Proceedings of the 5th International Conference on Smart Systems and Inventive Technology (ICSSIT 2023)
IEEE Xplore Part Number: CFP23P17-ART; ISBN: 978-1-6654-7467-2
A Review on Cyber Security and Anomaly
Detection Perspectives of Smart Grid
M. Ravinder
Research Scholar,
2023 5th International Conference on Smart Systems and Inventive Technology (ICSSIT) | 978-1-6654-7467-2/23/$31.00 ©2023 IEEE | DOI: 10.1109/ICSSIT55814.2023.10060871
De pt. of Information Technology,
MPSTME, NMIMS University,
Mumbai, Maharashtra, India
Email: ravinder.m013@nmims.edu.in
Abstract- The substantial study that has been done
for almost ten years on various power system issues
has led to the smart grid (SG), which is now being
adapted in nations all over the world. Utilities play
an important role as operators of critical
infrastructure systems and provides of essential
services. Cyber-attacks may damage power grid
due to which widespread infrastructure failures
may occur. The adoption of smart communication
in such critical components, on the other hand,
quickly raised a cyber-security risk that needed to
be addressed. The cyber threat causes great danger
to smart applications and may lead to the physical
damage too. This study assesses and reports on
cutting-edge methods for identifying cyber-attacks
in SG areas, with a particular emphasis on
machine learning-based systems.
Keywords- SG, anomaly, security,
consumption, and energy theft.
I. INT RODUCT ION
Autonomous and intelligent applications are at high
risk due to the current state of the cyber threat
landscape. A cyber-attack is any action taken by
cybercriminals with malicious goals in mind. The
prime agenda of to launch a cyber-attack using various
methods is to steal data, destroy information, change
the data, disable the nodes, and achieve financial gain.
The STUXNET attack in 2009, which targeted the
Iranian nuclear reactor in Tatanz, was one of the
earliest known cyberattacks to really cause physical
harm in [1]. According to estimates, the amount of
damage that was shown cost Iran's nuclear programme
five years of advancement. The worm had a high level
of intelligence, and it was able to bypass the
precautions that had been put in place to secure the
operational technology network. There was a Cyber
Attack in year 2013 on Hydropower Generation in
New York, USA. A Cyber Attack was identified in
December, 2014 on Korea Hydro and Nuclear Co
Limited In Dec 2016 Ukraine power grid was
attacked, attack was based installation of Black-energy
3 malware. This resulted in switching off of 30
substations and affected 2,30,000 people.
Various ways of cyber-attacks on power systems
network can target on phasor measurement units,
phasor data concentrator, Intelligent electronic
devices, smart meters, computer network, servers and
communication networks. Isolating a network from
the Internet does not, however, usually provide
978-1-6654-7467-2/23/$31.00 ©2023 IEEE
Authorized licensed use limited to: ULAKBIM UASL - Altinbas Universitesi. Downloaded on April 04,2023 at 17:28:51 UTC from IEEE Xplore. Restrictions apply.
Vikram Kulkarni
SMIEEE, Assistant Professor
Dept. of Information Technology,
MPSTME, NMIMS University,
Mumbai, Maharashtra, India
Email: vikram.kulkarni@nmims.edu
sufficient security [2] . As a result, more sophisticated
techniques have been created that focus on observing
and identifying abnormal network behaviour through
the correlation of numerous data sources and the use
of machine learning in [3]. In the perspective of
anomaly detection, this study discusses about various
methods available for identifying cyberattacks on SG
in this survey.
The discussion of these numerous techniques and
methodologies is built upon anomaly detection. In
section II, presents the summary of SG and contrasting
it with the conventional power system. The threat
model depicted in the third section simulates the threat
agents and attack surfaces of the SG. Then, in the
section after that, section IV, we'll discuss a number of
data sources that were used as input. This study
examines the popular machine learning-based
anomaly detection techniques in the context of SG in
power
part V, which comes after section IV. Last but not
least, we summarise key gaps and potentially
unresolved issues in section VI to conclude the survey.
II. SMART GRID
The SG will alter both how customers receive their
energy and how they might recoup their costs from the
system. Traditional power grids frequently only have
one communication channel connecting the power
plant to the grid's final consumers. This topology has
certain drawbacks, though:
 Having trouble achieving electricity
demand expectations with the current
infrastructure.
 Balancing the produced energy's load
because it must be utilised right away.
 Difficulties in boosting the ability to meet
demand
 Manual inspection of the
electromechanical metering system is
required.
The SG design, on the other hand, combines a wide
range of elements, including distributed sensors,
automated billing systems, smart digital metering
systems, and renewable energy stations. Through a
variety of methods, a user can contribute to the system
and the generation of electricity (thus receiving the
credit from this contribution).
The numerous vertical domains may communicate
with each other in both ways thanks to SG, which
improves the grid's dependability and functionality.
Dynamic brakes and distributed power storage within
the power producing elements would communicate
692
 Proceedings of the 5th International Conference on Smart Systems and Inventive Technology (ICSSIT 2023)
IEEE Xplore Part Number: CFP23P17-ART; ISBN: 978-1-6654-7467-2
with one another to boost or lower the amount of
power generation, depending on how much power was
being utilised by the grid, accordingly. A crucial
component of the grid's information flow system is
communication. It can be done using wired media or
solely using electronic signals (wireless). Modern
control features are required to monitor the grid's
health state and detect any alteration that might be
made to reach this objective
The topic of time series anomaly detection in smart
grids was surveyed by the authors' Zhang et al. [4],
with an emphasis on supervised, unsupervised, and
neural network ML approaches. However, we believe
that thorough studies on anomaly identification in the
SG are still lacking in the literature, which is what
initially motivated us to conduct this investigation. We
look at the data points that are existing in an SG
environment, assess the threats to SG from the
standpoint of cyber-attack vectors, and evaluate the
various machine learning algorithms that have been
proposed to prevent such attacks.
III. THREAT MODELING
Smart technology in SG includes smart metering,
IoT, intelligent electronics devices (IED’s), automated
relays, and dynamic power controllers devices have
opened up a new attack surface. Due to the lack of
privacy and security safeguards in the devices, smart
grid operators may be at risk. After taking advantage
of a weakness in the network that allows Ukraine's
electrical firms to communicate with one another, the
crooks went on to the nation's industrial control
systems (ICS). The attack made use of the malicious
programme known as Black Energy [5]. This malware
included a wiper component, which damaged the
master boot record and destroyed the contents of
specific folders on target systems, making the system
unavailable. The human machine interface (HMI) was
disabled using this technique, and it was also claimed
that the server's uninterruptible power supply (UPS)
were planned to be disconnected.
Different threats to SG systems are represented by
various attack surfaces. Examples of these attack
vectors from the literature are given in Table I.
False data injection (FDI) is the introduction of
inaccurate data, either on the consumer side or the
producer side leading in energy theft and manipulating
energy tariff. The integrity of the data is compromised
by this kind of attack [6], [7].
 Attacks that deprive users of services (denial of
service, or "DoS") involve attacking the dynamic
breaker or any controller with demands until it
reaches its breaking point in [8],
 Attacks on circuit breakers known as "load drop
attacks" have the potential to alter the load
distribution and ultimately cause a failure in
residential structures [9].
 Attackers can trip one line of transmission in a
relay setting attack by compromising the other
line [10], [11].
978-1-6654-7467-2/23/$31.00 ©2023 IEEE
Authorized licensed use limited to: ULAKBIM UASL - Altinbas Universitesi. Downloaded on April 04,2023 at 17:28:51 UTC from IEEE Xplore. Restrictions apply.
TABLE I. AT T ACK VECT OR
S.No Attack Vector References
False Data [6],[7],[13],[16],[17],[26],
1
Injection (FDI) [32]
2 Energy Theft [12],[24],[33]
3 Load Attack [9]
Relay Setting [11]
4
Attack
IV. SOURCES OF DATA
A wide range of data points are reviewed in this
part, and the outcomes are summarised in table II. Due
to the SG ecosystem's diversity of components and
wide range of manufacturers even if the device being
used is of the same type, having multiple
manufacturers make it can result in a non-unified data
structure. In order for the data to be utilised as input in
the machine learning model, it is necessary for the
data to first undergo pre-processing. In table II, we
present some illustrations of varied datas ets that have
been the subject of discussion in the scholarly
literature.
TABLE II. DAT A SET S USED IN DAT A PROCESSING
S.NO Data Source References
State Estimation [6],[16],[17],[25],[26][3
1
2]
2 Energy Consumption [11],[31]
3
Phase Measurement [22]
Unit (PMU)
You can engineer the extraction of features from
data sources, which requires prior domain knowledge
(Power/Cyber), or you can use machine learning-based
algorithms to extract features from data sources. The
extraction of characteristics from SG data sources was
accomplished using a variety of methodologies. For
instance, the researchers [12] used semi-supervised
learning while the authors of [13] used neural
networks. The process of feature extraction also
included Principle Component Analysis (PCA), a well-
known model that is utilised on a regular basis for the
purpose of dimensionality reduction in [14],[15] and
[16]. Additionally, in order to enhance the model's
processing efficiency and optimise the selection of
features, methods including Cuckoo Search, Generic
Algorithm, and Practical Swarm Optimization were
used in [17].
A. Advanced Metering Infrastructure
The count response variables in the data sources
provided by the SG's Advanced Metering
Infrastructure (AMI) reflect the total number of
instances of an event that can be either binary or fault
or mistake that occurs during a time span in [18].
These incidents are worth nothing by itself;
nevertheless, taken as a whole, they can show an
unusual trend. The transferred data was encrypted
using homomorphic encryption (HE) to safeguard the
privacy of the consumer's power usage statistics, which
Smart Meters generally communicate in plaintext [19].
The adoption of smart meters and the infrastructure
that supports them can help to ease communication
between customers and power distribution units. The
Smart Meter error count at the customer's premises was
used as a data source with the aim of finding anomalies
693
 Proceedings of the 5th International Conference on Smart Systems and Inventive Technology (ICSSIT 2023)
IEEE Xplore Part Number: CFP23P17-ART; ISBN: 978-1-6654-7467-2
[20]. The mistake count might have been lost in the the amount of electricity that is consumed, the model is
transmission, though. There has been speculation that trained to combine past data that is obtained from the
the data is based on Bernoulli distribution, which is day-to-day electrical consumption of consumers. This
subject to the system's anomalous state. To account for data is acquired in order to create the model.
the missing error count, this has been done.
AMI network traffic is considered by Tomasz
Additionally, the dataset [19] from The Pecan Street
Project, which contained the data on local load Andrysiak, et al. [15] using a number of statistical
methodologies, one of which being Cook's. AMI
management produced by SM at consumers, was fed
into the anomaly detection algorithm. In addition, network traffic was examined for anomalies using
Cook's distance, and any outlier data was removed to
abnormalities in power consumption are found using
the consumption and billing data generated by the AMI make the network traffic normal. After smoothing the
data with Holt's model, one may then make predictions
between SM and utility companies.
about time series using another model.. Bollinger
Equipment power consumption data produces Bands were used to identify any potential
information about the power usage of linked devices, abnormalities when the normalised data and the actual
including the DC power supply and relay protection in readings were compared. It has been proposed to
[11]. Electricity generation panels known as update the normalised model to take into account the
photovoltaics (PV) were used as data points. In variability of the data.
addition, meteorological information such as IR TABLE III. A SURVEY OF DIFFERENT MACHINE
radiation, temperature, wind speed, and direction can LEARNING T ECHNIQUES
be used to provide contextual information. In addition, Machine
Techniques References
a technique for assessing the voltage signals at certain Learning
grid nodes using the IEC 61750-9-2 LE protocol was Fourier Transform [18]
proposed in [10]. The nodes are to provide three-phase Statistical
Cooks Distance [15]
voltage measurements via TCP connection can become Statistical [13]
weak points. Optics [20]
K-Nearest Nieghbor KNN [11],[17],[25]
B. Phase Measurement Unit Decision Tree DT [11] ,[27]
A Phase Measurement Unit (PMU) is used in a SG Support Vector Machine [7],[11], [17]
Supervised
(SVM)
to monitor the voltage phase angle and perform
Gradient Boosting [24]
diagnostic and control duties in [21]. Additionally, the
Random Forest [28] ,[29]
ML model that was reported in [22] used the micro- Semi- Autoencoders- Generative [26]
PMU data that was collected by the Lawrence Supervised Adversarial Network
Berkeley National Laboratory as input. E Forrest [11],[16]
DBN,RBM [6]
C. Other Sources Unsupervised
One Class Support Vector [27],[23]
In order to provide measurements from loads, Machine (OCSVM)
capacitor banks, transmission lines, and generators for Auto Encoders [7],[31],[35]
use as data sources using IEEE buses, Abdulrahman Convolutional neural [29] ,[33]
Takiddin et al [6] proposed modelling an SG. Huge network (CNN)
amounts of data, including IP addresses, port numbers, Artificial Neural Network [12] ,[17]
lengths of data in smart home networks, and data Recurrent Neural Network [31],[32]
communication, are stored in the utility centre. Data (RNN)
Deep Learning
Long Short Term Memory [1],[6],[31]
can be gathered on an hourly basis to look for DoS
(LSTM)
attack patterns.
GRU [31]
Minimum Description [3]
V. ANOMALY DETECTION ALGORITHMS
Length
In this section of the manuscript, we'll look at a Minimum Steiner Tree [36]
number of methods that are widely used in the SG
system for finding abnormalities. Table III below B. Supervised Learning
provides a quick reference breakdown of the various Regression and classification, which are both
research methodologies into their core steps. achieved by training on labelled datasets, are the main
areas of interest for problem-solving in supervised
A. Statistical Technique machine learning (ML). A supervised ML is the
The Fourier Transformation is used as an example Support Vector Machine (SVM). To maximise the
of statistical analysis of data to discover irregularities separation between two or more classes, this model
in [18]. This type of analysis has a tendency to present creates a hyperplane. SVM is used in the process of
the data as a function of time or place. Analysing data classifying electricity usage in [11]. The SVM model
from a wide variety of domains can be really helpful. shown in [18],[30] takes as its input the data that is
The departure of the time threshold serves as the necessary for performing state estimation. The four
foundation for anomaly identification, which distinct supervised machine learning methods that were
ultimately leads to the creation of a periodic time series utilised are as follows: J-Ripper, One R, Random
model. Forest, and Naive Bayes. The results of the research
showed that Random Forest produced the most
The Gaussian model is widely recognised as being
favourable outcomes. The article [24] analyses and
among the most effective statistical methods for
compares three different types of boosting: mild
modelling any natural observation. In order to model
gradient boosting, categorical boosting, and extreme

978-1-6654-7467-2/23/$31.00 ©2023 IEEE 694

Authorized licensed use limited to: ULAKBIM UASL - Altinbas Universitesi. Downloaded on April 04,2023 at 17:28:51 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the 5th International Conference on Smart Systems and Inventive Technology (ICSSIT 2023)
IEEE Xplore Part Number: CFP23P17-ART; ISBN: 978-1-6654-7467-2
gradient boosting. The outcomes of this study are used
to suggest a classification method called gradient
boosting. The performance of Light GBM was superior
to that of the other two algorithms.
Similar to this, the K-Nearest Neighbors model
determines the separation between the training and test
sets using either Manhattan or Euclidean distances. K-
Nearest Neighbors is used in this instance to estimate
the state in [17]. Robust K-Nearest Neighbors
technique was suggested by et al. [25] as a way to
lessen the significant sum square errors of data points
that must be handled through state estimation. An
improved variant of the KNN method called Extended
Nearest Neighbor predicts a classification based on
data that is state-driven from an estimate. ENN makes
use of both local and global neighbours to learn the
distribution of classes globally. Neural Networks that
had been trained under supervision were used to the
problem of identifying energy fraud in [12] using the
load profiles that had been generated.
C. Semi-Supervised Learning
When performing machine learning with a semi-
supervised approach, both labelled and unlabelled data
are utilised in order to train the model. As a
consequence of this, the model is less reliant on data
that has been labelled. In [26], there is a proposal for a
fascinating semi-supervised model that makes use of
an auto encoder and a Generative Adversarial
Network. The Generative Adversarial Network (GAN)
fabricates forged data by means of a min-max
adversarial game, in this first neural network acts as
the generator and second acts as the discriminator. This
results in the production of artificial data that is similar
to real data.
D. Unsupervised Learning
Unsupervised learning is not dependent on labelled
data to train the model, in contrast to supervised
machine learning. As a result, the model may be
utilised to more quickly identify anomalies in the SG
environment. An unsupervised machine learning
technique called clustering makes an effort to classify
the data into specified groupings. K-mean, one of the
most well-liked data clustering algorithms, was used to
group IP traffic gathered from the utility centre and the
network for Smart Homes. Isolated Forest was used to
analyse state estimation data in [16] to find FDI
attacks. The system is based on the notion that
abnormal observations, which are defined as
observations with short average route lengths, may be
discriminated from an ensemble of trees from the
dataset. The state of a system can be represented as a
collection of variables using Dynamic Bayesian
Networks (DBN), a kind of probabilistic graphical
model.
The authors in [6], consider a DBN-based
framework is used to calculate the likelihood that a
new symbol will occur, with the assumption that the
model meets the Markov condition. In this case, the
Restricted Boltzmann Machine (RBM), which is
designed to describe ambiguous data distributions, was
utilised to estimate the energy of the bus's systems. The
RBM, which is primarily in charge of identifying
cyberattacks based on these two variables, classifies a
978-1-6654-7467-2/23/$31.00 ©2023 IEEE
Authorized licensed use limited to: ULAKBIM UASL - Altinbas Universitesi. Downloaded on April 04,2023 at 17:28:51 UTC from IEEE Xplore. Restrictions apply.
low probability event with a high energy level as an
anomaly. One-Class Support Vector Machine was
employed in [27], as opposed to SVM, which is often a
supervised machine learning model. This was done in
order to analyse data obtained from a made-up smart
grid setting. The model was demonstrated to be more
effective than the supervised techniques of decision
trees and random forests.
E. Reinforcement Learning
This model makes decisions regarding its
surroundings and is rewarded for wise choices and
penalized for foolish ones. A two-player Markov
multistage game in the SG was used to first propose
this particular machine learning technique in [28].
Each player receives their awards at the conclusion of
each session after taking turns playing the defensive or
offensive roles. The model is utilised to determine
whether or not there was a loss of generation or
disruptions to transmission lines as a result of a
cascaded attack on IEEE 6-bus and IEEE 39-bus.
F. Deep Learning
Deep learning is a technique that can be used in
conjunction with machine learning's supervised and
unsupervised learning classes. In [30], a feedforward
ANN training was executed using the whale
optimization algorithm. This was done so that the
model would have the most accurate weights and
biases possible. This is very useful in categorizing
threats and identifies faults in power system
operations.
The encoder-decoder architecture [31] uses RNN,
and the input is a time series of data on electricity
demand. The method contrasted Gated Recurrent Unit
and LSTM neural networks as the RNN model's
hidden layers. In terms of precision, the GRU
technique outperformed LSTM and was faster to train.
A permutation of the Manhattan distance and edit
distance is suggested to estimate anomalies. RNNs
were employed in [32] to detect FDI attacks using
power state estimation.
Wide-ranging and in-depth convolutional neural
network (CNN) architecture is recommended in [30] as
it is useful method for detecting energy theft. In the
proposed research neural network makes an effort to
acquire global knowledge by analysing data on
everyday consumption in a 1-dimensional space. The
Deep ones have accomplished this by dividing it up
into weekly consumption. The author in [33] proposed
CNN that attempts an effort to forecast both typical
and atypical levels of demand for electricity in two-
dimensional space. In addition, the paillier
homomorphic cryptosystem algorithm was utilised
with CNN over data on energy consumption in order to
prevent energy theft while protecting the privacy of the
users. One of the distinguishing characteristics of auto-
encoders is the complete connectivity of all of its
hidden layers. Auto-encoders are a type of neural
network that may be trained to repeat the properties of
the input in the form of output. Deep auto-encoders,
which are essentially auto-encoders with numerous
buried layers, are utilised in one technique for spotting
anomalies, which is based on the PMU in .The model
is initially trained with the use of historical data;
695
 Proceedings of the 5th International Conference on Smart Systems and Inventive Technology (ICSSIT 2023)
IEEE Xplore Part Number: CFP23P17-ART; ISBN: 978-1-6654-7467-2
afterwards, new samples are incorporated. After then,
the inaccuracy in the model's reconstruction is
calculated so that anomalies can be found.
G. Graphical Models
The practise of discovering abnormalities through
the utilisation of data visualisation is known as graph-
based anomaly detection. The vertices and edges of the
dataset are utilised in the construction of the graph.
The authors of the paper [13] created a network with
nodes representing the devices, the home, the grid, and
the generator and edges representing the presence of
the room and the consumption of gadgets. When it
connects two primary household nodes, the
substructure of a node acts as a representation of a
house. The Minimum Description Length, Graph-
based anomaly detection approach is used to locate the
subgraph with the highest level of repetition. Once this
is accomplished, the subgraph is labelled as typical.
The algorithm then begins its search for the unusual
subgraphs by comparing all of the other subgraphs to
the subgraph that is considered to be the norm. High -
frequency filtering is used to find anomalies; with this
method, results with large numbers indicate the
presence of abnormalities.
In the study [34], a novel approach to the dynamic
graph is presented. This method constructs a graph
from the active devices of the grid by using active grid
buses as vertices and active grid devices as nodes.
Every time the graph is used using this way, it
becomes dynamic. In this method, the Line Outage
Distribution Factor was first used, and then temporal
weighting based on the distance and weights of the
graph, as well as anomaly detection. According to [36],
modelling the system and employing a Minimu m
Steiner Tree—a network with a limited overall
distance between its edges and a predetermined set of
vertices—allows for the identification of FDI assaults.
H. Other Techniques
A rule-based classifier, a voltage gradient classifier,
and a technique for spotting anomalies in low voltage
values were all suggested by the authors in [9]. The
phase voltage values of the samples that are being
received are buffered to a particular window. Voltage
values must be validated and contrasted with EN
50160 in order to satisfy the rule-based classifier.
When the threshold value provided by EN 50160 is
exceeded, the voltage gradient classifier is able to
identify any irregularities that have occurred inside the
voltage window.
A method for identifying unusual occurrences in
the data obtained from the SM load management
system. First, frequent occurrences associated with
each SM in the data are found using association rule
mining in order to provide a list of transactions
(segments). The A priori method is used on the most
frequent items to produce each transaction in a list of
frequent item sets. The item set appearing in more than
one segment is thought to be standard behaviour,
although the additional occurrence might not be. When
performing clustering on the common item set after
taking into account contextual information, such as
whether or not it is a weekend or a weekday, the
entropy minimization strategy is utilised.
978-1-6654-7467-2/23/$31.00 ©2023 IEEE
Authorized licensed use limited to: ULAKBIM UASL - Altinbas Universitesi. Downloaded on April 04,2023 at 17:28:51 UTC from IEEE Xplore. Restrictions apply.
VI. CONCLUSION
The most frequent types of cyberattacks against
smart grids include load drop assaults, denial of service
attacks, and bogus data injection. In this article, we
examined a variety of anomaly detection techniques
that can be used to protect SGs from these attacks. The
findings of applying dimensionality reduction and
feature removal through a procedure were promising in
terms of the ratio of true positives to false positives.
When it comes to anomaly detection in SG,
unsupervised methods are more prevalent than
alternative ones. This is due to the difficulty in
obtaining labelled data in this field of study, which is
one of the reasons unsupervised approaches are
preferred. Furthermore, there is a clear dearth of
research on hybrid techniques in the area. Integrating
two or more anomaly detection techniques is necessary
to get better results. Hybrid approaches demonstrated a
number of benefits over the conventional strategy,
which consisted of either employing either supervised
or just unstructured models. Recent research initiatives
made by the community of researchers in this area and
the expanding cybersecurity industry's solutions to the
user entity behavioural analysis challenge are blatant
signs of this trend. The proactive defensive strategies
used in modern cybersecurity are increasingly
including anomaly detection technologies.
REFERENCE
[1] M. Zhou and P. Musilek, “Real-Time Anomaly Detection in
Distribution Grids Using Long Short -T erm Memory
Network,” 2021 IEEE Electr. Power Energy Conf. EPEC
2021, pp. 208–213, 2021.
[2] S. V. Oprea, A. Bara, and G. D. Ene, “Machine Leaning
Algorithms and T ime Series Feature Extraction Library for
Electricity Consumption Fraud Detection in Smart Grids,”
2021 25th Int. Conf. Syst. Theory, Control Comput. ICST CC
2021 - Proc., pp. 510–514, 2021.
[3] L. Mookiah, C. Dean, and W. Eberle, “Graph-based anomaly
detection on smart grid data,” FLAIRS 2017 - Proc. 30th Int.
Florida Artif. Intell. Res. Soc. Conf., pp. 306–311, 2017.
[4] J. E. Zhang, D. Wu, and B. Boulet, “T ime Series Anomaly
Detection for Smart Grids: A Survey,” 2021 IEEE Electr.
Power Energy Conf. EPEC 2021, pp. 125 –130, 2021.
[5] M. Geiger, J. Bauer, M. Masuch, and J. Franke, “An Analysis
of Black Energy 3, Crashoverride, and T risis, T hree Malware
Approaches T argeting Operational T echnology Systems,”
IEEE Int. Conf. Emerg. T echnol. Fact. Autom. ET FA, vol.
2020-Septe, pp. 1537–1543, 2020.
[6] H. Karimipour, S. Geris, A. Dehghantanha, and H. Leung,
“Intelligent Anomaly Detection for Large-scale Smart Grids,”
2019 IEEE Can. Conf. Electr. Comput. Eng. CCECE 2019,
2019.
[7] Y. He, G. J. Mendis, and J. Wei, “Real-T ime Detection of
False Data Injection Attacks in Smart Grid: A Deep Learning-
Based Intelligent Mechanism,” IEEE T rans. Smart Grid, vol.
8, no. 5, pp. 2505–2516, 2017.
[8] O. Jung, P. Smith, J. Magin, and L. Reuter, “Anomaly
detection in smart grids based on software defined networks,”
SMART GREENS 2019 - Proc. 8th Int. Conf. Smart Cities
Green ICT Syst., no. Smartgreens, pp. 157–164, 2019.
[9] D. Rosch, S. Ruhe, K. Schafer, and S. Nicolai, “Local
anomaly detection analysis in distribution grid based on IEC
61850-9-2 le SV voltage signals,” SEST 2019 - 2nd Int. Conf.
Smart Energy Syst. T echnol., 2019.
[10] J. Zhang and Y. Dong, “Cyber-attacks on remote relays in
smart grid,” 2017 IEEE Conf. Commun. Netw. Secur. CNS
2017, vol. 2017-Janua, pp. 1–9, 2017.
[11] H. Dai, X. Sun, J. Li, G. Zhang, X. Ji, and W. Xu, “Power
Consumption-based Anomaly Detection for Relay Protection,”
Proc. 2020 IEEE 4th Inf. T echnol. Network ing, Electron.
696
 Proceedings of the 5th International Conference on Smart Systems and Inventive Technology (ICSSIT 2023)
IEEE Xplore Part Number: CFP23P17-ART; ISBN: 978-1-6654-7467-2
Autom. Control Conf. ITNEC 2020, no. Itnec, pp. 1139–1143, [29] W. Danilczyk, Y. L. Sun, and H. He, “Smart Grid Anomaly
2020. Detection using a Deep Learning Digital T win,” 2020 52nd
[12] T . Hu, Q. Guo, X. Shen, H. Sun, R. Wu, and H. Xi, “Utilizing North Am. Power Symp. NAPS 2020, 2021.
Unlabeled Data to Detect Electricity Fraud in AMI: A [30] L. Haghnegahdar and Y. Wang, “A whale optimization
Semisupervised Deep Learning Approach,” IEEE T rans. algorithm-trained artificial neural network for smart grid cyber
Neural Networks Learn. Syst., vol. 30, no. 11, pp. 3287–3299, intrusion detection,” Neural Comput. Appl., vol. 32, no. 13,
2019. pp. 9427–9441, 2020
[13] H. Karimipour, A. Dehghantanha, R. M. Parizi, K. K. R. [31] Z. Fengming, L. Shufang, G. Zhimin, W. Bo, T. Shiming, and
Choo, and H. Leung, “A Deep and Scalable Unsupervised P. Mingming, “Anomaly detection in smart grid based on
Machine Learning System for Cyber-Attack Detection in encoder-decoder framework with recurrent neural network,” J.
Large-Scale Smart Grids,” IEEE Access, vol. 7, pp. 80778– China Univ. Posts T elecommun., vol. 24, no. 6, pp. 67–73,
80788, 2019 2017
[14] P. K. Reddy Shabad, A. Alrashide, and O. Mohammed, [32] A. Ayad, H. E. Z. Farag, A. Youssef, and E. F. El-Saadany,
“ Anomaly Detection in Smart Grids using Machine Learning,” “ Detection of false data injection attacks in smart grids using
IECON Proc. (Industrial Electron. Conf., vol. 2021-Octob, pp. Recurrent Neural Networks,” 2018 IEEE Power Energy Soc.
2020–2022, 2021. Innov. Smart Grid T echnol. Conf. ISGT 2018, pp. 1–5, 2018.
[15] T . Andrysiak and Ł. Saganowski, “Anomaly detection for [33] Z. Zheng, Y. Yang, X. Niu, H. N. Dai, and Y. Zhou, “Wide
smart lighting infrastructure with the use of time series and Deep Convolutional Neural Networks for Electricity-Theft
analysis,” J. Univers. Comput. Sci., vol. 26, no. 4, pp. 508– Detection to Secure Smart Grids,” IEEE T rans. Ind.
527, 2020 Informatics, vol. 14, no. 4, pp. 1606–1615, 2018.
[16] S. Ahmed, Y. Lee, S. H. Hyun, and I. Koo, “Unsupervised [34] S. Li, A. Pandey, B. Hooi, C. Faloutsos, and L. Pileggi,
Machine Learning-Based Detection of Covert Data Integrity “Dynamic Graph-Based Anomaly Detection in the Electrical
Assault in Smart Grid Networks Utilizing Isolation Forest,” Grid,” IEEE T rans. Power Syst., vol. 37, no. 5, pp. 3408 –
IEEE T rans. Inf. Forensics Secur., vol. 14, no. 10, pp. 2765 – 3422, 2021.
2777, 2019. [35] A. T akiddin, M. Ismail, U. Zafar, and E. Serpedin, “Deep
[17] J. Sakhnini, H. Karimipour, and A. Dehghantanha, “Smart Autoencoder-Based Anomaly Detection of Electricity T heft
Grid Cyber Attacks Detection Using Supervised Learning and Cyberattacks in Smart Grids,” IEEE Syst. J., pp. 1–12, 2022.
Heuristic Feature Selection,” Proc. 2019 7th Int. Conf. Smart [36] M. H. Ansari, V. T . Vakili, B. Bahrak, and P. T avassoli,
Energy Grid Eng. SEGE 2019, pp. 108–112, 2019. “Graph theoretical defense mechanisms against false data
[18] R. Moghaddass and J. Wang, “A hierarchical framework for injection attacks in smart grids,” J. Mod. Power Syst. Clean
smart grid anomaly detection using large-scale smart meter Energy, vol. 6, no. 5, pp. 860–871, 2018.
data,” IEEE Trans. Smart Grid, vol. 9, no. 6, pp. 5820 –5830,
2018.
[19] Y. Ishimaki, S. Bhattacharjee, H. Yamana, and S. K. Das,
“ T owards privacy-preserving anomaly-based attack detection
against data falsification in smart grid,” 2020 IEEE Int . Conf.
Commun. Control. Comput. T echnol. Smart Grids,
SmartGridComm 2020, 2020.
[20] F. Fathnia, F. Fathnia, and D. B. M. H. Javidi, “Detection of
anomalies in smart meter data: A density-based approach,”
IEEE Proc. 2017 Smart Grid Conf. SGC 2017, vol. 20 18-
Janua, pp. 1–6, 2018.
[21] C. Hannon, D. Deka, D. Jin, M. Vuffray, and A. Y. Lokhov,
“ Real-time Anomaly Detection and Classification in
Streaming PMU Data,” 2021 IEEE Madrid PowerT ech,
PowerT ech 2021 - Conf. Proc., 2021.
[22] A. Barua, D. Muthirayan, P. P. Khargonekar, and M. A. Al
Faruque, “ Hierarchical T emporal Memory Based Machine
Learning for Real-Time, Unsupervised Anomaly Detection in
Smart Grid: WiP Abstract,” Proc. - 2020 ACM/IEEE 11th Int.
Conf. Cyber-Physical Syst. ICCPS 2020, pp. 188–189, 2020,
[23] D. Saraswat, P. Bhattacharya, M. Zuhair, A. Verma, and A.
Kumar, “ AnSMart: A SVM-based anomaly detection scheme
via system profiling in Smart Grids,” Proc. 2021 2nd Int.
Conf. Intell. Eng. Manag. ICIEM 2021, pp. 417–422, 2021.
[24] R. Punmiya and S. Choe, “Energy theft detection using
gradient boosting theft detector with feature engineering-based
preprocessing,” IEEE T rans. Smart Grid, vol. 10, no. 2, pp.
2326–2329, 2019.
[25] Y. Weng, R. Negi, C. Faloutsos, and M. D. Ilic, “Robust Data-
Driven State Estimation for Smart Grid,” IEEE T rans. Smart
Grid, vol. 8, no. 4, pp. 1956–1967, 2017.
[26] Y. Zhang, J. Wang, and B. Chen, “Detecting False Data
Injection Attacks in Smart Grids: A Semi-Supervised Deep
Learning Approach,” IEEE T rans. Smart Grid, vol. 12, no. 1,
pp. 623–634, 2021.
[27] D. L. Marino et al., “Cyber and Physical Anomaly Detection
in Smart-Grids,” Proc. - 2019 Resil. Week, RWS 2019, pp.
187–193, 2019.
[28] Z. Ni and S. Paul, “A Multistage Game in Smart Grid
Security: A Reinforcement Learning Solution,” IEEE T rans.
neural networks Learn. Syst., vol. 30, no. 9, pp. 2684 –2695,
2019.

978-1-6654-7467-2/23/$31.00 ©2023 IEEE 697

Authorized licensed use limited to: ULAKBIM UASL - Altinbas Universitesi. Downloaded on April 04,2023 at 17:28:51 UTC from IEEE Xplore. Restrictions apply.