
A Machine-Learning-Based Cyber Attack Detection Model for Wireless Sensor Networks in Microgrids

This article presents a machine-learning-based framework for detecting and mitigating data integrity attacks in wireless sensor networks within microgrids. It introduces an intelligent anomaly detection method using prediction intervals to identify various severities of cyber attacks, enhancing the security of smart meters crucial for microgrid operations. The proposed model is validated with practical data from a residential microgrid, demonstrating high accuracy and effectiveness in maintaining secure operations.


650 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 17, NO. 1, JANUARY 2021

A Machine-Learning-Based Cyber Attack Detection Model for Wireless Sensor Networks in Microgrids

Abdollah Kavousi-Fard, Senior Member, IEEE, Wencong Su, Senior Member, IEEE, and Tao Jin, Senior Member, IEEE

Manuscript received October 29, 2019; revised December 18, 2019 and December 29, 2019; accepted January 2, 2020. Date of publication January 7, 2020; date of current version October 23, 2020. Paper no. TII-19-4801. (Corresponding authors: Wencong Su and Tao Jin.)
A. Kavousi-Fard is with the Department of Electrical Engineering, Fuzhou University, Fuzhou 350116, China, and also with the Department of Electrical and Electronics Engineering, Shiraz University of Technology, Shiraz 715555-313, Iran (e-mail: [email protected]).
W. Su is with the Department of Electrical and Computer Engineering, University of Michigan-Dearborn, Dearborn, MI 48128, USA (e-mail: [email protected]).
T. Jin is with the Department of Electrical Engineering, Fuzhou University, Fuzhou 350116, China (e-mail: [email protected]).
Color versions of one or more of the figures in this article are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TII.2020.2964704

Abstract—In this article, an accurate secured framework to detect and stop data integrity attacks in wireless sensor networks in microgrids is proposed. An intelligent anomaly detection method based on prediction intervals (PIs) is introduced to distinguish malicious attacks with different severities during a secured operation. The proposed anomaly detection method is constructed based on the lower and upper bound estimation method to provide optimal feasible PIs over the smart meter readings at electric consumers. It also makes use of the combinatorial concept of PIs to solve the instability issues arising from the neural networks. Due to the high complexity and oscillatory nature of the electric consumers’ data, a new modified optimization algorithm based on symbiotic organisms search is developed to adjust the NN parameters. The high accuracy and satisfying performance of the proposed model are assessed on the practical data of a residential microgrid.

Index Terms—Microgrid, monitoring, optimization, prediction, smart sensor.

I. INTRODUCTION

MICROGRID as a supportive concept for the wide integration and deployment of renewable energy sources such as wind turbines and solar panels has improved the electrical services and transmitted power quality in recent years. Microgrid technology brings many benefits to the electric grid, including but not limited to higher social welfare, lower costs and power losses, higher voltage profile, improved reliability, less air pollution, and higher green energy economy [1]–[3]. It is anticipated that the installed microgrid capacity in the United States (US) will reach a 30% increase by 2020 [4]. In this situation, it is clear that an intelligent operation of the microgrid is closely tied with secure and reliable monitoring of the local power consumption and generation. Metering devices such as smart meters are the key enablers for the two-way information interaction between the consumers and microgrid decision making units (either microgrid central control or distributed decision makers), eventually leading to the efficient and effective operation of the microgrid. Therefore, the security of smart meters in the microgrid plays a significant role in the optimal operation and management of these systems.

With the widespread growth of microgrids, serious concerns regarding cyber attacks on these systems involving smart meters’ hacking have emerged. According to a recent report from the US Department of Homeland Security, 224 malicious cyber attacks were reported in local electric power companies during the years 2013 and 2014 [5]. The malicious attack of the Stuxnet worm on the supervisory control and data acquisition (SCADA) system in 2010 could damage part of the industrial electric grids [6]. In 2008, several cyber attacks were reported in European power utilities trying to penetrate into the system and inject false data [7]. Therefore, it is quite unsurprising to see a growing concern regarding the possible cyber attacks threatening the vulnerable points of the microgrid as a newly introduced technology in the modern power system. In this way, data integrity attacks are among the most destructive and dangerous cyber attacks, which can affect the microgrid operation by injecting false data replacing the real monitored data reported by smart meters. Such an attack silently manipulates the transmitted data and affects the healthy data monitored by the advanced metering infrastructure (AMI), including meters, sensors, or communication channels. In [8], the authors develop a method to determine the smallest set of attacked metering devices damaging the electric grid observability through a graph-based approach. It tried to provide a trade-off between maximizing the estimation error at the central control and minimizing the probability of cyber attack. In [9], a Gaussian-based detection model is introduced to limit the data integrity attack in electric grids by defining a minimum and maximum value for the measuring parameters. In [10], the effect of data integrity attacks on the distributed dc power flow algorithms is investigated. Their mechanism fits into the distributed power flow framework to neutralize the severe and dangerous cyber attacks. In [11], the possibility of data

1551-3203 © 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: University of Illinois at Chicago Library. Downloaded on January 09,2025 at 18:01:10 UTC from IEEE Xplore. Restrictions apply.
integrity attack in the optimal power flow is first investigated and then a resistive framework is constructed to defend the system. Similar works for assessing the data integrity attacks in power systems are implemented in [12]–[16]. Table I shows a review of some of the well-known cyber attacks in the power system in recent years.

TABLE I. REVIEW OF SOME CYBER ATTACKS IN POWER SYSTEM IN RECENT YEARS

While each of the above research works has investigated a specific aspect of data integrity attack, none of them has addressed this harsh cyber attack in microgrids. In fact, microgrids with advanced sophisticated AMIs are a very good target for hackers to implement their malicious attacks. In [17], false data injection attack is investigated in a dc microgrid. In their method, the candidate variants are selected and compared with the actual variants so that any mismatch reveals the existence of a cyber attack.

Unfortunately, the analysis is limited to the dc microgrid and the method is not smart enough to detect different attack severities. In addition, the high complexity and nonlinearity of microgrid local consumers (residential, industrial, or agricultural) make it impossible to reach all points for comparison.

This article proposes a new intelligent framework to deal with the data integrity attack in microgrids and defend them against these malicious activities. The proposed framework is capable of detecting cyber attacks with different severities (let us call this attack strength) by measuring specific features of the microgrid and learning their behavior during normal operation. The proposed cyber resilient model is constructed based on the lower and upper bound estimation (LUBE) method to make optimal prediction intervals (PIs) with a high confidence level [18]. Based on the constructed PIs, any anomalous behavior in the local consumer smart meters’ recordings is detected quickly. In order to overcome the instabilities existing in the neural network (NN) models, the idea of combined NNs is employed. Due to the high complexity and nonlinearity of the microgrid local consumer’s dataset, a new optimization algorithm based on the symbiotic organisms search (SOS) algorithm is developed to find the optimal values of the LUBE parameters. SOS is an evolutionary optimization algorithm which is inspired by the symbiotic interaction strategies adopted by organisms to survive and propagate in their ecosystem [19]. In addition, a three-phase modification method based on crossover and mutation operators from the genetic algorithm (GA) is introduced to increase the search ability of SOS while avoiding the possibility of trapping in local optima. The proposed anomaly-based detection model uses the practical data readings recorded by smart meters in AMI to construct a sufficient cyber resilient framework for a secured microgrid operation. In short, the main contributions of this article can be summarized as follows:
1) introducing an intelligent data anomaly detection model for secured microgrid operation based on PIs against data integrity attacks;
2) assessing the effects of attack severity covering stealthy false data injection to severe data attacks making the microgrid operation infeasible;
3) proposing a new SOS-based approach to enhance the LUBE training by accurate adjusting of the setting parameters;
4) introducing a novel two-phase modification method for equipping SOS with global and local search mechanisms for the optimization applications.

The feasibility and high accuracy of the proposed model are examined on the real datasets gathered by AMIs for a practical residential microgrid with three neighborhoods and 114 houses (aggregated and individual circuits).

The rest of this article is organized as follows. Section II explains cyber security in microgrids and the proposed data integrity attack model. Section III describes the proposed anomaly detection model based on combined LUBE. This section also explains the two-phase modified SOS optimization algorithm. The simulation results are discussed in Section IV. Finally, Section V concludes this article.

II. CYBER SECURITY IN MICROGRIDS WITH DATA INJECTION ATTACKS

This section focuses on the microgrid cyber security and then explains a model for cyber attack in these systems.

A. Microgrid Cyber Security

A microgrid as a small-size power system covers both the generation and consumption sides, which makes it possible to operate in two operation modes: grid-connected and islanded. Besides the physical layer including different distributed generations (DGs) and renewable energy sources, loads and storage units, a microgrid has an interconnected cyber layer mainly dealing with data transmission and decision making based on data gathered by AMIs. This makes the microgrid a complex cyber–physical system with a combinatorial nonlinear and correlated structure, which is a very good target for cyber hackers to penetrate and pursue their malicious purposes. Various factors such as vulnerable sensors, heterogeneous data sources, high volume interactions within the microgrid and between the microgrid and the main grid (in the grid-connected mode), and sensitivity to time synchronization and communication delays pose challenges to the secure and reliable operation of microgrids. In a microgrid, AMI is the key layer creating a two-way communication road between the smart metering devices with specific IP addresses and the power suppliers and consumers. AMI is in charge of data gathering, data communication, and energy consumption analysis for optimal running of the microgrid. AMI
makes the real-time decision making in both the generation and consumption sides possible. Based on the transmitted AMI data, DGs are scheduled at their optimal operating point and electric consumers can make appropriate economic decisions for maximum energy saving and actively participating in the market price. Fig. 1 shows the cyber–physical structure of a microgrid incorporating the AMI. As can be seen in Fig. 1, through the wired or wireless communication links, the smart meters as a key part of AMI collect data from electric consumers, generators, and storage units for decision making and efficient operation. Therefore, smart meters are assumed as a gateway for collecting and analyzing the microgrid physical layer situation. This makes them a vulnerable and potential penetration point to run malicious attacks for affecting the whole microgrid performance. In fact, by compromising the data reported by smart meters, one can affect the optimal dispatch of DGs and thus severely reduce the reliability, security, and power quality of electrical services.

Fig. 1. Microgrid structure as a cyber–physical layer.

B. Cyber Attack

In a typical microgrid, the first and main AMI role is to gather load consumption data and transfer it to the decision making unit for proper scheduling of generator units. In any situation, a healthy microgrid should satisfy the generation and demand balance equation to avoid unexpected interruptions or mandatory load shedding. In addition, AMI can play a significant role in reducing the total microgrid cost by providing real-time data about consumers’ demand. A microgrid has to increase the amount of power generation during the peak load hours to meet the electric needs. Through the accurate estimation of the load demand provided by AMI, the microgrid can make use of demand response technology to shift the peak load hours and thus reduce the total microgrid costs and avoid unnecessary feeder congestion and possible voltage and frequency collapse. This is a valuable and promising strategy as long as accurate electric load demand information is provided. Unfortunately, AMI, being constructed based on communication interfaces, is vulnerable to cyber attacks such that an expert adversary can manipulate the reported load demand. By hacking the AMI, an adversary damages the demand response process and destroys the generation and demand balance. This can result in further damaging consequences ranging from additional operating cost to infeasibility of operation and unscheduled shutdowns. Which of these events eventually happens to a microgrid depends on both the cyber-attack strength and the microgrid mode of operation. As mentioned before, a microgrid can operate in either grid-connected or islanded mode. In the grid-connected mode, the cyber attack on the AMI can increase the microgrid costs, feeder power losses, and voltage collapse. In the islanded mode, the cyber attack can result in more severe results such as loss of generation and demand balance and infeasibility of operation or shutdown. From the severity point of view, the cyber-attack strength can be categorized into two different cases. First, a malicious attack with a strong and instantaneous effect causing the highest damage to the microgrid. Such an attack is sensed in the short-time window and can be recognized due to its high magnitude. Second, a malicious attack with smooth and gradual effect causing changes in the long term. The main purpose of this type of cyber attack is to avoid being detected by the system and make changes in the microgrid in the long term. In this article, we will analyze both types of cyber attacks on the microgrid. An intelligent model is also proposed to detect the cyber attack, which is explained in detail in the next section. The proposed anomaly detection model makes use of the PI concept, which represents some smart thresholds which can detect any abnormality in the system.

III. PROPOSED ANOMALY DETECTION METHOD BASED ON PREDICTION INTERVALS

This section proposes a new modified anomaly detection model based on LUBE and the modified SOS algorithm to diagnose and stop malicious cyber attacks in the microgrid.

Fig. 2. PIs constructed by LUBE model [18].

A. Constructing PI Based on LUBE

The LUBE method makes use of the feedforward NN model to construct optimal PIs surrounding the forecast target. In order to detect data integrity attacks in the smart sensors installed in the microgrid local consumers’ side, each PI is in charge of modeling the forecast uncertainty existing in the electric consumption data. Each PI is made up of a lower bound (LB) and an upper bound (UB) such that any forecast sample will fall between these two bounds. Fig. 2 shows the conceptual illustration of the PI construction by LUBE. According to Fig. 2, the LUBE model has two output values: one value constructing the UB and one value constructing the LB. The number of input features as well as the LUBE structure are determined according to the

data characteristics and complexity. It should be noted that none of these bounds exist during the NN training process. In order to solve this problem and connect the produced PIs with the required confidence level, two fitness functions are defined in the literature [19], which are explained in the rest.

The first fitness function determines the required confidence level of PIs, called PI coverage probability (PICP). PICP shows the percentage of forecast points falling in the PIs and is calculated as follows:

$$\mathrm{PICP} = \frac{1}{N} \sum_{i=1}^{N} \varepsilon_i \tag{1}$$

where $N$ is the number of samples and $\varepsilon_i$ is a Boolean value that is evaluated as follows:

$$\varepsilon_i = \begin{cases} 1; & y_i \in [\mathrm{LB}_i, \mathrm{UB}_i] \\ 0; & y_i \notin [\mathrm{LB}_i, \mathrm{UB}_i] \end{cases} \tag{2}$$

where $y_i$ is the forecast target. The NN is trained such that the minimum required confidence level of $(1-\alpha)\%$ is satisfied. Any PI with a lower confidence level is discarded and a new PI is produced and replaces the low-quality PI.

According to (2), PICP is a significant criterion to determine the quality of PIs. Nevertheless, a PI with a high PICP and a large bandwidth is not applicable for our case. In other words, a very wide PI cannot contain much information about the forecast data and may become useless. Therefore, a second criterion needs to be defined, mainly calculating the PI bandwidth. The PI average width (PIAW) is defined to compute the PI bandwidth as follows:

$$\mathrm{PIAW} = \frac{1}{NR} \sum_{i=1}^{N} (U_i - L_i) \tag{3}$$

where $R$ is the range of the underlying targets used for normalizing PIs.

As can be seen from (1)–(3), the PICP and PIAW have a conflicting interaction such that improving one can devastate the other one and vice versa. This trend brings to mind the idea of multiobjective optimization, which needs a proper mechanism to optimize both fitness functions. This problem will get into several optimal points, making the set of nondominated solutions. In order to extract the most satisfying solution from this set, we make use of the fuzzy min–max approach. To this end, first proper fuzzy sets are assigned to PICP and PIAW, as shown in Figs. 3 and 4. In these figures, $\mathrm{PICP}_{\min/\max}$ and $\mathrm{PIAW}_{\min/\max}$ show the minimum/maximum values of PICP and PIAW, respectively.

Fig. 3. Fuzzy membership function for PICP.

Fig. 4. Fuzzy membership function for PINAW.

For each nondominated solution (optimal PI), the fuzzy membership values of PICP ($\mu_{\mathrm{PICP}}$) and PIAW ($\mu_{\mathrm{PIAW}}$) are calculated using Figs. 3 and 4. Now, the min–max fuzzy approach is employed to extract the best compromise solution from the set of nondominated solutions as follows [20]:

$$F(X) = \min_{x \in \Omega} \max_{k=1,\ldots,n} \left| \mu_{\mathrm{ref},k} - \mu_{f,k}(X) \right|, \quad k = 1, 2. \tag{4}$$

Having PICP and PIAW as the fitness functions, the parameter $n$ becomes two here. In (4), $\mu_{f,k}$ shows the fuzzy membership value of the $k$th fitness function. The reference membership functions $\mu_{\mathrm{ref},k}$ are determined by the decision maker in the range (0,1], showing the significance of the corresponding fitness function for the operator. Therefore, the higher the $\mu_{\mathrm{ref},k}$ value is, the more significance (weighting factor) is assigned to the corresponding function.

Please note that $\mathrm{PICP}_{\min/\max}$ and $\mathrm{PIAW}_{\min/\max}$ are generally determined based on the data characteristics. Nevertheless, $\mathrm{PICP}_{\max}$ is set to 100, which states that all forecast points are in between the PIs.

Also, $\mathrm{PICP}_{\min} = 0$ represents a very bad scenario in which none of the forecast samples are in the range. For $\mathrm{PIAW}_{\min}$, its value is calculated through the single-objective optimization of $\mathrm{PIAW}_{\min}$ when $\mathrm{PICP}_{\min} > \mathrm{PICP}_{\mathrm{worst}}$. Also, $\mathrm{PIAW}_{\max}$ may vary in the range [1]–[4] multiple of $\mathrm{PIAW}_{\min}$ based on the data features. As mentioned before in Section I, one main deficiency of NNs is their unstable response due to the complex nonlinear structure and random training initialization process. This can affect the performance of LUBE and thus the quality of PIs. In other words, any change in the training set can affect the NN response, which is not appropriate in an anomaly detection model. In order to overcome this issue, here we make use of the combination concept for the forecast PIs. It is demonstrated in the literature [21] that combinatorial forecast can enhance the NN performance effectively. In a similar way, we first train $n_c$ NNs using the LUBE approach. This will result in $n_c$ PIs which are sorted according to their quality [which is determined by (4)]. The first best $n_b$ NNs are picked and employed for constructing the combined PI based on the test data. The rest of the NNs with low quality are discarded. By the use of simple median or average operators, the final $n_b$ PIs are combined to construct the final combined PI.

Through the above process, the proposed probabilistic model can create optimal combined PIs for the microgrid electric power consumptions which are monitored by the smart meters in a real-time manner. As mentioned before in Section II, AMI in

a power system is in charge of transferring data of the smart metering devices and sensors to the central control unit. With the aid of AMI, real-time power consumption of the microgrid is monitored and analyzed in the central control unit, the result of which is the optimal power dispatch of units (it means optimal operation). The data integrity attack tries to alter the monitored data of customers’ metering devices in the microgrid and affect its optimal operation. By constructing optimal PIs for each group of consumers, any deviation from the UB or LB shows a possible anomalous data injection activity. Due to the high complexity and nonlinearity of the dataset, a new optimization algorithm based on SOS is developed to help the LUBE training process for constructing more optimal PIs. This is explained in the next part. In this article, the authors have made use of (4) instead of the traditional CWC criterion for constructing optimal PIs.

B. Modified Symbiotic Organisms Search Algorithm

The LUBE method developed in the last section is employed for constructing optimal PIs around the smart meters’ recordings of the microgrid consumers. This part proposes a new optimization algorithm to help adjust the proposed anomaly detection model parameters. SOS was introduced in 2014 for the first time, inspired by the cooperative interactions happening among different organisms to live and spread in an ecosystem [19]. Similar to the other metaheuristic optimization algorithms, SOS starts with a random initial population (called ecosystem). Each member of this ecosystem is an organism representing a promising solution for the optimization problem. The SOS is constructed based on the specific relationships existing among different organisms in an ecosystem. Depending on that, three core ideas can form the population relationships: 1) mutualism, 2) commensalism, and 3) parasitism. These three types of relationships are used to update the organisms’ (solutions) position in the ecosystem (population). In a mutualism relationship, both interacting sides benefit from this event. In the commensalism, only one side of the interacting parts benefits most from the relationship. In the parasitism interactions, one side of the relationship (which is most of the time the host organism) is harmed. Using the above three rules, all individuals in the population can enhance their position to improve their adaptation (here the fitness function) as time passes. To simulate the above phenomenon, an initial population of organisms is generated. Each solution in this population is a vector representing the LUBE model adjusting parameters. After calculating the fitness function for each solution, the best one is stored as $X_g$. From now on, the population position is improved through several iterations. In the first step, the mutualism interaction is simulated between any two random organisms $X_n$ and $X_m$ as follows:

$$X_n^{\mathrm{Iter}+1} = X_n^{\mathrm{Iter}} + \rho_1 \left( X_g - \omega_1 \times \frac{X_n^{\mathrm{Iter}} + X_m^{\mathrm{Iter}}}{2} \right) \tag{5}$$

$$X_m^{\mathrm{Iter}+1} = X_m^{\mathrm{Iter}} + \rho_2 \left( X_g - \omega_2 \times \frac{X_m^{\mathrm{old}} + X_n^{\mathrm{old}}}{2} \right) \tag{6}$$

where $\rho_1, \ldots, \rho_6$ are random numbers in the range (0, 1] in this article. According to (5) and (6), both organisms are improved in this interaction depending on their benefiting level, i.e., $\omega_1$ and $\omega_2$.

In the second step, the commensalism interaction is simulated. Therefore, a solution $X_n$ is chosen from the population randomly to improve its position as follows:

$$X_n^{\mathrm{Iter}+1} = X_n^{\mathrm{Iter}} + \rho_3 (X_g - X_n). \tag{7}$$

In the last step, the parasitism interaction is simulated. For each solution $X_n$, a random individual is chosen as the host to replace $X_n$. The above three steps are repeated until the algorithm converges.

The SOS algorithm has special features which make it a powerful optimizer for nonlinear and nonconvex constrained optimization problems. Some of the main characteristics of the SOS algorithm can be named as simple concept, few adjusting parameters, ease of implementation, having powerful global search mechanisms, and multimodal structure. Nevertheless, the performance of this algorithm can still be improved by equipping it with powerful search mechanisms. Therefore, in this article, we propose a two-stage modification method to improve the SOS algorithm performance. Each of these three phases is explained in the rest.

1) Modification Phase 1: This modification method makes use of Lévy flight to construct a powerful local search

$$X_n^{\mathrm{Iter}+1} = X_n^{\mathrm{Iter}} + \rho_4 \oplus \text{Lévy}(\theta). \tag{8}$$

Here, the operator Lévy($\theta$) simulates a random walk around the relevant solution as follows:

$$\text{Lévy}(\theta) \approx \tilde{\tau} = \mathrm{Iter}^{-\theta}, \quad 1 \le \theta \le 3. \tag{9}$$

2) Modification Phase 2: This modification method makes use of the crossover and mutation operators from the GA to increase the ecosystem diversity and avoid premature convergence. To this end, for each random solution $X_n$, three dissimilar solutions $X_{m1}$, $X_{m2}$, and $X_{m3}$ are chosen such that $n \neq m_1 \neq m_2 \neq m_3$. Then, a mutated solution is generated as follows:

$$X_{\mathrm{mut}} = X_{m1} + \rho_5 (X_{m2} - X_{m3})$$
$$X_{\mathrm{mut}} = [x_{\mathrm{mut},1}, \ldots, x_{\mathrm{mut},j}, \ldots, x_{\mathrm{mut},d}]. \tag{10}$$

Now, the crossover operator is employed for generating new test solutions as follows:

$$x_j^{\mathrm{Test1}} = \begin{cases} x_{\mathrm{mut},j}; & \rho_5 \le \rho_6 \\ x_g; & \rho_5 > \rho_6 \end{cases}$$
$$X_g = [x_{g,1}, \ldots, x_{g,j}, \ldots, x_{g,d}] \tag{11}$$

$$x_j^{\mathrm{Test2}} = \begin{cases} x_{\mathrm{mut},j}; & \rho_6 \le \rho_7 \\ x_n; & \rho_6 > \rho_7 \end{cases}$$
$$X_n = [x_{n,1}, \ldots, x_{n,j}, \ldots, x_{n,d}]. \tag{12}$$

The best solution among (11) and (12) is compared with $X_n$ and will replace it if it has a better position. Fig. 5 shows the flowchart of the proposed MSOS algorithm.
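One way to code the update rules (5)–(12), as an added example rather than the authors' implementation. The sphere function stands in for the LUBE fitness, the benefit factors ω are drawn as 1 or 2 and the parasitism step follows standard SOS (both assumptions, since the text gives these only briefly), and the names `msos`, `offer`, `best` and `sphere` are hypothetical.

```python
import random

def sphere(x):
    """Stand-in fitness, lower is better (the paper tunes LUBE NN weights instead)."""
    return sum(v * v for v in x)

def msos(fitness, dim=4, pop=20, iters=100, theta=1.5, lo=-5.0, hi=5.0, seed=7):
    rng = random.Random(seed)
    eco = [[rng.uniform(lo, hi) for _ in range(dim)] for _ in range(pop)]
    fit = [fitness(x) for x in eco]
    history = [min(fit)]

    def offer(i, cand):
        """Greedy acceptance: cand replaces organism i only if it is fitter."""
        cand = [min(hi, max(lo, v)) for v in cand]
        f = fitness(cand)
        if f < fit[i]:
            eco[i], fit[i] = cand, f

    def best():
        """Current best organism X_g."""
        return eco[min(range(pop), key=fit.__getitem__)]

    for it in range(1, iters + 1):
        for n in range(pop):
            others = [k for k in range(pop) if k != n]
            # Mutualism, eqs. (5)-(6): X_n and a random partner X_m both move.
            m, g = rng.choice(others), best()
            mean = [(a + b) / 2 for a, b in zip(eco[n], eco[m])]
            w1, w2 = rng.choice((1, 2)), rng.choice((1, 2))  # assumed benefit factors
            r1, r2 = rng.random(), rng.random()
            cand_n = [x + r1 * (gb - w1 * mu) for x, gb, mu in zip(eco[n], g, mean)]
            cand_m = [x + r2 * (gb - w2 * mu) for x, gb, mu in zip(eco[m], g, mean)]
            offer(n, cand_n)
            offer(m, cand_m)
            # Commensalism, eq. (7): X_n moves toward X_g.
            g, r3 = best(), rng.random()
            offer(n, [x + r3 * (gb - x) for x, gb in zip(eco[n], g)])
            # Parasitism (standard SOS form, assumed): a partly re-sampled copy
            # of X_n challenges a random host.
            host = rng.choice(others)
            parasite = [rng.uniform(lo, hi) if rng.random() < 0.5 else x for x in eco[n]]
            offer(host, parasite)
            # Modification phase 1, eqs. (8)-(9): local step scaled by Iter^(-theta).
            step = it ** (-theta)
            offer(n, [x + rng.random() * step for x in eco[n]])
            # Modification phase 2, eqs. (10)-(12): mutation, then two crossovers.
            m1, m2, m3 = rng.sample(others, 3)
            r5 = rng.random()
            mut = [a + r5 * (b - c) for a, b, c in zip(eco[m1], eco[m2], eco[m3])]
            g = best()
            test1 = [mj if r5 <= rng.random() else gj for mj, gj in zip(mut, g)]
            test2 = [mj if rng.random() <= rng.random() else xj
                     for mj, xj in zip(mut, eco[n])]
            offer(n, min((test1, test2), key=fitness))
        history.append(min(fit))
    return best(), min(fit), history

if __name__ == "__main__":
    x_best, f_best, hist = msos(sphere)
    print("best fitness after 100 iterations:", f_best)
```

Because every candidate is accepted only when it is fitter, the best fitness recorded per iteration never increases, which makes the convergence history easy to audit.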


Fig. 5. Flowchart of the proposed modified optimization algorithm.

C. Anomaly Detection Model Based on LUBE and MSOS

As can be seen from the last parts, the proposed anomaly detection model makes use of the PI concept to see whether smart meter readings of electric consumers in the microgrid are showing a normal behavior or an abnormal one. Fig. 6 shows the conceptual illustration of the proposed anomaly detection method to detect data integrity attacks in the microgrid. According to this figure, constructing PIs around the smart meter readings of the electric consumers can determine the normal or abnormal behaviors in the system. In the case of cyber security, the proposed anomaly detection method may make any of these four decisions: 1) true positive, 2) false positive, 3) true negative, and 4) false negative. These decisions are made depending on the real system data and the proposed anomaly detection model response. The PIs created by the proposed LUBE-based method will make boundaries which will help detect anomalies, as shown in the figure.

Fig. 6. Proposed anomaly detection model based on PIs to secure microgrid smart meters.

A decision is said to be positive when it is identified as a cyber activity. On the opposite, a decision is negative when the anomaly detection model recognizes it as normal behavior. A true decision is made when the anomaly detection model has made a correct decision. Therefore, it is clear that a false decision shows a wrong response from our cyber-attack detection model. Accordingly, it can be deduced that an appropriate anomaly detection model is one with low false rates. Based on these definitions, four different criteria can be defined: hit rate (HR), false alarm rate (FR), miss rate (MR), and correct reject rate (CR). To help better understanding of these criteria, Fig. 7 provides the confusion matrix.

Fig. 7. Confusion matrix for the proposed anomaly detection model.

Considering $C_A$ and $C_N$ as the total real malicious data and normal data, four criteria of HR, FA, MR, and CR are formulated for the proposed anomaly detection model as follows:

$$\mathrm{HR} = \frac{|H_i|}{|C_A|}; \quad H_i = \{X \in D \mid X \in C_A \ \&\ X \in C_O\} \tag{13}$$

$$\mathrm{FR} = \frac{|F_A|}{|C_N|}; \quad F_A = \{X \in D \mid X \in C_N \ \&\ X \in C_O\} \tag{14}$$

$$\mathrm{MR} = \frac{|M_i|}{|C_A|}; \quad M_i = \{X \in D \mid X \in C_A \ \&\ X \in C_I\} \tag{15}$$

$$\mathrm{DR} = \frac{|C_R|}{|C_N|}; \quad C_R = \{X \in D \mid X \in C_N \ \&\ X \in C_I\} \tag{16}$$


where $D$ is the set of total data received from the smart meter,
$C_I$ is the set of inliers, and $C_O$ is the set of outliers. With the
help of these four criteria, the performance of the proposed anomaly
detection method can be assessed.

TABLE II
CHARACTERISTICS OF THE PIS CONSTRUCTED BY THE PROPOSED ANOMALY DETECTION METHOD
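The four criteria in (13)-(16), computed by checking each reading against its PI bounds, as an added example that is not code from the article. Only the 200 kW peak, the 30-min sampling and the 10%-100% severity range come from the text; the load shape, the fixed-width band standing in for the trained LUBE interval, the deviation pattern and every function name are constructed assumptions.

```python
import math

PEAK_KW = 200.0      # aggregated-meter peak demand (from the article)
PER_DAY = 48         # one reading every 30 min (from the article)
HALF_WIDTH = 35.0    # constructed PI half-width in kW (assumption)
WOBBLE = [-24.0, -12.0, 0.0, 12.0, 24.0]  # constructed normal deviation, kW
SPIKE_T = 3          # constructed genuine demand spike on a normal sample

def build_dataset(days=2):
    """Constructed rows of (reading, lower, upper, severity_pct).
    severity_pct is 0 for normal samples, otherwise the injected overload
    as a percentage of PEAK_KW (10..100, five consecutive samples each)."""
    plan = {8 * k + j: 10 * k for k in range(1, 11) for j in range(5)}
    rows = []
    for t in range(days * PER_DAY):
        base = 120.0 + 60.0 * math.sin(2 * math.pi * t / PER_DAY)
        reading = base + WOBBLE[t % 5]
        if t == SPIKE_T:
            reading += 30.0               # real load spike, not an attack
        sev = plan.get(t, 0)
        reading += sev / 100 * PEAK_KW    # false data added to the reading
        rows.append((reading, base - HALF_WIDTH, base + HALF_WIDTH, sev))
    return rows

def is_outlier(reading, lower, upper):
    """X belongs to C_O when it falls outside the prediction interval."""
    return reading < lower or reading > upper

def confusion_counts(rows):
    """Sizes of the sets H_i, F_A, M_i and C_R from (13)-(16)."""
    counts = {"H": 0, "F": 0, "M": 0, "C": 0}
    for reading, lower, upper, sev in rows:
        flagged = is_outlier(reading, lower, upper)
        if sev > 0:
            counts["H" if flagged else "M"] += 1
        else:
            counts["F" if flagged else "C"] += 1
    return counts

def rates(rows):
    """HR, FR, MR and CR (the last is printed as DR in (16))."""
    c = confusion_counts(rows)
    n_attack, n_normal = c["H"] + c["M"], c["F"] + c["C"]
    return {"HR": c["H"] / n_attack, "FR": c["F"] / n_normal,
            "MR": c["M"] / n_attack, "CR": c["C"] / n_normal}

def detection_rate_by_severity(rows):
    """Fraction of attacked samples flagged, per severity percentage."""
    seen, hit = {}, {}
    for reading, lower, upper, sev in rows:
        if sev > 0:
            seen[sev] = seen.get(sev, 0) + 1
            hit[sev] = hit.get(sev, 0) + is_outlier(reading, lower, upper)
    return {sev: hit[sev] / seen[sev] for sev in sorted(seen)}

if __name__ == "__main__":
    data = build_dataset()
    print(rates(data))
    print(detection_rate_by_severity(data))
```

On this constructed data the low-severity injections mostly stay inside the interval and count as misses, while the one genuine load spike outside the interval counts as a false alarm.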
According to the above explanations, the following steps are
needed to construct the proposed anomaly detection model.

Step 1: Input data including the microgrid data (grid topology,
sensor locations, sampling frequency, load, and generation
values), the MSOS data (the initial population, the termination
criterion, the population size, and objective function), and the
anomaly detection model data (the minimum and maximum
values $\mathrm{PICP}_{\min/\max}$ and $\mathrm{PIAW}_{\min/\max}$, the required
confidence level, the training dataset, validation dataset, and the
test dataset).
Step 2: Read the recorded load data from the microgrid and
store it.
Step 3: Construct the anomaly detection model dataset. Divide
the recorded dataset into training, validation, and testing
groups. Determine the appropriate features for input to the
model.
Step 3: Train $n_c$ NNs using the LUBE approach. To this end, $n_c$
PIs are trained and sorted according to their quality.
Step 4: Optimize the anomaly detection model using the proposed
MSOS algorithm. Run the MSOS algorithm as shown in Fig. 5 to
adjust the weighting and biasing factors such that more optimal
PIs are constructed by each NN.
Step 5: Construct the combined PIs. In order to increase the
model robustness and accuracy, the first $n_b$ best NNs are
picked and employed for constructing the combined PIs.
Step 6: Compare the microgrid test data with the PI bandwidth
to find the HR, FR, MR, and CR.

IV. NUMERICAL SIMULATIONS

This section examines the performance of the proposed
anomaly detection model in detecting cyber attacks on the smart
sensors in a practical residential microgrid with 342 houses,
which are divided into three neighborhoods, each supporting
114 houses. The electric power consumption of each residential
neighborhood is recorded by two different types of metering
devices: first, aggregated meters, which are installed at the front
of each neighborhood; second, smart meters, which are installed
for each individual house in a neighborhood area. Since in
reality only a portion of the houses are equipped with smart
meters, here we apply our method only to the aggregated meters
installed at the front of each neighborhood. It is clear that
checking the individual smart meters is also quite possible in
a similar way. The metering devices record data every 30 min,
which are stored in Excel files of the anomaly detection model.

First, in order to prove the satisfying performance of the
proposed anomaly detection method in constructing optimal PIs
around the smart meter data readings, Table II shows the
characteristics of the optimal PIs generated by the proposed
LUBE-MSOS algorithm. For a better comparison, the LUBE model is
trained by three different methods of GA, particle swarm
optimization algorithm, original SOS, and proposed MSOS. As can be
seen from this table, the proposed MSOS algorithm could help the
LUBE to get into higher fuzzy membership value, which results
in a lower PIAW and a higher PICP.

In order to perceive the positive role of combined LUBE in
improving the final PI, Fig. 8 shows the PICP values attained
for the best $n_b = 10$ NNs. According to this figure, except for two
NNs which could get into higher PICPs, all the other eight NNs
have low PICP values (representing less-qualified PIs).
Nevertheless, the final combined PI achieved through the proposed
combinatorial approach has appropriate quality, with a high PICP
value. This verifies the satisfying performance of the proposed
combined LUBE method in comparison with the single ones. In
order to avoid repetition, the final PI is shown later along with
the data integrity attacks in the same frame (Fig. 9).

Fig. 8. Comparative plot of the $n_b$ NNs and the combined PI using the
fuzzy fitness function.

So far, the satisfying performance of the proposed LUBE
model for constructing optimal PIs is proved. In order to assess
its performance in the face of cyber attacks as well, we need
to launch a cyber attack on the microgrid. In order to simulate
a cyber attack, the compromised aggregated meter will report
overload situations repeatedly. Therefore, attacks of different
severity are generated every 24 h, which will last for around a few
hours depending on the severity. Since our smart meters record
the data every 30 min, the attack effect should
be seen in the next few samples. With the peak load demand of
the aggregated meter being 200 kW, several data injection
attacks in the range 20–200 kW are launched to simulate the
severity from a smooth attack (10% overload) to a very severe
attack (100% overload). Fig. 9 shows the performance of the
anomaly detection model for data integrity attack detection with
different severities. The attacks are launched two times (in two
successive days) in the microgrid (shown by small red squares)
such that the attacks of less severity are launched at the beginning
and attacks of higher severities are launched later after sample


point 80. In Fig. 9, the PI constructed by the proposed optimal
probabilistic framework is depicted to detect the normality in the
dataset. The PICP and PINAW values of this PI are 91.69504
and 23.66935, respectively. As can be seen from this figure,
in both attacking cases, the constructed PIs could properly
highlight the abnormal smart meter readings. In fact, the UB
generated for the sample points shows the highest possible values
that each aggregated customer can get at each time considering
the uncertainty effects. As a result, any value outside the PI
indicates a suspicious case which needs to be assessed carefully.
Still, there is a possibility to assign probability values to
samples according to their distance from the PIs.

Fig. 9. Performance of the proposed anomaly detection model for data
integrity attacks of different severities. (Green line: upper bound, Blue
line: lower bound, Yellow circles: real smart metering, Red squares: fake
data).

In order to better see the performance of the proposed method,
the detection rate versus the attack severity is plotted in
Fig. 10. The detection rate is considered as the percentage of
smart meter readings which are affected by the adversary and
that are correctly recognized as false data. As can be seen from
this figure, at stealthy false data injections, the detection rate
is not very high. But as the injection attack severity increases,
the detection rate increases to very high values. This is an
acceptable response since attacks of high severity can make
the microgrid operation infeasible or force it to operate in the
islanding mode. On the other hand, attacks of stealthy data
injection can only affect the optimality of the power dispatch
for the power generators. Still, both values are in the acceptable
range and appropriate for a microgrid. It is also seen that the
detection rate is saturated at the attack severity of almost 60%.
This means that any attack with a severity higher than this value
is highly detected by the model.

Fig. 10. Detection rate versus the attack severity using the proposed
anomaly detection model.

Finally, the overall performance of the proposed anomaly
detection model based on the confusion matrix is shown in
Table III. To give a better perception of the model performance,
the simulation results of the conventional LUBE, LUBE-SOS, and
proposed LUBE-MSOS are shown comparatively. According to these
results, the proposed data integrity attack detection model has
shown superior performance over the other models by providing
higher HR% and CR%. Such progress in the results shows the
significance of optimal setting of NNs in constructing
better-fitting PIs.

TABLE III
CONFUSION MATRIX VALUES FOR DIFFERENT ANOMALY DETECTION MODEL

V. CONCLUSION

Data integrity attacks can endanger the total
microgrid operation and management by misleading the central
control unit in correct estimation of the total demand. This can
result not only in nonoptimal operation of the units, but can
also force the microgrid to schedule its units at an infeasible
point, causing mismatch between the generation and demand.

Therefore, this article proposed a highly accurate and intelligent
anomaly detection model for securing the microgrids against
data integrity attacks. The proposed method, a modified LUBE
and MSOS model, was constructed based on the PI concept to
prevent hackers from injecting fake data into the central control
unit. The proposed MSOS helped to adjust the NN setting
parameters and helped LUBE reach higher PICP and
lower PIAW values. The simulation results on the experimental
dataset recorded for a residential microgrid with 342 houses
in three neighborhoods reveal the satisfying performance
of the proposed method in detecting fake data injections in
the smart meter readings. Also, it was seen that the proposed
model shows appropriate performance in the face of malicious
attacks with different severities ranging from 10% to 100% data
injection. The results of the two criteria, detection rate
and confusion matrix, support the accuracy and valuable
performance of the proposed anomaly detection model.

Abdollah Kavousi-Fard (Senior Member, IEEE) received the B.Sc. degree
from the Shiraz University of Technology, Shiraz, Iran, in 2009, the
M.Sc. degree from Shiraz University, Shiraz, in 2011, and the Ph.D.
degree from the Shiraz University of Technology, Shiraz, in 2016, all
in electrical engineering.
Dr. Kavousi-Fard is currently an Assistant Professor with Shiraz
University of Technology, Shiraz, Iran. He was a Postdoctoral Research
Assistant with the University of Michigan, Ann Arbor, MI, USA, from
2016 to 2018. He was a Researcher with the University of Denver,
Denver, CO, USA, from 2015 to 2016 conducting research on microgrids.
His research interests include operation, management and cyber
security analysis of smart grids, microgrid, smart city, electric
vehicles, as well as protection of power systems, reliability,
artificial intelligence, and machine learning.
Dr. Kavousi-Fard is an Editor in Springer, ISTE ISI Journal.

Wencong Su (Senior Member, IEEE) received the B.S. degree (with
distinction) from Clarkson University, Potsdam, NY, USA, in 2008, the
M.S. degree in instrument science and technology from Virginia Tech,
Blacksburg, VA, USA, in 2009, and the Ph.D. degree in instrument
science and technology from North Carolina State University, Raleigh,
NC, USA, in 2013.
He is currently an Associate Professor with the Department of
Electrical and Computer Engineering, University of Michigan-Dearborn,
Dearborn, MI, USA. His research interests include power systems,
electrified transportation systems, and cyber–physical systems.
Dr. Su is an Editor for the IEEE TRANSACTIONS ON SMART GRID and an
Associate Editor for the IEEE ACCESS. He is a registered Professional
Engineer with the State of Michigan, USA.

Tao Jin (Senior Member, IEEE) was born in Hubei Province, China, in
1976. He received the B.S. and M.S. degrees in electrical engineering
from Yanshan University, Qinhuangdao, China, in 1997 and 2001,
respectively, and the Ph.D. degree in electrical engineering from
Shanghai Jiaotong University, Shanghai, China, in 2005.
He is currently a Research Professor in the School of Electrical
Engineering & Automation at Fuzhou University, China.
He has worked as a Research Fellow with Virginia Polytechnic
Institute, Blacksburg, VA, USA and Imperial College London, London,
U.K. Since 2009, he has been a Researching Professor with Fuzhou
University, Fuzhou, China. His research interests include measurement
technology and new technologies in smart grid.
