Professional Documents
Culture Documents
AMIDS A Multi-Sensor Energy Theft Detection Framework For Advanced Metering Infrastructures
AMIDS A Multi-Sensor Energy Theft Detection Framework For Advanced Metering Infrastructures
Abstract—The advanced metering infrastructure (AMI) is a of techniques to detect theft-related behavior while reducing
crucial component of the smart grid, replacing traditional analog false positives. In particular, AMIDS uses an attack graph
devices with computerized smart meters. Smart meters have not based information fusion technique to conceptually combine
only allowed for efficient management of many end-users, but
also have made AMI an attractive target for remote exploits and collected evidences from three types of AMI-specific informa-
local physical tampering with the end goal of stealing energy. tion sources: 1) cyber-side network- and host-based intrusion
While smart meters posses multiple sensors and data sources detection systems; 2) on-meter anti-tampering sensors; and 3)
that can indicate energy theft, in practice, the individual methods power measurement-based anomalous consumption detectors
exhibit many false positives. In this paper, we present AMIDS, an through nonintrusive load monitoring (NILM). The main con-
AMI intrusion detection system that uses information fusion to
combine the sensors and consumption data from a smart meter tributions of this paper are as follows:
to more accurately detect energy theft. AMIDS combines meter • We present an information fusion solution which makes
audit logs of physical and cyber events with consumption data use of an AMI-specific attack graph to identify energy
to more accurately model and detect theft-related behavior. Our theft attempts with minimum number of false positives.
experimental results on normal and anomalous load profiles show
that AMIDS can identify energy theft efforts with high accuracy. • We leverage data mining techniques to identify energy
Furthermore, AMIDS correctly identified legitimate load profile theft through nonintrusive load monitoring. We designed
changes that more elementary analyses classified as malicious. two algorithms: a supervised approach that can identify
individual appliance consumption and an unsupervised
approach that learns by clustering load events.
I. I NTRODUCTION • We build a realistic household load simulator that we used
The Advanced Metering Infrastructure (AMI) is changing to evaluate the different individual detection techniques
the way electricity is measured, consumed, and even dis- and the information fusion solution through the injection
tributed. Digital smart meters remotely report not only fine- of realistic energy theft attacks.
grained energy consumption data, but also logs of events indi-
II. R ELATED W ORK
cating malfunctions, misconfigurations, and potential physical
tampering. These monitoring capabilities, coupled with large- Several solutions to energy theft have been proposed re-
scale AMI data aggregation promise to significantly mitigate cently [9]. A popular approach has been to apply support-
the problem of energy theft, an especially pervasive problem vector machine (SVM) to energy consumption profiles [8],
in developing countries. [20]. This approach consists of training an SVM from a
However, the recent nation-wide AMI deployment effort historical dataset and then testing the SVM on a different
has had quite an opposite effect by fueling concerns about dataset to find anomalies in the customer energy consumption.
new ways to steal power, e.g., through remote smart meter [8] reports an accuracy of 98.4% based on a training set of
compromise. For instance, in 2009, the FBI reported a wide 440 instances and a testing set of 220 customers. The same
and organized energy theft attempt that may have cost up authors extended their approach in [10] to leverage a hybrid
to 400 million dollars annually to a utility following an neural-network model and encoding technique in order to
AMI deployment [1]. Indeed, AMI significantly increases the automatically set the many parameters required by the model.
attack surface that utilities have to protect by introducing new A different approach is shown in [4]. Here, the focus is
cyber threats on physically-accessible devices [18]. Penetration on identifying problematic metering installations, e.g., due to
testing efforts have shown vulnerabilities in smart meters that malfunction or energy theft, through a central observer meter
could lead to stealthy energy fraud. Additionally, remote meter in each neighborhood. Neighborhood energy use is compared
reading eliminates the monthly visit by technicians to record with individual customer loads using a model of N linearly
consumptions and to visually inspect meters. independent equations. This model is solved using matrix
As a result, the need for an efficient monitoring solution inversion and recursive statistical methods, i.e., least squares.
to detect energy theft attempts in AMI has never been more This approach is limited by its reliance on linear independence
critical. In this paper, we introduce AMIDS, an integrated of equations and zero resistance of power lines.
cyber-physical intrusion detection system to identify malicious A radically different approach is taken in [7] by using
energy theft attempts. AMIDS differs from previous solutions a harmonic generator to actively deteriorate appliances of
by evaluating multiple AMI data sources under a combination customers who steal energy. Sensors monitor consumption
values, identify suspicious non-technical losses, disconnect
This material is based upon work supported by the Department of Energy genuine customers, operate the harmonic generator for few
under Award Number DE-OE0000097. seconds, and reconnect everyone. An important limitation of
355
15000 30
Consumtion Report
25
Daily Profiles
20
10000 15
10
5000 5
0
5 10 15 20 25
Appliances
0
1000 2000 3000 4000 5000 0.4
Minutes
Probability Density
4 0.3
x 10
1
0.2
Edge Magnitudes
0.5 0.1
0 0
2 4 6 8 10 12 14 16 18 20
Microwave Usage Frequency
−0.5
Fig. 2. Learned Normal Appliance Usage Profiles
−1
1000 2000 3000 4000 5000
Minutes incidents of 25 different home appliances, and 2) the identified
Fig. 1. A Sample 4-Day Load Profile and Identified Edges edges within the same trace. The NILM works by solving the
following binary integer programming problem to determine
two power measurement-based detection solutions based on which devices contributed to a given edge.
supervised and unsupervised machine learning techniques. The
min BT x
algorithms are based on Naive Bayes learning that employs
s.t. Qx ≤ eti + δ
the method of maximum likelihood and is known to be one (4)
−Qx ≤ −eti + δ
of the most effective and efficient classification algorithms in
x≥0
complex real-world situations.
We review the Naive Bayes algorithm briefly, and then where B = [1, 1, · · · , 1]2·|A|×1 ; Q = [Q p ; −Q p ] , in which Q p
discuss our two load-based energy theft detection solutions. is an |A|-dimensional vector of power appliance consumption
Formally, the probability model for a classifier is a conditional profiles, and [a; b] represents the concatenation of the vectors
model Pr(C|F1 , F2 , · · · , Fn ) over a dependent class variable C a and b. This integer programming problem is solved to
that takes on a binary value, 0 (legitimate power consumer) get the 2 · |A|-dimensional binary vector x, where an element
and 1 (anomalous power measurements). Fi represents the i-th represents whether its corresponding appliance contributed to
feature. Using a Bayes’ theorem, the edge eti . Here, δ is a small threshold value to account for
measurement noise. The objective of the optimization is to
Pr(C) · Pr(F1 , F2 , · · · , Fn |C) minimize number of incidents per edge. This is a reasonable
Pr(C|F1 , F2 , · · · , Fn ) = (1)
P(F1 , F2 , · · · , Fn ) assumption as many near-simultaneous appliance events are
can be derived, and given the independence assumption, unlikely [12].
n Once the set of appliances contribution to each edge is
1
Pr(C|F1 , F2 , · · · , Fn ) = P(C) · ∏ Pr(Fi |C), (2) identified, AMIDS learns based on the daily frequency of each
Z i=1 appliance fa . Thus, over an n-day learning phase, a usage
profile matrix
where Z is a constant scaling factor representing the evidence.
Given the above probability model, the Bayesian classifier fa1 ,d1 fa2 ,d1 · · · fa|A| ,d1
combines this model with a decision rule. In particular, the fa1 ,d2 fa2 ,d2 · · · fa|A| ,d2
hypothesis with the maximum a posteriori is picked:
Uhi = . .. .. .. (5)
n
.. . . .
C( f1 , f2 , · · · , fn ) = arg max P(C = c) · ∏ P(Fi = fi |C = c). fa1 ,dn fa2 ,dn · · · fa|A| ,dn
c∈{0,1} i=1
(3) per household hi is saved. Each column is then used to
Supervised Anomaly Detection. The supervised technique calculate the probability mass distribution Phi ,a j (v) v ∈ Z that
labels each on or off edge in the load profile according to appliance a j is used v times per day in household hi . This
its appliance of origin. The algorithm then determines which completes the profiling phase. Figure 3 shows our implemen-
appliances a ∈ A are missing from power measurements, i.e., if tation results: 1) home appliance usage frequency reports of a
the mode of theft bypassed some appliances around the meter. single household over 20 days (each line represents a single
The algorithm has two learning phases. First, a database of day); and 2) the empirical probability mass distribution of the
appliance signatures is created and stored for use by a Non- microwave usage frequency per day.
Intrusive Load Monitor (NILM). The NILM uses this database The calculated profiles (distributions) are used for anomaly
to identify appliance usage in the home over time. Second, detection purposes with the Bayesian classifier. The objective
AMIDS learns the daily usage frequencies of each individual is to mark a given day-long smart meter measurements as
appliance using appliance data provided by the NILM. More normal or anomalous based on that household’s profile. In
specifically, the power consumption time series are analyzed particular, the prior class probability P(C) in Equation (3)
and the (edges) E = (et0 , et1 , · · · , etn ) corresponding to on/off can be obtained from existing energy theft data [2], and
events are identified and recorded. Each edge magnitude the conditional distributions are obtained from the learned
represents one or more appliance events. Figure 1 shows 1) a profiles. Here, a features Fi is the daily usage frequency of
sample power consumption time series of a single household appliance i. Figure 3 shows our evaluation results for the
generated by our implementation that simulated turn on/off supervised detection of anomalous power measurements. In
356
where B = [1, 1, · · · , 1]2·|A|×1 ; Q = [Q p ; −Q p ]1 , in which Q p
0.2
Pr[kW] (1)
0.1
is an |A|-dimensional vector that represent power consump-
[Q p ; −Q p ]1 , Consequently,
0.2
(1)
whereprofiles
tion B = [1,of1, ·individual
· · , 1]2·|A|×1home ; Q = appliances. in which Q p 0
0 10 20 30 40 50 60 70 80
Pr[kW]
0.1
is anabove
the |A|-dimensional vector thatisrepresent topower consump- kW (cluster 1)
B =integer · ·programming solved 1 get in the 2 · |A|- 0.2
(1)
where
tion profiles [1,of1, ·individual
, 1]2·|A|×1home ; Q = appliances. [Q p ; −Q p ] , Consequently, which Qp 0
0 10 20 30 40 50 60 70 80
dimensional binary vector x, in which each element represents
Pr[kW]
0.1
is an vector that represent power consump- kW (cluster 1)
30
(2)
whether B a=particular · · , appliance has = contributed
[Q p ; −Q p ] ,to inthe which Qetpi
0.2
(1)
Normal Day
Pr[kW]
(2) Pr[kW]
δ
10
(2)
whether thata particular appliance has contributed to the edge eti
0
0 5 10 15 20 25
00
value
tion profiles accounts
of individual for thex,possible
home measurement
appliances. noise.
Consequently, The
Appliances
00 10 20 30 40 50 60 70 80
dimensional binary vector in which each element represents
Pr[kW]
10 20 30 40 50 60 70 80
δ
1
objectiveaboveaofparticular
the optimization ishas tois contributed
minimize
solved tonumber of2 ·inci-
0.8
Pr[kW]
dimensional
through on/off
0.2
binary
incidents. x,isina which comparatively each element small represents
threshold kW (cluster 2)
objective of the optimization is to minimize number of inci- 0.4
(3)
0
0.5
probability that manyfor appliances hasgetcontributed
turned on/off simultane-
(2)
0 5 10 15 20 25
whether
value thata edge.
particular
accounts appliance to the edgeThe e 0
theti
0 10 20 30 40 50 60 70 80
dents per ThisFurthermore, a reasonable assumption because
Pr[kW]
(3) Pr[kW]
30
0.2
ously
through is very
on/off low.
incidents. δ is a according
comparatively to our
small empirical
threshold
kW (cluster 2)
Corrupted Profile
(3)
20
probability
observations, lack appliances turnedusually on/off simultane- 00
Pr[kW]
dents a reasonable assumption because the
10
0.2
ously
many is very
possible low.
large Furthermore,
appliance according
combinations to
for our
a empirical
given edge
kW
kW (cluster
(cluster 3)
2)
objective of the optimization is to minimize number of inci-
0
0 5 10 15 20 25 0.4
probability
observations, thatlack many of appliances
Appliances
Pr[kW]
0.5
dents
ously per edge.low. ThisFurthermore,
is a reasonable assumption because the
0.2
Normality Probability
kW (cluster 3)
is very according to
forour empirical
0.4
(4)
0.3
0.4
(3)
Once
observations, the
probability thatlack0.2
set of
many ofappliances
appliances
such contribution
minimization get turnedusually to each
on/off simultane- edge
results is
in
0
0 10 20 30 40 50 60 70 80
Pr[kW]
magnitude.AMIDS creates a daily basis profile of each house-
(4) Pr[kW]
0.1 0.1
0.2
identified,
ously
many is very
possible low. Furthermore, according to our empirical
kW (cluster 3)
(4)
0 5 10 15 20 25
Once of number
appliances contribution to each edge fisa
Home Appliances
00
hold and
observations, 3. calculates lackDay ofProfile such of times
minimization each appliance usually is used in
results
0 10 20 30 40 50 60 70 80
Pr[kW] Pr[kW]
0.1 0 10 20 30 40 50 60 70 80
magnitude.
Fig.
identified, Normal
AMIDS creates a and
daily Classification
basis profile Probability
of each house-
kW
kW (cluster
(cluster 4)
3)
during
many Once individual
possible
the setlarge days. Over an
appliance combinations
of number
appliances n-day
contribution learning for phase,
to each a given a usage
edge
0.2
is edge forfisa
0
hold
particular,
profile andthe calculates
matrixfirst and second of times
graphs show each aappliance normal trace used Fig. 4. Unsupervised Learning of kW
Basline (solid), Legitimate (dashed), and
0 10 20 30 40 50 60 70 80
magnitude.
0.1
identified, AMIDS creates a daily basis profile of each house- Fig.0.21. Unsupervised Learning of Basline, Legitimate,
(cluster 4) and Malicious Profiles
during
a single individualover
household days.a Over day and an n-day the posteriorlearning phase, a usage
to distribution
Malicious × Profiles.
Pr[kW] (4)
Once the set ofnumber appliances contribution eachis edge used fisa
0
hold
profile
for individual and calculates
matrix appliances. fa1 ,dAs 1
of
fa2times
shown ,d1 in · each
· · thefappliance
athird
|A| ,d1 and fourth
0 10 20 30 40
Legitimate,
kW (cluster 4)
60 70
357
Attack Graph’s State Notion [Privileges | Consequences]
Attacker’s Privileges
Ø: No Access/Control on the Meter
Cyber Consequences
CM/CN: Meter/End2End Confidentiality
Physical Consequences
T: Tampered with (e.g., broken into) number of uses, and durations of uses of each device. The
M: Administrative Access on the Meter IM/IN: Firmware/Network Integrity
AM/AN: Meter/Network Availability
D: Meter Disconnected
R: Meter Terminal Inversion time of day and duration fields each have a time granularity
Ac5
Ac6
Ø | IN
Ø | AN
AD1
AD1
of one minute, giving us minute level load profiles. Previous
Ac2 M | IM AD1-5 work has shown that refrigerators loads follow roughly a 70
minute cycle and power is only drawn for half of that duration
Ac1 M|Ø
Ac4 M|A AD1 Goal State (Energy Theft)
358
TABLE II
M ULTI - SENSOR E NERGY-T HEFT D ETECTION USING THE AMIDS F RAMEWORK
Attack Graph States ([Privilege|Consequence], as defined in Figure 5)
Step 7→ Observation ∅|∅ ∅|T ∅|TCM M|TCM M|TCM IM M|CM IM M|TCM AM ∅|AN ∅|IN M|∅ M|IM M|A ∅|D ∅|R ∅|CM M|CM M|CM AM Goal state
A p5 7→ O7 0 0.65 0 0 0 0 0 0.06 0.06 0.06 0 0 0.06 0.06 0.06 0 0 0
Attack 1
TABLE III
E MPIRICAL D ETECTION R ESULTS FOR S EVERAL ATTACK S TEPS types of energy theft attempts accurately using individually
Cyber Physical Data Modification inaccurate sensors.
Appliance Bypass (A p6 )
Meter Disconnect (A p3 )
R EFERENCES
Intercept Comm. (Ac5 )
Network Exploit (Ac1 )
Mal-Reduction (Ad3 )
Meter Breakin (A p1 )
Legit-Occupant
[2] Electricity thefts surge in bad times. Available at http://www.usatoday.
Legit-Replace
Legit-Season
com/money/industries/energy/2009-03-16-electricity-thefts N.htm.
[3] M. Armstrong, M.C. Swinton, H. Ribberink, I. Beausoleil-Morrison, and
J. Millette. Sythetically derived profiles for representing occupant-driven
electric loads in canadian housing. Journal of Building Performance
Detection Simulation, 2(1):15–30, 2009.
Cyber IDSs X X X - - - - - - -
[4] CJ Bandim, JER Alves Jr, AV Pinto Jr, FC Souza, MRB Loureiro,
CA Magalhaes, and F. Galvez-Durand. Identification of energy theft
Physical IDSs - - - X X X - - - - and tampered meters using a central observer meter: a mathematical
Supervised - - - - X × X X X X approach. In IEEE/PES Transmission and Distribution Conference and
Unsupervised - - - - X X X × × X Exposition, volume 1, pages 163–168, 2003.
AMIDS (HMM) X X X X X X X X X X [5] R. Berthier and W.H. Sanders. Specification-based intrusion detection
for advanced metering infrastructures. In IEEE Pacific Rim International
Symposium on Dependable Computing, pages 184–193, 2011.
made through information fusion of (i) cyber IDS alerts, (ii) [6] A. Cassandra. Exact and approximate algorithms for partially observ-
physical tampering alerts, and (iii) load-based IDS alerts, as able Markov decision processes. PhD thesis, Brown University, 1998.
[7] S. Depuru, L. Wang, and V. Devabhaktuni. A conceptual design using
compared to the accuracy of the individual methods. Table III harmonics to reduce pilfering of electricity. In IEEE Power and Energy
shows the results of running the individual IDSs as well as Society General Meeting, pages 1–7, 2010.
[8] S. Depuru, L. Wang, and V. Devabhaktuni. Support vector machine
the combined HMM approach on a single-occupant dwelling. based data classification for detection of electricity theft. In IEEE/PES
A check mark means that the correct action was taken, and Power Systems Conference and Exposition, pages 1–8, 2011.
[9] S.S.S.R. Depuru, L. Wang, V. Devabhaktuni, and N. Gudi. Measures
an × indicates a false positive or false negative. A dash and setbacks for controlling electricity theft. In IEEE North American
indicates that the experiment did not apply. As can be seen, Power Symposium, pages 1–8, 2010.
[10] S.S.S.R. Depuru, L. Wang, V. Devabhaktuni, and P. Nelapati. A
the combined approach eliminates the false positives of the hybrid neural network model and encoding technique for enhanced
individual approaches. Alerting capabilities for the cyber and classification of energy consumption data. In IEEE Power and Energy
Society General Meeting, pages 1–8, 2011.
physical IDSes were validated experimentally on real meters [11] C. Goh and J. Apt. Consumer strategies for controlling electric water
in the TCIPG testbed [24]. In particular, we disconnected and heaters under dynamic pricing. Carnegie Mellon Electricity Industry
Center Working Paper, 2004.
reversed meters and checked that alerts were generated. We [12] G.W. Hart. Nonintrusive appliance load monitoring. Proceedings of the
also collected a week of meter traffic in a mesh network of nine IEEE, 80(12):1870–1891, 1992.
[13] M. LeMay and C. Gunter. Cumulative attestation kernels for embedded
meters and made connection attempts towards meters using a systems. Computer Security–ESORICS 2009, pages 655–670, 2009.
[14] Mikhail A. Lisovich, Deirdre K. Mulligan, and Stephen B. Wicker.
rogue software client in order to test our implementation of Inferring personal information from demand-response systems. IEEE
the ANSI C12.22 specification-based IDS. Security and Privacy, 8(1):11–20, 2010.
[15] Betsy Loeff. Deputizing data: Using ami for revenue protection. Utility
Of particular instances are the three Legit cases designed to Automation and Engineering, 2008.
cause false positives in the load-based approaches. Indeed, the [16] S. McLaughlin, D. Podkuiko, and P. McDaniel. Energy theft in the
advanced metering infrastructure. Critical Information Infrastructures
unsupervised learning algorithm identified two as malicious Security, pages 176–187, 2010.
behavior. The lack of any cyber or physical IDS alerts in these [17] S. McLaughlin, D. Podkuiko, S. Miadzvezhanka, A. Delozier, and
P. McDaniel. Multi-vendor penetration testing in the advanced metering
cases resolved these false positives in the combined approach. infrastructure. In Proceedings of the Annual Computer Security Appli-
An additional false negative by the supervised approach was cations Conference, pages 107–116. ACM, 2010.
[18] Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel. Energy
also resolved. While additional field testing is necessary, these theft in the advanced metering infrastructure. In Proceedings of the
results show that the HMM approach used by AMIDS is an international conference on Critical information infrastructures security,
pages 176–187. Springer-Verlag, 2010.
effective solution for combining smart meter data sources to [19] A. Molina-Markham, P. Shenoy, K. Fu, E. Cecchet, and D. Irwin. Private
identify energy theft behaviors. memoirs of a smart meter. In Proceedings of the 2nd ACM Workshop
on Embedded Sensing Systems for Energy-Efficiency in Building, pages
61–66, 2010.
VII. C ONCLUSIONS [20] J. Nagi, KS Yap, SK Tiong, SK Ahmed, and AM Mohammad. Detection
In this paper, we presented AMIDS, an integrated intrusion of abnormalities and electricity theft using genetic support vector
machines. In IEEE TENCON Region 10 Conference, pages 1–6, 2008.
detection solution to identify malicious energy theft attempts [21] E. Quinn. Smart metering and privacy: Existing law and competing
in advanced metering infrastructures. AMIDS makes use of policies. A report for the Colorado Public Utilities Commission, 2009.
[22] L.R. Rabiner. A tutorial on hidden Markov models and selected
different information sources to gather sufficient amount of applications in speech recognition. Proceedings of the IEEE, 77(2):257–
evidence about an on-going attack before marking an activity 286, 1989.
[23] Alfredo Rial and George Danezis. Privacy-Preserving Smart Metering.
as a malicious energy theft. Our experimental results show that Technical Report MSR-TR-2010-150, Microsoft Research, 2010.
[24] T. Yardley. Keynote address: Developing a testbed for the smart grid.
through an effective information fusion and using the corre- In IEEE Conference on Local Computer Networks, pages 1–1, 2010.
lation among the triggered alerts, AMIDS can detect various
359