Stealthy false data injection attacks using matrix recovery and independent component analysis in smart grid

Accurate state estimation is vitally important for maintaining normal operation of smart grids. Existing research demonstrates that state estimation output can be compromised by malicious attacks. However, to construct the attack vectors, most works presume that the attacker has perfect information regarding the topology and so on, even though such information is difficult to acquire in practice. Recent research shows that Independent Component Analysis (ICA) can be used to infer topology information, which can in turn be used to originate undetectable attacks and even to alter the price of electricity for the attackers' profit. However, we found that this ICA-based blind attack tactic is feasible only in an environment with Gaussian noise. If there are outliers (device malfunctions and communication errors), the Bad Data Detector will easily detect the attack. Hence, we propose a robust ICA-based blind attack strategy in which matrix recovery is used to circumvent the outlier problem and construct stealthy attack vectors. The proposed attack strategies are tested on the representative IEEE 14-bus system. Simulations verify the feasibility of the proposed method.


Introduction
Security threats to the smart power grid have been on the rise in both physical and cyber spaces [1] [2]. Recently, cyber security has been identified as a dominant component in the development of the power grid. In the smart grid, state estimation is a vitally important module that is vulnerable to cyber attacks, for example, false data injection (FDI) attacks.
FDI attacks were first named in 2009 by Liu et al. [3]. [3] shows that, with knowledge of the power network, such attacks can bypass the traditional bad data detector [4] based on residual testing, which makes the claimed attacks undetectable to the power grid system. Furthermore, false data injection attacks can mislead systems into insecure operation, e.g., line overloading [5] and power outage [6] [7].
Although the attack strategy has been studied in depth, with different researchers investigating different sides of attack construction, most works assume that the attacker has perfect information regarding the topology and so on, even though such information is difficult to acquire in practice. Recently, several groups have concentrated on attacks under the presumption that attackers do not have system information. In [8] and [9], an attack strategy is proposed using independent component analysis (ICA). In that work, it was assumed that the attacker has no prior knowledge of the system information, and the stealthy attack was constructed based only on the measurement matrix. In 2015, [10] showed that an attacker can construct attack vectors against the electricity market based on structural information inferred using independent component analysis. In this paper, we first demonstrate that the above attack strategy is feasible if the measurements include only Gaussian noise. If there are outliers, the bad data detector will detect the attacks. Next, we propose a robust ICA-based blind attack strategy in which the attacker uses matrix recovery to solve the outlier problem and construct stealthy attack vectors. The equivalent information of the original measurement matrix is recovered using the augmented Lagrange multiplier (ALM) method. The proposed attack strategies are tested on the IEEE 14-bus system. Simulations verify the feasibility of the proposed method.

State estimation and conventional bad data detection
In a power grid, transmission lines deliver power to consumers [11]. In theory, the transferred power depends on the voltage difference between the two buses and is also a function of the line's impedance. Generally, the impedance can be approximated by the reactance of the transmission line on account of the high reactance-to-resistance ratio. The active power transferred from bus i to bus j can be expressed as [12] $P_{ij} = \frac{V_i V_j}{X_{ij}} \sin(\theta_i - \theta_j)$, where $V_i$, $V_j$ are the voltage magnitudes, $\theta_i$, $\theta_j$ are the voltage phase angles, and $X_{ij}$ is the reactance of the transmission line. In DC power flow, the phase differences are assumed small and the voltage magnitudes are close to unity. Therefore, transmitted active power can be expressed as [13]: Now assume that m measurements measure injected or transmitted power in the buses or lines. In this case, voltage angles can be estimated except one reference bus 1 where H is the Jacobian matrix, which is known to the System Operator but usually unknown to the attackers.
Using the weighted least squares method [14], the system state vector of (4) can be estimated by Due to topological errors or faulty sensors, residual testing is generally used to compare the difference between real measurements and estimated measurements: Therefore, the expected value and the covariance of the residual are: In this case, the measurement residual has the following result: The bad data detector cannot detect the attack as there is no difference between $r_a$ and $r$. This means that the attack is undetectable to the operator.
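The residual test described in this section, as an added example that is not from the paper: a weighted least squares estimator and chi-square bad data test on a constructed 3-bus DC model. The matrix H, the meter noise, the standard deviation and the threshold are assumptions chosen for illustration; the last case reproduces the detector's blind spot the section ends on, where an offset of the form Hc leaves the residual unchanged.

```python
# Added example on constructed data: WLS state estimation and the residual
# (chi-square) bad data test, 3-bus DC model, bus 1 as reference (assumed).
H = [[-10.0, 0.0],    # flow 1->2
     [0.0, -10.0],    # flow 1->3
     [10.0, -10.0],   # flow 2->3
     [20.0, -10.0],   # injection at bus 2
     [-10.0, 20.0]]   # injection at bus 3
SIGMA = 0.01          # assumed standard deviation of every meter
THRESHOLD = 11.345    # chi-square 0.99 quantile, m - n = 3 degrees of freedom

def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [u - f * v for u, v in zip(M[r], M[c])]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x

def predict(x):
    """Noise-free measurements H x."""
    return [sum(h * xi for h, xi in zip(row, x)) for row in H]

def estimate(z):
    """Return (x_hat, J): WLS estimate and weighted sum of squared residuals."""
    m, n, w = len(H), len(H[0]), 1.0 / SIGMA ** 2
    G = [[w * sum(H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    g = [w * sum(H[k][i] * z[k] for k in range(m)) for i in range(n)]
    x_hat = solve(G, g)
    J = sum(((zk - pk) / SIGMA) ** 2 for zk, pk in zip(z, predict(x_hat)))
    return x_hat, J

def bad_data(z):
    """Residual test: flag the measurement set when J exceeds the threshold."""
    return estimate(z)[1] > THRESHOLD

noise = [0.004, -0.006, 0.005, -0.003, 0.007]                  # constructed meter noise
z = [p + e for p, e in zip(predict([-0.02, -0.05]), noise)]    # constructed true state
z_gross = z[:2] + [z[2] + 0.5] + z[3:]                         # one faulty meter
z_offset = [a + b for a, b in zip(z, predict([0.01, -0.02]))]  # offset of the form H c

if __name__ == "__main__":
    for name, meas in (("clean", z), ("gross error", z_gross), ("H c offset", z_offset)):
        print(name, round(estimate(meas)[1], 3), bad_data(meas))
```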

Stealthy false data injection based on matrix recovery and independent component analysis
The main idea of ICA-based stealthy false data injection is that when power loads vary slightly, structural information will be implicit in the power flow measurements.
Usually, the state vector is a nonlinear function of the topology H and the power loads y. In [8], the authors use the ICA technique to infer HA and y. The authors adopt FastICA [16] in their research, which is one of the most widely used ICA algorithms. The algorithm converges quickly and does not rely on user-defined parameters.
Although the above attack strategy can construct a stealthy attack with a low detection rate, it is feasible only for a measurement matrix with Gaussian noise. If there are outliers, the traditional bad data detector will detect the attacks. Hence, we propose a robust ICA-based blind attack strategy in which the attacker uses matrix recovery to solve the outlier problem and construct stealthy attack vectors.
Suppose the measurement matrix containing outliers is written as: where Z represents the original low-rank matrix, which needs to be recovered, and E is a sparse matrix that represents the outliers. Now, before constructing attack vectors, the attacker needs to separate Z and E from the measurement matrix containing outliers, $Z_{outlier}$. This is a matrix recovery problem, and the recovery of Z and E can be represented as below: In the above convex optimization problem,   denotes the nuclear norm of a matrix, $\|\cdot\|_1$ denotes the $\ell_1$ norm of a matrix, and  represents a positive weighting parameter [17]. To solve this problem, the augmented Lagrange multiplier (ALM) [18] approach is adopted as discussed below: The ALM approach can be applied to general constrained optimization problems as follows: With the ALM approach, the objective function can be expressed as a Lagrangian function: where  is the Lagrange multiplier and  is a positive scalar. Considering The optimization process is solved by two update steps, and update E : and  is a soft-thresholding operator, which is defined as [18]:  and  are updated during each iteration as follows: is a positive constant. The optimization process continues until the criterion is satisfied. Convergence is examined based on the relative error using (25) against a tolerance,  .
Once the algorithm has converged, the original measurement matrix Z is recovered. Then, we can construct a stealthy attack vector based on the original measurement matrix using independent component analysis. The algorithm is expressed in Algorithm 1.

Results and discussion
First of all, we show the case when the attack strategy is generated using ICA. Next, we demonstrate that independent component analysis based attacks fail to remain unobservable to the bad data detection in the presence of outliers. In the end, we separate the sparse outlier matrix and the real measurement matrix using the ALM-based approach. The real measurement matrix is then used for attack construction. We use Matpower [20] for analysis purposes. Under Gaussian noise, the signal-to-noise ratio (SNR) is between 15 and 30 dB, and we consider outliers making up 1% of the measurement matrix. Then, if ICA-based attack construction is followed when the measurement matrix contains outliers, a high residual value 2.3e 6 is observed. From Fig. 1(1), we can see that the estimated measurement follows neither the attacked measurement nor the original measurement. This experiment validates the fragility of the ICA approach when there are outliers. Here, we carry out the attack strategy using ALM and ICA above and acquire the original measurement matrix as shown in Fig. 2. We can observe from Fig. 1(3) that the estimated signal follows the attacked signals. The residual is also below the threshold, which makes the attack undetectable by the bad data detector. In Fig. 3, we find that the proposed attack strategy follows nearly the same probability as the real (no attack) case and thus remains unobservable.

Conclusion
This paper found that the original ICA-based attack tactic is feasible only for a measurement matrix with Gaussian noise. When there are outliers, the traditional Bad Data Detector will detect the attacks. Hence, we propose a robust ICA-based blind attack strategy in which the attacker uses matrix recovery to solve the outlier problem and construct stealthy attack vectors. The proposed attack strategies are tested on the IEEE 14-bus system. The simulated results confirm that our attack strategy is undetectable.