Haixiang Wang,Jiyuan Li,Tianchen Zhang,Huan Ying,Jiajia Han,Xiaoyu Ji

DOI: https://doi.org/10.1109/itnec.2019.8729232

2019-01-01

Abstract:With the continuous development of smart grids, smart meter, one of the typical embedded equipment, is also becoming more intellectualized. Smart meters nowadays are capable of not only recording power consumption, but also uploading information to the electricity supplier for monitoring and billing, which makes the electric power dispatching and usage more efficient and convenient. However, the enhanced functions and computation power of the smart meter renders it more valuable and vulnerable for the adversary to conduct a cyber attack. One of the most common and important security threats of the smart meter is the malicious code due to its widespread and the easy access for adversaries. Therefore, it is of great criticalness to detect malicious code in the smart meters to safeguard the security of smart terminals. In this paper, we propose a novel approach that detects malicious code in embedded terminals, e.g., smart meters, with a Long Short Term Memory (LSTM) network based on the power consumption of the CPU or MCU of the device. The evaluation results demonstrate that the proposed method can effectively detect the malicious code in smart meters with an accuracy as high as 92%.

Shanglin Dai,Yuehan Chi,Zhongwei Qiao,Xiaoyu Ji

DOI: https://doi.org/10.1109/ei250167.2020.9347116

2020-01-01

Abstract:With the development of computer technology, information technology, big data, artificial intelligence, and industrial automation technology, information technology has been widely used in the field of industrial control. However, microgrid terminals generally work in an open environment and have the computing power and wireless communication functions, making them more vulnerable to attacks and threatening the security of the power grid. This paper proposes a method of using message flow to build a safety monitoring model and evaluates it through experiments. We use the external characteristics of network traffic flow to generate the model, that is, the specific content of network traffic is not considered. We validate that it is feasible to detect attacks with a detection accuracy above 95% by using machine learning methods.

Haitao Wu,Zhongwei Qiao,Yuepeng Zhang,Xiaoyu Ji

DOI: https://doi.org/10.1109/ei250167.2020.9346879

2020-01-01

Abstract:With the development of ubiquitous electric Internet of things(UEIoT), the number and types of terminal devices in the smart grid have reached an unprecedented level. In order to ensure the stable operation of the smart grid, we need to monitor the operation status of each terminal, detect various software-level or hardware-level attacks in time, and make corresponding decisions. In this paper, we propose a novel detection method based on multi-dimensional information fusion and computer vision, in which power consumption, traffic, message data and security logs generated by terminal equipments are drawn as characteristic graphs, and then we use a convolution neural network(CNN) to recognize them. According to the detection results, we can know whether there is an attack and if so, which kind of attack has occurred. We also use actual measurement data of an DTU to test our method, and it achieves real-time detection and has high precision.

Ruochen Zhou,Zhiyun Wang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9347104

2020-01-01

Abstract:Programmable logic controller (PLC) is one of the critical infrastructure in industrial control system, which is therefore vulnerable to a variety of cyber-attacks. To mitigate this issue, we design an anomaly detection system, a novel non-invasive intrusion detection method for PLC. Our system utilizes the magnetic side-channel information around the power supply module of PLC and analyzes the running status rely on the fact that different programs will result in various magnetic characteristic. We design a classification algorithm which can extract representational features from the raw signal, as well as avoid the interference of environmental noise. To validate the idea, we design 3 types of attacks and implement on the prototype of thermal power plant in laboratory. The evaluation shows our system is feasible to detect attacks and achieve an overall detection accuracy above 90%.

Hua Dai,Xin Sun,Jiyuan Li,Guoming Zhang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/itnec48623.2020.9084649

2020-01-01

Abstract:With the rapid development of the smart grid in recent years, more and more smart devices are applied in the smart grid. As a critical monitoring and control device, the protection relay helps improve safety, reliability, and simplify of the smarter grid. However, due to the lack of effective anomaly detection and protection methods, the relay protectors are vulnerable to different types of attacks. In order to achieve the anomaly detection of the relay protector, we propose a monitoring method based on the power consumption side channel. By collecting the power consumption of the relay protection, we can acquire the features which reflecting the running state of devices from the power consumption and train a machine learning (ML) model. Finally, the anomaly state can be detected by the ML model. The test results on the relay protection platform in the laboratory show that the accuracy of anomaly detection can be up to 99.4%.

Jiachang Wen,Chen Yan,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/eeet58130.2022.00019

2022-01-01

Abstract:With the widespread use of new technologies such as mobile Internet, cloud computing, and Internet of Things in power systems, the number of terminal devices in power systems has increased dramatically, and the ensuing security vulnerabilities have increased, making terminal devices increasingly vulnerable to cyber attacks such as ransomware viruses. In this paper, we focus on the security of terminal devices in power systems and realize security monitoring of power terminals by collecting power consumption side channel information of power terminal devices in normal and abnormal states, using training device abnormality identification models using supervised learning algorithms with some time-domain frequency-domain feature information of power consumption as power consumption features of the devices.

Yanmiao Zhang,Xiaoyu Ji,Yushi Cheng,Wenyuan Xu

DOI: https://doi.org/10.23919/ChiCC.2019.8866144

2019-01-01

Abstract:As a modern power transmission network, smart grid connects abundant terminal devices and plays an important role in our daily life. However, along with its growth are the security threats. Different from the separated environment previously, an adversary nowadays can destroy the power system by attacking its terminal devices. As a result, it's critical to ensure the security and safety of terminal devices. To achieve it, detecting the pre-existing vulnerabilities in the terminal program and enhancing its security, are of great importance and necessity. In this paper. we introduce Cker, a novel vulnerability detection tool for smart grid devices, which generates an program model based on device sources and sets rules to perform model checking. We utilize the static analysis to extract necessary information and build corresponding program models. By further checking the model with pre-defined vulnerability patterns, we achieve security detection and error reporting. The evaluation results demonstrate that our method can effectively detect vulnerabilities in smart devices with an acceptable accuracy and false positive rate. In addition, as Cker is realized by pure python. it can be easily scaled to other platforms.

Aidong Xu,Yixin Jiang,Yang Cao,Guoming Zhang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei247390.2019.9062014

2019-01-01

Abstract:With the rapid development of information technology and the Internet of Things, the common information technologies are being applied to the power grid. It brings about the tremendous improvement in productivity, yet breaks down the safety barrier, which makes the power grid a popular target for attacks. The Distribution Terminal Unit (DTU) is a critical part of the power grid because of the acts as access points in the substation and controls the grid equipment. However, DTUs are vulnerable to different types of attacks, which can cause significant property loss or even casualties To monitor the operation of DTU, we proposed a real-time monitoring system by analyzing the side-channel information of power consumption. To validate this idea, we design 3 types of attacks and collect the power information separately, then we choose representational power features and machine learning algorithm for detecting those attacks. We validate that it is feasible to detect attacks and achieves a detection accuracy above 99%.

Huaiyu Liu,Yuze Fu,Kaikai Pan,Wenyuan Xu,Chenggang Li,Chen Liu

DOI: https://doi.org/10.1109/isgtasia54891.2023.10372698

2023-01-01

Abstract:With the growing focus on reducing carbon emissions, there has been a significant increase in the deployment of distributed photovoltaic generation systems. However, their distributed nature makes them vulnerable to adversarial threats. Moreover, these systems can serve as potential entry points or attack surfaces for targeting the power grid. Existing methods are either designed for specific attacks or intrusive to power terminals (e.g., intelligent terminal, communication device). To tackle this issue, this paper introduces a method for detecting and classifying attacks on distributed PV systems leveraging cyber and power side channel data. The proposed method is capable of detecting various attacks rather than specific ones and is non-intrusive for collecting information from power terminals.

Yu-jun Xiao,Wen-yuan Xu,Zhen-hua Jia,Zhuo-ran Ma,Dong-lian Qi

DOI: https://doi.org/10.1631/fitee.1601540

2017-01-01

Abstract:Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.

Wenxin Lei,Aidong Xu,Haojie Lin,Wenjing Hou,Yunan Zhang,Yixin Jiang,Zhongqi Mao,Hong Wen

DOI: https://doi.org/10.1088/1742-6596/1646/1/012131

2020-01-01

Journal of Physics Conference Series

Abstract:Abstract With the continuous deployment of smart grids, various new smart technologies applied to the power grids have emerged, and the security boundaries of the power systems have gradually blurred, so that the power security protection measures urgently need to be updated. Aiming at the smart micro-grid system based on edge computing, this paper introduces a non-intrusive load monitoring (NILM) method, combined with the advantages of edge computing, and designs an online detection mechanism for malicious activities of terminal devices. This method is dedicated to achieving device-level security assurance.

Guoming Zhang,Xiaoyu Ji,Yanjie Li,Wenyuan Xu

DOI: https://doi.org/10.3390/s20133635

2020-06-28

Abstract:As a critical component in the smart grid, the Distribution Terminal Unit (DTU) dynamically adjusts the running status of the entire smart grid based on the collected electrical parameters to ensure the safe and stable operation of the smart grid. However, as a real-time embedded device, DTU has not only resource constraints but also specific requirements on real-time performance, thus, the traditional anomaly detection method cannot be deployed. To detect the tamper of the program running on DTU, we proposed a power-based non-intrusive condition monitoring method that collects and analyzes the power consumption of DTU using power sensors and machine learning (ML) techniques, the feasibility of this approach is that the power consumption is closely related to the executing code in CPUs, that is when the execution code is tampered with, the power consumption changes accordingly. To validate this idea, we set up a testbed based on DTU and simulated four types of imperceptible attacks that change the code running in ARM and DSP processors, respectively. We generate representative features and select lightweight ML algorithms to detect these attacks. We finally implemented the detection system on the windows and ubuntu platform and validated its effectiveness. The results show that the detection accuracy is up to 99.98% in a non-intrusive and lightweight way.

Yanjie Li,Ruiwen He,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei247390.2019.9061783

2019-01-01

Abstract:Security threats of smart grid terminals continue to increase. In order to realize non-invasive intrusion detection of power distribution terminal devices in smart grid, we propose a novel anomaly-based intrusion detection approach that use power side-channel. The approach monitors programs running in the terminals by collecting and analyzing the power consumption data of terminal devices. We run three abnormal programs and one normal program in the distribution terminal units (DTUs), and then extract feature values of the power consumption data and lastly conducted anomaly-based intrusion detection through LSTM neural network. Our evaluation results demonstrate that a false positive rate is less than 2% and an accuracy rate is more than 90%.

Zhi-Yang,Xiao-jun

2020-01-01

Abstract:Intrusion Detection Algorithm of Power Grid Industrial Control System Based on CNN ZHAO Zhi-Yang, XIA Xiao-Jun (University of Chinese Academy of Sciences, Beijing 100049, China) (Shenyang Institute of Computing Technology, Chinese Academy of Sciences, Shenyang 110168, China) Abstract: Traditional power grid industrial control systems are mainly isolated from external networks through tools such as firewalls, but with the application of new technologies such as cloud computing and the Internet of Things, the degree of interconnection between networks has continued to deepen, and the difficulty of security protection has greatly increased. How to effectively detect network intrusion behavior has become very important. Compared with traditional intrusion detection technology, convolutional neural networks have a better ability to extract intrusion features. This study proposes a power grid industrial control system intrusion detection algorithm based on convolutional neural networks. The KDD99 dataset is processed for model training, and a cascade convolution layer is added to optimize the network structure. Under the premise of small parameter scale, the real-time requirements of the model are guaranteed. Compared with the traditional SVM algorithm and the k-means algorithm, the intrusion detection accuracy of the proposed algorithm in this study is improved, the false detection rate is reduced, and the intrusion behavior to the power grid industrial control system can be effectively detected.

Xueqi Wang,Yaxin Wang,Yulin Chen,Donglian Qi

DOI: https://doi.org/10.1109/spies55999.2022.10082318

2022-01-01

Abstract:Energy and information flow are deeply integrated in AC microgrid cyber-physical systems. Therefore, the risk of the communication layer, such as malicious attacks, will be transmitted to the physical layer, disrupting the regular operation of microgrids. To this end, this paper proposes an optimal distributed cooperative strategy for the frequency restoration of AC microgrids. The strategy is implemented in a fully distributed form while considering the balance between distributed generators. It is shown that the proposed control strategy can achieve frequency restoration of microgrids event under malicious attacks and hence the security of system is greatly improved. Finally, the effectiveness of the strategy is verified by simulation experiments.

C. Wanigasekara,V. Logeeshan,M. Dayarathne,M. Jayathilaka,R. Bandara,S. Kumarawadu

DOI: https://doi.org/10.1109/AIIoT61789.2024.10578979

2024-05-29

Abstract:As renewable energy sources are integrated into power grids worldwide, the vulnerability to cyber-attacks increases, necessitating robust detection mechanisms to ensure system integrity and stability. In this paper, we propose a novel approach for cyber-attack detection in power grids, specifically based on the conditions of the Sri Lankan power system. Using the concept of wide area network monitoring and utilizing Ceylon Electricity Board generation data, as well as a PSCAD model representing real-time solar farms, synthetic datasets resembling actual demand-supply curves are generated. By analyzing well-known cyber-attack methodologies such as fault data injection, replay attacks, man-in-the-middle, and spoofing, we create attack datasets. Subsequently, we train neural network models including Convolutional Neural Networks (CNNs), Transformer models, and Long Short-Term Memory (LSTM) networks. Through comprehensive comparative analysis of model effectiveness using various parameters, our objective is to swiftly identify cyber-attacks as they occur within the system. The proposed methodology aims to address two primary objectives of cyber-attacks on power grids: energy theft and destabilization. By preemptively detecting and mitigating such attacks, the integrity and stability of the power grid can be safeguarded effectively. Our research contributes to the advancement of cyber-security measures in power systems, particularly in regions experiencing increased penetration of renewable energy sources like Sri Lanka.

Computer Science,Environmental Science,Engineering

Zecheng He,Aswin Raghavan,Guangyuan Hu,Sek Chai,Ruby Lee

DOI: https://doi.org/10.48550/arXiv.1806.06496

2019-06-23

Abstract:Controllers of security-critical cyber-physical systems, like the power grid, are a very important class of computer systems. Attacks against the control code of a power-grid system, especially zero-day attacks, can be catastrophic. Earlier detection of the anomalies can prevent further damage. However, detecting zero-day attacks is extremely challenging because they have no known code and have unknown behavior. Furthermore, if data collected from the controller is transferred to a server through networks for analysis and detection of anomalous behavior, this creates a very large attack surface and also delays detection. In order to address this problem, we propose Reconstruction Error Distribution (RED) of Hardware Performance Counters (HPCs), and a data-driven defense system based on it. Specifically, we first train a temporal deep learning model, using only normal HPC readings from legitimate processes that run daily in these power-grid systems, to model the normal behavior of the power-grid controller. Then, we run this model using real-time data from commonly available HPCs. We use the proposed RED to enhance the temporal deep learning detection of anomalous behavior, by estimating distribution deviations from the normal behavior with an effective statistical test. Experimental results on a real power-grid controller show that we can detect anomalous behavior with high accuracy (>99.9%), nearly zero false positives and short (<360ms) latency.

Cryptography and Security,Artificial Intelligence

Xiaoyuan Luo,Ruiyang Gao,Xiaolei Li,Yuliang Fu,Qianwen Xu,Xinping Guan

DOI: https://doi.org/10.1109/tsg.2024.3365498

IF: 10.275

2024-01-01

IEEE Transactions on Smart Grid

Abstract:Data manipulation attacks have become one of the main threats to cyber-physical direct current (DC) microgrids, but how to ensure voltage and current restoration under cyber attacks has not been well explored. In this paper, the event-based attack detection and mitigation problem for DC microgrids is considered. Specifically, an attack detection mechanism is designed to detect whether an attack has occurred. Then the proposed resilient secondary control strategy is only activated when the detection mechanism generates an attack event. For unknown types of attacks that aim at tampering with the information transmitted in the communication network, an adaptive linear quadratic regulator (LQR) based control strategy is designed to mitigate the effects such that the voltage and current restoration is achieved. Finally, the effectiveness of the proposed strategy is verified through simulationthis.

engineering, electrical & electronic

Dalin He,Huanyu Wang,Tuo Deng,Jishi Liu,Junnian Wang

DOI: https://doi.org/10.1016/j.cose.2024.104135

IF: 5.105

2024-09-27

Computers & Security

Abstract:The widespread deployment of IIoT edge devices makes them attractive victims for malicious activities. Consequently, how to implement trustworthy operations becomes a realistic topic in embedded systems. While most current physical systems for detecting malicious activities primarily focus on identifying known intrusion codes at the block level, they ignore that even an unnoticeable injected function can result in system-wide loss of security. In this paper, we propose a framework called CNDSW built on deep-learning side-channel analysis for function-level industrial control flow integrity monitoring. By collaboratively utilizing correlation analysis and deep-learning techniques, the dual window sliding monitoring mechanism in the proposed CNDSW framework demonstrates a real-time code intrusion tracking capacity on embedded controllers with a 99% detection accuracy on average. Instead of focusing on known block-level intrusions, we experimentally show that our model is feasible to detect function-level code intrusions without knowing the potential threat type. Besides, we further explore how different configurations of the CNDSW framework can help the monitoring process with different emphases and to which extent the model can concurrently detect multiple code intrusion activities. All our experiments are conducted on 32-bit ARM Cortex-M4 and 8-bit RISC MCUs across five different control flow programs, providing a comprehensive evaluation of the framework's capabilities.

computer science, information systems

Engang Tian,Zhihua Wu,Xiangpeng Xie

DOI: https://doi.org/10.1109/TNNLS.2022.3230056

Abstract:The primary purpose of this article is to design an intelligent false data injection (FDI) attacks detection, isolation, and mitigation scheme for a class of complex microgrid systems with electric vehicles (EVs). First, a networked microgrid with an EV model is well established, which takes load disturbance, wind generation fluctuation, and FDI attacks into account so as to truly reflect the operation process of the complex system. Then, an intelligent hyper basis function neural network (HBF-NN) observer is designed to accurately estimate the state of the microgrids, learn, and reconstruct the possible attack signal online. Subsequently, a novel HBF-NN-based H∞ controller is skillfully designed to mitigate the negative impact of FDI attacks online, so as to ensure the normal operation of the complex systems in an unreliable network environment. Finally, a two-stage integrated intelligent detection and maintenance algorithm is summarized and one simulation is presented to provide tangible evidence of the feasibility and superiority of the proposed FDI attacks detection, isolation, and mitigation methodology.