
Cyber-Physical Anomaly Detection Using Machine Learning

Three main contributions of this paper

1. Cyber-physical anomaly detection system (CPADS) using PMU measurements and network
packet data, and application of Variational Mode Decomposition (VMD) and Decision Tree (DT)
2. Rule-based feature selection using Filter and Wrapper methods for classification
3. Detailed performance during both cyber and physical events using Hardware-in-loop (HIL)

Using this CPADS, a centralized Remedial Action Scheme (CRAS) is developed, which operates in
the following steps:

1. CRAS collects PMU data at regular intervals
1.1. Relay status
1.2. Line flows
1.3. Generator outputs
2. It gets triggered during a line outage and checks the operation transfer capability (OTC) limit of
critical adjacent lines in that zone
3. If the line flows exceed their OTC limit, then CRAS curtails the generation, which prevents thermal
overloading in adjacent lines
4. CRAS restores the generation once the fault is cleared.

Types of events:

1. Cyber events
1.1. Generation altering attacks
1.1.1. Pulse attacks
1.1.2. Ramp attacks
1.2. Malicious tripping attack
1.3. False data injection (FDI) attacks
1.4. Denial of service (DoS) attacks
1.5. Coordinated cyber attack
1.5.1. FDI attack followed by a malicious tripping attack
1.5.2. FDI followed by a pulse or ramp attack
2. Physical events
2.1. Line faults
2.1.1. Symmetrical
2.1.2. Asymmetrical

Proposed architecture and methodology:

The whole power system is divided into different substation zones: Zone A, Zone B, ..., Zone N.
The CRAS consists of multiple anomaly detectors (Anomaly Detector A, Anomaly Detector B,
..., Anomaly Detector N), one for each zone. The inputs to an anomaly detector are of the three kinds
given below:

1. Local PMU measurements ($X_{la}$)
a. Positive sequence generator bus voltage ($V_{ga}$)
b. Generator frequency ($F_{ga}$)
c. Positive, negative and zero sequence bus voltage at the sending and receiving ends of
critical transmission lines $(V_{1a}, V_{2a}, V_{0a})_i$, $(V_{1a}, V_{2a}, V_{0a})_j$
2. PMU network properties ($C_{la}$)
a. Packet size ($s_{ka}$) with a timestamp ($t_{ka}$) of incoming synchrophasor network packets
from different substation zones
3. Redundant PMU measurements ($X_{ra}$)
a. Same measurements as the local PMU, from other substation zones

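Mathematically,

$$X_a = [\underbrace{X_{la}}_{\text{Local}},\ \overbrace{C_{la}}^{\text{Cyber}},\ \underbrace{X_{ra}}_{\text{Redundant}}]$$

$$X_{la} = [V_{ga}, F_{ga}, (V_{1a}, V_{2a}, V_{0a})_i, (V_{1a}, V_{2a}, V_{0a})_j]$$

$$C_{la} = [s_{ka}, t_{ka}]$$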

[Figure: flowchart of the offline and online processes. Offline process: generation of data set using HIL set-up; data pre-processing (1. data cleaning, 2. normalization, 3. feature selection); model training using Decision Tree; offline model testing. Online process: in the local substation zone, local PMU measurements and network information pass through Variational Mode Decomposition, input feature selection and event classification using DT (Normal, FDI, DoS, Line faults, Pulse/Ramp attacks); other substation zones follow the same process as the local substation zone; the different events feed a rule-based decision logic whose outputs are Normal, Single cyber attack, Coordinated cyber attacks and Line faults.]

Offline Process:

1. Labelled data set generation
a. A library of datasets is generated using a HIL set-up. Real-time simulation of various
cyber-physical situations (cyber-attacks and faults) is done with assigned labels.
b. $L_m = (U, V)_m$ of $L$ samples for a classification model $m$, where $U = [f_1, f_2, \dots, f_p]$ is a
set of $p$ features and $V$ is a set of labels corresponding to $U$.
2. Data pre-processing (eliminate irrelevant features)
a. Data cleaning
b. Data normalization of $f_i[j]_{j=1}^{Z}$, $i \in \{1, P\}$, enhances smoothness and improves
homogeneity among features
c. Rule-based feature selection
i. Filter method: Best First Search (BFS): select relevant features from $U$ which
are weakly correlated among themselves and strongly correlated to $V$.
ii. Wrapper method: Pearson's correlation coefficient technique to quantify the
degree of correlation among features of $U$.
3. Training module
a. A random decision tree classifier generates tree branches by splitting $L_m''$ into small
subsets until each part contains samples of one class label only
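
An added example (not from the paper or the original page) of the selection criterion in step 2c: keep features that are strongly correlated with $V$ and weakly correlated with each other, measured with Pearson's coefficient. The greedy ranking is a simplified stand-in for Best First Search, and the binary labels, thresholds, feature names and sample values are assumptions constructed for illustration.

```python
from math import sqrt

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)

def select_features(U, V, min_label_corr=0.4, max_pair_corr=0.9):
    """Greedy selection; both thresholds are assumed values.

    U: dict mapping feature name -> list of values (one per sample).
    V: numeric labels, one per sample.
    """
    relevance = {f: abs(pearson(col, V)) for f, col in U.items()}
    chosen = []
    # Visit features from most to least label-relevant.
    for f in sorted(relevance, key=relevance.get, reverse=True):
        if relevance[f] < min_label_corr:
            continue                      # weakly correlated to V: drop
        if all(abs(pearson(U[f], U[g])) < max_pair_corr for g in chosen):
            chosen.append(f)              # not redundant with earlier picks
    return chosen

# Constructed sample: 8 labelled windows, V = 0 (normal) or 1 (event).
V = [0, 0, 0, 0, 1, 1, 1, 1]
U = {
    "dVg_dt": [0, 1, 0, 1, 8, 9, 8, 9],
    "dFg_dt": [0, 1, 0, 2, 8, 9, 8, 9],   # nearly duplicates dVg_dt
    "S_dt":   [0, 0, 1, 0, 1, 0, 1, 1],   # weaker but independent signal
    "M_ds":   [1, 2, 1, 2, 1, 2, 1, 2],   # unrelated to the label
}

if __name__ == "__main__":
    print(select_features(U, V))
```

The redundant `dFg_dt` is rejected because of its correlation with `dVg_dt`, while the weaker `S_dt` survives because it carries information the first pick does not.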

Online process:

1. Derived feature computation: Transient disturbances due to cyber-attacks and line faults
might look similar from a power system perspective, but they have unique signatures
embedded in PMU measurements. So it is important to calculate some derived features
$[X'_{la}, C'_{la}]$ from the local PMU measurements $[X_{la}, C_{la}]$, where
$X'_{la} = [|X_{la}|^2, \Delta X_{la}, \frac{dX_{la}}{dt}]$ is computed from $X_{la}$ as given below:

$$|X_{la}|^2 = [|V_{ga}|^2, |F_{ga}|^2, [|V_{120a}|]^2_i, [|V_{120a}|]^2_j]$$

$$\Delta X_{la} = [\Delta V_{ga}, \Delta F_{ga}, \Delta[V_{1a}, V_{2a}, V_{0a}]_{ij}]$$

$$\frac{dX_{la}}{dt} = \left[\frac{dV_{ga}}{dt}, \frac{dF_{ga}}{dt}, \frac{[dV_{1a}, dV_{2a}, dV_{0a}]_{ij}}{dt}\right]$$

And $C'_{la}$ is computed as follows:

$$C'_{la} = [M(\Delta s_{ka}), M(\Delta t_{ka}), S(\Delta s_{ka}), S(\Delta t_{ka})]$$

$$M(x) = \frac{1}{l}\left(\sum_{i=1}^{l} x_i\right)$$

Here $M(\Delta s_{ka})$ is the moving average of the change in packet size, $M(\Delta t_{ka})$ is the moving average of
the time difference between two consecutive packets, and $S(\Delta s_{ka})$, $S(\Delta t_{ka})$ are their standard
deviations.
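
An added example (not from the paper or the original page) that computes the four network features described above, the moving average and standard deviation of the change in packet size and of the inter-packet time, over a sliding window of length l. The function names, millisecond timestamps, population standard deviation and sample stream are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def derived_network_features(packets, window):
    """Return one (M(ds), M(dt), S(ds), S(dt)) tuple per full window.

    packets: (timestamp_ms, size_bytes) pairs in arrival order.
    window:  l, the number of consecutive differences per window.
    """
    # Change in size and in arrival time between consecutive packets.
    ds = [b[1] - a[1] for a, b in zip(packets, packets[1:])]
    dt = [b[0] - a[0] for a, b in zip(packets, packets[1:])]
    rows = []
    for end in range(window, len(dt) + 1):
        w_ds, w_dt = ds[end - window:end], dt[end - window:end]
        # Population standard deviation is an assumption; the page
        # does not say which estimator is used.
        rows.append((mean(w_ds), mean(w_dt), pstdev(w_ds), pstdev(w_dt)))
    return rows

def constructed_stream():
    """Constructed sample: 10 steady frames, then 4 disturbed ones."""
    steady = [(20 * i, 74) for i in range(10)]   # 20 ms spacing, 74 bytes
    disturbed = [(300, 74), (320, 106), (540, 74), (560, 74)]
    return steady + disturbed

if __name__ == "__main__":
    for row in derived_network_features(constructed_stream(), window=4):
        print("M(ds)=%6.1f  M(dt)=%6.1f  S(ds)=%6.2f  S(dt)=%6.2f" % row)
```

On the steady part of the stream both standard deviations are zero; once delayed and resized frames enter the window, the mean inter-packet time and both deviations rise, which is the kind of signature the classifier is trained on.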

2. Variational Mode Decomposition (VMD) based feature extraction:
a. Extract distinctive features by decomposing a multi-component signal into sub-signals,
which are called band-limited intrinsic mode functions (IMFs).
b. A VMD function is defined to calculate $K$ decomposed modes,
$\{\text{mode } 1, \text{mode } 2, \cdots, \text{mode } K\} = \{u_1 \cdots u_K\}$, from $N_s$ samples as

$$\{u_1, u_2, \dots, u_K\} = \mathrm{vmd}(u(t), \alpha, K, Tol)$$

where $\alpha$ is the bandwidth constraint, $u(t) \in (X_{la}, X_{ra})$, $K$ is the mode count and $Tol$ is the
convergence tolerance limit.
c. The VMD of the phase angle difference of the voltages of two buses during a ramp
attack and a pulse attack, using 4 decomposed modes, is given below.

Here (A) and (B) represent time series values of the phase angle difference of two bus voltages
during a pulse and a ramp attack on a generator. Mode 1 of the VMD provides a rough estimation
of states, whereas Modes 2, 3 and 4 represent the extracted medium and high frequency components
of the original signals, which signify the presence of higher-order transients in the original content.

Advantages of this method:

1. Since a false prediction may lead CRAS to take inappropriate action, the accuracy of the anomaly
detector is very important. VMD-DT exhibits superior performance.
2. VMD-based feature selection helps to find relevant features embedded in the PMU
measurements during both cyber and physical events.
3. To tune the machine learning parameters, cross-validation is used, which improves
classifier performance.
4. Processing time is in the range of microseconds, which is acceptable for back-up decisions.
