A Detection Method for Group Fixed Ratio Electricity Thieves Based on Correlation Analysis of Non-Technical Loss

Owing to the contagiousness of theft behaviors among customers, collaborative energy theft, such as village fraud, has become particularly common. In this study, a group of electricity thieves that steal energy at a constant ratio is considered. Conventional correlation-sorting-based methods may have trouble handling these electricity thieves when they exist in the same area. To overcome this limitation, we first establish the mathematical model of non-technical loss (NTL) and the load data of fixed ratio electricity thieves (FRETs). Subsequently, an interesting correlation trend, which can be exploited to locate FRETs, is observed and analyzed. Based on this trend, we propose a correlation analysis-based detection method. It adopts a standardized covariance to measure the correlation between the NTL and user data. The detection of FRETs is realized by solving a combinatorial optimization problem. A corresponding framework for practical use is also designed. Finally, numerical experiments based on a realistic dataset and an electricity theft dataset from an electricity theft emulator (ETE) are conducted to validate the effectiveness and superiority of the proposed method in terms of accuracy, stability, and scalability.


I. INTRODUCTION
Transmission loss in a power grid includes technical loss (TL) and non-technical loss (NTL) [1]. TL is the normal loss in the process of power transmission, such as the copper and core losses in transformers. NTL is the remaining loss that cannot be explained theoretically after the TL is removed. Abnormal power consumption behavior, such as electricity theft, is one of the main sources of NTL [1]. In addition, electricity theft can seriously harm the economic performance of power suppliers and cause safety problems, such as equipment damage, power outages, and casualties. For example, the annual bills of stolen electricity in the USA were almost $10 billion in 2017 based on a report by the Northeast Group [2]. In China, the State Grid Corporation has also retrieved theft bills of nearly 13 billion RMB in the past three years. Fixed-ratio electricity thieves (FRETs) are malicious users who steal energy in constant proportion. Most users who physically tamper with meters, such as voltage-reducing, current-decreasing, and power-factor-diminishing users, are FRETs [3]. Although there have been many nonlinear false data injections (FDIs) via cyberattacks, the high technical threshold of cyberattacks makes them less common than FRETs. This is especially true in rural areas of some developing countries [4]. In addition, owing to the contagiousness of theft behavior among customers, malicious users have recently tended to conduct electricity theft in groups. Corresponding cases, including collaborative fraud of an entire village [5] and collective minor fraud [6], have been reported. For the above reasons, FRETs are a serious problem for power utilities and need to be addressed urgently.
Advanced metering infrastructure, which consists of smart meters and sophisticated communication networks, provides massive amounts of electricity data of users. Thus, technologies such as data mining and artificial intelligence are more appropriate for electricity theft identification [7]. Current data-driven electricity theft detection methods can be classified into three groups [8]:

A. GAME THEORY-BASED
Electricity theft is regarded as a game between power utilities and energy thieves in the game-theory-based methods [9], [10]. By formulating a model involving all players in this game, the difference in bills between electricity thieves and normal users can be derived with the theory of Nash equilibrium. This type of method can be used to learn the interactions of different players under different situations, but it is not practically applicable because of the complexity of the modeling.

B. POWER-CONSUMPTION-PATTERN-BASED
This method assumes that the load patterns of electricity thieves deviate from those of normal users. Thus, techniques such as deep learning and machine learning can be adopted to analyze the load profiles of customers for electricity theft identification. Deep-learning-based methods require massive amounts of labeled electricity consumption data for model training. Examples include support vector machines (SVM) [11], convolutional neural networks (CNNs) [12] and other artificial neural networks, which were investigated in [13]-[15]. The accuracy of these supervised methods can be as high as 100% in experiments; however, they only work well when a large number of reliable samples of electricity theft can be acquired. On the other hand, machine learning-based methods focus on information without labels, that is, outliers deviating from the normal majority. In [16], a method called density-based spatial clustering of applications with noise (DBSCAN) was used to locate abnormal users by calculating their anomaly degree. Zheng et al. [17] utilized clustering by fast search and find of density peaks (CFSFDP) to identify nonlinear FDIs.

C. SYSTEM-STATE-BASED
The measurements of voltage, current, and other variables should satisfy the physical equations of the power grid. Therefore, the data for these variables should be consistent. However, the meter tampering behaviors of electricity thieves may ruin this consistency and cause some abnormalities (i.e., NTL and voltage limit violation). This kind of method utilizes this fact to locate fraudulent users. For instance, Leite and Sanches Mantovani [18] exploited the concept of state estimation to monitor the bias between the estimated and measured voltages. Once the bias was detected, the sources of the NTL were located using a pathfinding procedure based on the A-Star algorithm. Another method of this type attempts to detect bypassing users using a data analytical technique derived from the three-phase state estimator [19]. Although state-based methods are capable of locating malicious users (i.e., bypassing individuals), which is beyond the capability of other types of methods, their excellent performance requires accurate information on the topology and parameters of the network. This information is not likely to be available in general situations because of the regular alternation of the network topology. The most practically feasible approach of this type is [20], in which a linear detection model requiring only active power and voltage magnitude measurements was formulated; however, it can only detect three-phase malicious users.
Recently, some hybrid methods combining the traits of power patterns and system states have been proposed [21]. Perhaps the most directly relevant work is [22], in which a central meter recording the aggregated consumption of users in the neighborhood is deployed. Salinas et al. [22] realized the detection of FRETs by calculating the sparsest solution of a set of underdetermined linear equations. However, obtaining a solution with low sparsity is still a challenging problem, and its sparsity may not be sufficiently low.
Based on the above brief review, current data-driven electricity theft detection methods may face their own problems in practice. First, game-theory-based methods are not practically applicable owing to the difficulty of formulating a model involving all players. Second, deep learning-based methods demand massive, trustworthy samples for model training. However, the unbalanced dataset and contaminated samples [25] significantly affect their accuracies. Moreover, they may mistake some normal activities such as meter installation and climate change as theft behaviors. Third, unsupervised methods do not specialize in detecting FRETs because their attacks are linear, and the tampered data are almost identical to the ground truth data after normalization (this will be discussed in Section IV-C).
Our work is an extension and refinement of the research presented in [23] and [24], which attempt to detect FRETs with a correlation-based method. In [23] and [24], the maximum information coefficient (MIC) and a combined correlation coefficient were used, respectively, to measure the correlation between the NTL and meter readings of users, and a stronger correlation indicated more suspicious FRETs. This correlation-sorting-based method performs well under the scenario of one or two FRETs in the same area. However, when it comes to multiple FRETs, it usually has a poor true positive rate. To effectively identify multiple FRETs in the same area, we propose a detection method based on nontechnical loss covariance (NTLC). The main contributions of this study are as follows:
1) We derive the mathematical model between NTL and the load data of FRETs, and adopt standardized covariance to measure the correlation between them.
2) We observe an increasing trend of correlation between the NTL and load data of FRETs with data superposition. A theoretical validity analysis of this trend is conducted to make it exploitable for the detection of FRETs.
3) We put forward a searching approach that needs neither training samples nor accurate information about the topology and parameters of the network to catch the FRETs effectively.
4) We conduct extensive tests using a realistic dataset and an electricity theft dataset from an electricity theft emulator (ETE). Comparisons with other state-of-the-art methods demonstrate the merits of the presented method in detecting FRETs.

II. PROBLEM STATEMENT AND MODELING
In this section, we describe the applicable scenario and the problem that this study focuses on. The mathematical model between the NTL and load of the FRETs is then established. The main purpose is to provide justifications of the search algorithm presented in the next section.

A. DESCRIPTION OF APPLICABLE SCENE
Figure 1 illustrates a typical distribution network, where a transformer supplies power to multiple areas simultaneously, and each area contains a group of adjacent users. Our method is applicable when a gateway meter is installed in each area to record the aggregated ground-truth consumption of the users monitored by it. Owing to the fine security of the gateway meter and stable topology within the area, the NTL of the area can be directly calculated by subtracting the sum of the kWh measurements of all registered users in the area from the electricity consumption $W_t$ recorded by the gateway meter, i.e.,
where $A$ is the set of all users in area A; $\tilde{u}_{i,t}$ is the recorded electricity consumption of user $i$ during time instance $t$; and $\omega_t$ is the NTL of the area. For areas equipped with no gateway meters, their NTL can also be calculated indirectly using NTL evaluation methods [26], [27] with high precision. Therefore, the proposed method is still feasible in this case. Suppose that there are several electricity thieves in area A. Assume that all smart meters function well, which means that the errors of the benign users' meters are within the normal range. Let us denote the set of fraudulent users as $C$, whose size is $m$. The remaining benign users are denoted as $B$, whose size is $n$. Note that $A = B \cup C$. The problem this study attempts to address is how to find all these electricity thieves when $C$ contains only FRETs.

B. MATHEMATICAL MODEL OF NTL AND FRETS' DATA
Assume that the ground-truth load data of user $i$ is $u_{i,t}$. If $i$ is a FRET, the attack is linear, i.e.,

where $\tilde{u}_{i,t}$ is the recorded load data, and $\alpha_i \in (0, 1)$ is a constant that represents the ratio of $\tilde{u}_{i,t}$ to $u_{i,t}$. Because the gateway meter cannot be tampered with by fraudulent users, the NTL $\omega_t$ caused by them satisfies (3) when $C$ only contains FRETs:

Let us vectorize the recorded load data and NTL data for one day to obtain the load (3), we can derive that $\tilde{u}_i|_{i \in C}$ and $\omega$ satisfy (4).

(4) shows that when $C$ contains only FRETs, the NTL vector $\omega$ can be linearly represented by the recorded load vectors $\tilde{u}_i|_{i \in C}$, and the representation coefficients depend only on $\beta_i$. Thus, the correlation between $\omega$ and $\tilde{u}_i$ when $i \in C$ should be stronger than the correlation when $i \in B$, i.e.,

where Corr(·) is a correlation measurement for two vectors, such as the Pearson correlation coefficient (PCC) $\rho(\cdot)$. Equation (5) is strictly true when only one or two FRETs exist within the same area. However, when it comes to the scenario of a group of FRETs, in which $\omega$ is jointly determined by the $\tilde{u}_i$ of all FRETs, (5) may not be valid.
For the area containing four FRETs in Figure 2, the load curves of the four FRETs are clearly dissimilar to the NTL curve. In addition, the PCCs in Table 1 show that the linear correlation between the NTL and load data of any single FRET is not strong. In this case, traditional correlation-sorting-based methods are at a disadvantage. The example in Figure 2 also reveals that if we add up the load vectors of all FRETs to obtain a combined vector $\tilde{u}_C = \sum_{i \in C} \tilde{u}_i$, then $\omega$ and $\tilde{u}_C$ may have an extremely strong correlation. Moreover, with each superposition of a FRET load vector, the combined vector and $\omega$ become more correlated, as shown in Table 1:

If this increasing trend of correlation revealed in (6) is not an individual case, it can be exploited to capture the entire group of FRETs.

C. VALIDITY ANALYSIS OF THE TREND
To exploit the above trend for locating FRETs, we must understand its prerequisite. In this section, we analyze the validity of this correlation trend and provide a theoretical foundation for our method. We first normalize all vectors by (7) to obtain $\omega^*$ and $\tilde{u}^*_i|_{i \in A}$.

Because the normalization brings all the vectors to the same scale, the value of covariance can also measure the correlation of two vectors [28]. Thus, we merely need to explore the precondition of (8) to analyze the validity of the above trend.
where cov(·) is the function of covariance.
To demonstrate (8), we must introduce the matrix of covariance between every recorded load vector $\tilde{u}^*_i$ when $i \in C$, as follows.
VOLUME 10, 2022
where $\varphi_i$ denotes the i-th column vector of the covariance matrix. After normalization, $\omega^*$, $\tilde{u}^*_i|_{i \in C}$, and $\beta^*$ also satisfy the linear equations in (10).
Therefore, the recorded load vector $\tilde{u}^*_i$ of FRET $i$ can be expressed as shown in (11).
where $e_i$ is an m-dimensional column vector whose i-th element is 1 and the remaining elements are 0. Then, based on the property of covariance, we can obtain the covariance between $\omega^*$ and $\tilde{u}^*_i$ using (12).
where $e_{i,j}$ is an m-dimensional column vector whose i-th and j-th elements are 1, and the remaining elements are 0. We can then obtain the covariance between $\omega^*$ and $\tilde{u}^*_{i+j}$ from

Comparing (13) and (14), the increment of covariance caused by the superposition of $\tilde{u}^*_j$ is given by

Based on (15), this increment depends only on the ratio vector $\beta^*$ and the j-th column vector $\varphi_j$ of the covariance matrix. Because every element $\beta^*_i$ of $\beta^*$ is above zero, when the elements of $\varphi_j$ are non-negative, the increment $\beta^{*T} \varphi_j$ must be positive and $\mathrm{cov}(\omega^*, \tilde{u}^*_{i+j})$ must be greater than $\mathrm{cov}(\omega^*, \tilde{u}^*_i)$. Similarly, we can deduce that when every element of the covariance matrix is non-negative, every increment caused by the superposition of FRETs is greater than 0. Under these circumstances, equation (8) is strictly true. Finally, we prove the precondition of the above trend, which is:

In short, if the recorded load vectors of any two FRETs are positively correlated, the correlation between the combined load vector and $\omega$ becomes stronger with each superposition of FRET data. Although this trend may not always be true in every situation, the precondition in (16) is not very difficult to satisfy or approximately satisfy. Therefore, we believe that this trend can be exploited to detect FRETs.

III. METHODOLOGY AND DETECTION FRAMEWORK
In this section, we explain our method based on the above correlation trend. Two practical problems are also considered and analyzed. Finally, we design the framework of the method for future practical applications.

A. DETECTION FOR FRETS
Based on the validity analysis in Section II, when the condition in (16) is met, the covariance between the NTL and data of FRETs exhibits an increasing trend with data superposition. Therefore, the detection of FRETs reduces to finding the group of users with such a trend. However, this trend is not exclusive to FRETs. To locate FRETs precisely and effectively, another significant trait is needed.
Let us denote any user set with the above increasing trend as $P^*$. That is, when the load vectors of users in $P^*$ are superposed one by one in a certain order, the covariance between the NTL vector and the superposed vector continues to increase. It is clear that $C$ belongs to $P^*$ when the condition in (16) is satisfied. According to (10), $\omega^*$ is determined only by $\tilde{u}^*_i|_{i \in C}$. Thus, if we add up all vectors of $C$ to obtain $\tilde{u}^*_C = \sum_{i \in C} \tilde{u}^*_i$, then $\mathrm{cov}(\omega^*, \tilde{u}^*_C)$ should be the maximum of the covariances between $\omega^*$ and the combined vectors $\tilde{u}^*_{P^*} = \sum_{i \in P^*} \tilde{u}^*_i$ of all $P^*$ with the above trend, that is,

Therefore, the detection of FRETs can be transformed into an optimization problem: find a user set from all $P^*$ with the above increasing trend to maximize the covariance between $\omega^*$ and its combined vector, that is,

The best solution to (18) is denoted as $P^*_{\max}$. When the condition in (16) is satisfied, $P^*_{\max}$ is nearly identical to $C$. To obtain $P^*_{\max}$, we first decompose (18) into $m + n$ subproblems. Each subproblem can be described as follows: for user $i$, find a user set containing it and with the increasing trend to maximize the covariance between $\omega^*$ and its combined vector, that is,

where $P^*_i$ is any set containing user $i$ and with the increasing trend. The best solution to the subproblem of user $i$ is denoted as $P^*_{i\max}$. By searching every $P^*_{i\max}$, the optimal global solution $P^*_{\max}$ can be easily obtained. We propose a searching approach, illustrated in Figure 3, to seek the $P^*_{i\max}$ of user $i$. The corresponding procedures are as follows.

1) FIRST-ORDER OPTIMIZATION
If $j$ belongs to $(A - \{i\})$ and $\mathrm{cov}(\omega^*, \tilde{u}^*_i) \le \mathrm{cov}(\omega^*, \tilde{u}^*_i + \tilde{u}^*_j)$, the corresponding $j$ is denoted as $j_1$, and $i \to j_1$ is the first-order incremental path (IP) of user $i$. The $j_1$ that causes $\mathrm{cov}(\omega^*, \tilde{u}^*_i + \tilde{u}^*_{j_1})$ to increase the most is denoted as $j_{1\max}$. The corresponding IP $i \to j_{1\max}$ is the first-order maximum incremental path (MIP) of user $i$. The goal of the first-order optimization is to find $i \to j_{1\max}$.

4) ENDING CONDITION
After k-order optimization, if k = m+n−1, which means that the search process has already traversed all users, or if there is no IP when conducting (k + 1)-order optimization, which means that the covariance no longer increases, the search process is terminated.
Once the ending condition is triggered, the optimization search is terminated, and $P^*_{i\max}$ is composed of the users along the MIP of every order, that is,

It is worthwhile to explain that the search for the IP of every order ensures that the obtained $P^*_{i\max}$ possesses the increasing trend, and the search for the MIP of every order ensures that the covariance increases the most. Thus, the $P^*_{i\max}$ sought by the procedure above is guaranteed to be the best solution for (20).
For every user $i$, the corresponding $P^*_{i\max}$ is determined according to the search procedure above. The global solution $P^*_{\max}$ is the $P^*_{i\max}$ with the greatest $\mathrm{cov}(\omega^*, \tilde{u}^*_{P^*_{i\max}})$. Once $P^*_{\max}$ is obtained, the detection of FRETs is accomplished.

B. PROBLEMS IN PRACTICE
Before introducing the detection framework of the proposed method, two practical problems must be considered. The first problem is the computational complexity of the search algorithm. From the search process, the computational complexity depends on two factors: the number of users to be detected and the ending order when conducting the search for $P^*_{i\max}$ for every user $i$. The number of users cannot be controlled. Therefore, to handle larger data scales, it is only possible to control the ending order when conducting a search for $P^*_{i\max}$. We relax the ending condition in Section III by setting an optional cut-off order $K$. The ending condition is adjusted as follows: after k-order optimization, if $k = K - 1$, or if there is no IP when conducting (k + 1)-order optimization, the search process is terminated. Compared with the original ending condition, it cuts off the remaining search for $P^*_{i\max}$ by setting $K$ to a suitable value, which saves a lot of time, especially when searching $P^*_{i\max}$ for benign users. A comparison between our search algorithm (with and without $K$) and other detection methods in terms of computational complexity is presented in Section IV-D.
On the other hand, fraudulent customers may steal electricity at non-fixed ratios. When an area contains a certain number of non-FRETs, the proposed method may be invalid. To address this problem, we set up a scene judgment part to block our method in cases where fraudulent users are not FRETs. Because $\tilde{u}^*_i|_{i \in C}$ and $\omega^*$ satisfy the linear equations in (10) less and less well as the number of non-FRETs increases, the linear correlation between $\omega^*$ and the combined load vector $\tilde{u}^*_{P^*_{\max}} = \sum_{i \in P^*_{\max}} \tilde{u}^*_i$ found by our method should become increasingly weaker. This can be verified by the value variations of $\mathrm{cov}(\omega^*, \tilde{u}^*_{P^*_{\max}})$ and $\rho(\omega^*, \tilde{u}^*_{P^*_{\max}})$ in Table 2, which provides the basis for scene judgment. Because the value of PCC is fixed between -1 and 1, $\rho(\omega^*, \tilde{u}^*_{P^*_{\max}})$ is more suitable as the standard for scene judgment. After $P^*_{\max}$ is found, calculate $\rho(\omega^*, \tilde{u}^*_{P^*_{\max}})$ and compare it with the threshold $\theta$. When $\rho(\omega^*, \tilde{u}^*_{P^*_{\max}}) > \theta$, we believe that fraudulent users are mainly FRETs, and $P^*_{\max}$ is given as the suspicious user set $C_{sus}$; when $\rho(\omega^*, \tilde{u}^*_{P^*_{\max}}) \le \theta$, we believe that this is not the target scene, and the empty set $\emptyset$ is given as $C_{sus}$ to block the method. After numerous experiments, it is suggested that the value of $\theta$ should be set as 0.96-0.98 to achieve a favorable result in the real unknown scene.
P.S. The total number of users in an area is 80, and the total number of electricity thieves per area is 8.
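The search, the cut-off order K and the scene judgment described above, as an added example in Python that is not code from the paper. It runs on constructed one-day readings for three FRETs (f1 to f3) and three benign users (b1 to b3). Assumptions: all names are hypothetical, and the score re-standardizes the superposed vector after every addition, so it equals the PCC between the NTL and the combined readings; the page's normalization equations are not available, so that choice is this example's own.

```python
from math import sqrt

# Constructed ground-truth loads (kWh per interval, 8 intervals, one day).
TRUE_LOAD = {
    "f1": [7, 5, 3, 1, 7, 5, 3, 1],
    "f2": [7, 1, 3, 5, 7, 1, 3, 5],
    "f3": [7, 5, 7, 5, 3, 1, 3, 1],
    "b1": [7, 1, 7, 1, 3, 5, 3, 5],
    "b2": [7, 3, 5, 1, 5, 1, 7, 3],
    "b3": [5, 3, 1, 7, 1, 7, 5, 3],
}
# Constructed fixed ratios alpha_i = recorded / true for the three FRETs.
ALPHA = {"f1": 0.50, "f2": 0.55, "f3": 0.60}


def build_area(true_load, alpha):
    """Apply the linear attack (recorded = alpha * true) and derive the NTL
    as gateway reading minus the sum of all recorded readings."""
    recorded = {u: [alpha.get(u, 1.0) * x for x in v] for u, v in true_load.items()}
    slots = range(len(next(iter(true_load.values()))))
    gateway = [sum(v[t] for v in true_load.values()) for t in slots]
    ntl = [gateway[t] - sum(v[t] for v in recorded.values()) for t in slots]
    return recorded, ntl


def pcc(x, y):
    """Covariance of the two z-scored vectors (Pearson correlation)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:      # flat vector, e.g. an area with no NTL
        return 0.0
    return sxy / sqrt(sxx * syy)


def search_from(start, recorded, ntl, K=None):
    """Follow the maximum incremental path from `start`.

    K is the cut-off order: the search stops after K - 1 additions,
    or earlier when no remaining user keeps the score from decreasing.
    """
    members = [start]
    combined = list(recorded[start])
    score = pcc(ntl, combined)
    limit = K if K is not None else len(recorded)
    while len(members) < limit:
        best_user, best_score = None, score
        for j in recorded:
            if j in members:
                continue
            trial = [a + b for a, b in zip(combined, recorded[j])]
            s = pcc(ntl, trial)
            if s >= best_score:   # incremental path; keep the largest one
                best_user, best_score = j, s
        if best_user is None:     # no incremental path left
            break
        members.append(best_user)
        combined = [a + b for a, b in zip(combined, recorded[best_user])]
        score = best_score
    return set(members), score


def detect(recorded, ntl, K=None, theta=0.96):
    """Solve every per-user sub-problem, keep the best set, then apply the
    scene judgment: the set is reported only if its PCC exceeds theta."""
    best_set, best_score = set(), float("-inf")
    for i in recorded:
        members, score = search_from(i, recorded, ntl, K)
        if score > best_score:
            best_set, best_score = members, score
    suspects = best_set if best_score > theta else set()
    return suspects, best_score


if __name__ == "__main__":
    recorded, ntl = build_area(TRUE_LOAD, ALPHA)
    for user in recorded:
        print(user, "single-user PCC with NTL:", round(pcc(ntl, recorded[user]), 3))
    suspects, rho = detect(recorded, ntl)
    print("suspicious set:", sorted(suspects), "PCC of combined set:", round(rho, 4))
```

On this constructed data every thief's individual PCC with the NTL stays below 0.75, while the set returned by the search scores about 0.99 and passes the threshold.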

C. DETECTION FRAMEWORK
Based on the above principle and methodology, the corresponding detection framework is designed with three modules: preprocessing, detection, and judgment, as shown in Figure 4.
For an area that contains $m + n$ different users with their M-day load profiles, the preprocessing module first vectorizes the load profiles of each day to obtain the daily load vectors $\tilde{u}_{i,d}$. For every $\tilde{u}_{i,d}$, the missing data are recovered as follows:

Algorithm of NTLC
Input: User set $A$, normalized load vectors $\tilde{u}^*_i|_{i \in A}$, NTL vector $\omega$ and parameters $K$ and $\theta$.
Output: Set of suspicious users $C_{sus}$.
Step 1: For every user i in A:
    Set the best solution of the sub-problem of i as $P^*_{i\max} = \{i\}$;
    Do:
        For every user j in A:
            Add user j into $P^*_{i\max}$;
    While the ending condition is not triggered;
Step 2: Set the best solution of problem (18) as $P^*_{\max} = \emptyset$;
    For every user i in A:

where mean($\tilde{u}_{i,d}$) is the average value of $\tilde{u}_{i,d}$. In addition, there were some individual erroneous data under certain conditions. Therefore, the preprocessing module also recovers those data by the following equation according to the "three-sigma rule of thumb".
where $\sigma(\tilde{u}_{i,d})$ is the standard deviation of $\tilde{u}_{i,d}$. Next, the daily NTL vector $\omega_d$ is calculated using (3). Subsequently, all vectors are standardized to obtain $\tilde{u}^*_{i,d}$ and $\omega^*_d$ according to (9).
The detection module uses $\tilde{u}^*_{i,d}$ and $\omega^*_d$ on the same day as the input. For every $d$, its suspect set $C_{sus,d}$ is calculated according to the NTLC algorithm. Then, the judgment module calculates the anomaly degree $\gamma_i$ of user $i$ by counting the number of times $M_i$ that user $i$ belongs to $C_{sus,d}$ in $M$ days, that is,

From (23), the higher $\gamma_i$ is, the more suspicious user $i$ is. Finally, a certain number of users with the highest $\gamma_i$ are chosen for on-site inspection.

IV. VALIDATION AND EVALUATION
A. DATASET

1) BENIGN DATA
We utilize a realistic electricity usage dataset from the State Grid Corporation of China (SGCC) to conduct the experiments. Because all the users in this dataset are from areas whose transmission loss rates are less than 3% per month, their load data are measured synchronously and can be considered ground truth. Detailed information on this dataset is presented in Table 3. In particular, it consists of the load profiles of 3000 single-phase customers and 500 three-phase customers over 285 days (from April 1, 2019, to December 31, 2019). Every load profile per day is composed of kWh measurements every 15 min.

2) FRAUDULENT DATA
We rely on the electricity theft emulator (ETE) of the China Electric Power Research Institute to generate fraudulent data. This emulator, as shown in Figure 5, consists of two sectors: the load control sector and the meter sector. Let us explain how fraudulent data are generated by the ETE using one example. By inputting the time series of the voltage, current, and power factor according to the benign dataset, the load control sector can emulate the power usage processes of real customers. Meanwhile, smart meters in the meter sector record the data of emulated customers. If a meter is physically tampered with, for example, the voltage coil of the meter is connected to a diode, the readings of this meter are the fraudulent data of a malicious user who tampers with the meter in this way. By tampering with smart meters in different ways, this emulator can precisely emulate all sorts of real physical attacks, which are far more reliable than artificially summarized FDIs. Fraudulent samples generated by this emulator are shown in Figure 6.
In this study, we mainly adopt the linear physical attacks of voltage reducing, current decreasing, and power factor diminishing to generate the fraudulent data of FRETs.

B. EVALUATION METRICS AND COMPARISONS
We adopt the area under the curve (AUC) [29] and mean average precision (MAP) [30], which are two widely used classification evaluation metrics, to assess the performance of the proposed method. The AUC is defined as the area under the receiver operating characteristic curve (ROC). According to [12], it can be calculated as follows:

where $m$ is the number of fraudulent users, $n$ is the number of benign users, and $rank_i$ is the rank of user $i$ in ascending order according to the anomaly degree $\gamma_i$. MAP is typically used to estimate the quality of information retrieval. To calculate the MAP, we need to define P@S, as in (25).

where $Y_S$ is the number of electricity thieves among the top $S$ suspicious users. Given a certain number of $R$, MAP@R can be calculated as in (26).
where $r$ is the number of electricity thieves among the top $R$ suspicious users, and $S_i$ is the position of the i-th electricity thief. It can be inferred that both AUC and MAP@R are between 0 and 1, and a higher value indicates a better performance.
To analyze the merits and demerits of the proposed method, we use some state-of-the-art methods for comparison.
1) PCC [31]: A famous bivariate correlation measurement.
2) MIC [31]: A metric that can measure the strength of the nonlinear correlation between two vectors.
3) CFSFDP [32]: A novel clustering algorithm based on density and distance. In [17], it was adopted to calculate the anomaly degrees of users.
4) Local outlier factor (LOF) [33]: A widely used local-density-based outlier detection method.

C. PERFORMANCE OF THE DETECTION FOR FRETS
In this part, the load profiles of all 500 three-phase users from Aug. 1, 2019 to Sep. 31, 2019, were utilized to conduct the experiments. We randomly and evenly divided the 500 three-phase users into ten areas. Six users in each area were randomly chosen as FRETs, whose load profiles were tampered with via the ETE. Therefore, each area contains 50 users, and the ratio of FRETs is 12%, which is very high. The test was repeated 100 times with different combinations of areas and random selection of FRETs. Table 4 shows the best values of AUC and MAP@40 for the five methods in the 100 experiments. Figure 7(a) shows the average scores for the five methods. To analyze the impact of normalization on the performance of power-pattern-based methods in detecting FRETs, we also present the evaluation metrics of CFSFDP and LOF without normalization. It is evident that the highest MAP@40 of the power-pattern-based methods is only 0.343, whereas the lowest MAP@40 of the correlation-based methods is 0.726. At the same time, the gap in AUC between these two types of methods was also large. This result demonstrates that correlation-based methods are far more capable of detecting FRETs than outlier-based methods. This is because normalization makes the tampered data almost identical to the ground truth data. Therefore, the patterns of the FRETs cannot differ from the normal patterns after normalization. However, the evaluation metrics of CFSFDP and LOF dropped without normalization. It seems that leaving the data unnormalized cannot help improve their accuracy when detecting FRETs. Furthermore, a comparison among the correlation-based methods shows that both the AUC and MAP@40 of NTLC are above 0.95, an increase of nearly 25% over PCC (0.787, 0.758) and MIC (0.768, 0.737). This indicates that the proposed method improves the performance of correlation-based methods in detecting FRETs. Figure 7(b) shows the standard deviation $\sigma$ of AUC and MAP@40 in 100 experiments for the five methods.
The $\sigma_{AUC}$ values of the five methods are all distributed between 0.04 and 0.06 and are not much different. On the other hand, the values of $\sigma_{MAP@40}$ are distributed between 0.09 and 0.19, in which the $\sigma_{MAP@40}$ of outlier-based methods is lower than that of correlation-based methods. Nevertheless, the $\sigma_{MAP@40}$ of NTLC is 0.12, which is lower than those of the other two correlation-based methods. From the experiments in this part, we can conclude that the NTLC method improves both the accuracy and stability of correlation-based methods for detecting FRETs.

D. COMPARISON OF TIME CONSUMPTION
In this part, we mainly test the time consumption of the five methods under three different data scales: 15500 load profiles, 30500 load profiles, and 76500 load profiles. To evaluate the impact of the ending order $K$ on the time consumption and accuracy of our method in detecting FRETs, we also conducted tests on NTLC with different $K$ values ($K$ = 20, 15, 10, 5, and 3). The other experimental settings, such as the number of users in one area and the number of FRETs, are the same as in Section IV. All tests were performed on an AMD Ryzen 9 5900 @ 4.7 GHz desktop computer with 64 GB RAM. All five methods were developed on PyCharm using Python 3.8. The average time consumption and evaluation metrics are shown in Figure 8.
Among these methods, MIC and PCC have the lowest time consumption, which is less than 25 s for all data scales. CFSFDP and NTLC without $K$ are the most time-consuming methods. It takes NTLC 93.75 s to complete the detection of 76500 load profiles, which is nearly five times as long as the MIC consumption. With an increase in the data scale, the time consumption of NTLC increased geometrically. The results suggest that the proposed method indeed faces the problem of long time consumption when handling large-scale data.
To address this problem of NTLC, we set the ending-order parameter $K$. It can be observed from Figure 8 that when $K$ varies from 20 to 15, the time consumption of NTLC did not decrease much. This indicates that a higher $K$ does not affect the time consumption of NTLC. However, as $K$ decreased further, the time consumption dropped markedly. When $K$ = 5, the time consumption of NTLC was at the same level as that of LOF. Meanwhile, the AUC and MAP@40 of NTLC did not decrease significantly during this process. The MAP@40 of NTLC remained above 0.85 when $K$ was 3. The results demonstrate that we can control the time consumption of NTLC to a reasonable level (between LOF and MIC) without significant loss of accuracy when handling large-scale data by setting the value of $K$ to a suitable level.

E. IMPACT OF NUMBER OF FRETS
To explore the impact of the number of FRETs on the above five methods, we held 50 users per area and changed the number of FRETs from 1 to 15 (step size of 2). Figure 9 shows the results of the five methods used in this study. For CFSFDP and LOF, we only present their results with normalization. The AUC and MAP@40 of the power pattern-based methods remained stable and did not change with the number of FRETs. This is because the tampered load curves of FRETs are almost identical to the ground truth curves after normalization, so the outliers have already been decided from the beginning, regardless of how many users are chosen to be tampered with. In contrast, the scores of the correlation-based methods changed with the number of FRETs. Specifically, with a small number of FRETs, the three correlation-based methods have fairly close and high AUCs. However, as the number of FRETs increased, the AUC of PCC and MIC decreased rapidly and gradually deviated from that of the LLC. Overall, the AUC declines of PCC and MIC are 0.231 (from 0.92 to 0.689) and 0.251 (from 0.911 to 0.654), respectively, while that of NTLC is only 0.111 (from 0.998 to 0.887). The MAP@40 of these three methods exhibited the same behavior. The analysis above indicates that the number of FRETs indeed has a negative impact on the accuracy of PCC and MIC, so these two methods are not applicable to the scenario of multiple FRETs. Although the scores of NTLC decreased slightly over the whole process, they remained at a very high level. Therefore, the proposed method performs better in detecting group FRETs.
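The effect described above can be reproduced on constructed data: per-user PCC against the NTL loses separation as more FRETs share an area, while the correlation between the NTL and the summed readings of a growing user set keeps rising. This is an added sketch, not the paper's NTLC code; it assumes equal theft ratios, ignores technical loss, uses plain Pearson correlation with a greedy search as stand-ins, and all function names are hypothetical.

```python
import math

T = 96  # constructed: one day of 15-minute readings

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var_x = sum((a - mx) ** 2 for a in x)
    var_y = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(var_x * var_y)

def make_area(n_users, fret_ids, ratio):
    """Constructed loads: a shared daily cycle plus one private cycle per user.
    A FRET meter records (1 - ratio) of true use; NTL is the unrecorded part
    (technical loss is ignored in this sketch)."""
    def wave(freq, t):
        return math.sin(2 * math.pi * freq * t / T)
    true = [[3 + wave(1, t) + wave(u + 2, t) for t in range(T)]
            for u in range(n_users)]
    meter = [[v * (1 - ratio) if u in fret_ids else v for v in row]
             for u, row in enumerate(true)]
    ntl = [sum(true[u][t] - meter[u][t] for u in range(n_users))
           for t in range(T)]
    return meter, ntl

def single_user_gap(meter, ntl, fret_ids):
    """Weakest FRET score minus strongest honest score under per-user PCC."""
    scores = [pearson(ntl, row) for row in meter]
    frets = [s for u, s in enumerate(scores) if u in fret_ids]
    honest = [s for u, s in enumerate(scores) if u not in fret_ids]
    return min(frets) - max(honest)

def greedy_group(meter, ntl, eps=1e-9):
    """Grow a user set while corr(NTL, summed readings) keeps rising."""
    chosen, total, best, trend = [], [0.0] * T, -1.0, []
    while len(chosen) < len(meter):
        trial = {u: [a + b for a, b in zip(total, meter[u])]
                 for u in range(len(meter)) if u not in chosen}
        cand = max(trial, key=lambda u: pearson(ntl, trial[u]))
        score = pearson(ntl, trial[cand])
        if score <= best + eps:
            break
        chosen.append(cand)
        total, best = trial[cand], score
        trend.append(score)
    return sorted(chosen), trend

if __name__ == "__main__":
    meter, ntl = make_area(12, {1, 4, 6, 9}, 0.3)
    print(single_user_gap(meter, ntl, {1, 4, 6, 9}))
    print(greedy_group(meter, ntl))
```

With one FRET the per-user gap is 0.5; with four it shrinks to about 0.16, yet the set-level correlation climbs to 1 once all four are superposed.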

F. IMPACT OF CORRELATION OF FRETS
The analysis in Section II proves that when the load vectors of any two FRETs are positively correlated, the suspicious user set C_sus output by the LLC method is nearly identical to the set of fraudulent users C. In this part, we explore the performance of the NTLC method when this sufficient condition is not fully met. For this purpose, we use the average PCC, which is the mean value of the PCCs between every pair of users, to measure the correlation of a set of FRETs. Ten sets of FRETs with ten different average PCCs that were approximately evenly distributed between -1 and 1 were found. Figure 11 shows the AUCs of the five methods for detecting these 10 sets of FPET users.
The AUC of the outlier-based method behaved exactly as in previous tests for the same reason. In contrast, the curves of the correlation-based methods show that as the correlation of FPET users changes from positive to negative, the AUC of these three methods decreases to different degrees. Analyzing the curve of LLC further and taking 0 as the boundary, we can see that when the average PCC is above 0, which means that the FPET users are positively correlated, the AUC of LLC hardly decreases. However, when the average PCC is below 0, which means that the FPET users are negatively correlated, the AUC reduction of LLC evidently increases. This shows that negatively correlated FPET users can affect the accuracy of the LLC method. Even so, the lowest AUC of LLC was 0.784, which significantly outperformed the other methods. Thus, the proposed method is more robust from this perspective.

V. CONCLUSION
This study proposes an NTLC-based method to detect FRETs and verifies the effectiveness of this method using a real consumption dataset provided by SGCC. The main conclusions are as follows:
1) We established a mathematical model between the NTL and load data of FRETs. We then observe that their correlation becomes increasingly strong with data superposition. The precondition for this trend is that the load data of any two FRETs are positively correlated.
2) Based on this trait, we realize the detection of FRETs and UPUs by searching a set of users who have the maximum covariance with NTL from all sets that have the above increasing trend. We also analyzed two problems of the proposed method in practice and took corresponding measures to address them.
3) We conducted a series of tests via comparisons with other state-of-the-art methods regarding accuracy, stability, and scalability. The results indicate that the proposed method has superior and stable performance in detecting FRETs, particularly when it comes to multiple FRETs in one area. In addition, the parameter K is able to reduce the time consumption of the presented method without too much loss of accuracy. In addition, the performance of the proposed method when the precondition is not fully met was also tested.
There are also some limitations to the proposed method. First, the proposed method analyzes only electricity consumption data, which may contain limited information. In addition to meter reading data, other information such as climatic factors (temperature), regional factors, and electric factors (current and voltage) is worth studying in the future. Second, our method does not specialize in detecting nonlinear FDI, which has also been adopted in cyberattacks. Therefore, it is worthwhile to investigate ways to supplement the detection of nonlinear FDI with multiple types of information. Although there is no one-size-fits-all solution for handling all sorts of FDIs, the NTLC method is of high value to power utilities for easing the severity of collaborative fraud.

RUNAN   He is currently an Associate Professor with the School of Electrical and Electronic Engineering, NCEPU. Moreover, he was a Visiting Scholar with the Energy Systems Research Laboratory, Department of Electrical and Computer Engineering, Florida International University (FIU), Miami, FL, USA, from December 2018 to December 2019. He has authored and coauthored more than 100 articles in peer-reviewed journals and major international conferences. Furthermore, he has 20 patents awarded in the area of electric machine design, control, and energy-saving technologies. His research interests include electrical motors design, diagnosis, energy analysis, and energy-saving technologies of electric machines and drive systems, wireless power transfer, and data mining in power systems.

VOLUME 10, 2022