# From Static to Dynamic Anomaly Detection with Application to Power   System Cyber Security

**Authors:** Kaikai Pan, Peter Palensky, Peyman Mohajerin Esfahani

arXiv: 1904.09137 · 2019-09-24

## TL;DR

This paper introduces a dynamic residual generator approach using robust optimization to detect stealthy multivariate cyber attacks in power systems, improving detection beyond static methods by capturing attack signatures in system dynamics.

## Contribution

It develops a novel dynamic diagnosis filter based on robust optimization that detects multivariate attacks undetectable by static schemes, with scalable design methods and theoretical guarantees.

## Key findings

- Successfully detects multivariate attacks on power system measurements.
- Provides a convex reformulation with Nash equilibrium properties.
- Demonstrates effectiveness on IEEE 39-bus system data.

## Abstract

Developing advanced diagnosis tools to detect cyber attacks is the key to security of power systems. It has been shown that multivariate data injection attacks can bypass bad data detection schemes typically built on static behavior of the systems, which misleads operators to disruptive decisions. In this article, we depart from the existing static viewpoint to develop a diagnosis filter that captures the dynamics signatures of such a multivariate intrusion. To this end, we introduce a dynamic residual generator approach formulated as robust optimization programs in order to detect a class of disruptive multivariate attacks that potentially remain stealthy in view of a static bad data detector. We investigate two possible desired features: (i) a non-zero transient and (ii) a non-zero steady-state behavior of the residual generator in the presence of an attack. In case (i), the problem is reformulated as a finite, but possibly non-convex, optimization program. We further develop a linear programming relaxation that improves the scalability, and as such practicality, of the diagnosis filter design. In case (ii), it turns out that the resulting robust program admits an exact convex reformulation, yielding a Nash equilibrium between the attacker and the residual generator. This assertion has an interesting implication: the proposed approach is not conservative in the sense that the additional knowledge of the worst-case attack does not improve the diagnosis performance. To illustrate our theoretical results, we implement the proposed diagnosis filter to detect multivariate attacks on the system measurements deployed to generate the so-called Automatic Generation Control signals in a three-area IEEE 39-bus system.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1904.09137/full.md

## Figures

21 figures with captions in the complete paper: https://tomesphere.com/paper/1904.09137/full.md

## References

35 references — full list in the complete paper: https://tomesphere.com/paper/1904.09137/full.md

---
Source: https://tomesphere.com/paper/1904.09137