Professional Documents
Culture Documents
1. Cyber-physical anomaly detection system (CPADS) using pmu measurements and network
packet data and application of Variational Mode Decomposition (VMD) and Decision Tree (DT)
2. Rule-based feature selection using Filter and Wrapper method for classification
3. Detailed performance during both cyber and physical events using Hardware-in-loop (HIL)
Using this CPADS a centralized Remedial action scheme (CRAS) is developed which operates in
following steps;
Types of events:
1. Cyber events
1.1. Generation altering attacks
1.1.1.Pulse attacks
1.1.2.Ramp attacks
1.2. Malicious Tripping attack
1.3. False data injection attacks(FDI)
1.4. Denial of service attacks(DOS)
1.5. Coordinated cyber attack
1.5.1.FDI attack followed by a Malicious tripping attack
1.5.2.FDI followed by a pulse or ramp attack
2. Physical events
2.1. Line faults
2.1.1.Symmetrical
2.1.2.Asymmetrical
The whole Power system is divided into different substation zones as Zone A, Zone B, …….. ,Zone N.
The CRAS consists of multiple anomaly detectors such as Anomaly detector A, Anomaly detector B,
………,Anomaly Detector N for different zones. The input to the anomaly detector are of three kinds
given below;
Mathematically,
Cyber
𝑋𝑎 = [ 𝑋⏟ ⏞
𝑙𝑎 , 𝐶𝑙𝑎 , 𝑋
⏟𝑟𝑎 ]
Local Redundant
𝑋𝑙𝑎 = [𝑉𝑔𝑎 , 𝐹𝑔𝑎 , (𝑉1𝑎 , 𝑉2𝑎 , 𝑉0𝑎 )𝑖 , (𝑉1𝑎 , 𝑉2𝑎 , 𝑉0𝑎 )𝑗 ]
𝐶𝑙𝑎 = [𝑠𝑘𝑎 , 𝑡𝑘𝑎 ]
Online process:
1. Derived Feature computation: Transient disturbances due to cyber-attack and line faults
might look similar from a power system prospective. But They have unique signature
embedded in PMU measurements. So its important to calculate some derived features
′ ′ ]) ′ 𝑑𝑋𝑙𝑎
([𝑋𝑙𝑎 , 𝐶𝑙𝑎 from local pmu measurements ([𝑋𝑙𝑎 , 𝐶𝑙𝑎 ]) where 𝑋𝑙𝑎 = [|𝑋𝑙𝑎 |2 , Δ𝑋𝑙𝑎 , 𝑑𝑡
] is
computed from 𝑋𝑙𝑎 as given below;
|𝑋𝑙𝑎 |2 = [|𝑉𝑔𝑎 |2 , |𝐹𝑔𝑎 |2 , [|𝑉120𝑎 |]2𝑖 , [|𝑉120𝑎 |]2𝑗 ]
Δ𝑋𝑙𝑎 = [Δ𝑉𝑔𝑎 , Δ𝐹𝑔𝑎 , Δ[𝑉1𝑎 , 𝑉2𝑎 , 𝑉0𝑎 ]𝑖𝑗 ]
𝑑𝑋𝑙𝑎 𝑑𝑉𝑔𝑎 𝑑𝐹𝑔𝑎 [𝑑𝑉1𝑎 , 𝑑𝑉2𝑎 , 𝑑𝑉0𝑎 ]𝑖𝑗
=[ , , ]
𝑑𝑡 𝑑𝑡 𝑑𝑡 𝑑𝑡
′
And 𝐶𝑙𝑎 is computed as follows.
′
𝐶𝑙𝑎 = [𝑀(Δ𝑠𝑘𝑎 ), 𝑀(Δ𝑡𝑘𝑎 ), 𝑆(Δ𝑠𝑘𝑎 ), 𝑆(Δ𝑡𝑘𝑎 )]
𝑙
1
𝑀(𝑥) = (∑ 𝑥𝑖 )
𝑙
𝑖=1
Here 𝑀(Δ𝑠𝑘𝑎 ) is moving average of change in packet size and 𝑀(Δ𝑡𝑘𝑎 ) is moving average of
time difference between two consecutive packets and 𝑆(Δ𝑠𝑘𝑎 ), 𝑆(Δ𝑡𝑘𝑎 ) are their standard
deviations.
Here (A) and (B) represent time series values of phase angle difference of two bus voltages
during a pulse and a ramp attack on a generator. Mode 1 of VMD provides rough estimation
of states whereas Mode 2,3,4 represent extracted medium and high frequency components
of the original signals which signifies higher order transients presence in the original content.
1. Since false prediction may lead CRAS to take inappropriate action, accuracy of the anomaly
detector is very important. VMD-DT exhibits superior performance.
2. VMD based feature selection helps to find relevant features embedded in the PMU
measurements during both cyber and physical events.
3. In order to tune the Machine learning parameters ,cross validation is used which improves
classifier performance.
4. Processing time is in the range of Micro-seconds which is acceptable for back-up decision.