**2. Literature Review**

A large variety of methods and algorithms have been used for detecting stealth attacks. Machine learning methods have achieved significant success in this area. In [32], supervised learning based on recurrent neural networks (RNNs) was used for detecting FDI attacks. In [16], three supervised machine learning classifiers, namely, a support vector machine (SVM), k-nearest neighbor (kNN), and the extended nearest neighbor (ENN), were used. Different machine learning algorithms were proposed in [28] for measurement classification, in which measurements are classified as attacked or secure. Sparse logistic regression, SVM, and k-nearest neighbor methods were used in that study. Another technique for the detection of FDI attacks, which used the Gaussian mixture model, was proposed in [33]. The contribution in [34] was based on unsupervised learning. Four machine learning methods, namely, a one-class SVM, local outlier factor, isolation forest, and robust covariance estimation, were employed for FDI attack detection. In [35], a machine-learning-based scheme that employed ensemble learning was used. Ensemble learning uses multiple classifiers, and the decisions obtained by the individual classifiers are further classified. The proposed scheme used two ensembles: supervised classifiers were used in the first ensemble and unsupervised classifiers were employed in the second. Supervised learning with a two-layer hierarchical framework was proposed in [36]. The first layer distinguished the mode of operation, such as a normal state or cyberattack. The second layer classified the type of cyberattack. A machine learning approach that used an extremely randomized trees algorithm was adopted in [37] for cyber-attacks. In [38], three machine learning techniques, namely, a support vector machine (SVM), k-nearest neighbor, and artificial neural network, were implemented for detecting FDI attacks. Each technique was used with three different feature selection techniques.

An extreme learning machine framework was used in [39] for detecting FDI attacks. In [40], auto-encoders were used for detecting FDI attacks. The auto-encoders learned the hidden correlation structures in the data. The correlation was learned in two dimensions, namely, the time and the spatial dimensions. Denoising auto-encoders were also used to clean the corrupted data. Approaches based on an auto-encoder neural network [41] and attention-based auto-encoders [42] were also used for the detection of attacks.

The contribution of [15] distinguished the normal operation of the power system from operation under a stealth attack. The stealth attacks were detected by using two machine-learning-based techniques. In the first technique, supervised learning was applied to a set of labeled data, which was used to train a support vector machine (SVM). The second technique did not use any training data; instead, the deviation of the measurements was detected by applying an anomaly detection algorithm.

Deep learning models were also used for detecting FDI attacks. A deep neural network (DNN) model was used in [43] for the classification of cyber-attacks in a smart grid. Another deep-learning-based method was proposed in [44] to detect FDI attacks. The proposed approach consisted of a convolutional neural network (CNN) and a long short-term memory (LSTM) network for the detection of attacks. Data integrity attacks in AC power systems can be detected by using the deep Q-network detection (DQND) scheme proposed in [45], which is a deep reinforcement learning approach. A neural network model was used in [46] for detecting false data. In this case, the residual elements obtained from state estimation were the inputs given to the perceptron model. An algorithm based on deep learning was proposed in [47] to detect FDI attacks. Dimensionality reduction, as well as feature extraction from measurement datasets, was done by using auto-encoders. The auto-encoders were then integrated into an advanced generative adversarial network (GAN) framework, which was used for detecting the FDI attacks.

The methods based on machine learning had great success in the detection of FDI attacks. However, they also have certain limitations and drawbacks. The methods based on supervised learning need a labeled dataset, and they are built on some conventional attack assumptions. Deep learning techniques have limitations as well: they need extensive training, and they require more memory space.

The main aim of the detection frameworks is to protect the whole communication system against attacks. One of the key features of microgrids is a secure communication network, and the design of that network is of vital importance to its development. For the deployment of a heterogeneous automation and monitoring system, a multi-layered architecture was proposed in [48]. The proposed architecture was structured into six functional layers to organize the hardware and software equipment in an integrated manner. In [49], a clear description of a smart grid and the types of communication methods was given. The communication methods were explained based on their advantages and the features they lack. The contribution of [50] was based on a hybrid communication simulation model. In hybrid network architectures, both wireless and dedicated wired media are used. A suite of hybrid communication simulation models was developed for the validation of critical system design criteria.

A mathematical model of the power system was presented in [51] and a robust security framework was proposed. A Kalman filter was used to estimate variables in the model. In [52], an online data-driven algorithm was presented for detecting FDI attacks on synchrophasor measurements. The proposed algorithm applied density-based LOF (local outlier factor) analysis for detecting anomalies in the data. Another method was proposed in [53], in which the system was modeled as a discrete-time linear dynamic system. A Kalman filter was used to perform the state estimation (SE), and a generalized cumulative sum algorithm achieved the quickest detection of the attacks. In [18,19], the economic impact of stealth FDI attacks on real-time market operations was considered. The construction of a profitable attacking plan for the attacker was also shown. In [20], it was explained that the attacker can construct the stealth FDI attack without knowing the structure of the system. The attacker can find the system structure and make an attack.
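The combination of Kalman-filter state estimation and cumulative-sum detection summarised above for [53] can be illustrated as follows. This is an added example, not code from this paper or from [53]: it assumes a scalar random-walk state, a constructed measurement stream with a 0.2 p.u. bias injected from sample 200, and a plain two-sided CUSUM on the normalized innovations rather than the generalized variant; all names and constants are hypothetical.

```python
import math
import random

Q, R = 1e-6, 1e-2              # assumed process / measurement noise variances
DRIFT, THRESH = 0.75, 5.0      # assumed CUSUM allowance and alarm threshold
ATTACK_START, BIAS = 200, 0.2  # constructed attack: constant bias from sample 200


def make_stream(n=300, attacked=True, seed=1):
    """Constructed measurements of a constant 1.0 p.u. state with bounded noise."""
    rng = random.Random(seed)
    ys = []
    for k in range(n):
        y = 1.0 + rng.uniform(-0.03, 0.03)
        if attacked and k >= ATTACK_START:
            y += BIAS                   # injected false data
        ys.append(y)
    return ys


def detect(ys, x0=1.0, p0=1e-2):
    """Scalar Kalman filter with a two-sided CUSUM on its innovations.

    Returns (index of first alarm or None, largest |normalized innovation|).
    """
    x, p = x0, p0
    g_pos = g_neg = 0.0
    alarm, max_abs_z = None, 0.0
    for k, y in enumerate(ys):
        p_pred = p + Q                  # predict (model: x_k = x_{k-1} + w_k)
        s = p_pred + R                  # innovation variance
        nu = y - x                      # innovation (measurement residual)
        z = nu / math.sqrt(s)           # normalized innovation
        max_abs_z = max(max_abs_z, abs(z))
        g_pos = max(0.0, g_pos + z - DRIFT)   # accumulates upward shifts
        g_neg = max(0.0, g_neg - z - DRIFT)   # accumulates downward shifts
        if alarm is None and max(g_pos, g_neg) > THRESH:
            alarm = k
        gain = p_pred / s               # measurement update
        x += gain * nu
        p = (1.0 - gain) * p_pred
    return alarm, max_abs_z


if __name__ == "__main__":
    print("clean   :", detect(make_stream(attacked=False)))
    print("attacked:", detect(make_stream(attacked=True)))
```

On this constructed stream no single normalized innovation reaches 3, so a per-sample 3-sigma residual test stays silent, while the accumulated statistic crosses the threshold a few samples after the bias begins.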

In [54], a distributed state estimation method based on the alternating direction method of multipliers (ADMM) was presented for detecting cyber-attacks. In this case, the regional subsystems were partitioned using the K-means method. An online detection algorithm was proposed in [55] for detecting cyber-attacks. The algorithm provided online estimation of the unknown and time-varying attack parameters. In [56], FDI attacks were detected by means of a proposed active data modification scheme, in which measurements and control data were amended before being transmitted through communication networks. In [57], an FDI attack detection method was proposed that was based on the equivalent model of a load frequency control (LFC) system and a Kalman filter algorithm.

The work of [21] formulated the problem of false data detection as a low-rank matrix recovery problem, which was solved using convex optimization. The adopted methodology normalized the combination of the *l*<sup>1</sup> norm and nuclear norm. This mixed norm optimization problem was solved using the augmented Lagrange method of multipliers in order to obtain a good convergence rate. In [22], the false data detection problem was treated as a matrix separation problem. FDI attacks are sparse in nature, so a mechanism was developed to separate the states of the power system from the anomalies. The problem was solved using two methods, namely, low-rank matrix factorization and nuclear norm minimization.
