Next Article in Journal
Case Study on Pre-Splitting Blasting Reasonable Parameters of Goaf-Side Entry Retained by Roof Cutting for Hard Main Roof
Next Article in Special Issue
New Energy Power System Dynamic Security and Stability Region Calculation Based on AVURPSO-RLS Hybrid Algorithm
Previous Article in Journal
Hyperparameter Search for Machine Learning Algorithms for Optimizing the Computational Complexity
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Random-Enabled Hidden Moving Target Defense against False Data Injection Alert Attackers

Mike Wiegers Department of Electrical and Computer Engineering, Kansas State University, Manhattan, KS 66506, USA
*
Author to whom correspondence should be addressed.
Processes 2023, 11(2), 348; https://doi.org/10.3390/pr11020348
Submission received: 20 December 2022 / Revised: 16 January 2023 / Accepted: 17 January 2023 / Published: 21 January 2023
(This article belongs to the Special Issue Advances in Electrical Systems and Power Networks)

Abstract

:
Hidden moving target defense (HMTD) is a proactive defense strategy that is kept hidden from attackers by changing the reactance of transmission lines to thwart false data injection (FDI) attacks. However, alert attackers with strong capabilities pose additional risks to the HMTD and thus, it is much-needed to evaluate the hiddenness of the HMTD. This paper first summarizes two existing alert attacker models, i.e., bad-data-detection-based alert attackers and data-driven alert attackers. Furthermore, this paper proposes a novel model-based alert attacker model that uses the MTD operation models to estimate the dispatched line reactance. The proposed attacker model can use the estimated line reactance to construct stealthy FDI attacks against HMTD methods that lack randomness. We propose a novel random-enabled HMTD (RHMTD) operation method, which utilizes random weights to introduce randomness and uses the derived hiddenness operation conditions as constraints. RHMTD is theoretically proven to be kept hidden from three alert attacker models. In addition, we analyze the detection effectiveness of the RHMTD against three alert attacker models. Simulation results on the IEEE 14-bus systems show that traditional HMTD methods fail to detect attacks by the model-based alert attacker, and RHMTD is kept hidden from three alert attackers and is effective in detecting attacks by three alert attackers.

1. Introduction

Modern power systems suffer from significant threats from cyber–physical attacks due to the vulnerabilities of widely used information and communication technology (ICT) enabled devices and Internet of things (IoT) technologies. In addition, energy sources such as wind and solar energy have inherent instability that might compromise the stability of the system [1]. According to the U.S. Department of Energy, 362 power interruptions related to cyber–physical attacks were reported between 2011 and 2014 [2]. False data injection (FDI) attacks are one of the most destructive cyber–physical attacks against smart grids. FDI attacks compromise measurements in the supervisory control and data acquisition (SCADA) system, which aim to manipulate the voltage estimated by the state estimation in the energy management system of the power system. FDI attacks can cause severe consequences, including line overloading, load shedding, unstable system states, and even voltage collapse [3].
Moving target defense (MTD) is introduced into the physical layer of power systems to detect FDI attacks. MTD actively perturbs the branch impedance using distributed flexible AC transmission system (D-FACTS) devices, such that the time-variant system configuration invalidates attackers’ knowledge about the actual power system configurations. The first MTD work against FDI attacks [4] proposed a random MTD (RMTD) method in which the reactance of an arbitrary subset of D-FACTS-equipped lines is randomly changed. It was proved that MTD methods could effectively detect FDI attacks [5,6,7,8,9], cyber–physical attacks [10], and Stuxnet attacks [11].

1.1. Related Work

MTD planning and MTD operation are two essential steps in implementing the MTD method. MTD planning refers to installing D-FACTS devices on an identified subset of transmission lines, and MTD operation refers to adjusting the D-FACTS setpoints under different load conditions. Reference [12] proved that MTD planning determines the detection effectiveness of MTDs. Max-rank placement [5,12] can achieve the maximum rank of the composite matrix, which is the widely used metric of MTD detection effectiveness. Arbitrary placement and full placement are the two simplest D-FACTS placement strategies without considering the detection effectiveness of MTDs. Arbitrary placement installed D-FACTS devices on randomly selected lines [4], while full placement installed D-FACTS devices on every transmission line [13]. The placement of D-FACTS devices was optimized in [14], which aims to reduce the number of measurements that can be manipulated by the attacker. It also proved that the coordinated design of consecutive perturbation schemes within an MTD cycle could improve the MTD’s performance in detecting FDI attacks.
MTD operation methods mainly determine the function of D-FACTS devices in MTD. The arbitrary operation method, the simplest MTD operation method, randomly perturbed the D-FACTS setpoints [4] without considering the economic benefits and detection effectiveness. Optimal-power-flow (OPF)-based operation methods utilized the D-FACTS devices and OPF model to control the power flow and minimize the system losses or generation costs [12,15,16]. Optimization-based operation methods maximized the metric of detection effectiveness or the economic cost to optimally dispatch the D-FACTS setpoints [13,17]. Recently, a double-benefit moving target defense was proposed to protect the smart grid from cyber–physical attacks (CPAs) and also gain generation-cost benefits in the DC power system model [9]. Reference [18] studied the effectiveness and hiddenness of MTD using measurement residuals in three-phase AC distribution system state estimation and further formulated the optimization problem for MTD to jointly optimize the effectiveness and hiddenness considering voltage stability. Reference [19] developed two strategies to make the increasing operation cost zero for activating the MTD. In addition, it studied the impact of MTD on the system dynamics using small signal stability.
A strong and alert adversary can detect the existence of MTD in place, which can drive the attacker to postpone the attack using the incorrect line impedance. Consequently, the attacker can invest more resources to obtain the current power system configuration, and potentially launch stealthy attacks with a higher-level threat. The concept of hidden MTD is proposed in transmission systems [6] and distribution systems [20], in which the defender delicately modifies the line impedance to maintain MTD hidden to the attacker.
There are three types of hidden MTD methods in the literature. In the first type, referred to as watermarking HMTD [21], the defender slightly changes the line impedance such that the status of the power system will not significantly change, and the attacker will not realize the existence of MTD. However, small line impedance changes cause the Chi-square bad data detector (BDD) in state estimation to fail to detect the FDI attacks. The defender had to utilize the CUSUM detector to detect FDI attacks. Due to the characteristic of CUSUM [22], the CUSUM detector cannot immediately detect the FDI attacks. As a consequence, the power system may suffer from FDI attacks for multiple time instants. In the second type, referred to as secure-meter-based HMTD [23], multiple protected meters were utilized in each loop of the power system topology to cover the status change of the power system and the power flow changes caused by the line impedance changes. It is assumed that attackers have no read access to the protected meters such that alert attackers (AA) cannot detect the existence of MTD using the remaining measurements through the state estimation. However, this method is expensive for the defender, as the expensive protected meters are only used for ensuring the hiddenness of MTD, rather than improving the detection effectiveness against attacks. In the third type, referred to as model-based HMTD [5,20], the defender delicately changes the line impedance such that the power flow of each transmission line is the same before and after the MTD. However, the model-based HMTD methods utilize optimization models without any uncertainties, which are not consistent with the dynamic defense nature of MTD. Randomness and diversity are two essential components in the dynamic defense strategy [24]. Without randomness in MTD, the attacker can apply the same HMTD method to estimate the exact line impedance dispatched by the system operator, if the attacker knows which model-based HMTD is used. Therefore, it is necessary to model possible alert attackers, and further improve the hiddenness and detection effectiveness of MTD methods against the different types of smart and alert attackers.

1.2. Research Gap

There is a research gap in that existing alert attackers need to be summarized and modeled, and novel alert adversaries with strong and advanced capabilities are necessary to be modeled. With clearly defined alert attacker models, these alert attacker models can be used as a metric to comprehensively evaluate the hiddenness and detection effectiveness of any novel MTD methods. In this paper, two existing alert attackers against MTD are modeled, i.e., BDD-based alert attacker (BDD-AA), and data-driven alert attacker (DD-AA). In addition, this paper proposes a novel model-based alert attacker (M-AA). These three alert attacker models can be used to analyze the drawbacks of existing HMTD methods.
This paper further proposes a novel HMTD method that is hidden to three alert attacker models. We compare the proposed HMTD method with the existing methods regarding the hiddenness and detection effectiveness against three alert attacker models in Table 1. Table 1 presents the drawbacks of existing HMTD methods, highlights the necessity of the proposed model-based alert attacker, and demonstrates the novelties of the proposed HMTD method. Note that the first Yes (Y) or No (N) indicates whether the HMTD method is hidden to a given alert attacker, and the second Y or N indicates whether the HMTD method is able to detect the attacks by the attacker.

1.3. Contribution

To fill the research gap, this paper summarizes two alert attacker models and further proposes a novel alert attacker model. These three alert attacker models formulate a metric to fully evaluate the hiddenness and detection effectiveness of any HMTD method. Then, this paper proposes a novel random-enabled HMTD (RHMTD) operation model that is stealthy to the three alert attackers. The contribution of this paper is summarized as follows:
  • We summarize two alert attacker models against MTD in the literature: (i) a BDD-based alert attacker who uses Chi-square BDD to detect the existence of MTD; and (ii) a data-driven alert attacker who uses dimension reduction and unsupervised learning methods to detect the existence of MTD.
  • We propose a novel alert attacker model, i.e., a model-based alert attacker, who uses the MTD operation model to calculate the dispatched line reactance and then uses Chi-square BDD to verify the correctness of the estimated reactance. This attacker model can use the estimated line reactance to construct stealthy FDI attacks against HMTD methods that lack randomness.
  • We propose a novel RHMTD operation model in the DC power system model, which maximizes the weighted line reactance changes and integrates the derived MTD hiddenness operation condition as constraints. The weights of the line reactance in the objective function follow the uniform distribution for introducing the randomness.
  • We theoretically prove the hiddenness of the proposed RHMTD method against three alert attacker models. We further analyze the attack detection effectiveness of the proposed method against three alert attacker models.
The rest of this paper is organized as follows. In Section 2, we define three alert attacker models. In Section 3, we derive a novel RHMTD operation model, prove the hiddenness of RHMTD to three alert attackers, and evaluate the attack detection effectiveness of RHMTD against three alert attackers. The case studies in the IEEE 14-bus system are conducted in Section 4. The paper is concluded in Section 5.

2. Alert Attacker Models

In this section, we first define variables used in this paper and then define three alert attacker models.

2.1. Notation

Variables used throughout the paper are summarized in Nomenclature. “D-FACTS lines” and “non-D-FACTS lines” stand for the set of lines equipped with and without D-FACTS devices, respectively.

2.2. BDD-Based Alert Attacker Model

The first BDD-based alert attacker model was proposed in [6]. Here, we refine the BDD-based alert attacker with the capability of topology learning capability.
Attack goal. The BDD-based alert attacker aims to launch traditional stealthy FDI attacks using correct line impedance under the MTD. Assumption. We assume that the attacker knows the original configuration of the system without MTD, including the system topology and the line impedance b 0 , but does not know the actual line impedance dispatched by MTD on the current time instant. Attacker’s capability. The attacker has read access to all SCADA measurements in the power system to detect MTD, and write access to all measurements to inject FDI attacks. The attacker can perform SE and BDD to detect MTD, and can launch the topology learning (TL) methods [25] to learn the current line impedance b ^ a . Attack logic. The flowchart of the BDD-based alert attacker is shown in Figure 1. The attacker conducts SE using the original line impedance before the MTD, and then performs BDD to calculate the estimation residual by (1).
r a = z 1 H 0 ( H 0 T H 0 ) 1 H 0 T z 1 2 = H 1 x 1 H 0 ( H 0 T H 0 ) 1 H 0 T z 1 2
where the measurement matrix under the MTD is H1 and the attacker’s original measurement matrix before MTD is H0.
If the attacker’s estimation residual is less than the threshold, i.e., r a < r t h , it indicates the attacker’s knowledge of the line impedance is correct and no MTD is applied in the field. Then, the attacker can launch stealthy FDI attacks using the original system configuration H0. If r a > r t h , the alert attacker suspects the accuracy of the line impedance due to the MTD and postpones launching attacks until bypassing the BDD check by estimating the actual line impedance with the topology learning methods.

2.3. Data-Driven Alert Attacker Model

The first data-driven alert attacker model against MTD is proposed in [21]. Here, we generalize the data-driven alert attacker model, and enable the attacker with stronger attack capability. Currently, only watermarking HMTD has been evaluated to remain hidden to the data-driven attacker through simulation. However, the hiddenness of the secure-meter-based HMTD and model-based HMTD has not been evaluated against the data-driven attacker.
Attack goal. The attacker aims to launch data-driven FDI attacks under the MTD. Assumption. It is assumed the attacker does not know the configuration of the system before and after the MTD, including the system topology and the line impedance, but he knows MTD may be applied in the system. Attacker’s capability. The attacker has read access and write access to all SCADA measurements. The attacker can collect historical measurement data over time and the attacker can use unsupervised machine learning methods to analyze the data.
Attack logic. The attack logic of the data-driven alert attacker is shown in Figure 2. First, the attacker adds all eavesdropped measurements in Z matrix. Then, the attacker applies the dimension reduction method (e.g., PCA) on the collected historical measurement Z to 2D for visualization. If the low-dimensional historical measurements form more than one cluster, it reflects the pattern of the power flow measurements significantly changing, indicating MTD could exist in the field. Then, the attacker can apply clustering algorithms (e.g., K-means and DBSCAN) to identify all historical measurements responding to the current MTD, and construct data-driven FDI attacks using the identified historical measurements. However, the number of the identified historical measurements depends on the frequency of MTD. Therefore, under MTD, the number of historical measurements that can be used for constructing data-driven FDI attacks is significantly reduced. Since the performance of data-driven FDI attacks heavily relies on the number of measurements, advanced data-driven FDI attack methods need to be applied, such as matrix reconstruction FDI [26]. If the low-dimensional historical measurements only form one cluster, it indicates MTD is not applied in the field. Therefore, all collected historical measurements can be used to construct data-driven FDI attacks. With sufficient historical measurements, the attack has more data-driven FDI attack methods to choose from for constructing malicious injection vectors, such as PCA-FDI [27] and subspace FDI [28].

2.4. Model-Based Alert Attacker Model

For the first time, this paper proposes a model-based alert attacker model. This alert attacker model is designed for the existing MTD or HMTD methods [5,12,15,19,20], which are based on the optimization problem without considering any uncertainties. If the attacker applies the same MTD model, it is easy to obtain the actual line impedance dispatched in the field.
Attack goal. The attacker aims to launch traditional FDI attacks using the correct line impedance under the MTD. Assumptions. We assume the attacker knows the configuration of the system, including the system topology and the line impedance before the MTD. Attacker’s capability. The attacker has read access and write access to all SCADA measurements. In addition, the attacker is assumed to know the multiple MTD operation models, including the method used by the system operator. Attack logic. As shown in Figure 3, the model-based alert attacker utilizes the MTD operation model to calculate the dispatched line impedance b ^ a and measurement matrix H ^ . Then, the attacker can further evaluate the correctness of the solved line impedance by r a = z 1 H ^ ( H ^ T H ^ ) 1 H ^ T z 1 2 . If r a < r t h , it indicates the attacker obtains the actual line impedance under the MTD. If the estimated residual is larger than the threshold, i.e., r a > r t h , the alert attacker needs to change an MTD operation method until the system operator’s current MTD operation model is found and correct line impedance is obtained. Then, the attacker can launch the traditional FDI attacks using H ^ .

3. Random-Enabled HMTD

In this section, we first derive a novel hiddenness operation condition of HMTD, and then propose a novel RHMTD operation model. Finally, we prove that the proposed RHMTD is hidden to three alert attackers, and analyze the attack detection effectiveness of RHMTD.

3.1. Hiddenness Operation Condition

Assume MTD changes the line impedance of the transmission lines. Accordingly, the measurement matrix is changed from H0 to H1, and system states are changed from θ 0 to θ 1 . SCADA measurements are changed from z 0 = H 0 θ 0 (the measurements before MTD) to z 1 = H 1 θ 1 (the measurements after MTD).
We will use the decomposition of H matrix to demonstrate the impact of D-FACTS devices on H and the relationship between H0 and H1. First, we separate matrix H0 into two submatrices, i.e., H 0 1 and H 0 2 , which correspond to the measurements related to the lines with and without D-FACTS devices, respectively. Then, we apply the matrix decomposition [12] on H 0 1 and H 0 2 , respectively:
H 0 = [ H 0 1 H 0 2 ] = [ D 1 X 1 A 1 D 2 X 2 A 2 ]
where X1 p1×p1 and X2 p2×p2 are the diagonal reactance matrix of p1 D-FACTS lines and p2 non-D-FACTS lines, respectively; A1 n−1×p1 and A2 n−1×p2 are the reduced bus-branch incidence matrixes of the graphs composed of the D-FACTS lines and non-D-FACTS lines, respectively; D1 and D2 are the meter deployment matrixes of graph A1 and A2, respectively. Here, D-FACTS lines refer to the transmission lines equipped with D-FACTS devices, and non-D-FACTS lines refer to the remaining transmission lines in the power system. Similarly, H1 can be expressed by (3):
H 1 = [ H 1 1 H 1 2 ] = [ D 1 X 1 A 1 D 2 X 2 A 2 ] = [ D 1 ( X 1 + Δ X ) A 1 D 2 X 2 A 2 ]
where X is the diagonal reactance matrix of D-FACTS lines after D-FACTS devices modify the line reactance; and Δ X is the incremental line reactance matrix, i.e., Δ X = X 1 X 1 . Equations (2) and (3) intuitively demonstrate the impact of MTD on the measurement matrix. MTD only modified the submatrix of the measurement matrix related to the D-FACTS devices.
According to [6], HMTD remains hidden to BDD-based attackers by keeping all measurements unchanged after the setpoint changes of D-FACTS devices, i.e., z 0 = z 1 . In the noiseless condition, the unchanged measurement condition can be reformulated:
[ H 0 1 H 0 2 ] θ 0 = [ H 1 1 H 1 2 ] ( θ 0 + Δ θ )
where Δ θ is the incremental state by MTD, i.e., Δ θ = θ 1 θ 0 . When we substitute (2) and (3) into (4), we can obtain:
{ D 1 X 1 A 1 θ 0 = D 1 ( X 1 + Δ X ) A 1 ( θ 0 + Δ θ ) D 2 X 2 A 2 Δ θ = 0
Since D 2 X 2 A 2 is a fixed matrix, Δ θ determined by HMTD should belong to the null space of D 2 X 2 A 2 , i.e., Δ θ N u l l ( D 2 X 2 A 2 ) . Thus, Δ θ can be represented by the kernel bases of D 2 X 2 A 2 . Therefore, the hiddenness condition of the HMTD can be summarized as follows:
D 1 X 1 A 1 θ 0 = D 1 ( X 1 + Δ X ) A 1 ( θ 0 + K W )
where K = [ k 1 , k 2 , , k s ] p1×s is the matrix of kernel bases of D 2 X 2 A 2 ; W = [ w 1 , w 2 , , w s ] T s is the weight determined by the system operator; and s is the dimension of kernel bases.

3.2. The Random-Enabled HMTD Model

In order to remain hidden to three alert attackers and ensure the attack detection effectiveness, an HMTD operation model should simultaneously meet the following four requirements. First, for the BDD-based alert attacker, the measurements need to remain unchanged before and after the implementation of MTD. Essentially, the setpoints of D-FACTS devices in the HMTD operation model should satisfy the derived hiddenness condition (6). Secondly, for the data-driven alert attacker, MTD ought to avoid introducing distinct changes in measurements. Note that this requirement is less restrictive than that of the BDD-based alert attacker. Thirdly, for the model-based alert attacker, it is necessary to introduce unpredicted randomness into the HMTD operation model. In this case, even though the model-based alert attacker applies the same HMTD operation algorithm used by the system operator, the attacker still fails to obtain the actual line reactance dispatched by the system operator. Finally, sufficient line reactance changes are needed to guarantee a fast and effective attack detection capability [12].
We propose a non-convex, non-linear, optimization-based RHMTD operation model in (7), which aims to remain hidden to three alert attacker models and ensure the attack detection effectiveness. The proposed RHMTD model maximizes the weighted square of the line reactance changes using uniformly distributed random weights. The maximized line reactance changes ensure the attack detection effectiveness, while the random weights contribute to providing uncertainties to the model-based alert attacker. Constraint (8) is the derived hiddenness condition, which ensures the RHMTD is hidden to the BDD-based and data-driven alert attackers. Constraint (9) defines the kernel bases of D 2 X 2 A 2 for the hiddenness condition. Constraint (10) is the physical constraint of the D-FACTS devices’ working setpoints. Generally, the MTD magnitude μ is 0.2 [6].
max Δ X , W   diag ( Δ X ) T λ diag ( Δ X )
s . t . D 1 X 1 A 1 θ 0 = D 1 ( X 1 + Δ X ) A 1 ( θ 0 + K W )  
K = N u l l ( D 2 X 2 A 2 )  
μ diag X 1 diag ( Δ X ) μ diag X 1
where the weight parameter λ is random variables following the uniform distribution between 0 and 1, i.e., λ i U ( 0 , 1 ) , i = 1 , 2 , , X 1 0 .
The RHMTD operation model can be seamlessly integrated into the existing energy management system of the power system. The defender, i.e., the system operator, can assign the weight and then calculate the setpoints of the D-FACTS devices by solving model (7) after the optimal power flow (OPF) function determines the optimal generation. Then, the D-FACTS setpoints are sent to the field devices for implementation through encrypted communication.

3.3. Hiddenness of the RHMTD against Alert Attackers

In this section, we prove the hiddenness of the proposed method to three alert attackers. Assume the measurements before the MTD are z 0 = H 0 x 0 , and the measurements after the RHMTD are z 1 = H 1 x 1 , where H 1 is determined by (7). Note that z 0 = z 1 holds in the noiseless condition due to the hiddenness operation constraints.
Theorem 1.
The RHMTD model is hidden to the BDD-based alert attacker.
Proof. 
The BDD-based alert attacker uses the system configuration H 0 to calculate the estimation residual, and the estimation residual of the proposed RHMTD is zero in the noiseless condition, as follows. Thus, RHMTD is hidden to the BDD-based alert attacker.
r a = z 1 H 0 ( H 0 T H 0 ) 1 H 0 T z 1 2 = z 0 H 0 ( H 0 T H 0 ) 1 H 0 T z 0 2 = z 0 H 0 ( H 0 T H 0 ) 1 H 0 T H 0 x 0 2 = z 0 H 0 x 0 2 = 0
 □
Theorem 2.
The RHMTD is hidden to the data-driven alert attacker.
Proof. 
The data-driven alert attacker collects a set of historical measurements to conduct the UL detection. It is assumed that the attacker arranges all eavesdropped measurement vectors of T time instants into a historical measurement matrix Z H i s t = [ z 1 , z 2 , , z T ] , where Z H i s t m×T. Let us separate T time instants into two parts, i.e., T = T 1 + T 2 , and accordingly, let Z 1 and Z 2 be the historical measurement matrix of T1 and T2 time instants, respectively. When there are no MTDs applied in the system over T time instants, the historical measurement matrix is denoted by Z 0 H i s t = [ Z 1 , 0 Z 2 , 0 ] . The data-driven attacker first applies the PCA on Z 0 H i s t to reduce the dimension, and cluster the low-dimension data Z 0 P C A as follows:
Z 0 P C A = P C A ( Z 0 H i s t )
y i = C l u s t e r ( Z 0 P C A )
where yi is the cluster index of the i-th dimension-reduced measurement vector.
Assume the RHMTD model is applied since T2–th time instants, and the historical measurement matrix collected by the attacker becomes Z R H H i s t = [ Z 1 , 0 Z 2 , H ] . Due to the hiddenness operation condition, the measurement vector in the T2 time instants remain unchanged with and without RHMTD, i.e., Z 2 , 0 = Z 2 , H . Thus, Z 0 H i s t = Z R H H i s t holds. Then, the dimension-reduced vectors of Z R H H i s t are the same as those of Z 0 H i s t , i.e., P C A ( Z R H H i s t ) = Z 0 P C A . Since the input of the clustering algorithm remains unchanged, the RHMTD will not change the clustering results. Therefore, the proposed RHMTD is hidden to the data-driven alert attacker. □
Theorem 3.
The RHMTD is hidden to the model-based alert attacker.
Proof. 
It is assumed that the model-based alert attacker applies the RHMTD model (7) using the eavesdropped measurements z 1 , and obtains the system configuration H ^ . Even though the input measurement of the RHMTD model conducted by the system operator and the attacker are the same ( z 0 = z 1 ), different weights result in different D-FACTS setpoints, i.e., H R H H ^ . Due to the hiddenness condition, z 1 = H ^ x 2 holds. The estimation residual computed by the model-based alert attacker using H ^ is zero as follows.
r a = z 1 H ^ ( H ^ T H ^ ) 1 H ^ T z 1 2 = z 1 H ^ ( H ^ T H ^ ) 1 H ^ T H ^ x 2 2 = z 1 H ^ x 2 2 = 0
Note that if the attacker happens to use the same weight as that used by the system operator, H R H = H ^ holds. However, it does not impact the hiddenness of the RHMTD in Theorem 3. It only degrades the attack detection effectiveness of the proposed RHMTD, but it happens with very low probability. □

3.4. Detection Effectiveness of the RHMTD against Alert Attackers

In this section, we analyze the attack detection effectiveness of RHMTD against the attacks by the BDD-based and model-based alert attackers due to the straightforward analysis, and then prove that the RHMTD has the maximum detection effectiveness against the PCA-FDI attacks by the data-driven attackers.
For the BDD-based alert attacker, the stealthiness of the RHMTD misleads the attacker to adopt the traditional FDI attacks without the aid of topology learning. It is proved that the placement of D-FACTS determines the attack detection effectiveness of MTD against the traditional FDI attacks [12]. The max-rank HMTD placement [5] adopted in this paper guarantees the maximum attack detection effectiveness under the assumption that the reactance of all D-FACTS lines is changed by the D-FACTS devices. This assumption is satisfied by the RHMTD operation by maximizing the line reactance changes introduced by D-FACTS devices. Therefore, the RHMTD under the max-rank HMTD placement has the maximum detection effectiveness of the attacks by the BDD-based attackers.
The model-based alert attacker constructs FDI attacks using H ^ under the RHMTD. According to the MTD detection effectiveness metric [6,12,13], the detection effectiveness of RHMTD with H R H against the model-based alert attacker depends on the rank of the composite matrix, i.e., r a n k ( [ H ^ H R H ] ) . We can apply the graph theory analysis on deriving the value of r a n k ( [ H ^ H R H ] ) . Note that in the D-FACTS placement problem, it is the difference between the original line reactance (attacker’s knowledge) and defender’s dispatched line reactance that determines the detection effectiveness. However, it is the difference between the attacker’s estimated line reactance b ^ a (attacker’s knowledge) and defender’s dispatched line reactance b that plays an important role in the detection effectiveness of the model-based attacker’s attacks. Thus, we treat the difference between the attacker’s estimated line reactance and the defender’s dispatched line reactance, i.e., b ^ a b , as the contribution of D-FACTS devices. If b ^ a ( i ) = b ( i ) holds for the i-th D-FACTS line, it indicates the D-FACTS device on this line does not exist from the perspective of the alert attacker, referred to as the equivalently removed D-FACTS line hereafter; if b ^ a ( i ) b ( i ) , the D-FACTS device on this line works. In this case, if b ^ a b holds for all D-FACTS lines, the adopted max-rank HMTD placement ensures the maximum attack detection effectiveness, i.e., max ( r a n k ( [ H ^ H R H ] ) ) = p based on the graph theory analysis of MTD [12]. If the attacker accurately estimates the defender’s dispatched reactance of some D-FACTS lines, the rank of the composite matrix in MTDs is determined by the number of loops in G a as follows:
r a n k ( [ H ^ H R H ] ) = p l p D F ¯
where l p D F ¯ is the number of loops in G a and G a is a graph constructed from the view of the attackers, consisting of all buses, non-D-FACTS lines, and equivalently removed D-FACTS lines.
For the data-driven alert attacker, the hiddenness of RHMTD misleads the alert attacker to estimate the principle components of H 0 before the MTD, rather than that of the actual H R H . Consequently, the stealthiness of the PCA-FDI attack is degraded greatly. Specifically, the stealthiness of the PCA-FDI attacks depends on the difference between the column space of H 0 and that of H R H . In Theorem 4, we prove that the proposed RHMTD under the max-rank HMTD placement maximizes the difference between the column space of H 0 and that of H R H such that the stealthy attack space is minimized.
Theorem 4.
The RHMTD model has the maximized attack detection probability to the PCA-FDI attack by the data-driven alert attacker.
Proof. 
The alert attacker collects historical measurements under RHMTD over T times, and the historical measurement matrix is denoted by Z R H H i s t . Similar to the proof of Theorem 3, Z 0 H i s t = Z R H H i s t holds in the noiseless condition due to the hiddenness of the RHMTD. Therefore, the estimated H matrix under the RHMTD H R H P C A = P C A ( Z R H H i s t ) is the same as that without MTD H 0 P C A = P C A ( Z 0 H i s t ) in the noiseless condition, i.e., H R H P C A = H 0 P C A . Then, PCA-FDI attacks are constructed by a = H R H P C A c = H 0 P C A c .
According to the principle of FDI attack [6], if the attack vector a belongs to the column space of H R H , i.e., a c o l ( H R H ) , the constructed PCA-FDI attack is stealthy to RHMTD. Specifically, a PCA-FDI attack is stealthy to RHMTD if a c o l ( H R H ) c o l ( H 0 P C A ) . Then, the dimension of the stealthy attack space can be expressed as:
| c o l ( H R H ) c o l ( H 0 P C A ) | = r ( H R H ) + r ( H 0 P C A ) r ( [ H 0 P C A H R H ] ) = 2 × ( n 1 ) r ( [ H 0 P C A H R H ] )
Since the attacker’s H 0 P C A is unknown to the system operator, it is assumed that the attacker can accurately approximate the column space of H 0 , i.e., c o l ( H 0 P C A ) = c o l ( H 0 ) . Then, the dimension of the stealthy attack space becomes:
| c o l ( H R H ) c o l ( H 0 P C A ) | = 2 × ( n 1 ) r ( [ H 0 H R H ] )
The adopted max-rank HMTD placement guarantees the maximum value of r ( [ H 0 H R H ] . Therefore, the dimension of the stealthy attack space is minimized under the RHMTD. Therefore, RHMTD has the maximized attack detection effectiveness to PCA-FDI attacks by the data-driven alert attacker. □

4. Numerical Results

4.1. Test Systems

We evaluate the HMTD operation model in the IEEE 14-bus system [29]. We solve the HMTD operation model using the fmincon function of MATLAB. We use MATLAB to simulate the BDD-based and model-based alert attackers and use Python to simulate the data-driven alert attacker. The measurement noise is assumed to be Gaussian distributed with zero mean and the standard deviation as 1% of the actual measurement. The threshold of the Chi-square detector in the BDD used by attackers and defenders is set to have a 0.1% false positive rate.
A flowchart of HMTD against alert attackers regarding the attack detection probability (ADP) and defense stealthy probability (DSP) is shown in Figure 4. The ADP is a widely used metric to measure the MTD attack detection effectiveness from the perspective of defenders. ADP is defined as the ratio of the number of detected FDI attacks to the total number of launched FDI attacks. The DSP is a metric to measure the MTD hiddenness from the perspective of attackers in simulation, which is defined as the ratio of the number of MTDs hidden to attackers to the total number of launched MTDs. In the simulation, we assume there are N load conditions. We use counters cntH and cntA to record the number of hidden MTD and detected FDI attacks, respectively.

4.2. Uncertainties of RHMTD

First, we demonstrate the effectiveness of random weights in providing uncertainties to the line reactance in the RHMTD. Under the same load condition, we conduct the RHMTD operation model 20 times using different weights. Figure 5 shows the dispatched line reactance of each D-FACTS line in the 20 RHMTDs. It is seen that the reactance of each D-FACTS line in the 20 RHMTDs is different. The uncertainties can contribute to the hiddenness and detection effectiveness of RHMTD to the model-based attacker. However, for some RHMTDs, they have similar reactance to the seventh D-FACTS line, which negatively impacts the detection effectiveness of RHMTD against the attacks by the model-based alert attacker. This impact is evaluated in Section 4.4.
We utilize the L1-norm distance between the line reactance generated by the system operator and that by the model-based attacker to measure the uncertainties in the RHMTD. Based on the distance, we demonstrate the impact of MTD magnitude on the uncertainties. Under each MTD magnitude, we generate one RHMTD operation point for the system operator as the reference, and then generate 50 RHMTD operation points as the model-based alert attacker’s estimation by running the RHMTD model. Figure 6 shows the boxplot of the L1-norm distance under different MTD magnitudes. It is seen that a larger MTD magnitude generally results in a large L1-norm distance. The median of the L1-norm distance under 0.2 MTD magnitude is lower than that under 0.18. It indicates that a larger MTD magnitude does not guarantee a larger L1-norm distance or a better attack detection effectiveness against the model-based alert attacker due to the random uncertainties.

4.3. Hiddenness of RHMTD against Three Alert Attackers

In this section, we evaluate the hiddenness of RHMTD to three alert attackers. First, we evaluate the hiddenness of RHMTD to the BDD-based alert attacker by comparing the DSP of RHMTD and RMTD under different MTD magnitudes.
To study the impact of MTD magnitude on the MTD hiddenness, we increase the MTD magnitude from 0.02 to 0.2 with an increment of 0.02. For each MTD magnitude, we generate 100 RMTDs and 100 RHMTDs under different load conditions, respectively. In addition, we repeat this MTD generation process under two different noise conditions to evaluate the impact of noise on the MTD hiddenness. The DSP of RMTD and RHMTD against the BDD-based alert attacker is shown in Figure 7. As seen, when the MTD magnitude is small (less than 0.04), it is likely that RMTD remains hidden to the attacker. This is because the tiny line reactance mismatch has limited capability to increase the estimation residual in the attacker’s BDD. With the increase in MTD magnitude, the DSP drops to zero, indicating that RMTD is no longer hidden to the attacker. For the RHMTD, its DSP is larger than 0.95 regardless of MTD magnitudes and the noise standard deviation, indicating the hiddenness to the BDD-based attacker.
Then, we evaluate the hiddenness of RHMTD to the model-based alert attacker under different noise conditions. We generate 100 RHMTD operation setpoints under different load conditions under MTD magnitudes from 0.02 to 0.2 with an increment of 0.02. The measurements of RHMTD are sampled in the noiseless condition and noisy conditions with standard deviations σ = 1 % , σ = 2 % , and σ = 3 % , respectively. It is assumed that the model-based attacker applies the RHMTD model (7) to estimate the line reactance dispatched in the field, and then applies SE to calculate the estimation residual to detect the existence of MTD. The DSP of RHMTD against the model-based alert attacker is shown in Figure 8. In the noiseless condition, the DSP of RHMTD is always 1.0 regardless of MTD magnitudes. In noisy conditions, the DSP of RHMTD is more than 95%. It is seen that MTD magnitude and noise magnitude do not impact the hiddenness of RHMTD.
Finally, we demonstrate the drawbacks of RMTD against the data-driven alert attacker, and further evaluate the hiddenness of RHMTD to the data-driven alert attacker. To simulate historical measurements free from MTD collected by the data-driven alert attacker, the power flow problem is solved for multiple time instants. In this paper, we use 100 load conditions to generate historical measurements of 100 time instants. First, we generate three RMTD groups under 100 different load conditions under 0.05, 0.10, and 0.15 MTD magnitudes, respectively. Specifically, let RMTD 1, RMTD 2, and RMTD 3 refer to these generated RMTD groups, and RMTD i (i = 1, 2, 3) has 100 different operation setpoints for each MTD magnitude. After the SCADA measurements are collected by the attacker, a dimension reduction algorithm, i.e., PCA, is applied on the 100 measurement vectors under RMTDs and 100 measurement vectors free of MTD to visualize the difference between the normal data (no MTD measurements) and MTD measurements.
The projection of RMTD and no MTD measurement data in the ℝ2 space under different MTD magnitudes are shown in Figure 9. When the MTD magnitude is 0.05, the RMTD data points and no MTD data points are overlapped, indicating that the data-driven alert attacker cannot detect the existence of RMTD. When the MTD magnitude becomes 0.10, RMTD 1 is projected into a new cluster, while RMTDs 2 and 3 are still overlapped with no MTD data. When the MTD magnitude increases to 0.15, RMTDs 1 and 2 form two new clusters, and data points of RMTD 3 also remain separated from no MTD data. For the data-driven attacker, a new cluster indicates the detection of MTD. Thus, the hiddenness of RMTD degrades with the increase in MTD magnitude, which is consistent with the performance of RMTD against the BDD-based alert attacker.
To evaluate the hiddenness of RHMTD, we apply the RHMTD algorithm under 100 load conditions with 0.20 MTD magnitude. For comparison, we also generate 10 RMTD groups with 0.20 MTD magnitude. The projection of RHMTD, 10 RMTD, and no MTD measurements in the ℝ2 space is shown in Figure 10. As seen, under 0.20 MTD magnitude, all RMTD groups form new clusters that locate far from the cluster of no MTD measurements. All data points of RHMTD remain inside of the cluster of the no MTD, as shown in Figure 11. Therefore, these RHMTDs are hidden to the data-driven attacker. Since RHMTDs with 0.20 MTD magnitude could remain hidden, it infers that the RHMTD with a smaller MTD magnitude could also remain hidden, according to the impact of the MTD magnitude on the MTD stealthiness.
We compare the hiddenness of RHMTD with two existing HMTD methods, i.e., watermarking HMTD [21] and model-based HMTD [4] against three alert attacker models in Table 2. We can see that the proposed RHMTD is hidden to three alert attackers, consistent with the hiddenness theorems in Section 3.3. In addition, these three HMTD methods are all hidden to BDD-based alert attackers. This is because the BDD-based alert attacker is the first alert attacker model proposed in the literature, such that these HMTD methods consider the estimation residual changes in the alert attacker’s BDD. All three HMTD methods are hidden to a data-driven alert attacker since these HMTD methods avoid significant measurement changes before and after MTD. For the proposed model-based alert attacker, the DSP of watermarking HMTD is lower than its DSP against BDD-based alert attackers. It is because the randomness in the watermarking HMTD makes the attacker’s estimated line parameters different from the actual dispatched parameters. The difference results in an increase in the attacker’s estimation residual. Even though the model-based HMTD is hidden to the model-based alert attacker, the attacker can accurately estimate actual dispatched line parameters due to the lack of randomness in model-based HMTD. As a consequence, the model-based HMTD cannot detect the attacks by the model-based alert attacker, which is shown in Section 4.4.

4.4. Attack Detection Effectiveness of the RHMTD against Three Alert Attackers

In this subsection, we evaluate the attack detection effectiveness of the RHMTD against three alert attackers. First, we prepare the defense pool of RHMTD. We increase the MTD magnitude from 0.02 to 0.2 with an increment of 0.02, and then generate 100 RHMTD operation setpoints for each MTD magnitude. In total, there are 1000 RHMTD operation setpoints as the defense pool. In the simulation, the widely used attack detection probability is applied to measure the attack detection effectiveness of an MTD, which is defined as the ratio of the number of FDIs detected by the MTD to the total number of FDI attacks.
For the BDD-based attacker, RHMTD misleads the attacker to construct traditional FDI attacks without the aid of topology learning. Therefore, the BDD-based alert attacker constructs 100 single-bus FDI attacks using H 0 for each RHMTD in the defense pool. The ADP of RHMTD against the BDD-based alert attacker under different MTD magnitudes is shown in Figure 12. The ADP increases with the MTD magnitude. This is because the tiny line changes cannot cause sufficient residual incremental in the defender’s BDD, and thus the ADP under the low MTD magnitudes is low. When the MTD magnitude is larger than 0.08, the ADP becomes 93.3%. This is because MTD cannot detect the single-bus FDI attack on Bus 8, which only has one transmission line. This is the drawback of MTD identified by our previous work [30].
The model-based attacker utilizes the same RHMTD model to estimate the reactance of D-FACTS lines and uses H ^ to construct FDI attacks. We compare the detection effectiveness of the RHMTD and HMTD against the model-based attacker. We generate 100 HMTD under each MTD magnitude. For each HMTD and RHMTD, the model-based attacker launches 100 FDI attacks. The ADP of RHMTD and HMTD against the model-based alert attacker under different MTD magnitudes is shown in Figure 13. It is seen that HMTD cannot detect the attacks by the model-based attacker. The lack of uncertainties causes the model-based attacker to accurately estimate the reactance of D-FACTS lines, and the attacks can bypass the defender’s BDD. Compared with the low ADP of HMTD, the ADP of the RHMTD can reach 80%. We can see that the ADP of RHMTD against the model-based attacker is lower than the ADP of RHMTD against the BDD-based attacker. This is because the reactance of some D-FACTS lines estimated by the attacker is very close to the actual reactance dispatched by the defender. For a single-bus FDI attack by the model-based attacker, if line parameters of all connected lines associated with the target bus are accurately or approximately estimated, the FDI attack is very likely to remain stealthy to the RHMTD. The detection effectiveness of RHMTD against the model-based alert attacker is analyzed in Section 3.4.
The data-driven attacker constructs PCA-FDI attacks under RHMTD with 0.2 MTD magnitude. It is assumed that the attacker collects the historical measurements of 5000 time instants. The RHMTD is conducted under each time instant. In the PCA-FDI attacks, the number of the attacked buses are 1, 3, and 5, respectively. Here, the incremental voltage of the PCA-FDI attack is defined as c = k × θ 0 , where θ 0 is the actual voltage angle of the power system at the attacked time instant, and k is the FDI magnitude varying from 0.05 to 0.4. The ADP of RHMTD against the PCA-FDI attacks by the data-driven alert attacker is shown in Figure 14. It is seen that the ADP increases with the FDI attack magnitude and the number of attacked buses.
We compare the attack detection effectiveness of RHMTD with two existing HMTD methods against three alert attacker models in Table 3. We use the Chi-2 detector for three HMTD methods to detect FDI attacks. Due to small line parameter changes, the watermarking HMTD has low ADP against three attackers. Model-based HMTD has the same ADP as RHMTD against the BDD-based alert attacker. However, the ADP of model-based HMTD against the model-based alert attacker is close to zero. This is because the attacks constructed by the model-based alert attacker are based on accurately estimated line parameters. RHMTD has higher ADP than other HMTD methods due to its randomness and sufficient line impedance changes.

5. Conclusions

This paper points out the drawbacks of existing HMTD operation methods, including the delay of attack detection, extra costs on secure meters, and the lack of randomness. To fully evaluate the hiddenness of HMTD methods, this paper first summarizes the BDD-based alert attacker model and the data-driven alert attacker model, and then proposes a novel model-based alert attacker model. By analyzing the three alert attackers, this paper proposes a novel random-enabled HMTD, which maximizes the weighted square of line reactance changes, and introduces random variables into the weights of the objective function. In addition, the proposed model utilizes the novel derived hiddenness operation conditions as constraints to ensure the measurements before and after MTD remain unchanged. We theoretically prove the hiddenness of the proposed RHMTD to three alert attacker models, and analyze the effectiveness of RHMTD in detecting FDI attacks constructed by three alert attackers.
The simulation results show that the random weights in RHMTD successfully introduce the randomness into the setpoints of D-FACTS devices. The randomness increases the difficulty of the model-based alert attacker to accurately estimate the defender’s dispatched setpoints of D-FACTS devices. The RHMTD method is hidden to both the BDD-based and model-based alert attackers with more than 95% DSP. The RHMTD method is also hidden to the data-driven alert attacker since the projection of RHMTD and no MTD measurements overlaps after the dimension reduction. Simulation results also evaluate the detection effectiveness of RHMTD against three alert attackers. The traditional HMTD fails to detect FDI attacks by the model-based alert attacker, while RHMTD can detect these attacks with 80% ADP. RHMTD is effective in detecting FDI attacks by the BDD-based and data-driven alert attackers with more than 90% ADP.
In the future, we will extend the proposed HMTD operation method in the DC power system model to the AC power system model. In addition, we will define more alert adversary models using advanced machine learning techniques and limited data resources.

Author Contributions

Conceptualization, B.L. and H.W.; methodology, B.L., H.W., Q.Y. and H.Z.; software, B.L. and H.W.; validation, B.L., H.W., Q.Y. and H.Z.; formal analysis, B.L., H.W., Q.Y. and H.Z.; investigation, B.L., H.W., Q.Y. and H.Z.; resources, B.L., H.W., Q.Y. and H.Z.; data curation, B.L., H.W., Q.Y. and H.Z.; writing—original draft preparation, B.L. and H.W.; writing—review and editing, B.L., H.W., Q.Y. and H.Z.; visualization, B.L., H.W., Q.Y. and H.Z.; supervision, B.L., H.W., Q.Y. and H.Z.; project administration, B.L.; funding acquisition, H.W. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by U.S. National Science Foundation, grant number No. 1929147 and No. 2146156.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

MTD: moving target defense; FDI, false data injection; SE, state estimation; PCA, principal component analysis; D-FACTS, distributed flexible AC transmission system; BDD, Bad Data Detection.

Nomenclature

SymbolDefinition
θVoltage angle of buses excluding reference bus
zMeasurement vector
aFDI attack vector
H0DC measurement matrix in SE before MTD
HDC measurement matrix in SE after MTD
AIncident matrix of power system graph
XDiagonal line reactance matrix
xijThe reactance of line i–j (between bus i and j)
nTotal number of system buses
mTotal number of measurements
pTotal number of lines

References

  1. Balouch, S.; Muhammad, A.; Muqeet, K.A.; Pansota, M.; Jamil, H.; Hamdi, M.; Malik, A.; Hamam, H. Optimal Scheduling of Demand Side Load Management of Smart Grid Considering Energy Efficiency. Front. Energy Res. 2022, 1. [Google Scholar] [CrossRef]
  2. Musleh, A.S.; Chen, G.; Dong, Z.Y. A Survey on the Detection Algorithms for False Data Injection Attacks in Smart Grids. IEEE Trans. Smart Grid 2020, 11, 2218–2234. [Google Scholar] [CrossRef]
  3. Zhang, H.; Liu, B.; Wu, H. Smart Grid Cyber-Physical Attack and Defense: A Review. IEEE Access 2021, 9, 29641–29659. [Google Scholar] [CrossRef]
  4. Rahman, M.A.; Al-Shaer, E.; Bobba, R.B. Moving Target Defense for Hardening the Security of the Power System State Estimation. In Proceedings of the First ACM Workshop on Moving Target Defense; ACM: New York, NY, USA, 2014; pp. 59–68. [Google Scholar]
  5. Liu, B.; Wu, H. Optimal Planning and Operation of Hidden Moving Target Defense for Maximal Detection Effectiveness. IEEE Trans. Smart Grid 2021, 12, 4447–4459. [Google Scholar] [CrossRef]
  6. Tian, J.; Tan, R.; Guan, X.; Liu, T. Enhanced Hidden Moving Target Defense in Smart Grids. IEEE Trans. Smart Grid 2019, 10, 2208–2223. [Google Scholar] [CrossRef]
  7. Liu, M.; Zhao, C.; Zhang, Z.; Deng, R. Explicit Analysis on Effectiveness and Hiddenness of Moving Target Defense in AC Power Systems. IEEE Trans. Power Syst. 2022, 37, 4732–4746. [Google Scholar] [CrossRef]
  8. Zhang, H.; Liu, B.; Liu, X.; Pahwa, A.; Wu, H. Voltage Stability Constrained Moving Target Defense against Net Load Redistribution Attacks. IEEE Trans. Smart Grid 2022, 13, 3748–3759. [Google Scholar] [CrossRef]
  9. Zhang, Z.; Tian, Y.; Deng, R.; Ma, J. A Double-Benefit Moving Target Defense Against Cyber–Physical Attacks in Smart Grid. IEEE Internet Things J. 2022, 9, 17912–17925. [Google Scholar] [CrossRef]
  10. Deng, R.; Zhuang, P.; Liang, H. CCPA: Coordinated Cyber-Physical Attacks and Countermeasures in Smart Grid. IEEE Trans. Smart Grid 2017, 8, 2420–2430. [Google Scholar] [CrossRef]
  11. Tian, J.; Tan, R.; Guan, X.; Xu, Z.; Liu, T. Moving Target Defense Approach to Detecting Stuxnet-Like Attacks. IEEE Trans. Smart Grid 2020, 11, 291–300. [Google Scholar] [CrossRef]
  12. Liu, B.; Wu, H. Optimal D-FACTS Placement in Moving Target Defense against False Data Injection Attacks. IEEE Trans. Smart Grid 2020, 11, 4345–4357. [Google Scholar] [CrossRef]
  13. Liu, C.; Wu, J.; Long, C.; Kundur, D. Reactance Perturbation for Detecting and Identifying FDI Attacks in Power System State Estimation. IEEE J. Sel. Top. Signal Process. 2018, 12, 763–776. [Google Scholar] [CrossRef]
  14. Zhang, Z.; Deng, R.; Cheng, P.; Chow, M.-Y. Strategic Protection Against FDI Attacks With Moving Target Defense in Power Grids. IEEE Trans. Control Netw. Syst. 2022, 9, 245–256. [Google Scholar] [CrossRef]
  15. Lakshminarayana, S.; Yau, D.K.Y. Cost-Benefit Analysis of Moving-Target Defense in Power Grids. IEEE Trans. Power Syst. 2020, 3, 1152–1163. [Google Scholar]
  16. Liu, B.; Yang, Q.; Zhang, H.; Wu, H. An Interior-Point Solver for AC Optimal Power Flow Considering Variable Impedance-Based FACTS Devices. IEEE Access 2021, 9, 154460–154470. [Google Scholar] [CrossRef]
  17. Zhang, Z.; Deng, R.; Yau, D.K.Y.; Cheng, P.; Chen, J. Analysis of Moving Target Defense Against False Data Injection Attacks on Power Grid. IEEE Trans. Inf. Forensics Secur. 2019, 15, 2320–2335. [Google Scholar] [CrossRef] [Green Version]
  18. Liu, M.; Zhao, C.; Zhang, Z.; Deng, R.; Cheng, P. Analysis of Moving Target Defense in Unbalanced and Multiphase Distribution Systems Considering Voltage Stability. In Proceedings of the 2021 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Aachen, Germany, 25–28 October 2021; pp. 207–213. [Google Scholar]
  19. Zhang, Z.; Deng, R.; Yau, D.K.Y.; Cheng, P.; Chow, M.-Y. Security Enhancement of Power System State Estimation With an Effective and Low-Cost Moving Target Defense. IEEE Trans. Syst. Man Cybern. Syst. 2022; 1–16, accepted. [Google Scholar]
  20. Liu, B.; Wu, H.; Pahwa, A.; Ding, F.; Ibrahim, E.; Liu, T. Hidden Moving Target Defense against False Data Injection in Distribution Network Reconfiguration. In Proceedings of the 2018 IEEE Power Energy Society General Meeting (PESGM), Portland, OR, USA, 5–10 August 2018; pp. 1–5. [Google Scholar]
  21. Higgins, M.; Teng, F.; Parisini, T. Stealthy MTD Against Unsupervised Learning-Based Blind FDI Attacks in Power Systems. IEEE Trans. Inf. Forensics Secur. 2021, 16, 1275–1287. [Google Scholar] [CrossRef]
  22. Murguia, C.; Ruths, J. CUSUM and chi-squared attack detection of compromised sensors. In Proceedings of the 2016 IEEE Conference on Control Applications (CCA), Buenos Aires, Argentina, 19–22 September 2016; IEEE: Buenos Aires, Argentina, 2016; pp. 474–480. [Google Scholar]
  23. Zhang, Z.; Deng, R.; Yau, D.K.Y.; Cheng, P.; Chen, J. On Hiddenness of Moving Target Defense against False Data Injection Attacks on Power Grid. ACM Trans. Cyber-Phys. Syst. 2020, 4, 1–29. [Google Scholar] [CrossRef] [Green Version]
  24. Zheng, J.; Namin, A.S. A Survey on the Moving Target Defense Strategies: An Architectural Perspective. J. Comput. Sci. Technol. 2019, 34, 207–233. [Google Scholar] [CrossRef]
  25. Lakshminarayana, S.; Sthapit, S.; Maple, C. A Comparison of Data-Driven Techniques for Power Grid Parameter Estimation. arXiv 2021. Available online: https://arxiv.org/pdf/2107.03762.pdf (accessed on 16 January 2023).
  26. Yang, H.; He, X.; Wang, Z.; Qiu, R.C.; Ai, Q. Blind False Data Injection Attacks Against State Estimation Based on Matrix Reconstruction. IEEE Trans. Smart Grid 2022, 13, 3174–3187. [Google Scholar] [CrossRef]
  27. Yu, Z.-H.; Chin, W.-L. Blind False Data Injection Attack Using PCA Approximation Method in Smart Grid. IEEE Trans. Smart Grid 2015, 6, 1219–1226. [Google Scholar] [CrossRef]
  28. Kim, J.; Tong, L.; Thomas, R.J. Subspace Methods for Data Attack on State Estimation: A Data Driven Approach. IEEE Trans. Signal Process. 2015, 63, 1102–1114. [Google Scholar] [CrossRef] [Green Version]
  29. Zimmerman, R.D.; Murillo-Sanchez, C.E.; Thomas, R.J. MATPOWER: Steady-State Operations, Planning, and Analysis Tools for Power Systems Research and Education. IEEE Trans. Power Syst. 2011, 26, 12–19. [Google Scholar] [CrossRef] [Green Version]
  30. Liu, B.; Wu, H. Systematic planning of moving target defence for maximising detection effectiveness against false data injection attacks in smart grid. IET Cyber-Phys. Syst. Theory Appl. 2021, 6, 151–163. [Google Scholar] [CrossRef]
Figure 1. The attack logic flowchart of the BDD-based alert attacker.
Figure 1. The attack logic flowchart of the BDD-based alert attacker.
Processes 11 00348 g001
Figure 2. The attack logic flowchart of the data-driven alert attacker.
Figure 2. The attack logic flowchart of the data-driven alert attacker.
Processes 11 00348 g002
Figure 3. The attack logic flowchart of the model-based attacker.
Figure 3. The attack logic flowchart of the model-based attacker.
Processes 11 00348 g003
Figure 4. Flowchart of HMTD against alert attackers regarding the attack detection probability and defense stealthy probability.
Figure 4. Flowchart of HMTD against alert attackers regarding the attack detection probability and defense stealthy probability.
Processes 11 00348 g004
Figure 5. The reactance of D-FACTS-lines in 20 RHMTDs under a given load.
Figure 5. The reactance of D-FACTS-lines in 20 RHMTDs under a given load.
Processes 11 00348 g005
Figure 6. L1-norm distance under MTD magnitudes.
Figure 6. L1-norm distance under MTD magnitudes.
Processes 11 00348 g006
Figure 7. The hiddenness of RMTD and RHMTD against the BDD-based alert attacker under different noise conditions.
Figure 7. The hiddenness of RMTD and RHMTD against the BDD-based alert attacker under different noise conditions.
Processes 11 00348 g007
Figure 8. The hiddenness of RHMTD against the model-based alert attacker under noiseless and noise conditions.
Figure 8. The hiddenness of RHMTD against the model-based alert attacker under noiseless and noise conditions.
Processes 11 00348 g008
Figure 9. The projection of RMTD and no MTD measurements in the ℝ2 space by PCA under different MTD magnitudes.
Figure 9. The projection of RMTD and no MTD measurements in the ℝ2 space by PCA under different MTD magnitudes.
Processes 11 00348 g009
Figure 10. The projection of RHMTD, 10 RMTD, and no MTD measurements in the ℝ2 space.
Figure 10. The projection of RHMTD, 10 RMTD, and no MTD measurements in the ℝ2 space.
Processes 11 00348 g010
Figure 11. The projection of RHMTD and no MTD measurements in the ℝ2 space.
Figure 11. The projection of RHMTD and no MTD measurements in the ℝ2 space.
Processes 11 00348 g011
Figure 12. The ADP of RHMTD against the BDD-based alert attacker under different MTD magnitudes.
Figure 12. The ADP of RHMTD against the BDD-based alert attacker under different MTD magnitudes.
Processes 11 00348 g012
Figure 13. The ADP of RHMTD and HMTD against the model-based alert attacker under different MTD magnitudes.
Figure 13. The ADP of RHMTD and HMTD against the model-based alert attacker under different MTD magnitudes.
Processes 11 00348 g013
Figure 14. The ADP of RHMTD against the data-driven alert attacker.
Figure 14. The ADP of RHMTD against the data-driven alert attacker.
Processes 11 00348 g014
Table 1. Comparison of the proposed and existing HMTD methods regarding the hiddenness and detection effectiveness.
Table 1. Comparison of the proposed and existing HMTD methods regarding the hiddenness and detection effectiveness.
MethodBDD-AADD-AAM-AACharacteristics
Watermarking HMTD [21]Y/YY/YY/YDetection delay of FDI attacks
Secure-meter-based HMTD [23]Y/Y N/YY/YExtra expensive protected meters
Model-based HMTD [5,20]Y/YY/YY/NLack of randomness
This paperY/YY/YY/YNo detection delay and no protected meters with randomness
Table 2. DSP of existing HMTD methods and the RHMTD against three alert attackers.
Table 2. DSP of existing HMTD methods and the RHMTD against three alert attackers.
MethodBDD-AADD-AAM-AA
Watermarking HMTD94%100%83%
Model-based HMTD93%100%96%
RHMTD95%100%96%
Table 3. ADP of existing HMTD methods and RHMTD against three alert attackers.
Table 3. ADP of existing HMTD methods and RHMTD against three alert attackers.
MethodBDD-AAM-AADD-AA
Watermarking HMTD37.8%47.3%33.0%
Model-based HMTD93.9%6.0%59.0%
RHMTD93.6%75.1%68.0%
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Liu, B.; Wu, H.; Yang, Q.; Zhang, H. Random-Enabled Hidden Moving Target Defense against False Data Injection Alert Attackers. Processes 2023, 11, 348. https://doi.org/10.3390/pr11020348

AMA Style

Liu B, Wu H, Yang Q, Zhang H. Random-Enabled Hidden Moving Target Defense against False Data Injection Alert Attackers. Processes. 2023; 11(2):348. https://doi.org/10.3390/pr11020348

Chicago/Turabian Style

Liu, Bo, Hongyu Wu, Qihui Yang, and Hang Zhang. 2023. "Random-Enabled Hidden Moving Target Defense against False Data Injection Alert Attackers" Processes 11, no. 2: 348. https://doi.org/10.3390/pr11020348

APA Style

Liu, B., Wu, H., Yang, Q., & Zhang, H. (2023). Random-Enabled Hidden Moving Target Defense against False Data Injection Alert Attackers. Processes, 11(2), 348. https://doi.org/10.3390/pr11020348

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop