we design UIOs to obtain the physical dynamics accurately. Then, a novel detection criterion based on a cosine matching theorem is proposed to address the limitations of the precomputed detection threshold. Finally, an observer combination-based identification method against multiple FDI attacks is developed. The detailed steps are given as follows from the perspective of cyber–physical symmetry.

Step 1: To obtain the accurate state estimation, a bank of UIOs is established to deal with the model error and external disturbance.

Step 2: A cosine theorem-based detection criterion is proposed to replace the precomputed detection threshold.

Step 3: An observer combination-based method is developed to identify the injected FDI attacks.

4.1. UIO-Based State Estimation

Without the injected FDI attacks, the lth state–space grid model can be rewritten as

$$\left\{\begin{array}{l}{x}_{k+1}^l=A^l{x}_k^l{}_k+B^l{u}_k^l+{\Delta }^l{}_k\\ y_k^l=C^l{x}_k^l\end{array}\right.$$

(10)

To ensure the accuracy of state estimation, this paper designs the UIO to handle model error and external disturbance. Before designing the proposed UIO, some assumptions and lemmas are given as follows.

Assumption 1

 ([29]). $\left(C^l,{\tilde{A}}^l\right)$ is a detectable, where ${\tilde{A}}^l=\left(I-K^l{C}^l\right)$.

Lemma 1

 ([30]). Consider a discrete system as

$$\left\{\begin{array}{l}{\xi }_{\kappa +1}^{}={\rm P}{\xi }_{\kappa }+{\rm Z}{\upsilon }_{\kappa }^{}\\ {\psi }_{\kappa }^{}={{\rm X}}^{}{\xi }_{\kappa }^{}+\Theta {\upsilon }_{\kappa }^{}\end{array}\right.$$

(11)

which meets the following robust performance:

$${‖G_{yu}\left(s\right)‖}_{-}>\eta$$

(12)

where $G_{yu}\left(s\right)={\rm X}{\left(\sigma {\rm I}-{\rm P}\right)}^{-1}{\rm Z}+\Theta$, if there exist positive definite matrices $\aleph$ and $\Im$ meeting the following constraint

$${\left[\begin{array}{cc}{\rm P}& {\rm Z}\\ {\rm I}& 0\end{array}\right]}^{{\rm T}}\partial \left[\begin{array}{cc}{\rm P}& {\rm Z}\\ {\rm I}& 0\end{array}\right]+{\left[\begin{array}{cc}{\rm X}& \Theta \\ {\rm I}& 0\end{array}\right]}^T\wp \left[\begin{array}{cc}{\rm X}& \Theta \\ {\rm I}& 0\end{array}\right]<0$$

(13)

where

$$\partial =\left[\begin{array}{cc}-I& 0\\ 0& {ƛ}^{2}I\end{array}\right],\wp =\left[\begin{array}{cc}-\aleph & \Im \\ \Im & \aleph -2\cos \left({\omega }_1\right)\Im \end{array}\right]$$

for the low-frequency range $\left|\omega \right|\le {\omega }_1$.

Lemma 2

 ([31]). If there exists a matrix $\Omega$ meeting the following constraint:

$$\left[\begin{array}{cc}-\Omega & \Omega \left(\sum -\omega I\right)\\ \Omega \left(\sum -\omega I\right)& -{\mathcal{l}}^2\Omega \end{array}\right]<0,$$

(14)

then the eigenvalues of matrix $\sum$ belong to the circular region $\mho \left(\omega ,\mathcal{l}\right)$.

Based on this, the proposed UIO can be established as follows.

$$\left\{\begin{array}{l}{z}_{k+1}^l=H^l{z}_k^l+G^l{B}^l{u}_k^l+U^l{y}_k^l\\ {\hat{x}}_k^l=z_k^l+K^l{y}_k^l\end{array}\right.$$

(15)

Defining estimation error as

$$e_k^l=x_k^l-{\hat{x}}_k^l,$$

(16)

From Equations (9) and (15), one can obtain

$$\begin{array}{l}{e}_{k+1}^l=x_{k+1}^l-{\hat{x}}_{k+1}^l\\ \begin{array}{c}\end{array}=\left(I^l-K^l{C}^l\right)x_{k+1}^l-z_{k+1}^l\\ \begin{array}{c}\end{array}=\left(A^l-K^l{C}^l{A}^l-U_1^l{C}^l\right)e_k^l+\left(A^l-K^l{C}^l{A}^l-U_1^l{C}^l-H_1^l\right)z_k^l\\ \begin{array}{c}\end{array}+\left[\left(A^l-K^l{C}^l{A}^l-K_1^L{C}^l\right)K^l-U_2^l\right]y_k^l+\left[\left(I^l-K^l{C}^l\right)B^l-G^l{B}^l\right]u_k^l\\ \begin{array}{c}\begin{array}{c}\end{array}+\end{array}\left(I^l-K^l{C}^l\right){\Delta }^l+\left(I^l-K^l{C}^l\right)F^l{f}^l\end{array}$$

(17)

Based on the design of UIO, one can obtain

$$\left(\begin{array}{l}\left(I^l-K^l{C}^l\right)B^l-G^l{B}^l=0\\ A^l-K^l{C}^l{A}^l-U_1^l{C}^l-H_1^l=0\\ U_2^l=H^l{K}^l\end{array}\right.$$

(18)

Then, Equation (17) can be rewritten as follows:

$$e_{k+1}^l=H^l{e}_k^l+G^l{\Delta }^l+G^l{F}^l{f}_k$$

(19)

Without FDI attacks, the state residual can be obtained:

$$r_k^l=r_k^l-C^l{x}_k^l=C^l{e}_k^l=H^l{e}_k^l+G^l{\Delta }^l$$

(20)

By designing the UIOs, the effect of model error and external disturbance can be reduced. The corresponding UIOs-based state estimation framework is presented in Figure 2. Then, the following theorem is given to ensure the stability of UIOs.

Theorem 1.

Under Lemma 1 and Lemma 2, there exist matrices $P_1^l={\left(P_1^l\right)}^T>0$, $P_2^l={\left(P_2^l\right)}^T>0$, $P_3^l$ and $P_4^l$ meeting the following constraint.

$$\left[\begin{array}{ccc}-{\kappa }_1{P}_5^l-{\kappa }_1{\left(P_3^l\right)}^T& {\rho }_1& {\rho }_2\\ \ast & {\rho }_3& {\rho }_4\\ \ast & \ast & -\left(I-\vartheta \right)I\end{array}\right]<0$$

(21)

$$\left[\begin{array}{ccc}-\left(1-\sigma \right)P_1^l& 0& {\left(C^l\right)}^T\\ \ast & -\left(\mu -\vartheta \right)I& 0\\ \ast & \ast & -\mu I\end{array}\right]<0$$

(22)

$$\left[\begin{array}{cc}{P}_2^l-{\kappa }_3{P}_3^l-{\kappa }_3{\left(P_3^l\right)}^T& {\rho }_5\\ \ast & -\mathcal{l}{P}_2^l\end{array}\right]<0$$

(23)

where

$$\begin{gathered} {\rho }_1={\left(P_3^l\right)}^T+P_1^l+{\kappa }_1{P}_3^l{\tilde{A}}^l-{\kappa }_1{P}_4^l{C}^l \\ {\rho }_2={\kappa }_1{P}_3^l\left(I^l-K^l{C}^l\right)F^l \\ {\rho }_3=-\sigma P_1^l+P_3^l{\tilde{A}}^l-P_4^l{C}^l+{\left({\tilde{A}}^l\right)}^T{\left(P_3^l\right)}^T-{\left(C^l\right)}^T{\left(P_4^l\right)}^T \\ {\rho }_4=P_3^l\left(I^l-K^l{C}^l\right) \\ {\rho }_5=-{\kappa }_3{P}_3^l{\tilde{A}}^l+{\kappa }_3{P}_4^l{C}^l+{\kappa }_{3}w{P}_3^l \end{gathered}$$

and ${\kappa }_3$, ${\kappa }_3$, ${\kappa }_3$ and $w_1>0$.

Proof. 

Without FDI attacks, we can obtain

$$\left\{\begin{array}{l}{e}_{k+1}^l=H^l{e}_k^l+G^l{\Delta }^l\\ r_k^l=C^l{e}_k^l\end{array}\right.$$

(24)

The Lyapunov function is selected as

$$V_k^l={\left(e_k^l\right)}^T{\Psi }^l{e}_k^l$$

(25)

Based on the work in [32], one can obtain the $L_{\infty }$ performance as

$$index‖r_k^l‖<\sqrt{\mu \left(1-\sigma \right)\sigma V_0^l+\mu \left(1-\sigma +\mu -\vartheta \right){‖{\Delta }^l‖}_{\infty }^2}$$

(26)

$$V_{k+1}<\sigma V_k+\left(1-\sigma \right){\left({\Delta }^l\right)}^T{\Delta }^l$$

(27)

$${\left(r_k^l\right)}^T{r}_k^l<\mu \left(1-\sigma \right)V_k+\mu \left(\mu -\vartheta \right){\left({\Delta }^l\right)}^T{\Delta }^l$$

(28)

Based on Equation (25), one can obtain

$$V_{k+1}^l={\left(e_k^l\right)}^T\left(P_1^l\left({\tilde{A}}^l-U_1^l{C}^l\right)+{\left({\tilde{A}}^l-U_1^l{C}^l\right)}^T{P}_1^l\right)e_k^l+2{\left(e_k^l\right)}^T{P}_1^l\left(I^l-K^l{C}^l\right){\Delta }^l$$

(29)

From Equations (25)–(29), one can obtain

$${\left[\begin{array}{c}{e}_k\\ {\Delta }^l\end{array}\right]}^T\Gamma \left[\begin{array}{c}{e}_k\\ {\Delta }^l\end{array}\right]<0$$

(30)

where

$$\Gamma =\left[\begin{array}{cc}{P}_1^l\left({\tilde{A}}^l-U_1^l{C}^l\right)+{\left({\tilde{A}}^l-U_1^l{C}^l\right)}^T{P}_1^l-\sigma P_1^l& P_1^l\left(I^l-K^l{C}^l\right)\\ P_1^l\left(I^l-K^l{C}^l\right)& -\left(1-\sigma \right)I\end{array}\right]$$

(31)

Since matrix $\Gamma$ is not a LMI, Equation (31) can be rewritten as

$${\chi }_1+{\varphi }_1^T{\phi }_2^T+{\varphi }_1^{}{\phi }_2^{}<0$$

(32)

where

$${\varphi }_1=\left[\begin{array}{cc}{\tilde{A}}^l-U_1^l{C}^l& I^l-K^l{C}^l\end{array}\right]$$

$${\phi }_2^{}={\left[\begin{array}{cc}{\left(P_1^l\right)}^T& 0\end{array}\right]}^T$$

$$\chi =\left[\begin{array}{cc}\sigma P_1^l& 0\\ 0& -\left(1-\sigma \right)I\end{array}\right]$$

Then, Equation (32) can be equivalent to

$$\left[\begin{array}{cc}-{\kappa }_1{P}_3^l-{\left({\kappa }_1{P}_3^l\right)}^T& -{\varphi }_2^T+{\phi }_2^T+{\kappa }_1{P}_3^l{\varphi }_1^{}\\ \ast & {\chi }_1+{\varphi }_2^{}{\varphi }_1+{\varphi }_1^T{\varphi }_2^T\end{array}\right]<0$$

(33)

Multiplying the left and right sides of Equation (30) by $\left[\begin{array}{cc}{\varphi }_1& I\end{array}\right]$, and its transposition, we can obtain Equation (21).

Based on Equation (27), one can obtain

$$\begin{array}{l}{V}_k<{\sigma }^k{V}_k\left(0\right)+\left(1-\sigma \right){\displaystyle \sum _{i=0}^{k-1}{\sigma }^i}{‖{\Delta }^l‖}^2\\ \begin{array}{cc}& <\end{array}{\sigma }^k{V}_k\left(0\right)+{‖{\Delta }^l‖}^2\end{array}$$

(34)

Taking Equation (34) into Equation (28), one can obtain

$${\left[\begin{array}{c}{e}_k\\ {\Delta }^l\end{array}\right]}^T\left[\begin{array}{cc}{\epsilon }^{-1}{\left(C^l\right)}^T{C}^l-\left(1-\sigma \right)P_1^l& 0\\ 0& -\left(1-\sigma \right)I\end{array}\right]\left[\begin{array}{c}{e}_k\\ {\Delta }^l\end{array}\right]<0$$

(35)

By using the Schur complement lemma [33], Equation (22) can be obtained based on Equation (35).

Based on Lemma 2, one can obtain

$$\left[\begin{array}{cc}-P_2^l& P_2^l\left({\tilde{A}}^l-U_1^l{C}^l-\omega I\right)\\ \ast & -{\mathcal{l}}^2{P}_2^l\end{array}\right]<0$$

(36)

By using the Schur complement lemma [28], one can obtain

$${\left({\tilde{A}}^l-U_1^l{C}^l-\omega I\right)}^T{P}_2^l\left({\tilde{A}}^l-U_1^l{C}^l-\omega I\right)-{\mathcal{l}}^2{P}_2^l<0$$

(37)

Equation (37) can be equivalent to

$$\left[\begin{array}{cc}{P}_2^l-{\kappa }_3{P}_3^l-{\left({\kappa }_1{P}_3^l\right)}^T& -{\kappa }_3{P}_3^l\left({\tilde{A}}^l-U_1^l{C}^l-\omega I\right)\\ \ast & {\mathcal{l}}^2{P}_2^l\end{array}\right]<0$$

(38)

Multiplying the left and right sides of in Equation (38) by $\left[\begin{array}{cc}\left({\tilde{A}}^l-U_1^l{C}^l-\omega I\right)& I\end{array}\right]$ and its transposition, we can obtain Equation (23). ☐

Remark 1.

In general, the shortcomings of model-based detection methods, such as model error and external disturbance, will affect the accuracy of state estimation. For this reason, this paper proposes to design the UIOs to attenuate the effects caused by model error and external disturbance.

4.2. Cosine Similarity Theorem-Based Detection Method

In this section, a cosine similarity theorem-based detection criterion is developed. Cosine similarity is a method of calculating correlation, which maps individual indicator data to a vector space and calculates the cosine value of the angle between two vectors as a measure of similarity between two variables. In other words, the value of cosine similarity tends to be 0 if two values are similar. If two values are not similar, the value of cosine similarity tends to be 1.

Using the above cosine similarity theorem, a cosine similarity value (CSV)-based attack detection criterion is proposed as follows.

$$\left\{\begin{array}{l}\begin{array}{cc}\underset{k\to \infty }{\lim }\cos \left(\left|x_k-{\hat{x}}_k\right|\right)={\Xi }_k=0& Normal\end{array}\\ \begin{array}{cc}\underset{k\to \infty }{\lim }\cos \left(\left|x_k-{\hat{x}}_k\right|\right)={\Xi }_k=1& Abnormal\end{array}\end{array}\right.$$

(39)

Based on the designed UIOs, a cosine similarity theorem-based attack detection process is developed as follows.

Step 1: Establish the proposed voltage signal-based grid state model in Equations (2) and (3).

Step 2: Design a bank of the proposed UIOs in Equation (15) to obtain the estimation state.

Step 3: Compute the cosine similarity value based on the cosine similarity theorem.

Step 4: Apply the detection criterion in Equation (39) to detect the injected FDI attacks.

Based on the proposed detection process, the corresponding pseudo-code of the attack detection method is given in Algorithm 1.

Algorithm 1: Cosine similarity theorem-based detection algorithm against FDI attacks

1. $GCM\to \mathrm{Grid}\mathrm{state}\mathrm{model}$; 2. $UIOs\to \mathrm{Unknown}\mathrm{input}\mathrm{observers}$; 3. $ES\to Estimation\mathrm{state}$; 4. $CSV\to cosinesimilarityvalue$ 5. $UIOs\leftarrow GCM$; 6. $ES\leftarrow UIOs$; 7. $CSV\leftarrow ES$ 8. $IF0\leftarrow CSV,\mathrm{No}\mathrm{attacks}$ 9. $ELSEIF\mathrm{attacks}$

4.3. Observer Combination-Based Identification Method

To ensure the stable operation of power systems, an observer combination-based attack identification framework is proposed to minimize the influence of FDI attacks, as shown in Figure 3.

By applying the method of bisection, the proposed identification method can detect and identify multiple attacked nodes. The detailed identification processes are given as follows.

Step 1: Assuming all $y_1\cdots y_N$ outputs are driven by one bank of UIOs, the CSV detector is designed to detect attack nodes.

Step 2: If there exist attack nodes, all $y_1\cdots y_N$ outputs are divided into two parts, which are driven by two banks of UIOs.

Step 3: If there exist attack nodes in $y_1\cdots y_{\raisebox{1ex}{$N$}\!\left/ \!\raisebox{-1ex}{$2$}\right.}$, all $y_1\cdots y_{\raisebox{1ex}{$N$}\!\left/ \!\raisebox{-1ex}{$2$}\right.}$ outputs are divided into two parts, which are driven by two banks of UIOs.

Step 4: If there exist attack nodes in $y_{\raisebox{1ex}{$N$}\!\left/ \!\raisebox{-1ex}{$2$}\right.}\cdots y_N$, all $y_{\raisebox{1ex}{$N$}\!\left/ \!\raisebox{-1ex}{$2$}\right.}\cdots y_N$ outputs are divided into two parts, which are driven by two banks of UIOs.

Step 5: This process is repeated iteratively for each half of the $y_1\cdots y_{\raisebox{1ex}{$N$}\!\left/ \!\raisebox{-1ex}{$2$}\right.}$ or $y_{\raisebox{1ex}{$N$}\!\left/ \!\raisebox{-1ex}{$2$}\right.}\cdots y_N$, if there exist attack nodes.

Step 6: Repeating the above Steps 2–4, the attacked nodes can be detected and identified.

Based on the above the detection and identification framework, operators can quickly respond to the attacked nodes. Then, the corresponding pseudo-code of attack identification method is given in Algorithm 2.

Algorithm 2: Observer combination-based attack identification

1. $y_1\cdots y_N\to All\mathrm{outputs}$ 2. $RIFEH\to repeatediterativelyforeachhalfoftheattackedouputs$ 3. $UIOs\to \mathrm{Unknown}\mathrm{input}\mathrm{observers}$; 4. $CSV\to cosinesimilarityvalue$ 5. $UIOs\leftarrow y_1\cdots y_N$ 6. $IF1\leftarrow CSV,\mathrm{attacks}$; 7. $RIFEH\leftarrow y_1\cdots y_{\raisebox{1ex}{$N$}\!\left/ \!\raisebox{-1ex}{$2$}\right.}\mathrm{and}RIFEH\leftarrow y_{\raisebox{1ex}{$N$}\!\left/ \!\raisebox{-1ex}{$2$}\right.}\cdots y_N$ 8. Else no attacks; 9. Repeat steps 5–7; 10. Output: the attacked nodes.

5. Results

In this section, experiments are carried out to verify the effectiveness of the proposed detection and identification framework on IEEE 6-bus, 39-bus (as shown in Figure 4), and 118-bus power systems. Partial experimental parameters are set as follows: a frequency of 60 Hz and an amplitude of 0.5 V, $‖{\Delta }^l{}_k‖\le 0.05$. In addition, the model matrix parameters and attack sequence can be seen in [26]. In the following, case 1 is used to test the detection of one FDI attack on an IEEE 6-bus power system. Case 2 is used to verify the effectiveness of multiple FDI attacks on an IEEE 39-bus power system. Case 3 is used to verify the effectiveness of multiple FDI attacks on an IEEE 118-bus power system. The simulation environment is simulated using MATLAB 2020b software on a Lenovo Y7000 computer (i7-10875H CPU,16GB, RTX2060).

5.1. Case 1: Detection of One FDI Attack on an IEEE 6-Bus Power System

It is assumed that the first generator is an injected FDI attack by hacker at t = 160 s. By tampering with sensor data, the hacker can fool the detection technique using a Chi-square detector. Based on this, the proposed detection algorithm is applied to obtain the estimated state under FDI attacks, as shown in Figure 5.

As shown in Figure 5, it is obvious that only the state estimation of the first generator has been changed. Compared to first generator, there does not exist the change for other generators. In other words, the hacker has successfully injected false data and changed the voltage state of the first generator. To detect the injected FDI attacks, a traditional chi-square detection technique and the proposed CSV-based attack detection criterion are applied. As shown in Figure 6 and Figure 7, the corresponding detection results for the above two methods are given.

Obviously, one can find that all the detection residuals do not exceed the precomputed threshold, as shown in Figure 6. Namely, the designed FDI attack can deceive the existing chi-square detection technique methods without triggering alerts. Meanwhile, the proposed CSV-based attack detection criterion can judge that the CSV of first generator is 1 at t = 160 s, as shown in Figure 7a. In other words, the proposed detection algorithm can successfully detect the change in voltage on the first generator caused by FDI attack. In summary, the developed CSV-based detection Algorithm 1 can effectively detect the injected FDI attacks in the power system.

5.2. Case 2: Detection and Identification of Multiple FDI Attacks on an IEEE 39-Bus Power System

In this section, we consider the detection and identification of multiple FDI attacks on an IEEE 39-bus power system. As shown in Figure 4, the IEEE 39-bus power system consists of three grid subareas. Of note, the method for dividing power grid areas can be seen in [34]. In addition, the calculation of extended model parameters can be seen in [28]. It is assumed that hacker can inject multiple FDI attacks, such as the first generator bus at $t\in \left(100 \mathrm{s}-160 \mathrm{s}\right)$, sixth generator bus at $t=260 \mathrm{s}$, and thirteenth generator bus at $t=380 \mathrm{s}$. By designing a bank of UIOs for three subareas, the corresponding change in the estimated state can be obtained, as shown in Figure 8. Obviously, one can find that there exist changes on the first and third grid subareas. To identify the attacked generator buses, the proposed Algorithm 2 is applied. Then, the corresponding detection and identification results against FDI attacks are obtained, as shown in Figure 9 and Figure 10.

As shown in Figure 9a, the corresponding detection and identification results indicate that there may exist one or multiple FDI attacks in the first grid subarea. By applying the proposed Algorithm 2, one can find that there may exist one or multiple FDI attacks on the first to third generator buses, as shown in Figure 9b. Similarly, there may exist one or multiple FDI attacks on the fourth to sixth generator buses, as shown in Figure 9c. By using the detection and identification algorithm, we can obtain that there exists one FDI attack in the first and sixth generator bus, as shown in Figure 9d–i. Using a similar process as above, one can find that there may exist attack in the 10th–13th generator buses, as shown in Figure 10a. Through further detection and identification, we can find that the injected FDI attack is on the 12th or 13th generator bus, as shown in Figure 10c. Namely, there does not exist injected FDI attack on the 10th or 11st generator bus, as shown in Figure 10b. Based on the proposed Algorithm 2, we can detect and identify that the injected FDI attack is on the 13th generator bus, as shown in Figure 10d,e.

5.3. Case 3: Detection and Identification of Multiple FDI Attacks on IEEE 118-Bus Power System

In this case, the effectiveness of the proposed method on a large-scale 118-bus system (Figure 11) is demonstrated. It is assumed that hacker can inject multiple FDI attacks, such as the 8th generator bus at $t=120 \mathrm{s}$ and 14th generator bus at $t=180 \mathrm{s}$. Applying the proposed UIO-based state estimation method, one can find that there exist one or multiple FDI attacks in the second grid subarea, as shown in Figure 12. By using the proposed Algorithm 2, the corresponding detection and identification results against FDI attacks are obtained, as shown in Figure 13.

The simulation results indicate that there exist one or multiple FDI attacks on the IEEE 118-bus grid system. Obviously, it is difficult to identify the injected FDI attacks. By applying the proposed method, we can obtain that there may exist FDI attacks in the 8–16th generator buses, as shown in Figure 13a–c. Repeat the Algorithm 2, we can identify the injected FDI attacks on the 8th–9th and 14th–16th generator buses, as shown in Figure 13d–g. Using a similar process as above, the injected FDI attacks on the 8th and 14th generator buses can be identified, as shown in Figure 13h–k. In summary, the simulation results demonstrate that the injected malicious attacks can be detected and identified quickly using the proposed detection and identification algorithm. In addition, the detection and identification time are given, as shown in

Table 2. Detection and identification times.

System	Detection Time (s)	Identification Time (s)
6-bus	0.8	1.2
39-bus	1.5	3.8
118-bus	2.2	4.5

. Compared with the data-driven methods, the proposed method can cut down the time of training data. As the power network grows, the corresponding system parameter dimensions also increase. Thus, the detection time of FDI attacks will increase, as shown in Table 2. Meanwhile, the identification time will increase in comparison with the detection time. In addition, the identification time will be affected by the number of the injected FDI attacks, as shown in Table 2.

6. Conclusions and Discussion

This paper proposes a novel detection and identification mechanism for countering FDI attacks in power systems. A novel detection model using UIOs and a cosine similarity theorem is constructed, using which FDI attacks can be detected. Furthermore, the developed CSV-based attack detection criterion can replace the design of a precomputed threshold. To lessen the impact of attacks on the system, an attack identification method is developed. Through the combination of UIOs, the influence of FDI attacks can minimized quickly. Finally, simulation experiments are carried out to verify the effectiveness of the proposed detection and identification framework on IEEE 6-bus, 39-bus and 118-bus power systems.

It is notable that the proposed method is only applicable to balanced power systems. For unbalanced power systems, operators can predict the state of electricity load using data-driven methods. Future works will further consider this problem by introducing artificial intelligence methods.