
Data-Driven Detection of Stealth Cyber-Attacks in DC Microgrids

This article investigates data-driven detection methods for stealth cyber-attacks in DC microgrids, focusing on the performance of an unsupervised deep recurrent autoencoder. The study finds that fusing current and voltage data improves detection rates by 14.7% compared to using a single feature. Experimental validation confirms the effectiveness of the proposed approach in identifying anomalous data that can disrupt microgrid stability.

Uploaded by

Saeed Rahimpour

IEEE SYSTEMS JOURNAL, VOL. 16, NO. 4, DECEMBER 2022 6097

Data-Driven Detection of Stealth Cyber-Attacks in DC Microgrids

Abdulrahman Takiddin, Graduate Student Member, IEEE, Suman Rath, Muhammad Ismail, Senior Member, IEEE, and Subham Sahoo, Member, IEEE

Abstract—Cyber-physical systems such as microgrids contain numerous attack surfaces in the form of communication links, sensors, and actuators. Manipulating the communication links and sensors is done to inject anomalous data that can be transmitted through the cyber layer along with the original data stream. The presence of malicious, anomalous data packets in the cyber layer of a dc microgrid can create hindrances in fulfilling the control objectives, leading to voltage instability and affecting load dispatch patterns. Hence, detecting anomalous data is essential for the restoration of system stability. This article answers two important research questions: 1) Which data-driven detection scheme offers the best detection performance against stealth cyber-attacks in dc microgrids? 2) What is the detection performance improvement when fusing two features (i.e., current and voltage data) for training compared with using a single feature (i.e., current)? Our investigations revealed that 1) adopting an unsupervised deep recurrent autoencoder anomaly detection scheme in dc microgrids offers superior detection performance compared with other benchmarks. The autoencoder is trained on benign data generated from a multisource dc microgrid model. 2) Fusing current and voltage data for training offers a 14.7% improvement. The efficacy of the results is verified using experimental data collected from a dc microgrid testbed when subjected to stealth cyber-attacks.

Index Terms—Anomaly detection, cybersecurity, dc microgrids, long short-term memory (LSTM)-autoencoder.

NOMENCLATURE

$H$    Encoder.
$R$    Decoder.
$X_{TR}$    Training set.
$x$    Training row.
$I_{(\cdot)}$    Current readings.
$IV_{(\cdot)}$    Current and voltage readings.
$\bar{V}$    Vector notation of average voltage estimate.
$I^{pu}$    Vector notation of per-unit output current of all the agents.
$L$    Laplacian matrix.
$W$    Row-stochastic matrix representing the distribution of attack elements in the microgrid.
$c$    Steady-state reference value.
$H_1(s)$, $H_2(s)$    Secondary layer PI controllers.
$K$    Number of agents.
$M_k$    Set of neighbors of the $k$th agent.
$V_{ref}$, $I_{ref}$    Global reference voltage and current quantities for each agent.

I. INTRODUCTION

DC MICROGRIDS facilitate hassle-free integration of renewable energy sources [1], helping to achieve lower levels of carbon-emission through decreased dependence on fossil fuels (e.g., coal) for power generation [2], [3]. The ability to function autonomously provides immunity to such systems against potential impacts of external faults [4]. The main control challenges faced by dc microgrids during autonomous operation are regulation of voltage and load current sharing among the distributed generators (DGs). These objectives are achieved through the use of secondary controllers coupled with communication networks to aid real-time data exchange. Such networks may have a centralized or distributed topology. However, distributed secondary control is more reliable as it is not affected by single-point failures [5].

The use of information and communication technology to achieve control objectives exposes the microgrid to manipulative cyber-attacks [6]. These attacks can target the communication infrastructure [7], sensor measurements [8], and/or controllers [9]. Malicious manipulation of any of these attack surfaces may generate anomalous data. In this context, the term anomalous data refers to the abnormal elements present in a stream of data that do not exhibit the expected behavioral patterns. Though faults can also be the source of such anomalies [10], [11], fault-based anomalies are less sophisticated, unlike attack-based anomalies that can be specially modeled and injected through stealth attacks to inflict the desired level of damage. Such abnormal elements may propagate through the network to achieve specific objectives such as voltage instability or disruptions in optimal load sharing arrangements among DGs. The following paragraphs depict some of the detection techniques proposed recently.

Manuscript received 16 June 2021; revised 1 April 2022; accepted 10 June 2022. Date of publication 7 July 2022; date of current version 9 December 2022. (Corresponding author: Abdulrahman Takiddin.)
Abdulrahman Takiddin is with the Department of Electrical and Computer Engineering, Texas A&M University, College Station, TX 77843 USA (e-mail: [email protected]).
Suman Rath is with the Department of Computer Science and Engineering, University of Nevada, Reno, NV 89557 USA (e-mail: rathsuman@outlook.com).
Muhammad Ismail is with the Department of Computer Science, Tennessee Tech University, Cookeville, TN 38505 USA (e-mail: [email protected]).
Subham Sahoo is with the Department of Energy, Aalborg University, 9220 Aalborg, Denmark (e-mail: [email protected]).
Digital Object Identifier 10.1109/JSYST.2022.3183140

1937-9234 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.


A. Related Works

Beg et al. [10] used parametric time–frequency logic to detect cyber-attack and fault-based anomalies in dc microgrids. The proposed detector extracts time–frequency information from training datasets (consisting of anomalous data) and uses the same to identify abnormal elements (present along with the normal inputs) during the testing phase. In [12], an attack detector was presented that can compare groups of elements on the basis of whether they satisfy certain invariants. Detection of discrepancies implies the presence of false data. A signal-temporal-logic-based anomaly detection strategy has been presented in [13]. State-estimation-based anomaly detection techniques have been proposed in [14]–[16]. However, well-crafted stealthy cyber-attacks can easily fool state observers [17]–[19]. Also, state estimation methods require prior knowledge about the physical structure of the system. Physics-informed anomaly detection techniques have been proposed in [20] and [21], which are particularly focused on distinguishing between large signal disturbances, such as grid/sensor faults and cyber-attacks.

Detection strategies that employ data-driven machine-learning-based tools generally do not require information about the physical architecture of the system. Machine-learning-based techniques perform anomaly detection by comparing live/captured data from the cyber-physical system with predicted values generated on the basis of reference datasets available for their training. Such techniques can be broadly categorized into four types: 1) supervised learning, 2) unsupervised learning, 3) reinforcement learning [22], and 4) semisupervised learning-based approaches [23]. The main difference between the four categories lies in the type of reference datasets used during their training phase. Unlike the other three, supervised learning models can only be trained using labeled datasets that may or may not be accessible to researchers. Khan et al. [24] suggested the use of multiclass support vector machines (SVMs) for anomaly detection in microgrids. SVMs are examples of supervised learning models. In [25], a deep-learning-based anomaly detection technique has been proposed to identify sensor-level cyber-attacks in dc microgrids. Kavousi et al. [26] have used an improved feedforward neural-network-based approach to detect anomalies (generated as a consequence of sensor-level data integrity attacks) in microgrids. However, the authors have only considered anomaly detection in the advanced metering infrastructure and ignored other potential vulnerabilities (e.g., DG-level sensors).

Unfortunately, the aforementioned works require the availability of labeled data to train the detector. Such data are not always available, especially for zero-day cyber-attack data (attacks that have not been detected before). Also, capturing important features from the data is necessary to achieve high detection performance.

B. Contributions

In order to fill the gap in the literature, this article answers the following two important research questions.

1) Which data-driven detection scheme offers the best performance against stealth cyber-attacks in dc microgrids?
2) Is adopting a single feature (i.e., current) sufficient for training the detector, or will fusing two features (i.e., current and voltage data) improve the results, and what would the detection improvement level be?

It turns out that the characteristics of an ideal detector for this application are to present 1) an unsupervised anomaly detection that needs to be trained using only benign data while being able to detect malicious data during the testing phase. Such an ability is possible via learning high-quality features from the input (normal) data during the training phase. This enables the detector to effectively find and mark malicious data elements that do not exhibit the identified features. The detector should have 2) a deep structure to perceive the complex patterns within the data. 3) A recurrent mechanism to capture the time-series temporal correlations. 4) Feature fusion that incorporates current and voltage data to further improve the detection, as this enables the detector to capture distinct representations from both features. To achieve this, we carry out the following contributions.

1) We utilize a long short-term memory stacked autoencoder (LSTM-SAE) as a deep recurrent unsupervised anomaly detector to identify abnormal data elements in autonomous dc microgrids. This detector is trained using datasets obtained during normal operation of a K-DG dc microgrid model with distributed network topology.
2) We compare the performance of the proposed LSTM-SAE to benchmark detectors including unsupervised autoregressive integrated moving average (ARIMA) model, one-class SVM, and feedforward stacked autoencoder (F-SAE) that are trained on the benign behavior. We also examine the use of supervised two-class SVM, feedforward, convolutional neural network (CNN), and LSTM classifiers trained and tested on both classes. Sequential grid-search hyperparameter optimization is carried out to enhance the results.
3) We conduct multiple experiments. In the first one, using current datasets, the stacked and recurrent structure of the LSTM-SAE model provides an improvement of up to 18.3% in detection rate (DR), 12.7% in false alarm (FA), and 31% in highest difference (HD) compared to the benchmark detectors. The second experiment fuses current and voltage datasets such that the decision of whether the sample is benign or malicious is based on two data sources. Doing so provided a further improvement of up to 4.7% in DR, 11.5% in FA, and 14.7% in HD. The accuracy of the results is verified further using a dataset obtained from an experimental dc microgrid testbed. The results are consistent when validated; the detection performance varies by around ±0.4% in most cases.

The rest of this article is organized as follows. Section II describes cyber-physical preliminaries of microgrids. Section III discusses the used datasets. Section IV presents the details about the cyber-attacks detectors. Section V discusses the experimental results. Finally, Section VI concludes this article.


Fig. 1. Control structure of a networked dc microgrid with many agents operating with a distributed cyber graph under the presence of cyber-attacks.

II. CYBER-PHYSICAL PRELIMINARIES OF MICROGRIDS

This article considers an autonomously operating dc microgrid system with $K$ sources. The architecture of the microgrid is shown in Fig. 1. Each of the sources (interfaced using dc/dc buck converters for regulated power conversion) is connected to one another via tie-lines. These elements collectively represent the microgrid physical layer. Operation of the power electronic converters occurs in a voltage-controlled mode. Proper voltage regulation and current sharing are achieved using a cooperative secondary control framework where a local controller is associated with each of the DGs [27]. All the local controllers are connected through a distributed communication network, which requires each controller to share information only with its neighboring controller(s).

The cyber layer can be considered as a graph (consisting of multiple nodes and edges), where each node represents an agent and each edge represents a communication link that connects two agents. Elements of the network compose an adjacency matrix, $A = [a_{kj}] \in \mathbb{R}^{N \times N}$, where the communication weights may be expressed as $a_{kj} > 0$, if $(\psi_k, \psi_j) \in E$ ($E$ denotes an edge that connects $\psi_k$ i.e., the local node and $\psi_j$ i.e., the neighboring node). Else, $a_{kj} = 0$. The matrix for inbound cyber information can be represented as $Z_{in} = \mathrm{diag}\{\sum_{k \in K} a_{kj}\}$. The Laplacian matrix $L$ is said to be balanced if $A$ and $Z_{in}$ are equal (since, $L = Z_{in} - A$).

Each of the controller units can be represented as an agent in the cyber layer, sending and receiving a group of measurements

$$x = \{\bar{V}, I^{pu}\} \tag{1}$$

with their respective neighboring agents to attain average voltage regulation and proportionate current sharing. Considering preliminaries of the communication graph, control input of the local secondary controller (associated with each DG) can be stated as

$$u_k(t) = \underbrace{\sum_{j \in M_k} a_{kj}\,(x_j(t) - x_k(t))}_{e_k(t)} \tag{2}$$

where $u_k = \{u_k^V, u_k^I\}$, $e_k = \{e_k^V, e_k^I\}$ (according to the elements present in $x$). Additionally, $M_k$ is the set of neighbors of agent $k$. To clarify the error formulation in (11), we can simplify it using

$$e_k^V(t) = \sum_{j \in M_k} a_{kj}\,(\bar{V}_j(t) - \bar{V}_k(t)) \tag{3}$$

$$e_k^I(t) = \sum_{j \in M_k} a_{kj}\,(I_j^{pu}(t) - I_k^{pu}(t)). \tag{4}$$

A similar extrapolation can be done to represent $u_k$.

Remark I: According to the cooperative synchronization law [28], consensus will be achieved by all agents (who participate in distributed control) using $\dot{x}(t) = -Lx(t)$ to finally converge to $\lim_{t \to \infty} x_k(t) = c,\ \forall\, k \in K$.

Using (2), the local control inputs necessary to achieve the control targets (average voltage regulation and proportionate sharing of load current) can be acquired from the secondary controller by using the voltage correction terms as (for $k$th agent) [29]

Average voltage regulation:

$$\Delta V_{1k} = H_1(s)(V_{ref} - \bar{V}_k). \tag{5}$$

Proportionate current sharing:

$$\Delta V_{2k} = H_2(s)(I_{ref} - u_k^I) \tag{6}$$

where $\bar{V}_k = V_k + \int_0^{\tau} \sum_{j \in M_k} u_k^V \, d\tau$. For proportionate current sharing, $I_{ref} = 0$. Correction terms acquired in (5) and (6) can be added to the global reference voltage for the achievement of local voltage references (for the $k$th agent) using

$$V_{ref}^{k} = V_{ref} + \Delta V_{1k} + \Delta V_{2k}. \tag{7}$$

The target objectives mentioned in (3) and (4) are achieved by using (7) as the local reference voltage (for the $k$th agent).

As per the distributed consensus algorithm for a heavily connected digraph (in the dc microgrid) [30], the system objectives [using (1)–(7)] shall converge to

$$\lim_{t \to \infty} \bar{V}_k(t) = V_{ref}, \quad \lim_{t \to \infty} u_k^I(t) = 0 \quad \forall\, k \in K. \tag{8}$$

As shown by the red symbols in Fig. 1, malicious attackers may try to corrupt the cyber layer in several ways (e.g., false data injection, denial of service, etc.) to disturb the achievement of the objectives mentioned in (8). In case of a stealth attack, the attack vector penetrates deep in the control layer by deceitfully hiding from the system operator. The ability to access multiple nodes allows such vectors to create disturbances that can be continued over an elongated stretch of time and enables them to forcefully cause generation outages. This may ultimately result in system shutdown. Hence, identifying the compromised node(s) is essential to prevent malware propagation (reducing chances of further destabilization).


Such attacks can perform coordinated manipulation to fool the system observer via the following additions in (1):

$$u^{a}(t) = Lx(t) + W x_{attack} \tag{9}$$

where $u^a$, $x$, and $x_{attack}$ denote the vector representation of the attacked control input $u_k^a = \{u_k^{Va}, u_k^{Ia}\}$, the states $x_k = \{\bar{V}_k, I_k^{pu}\}$, and the attack elements $x_{attack_k} = [x^V_{attack_k}, x^I_{attack_k}]^T$, respectively. It should be noted that $x_{attack}$ could be a step, sawtooth, sinusoidal, or an unbounded signal. Furthermore, $W = [w_{kj}]$ depicts a row-stochastic matrix with its elements expressed by

$$w_{kj} = \begin{cases} -\dfrac{1}{M_k + 1}, & j \in M_k \\ 1 + \sum_{j \in M_k} w_{kj}, & j = k \\ 0, & j \notin M_k,\ j \neq k. \end{cases} \tag{10}$$

The diagonal entries denote the placement of attack elements in locally measured $X$. Moreover, the nonzero entries in off-diagonal elements in $W$ represent the communicated measurements. Using (9), we formalize that an undetectable attack can be maintained if and only if the sum of the change in state produced by the attack and the zero input evolution of the state induced by the attack belong to the system’s weakly unobservable subspace. Although $W x_{attack}$ will always be equal to zero from a system-level perspective, the change identified across an agent is suppressed by the opposite shift in the remaining agents, without contributing any significant dynamics into the system.

III. DATA PREPARATION

An autonomous dc microgrid model (as shown in Fig. 1) with distributed secondary control architecture is designed in the MATLAB/Simulink environment. The system consists of $K = 4$ DGs connected to each other via tie lines. The simulated parameters are found in the Appendix. The datasets are generated using this virtual test system. DG-level current and voltage measurements are observed and recorded. Benign values represent system parameters during normal operation. Malicious values are obtained by modifying certain measurements to model a cyber-attack (as per the stealth attack modeling strategy mentioned in [29]). The current and voltage measurement blocks are used to sense the local current and voltage for each DG. These data are then saved for each DG, where they are cooperating to achieve a common objective in (8). The experiments are verified further using experimental data from a dc microgrid testbed described in Section V-D2.

A. Benign Data

To obtain the benign dataset, the simulation model is run without injecting any bias in voltage and current measurements. Thus, the system is allowed to operate normally without any manipulations. As shown in Fig. 2, the current and voltage data plotted before t = 2 s are benign as it does not contain any bias/attack elements.

Fig. 2. Local voltage and current for each DG. Attack is initiated at t = 2 s.

TABLE I
STEALTH ATTACKS IN DC MICROGRIDS IN [29] AND [31]

B. Malicious Data

To obtain the malicious data, the attack vector (shown in Table I) is injected into current and voltage measurements using (6). Fig. 2 shows the local voltage and current for each DG when subjected to voltage and current attacks after t = 2 s. Despite the presence of these attacks, the objectives mentioned in (5) are achieved, which makes them stealthy in nature. As a result, it is difficult to identify the compromised elements accurately in microgrids, which mandates automated efforts.

For each class, there is an equal number of current and voltage samples of 5.6 million readings each. For the anomaly detectors, we split the benign readings into a disjoint train $X_{TR}$ and test sets using a 2 : 1 ratio, whereas we concatenate the malicious readings with the benign test set to build the final test set $X_{TST}$. For the supervised detectors, we concatenate both readings from both classes and split them into disjoint train $X_{TR}$ and test $X_{TST}$ sets using the ratio of 2 : 1.

IV. ANOMALY DETECTION

This section first discusses common machine-learning-based solutions adopted to detect anomalies along with their limitations. Then, it investigates the adoption of an autoencoder-based detection and how it can overcome the limitations.


A. Benchmark Detectors

This section discusses several machine learning-based cyber-attacks detectors. For a comprehensive comparative analysis, we examined detectors with various characteristics including shallow/deep structure, static/recurrent mechanism, and supervised/unsupervised detection mechanism to determine which sets of characteristics lead to the best detection performance. Specifically, we investigated the use of ARIMA, one-class SVM, and F-SAE as anomaly detectors. Then, we examine the use of a two-class SVM, feedforward neural network, CNN, and LSTM classifiers as supervised detectors.

1) Anomaly Detectors: ARIMA is considered as a shallow dynamic anomaly detector trained in order to predict future patterns using minimum prediction mean-square error (MSE). Then, during testing, it detects abnormal patterns whenever the MSE exceeds a certain threshold [32]. The one-class SVM is also a shallow static anomaly detector that is trained only on benign data, which is then tested on both benign and malicious samples. The F-SAE is a static deep detector that learns the behavioral patterns of benign samples throughout the reconstruction process and detects malicious samples based on their deviation from the benign ones [33].

2) Supervised Detectors: The two-class SVM is a classifier that is trained on both, benign and malicious samples, which is then tested on both types of samples [34] to make a decision using a decision boundary. The feedforward [35] model is a static deep detector that learns the behavior of samples in a singular direction using stacked hidden layers. The CNN model is a deep detector that performs convolutions on the time-series data to extract relevant features. The LSTM model is a deep recurrent neural network (RNN) type where information flows in recurrent cycles to hold previous knowledge.

There are three main limitations with such models. First, shallow architectures are not capable of capturing the complex patterns and temporal correlations present in the time-series datasets. Second, static detectors do not capture well the time-series nature of the data. Third, the detection of the supervised detectors is limited to see attacks that are part of the training set, and hence, they are vulnerable to unseen (zero-day) attacks that are not part of the training set. Such factors negatively affect the performance of these detectors. Next, we present a deep dynamic anomaly detector that detects unseen attacks due to its unsupervised learning nature.

B. Autoencoder-Based Anomaly Detection

This section investigates the use of autoencoders for anomaly detection due to two key features. First, autoencoders may be stacked into several hidden layers, and hence, we can develop a deep structure that is capable of extracting more representative and relevant features from our datasets. Second, autoencoders can be equipped with a sequence-to-sequence (seq2seq) structure, and hence, they have the ability to better capture the time-series nature of our datasets. Both of these features help improve the overall detection performance, and to improve it further, a sequential grid hyperparameter optimization is carried out.

Fig. 3. Illustration of the LSTM-based stacked autoencoder architecture.

Autoencoders are types of anomaly detectors [33] that operate by learning the behavioral patterns of a (normal) class. The learned behavioral patterns of that class are then used to identify abnormal deviations from those learned patterns. Herein, we use this deviation for anomaly detection. Using anomaly detectors, specifically autoencoders, is an effective approach that aids in detecting anomalies using the reconstruction error during the reconstruction process of the data. Using SAEs, the dimensionality of the data is reduced during the encoding step and the data is reconstructed during the decoding step, where the reconstruction error represents the differences among the initial and reconstructed data. SAEs are trained on benign samples where the parameters of the encoder and decoder are optimized to have minimized reconstruction errors. Let $x$ denote the rows of the training dataset $X_{TR}$, $H = f_\Theta(x)$ for the encoder, and $R = g_\Theta(x)$ for the decoder, and $\Theta$ denote the SAE parameters where

$$\min_{\Theta}\ C(x, g_\Theta(f_\Theta(x))), \quad x \in X_{TR}. \tag{11}$$

$C(x, g_\Theta(f_\Theta(x)))$ represents the cost function (i.e., the MSE), which is responsible for penalizing $g_\Theta(f_\Theta(x))$ due to its deviation from $x$. Using the cost function (11), benign data will have a smaller reconstruction error compared to malicious data (anomalies). To detect an anomaly, the reconstruction error has to exceed a specific threshold value.

Herein, we adopt an RNN-based autoencoder, namely, LSTM for two reasons. First, it can enhance the detection performance due to its capability of capturing complex patterns and the temporal correlation in the time-series data. Second, it can overcome the vanishing gradient problem while learning temporal correlation over long intervals. Fig. 3 presents the structure of the deep LSTM-based stacked autoencoder (LSTM-SAE). The LSTM-SAE model comprises two LSTM-based RNNs; deep LSTM encoder and decoder [36], [37] where ($x \in X_{TR}$) denotes the LSTM encoder’s input, where it encodes the time-series vector in a hidden state. This represents identifying an alternative representation of the time-series data that is more compact into the latent layer [38]. Within the encoder, after the input layer, there are $L$ and $N_l$ hidden LSTM layers and cells, respectively, in each LSTM layer. Within the decoder, the LSTM encoder’s output is carried out as the LSTM decoder’s input, which is responsible for reconstructing the initial time-series data. During training, the LSTM-SAE aims to minimize the MSE of the input–output reconstruction.


An LSTM cell presents a state $c_t$ at a time instant $t$ and produces a hidden state $h_t$ as an output. The access to such a cell is controlled by input $i_{E,t}$, forget $f_{E,t}$, and output $o_{E,t}$ gates in the encoder and additional input $i_{D,t}$, forget $f_{D,t}$, and output $o_{D,t}$ gates. A data sample $x_t$ at time $t$ as well as the previous hidden states of the LSTM cells within the same layer ($h_{E,t-1}$ in the encoder and $h_{D,t-1}$ in the decoder) are the LSTM cell’s external inputs. The cell state ($c_{E,t-1}$ in the encoder and $c_{D,t-1}$ in the decoder) is the LSTM cell’s internal input. To activate the gates, the aforementioned external and internal inputs as well as the activation functions and bias are initiated. The encoder’s last timestep presents the $h$ and $c$ states that are fed as the starting hidden and cell states in the decoder. Algorithm 1 shows the overall operation mechanism of the LSTM-SAE. Specifically, lines 9–13 and 18–22 present the calculation of $i_{E/D,t}$, $f_{E/D,t}$, and $o_{E/D,t}$. The learnable weight matrices and bias vectors are denoted by $W^{l}_{(\cdot)}$, $U^{l}_{(\cdot)}$, $V^{l}_{(\cdot)}$, and $b^{l}_{(\cdot)}$. Solving (11) results in obtaining the optimal learnable parameters.

After training on $X_{TR}$, the testing is applied on $X_{TST}$. The cost function measures the MSE among the initial and reconstructed data; whenever it is smaller than a specific threshold, the sample is given the label $y = 0$ (benign), otherwise, the sample is assigned the label $y = 1$ (malicious). The same model is utilized throughout the different experiments. We generate current and voltage readings throughout four equal subsets $\{I_1, I_2, I_3, I_4\}$ and $\{V_1, V_2, V_3, V_4\}$, respectively. The first experiment employs current data as an input (single feature) with binary labels; benign and malicious. The second experiment employs two features; 1) current and 2) voltage readings. Fusing the current and voltage datasets results in $\{IV_1, IV_2, IV_3, IV_4\}$ with binary labels; benign and malicious. Such a fusion method is applied where the model considers both the current and voltage readings during each timestep in an iterative process. This way, the reconstruction error comes from both readings in order to determine whether the sample is benign or malicious, which enhances the detection performance. For all experiments, we run the detectors on each subset and report the performance separately.

C. Performance Evaluation of the Detectors

We report three performance metrics to assess the detection performance. A true positive (TP) sample is a malicious one and detected as malicious. Similarly, a true negative (TN) sample is a benign one and detected as benign. In contrast, a false positive (FP) sample is a benign one, but detected as malicious and a false negative (FN) sample is a malicious one, but identified as benign. The reported performance metrics include detection rate (DR = TP/(TP+FN)), which specifies the amount of malicious samples that are detected as malicious, false alarm (FA = FP/(TN+FP)) that gives the amount of benign samples detected as malicious, and highest difference (HD = DR − FA) that subtracts FA from DR.

D. Threshold Values

To get the performance metrics’ scores, we generate a confusion matrix by comparing Y CAL to Y TST. Determining Y CAL is done using a threshold that is compared to the reconstruction error. We determine this threshold according to the median of the interquartile range (IQR) of the receiver operating characteristic (ROC) curve. Scores that are smaller than that threshold value denote benign samples, whereas scores that are larger than that value represent malicious samples.

E. Hyperparameter Optimization

The selection of the ideal hyperparameter values for the detectors helps enhance detection performance. L denotes the ideal number of LSTM layers, which is the same in both, the encoder and decoder. Nl denotes the ideal number of neurons within the LSTM layers. O, D, AH, and AO denote the optimal optimizer, dropout rate, hidden activation function, and output activation function, respectively.
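An added example (not code from the paper) that traces the scoring steps described above: per-sample reconstruction errors are fused across current and voltage, a threshold is picked from the ROC operating points, and DR, FA and HD are computed. The error values are constructed, and both the mean-based fusion and the reading of "median of the IQR of the ROC curve" as the median of the thresholds between Q1 and Q3 are assumptions, since the page does not spell either out.

```python
from statistics import median, quantiles

# Constructed per-sample reconstruction errors (not data from the paper).
# Samples 0-7 are benign (label 0), 8-15 malicious (label 1). Samples 8 and 9
# mimic a stealth attack: the current error looks benign, the voltage error does not.
LABELS = [0] * 8 + [1] * 8
ERR_I = [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.62,
         0.30, 0.38, 0.58, 0.66, 0.70, 0.78, 0.85, 0.90]
ERR_V = [0.12, 0.18, 0.22, 0.20, 0.28, 0.30, 0.36, 0.30,
         0.80, 0.76, 0.60, 0.70, 0.74, 0.72, 0.88, 0.92]


def fuse(err_i, err_v):
    """Assumed fusion rule: mean of the current and voltage errors per sample."""
    return [(a + b) / 2 for a, b in zip(err_i, err_v)]


def rates(scores, labels, thr):
    """Return (DR, FA, HD); a score above thr is flagged malicious."""
    tp = sum(1 for s, y in zip(scores, labels) if y == 1 and s > thr)
    fn = sum(1 for s, y in zip(scores, labels) if y == 1 and s <= thr)
    fp = sum(1 for s, y in zip(scores, labels) if y == 0 and s > thr)
    tn = sum(1 for s, y in zip(scores, labels) if y == 0 and s <= thr)
    dr = tp / (tp + fn)
    fa = fp / (tn + fp)
    return dr, fa, dr - fa


def roc_points(scores, labels):
    """One (threshold, DR, FA) operating point per distinct score value."""
    return [(t,) + rates(scores, labels, t)[:2] for t in sorted(set(scores))]


def iqr_median_threshold(scores, labels):
    """Assumed reading of the rule: median of the ROC thresholds in [Q1, Q3]."""
    thresholds = [t for t, _, _ in roc_points(scores, labels)]
    q1, _, q3 = quantiles(thresholds, n=4, method="inclusive")
    return median(t for t in thresholds if q1 <= t <= q3)


def max_hd(scores, labels):
    """Best HD reachable on the ROC curve, for comparison with the chosen point."""
    return max(dr - fa for _, dr, fa in roc_points(scores, labels))


def evaluate(scores, labels):
    """Pick the threshold, then report it with DR, FA and HD."""
    thr = iqr_median_threshold(scores, labels)
    return (thr,) + rates(scores, labels, thr)


if __name__ == "__main__":
    for name, scores in (("current only", ERR_I), ("fused", fuse(ERR_I, ERR_V))):
        thr, dr, fa, hd = evaluate(scores, LABELS)
        print(f"{name}: thr={thr:.3f} DR={dr:.3f} FA={fa:.3f} HD={hd:.3f} "
              f"(max HD {max_hd(scores, LABELS):.3f})")
```

HD as defined on this page is the same quantity as Youden's J statistic (true positive rate minus false positive rate), so `max_hd` gives the best value any threshold on the curve can reach.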


Algorithm 2 shows that the conducted hyperparameter optimization is done using four sequential steps. Since the amount of hyperparameters that we are optimizing is large, an exhaustive grid search might be associated with higher computational complexity. Therefore, we implement a grid search that is sequential instead. To select the hyperparameters, cross-validation is conducted over X TR. P∗ denotes the hyperparameter ultimate settings that lead to improving DR against our validation set, where the given setting of hyperparameters results in a specific model (MD).

V. SIMULATION RESULTS

Herein, we discuss the performance of the benchmark as well as the LSTM-SAE models when detecting anomalies. The results are reported for both of the conducted experiments as mentioned in Section IV-B.

A. Computational Complexity

Training the examined detectors is conducted offline on an NVIDIA GeForce RTX 2070 hardware accelerator using Keras API. The offline training of benchmark detectors takes 1 h and the LSTM-SAE takes 1.5 h. The online testing requires 1.6 s to report a decision on a single reading.

Fig. 4. ROC curves of the investigated detectors. (a) Using current datasets. (b) Using current and voltage datasets.

B. Threshold Values

For the investigated anomaly detectors, the ROC curves illustrated in Fig. 4 are utilized to specify the detectors’ threshold values to separate benign from malicious samples. Dividing the curve into three quartiles and obtaining the IQR’s median lead to the subsequent threshold values: 0.54, 0.45, and 0.59 for the ARIMA-based, one-class SVM, and LSTM-SAE-based detectors, respectively, in the first experiment (using current data). In the second experiment (using current and voltage data), the threshold values are 0.51, 0.43, 0.52, and 0.55 for the ARIMA-based, one-class SVM, F-SAE, and LSTM-SAE detectors, respectively. The ROC curve for the two-class SVM is also plotted in Fig. 4 for comparison.

C. Hyperparameter Optimization

The selection of the ultimate hyperparameter values of the LSTM-SAE model is from L = {2, 3, 4, 5, 6} for the number of layers, N = {200, 300, 400, 500} for the number of neurons, O = {SGD, Adam, Adamax} for the optimizer, D = {0, 0.2, 0.4} for the dropout rate, AH = {Relu, Sigmoid, Tanh} for the hidden activation function, AO = {Softmax, Sigmoid} for the output activation function.

For both of the experiments, the ideal hyperparameter combination of the LSTM-SAE detector turns out to be as follows. The optimal number of LSTM layers is four, where the optimal number of neurons in the two encoder layers is (500, 300) with the inverse order (300, 500) in the decoder’s side. The optimal optimizer and dropout rate are Adam and 0.2, respectively. Sigmoid is the optimal choice for both, the hidden and output activation functions. In the ARIMA-based detector, the differencing and moving average values are 1 and 0, respectively. For the SVM detectors, scale and sigmoid are the ideal kernel and gamma, respectively. The optimal feedforward parameters are 6 layers with 300 neurons, Adamax optimizer, 0.2 dropout rate, and Sigmoid hidden and output activation function. The F-SAE model has the same amount of layers and neurons as the LSTM-SAE with an SGD optimizer, 0.4 dropout rate, and Sigmoid and Softmax for the hidden and output activation functions, respectively. The LSTM-model has 6 layers with 500 cells, Adam optimizer, no dropout rate, weight constraint of 5,


ReLU and Softmax hidden and output activation function, respectively, as the ideal parameters.

Fig. 5. Experimental setup of a cooperative dc microgrid comprising of N = 2 agents controlled by dSPACE MicroLabBox DS1202 supplying power to the programmable constant power load.

Fig. 6. Single-line diagram of the experimental setup shown in Fig. 5.

TABLE II
PERFORMANCE USING SIMULATED CURRENT DATASETS

TABLE III
PERFORMANCE USING SIMULATED CURRENT AND VOLTAGE DATASETS

D. Performance Evaluation

This section discusses the detection performance of the examined detectors using the simulated data discussed in Section III. We also use experimental data to validate the performance results.

1) Simulated Data: Table II presents the results of the first experiment, which reports the performance of the developed detectors using only the four current datasets as well as their average performance. The average performance of the LSTM-SAE-based detector shows that it significantly outperforms the rest of the detectors. Specifically, the LSTM-SAE-based detector outperforms the benchmark detectors by 3.5−18.3%, 2.6−12.7%, and 6.1−31% in DR, FA, and HD, respectively. Table III summarizes the results of the second experiment, which reports the performance of the examined detectors using the four current and voltage datasets. According to the simulation results, the LSTM-SAE-based detector also outperforms the rest of the benchmark detectors by 3.1−16.4%, 3.1−14.1%, and 6.3−30.6% in DR, FA, and HD, respectively. The superior performance of the LSTM-SAE-based detector is due to its deep structure, which gives it the ability to better capture the complex patterns of the data. Also, its recurrent architecture allows it to apprehend the temporal correlations within the time-series data. Moreover, given its unsupervised anomaly training nature, the


detection is done on totally unseen data, which means that it can detect zero-day attacks.

Fusing the voltage and current data helps in improving the detection performance of the detectors. Specifically, the average HD of the detectors has improved by 9.7−14.8%. This is due to the fact that utilizing the obtained reconstruction error from both the current and voltage data helps in increasing the models’ certainty regarding the decision on whether a sample is benign or malicious. Conducting such a data fusion method provided an improvement of up to 4.6% in DR, 11.5% in FA, and 14.7% in HD.

2) Validation on Experimental Data: As illustrated in Fig. 5, the multilabeled dataset is obtained from a dc microgrid experimental testbed that is operating at a voltage reference Vdcref of 48 V with N = 2 dc/dc buck converters that are tied radially to a programmable load (voltage-dependent mode). Each converter is controlled using the control structure in Fig. 1 by dSPACE MicroLabBox DS1202 (target), with control commands from the ControlDesk in the PC (host). A single-line diagram of the experimental setup is shown in Fig. 6. The control strategy is operated under the presence and absence of stealth cyber-attacks throughout the local and neighboring measurements. The parameters of the experimental testbed are given in the Appendix. The results shown in Tables IV and V verify the correctness of our conducted simulations. {I1, I2} and {IV1, IV2} denote the current and voltage readings from the two converters, respectively. Running the investigated detection schemes on the testbed offers consistent performance that varies only by around ±0.4% compared to the detection performance using the simulated data.

TABLE IV
PERFORMANCE USING EXPERIMENTAL CURRENT DATA

TABLE V
PERFORMANCE USING EXPERIMENTAL CURRENT AND VOLTAGE DATA

VI. CONCLUSION

This article answered two important research questions regarding data-driven-based approaches for stealth cyber-attack detection in dc microgrids. Our extensive experiments provide the following conclusions: 1) Adopting an LSTM-based stacked autoencoder offers superior detection performance compared to benchmark machine-learning-based detectors due to its deep recurrent structure. Such characteristics help in discovering the complex patterns and temporal correlations of the time-series dataset. Also, the LSTM-SAE model can detect unseen attacks since it is an unsupervised anomaly detector that is trained only on benign data. Utilizing only current data for training, the LSTM-SAE model offered an improvement of up to 18.3% in DR, 12.7% in FA, and 31% in HD compared to benchmark detectors. 2) Performing feature fusion that incorporates current and voltage data for training improved the detection performance further by up to 4.7% in DR, 11.5% in FA, and 14.7% in HD as it enables the detector to capture distinct representations from both features. Running the investigated detection schemes on a real testbed offered consistent performance that varies only by ±0.4% compared to the detection performance using the simulated data.

APPENDIX

Simulation Parameters

The test model is composed of four DGs (rated for 6 kW each). The line parameter Rkl is attached from the kth agent to the lth agent where each agent has identical controller gains.
Plant: R12 = 1.8 Ω, R14 = 1.3 Ω, R23 = 2.3 Ω, R43 = 2.1 Ω.
Converter: Lk = 3 mH, Ck = 250 μF, Imin = 0 A, Imax = 18 A, Vmin = 270 V, Vmax = 360 V.
Controller: Vdcref = 315 V, Idcref = 0, KPH1 = 3, KIH1 = 0.01, KPH2 = 4.5, KIH2 = 0.32, GVP = 2.8, GVI = 12.8, GCP = 0.56, GCI = 21.8, Vin = 270 V.

Experimental Testbed Parameters

The system is composed of two sources with 600 W equally rated converters, and for each converter, the controller gains are consistent.
Plant: R1 = 0.9 Ω, R2 = 1.2 Ω.
Converter: Lsei = 3 mH, Cdci = 100 μF.
Controller: Vdcref = 48 V, Idcref = 0, KPH1 = 1.92, KIH1 = 15, KPH2 = 4.5, KIH2 = 0.08.