Article

Controllable Blind AC FDIA via Physics-Informed Extrapolative AVAE

1 College of Electrical Engineering, Sichuan University, Chengdu 610000, China
2 School of Applied Sciences, Macao Polytechnic University, Macao, China
* Author to whom correspondence should be addressed.
Sensors 2025, 25(3), 943; https://doi.org/10.3390/s25030943
Submission received: 26 November 2024 / Revised: 27 January 2025 / Accepted: 4 February 2025 / Published: 5 February 2025
(This article belongs to the Section Sensor Networks)

Abstract

False data injection attacks (FDIAs) targeting AC state estimation pose significant challenges, especially when only power measurements are available, and voltage measurements are absent. Current machine learning-based approaches struggle to effectively control state estimation errors and are confined to the data distribution of training sets. To address these limitations, we propose the physics-informed extrapolative adversarial variational autoencoder (PI-ExAVAE) for generating controllable and stealthy false data injections. By incorporating physically consistent priors derived from the AC power flow equations, which enforce both the physical laws of power systems and the stealth requirements to evade bad data detection mechanisms, the model learns to generate attack vectors that are physically plausible and stealthy while inducing significant and controllable deviations in state estimation. Experimental results on IEEE-14 and IEEE-118 systems show that the model achieves a 90% success rate in bypassing detection tests for most attack configurations and outperforms methods like SAGAN by generating smoother, more realistic deviations. Furthermore, the use of physical priors enables the model to extrapolate beyond the training data distribution, effectively targeting unseen operational scenarios. This highlights the importance of integrating physics knowledge into data-driven approaches to enhance adaptability and robustness against evolving detection mechanisms.

1. Introduction

Power systems constitute critical social infrastructure, making safety a paramount consideration in the operation of modern electrical power systems. Recently, the widespread adoption of information technology and the deep integration of physical and cyber domains have posed significant challenges for cybersecurity in contemporary power systems.
The concept of stealthy false data injection attacks (FDIAs) targeting power system state estimation (SE) has garnered considerable attention in the field, as discussed in [1]. These attacks are notable for their capacity to manipulate system data undetected, thereby posing serious risks to the integrity of state estimation processes. Given that state estimation is vital for various power system operations, including economic dispatch (ED) and contingency analysis [2,3], compromised state estimation can result in erroneous operational and control decisions within the energy management system (EMS). Therefore, it is essential to understand the nature of these cyber threats, implement effective detection mechanisms, and develop robust mitigation strategies.
Research on false data injection attacks (FDIAs) has attracted considerable attention, particularly due to their ability to compromise power system state estimation (SE) with minimal risk of detection [4]. Early explorations into FDIA predominantly focused on DC-based state estimation models. A seminal work by Liu et al. [1] established that if the state estimation Jacobian matrix (SEJM) and system parameters are known, attackers can execute fully unobservable FDIA, while bypassing conventional bad data detection (BDD). Leveraging this foundation, subsequent studies introduced local FDIA [5,6,7,8], where partial system parameters adjacent to the targeted lines suffice. Additionally, blind FDIA, such as DC-based blind methods [9,10,11,12], refer to attacks conducted without direct knowledge of the system’s parameters or topology. Instead, these DC-based approaches rely on techniques like matrix subspace learning to infer necessary information from observable data. Nevertheless, DC-based FDIA methods often prove vulnerable when confronted with AC-based detection techniques in real-world implementations, as illustrated by Rahman et al. [13].
To overcome the limitations associated with DC approximations, researchers have shifted toward constructing FDIA under AC-based state estimation [13]. In this context, Liang et al. [14] found that ensuring complete stealth typically requires knowledge of both the SEJM and certain state variables. Liu et al. [15] proposed a network parameter coordinated false data injection (NP-FDI) attack that reduces the number of attacked measurements by jointly modifying network parameters and power measurements, but it relies on the ability to alter network parameters, which is challenging in practice. Deng et al. [16] introduced a practical FDIA model leveraging power flow or injection measurements to approximate system states; however, it requires knowledge of the admittance matrix and network topology to construct effective attack vectors. Similarly, methods by Zhao et al. [17] and Tian et al. [18] assume access to the system topology and system parameters, making them dependent on accurate system information.
In order to further improve the adaptability of attack methods in practice, more recent research has turned to blind AC FDIAs, which leverage historical measurement data to eliminate the need for prior knowledge of system parameters, such as admittance matrices or topology. For example, the reference [19] introduced a parameter-free FDIA strategy that relies on robust tensor decomposition to construct stealthy attack vectors. However, most existing blind AC FDIA strategies [20,21,22] do not explicitly control the magnitude of the resulting state estimation errors, which becomes critical when attackers aim to engineer precise disruptions or implement adaptive attack strategies. Although a few studies [23,24] consider targeted attacks on state estimation, they all require the introduction of additional state measurements (i.e., voltage measurements).
To address these limitations, this paper introduces the physics-informed extrapolative adversarial variational autoencoder (PI-ExAVAE), a novel generative model that integrates physical priors from AC power flow equations and adversarial training [25]. In contrast to traditional FDIA methods, PI-ExAVAE enables the following:
  • Integration of physics-based priors. PI-ExAVAE incorporates AC power flow equations into the adversarial variational autoencoder framework, ensuring that generated attack vectors are physically consistent and stealthy against traditional detection mechanisms.
  • Generative extrapolation capability. Unlike traditional generative models that focus on replicating the training data distribution and generating samples similar to the original input, the PI-ExAVAE integrates physics-informed priors, thereby enabling generative extrapolation to produce physically consistent and stealthy attack vectors far from the original input, even beyond the range covered by the training data.
  • Precise control over state estimation errors without voltage measurements. The proposed approach allows fine-grained control over the magnitude and direction of state estimation errors, enabling the design of targeted attacks with predictable impacts.
Experimental results validate the proposed approach, showing that PI-ExAVAE not only maintains stealthiness under AC-based detection but also offers flexible control over the magnitude of state deviation—all without requiring access to historical state information. Our contributions bridge a crucial gap in FDIA research, paving the way for more powerful and adaptive cyberattack and defense frameworks in future power systems.

2. Related Work

Recent research has focused on AC-based blind FDIA methods that eliminate reliance on prior knowledge of system parameters, addressing practical limitations of traditional AC-based non-blind FDIA mechanisms. For example, Jiao et al. [20] employed a self-attention-GAN-based (SAGAN) technique. However, this method may lack flexibility for real-time adjustments. Costilla et al. [21] employed a Wasserstein generative adversarial network (WGAN) combined with an autoencoder (AE), which served as a surrogate for the state estimator and regularized the WGAN to produce measurement-consistent attacks capable of bypassing residual-based detectors. However, the AE constrained the attack’s flexibility by limiting the generated attacks to conform closely to the training data distribution, reducing its adaptability to dynamic or unseen scenarios. Furthermore, Narang et al. [22] proposed a LSTMAE-GAN-based FDIA on AC power system state estimation. Their method leverages generative adversarial networks (GANs) to learn measurement data distributions and uses a long short-term memory autoencoder (LSTMAE) as a state estimator mimic to embed physical system laws and temporal dependencies into the generated attack data, achieving high stealthiness and effectiveness without requiring system topology or parameter knowledge. However, the reliance on historical voltage measurements and the predefined temporal structure in LSTMAE limits its adaptability to dynamic or unseen scenarios. Additionally, the LSTMAE architecture primarily focuses on reconstructing temporal sequences rather than exploring broader data distributions, which restricts its ability to generalize to conditions outside the training data. In contrast, our PI-ExAVAE leverages the latent space of a variational autoencoder (VAE), which provides a more flexible representation of the system’s measurement-to-state mapping. 
By structuring the latent space with physical priors and incorporating adversarial training, PI-ExAVAE extends beyond the training data distribution while ensuring physical consistency. Unlike LSTMAE, which is inherently sequence-dependent, VAE’s latent space supports both static and dynamic attack scenarios, enabling precise control over state deviations without relying on temporal patterns or voltage measurements. Afrin and Ardakanian [26] proposed Sneaky-FGSM, a practical attack method using surrogate models trained on high-quality historical data, including voltage measurements. While effective at bypassing detection mechanisms, its reliance on surrogate models trained on historical voltage measurements reduces its adaptability in scenarios where such data are unavailable or outdated. This limitation makes it challenging to achieve coordinated and consistent adjustments across all state variables, particularly in high-dimensional systems. While these methods achieve blind attacks on AC state estimation using only power measurements, they fail to provide precise control over post-attack state deviations. This restricts their capacity to achieve desired impacts.
Targeted FDIA techniques have been proposed to achieve precise control over state estimation deviations by constructing stealthy attack vectors. Chin et al. [27] introduced a blind FDIA using a geometric approach to construct stealthy vectors by minimizing the angle between measurement and attack vectors. A targeted variant was also proposed, enabling precise control over specific state variables but requiring additional voltage information for implementation. Du et al. [28] proposed a targeted FDIA model for AC state estimation that bypasses the need for network parameters by leveraging limited PMU data. The Ornstein–Uhlenbeck process and regression theorem [29] can estimate key parameters like line admittances to construct stealthy attack vectors inducing large deviations in state variables. However, the effectiveness depends on accurate PMU voltage measurements for parameter estimation and attack design. Rahman et al. [30] proposed an adversarial model that leverages artificial neural networks (ANNs) to infer grid topology from historical measurements. However, the method relies on the availability of voltage measurements to accurately construct a substitute topology, which is then integrated into the attack pipeline along with a substitute bad data detector. The proposed method in [31] advances FDIA design by using adversarial machine learning to improve stealthiness against BDD and NAD, while sparse-state attacks enhance scalability and reduce costs. However, its reliance on a white-box scenario limits practicality. All of the above methods enable some degree of control over state estimation deviations by establishing a mapping between power measurements and state variables (e.g., voltage). However, their ability to achieve control depends on the availability of voltage measurements in the observation data, which are essential for constructing the mapping. In practice, such data may not always be accessible, especially in systems with only power measurements. 
This limitation underscores the need for an approach capable of precisely controlling state estimation deviations without relying on voltage measurements.
Our PI-ExAVAE addresses the limitations of existing methods, particularly their reliance on voltage measurements, by leveraging the controllability of the VAE’s latent space to construct false data injection attacks. Inspired by [27] and the aforementioned GAN-based works, we structure the latent space with physical priors and integrate adversarial training to achieve controllable and stealthy attacks. Unlike Sneaky-FGSM, LSTMAE-GAN, and AE-WGAN, our method does not require historical voltage measurements, which broadens its applicability in systems lacking comprehensive state observations. Moreover, PI-ExAVAE provides precise control over the magnitude of deviations across all state variables, enabling coordinated and consistent adjustments that surpass the capabilities of existing methods such as SAGAN, which focuses on generating stealthy attack vectors but lacks the ability to control specific or global state deviations. Table 1 summarizes the key differences between our method and previous works, highlighting PI-ExAVAE’s ability to control post-attack state estimation deviations while eliminating reliance on voltage measurements.

3. Fundamentals of False Data Injection Attacks on AC State Estimation

In contemporary power systems, the weighted least squares (WLS) estimation method, detailed in Equation (1), plays a crucial role in estimating system states.
$$\hat{x} = \arg\min_{x} \, [y - h(x)]^{T} R^{-1} [y - h(x)] \tag{1}$$
where $x$ represents the system state, while $y$ denotes measurement data, including bus injections and bidirectional line flows. The estimated system state $\hat{x}$ is derived to best fit the observed measurements $y$. The relationship between measurements and system states is defined by the nonlinear function $h$, which depends on network topology and line parameters [32]. $R$ is a diagonal matrix expressed as $R = \mathrm{diag}(\sigma_1^2, \cdots, \sigma_i^2, \cdots, \sigma_m^2)$, where $\sigma_i^2$ is the variance of the measurement error associated with the $i$-th meter and $m$ is the number of measurements. Measurement errors and disturbances can result in $y \neq h(x)$. To address this, system operators employ bad data detection techniques to identify and filter out anomalies. These methods include the Chi-square $\chi^2$-test, as well as more precise approaches utilizing normalized residuals [33]. The latter involves a series of well-defined steps to enhance detection accuracy:
  • Step 1. Solve the WLS estimation and obtain the elements of the measurement residual vector:
    $$r_i = y_i - h_i(\hat{x})$$
  • Step 2. Compute the normalized residuals:
    $$r_i^N = \frac{|r_i|}{\sqrt{R_{ii} S_{ii}}}, \qquad S = I - H G^{-1} H^{T} R^{-1}, \qquad G = H^{T} R^{-1} H$$
    where $H$ is the Jacobian of the linearized system dynamics, which is determined by the power network topology and the admittances of the branches.
  • Step 3. Find $k$ such that $r_k^N$ is the largest among all $r_i^N$.
  • Step 4. If $r_k^N > \tau$, then the $k$-th measurement will be suspected bad data. Here, $\tau$ is a chosen identification threshold, for instance 3.
In this paper, we test the performance of the proposed model against these two detection methods.
According to the above-mentioned processes of AC state estimation, a successful FDIA targeting AC state estimation allows false data to evade bad data detection and appear as legitimate measurements. Let $a$ denote the attack vector and $y$ be the original measurement data. Under attack, the compromised measurements become $y_a = y + a$. The resulting residual, $r_a$, after the attack is computed as:
$$r_a = \left\| y_a - h(\hat{x}_a) \right\|_2 = \left\| y_a - h(\hat{x}_a) + h(\hat{x}) - h(\hat{x}) \right\|_2 = \left\| y - h(\hat{x}) + a - h(\hat{x}_a) + h(\hat{x}) \right\|_2$$
so, the attack vector $a$ should satisfy:
$$a = h(\hat{x}_a) - h(\hat{x}) \tag{5}$$
and the key to designing a false data injection attack on the AC state estimation lies in identifying the nonlinear function $h$ that connects measurement data with the power system state.
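The chi-square test and Steps 1 to 4 above, as an added example (not code from the paper), run on a constructed linear model $y = Hx + e$ that stands in for the linearized AC estimator. The matrix `H`, the noise values, the 0.1 gross error and the state shift are all constructed assumptions; the example shows the tests flagging one faulty meter while returning unchanged residuals for an injection of the linearized form $a = H \Delta x$ of the condition above.

```python
import math

TAU = 3.0             # identification threshold tau from Step 4
CHI2_95_DOF3 = 7.815  # 95% chi-square quantile for m - n = 3 degrees of freedom

# Constructed linearized model (assumption): 2 states, 5 meters, sigma = 0.01.
H = [[1.0, 0.0], [0.0, 1.0], [1.0, -1.0], [1.0, 1.0], [2.0, 1.0]]
SIGMA2 = [1e-4] * 5
X_TRUE = [0.10, -0.05]
NOISE = [0.002, -0.003, 0.001, -0.002, 0.003]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def inverse(A):
    """Gauss-Jordan inverse with partial pivoting (enough for a small gain matrix)."""
    n = len(A)
    M = [list(row) + [float(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            raise ValueError("gain matrix G is singular: state not observable")
        M[c], M[p] = M[p], M[c]
        pivot = M[c][c]
        M[c] = [v / pivot for v in M[c]]
        for r in range(n):
            if r != c:
                f = M[r][c]
                M[r] = [vr - f * vc for vr, vc in zip(M[r], M[c])]
    return [row[n:] for row in M]


def bad_data_detection(H, sigma2, y):
    """Chi-square test and largest normalized residual test for y = Hx + e."""
    m, n = len(H), len(H[0])
    Ht_Rinv = [[H[i][j] / sigma2[i] for i in range(m)] for j in range(n)]  # H^T R^-1
    G_inv = inverse(matmul(Ht_Rinv, H))                                    # G^-1
    gain = matmul(G_inv, Ht_Rinv)                                          # G^-1 H^T R^-1
    x_hat = [sum(g * v for g, v in zip(row, y)) for row in gain]           # WLS estimate
    # Step 1: residuals r_i = y_i - h_i(x_hat), with h(x) = Hx here.
    r = [y[i] - sum(H[i][j] * x_hat[j] for j in range(n)) for i in range(m)]
    # Step 2: normalized residuals using the diagonal of S = I - H G^-1 H^T R^-1.
    K = matmul(H, gain)
    s_diag = [1.0 - K[i][i] for i in range(m)]
    r_norm = [abs(r[i]) / math.sqrt(sigma2[i] * s_diag[i]) for i in range(m)]
    chi2 = sum(r[i] ** 2 / sigma2[i] for i in range(m))
    # Steps 3-4: the largest normalized residual is suspected if it exceeds tau.
    k = max(range(m), key=lambda i: r_norm[i])
    return {
        "x_hat": x_hat,
        "r_norm": r_norm,
        "chi2_alarm": chi2 > CHI2_95_DOF3,
        "suspect": k if r_norm[k] > TAU else None,
    }


def run_scenarios():
    clean = [sum(h * x for h, x in zip(row, X_TRUE)) + e for row, e in zip(H, NOISE)]
    gross = list(clean)
    gross[2] += 0.1                        # constructed gross error on meter index 2
    shift = [0.05, -0.02]                  # constructed state deviation Delta x
    a = [sum(h * d for h, d in zip(row, shift)) for row in H]   # a = H * Delta x
    structured = [y + ai for y, ai in zip(clean, a)]
    cases = (("clean", clean), ("gross", gross), ("structured", structured))
    return {name: bad_data_detection(H, SIGMA2, y) for name, y in cases}


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(name, "chi2_alarm=%s" % res["chi2_alarm"],
              "suspect=%s" % res["suspect"], "max r_N=%.3f" % max(res["r_norm"]))
```

The structured case leaves every normalized residual identical to the clean case while the estimate moves by exactly the chosen shift, so neither residual test can separate the two.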

4. Proposed AC FDIA Method Based on PI-ExAVAE

In this section, the physics-informed extrapolative adversarial variational autoencoder (PI-ExAVAE) framework is designed to generate physically consistent, stealthy, and controllable FDIA targeting AC state estimation. Unlike conventional generative models, PI-ExAVAE incorporates physical priors derived from AC power flow equations into an adversarial variational autoencoder structure, ensuring both extrapolation capability and precise control over state estimation deviations. Below, we detail the components and training methodology of the proposed approach.

4.1. Variational Autoencoder with Adversarial Loss

A variational autoencoder (VAE) is composed of two neural networks: an encoder and a decoder. The encoder encodes a measurement sample $y$ into a latent representation $z$, while the decoder reconstructs the original data $\hat{y}$ from $z$. This process can be described as:
$$z \sim q(z|y) = \mathcal{N}(\mu_z, \sigma_z^2), \quad (\mu_z, \sigma_z) = \mathrm{Enc}(y)$$
$$\hat{y} \sim p(y|z) = \mathcal{N}(\mu_y, \sigma_y^2), \quad (\mu_y, \sigma_y) = \mathrm{Dec}(z)$$
where $\mathrm{Enc}(\cdot)$ and $\mathrm{Dec}(\cdot)$ represent the mapping functions of the encoder and decoder, respectively. To ensure meaningful latent representations, the VAE imposes a prior $p(z)$, typically chosen as $z \sim \mathcal{N}(0, I)$. The VAE loss is minus the sum of the expected log likelihood (the reconstruction error) and a prior regularization term [34]:
$$L_{\mathrm{VAE}} = -\mathbb{E}_{q(z|y)}\left[\log \frac{p(y|z)\, p(z)}{q(z|y)}\right] = L_{\mathrm{llike}} + L_{\mathrm{prior}}$$
with
$$L_{\mathrm{llike}} = -\mathbb{E}_{q(z|y)}\left[\log p(y|z)\right] \tag{8a}$$
$$L_{\mathrm{prior}} = D_{KL}\left(q(z|y) \,\|\, p(z)\right) \tag{8b}$$
where $D_{KL}$ is the Kullback–Leibler divergence and the subscript llike represents the log-likelihood function. Furthermore, to enhance the realism and stealth of generated samples, an adversarial discriminator $D(y)$ is introduced. This discriminator is a neural network that attempts to differentiate between real measurement samples $y$ and reconstructed/generated samples $\hat{y}$. The adversarial component is trained jointly with the VAE to improve the quality of reconstructions and ensure they resemble real-world measurements. The adversarial loss is defined as:
$$L_{\mathrm{adv}} = \mathbb{E}_{y \sim p_{\mathrm{data}}}\left[\log D(y)\right] + \mathbb{E}_{\hat{y} \sim p_{\mathrm{vae}}}\left[\log\left(1 - D(\hat{y})\right)\right] \tag{9}$$
where $p_{\mathrm{data}}$ and $p_{\mathrm{vae}}$ are the true distribution of measurements and distributions of reconstructed samples from the VAE, respectively.

4.2. Proposed Physics-Informed PI-ExAVAE

In the analysis presented in Section 3, the function h plays a critical role in constructing the attack vector. However, calculating h heavily relies on network information, which is typically assumed to be inaccessible to potential attackers. On the other hand, the adversarial VAE, as introduced in Section 4.1, is primarily designed to improve the reconstruction of original data. This objective differs from our goal of generating fake data for specific purposes.
To address this challenge, ref. [20] proposes using measurements from a different time as a reference to generate false measurements. While this method can effectively bypass BDD detection, it lacks control over the bias introduced into state estimation by the false measurements. To ensure control over state deviation and expand the generation space of fake data within the constraints of physical laws, we propose a novel physical loss function inspired by [27,35]. Based on Equation (1), the state deviation caused by an attack near the operating point can be expressed as follows:
$$\Delta x = \left(H^{T} R^{-1} H\right)^{-1} H^{T} R^{-1} \left(h(\hat{x}_a) - h(\hat{x})\right) \tag{10}$$
then, substituting Equation (5) into Equation (10), the relationship between the attack vector $a$ and $\Delta x$ can be obtained as $a = H \Delta x$. The active and reactive power injection measurements at bus $i$ and the power flow measurements from bus $i$ to bus $j$ can be expressed as follows:
$$P_i = \sum_{j=1}^{N} V_i V_j \left(G_{ij} \cos\theta_{ij} + B_{ij} \sin\theta_{ij}\right) \tag{11a}$$
$$Q_i = \sum_{j=1}^{N} V_i V_j \left(G_{ij} \sin\theta_{ij} - B_{ij} \cos\theta_{ij}\right) \tag{11b}$$
$$P_{ij} = V_i^2 G_{ij} - V_i V_j G_{ij} \cos\theta_{ij} - V_i V_j B_{ij} \sin\theta_{ij} \tag{11c}$$
$$Q_{ij} = -V_i^2 B_{ij} + V_i V_j B_{ij} \cos\theta_{ij} - V_i V_j G_{ij} \sin\theta_{ij} \tag{11d}$$
where $N$ is the number of buses, $\theta_{ij} = \theta_i - \theta_j$, and $G_{ij}$ and $B_{ij}$ denote the conductance and susceptance, respectively. From Equations (11a)–(11d), since the active and reactive power injections at a bus are equal to the sum of the active and reactive power flows on the connected lines, the sufficient conditions for ‘invisible’ attacks on bus power injections are the same as those for ‘invisible’ attacks on line power flows. Since active power flow and injection are significantly more sensitive to voltage angle than to voltage amplitude, priority is given to sufficient conditions for the attack vector with respect to the phase angle. According to $a = H \Delta x$, the relationship between the $m$-th element of $a$ on the active power flow from bus $i$ to bus $j$ with respect to the phase angle can be expressed as [27]:
$$a_m = \sum_{k=1}^{N} \Delta\theta_k \frac{\partial P_{ik}}{\partial \theta_k} = \Delta\theta_{ij} V_i V_j \left(G_{ij} \sin\theta_{ij} - B_{ij} \cos\theta_{ij}\right)$$
where $\frac{\partial P_{ik}}{\partial \theta_k} = 0$ for $k \neq i, j$, and $\Delta\theta_{ij} = \Delta\theta_i - \Delta\theta_j$, which is the difference of phase angle deviation under attacks. According to Equation (5), the $a_m$ should satisfy the following:
$$a_m = h_m(\hat{x}_a) - h_m(\hat{x}) = h_m(\hat{x} + \Delta x) - h_m(\hat{x}) \triangleq \Delta h_m \tag{13}$$
then, according to Equation (11c) and Equation (13),
$$\begin{aligned}
\Delta h_m &= h_m(\hat{x} + \Delta x) - h_m(\hat{x}) \\
&= -V_i V_j G_{ij} \cos(\hat{\theta}_{ij} + \Delta\theta_{ij}) - V_i V_j B_{ij} \sin(\hat{\theta}_{ij} + \Delta\theta_{ij}) + V_i^2 G_{ij} \\
&\quad - \left[-V_i V_j G_{ij} \cos(\hat{\theta}_{ij}) - V_i V_j B_{ij} \sin(\hat{\theta}_{ij}) + V_i^2 G_{ij}\right] \\
&= -V_i V_j G_{ij} \cos(\hat{\theta}_{ij} + \Delta\theta_{ij}) - V_i V_j B_{ij} \sin(\hat{\theta}_{ij} + \Delta\theta_{ij}) + V_i V_j G_{ij} \cos(\hat{\theta}_{ij}) + V_i V_j B_{ij} \sin(\hat{\theta}_{ij})
\end{aligned} \tag{14}$$
next, comparing Equation (14) with Equation (13), we aim to reduce $\Delta h_m$ to $a_m$. Applying the approximations $\cos(\Delta\theta_{ij}) \approx 1$ and $\sin(\Delta\theta_{ij}) \approx \Delta\theta_{ij}$, that is, $\Delta\theta_{ij} \to 0$, we have the following:
$$\begin{aligned}
& -V_i V_j G_{ij} \cos(\hat{\theta}_{ij} + \Delta\theta_{ij}) - V_i V_j B_{ij} \sin(\hat{\theta}_{ij} + \Delta\theta_{ij}) + V_i V_j G_{ij} \cos(\hat{\theta}_{ij}) + V_i V_j B_{ij} \sin(\hat{\theta}_{ij}) \\
&= -V_i V_j G_{ij} \left[\cos(\hat{\theta}_{ij}) \cos(\Delta\theta_{ij}) - \sin(\hat{\theta}_{ij}) \sin(\Delta\theta_{ij}) - \cos(\hat{\theta}_{ij})\right] \\
&\quad - V_i V_j B_{ij} \left[\sin(\hat{\theta}_{ij}) \cos(\Delta\theta_{ij}) + \cos(\hat{\theta}_{ij}) \sin(\Delta\theta_{ij}) - \sin(\hat{\theta}_{ij})\right] \\
&\approx \Delta\theta_{ij} V_i V_j \left(G_{ij} \sin\theta_{ij} - B_{ij} \cos\theta_{ij}\right) = a_m
\end{aligned}$$
Then, because of $|\Delta\theta_i - \Delta\theta_j| \le |\Delta\theta_i| + |\Delta\theta_j|$, by minimizing $\Delta\theta_i$ and $\Delta\theta_j$, $\Delta\theta_{ij} = \Delta\theta_i - \Delta\theta_j \to 0$ can be satisfied. A special case is $\Delta\theta_i = 0$, which is equivalent to
$$\bar{y}^{T} \bar{a} = 1$$
where $\bar{y} = \frac{y}{\|y\|}$ and $\bar{a} = \frac{a}{\|a\|}$ represent the normalized forms of the measurement vector $y$ and the attack vector $a$, respectively. Then, the VAE reconstruction error of Equation (8a) can be replaced with
$$L_{\mathrm{phy}} = \left| \bar{y}^{T} \bar{a} - 1 \right|$$
By replacing the reconstruction loss $L_{\mathrm{llike}}$ with the physical loss $L_{\mathrm{phy}}$, the proposed PI-ExAVAE leverages the underlying physics of the power system to expand the latent space for generating attack vectors. This structured latent space not only aligns with the system’s operational constraints but also enables the model to extrapolate beyond the training data distribution, generating physically consistent attack vectors under previously unseen scenarios. Moreover, the degree of influence on the system state can be precisely controlled through targeted sampling strategies in the structured latent space. The term ‘targeted sampling strategies’ refers to methods that guide the sampling process in the structured latent space towards specific goals, such as balancing stealth and impact, ensuring physical consistency, or adapting to unseen scenarios. These strategies exploit the structured latent space of PI-ExAVAE to produce attack vectors that achieve their intended objectives, such as causing significant deviations in system states, while remaining physically valid and consistent with power system constraints. This distinct capability to generate diverse attack vectors, adapt to unseen system conditions, and precisely control their impact lies in the ability of PI-ExAVAE to adjust the degree of influence on state estimation by sampling within the structured latent space. Unlike existing methods that focus on maximizing impact while minimizing detectability, especially in scenarios with only power measurements, PI-ExAVAE provides fine-grained control over the magnitude of the impact on the system state. This flexibility allows the model to generate attack vectors that range from subtle changes to significant disruptions, depending on the attacker’s objectives. Section 5 demonstrates this novel capability through case studies where the model adapts to diverse conditions while maintaining physical consistency.
As for the voltage amplitude, reference [27] deduces a simple sufficient condition, namely Δ V i V i , i . This is difficult to use in practice; therefore, reference [27] did not implement this sufficient condition in the blind AC attack and discussed it only for the case where the historical voltage amplitude state quantity is known. However, in the proposed PI-ExAVAE, the adversarial mechanism will naturally learn Δ V i V i , i from the data.
Finally, considering the inherent spatial correlations in power system measurements, we introduce a convolutional neural network to capture these dependencies, making the generated fake data more realistic, physically consistent, and better at bypassing BDD.
Based on the description provided in this section, we present the physics-informed PI-ExAVAE network illustrated in Figure 1, which is trained with the triple criterion
$$L = L_{\mathrm{prior}} + L_{\mathrm{phy}} + L_{\mathrm{adv}}.$$

4.3. Training Method and Controllable FDIA Generation

For a given time-point, the composition of the measurement data $y$ (bidirectional line flows and bus injections except for reference bus) is stated as:
$$y_t = \left[ PF^{t}_{ij},\ PT^{t}_{ij},\ Pbus^{t}_{i},\ QF^{t}_{ij},\ QT^{t}_{ij},\ Qbus^{t}_{i} \right]$$
where $PF$, $PT$, $QF$, and $QT$ represent real and reactive power injected at the “from” and “to” bus ends, respectively. $Pbus$ and $Qbus$ represent real and reactive power injections at buses. Subscript $i$ and $j$ are bus numbers. $t$ is the time step. Since the number of nodes is usually less than the number of lines (i.e., $i < j$) within a time step, $Pbus$ and $Qbus$ are padded with 0.
The strategy for propagating error signals: According to the observation model $y = h(x) + e$ and the priors over the latent distribution $p(z) = \mathcal{N}(0, I)$, the latent space of VAE can be viewed as an embedding of high-dimensional measurements on low-dimensional manifolds.
The encoder maps high-dimensional measurement data $y$ into the low-dimensional latent space $z$. This process is regularized to ensure that the latent space captures not only the statistical structure of the measurements but also the underlying physical relationships dictated by the AC power flow equations. To achieve this, the encoder loss function includes two components:
$$L_{\mathrm{encoder}} = L_{\mathrm{prior}} + L_{\mathrm{phy}}.$$
where $L_{\mathrm{prior}}$ ensures that the latent representation $z$ conforms to the prior distribution $p(z) = \mathcal{N}(0, I)$, and $L_{\mathrm{phy}}$ enforces that the latent space embedding aligns with the physical laws governing the system states. This formulation ensures that the encoder embeds the high-dimensional measurements into a latent representation that preserves the critical physical relationships necessary for effective FDIA generation.
The decoder reconstructs the manipulated measurements $y_a$ from the latent representation $z$ and plays a crucial role in generating physically consistent and stealthy attack vectors. Its loss function comprises two key terms:
$$L_{\mathrm{decoder}} = L_{\mathrm{phy}} + L_{\mathrm{adv}}.$$
where $L_{\mathrm{phy}}$ guides the decoder to generate attack vectors that adhere to the phase angle in a sufficient condition, ensuring physical consistency with the AC power flow equations, and through adversarial learning, loss $L_{\mathrm{adv}}$ ensures that the reconstructed measurements are indistinguishable from real measurements. It also helps the model learn the voltage amplitude-related sufficient conditions and the power balance equations, both of which are critical for crafting stealthy and effective FDIA. This combination ensures that the decoder not only generates valid attack vectors but also captures the nonlinear relationships between voltage amplitudes and phase angles required for FDIA.
Finally, the discriminator is trained with $L_{\mathrm{adv}}$ described in Equation (9). Notably, the embedding dimension and loss functions are tied to the physical relationships in power systems, ensuring that the PI-ExAVAE can generalize to unseen scenarios. The training procedure is summarized in Algorithm 1. The detailed network architectures are listed in Table 2. In the model architecture design, the channel numbers in convolutional layers were determined to balance feature extraction capability and computational cost, while kernel sizes and strides were optimized for the spatial structure of IEEE14 data (Notably, for larger-scale systems, the architecture can be adapted by proportionally increasing the number of convolutional layers and corresponding channels. This approach preserves the hierarchical feature extraction capability while maintaining computational efficiency). Activation functions were selected to enhance non-linearity and training stability. Parameter initialization employed Xavier initialization for weights and zero initialization for biases to ensure balanced gradient flow. The architecture was finalized based on grid search experiments, prioritizing reconstruction accuracy and attack success rate.
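Algorithm 1 Training the PI-ExAVAE attack model.
  1: Initialization: $\theta_{\mathrm{Enc}}, \theta_{\mathrm{Dec}}, \theta_{\mathrm{Dis}} \leftarrow$ network parameters
  2: repeat
  3:     $Y \leftarrow$ random mini-batch from measurement data $y$
  4:     $Z \leftarrow \mathrm{Enc}(Y)$
  5:     $L_{\mathrm{prior}} \leftarrow D_{KL}\left(q(Z|Y) \,\|\, p(Z)\right)$
  6:     $\tilde{Y} \leftarrow \mathrm{Dec}(Z)$
  7:     $L_{\mathrm{phy}} \leftarrow \left| \frac{Y}{\|Y\|} \cdot \frac{\tilde{Y} - Y}{\|\tilde{Y} - Y\|} - 1 \right|$
  8:     $L_{\mathrm{adv}} \leftarrow \log(\mathrm{Dis}(Y)) + \log(1 - \mathrm{Dis}(\tilde{Y}))$
         // Update parameters according to gradients
  9:     $\theta_{\mathrm{Enc}} \xleftarrow{+} -\nabla_{\theta_{\mathrm{Enc}}} \left(L_{\mathrm{prior}} + L_{\mathrm{phy}}\right)$
 10:     $\theta_{\mathrm{Dec}} \xleftarrow{+} -\nabla_{\theta_{\mathrm{Dec}}} \left(L_{\mathrm{phy}} - L_{\mathrm{adv}}\right)$
 11:     $\theta_{\mathrm{Dis}} \xleftarrow{+} -\nabla_{\theta_{\mathrm{Dis}}} L_{\mathrm{adv}}$
 12: until maximum epochs (300) reached or loss $L_{\mathrm{adv}}$ convergence threshold ($10^{-4}$) met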
Controllable Attack Generation with PI-ExAVAE: After training the PI-ExAVAE network, two distinct attack generation strategies are available, providing complementary approaches for crafting physically consistent and stealthy FDIA.
Path 1 involves measurement-conditioned generation, where a new measurement $y$ is encoded into the latent space by the encoder and decoded to produce an attack vector $a_1$. This path ensures input-specific attacks that align closely with the given measurement while adhering to physical constraints. Path 2 leverages latent sampling-based generation, where a latent vector $\hat{z}$ is randomly sampled from the Gaussian prior $p(z) = \mathcal{N}(0, I)$ and decoded to generate an attack vector $a_2$. This approach explores a broader operational space and generates attacks beyond the training data, emphasizing the PI-ExAVAE’s extrapolative capability. The flexibility of PI-ExAVAE lies in its ability to interpolate between these two paths, providing controllable FDIA. By linearly interpolating in the latent space,
$$z_{\mathrm{inter}} = (1 - val) \times \mathrm{Enc}(y) + val \times \hat{z}$$
where $val \in [0, 1]$, the PI-ExAVAE generates attacks that range from input-specific (Path 1, $val = 0$) to fully extrapolated (Path 2, $val = 1$). Intermediate values enable a blend of the two, balancing stealth and impact.
Finally, as illustrated in Figure 2, unlike GAN-based models that require two distinct sets of normal measurements for training, PI-ExAVAE significantly reduces data requirements by leveraging physical constraints, allowing it to train with only a single set of normal measurements. Furthermore, the structured latent space enables the generation of attack vectors that deviate significantly from the training data while adhering to physical constraints, a capability that GAN-based methods lack. These features, validated in the subsequent experiments, demonstrate PI-ExAVAE’s controllability and extrapolation capabilities, making it highly adaptable for crafting FDIA under diverse and extreme operational scenarios.

5. Case Studies

5.1. IEEE14 Test System with NYISO Field Data

As shown in Figure 3 [36], the New York Independent System Operator (NYISO) consists of 11 regions and is marked from A to K, and the IEEE14 system with 11 load buses is chosen as the test system. The software toolbox MATPOWER 7.1 [37] is utilized to generate the measurements, and real power load data in 2023 from NYISO (Rensselaer, NY, USA) are fed into the IEEE14 system. The sampling interval is 5 min. In the experiment, the network information in the standard system is kept unchanged. Each bus and each line is equipped with a power measurement to obtain the active and reactive power of the buses and bidirectional line flows. Therefore, for the snapshot at a given timepoint, the number of measurement data points of the IEEE14 is M = 4 × L + 2 × N = 106 (recall L = 20 is the number of links and N = 13 is the number of nodes). The following procedures are utilized to estimate system states using load patterns from NYISO:
  • Step 1. Link the buses of the IEEE14 system to regions of NYISO as follows:
    IEEE14 bus:    2  3  4  5  6  9  10  11  12  13  14
    NYISO region:  F  C  I  B  G  K  E   H   J   D   A
    where the first row is the bus number of the IEEE14 system and the second row represents the NYISO region index in Figure 3.
  • Step 2. Normalize the load of NYISO to the initial real and reactive load of the corresponding IEEE14 bus, so that the test system operates near the initial state of the IEEE14 system. Due to the lack of reactive load information, we assume that the system load has a constant power factor (0.8), so reactive power can be calculated from real power. This assumption can be relaxed if historical data of reactive power are available.
  • Step 3. Add up the new real power load. Find the ratio of the new total load to the IEEE14 bus initial total load. Multiply the generation of all generators by this ratio.
  • Step 4. Repeat the previous step for reactive power.
  • Step 5. Calculate the system state ($x$) using AC power flow analysis.
  • Step 6. Calculate the system measurement value $y = h(x)$, where $h(\cdot)$ is the power flow equation derived from the system structure.
  • Step 7. White Gaussian noise $\mathcal{N}(0, 0.1^2)$, i.e., 0.1 p.u., is added to the measurements $y$.
We construct 11,000 sample data points, of which 1000 are used as the training set for learning the attack model’s parameters, and 10,000 are used as the test set to evaluate its performance on new data. For the IEEE 14-bus system, the PI-ExAVAE is trained using the Adam optimizer with a learning rate of 0.003 and decay rates of 0.5 and 0.999 for the first and second moments, respectively, to ensure stable parameter updates. During training, each batch randomly selects data from the 1000-sample training set and the algorithm continues until either a maximum of 300 epochs is reached or the adversarial loss $L_{adv}$ converges to a specified threshold. Specifically, convergence is determined when the change in $L_{adv}$ across consecutive iterations falls below $10^{-4}$ for 10 consecutive updates, ensuring stability and preventing overfitting. The attack assumes tampering with all measurements at a single time point, while the operator is assumed to have precise knowledge of measurement noise levels for residual-based detection, i.e., the diagonal elements of $R$ in Equation (1) are set to match the variance of the added noise. This setup evaluates the model’s performance under challenging conditions.

5.1.1. Attack Effectiveness and Controllability Analysis

In order to comprehensively evaluate the effectiveness and controllability of the PI-ExAVAE model proposed in this article for blind FDIA against AC state estimation without voltage measurements, 10,000 independent experiments were run for each case. We compare our method against three state-of-the-art model-free FDIA methods developed for scenarios without voltage measurements: the self-attention generative adversarial network (SAGAN) proposed in reference [20], the Wasserstein GAN with autoencoder (AE-WGAN) approach presented in reference [21], and the GAN with long short-term memory autoencoder (LSTMAE-GAN) presented in reference [22].
Figure 4 compares the state estimation (SE) residuals for raw measurements ($y$), SAGAN, LSTMAE-GAN, AE-WGAN, and the proposed PI-ExAVAE model under different interpolation values ($val$). Raw measurements exhibit the highest residuals, often exceeding 100, due to inherent noise causing false positives in residual-based bad data detection (BDD). Among the baseline methods, SAGAN and LSTMAE-GAN reduce residuals but show significant variance and outliers, while AE-WGAN achieves lower residuals with better stability. In contrast, PI-ExAVAE demonstrates superior performance and, most importantly, exceptional controllability. By adjusting the $val$ parameter, PI-ExAVAE progressively reduces residuals, effectively balancing stealth and impact as $val$ transitions from 0 to 1. At higher $val$ values (0.7–1.0), it achieves the lowest median residuals (close to 10) with minimal variance and outliers. These results underscore PI-ExAVAE’s unique ability to dynamically control residuals, offering robust and precise attack generation tailored to specific objectives.
Figure 5 illustrates the detection rates for raw measurements ($y$), LSTMAE-GAN, SAGAN, AE-WGAN, and the proposed PI-ExAVAE model under different $val$ values. A “measurement group” includes all measurements collected at a single time step, including power measurements from multiple nodes. The detection rates are broken down into two components: the light blue base of each bar shows the proportion of time steps with at least one abnormal measurement, while the orange stack represents the total abnormal measurements across all time steps divided by the total number of time steps. Red dots indicate detection rates of 0%.
Raw measurements (y) exhibit the highest detection rate, exceeding 25%, primarily due to noise causing high residuals that trigger detection even in the absence of attacks. Among the baseline methods, LSTMAE-GAN shows a relatively high detection rate despite achieving lower residuals in Figure 4. This behavior can be attributed to its focus on capturing temporal correlations between measurements while neglecting the underlying physical relationships described by the power flow equations. As a result, although it reduces residuals, the generated measurements deviate from the physically consistent patterns expected by the system, leading to a higher likelihood of detection. SAGAN reduces the detection rate compared to LSTMAE-GAN but still exhibits a non-negligible level of detected anomalies, reflecting inconsistent stealth. AE-WGAN achieves the lowest detection rate among the baseline methods, with no orange stacks, indicating a complete absence of detected abnormal measurements within groups.
In contrast, PI-ExAVAE demonstrates superior stealth performance, achieving near-zero detection rates for most interpolation values ($val$). As $val$ increases from 0 to 1, the detection rate of PI-ExAVAE further declines, with red dots indicating a 0% detection rate for $val$ values of 0.5 and beyond. This trend highlights PI-ExAVAE’s ability to adaptively generate attack vectors that reliably evade detection, even as the deviation from the original data increases. The comparison underscores the robustness and controllability of PI-ExAVAE, outperforming all baseline methods in maintaining stealth while effectively bypassing detection mechanisms.
Figure 6 compares the deviations of estimated ($\|y_{est} - y\|_2$) and attacked measurements ($\|y_a - y\|_2$) from the original measurements for varying values of the parameter $val$ (indicated by the color gradient). Each data point represents a measurement group, and the dashed black diagonal line indicates equality ($\|y_{est} - y\|_2 = \|y_a - y\|_2$). As $val$ increases (from purple to red), the deviations of the attacked measurements from the original increase, highlighting the growing impact of the attack. For higher $val$ values, the points lie above the diagonal, indicating that the attacked measurements deviate more significantly from the original compared to the estimated values. This demonstrates the effectiveness of the attack in creating discrepancies, thereby amplifying its impact on the measurement groups.
Figure 7 illustrates the impact of the proposed PI-ExAVAE model on voltage magnitudes (left) and phase angles (right) across buses in the IEEE-14 system, compared with other methods, including SAGAN, LSTMAE-GAN, and AE-WGAN. The blue dashed line represents the pre-attack state, the orange line corresponds to the SAGAN attack, the pink dotted line represents the LSTMAE-GAN attack, and the red circular markers depict the results of the AE-WGAN attack. Solid lines are used to depict the results of PI-ExAVAE for $val$ values ranging from 0 to 1.0.
The results demonstrate the advanced controllability of PI-ExAVAE, enabling subtle deviations at lower $val$ values and more pronounced, targeted deviations as $val$ increases. At lower $val$, PI-ExAVAE closely maintains the original voltage profiles, ensuring plausible and realistic patterns. As $val$ approaches 1, it introduces significant deviations in both voltage magnitudes and phase angles, particularly for buses such as Bus 13, effectively amplifying the attack impact while preserving a smooth and structured profile across buses. Notably, the voltage magnitude of the PV bus (Bus 7 in this figure, corresponding to Bus 6 in the standard system) remains unchanged, showcasing its ability to respect physical constraints. In contrast, while methods such as SAGAN, LSTMAE-GAN, and AE-WGAN effectively bypass BDD detection and impact state estimation by generating deviations close to the original state estimation values, they lack the ability to introduce adjustable and structured deviations across multiple buses. In comparison, PI-ExAVAE provides precise control over the magnitude and distribution of post-attack deviations through the parameter $val$, offering greater flexibility and impact. These comparisons underscore the adaptability of PI-ExAVAE in achieving both realistic and impactful attack patterns.

5.1.2. Analysis of Extrapolative Performance

In order to analyze the extrapolative performance of the proposed PI-ExAVAE, Figure 8 compares the voltage magnitude (left) and voltage angle (right) across the 14 buses of the IEEE-14 system, illustrating the state range covered by the training data (blue shaded region) and the broader state space generated by the physics-guided model (red shaded region). The red boundaries represent the limits of the state space that the physics-guided model is capable of generating, while the blue region reflects the range of states observed within the training data.
The results demonstrate that the physics-guided model is not constrained by the state space observed during training but can extrapolate beyond it, producing a significantly expanded range of physically consistent states. This extrapolative capability is particularly advantageous for generating realistic and effective false measurements in scenarios not explicitly represented in the training data. By leveraging physical constraints and domain knowledge, the model ensures that the generated measurements remain plausible and consistent with the underlying system physics, even under extreme or previously unseen conditions. This ability is critical for constructing robust and stealthy false data injection attacks, as it enables the generation of measurements that are both effective in disrupting state estimation and difficult to detect by traditional monitoring systems.

5.1.3. Performance Analysis Under Different Detectors

To verify the flexibility of the PI-ExAVAE model under various detection scenarios, we evaluated its performance using three detection methods: the largest normalized residual (LNR) test, the Chi-Squared test, and a deep learning-based detector.
LNR test: Figure 9 illustrates the detection rates of false measurements under varying thresholds of the normalized maximum residuals ($r$) for the proposed PI-ExAVAE model with different $val$ values, compared to the results for original measurements ($y$), SAGAN, LSTMAE-GAN, and AE-WGAN. The red dashed line (representing original measurements) consistently exhibits high detection rates across all thresholds, exceeding 90% for low thresholds. SAGAN (green dashed line) and LSTMAE-GAN (blue dashed line) reduce detection rates compared to raw measurements but remain significantly less effective than PI-ExAVAE. AE-WGAN (pink dotted line) achieves better stealth performance among the baseline methods, but its performance plateaus at higher thresholds. In contrast, PI-ExAVAE demonstrates superior adaptability and stealth performance. By varying the parameter $val$, PI-ExAVAE achieves progressively lower detection rates as $val$ increases, with near-zero detection rates at higher $val$ values for most thresholds. The solid lines for $val = 0.9$ and $val = 1.0$ exhibit the lowest detection rates across all thresholds, highlighting PI-ExAVAE’s ability to evade detection mechanisms effectively. This adaptability makes it possible to balance between stealthiness and impact, outperforming all baseline methods across a wide range of detection thresholds.
Chi-squared test: Table 3 presents a quantitative comparison of the success rates for bypassing the $\chi^2$-test under 95% and 90% confidence levels for SAGAN, LSTMAE-GAN, AE-WGAN, and the proposed PI-ExAVAE model. Among the baseline methods, AE-WGAN achieves the highest success rates, consistently reaching 100% across both confidence levels, while LSTMAE-GAN performs slightly better than SAGAN, with success rates of 98.6% and 95.3%, respectively, compared to SAGAN’s 95.5% and 90.2%. This slight improvement can be attributed to the lower median residuals observed for LSTMAE-GAN in Figure 4, which reduces its detection probability under the $\chi^2$-test.
In contrast, the PI-ExAVAE model consistently achieves 100% success for $val = 0.5$ and $val = 1.0$ across both confidence levels, highlighting its robustness and superior adaptability. Even at $val = 0$, the success rates remain competitive (98.2% at 95% confidence and 96.1% at 90% confidence), outperforming SAGAN and LSTMAE-GAN. These results demonstrate the controllability of PI-ExAVAE, as it effectively tunes $val$ to adapt its attacks and evade various detection mechanisms. The table underscores the superiority of PI-ExAVAE in balancing stealthiness and effectiveness, achieving consistent performance under diverse BDD settings. Compared to baseline methods, PI-ExAVAE provides not only higher success rates but also greater adaptability to real-world scenarios, ensuring robust evasion of detection mechanisms.
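The two residual-based checks evaluated above, the $\chi^2$ test and the largest normalized residual (LNR) test, are sketched below from the operator's side. This is an added example, not code from the paper: it assumes a linear (DC-style) measurement model z = Hx + e on a constructed 3-bus system instead of the AC model, approximates the $\chi^2$ quantile with the Wilson-Hilferty formula, and all function names and sample values are constructed.

```python
import math

def transpose(A):
    return [list(col) for col in zip(*A)]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def solve(A, B):
    """Solve A X = B (A square) by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [list(A[i]) + list(B[i]) for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            raise ValueError("singular gain matrix: the state is not observable")
        M[c], M[p] = M[p], M[c]
        pivot = M[c][c]
        M[c] = [v / pivot for v in M[c]]
        for r in range(n):
            if r != c:
                f = M[r][c]
                M[r] = [vr - f * vc for vr, vc in zip(M[r], M[c])]
    return [row[n:] for row in M]

def chi2_quantile(dof, confidence):
    """Wilson-Hilferty approximation of the chi-squared quantile (no SciPy needed)."""
    z = {0.90: 1.2816, 0.95: 1.6449}[confidence]  # standard normal quantiles
    t = 2.0 / (9.0 * dof)
    return dof * (1.0 - t + z * math.sqrt(t)) ** 3

def bad_data_check(H, z, sigma, confidence=0.95, lnr_threshold=3.0):
    """Weighted least squares estimate followed by the chi-squared and LNR tests.

    H: m x n measurement matrix, z: m measurements, sigma: per-measurement noise
    standard deviations (R = diag(sigma^2), known to the operator).
    """
    m, n = len(H), len(H[0])
    w = [1.0 / s ** 2 for s in sigma]                       # diagonal of R^-1
    Ht = transpose(H)
    HtW = [[Ht[i][j] * w[j] for j in range(m)] for i in range(n)]
    G = matmul(HtW, H)                                      # gain matrix H^T R^-1 H
    x_hat = solve(G, matmul(HtW, [[v] for v in z]))
    z_hat = matmul(H, x_hat)
    r = [z[i] - z_hat[i][0] for i in range(m)]              # measurement residuals
    J = sum(w[i] * r[i] ** 2 for i in range(m))             # chi-squared statistic
    threshold = chi2_quantile(m - n, confidence)            # m - n degrees of freedom
    # Residual covariance Omega = R - H G^-1 H^T; only its diagonal is needed.
    Ginv_Ht = solve(G, Ht)
    norm_res = []
    for i in range(m):
        omega_ii = sigma[i] ** 2 - sum(H[i][k] * Ginv_Ht[k][i] for k in range(n))
        # A critical measurement has omega_ii ~ 0: its error cannot be detected.
        ok = omega_ii > 1e-9 * sigma[i] ** 2
        norm_res.append(abs(r[i]) / math.sqrt(omega_ii) if ok else 0.0)
    worst = max(range(m), key=lambda i: norm_res[i])
    return {
        "x_hat": [row[0] for row in x_hat],
        "J": J,
        "chi2_threshold": threshold,
        "chi2_alarm": J > threshold,
        "max_norm_res": norm_res[worst],
        "lnr_alarm": norm_res[worst] > lnr_threshold,
        "suspect": worst,                                   # index of the largest normalized residual
    }

# Constructed 3-bus system, unit reactances, bus 1 as reference; states are
# the angles of buses 2 and 3. Rows: flows P12, P13, P23, injections P2, P3.
H = [[-1.0, 0.0], [0.0, -1.0], [1.0, -1.0], [2.0, -1.0], [-1.0, 2.0]]
SIGMA = [0.01] * 5
# Constructed normal snapshot: H @ [-0.05, -0.08] plus small fixed noise.
Z_NORMAL = [0.054, 0.074, 0.033, -0.022, -0.105]
# Same snapshot with a gross error of 0.5 p.u. on the P23 flow (index 2).
Z_GROSS = [0.054, 0.074, 0.533, -0.022, -0.105]

if __name__ == "__main__":
    for name, z in (("normal", Z_NORMAL), ("gross error", Z_GROSS)):
        res = bad_data_check(H, z, SIGMA)
        print(name, "J=%.2f" % res["J"], "thr=%.2f" % res["chi2_threshold"],
              "max r_N=%.2f" % res["max_norm_res"],
              "alarms:", res["chi2_alarm"], res["lnr_alarm"], "suspect:", res["suspect"])
```

The LNR threshold of 3 matches the fixed threshold the paper uses for the IEEE118 case, and the `confidence` argument covers the 95% and 90% levels reported in Table 3.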
Deep learning-based detector: In [38], Bhattacharjee et al. proposed a deep latent space clustering (DLSC) framework that combines stacked autoencoders (SAEs) with unsupervised k-means clustering to detect stealthy false data injection attacks (FDIAs) in AC state estimation without requiring labeled data.
Table 4 presents the performance comparison of different attack models under DLSC detection, evaluated using four metrics: Accuracy, Precision, Recall, and F1 Score. These metrics are commonly used to measure the detection system’s ability to identify attacks, with the following interpretations in the context of attack detection:
  • Accuracy: Represents the proportion of correctly classified samples, including both correctly detected attacks and correctly identified normal measurements. A higher accuracy indicates the detection system’s overall reliability in distinguishing between attacks and normal data, while a lower accuracy suggests that the system struggles to identify the true nature of the measurements.
  • Precision: Indicates the proportion of detected attacks that are true attacks (i.e., the accuracy of positive predictions). In this context, higher precision means the detection system generates fewer false alarms, while lower precision implies that many normal measurements are misclassified as attacks.
  • Recall: Reflects the proportion of all true attacks that are successfully detected. Higher recall indicates that the detection system can capture a larger fraction of the actual attacks, while lower recall suggests that many attacks evade detection, indicating better attack stealthiness.
  • F1 Score: Combines precision and recall into a single metric by calculating their harmonic mean. A higher F1 Score represents a good balance between precision and recall, indicating strong detection performance. Conversely, a lower F1 Score highlights that either precision or recall (or both) is compromised, which often correlates with higher attack stealthiness.
In the context of evaluating attack efficacy, higher detection metrics (Accuracy, Precision, Recall, and F1 Score) reflect stronger detection performance and consequently weaker attack efficacy. On the other hand, lower detection metrics suggest that the detection system struggles to identify attacks, demonstrating higher attack stealthiness and success.
The baseline methods—SAGAN, AE-WGAN, and LSTMAE-GAN—utilize their respective generated false measurements for both training and testing, leading to fixed performance levels. Among these methods, SAGAN and LSTMAE-GAN exhibit relatively stronger attack stealthiness, as indicated by lower detection metrics (e.g., F1 Scores of 0.6343 and 0.6739, respectively). In contrast, AE-WGAN achieves higher detection metrics (F1 Score = 0.9009), reflecting weaker attack stealthiness and making it easier for the detection system to identify the attack vectors. These results highlight the limitations of baseline methods in controlling or adapting the attack strength to evade detection effectively.
The proposed PI-ExAVAE model demonstrates a significant advancement by enabling precise control over attack stealthiness through the adjustable parameter $val$. Trained with false measurements generated at $val = 0.5$, the model achieves perfect evasion (all detection metrics = 1.0000) under testing at the same $val$. To evaluate the adaptability of PI-ExAVAE, we tested it across a range of $val$ values (from 0 to 1). At $val = 0$, the model achieves an F1 Score of 0.1025, indicating high attack stealthiness as the detection system fails to recognize most attacks. As $val$ increases, detection metrics gradually rise, reflecting a decrease in attack stealthiness. For instance, at $val = 0.3$, the F1 Score reaches 0.9816, and from $val = 0.5$ onwards, all detection metrics reach 1.0000, signifying the attack becomes fully detectable. It is worth noting that the attack vectors generated by PI-ExAVAE at a single intensity ($val = 0.5$) exhibit high consistency with those generated by AE-WGAN, leading to relatively low randomness. This characteristic makes the attacks easier to detect under fixed parameters, as reflected in the recall consistently reaching 1. This limitation is mitigated by the ability of PI-ExAVAE to adaptively adjust attack intensities. Furthermore, introducing a mixture of attack intensities during training could further degrade the performance of the DLSC detection system, amplifying the effectiveness of the proposed method. This ability to systematically adjust attack stealthiness underscores the superior control capability of PI-ExAVAE compared to the fixed-performance baseline methods. Such adaptability makes PI-ExAVAE a versatile tool for generating tailored attacks, offering enhanced stealthiness in diverse scenarios.

5.1.4. Analysis of Model Robustness to Noise

For SCADA systems, measurement errors often lead to deviations between the original measurement data and the power flow data after state estimation, which may affect attacks. However, our PI-ExAVAE model effectively handles noise by leveraging the VAE’s latent space regularization to suppress high-frequency noise and the adversarial training to refine realistic, noise-free outputs. This combination ensures robust noise mitigation while preserving the fidelity of the underlying data structure. In order to verify the robustness of the PI-ExAVAE to noise, three normal noises $\mathcal{N}(0, 0.01)$, $\mathcal{N}(0, 0.03)$, and $\mathcal{N}(0, 0.05)$ are added to the sample data to simulate the measurement error, and the attack success rate of the proposed PI-ExAVAE attack model is calculated and analyzed. Here, we calculate the residual and success rate after the attack under different measuring errors when $val = 0.5$, and the results are shown in Table 5.
As the measuring errors increase, the residual of the false data constructed by the proposed PI-ExAVAE attack model is always smaller than the residual before the attack. When the variance of the measuring error reaches 0.03 and 0.05, the average residuals of the system before the attack increase by 11.09 and 20.36, while those after the attack only increase by 6.36 and 15.7. The results indicate that regardless of the measurement error, the false data generated by the proposed PI-ExAVAE attack model can evade bad data detection. In other words, the proposed attack model exhibits strong robustness to measurement errors.

5.2. IEEE118 Test System

The generation of measurements is similar to that of the IEEE14 system in Section 5.1. Specifically, real power load data of the IEEE118 test system is obtained by simulating the pattern of NYISO’s real power load based on the IEEE118 system’s standard load data
$$m(k) = m(k-1) + randn \times 0.1$$
$$PD_{i,j} = PD_{i,j}^{IE} \times m(j)$$
where $x(1) = 1$, $\{k \in \mathbb{Z} \mid 1 \le k \le N_{datas}\}$ and $randn$ represents a normally distributed random number. In Equation (23b), $PD$ and $IE$ represent real power load and IEEE118, respectively; $i$ and $j$ represent the bus number and time point of the real power load. After obtaining the real power load, we use the same steps as described in Section 5.1 to obtain the measurement. Finally, white Gaussian noise $\mathcal{N}(0, 0.01)$ is added to the measurements. Each bus and each line is equipped with a power measurement to obtain active and reactive power of buses (except for reference bus) and bidirectional line flows. Therefore, for the snapshot at a given timepoint, the measurement data of the IEEE118 includes M = 4 × L + 2 × N = 978 (recall L = 186 is the number of links and N = 117 is the number of nodes).
For the IEEE118 system, the attack model is trained as follows: we perform 300 iterations, and each batch consists of 4000 randomly shuffled samples. In addition, 10,000 samples are used for testing, and the model is trained with the same optimizer as in Section 5.1.
Table 6 and Figure 10 collectively demonstrate the flexibility and effectiveness of the proposed PI-ExAVAE model in generating stealthy and impactful false measurements in the IEEE-118 system. Table 6 presents the success rates of the model in bypassing the normalized maximum residuals test with a fixed threshold of $r_i = 3$. The results show that the PI-ExAVAE model achieves a 100% success rate for $val$ values between 0 and 0.8, with a slight decrease to 95.3% and 90.2% for $val = 0.9$ and $val = 1.0$, respectively. The residual statistics (min, mean, and max) before the attack further highlight the model’s ability to generate effective attacks that reduce the maximum residual below the detection threshold.
Figure 10 complements these findings by illustrating the voltage phasors (magnitude on the left and angle on the right) across 117 buses before and after the attack for different $val$ values. At lower $val$ values, the deviations from the pre-attack states are minimal and stealthy, closely resembling the original measurements, while higher $val$ values introduce more significant and targeted disruptions, particularly for specific buses. Despite the increasing attack intensity, the generated states remain physically plausible and consistent with power system constraints, demonstrating the model’s robustness.
These results highlight the scalability and controllability of the PI-ExAVAE model. By adjusting the parameter $val$, the model can effectively balance stealthiness and impact, adapting to complex detection scenarios such as the normalized maximum residuals test. Its ability to maintain physical feasibility while scaling attack intensity underscores its suitability for large-scale systems and diverse detection mechanisms.

6. Conclusions

This study introduces the PI-ExAVAE model, a physics-guided generative framework for creating stealthy and impactful false measurements in power systems. By integrating domain knowledge and physical constraints, the model generates measurements that remain consistent with system physics while effectively evading detection mechanisms, such as $\chi^2$-tests and normalized maximum residuals tests. Unlike SAGAN, which produces abrupt and less structured deviations, the PI-ExAVAE model offers fine-grained control through the parameter $val$, enabling a balance between stealthiness and impact and adaptability to varying detection thresholds. The model demonstrates strong extrapolative capabilities, generating physically plausible states beyond the training data, and excels in large-scale systems like IEEE-118, maintaining effectiveness and scalability. Experimental results confirm the model’s superior performance over SAGAN, achieving near-perfect detection evasion across diverse scenarios.
In summary, PI-ExAVAE sets a new standard for generating stealthy and adaptable false measurements in power systems, making it a robust tool for analyzing system vulnerabilities and advancing the study of smart grid security.

Author Contributions

Writing—original draft preparation, S.Z.; writing—review and editing, W.L.; supervision, F.X. and Q.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data are available upon request.

Acknowledgments

We thank the anonymous reviewers for their valuable comments.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
IoT: Internet of Things
PI VAE: physics-informed variational autoencoder
BDD: bad data detection
GAN: generative adversarial network
FDIA: false data injection attacks
SE: state estimation
SEJM: state estimation Jacobian matrix
AE: autoencoder
ANNs: artificial neural networks

References

  1. Liu, Y.; Ning, P.; Reiter, M.K. False data injection attacks against state estimation in electric power grids. ACM Trans. Inf. Syst. Secur. (TISSEC) 2011, 14, 1–33.
  2. Horowitz, B.M.; Pierce, K.M. The integration of diversely redundant designs, dynamic system models, and state estimation technology to the cyber security of physical systems. Syst. Eng. 2013, 16, 401–412.
  3. Bobba, R.B.; Rogers, K.M.; Wang, Q.; Khurana, H.; Nahrstedt, K.; Overbye, T.J. Detecting false data injection attacks on dc state estimation. In Proceedings of the Preprints of the First Workshop on Secure Control Systems, CPSWEEK, Stockholm, Sweden, 12 April 2010; Volume 2010.
  4. Baumeister, T. Literature Review on Smart Grid Cyber Security; Collaborative Software Development Laboratory at the University of Hawaii: Honolulu, HI, USA, 2010; Volume 650.
  5. Zhang, J.; Chu, Z.; Sankar, L.; Kosut, O. Can attackers with limited information exploit historical data to mount successful false data injection attacks on power systems? IEEE Trans. Power Syst. 2018, 33, 4775–4786.
  6. Liang, J.; Sankar, L.; Kosut, O. Vulnerability analysis and consequences of false data injection attack on power system state estimation. IEEE Trans. Power Syst. 2015, 31, 3864–3872.
  7. Liu, X.; Li, Z. Local load redistribution attacks in power systems with incomplete network information. IEEE Trans. Smart Grid 2014, 5, 1665–1676.
  8. Liu, X.; Li, Z. Local topology attacks in smart grids. IEEE Trans. Smart Grid 2016, 8, 2617–2626.
  9. Kim, J.; Tong, L.; Thomas, R.J. Subspace methods for data attack on state estimation: A data driven approach. IEEE Trans. Signal Process. 2014, 63, 1102–1114.
  10. Yu, Z.H.; Chin, W.L. Blind false data injection attack using PCA approximation method in smart grid. IEEE Trans. Smart Grid 2015, 6, 1219–1226.
  11. Lakshminarayana, S.; Kammoun, A.; Debbah, M.; Poor, H.V. Data-driven false data injection attacks against power grids: A random matrix approach. IEEE Trans. Smart Grid 2020, 12, 635–646.
  12. Yang, H.; He, X.; Wang, Z.; Qiu, R.C.; Ai, Q. Blind false data injection attacks against state estimation based on matrix reconstruction. IEEE Trans. Smart Grid 2022, 13, 3174–3187.
  13. Liang, G.; Zhao, J.; Luo, F.; Weller, S.R.; Dong, Z.Y. A review of false data injection attacks against modern power systems. IEEE Trans. Smart Grid 2016, 8, 1630–1638.
  14. Liang, J.; Kosut, O.; Sankar, L. Cyber attacks on AC state estimation: Unobservability and physical consequences. In Proceedings of the 2014 IEEE PES General Meeting|Conference & Exposition, National Harbor, MD, USA, 27–31 July 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 1–5.
  15. Liu, C.; Liang, H.; Chen, T. Network parameter coordinated false data injection attacks against power system AC state estimation. IEEE Trans. Smart Grid 2020, 12, 1626–1639.
  16. Deng, R.; Zhuang, P.; Liang, H. False data injection attacks against state estimation in power distribution systems. IEEE Trans. Smart Grid 2018, 10, 2871–2881.
  17. Zhao, J.; Zhang, G.; Dong, Z.; Wong, K. Forecasting-Aided Imperfect False Data Injection Attacks Against Power System Nonlinear State Estimation. IEEE Trans. Smart Grid 2016, 7, 6–8.
  18. Tian, J.; Wang, B.; Wang, Z.; Cao, K.; Li, J.; Ozay, M. Joint adversarial example and false data injection attacks for state estimation in power systems. IEEE Trans. Cybern. 2021, 52, 13699–13713.
  19. Yang, H.; Zhang, W.; Chung, C.; Wang, Z.; Qiu, W.; Liang, Z. AC False Data Injection Attack Based on Robust Tensor Principle Component Analysis. IEEE Trans. Ind. Inform. 2024, 20, 9887–9897.
  20. Jiao, R.; Xun, G.; Liu, X.; Yan, G. A new AC false data injection attack method without network information. IEEE Trans. Smart Grid 2021, 12, 5280–5289.
  21. Costilla-Enriquez, N.; Weng, Y. Attack power system state estimation by implicitly learning the underlying models. IEEE Trans. Smart Grid 2022, 14, 649–662.
  22. Narang, J.K.; Bag, B. Physical model learning based false data injection attack on power system state estimation. Sustain. Energy Grids Netw. 2024, 40, 101524.
  23. Liu, Z.; Wang, Q.; Ye, Y.; Tang, Y. A GAN-Based Data Injection Attack Method on Data-Driven Strategies in Power Systems. IEEE Trans. Smart Grid 2022, 13, 3203–3213.
  24. Lu, K.; Wu, Z. Constrained-Differential-Evolution-Based Stealthy Sparse Cyber-Attack and Countermeasure in an AC Smart Grid. IEEE Trans. Ind. Inform. 2022, 18, 5275–5285.
  25. Chen, S.; Shi, D.; Sadiq, M.; Cheng, X. Image denoising with generative adversarial networks and its application to cell image enhancement. IEEE Access 2020, 8, 82819–82831.
  26. Afrin, A.; Ardakanian, O. Adversarial Attacks on Machine Learning-Based State Estimation in Power Distribution Systems. In Proceedings of the 14th ACM International Conference on Future Energy Systems, Orlando, FL, USA, 20–23 June 2023; pp. 446–458.
  27. Chin, W.L.; Lee, C.H.; Jiang, T. Blind false data attacks against AC state estimation based on geometric approach in smart grid communications. IEEE Trans. Smart Grid 2017, 9, 6298–6306.
  28. Du, M.; Pierrou, G.; Wang, X.; Kassouf, M. Targeted false data injection attacks against AC state estimation without network parameters. IEEE Trans. Smart Grid 2021, 12, 5349–5361.
  29. Gardiner, C. Stochastic Methods: A Handbook for the Natural and Social Sciences; Springer: Berlin/Heidelberg, Germany, 2009.
  30. Rahman, M.; Yan, J.; Fapi, E.T. Adversarial Artificial Intelligence in Blind False Data Injection in Smart Grid AC State Estimation. IEEE Trans. Ind. Inform. 2024, 20, 8873–8883.
  31. Tian, J.; Wang, B.; Li, J.; Wang, Z.; Ma, B.; Ozay, M. Exploring Targeted and Stealthy False Data Injection Attacks via Adversarial Machine Learning. IEEE Internet Things J. 2022, 9, 14116–14125. [Google Scholar] [CrossRef]
  32. Sommestad, T.; Ekstedt, M.; Nordstrom, L. Modeling security of power communication systems using defense graphs and influence diagrams. IEEE Trans. Power Deliv. 2009, 24, 1801–1808. [Google Scholar] [CrossRef]
  33. Abur, A.; Exposito, A.G. Power System State Estimation: Theory and Implementation; CRC Press: Boca Raton, FL, USA, 2004. [Google Scholar]
  34. Kingma, D.P. Auto-encoding variational bayes. arXiv 2013, arXiv:1312.6114. [Google Scholar]
  35. Rahman, M.A.; Mohsenian-Rad, H. False data injection attacks against nonlinear state estimation in smart power grids. In Proceedings of the 2013 IEEE Power & Energy Society General Meeting, Vancouver, BC, Canada, 21–25 July 2013; IEEE: Piscataway, NJ, USA, 2013; pp. 1–5. [Google Scholar]
  36. NYISO. New York Control Area Load Zones. 2018. Available online: https://web.archive.org/web/20180619063459/http://www.nyiso.com/public/webdocs/markets_operations/market_data/zone_maps_graphs/nyca_zonemaps.pdf (accessed on 4 February 2025).
  37. Zimmerman, R.D.; Murillo-Sánchez, C.E.; Thomas, R.J. MATPOWER: Steady-state operations, planning, and analysis tools for power systems research and education. IEEE Trans. Power Syst. 2010, 26, 12–19. [Google Scholar] [CrossRef]
  38. Bhattacharjee, A.; Mondal, A.K.; Verma, A.; Mishra, S.; Saha, T.K. Deep latent space clustering for detection of stealthy false data injection attacks against AC state estimation in power systems. IEEE Trans. Smart Grid 2022, 14, 2338–2351. [Google Scholar] [CrossRef]
Figure 1. The structure of physics-informed extrapolative adversarial VAE.
Figure 2. The difference between attack methods based on GAN [20] and our PI-ExAVAE. The dotted line indicates the vector generation path after training is completed.
Figure 3. Region index of NYISO.
Figure 4. The residuals of the PI-ExAVAE under different val are compared with those of the raw measurements (y), LSTMAE-GAN, SAGAN, and AE-WGAN methods.
Figure 5. The detection rates of the PI-ExAVAE under different val are compared with those of the raw measurements (y), LSTMAE-GAN, SAGAN, and AE-WGAN. A “measurement group” includes all measurements collected at a single time step, including power measurements from multiple nodes. The light blue base of each bar shows the proportion of time steps with at least one abnormal measurement, while the orange stack represents the total abnormal measurements across all time steps divided by the total number of time steps. Red dots indicate detection rates of 0%.
Figure 6. Deviations of estimated and attacked measurements (with different val) compared with the original.
Figure 7. Voltage phasors of 13 buses (except for reference bus) before and after the attack with different methods and different val. The left figure shows the voltage magnitude, while the right figure shows the voltage phase angle. PI-ExAVAE demonstrates precise control over state estimation deviations, allowing for gradual adjustments in magnitude and phase angle as val varies.
Figure 8. Comparison of voltage magnitude (left) and voltage angle (right) between training data and the physics-guided model for IEEE-14 buses.
Figure 9. Detection rates under different thresholds of the normalized maximum residual r for various val values in the proposed PI-ExAVAE model compared to original measurements, SAGAN, LSTMAE-GAN, and AE-WGAN.
Figure 10. Voltage phasors of 117 buses before and after the attack. The left figure shows the voltage magnitude, while the right figure shows the voltage phase angle.
Table 1. Comparison of different FDIA methods.

| Method | Key Features | Voltage Required | Controllable SE Deviations |
|---|---|---|---|
| Afrin et al. [26] | Sneaky-FGSM selectively perturbs high-variance measurements using multi-layer perceptron (MLP) surrogate models | Yes | No |
| Costilla et al. [21] | AE-WGAN: autoencoder serving as a fixed surrogate estimator | Yes | No |
| Narang et al. [22] | LSTMAE-GAN: LSTMAE embeds temporal dependencies within the autoencoder-based surrogate estimator | Yes | No |
| Jiao et al. [20] | SA-GAN leverages the self-attention mechanism to effectively capture long-range dependencies in power measurement data | No | No |
| PI-ExAVAE | A VAE guided by physical priors to control post-attack state estimation deviations via latent space controllability | No | Yes |
Table 2. Architectures of the PI-ExAVAE attack model for IEEE14.

| Encoder | Decoder | Discriminator |
|---|---|---|
| Conv2d(1, 8, (3, 2), (2, 1)), ReLU | ConvTranspose2d(hidden, 32, (2, 2), (1, 1)), ReLU | Conv2d(1, 16, (3, 2), (2, 2)) |
| Conv2d(8, 16, (3, 2), (2, 1)), ReLU | ConvTranspose2d(32, 16, (3, 2), (1, 1)), ReLU | SpectralNorm, LeakyReLU |
| Conv2d(16, 32, (3, 2), (1, 1)), ReLU | ConvTranspose2d(16, 8, (3, 2), (2, 1)), ReLU | Conv2d(16, 32, (3, 2), (2, 1)) |
| Conv2d(32, 64, (2, 2), (1, 1)), ReLU | ConvTranspose2d(8, 1, (4, 3), (2, 1)), ReLU | SpectralNorm, LeakyReLU |
| FC(hidden, latent)-Mean | Tanhshrink | Conv2d(32, 64, (3, 2), (2, 1)) |
| FC(hidden, latent)-Logvar | | SpectralNorm, LeakyReLU |
| | | AdaptiveAvgPool2d(1) |
| | | Linear(64, 1), Sigmoid |
Table 3. Comparison of passing the χ²-test with SAGAN, LSTMAE-GAN, and AE-WGAN.

| | Confidence Level | SAGAN | LSTMAE-GAN | AE-WGAN | PI-ExAVAE (val = 0) | PI-ExAVAE (val = 0.5) | PI-ExAVAE (val = 1) |
|---|---|---|---|---|---|---|---|
| Success Rate (%) | 95% | 95.5 | 98.6 | 100 | 98.2 | 100 | 100 |
| | 90% | 90.2 | 95.3 | 100 | 96.1 | 100 | 100 |
Table 4. Performance comparison of different attack models under DLSC detection.

| Method | Accuracy | Precision | Recall | F1 Score |
|---|---|---|---|---|
| SAGAN | 0.4645 | 0.4816 | 0.9290 | 0.6343 |
| AE-WGAN | 0.8900 | 0.8197 | 1.0000 | 0.9009 |
| LSTMAE-GAN | 0.5160 | 0.5081 | 1.0000 | 0.6739 |
| PI-ExAVAE, val = 0 | 0.5270 | 1.0000 | 0.0540 | 0.1025 |
| PI-ExAVAE, val = 0.1 | 0.7445 | 1.0000 | 0.4890 | 0.6568 |
| PI-ExAVAE, val = 0.2 | 0.8945 | 1.0000 | 0.8890 | 0.9411 |
| PI-ExAVAE, val = 0.3 | 0.9502 | 1.0000 | 0.9643 | 0.9816 |
| PI-ExAVAE, val = 0.4 | 1.0000 | 1.0000 | 1.0000 | 1.0000 |
| PI-ExAVAE, val = 0.5 | 1.0000 | 1.0000 | 1.0000 | 1.0000 |
| PI-ExAVAE, val = 0.6 | 1.0000 | 1.0000 | 1.0000 | 1.0000 |
| PI-ExAVAE, val = 0.7 | 1.0000 | 1.0000 | 1.0000 | 1.0000 |
| PI-ExAVAE, val = 0.8 | 1.0000 | 1.0000 | 1.0000 | 1.0000 |
| PI-ExAVAE, val = 0.9 | 1.0000 | 1.0000 | 1.0000 | 1.0000 |
| PI-ExAVAE, val = 1 | 1.0000 | 1.0000 | 1.0000 | 1.0000 |
Table 5. The success rate of IEEE14 system under different noise levels.

| Normal Noise | Residual Before Attack (Min/Mean/Max) | Residual After Attack (Min/Mean/Max) | Success Rate |
|---|---|---|---|
| N(0, 0.01) | 43.70/79.55/118.26 | 10.00/17.08/35.95 | 100% |
| N(0, 0.03) | 54.84/90.64/146.24 | 15.14/23.44/65.68 | 99.7% |
| N(0, 0.05) | 63.03/99.91/175.64 | 25.42/32.78/90.20 | 99.5% |
Table 6. The success rates of IEEE118 system.

| | Min/Mean/Max | Success Rate |
|---|---|---|
| Residual before attack | 643.07/742.75/863.78 | 90% |
| PI-ExAVAE, val = 0 | 83.82/94.58/121.52 | 100% |
| PI-ExAVAE, val = 0.1 | 83.50/89.86/106.81 | 100% |
| PI-ExAVAE, val = 0.2 | 101.38/126.85/172.20 | 100% |
| PI-ExAVAE, val = 0.3 | 152.74/191.51/229.13 | 100% |
| PI-ExAVAE, val = 0.4 | 221.85/272.18/318.69 | 100% |
| PI-ExAVAE, val = 0.5 | 310.69/361.57/412.27 | 100% |
| PI-ExAVAE, val = 0.6 | 399.59/452.75/504.51 | 100% |
| PI-ExAVAE, val = 0.7 | 489.46/542.29/599.57 | 100% |
| PI-ExAVAE, val = 0.8 | 571.53/622.95/683.75 | 100% |
| PI-ExAVAE, val = 0.9 | 638.06/693.08/738.09 | 95.3% |
| PI-ExAVAE, val = 1.0 | 640.67/739.92/840.78 | 90.2% |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Zhao, S.; Luo, W.; Shu, Q.; Xu, F. Controllable Blind AC FDIA via Physics-Informed Extrapolative AVAE. Sensors 2025, 25, 943. https://doi.org/10.3390/s25030943
