IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, MONTH 2015
BLITHE: Behavior Rule Based Insider Threat
Detection for Smart Grid
Haiyong Bao, Rongxing Lu†, Member, IEEE, Beibei Li, and Ruilong Deng, Member, IEEE
Abstract—In this paper, we propose a Behavior ruLe based methodology for Insider THrEat detection (BLITHE) of data monitor devices in smart grid, where continuity and accuracy of operation are of vital importance. Based on the DC power flow model and the state estimation model, three behavior rules are extracted to depict the behavior norms of each device, so that a monitored device (the trustee) can be checked easily for deviation from its behavior specification. Specifically, a rule-weight and compliance-distance based grading strategy is designed, which greatly improves the effectiveness of the traditional grading strategy for evaluating trustees. The statistical property of each trustee, i.e., the mathematical expectation of its compliance degree, is analyzed from both theoretical and practical perspectives, which achieves a satisfactory trade-off between detection accuracy and false alarms and allows more sophisticated and hidden attackers to be detected. In addition, based on real data run in POWER WORLD for IEEE benchmark power systems, and through comparative analysis, we demonstrate that BLITHE outperforms the state of the art in detecting abnormal behaviors in pervasive smart grid applications.
Index Terms—Insider threat detection, smart grid, security.
I. INTRODUCTION
Smart grid, widely considered to be the next generation of the power grid, has attracted considerable attention in recent years [1]–[3]. As a typical cyber-physical system (CPS), smart grid incorporates information and communications technology (ICT) into the traditional power system, as shown in Fig. 1, and is characterized by sophisticated reliability, efficiency, economy, and sustainability.

Fig. 1. The conceptual architecture of smart grid. (Figure not reproduced: it shows Power Generation, Transmission, Distribution and Customer connected by the power flow, with the Control Center (CC) linked to each stage by the information flow.)
To ensure that smart grid can operate continuously even when some components fail, power research communities use meters or phasor measurement units (PMUs), placed at important locations of the power system, to monitor system components and report their measurements to the control centre (CC), and the latter can estimate the state variables based on the meter measurements [4]. The estimation utilizes the state estimation model, which heavily relies on the accuracy of the reported measurements that CC receives [5], [6].

The authors are with the School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore 639798 (e-mail: [email protected]; [email protected]; [email protected]; [email protected]).
Recently, smart grid researchers have realized the threat of bad measurements (or information corruption) and developed techniques to address this challenge [5], [7]–[9]. Information corruption threats in smart grid are very complex, as they can come from both outsiders and insiders. In particular, due to the openness brought by integrating ICT into the power system, some devices could be compromised and become insider attackers. While great efforts have been made to resist outsider attacks, much less attention has been paid to insider ones, because of the difficulties stemming from their concealment and latency [10]–[12]. Statistically, according to the 2013 U.S. State Cyber Crime Survey [13], insider threats constitute 34% of all surveyed attacks (outsider threats constitute 31%, and the remaining 35% have unknown/unsure sources), which shows that insider threats have already become one of the main sources of security hazards for cyber and cyber-physical systems.
Today, even though the insider threat detection for CPS has
attracted considerable concern due to the dire consequence of
CPS failure [14], [15], the effective and accurate detection
techniques for CPS, especially for smart grid, are still in their
infancy with very few studies conducted [16]–[26].
In most of the aforementioned literature, there were no numerical data studies regarding the false positive probability $p_{fp}$ (i.e., misidentifying good devices as bad devices) and the false negative probability $p_{fn}$ (i.e., failing to identify bad devices) [16]–[20]. Even though three of them had miniature numerical data [21]–[23], only one or two data points characterizing $p_{fn}$/$p_{fp}$ are studied, instead of a data set that could be transformed into a receiver operating characteristic (ROC) figure, i.e., a $p_{fn}$ versus $p_{fp}$ curve. One of them proposed an insider threat detection technique which can effectively balance a small false positive probability $p_{fp}$ against a high detection probability $1 - p_{fn}$, to deal with more sophisticated and hidden threats and support secure applications in smart grid [24]. However, since it only addressed very high-level requirements of smart grid, it is too coarse-grained to be applied in practical scenarios. Two of them tried to exploit the topology restriction and data correlation of smart grid to detect insider threats [25], [26]. However, because both of them only consider very specific scenarios of smart grid, they are not universal and effective solutions. Specifically, in [25], a flocking-based modeling paradigm is designed to identify insider threats during the transient stability process of smart grid. Observing the characteristics of smart grid from a hierarchical cyber-physical perspective, the natural physical couplings among power systems are leveraged as telltale signs to identify insider cyber threats. However, the considered threat model is limited to the narrow scenario of the transient stability process, and it urgently needs to be extended to general circumstances covering the whole stability process of smart grid. In [26], to improve the sensitivity of the traditional state-estimation-based detection of bad data injection (one type of insider threat), Liu et al. proposed an adaptive partitioning state estimation (APSE) method to detect bad data injections in smart grid. APSE divides the large system into several subsystems, and the detection procedure is performed repeatedly on the yielded subsystems until the location of the insider threat is found. However, since the essentials of the traditional methods have not been changed, the limitations of traditional state-estimation-based insider threat detection still exist, unless the system is divided into very small subsystems so as to locate the threat precisely, at the cost of explosive computational overhead. Moreover, as the authors themselves note, APSE can only detect bad data on one transmission line, which makes it impractical in some scenarios.
Generally, insider threat detection techniques can be classified into three types: signature-based, anomaly-based and specification-based. Although signature-based detection is highly capable of identifying known attacks [27]–[29], it cannot effectively cope with unknown attack patterns [30]. The anomaly-based schemes proposed so far utilize resource-constrained sensors and/or actuators for outlining anomaly patterns (e.g., via learning), which incurs high computational overhead in detecting insider threats and generally has high rates of false alarms [31]–[33]. In the existing literature, specification-based techniques have been proposed only for detecting insider misbehavior in communication protocols [34]–[36].
Because all electrical devices (e.g., buses, transmission lines, etc.) are connected as a whole system and each state variable must satisfy specific constraints for the smart grid to be in equilibrium, topology restriction and data correlation do exist in smart grid. Therefore, behavior rule specifications can take good advantage of them to depict the behavior criteria and norms of all devices in the system. However, due to the complexity of smart grid and the latency and concealment of insider threats, designing an efficient and effective behavior rule specification based insider threat detection methodology for smart grid still faces many challenges.
In this paper, to deal with the aforementioned challenges, after a complete survey and evaluation of the existing literature, we propose a new behavior rule based insider threat detection (BLITHE) methodology for smart grid, which can improve detection accuracy with very low false alarms. In addition, with comprehensive and accurate behavior rule definitions, our proposed methodology can also be generalized easily to other CPSs. Specifically, the major contributions of BLITHE include the following four aspects.
Firstly, as our initial research, we focus on establishing reasonable and accurate behavior rules to detect insider threats using the DC power flow model of smart grid [37]. We expect the results obtained in this paper to serve as the groundwork for future research on generalized power flow models. Specifically, based on the DC power flow model and the state estimation model, three behavior rules are extracted to depict the behavior norms of the devices (buses/nodes) for insider threat detection. Inspired by the universal truth "the minority is subordinate to the majority", we build the first and key rule to distinguish normal from abnormal devices; it is based on the observation that, in the DC power flow model, the phase angle difference between neighbouring nodes lies within a certain threshold, and it assumes that the majority of components are normal. We exploit the theoretical foundation of the state estimation model, namely that normal sensor measurements usually give estimates of the state variables close to their actual values, to build the second and third rules for detecting the "inconsistency" (i.e., the insider threat) of bad measurements.
Secondly, considering that each rule usually has a different effect and prominence in evaluating the compliance degree of a trustee, a rule-weight and compliance-distance based grading strategy is designed to improve the traditional evaluation strategy [24], [38], [39].
Thirdly, untreated in the existing literature, based on real data run in POWER WORLD for IEEE benchmark power systems, we conduct performance evaluations of our proposed BLITHE and compare its effectiveness in insider threat detection with the state of the art.
Finally, we pay particular attention to the statistical characteristics, i.e., the mathematical expectation of the compliance degree of each trustee, for the trade-off between detection accuracy and false alarms, since insights on insider threats relate to long-term behavior modeling and extensive behavioral analysis of internal/legitimate participants.
The remainder of this paper is organized as follows. In
Section II, we give a brief review of some preliminaries of
our proposed BLITHE. In Section III, we formalize the system
model, including the unmanned-PMU-attached-to-bus (UPB)
reference model, the threat model and the attacker prototypes.
In Section IV, we present the details of BLITHE aiming
to minimize the false negative rate without diminishing the
false positive rate. In Section V, we evaluate the performance
of BLITHE. In Section VI, we perform a comparative analysis with state-of-the-art behavior rule based insider threat detection schemes and demonstrate the advantages of our improved design. In Section VII, we discuss the related work. In Section VIII, we conclude this paper and outline future work.
II. PRELIMINARIES
In this section, we briefly recall some preliminaries of our
proposed insider threat detection methodology for smart grid,
including the DC power flow model [37], power system state
estimation [5], and elliptic-curve-ElGamal cryptosystem [40].
A. DC Power Flow Model
For analysis of large power systems, the AC power flow model is heavily resource consuming and even unworkable in many cases. Thus, power research communities sometimes use only the linearized (DC) power flow model to approximate the AC power flow model [41]. The DC power flow model stems from the AC power flow equations. For consistency, the DC power flow model and its relation to the AC power flow model are briefly reviewed.
The AC power flow equations in polar coordinate form can be represented as:
$$
P_i = V_i \sum_{j=1}^{n} V_j \left( G_{ij}\cos\theta_{ij} + B_{ij}\sin\theta_{ij} \right), \qquad
Q_i = V_i \sum_{j=1}^{n} V_j \left( G_{ij}\sin\theta_{ij} - B_{ij}\cos\theta_{ij} \right),
$$
where $P_i$ and $Q_i$ are the real and reactive bus power injections at bus $i$, $V_i$ and $\theta_i$ are the voltage magnitude and angle at bus $i$, $\theta_{ij} = \theta_i - \theta_j$, $G_{ij}$ and $B_{ij}$ are the real and imaginary parts of the corresponding element of the bus admittance matrix, $i = 1, \cdots, n$, and $n$ is the total number of buses.
The DC power flow model is based on the following four assumptions:
1) Branch reactance is much bigger than branch resistance, such that branch susceptance can be approximated by $b_{ij} \approx -1/x_{ij}$.
2) The difference of voltage angles between the two buses of a branch is small, and therefore $\sin\theta_{ij} \approx \theta_i - \theta_j$ and $\cos\theta_{ij} \approx 1$.
3) The susceptance of each bus relative to ground can be neglected: $b_{i0} = b_{j0} \approx 0$.
4) Each bus's voltage magnitude is taken to be 1 per unit.
On the basis of the above four assumptions, the real power flow through a branch can be calculated as
$$P_{ij} = \frac{\theta_i - \theta_j}{x_{ij}},$$
such that bus real power injections can be computed as
$$P_i = \sum_{j \in R_i} P_{ij} = B'_{ii}\theta_i + \sum_{j \in R_i} B'_{ij}\theta_j, \qquad i = 1, \cdots, n, \tag{1}$$
B. Power System State Estimation
Monitoring the voltages and power flows of a power system is of great importance in maintaining system reliability. To guarantee the continuous operation of a power system, power engineers deploy meters and devices to monitor system states and report the readings to CC, which estimates the state variables based on these meter measurements. The state estimation problem is to estimate the state variables $x = (x_1, \cdots, x_n)^T$ from the meter measurements $z = (z_1, \cdots, z_m)^T$, where $n$ and $m$ are natural numbers and $x_i, z_j \in \mathbb{R}$ for $i = 1, \cdots, n$ and $j = 1, \cdots, m$ [4]. More precisely, suppose $e = (e_1, \cdots, e_m)^T$ are the measurement errors, where $e_j \in \mathbb{R}$ and $j = 1, \cdots, m$; then the state variables are related to the meter measurements via the following model:
$$z = h(x) + e, \tag{2}$$
where $h(x) = (h_1(x_1, \cdots, x_n), \cdots, h_m(x_1, \cdots, x_n))^T$ and each $h_i(x_1, \cdots, x_n)$ is a function of $x_1, \cdots, x_n$. The state estimation problem is to look for an estimate $\hat{x}$ of $x$ which best fits the meter measurement $z$ according to Eq. (2). For state estimation utilizing the DC power flow model of Section II-A, Eq. (2) reduces to a linear regression model:
$$z = Hx + e,$$
where $H = (h_{ij})_{m \times n}$. Three statistical estimation criteria are often utilized in state estimation, i.e., the maximum likelihood criterion, the minimum variance criterion, and the weighted least-squares criterion [4]. When the meter error is assumed to be normally distributed with zero mean, the three criteria lead to the same estimator, computed as the following matrix solution:
$$\hat{x} = (H^T W H)^{-1} H^T W z,$$
where $W$ is a diagonal matrix whose elements are the reciprocals of the variances of the meter errors. That is,
$$W = \operatorname{diag}\left(\sigma_1^{-2}, \sigma_2^{-2}, \cdots, \sigma_m^{-2}\right),$$
where $\sigma_i^2$ is the variance of the $i$-th meter ($1 \le i \le m$). Power research communities conventionally compute the measurement residual $z - H\hat{x}$ (i.e., the vector deviation between the observed measurements and the estimated measurements) and use its $L_2$-norm $\|z - H\hat{x}\|$ to detect the presence of inconsistent measurements. A practical caveat: this residual test only flags measurement sets that are inconsistent with the linear model $z = Hx$, so a set of corrupted reports that remains consistent with $H$ is not detected by the residual alone.
Continuing Eq. (1) of Section II-A: there, $R_i$ is the subset of buses which are directly linked to bus $i$, $B'_{ij} = -x_{ij}^{-1}$, $B'_{ii} = -\sum_{j \in R_i} B'_{ij} = \sum_{j \in R_i} x_{ij}^{-1}$, and $x_{ij}$ is the branch reactance (the signs follow from $P_{ij} = (\theta_i - \theta_j)/x_{ij}$). It is obvious that this is a series of linear algebraic equations. In matrix form, Eq. (1) can be expressed as
$$P = B'\theta.$$
Suppose bus $n$ to be the swing bus and let $\theta_n = 0$; then $B'$ is a square matrix of dimension $(n - 1)$.
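The estimator and residual test of Sections II-A and II-B, worked through on a constructed 4-bus network as an added example (this is not the paper's code). It builds $B'$ as in Eq. (1), takes each non-swing bus's PMU report $(P_i, \theta_i)$ as the measurement vector so that $H = [B'; I]$, computes $\hat{x}$ with the weighted least-squares formula, and compares $\|z - H\hat{x}\|$ for honest reports against reports in which the PMU at bus 2 adds 0.3 rad to its phase angle. The reactances, meter variances, true angles and the spoofing offset are all assumed values.

```python
"""DC power flow state estimation with a measurement-residual check.
Added example for this page (not the paper's code). The 4-bus network,
meter variances and the spoofing offset are constructed for illustration."""

# Constructed network: (from_bus, to_bus, reactance x_ij in per unit).
# Bus 4 is the swing bus (theta_4 = 0), so the state is x = (theta_1, theta_2, theta_3).
BRANCHES = [(1, 2, 0.20), (1, 3, 0.25), (2, 3, 0.40), (2, 4, 0.50), (3, 4, 0.30)]
N_BUS, SWING = 4, 4
SIGMA_P, SIGMA_THETA = 0.01, 0.001   # assumed meter standard deviations (pu, rad)


def build_bprime(branches, n_bus, swing):
    """B' of P = B' theta (Eq. (1)): B'_ii = sum_{j in R_i} 1/x_ij, B'_ij = -1/x_ij,
    with the swing bus row and column removed."""
    full = [[0.0] * n_bus for _ in range(n_bus)]
    for i, j, x in branches:
        b = 1.0 / x
        full[i - 1][i - 1] += b
        full[j - 1][j - 1] += b
        full[i - 1][j - 1] -= b
        full[j - 1][i - 1] -= b
    keep = [k for k in range(n_bus) if k != swing - 1]
    return [[full[r][c] for c in keep] for r in keep]


def transpose(a):
    return [list(col) for col in zip(*a)]


def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def solve(a, b):
    """Solve a X = b by Gauss-Jordan elimination with partial pivoting
    (a square, b given as a list of rows). Raises if a is singular, which
    for H^T W H means the measurement set does not make the system observable."""
    n = len(a)
    m = [ra[:] + rb[:] for ra, rb in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular matrix: system is not observable")
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n:] for row in m]


def measurement_matrix(bprime):
    """Every non-swing bus's PMU reports (P_i, theta_i), as in the reference UPB
    model, so z = H x with H = [B'; I]: injection rows first, then angle rows."""
    n = len(bprime)
    identity = [[1.0 if r == c else 0.0 for c in range(n)] for r in range(n)]
    return [row[:] for row in bprime] + identity


def weight_matrix(n):
    """W = diag(sigma_i^-2), in the row order of measurement_matrix."""
    w = [SIGMA_P ** -2] * n + [SIGMA_THETA ** -2] * n
    return [[w[r] if r == c else 0.0 for c in range(2 * n)] for r in range(2 * n)]


def wls_estimate(H, W, z):
    """x_hat = (H^T W H)^-1 H^T W z (Section II-B)."""
    HtW = matmul(transpose(H), W)
    sol = solve(matmul(HtW, H), matmul(HtW, [[v] for v in z]))
    return [row[0] for row in sol]


def residual_norm(H, z, x_hat):
    """L2 norm of the measurement residual z - H x_hat."""
    hx = [row[0] for row in matmul(H, [[v] for v in x_hat])]
    return sum((zi - hi) ** 2 for zi, hi in zip(z, hx)) ** 0.5


def run_case(theta_true, spoof_bus=None, spoof_delta=0.0):
    """Build consistent measurements from the true angles, optionally let the
    PMU at spoof_bus report theta_i + spoof_delta (threat 1 of Section III-B),
    and return (theta_hat, residual). spoof_bus must be a non-swing bus."""
    bprime = build_bprime(BRANCHES, N_BUS, SWING)
    H = measurement_matrix(bprime)
    p_true = [row[0] for row in matmul(bprime, [[t] for t in theta_true])]
    z = p_true + list(theta_true)
    if spoof_bus is not None:
        z[len(theta_true) + spoof_bus - 1] += spoof_delta   # the angle row of that bus
    x_hat = wls_estimate(H, weight_matrix(len(theta_true)), z)
    return x_hat, residual_norm(H, z, x_hat)


if __name__ == "__main__":
    theta = [0.10, 0.05, -0.02]   # constructed true angles in radians (bus 4 = 0)
    for label, kwargs in (("honest", {}), ("bus 2 spoofs +0.3 rad", {"spoof_bus": 2, "spoof_delta": 0.3})):
        x_hat, r = run_case(theta, **kwargs)
        print(f"{label:>22}: theta_hat={[round(v, 4) for v in x_hat]} residual={r:.3e}")
```

With honest reports the residual is at floating-point noise level, while the single spoofed angle row lifts it to roughly 1. That rise happens because one bus changing only its own $\theta_i$ produces a deviation that is not of the form $Hc$: a consistent deviation would also require the injection rows of its neighbours to change, which a single compromised PMU cannot do. A coordinated deviation of the form $Hc$, spread over enough meters, would leave the residual unchanged, which is the gap the behavior rules of Section IV are meant to close.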
C. Elliptic-Curve-ElGamal Cryptosystem
It is generally believed that the discrete logarithm problem (DLP) in an elliptic curve group is much harder than in other groups. Hence the security of an elliptic curve cryptosystem is comparable with that of other cryptosystems while requiring only a smaller key. In this study, by exploiting the Elliptic-Curve-ElGamal cryptosystem to encrypt the reporting data of each bus, two messages can be encrypted simultaneously, to the $x$-coordinate and the $y$-coordinate of a certain point on the elliptic curve, respectively [40]. Specifically, the Elliptic-Curve-ElGamal cryptosystem consists of three algorithms, key generation, encryption, and decryption, as follows.
1) Key generation: Given the security parameter $\tau \in \mathbb{Z}^+$, perform $\zeta(\tau)$ to get the tuple $(E, P)$, where $E(\mathbb{F}_{2^m})$ is a non-supersingular elliptic curve with $|m| = \tau$, and $P \in E(\mathbb{F}_{2^m})$ is a public generator of $E$. In addition, when a participant $U_i$ wants to register itself in the system, it selects a random integer $x_i$ as its private key and computes the corresponding public key $Y_i = x_i P$. Eventually, $E(\mathbb{F}_{2^m})$, $P$, and all $Y_i$ are published, and each $U_i$ keeps $x_i$ secret.
2) Encryption: When the sender $B$ wants to encrypt messages $M_1$ and $M_2$ for the receiver $A$, $B$ chooses a random integer $k$, and uses the public generator $P$ and $A$'s public key $Y_a$ to compute $Q = kP$ and $kY_a = kx_aP = (x', y')$. Then $B$ sends the pair $(m_1, m_2) = (M_1 x', M_2 y')$ and the point $Q$ to $A$.
3) Decryption: To recover $M_1$ and $M_2$, $A$ uses its private key $x_a$ to compute $x_a Q = x_a k P = (x', y')$ and decrypts as $M_1 = m_1 (x')^{-1}$ and $M_2 = m_2 (y')^{-1}$.
Since decryption divides by $x'$ and $y'$, the sender must choose $k$ such that neither coordinate of $kY_a$ is zero. Note also that the ciphertext is a field multiplication of the message by a coordinate and so provides confidentiality only; integrity of the report comes from the signature applied in Section IV-A.
III. SYSTEM MODEL
A. Reference UPB
We consider a typical cyber-physical smart grid system containing a number of buses linked by transmission lines. Each bus has a meter and/or PMU attached to report measurement data (i.e., bus power injection/load, bus phase angle, etc.) to CC periodically. CC can then estimate the state variables (i.e., bus power injection/load, bus phase angle, line power flow, etc.) to realize real-time monitoring and control. Fig. 2 illustrates the reference unmanned-PMU-attached-to-bus (UPB) embedded system model, characterized by its cyber-physical loop. Specifically, via the communication link between each UPB and CC, the measurement collection and reporting process of each UPB is followed by data synthesis in CC. Then, according to all received measurements, CC performs state estimation. The estimated state variables are used to control the smart grid components (e.g., to increase the output of a power generator) so as to keep the whole system in a healthy condition. For readability, we will use the terms "node", "device" and "UPB" interchangeably in the rest of this paper. The UPB reference model formalizes and represents the general behaviors of a UPB, which allows us to quickly evaluate the survivability of each UPB facing malicious insider threats.
B. Threat Model
It is of vital importance to define the threat model so as to cover the system vulnerabilities. Even though the focus of this study is to detect insider threats, we consider the basic outsider threats at the same time. Specifically, we consider three threats, all aimed at misleading CC into taking inaccurate or wrong actions:
1) The first threat is an insider attacker, a compromised node, that alters the data it is about to report so that the report differs from the real measurement.
2) The second threat is an attacker that tries to obtain the reported measurements of a subset of nodes in order to impair the state estimation performed by CC. This can be either an insider or an outsider attacker.
3) The third threat is an outsider attacker that intercepts and pollutes the reported measurements transmitted over the communication link from each node to CC.

Fig. 2. Reference UPB. (Figure not reproduced: each bus $i$ sends $\mathrm{Enc}(P_i, \theta_i)$ to the Control Center, which holds the measurements $(P_i, \theta_i)$ and the estimates $(\hat{P}_i, \hat{\theta}_i)$ and evaluates the behavior rules for each bus $i$ and each neighbour $j \in N(i)$.)
C. Attacker Prototypes
In this study, we model the attacker behavior and the environment noise (which causes mis-monitoring) by the probability values $p_a$ and $p_{err}$, respectively. Moreover, three attacker prototypes, i.e., reckless, random, and opportunistic [39], are considered.
1) For a reckless attacker, $p_a = 1$ holds. Thus, it launches attacks whenever there is a chance, which impairs the UPB functionality as early as possible.
2) A random attacker launches attacks randomly (with probability $p_a$). Thus, compared with a reckless attacker, it is more deceptive and insidious in impairing the UPB functionality, which makes it more difficult to detect.
3) An opportunistic attacker exploits the sensed $p_{err}$ to launch attacks. Specifically, when $p_{err}$ is higher, the system is more vulnerable, and in such circumstances an opportunistic attacker behaves aggressively. Conversely, when the sensed $p_{err}$ is lower, an opportunistic attacker behaves more conservatively to avoid being detected. Inspired by the demand-pricing model in the field of Economics [42], we model $p_a$ as
$$p_a = C \cdot p_{err}^{\varepsilon},$$
where $C$ is a positive constant. Both conservative and aggressive attack behaviors can then be depicted. When $\varepsilon = 1$, $p_a$ increases linearly with $p_{err}$, which models a conservative opportunistic attacker; when $\varepsilon < 1$, $p_a$ rises much faster than $p_{err}$ itself while $p_{err}$ is still small (since $p_{err}^{\varepsilon} > p_{err}$ for $0 < p_{err} < 1$), which models an aggressive opportunistic attacker, and the degree of aggressiveness is controlled by $\varepsilon$.
IV. OUR PROPOSED BLITHE
In this section, considering the aforementioned threat model and attacker prototypes, we present the concrete methodology of BLITHE. As described in our reference UPB model, CC obtains the reported real-time measurements from each node to estimate the state variables, so as to monitor and ensure the health of the whole smart grid system. In our proposed BLITHE, the measurements, which include the bus power injection/load and the bus phase angle, are measured by the PMU device attached to each bus. The state variables are the phase angles of all the buses, which uniquely determine the state of the whole smart grid system. Therefore, it is of great importance to ensure the accuracy of the reported measurements that CC obtains.
In the following, to prevent the latter two threats considered in Section III-B, we adopt data encryption and signature techniques in Section IV-A to provide confidentiality and integrity for the data report link from each node to CC. Then, to resist the first threat, the behavior rule based insider threat detection methodology is presented in Sections IV-B to IV-F to detect the insider threat that compromises the reported data of each node (without reporting the genuine data). Note that encryption and signing protect the report in transit only; they cannot tell whether a node signed genuine or falsified measurements, which is exactly why the first threat requires the behavior rules.
A. Encryption and Signature on Reported Measurements
Suppose the measurements to be reported by node $i$ are the power injection/load $P_i$ and the bus phase angle $\theta_i$, both given with two decimal places.
Firstly, the measurements $\theta_i$ and $P_i$ are mapped to the corresponding integers by multiplying each by 100. Then the Elliptic-Curve-ElGamal cryptosystem of Section II-C is invoked to encrypt the converted measurements. Subsequently, the popular digital signature algorithm ECDSA [43] is used to sign the resulting ciphertext. Eventually, the signature and ciphertext are transmitted to CC.
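The encryption of a bus report, covering the Elliptic-Curve-ElGamal algorithms of Section II-C and the measurement encoding of Section IV-A, worked through as an added example; this is not the paper's code. Assumptions: the standard prime-field curve secp256k1 stands in for the binary-field curve $E(\mathbb{F}_{2^m})$ the paper names; the messages are $\theta_i$ and $P_i$ scaled by 100 to integers as Section IV-A describes, with a negative load represented modulo the field prime and recovered on decoding; and the ECDSA signature over the ciphertext is omitted.

```python
"""Elliptic-Curve-ElGamal encryption of a bus report (P_i, theta_i).
Added example for this page, not the paper's code. Assumptions: the
prime-field curve secp256k1 stands in for the binary-field curve E(F_2^m)
of Section II-C, and the ECDSA signature of Section IV-A is omitted."""
import secrets

# secp256k1 domain parameters: field prime, generator P (curve y^2 = x^3 + 7), its order.
FIELD_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return x3, (lam * (x1 - x3) - y1) % FIELD_P


def ec_mul(k, p):
    """Double-and-add scalar multiplication k * p."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc


def keygen():
    """Private key x_a and public key Y_a = x_a P (Section II-C, key generation)."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, ec_mul(x, GEN)


def encode(value):
    """Two-decimal measurement -> integer by multiplying by 100 (Section IV-A).
    Negative loads are represented modulo the field prime."""
    return round(value * 100) % FIELD_P


def decode(v):
    """Inverse of encode: values above p/2 are negative loads."""
    if v > FIELD_P // 2:
        v -= FIELD_P
    return v / 100


def encrypt(pub, m1, m2):
    """Q = kP, (x', y') = k Y_a, ciphertext (M1 x', M2 y') as in Section II-C.
    k is re-drawn if either coordinate is zero, since decryption inverts them."""
    while True:
        k = secrets.randbelow(ORDER - 1) + 1
        xp, yp = ec_mul(k, pub)
        if xp and yp:
            break
    return ec_mul(k, GEN), m1 * xp % FIELD_P, m2 * yp % FIELD_P


def decrypt(priv, ct):
    """x_a Q = (x', y'); M1 = m1 x'^-1, M2 = m2 y'^-1."""
    q, c1, c2 = ct
    xp, yp = ec_mul(priv, q)
    return c1 * pow(xp, -1, FIELD_P) % FIELD_P, c2 * pow(yp, -1, FIELD_P) % FIELD_P


def report_roundtrip(priv_cc, pub_cc, theta_i, p_i):
    """A node encrypts (theta_i, P_i) to CC and CC decrypts; returns the decoded pair."""
    ct = encrypt(pub_cc, encode(theta_i), encode(p_i))
    m1, m2 = decrypt(priv_cc, ct)
    return decode(m1), decode(m2)


if __name__ == "__main__":
    cc_priv, cc_pub = keygen()
    print(report_roundtrip(cc_priv, cc_pub, 12.34, -165.5))   # constructed report
```

The ciphertext $(Q, m_1, m_2)$ is what Section IV-A then signs with ECDSA; without that signature an intermediary could scale $m_1$ or $m_2$ and CC would decrypt a scaled measurement, which is the malleability the signature is there to stop.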
B. Behavior Rules
After receiving the data from each node, CC decrypts and verifies each measurement. Our design of the BLITHE reference model depends on the use of simple specification-based behavior rules for CC to analyze all received data collectively, in order to monitor and detect potential attacks on each UPB.
BLITHE focuses on detecting the insider attacker attached to each specific physical device (UPB). It produces a continuous output between 0 and 1, which allows a monitor device to perform insider threat detection on the target trustee via observation. TABLE I lists the behavior rules for detecting a malicious UPB, with the monitor being a peer UPB or CC (see Fig. 2).

TABLE I
BEHAVIOR RULES DESCRIPTION
Rule 1. Description: the difference in phase angle between every two neighbouring buses is less than a certain threshold, i.e., 10-15 degrees. Trustee: UPB. Monitor: UPB/CC. Theoretical foundation and philosophy: Assumption 2) in Section II-A.
Rule 2. Description: the difference in bus phase angle between the reported measurement and the corresponding estimation is less than a certain threshold. Trustee: UPB. Monitor: CC. Theoretical foundation and philosophy: Section II-B.
Rule 3. Description: the difference in bus power injection/load between the reported measurement and the corresponding estimation is less than a certain threshold. Trustee: UPB. Monitor: CC. Theoretical foundation and philosophy: Section II-B.
C. Transforming Rules to State Machines
Each behavior rule reflects a specific state, which covers a
safe state and an unsafe state. A safe state denotes a normal
behavior when the obedience of the behavior rule is observed.
By contrast, an unsafe state denotes a malicious behavior when
the violation of the behavior rule is observed. Therefore, a
behavior rule corresponds to a state variable binding to this
rule, indicating the probability that the node is in a normal or
in malicious behavior status.
A behavior rule specification can be transformed into a state machine via the following procedure. Firstly, the attack behavior indicator, which denotes that a behavior rule is violated, is identified. Then, the obtained attack behavior indicator is transformed into a conjunctive normal form predicate which identifies the involved state components in the implicit state machine. Next, the attack behavior indicators are combined into a boolean expression in disjunctive normal form. Subsequently, the predicate variables are converted into state components of a state machine, and the range of each component is decided at the same time. Finally, the number of states is optimized by compressing states and eliminating illegitimate values.
In the following, based on behavior rules of the reference
UPB model, we illustrate how a state machine is acquired from
a behavior specification.
1) Identify Attack Behavior Indicators: Attacks associated with a UPB will drive the UPB into certain attack behavior indicators, which can be identified by analyzing the specification-based behavior rules. There are three attack behavior indicators, corresponding to violations of the three behavior rules of a UPB listed in TABLE I.
The first UPB attack behavior indicator is that more than one neighbouring UPB (together with CC) notice that the difference between the trustee UPB's reported phase angle and their own exceeds a certain threshold. The trustee and monitor in this case are a certain UPB and its neighbouring UPBs (together with CC), respectively. The second UPB attack behavior indicator is that the difference between the UPB's phase angle measurement reported to CC and the corresponding estimate is above a certain threshold. The trustee and monitor in this case are a certain UPB and CC, respectively. The third UPB attack behavior indicator is that the difference between the UPB's power measurement reported to CC and the corresponding estimate is above a certain threshold. The trustee and monitor in this case are again a certain UPB and CC, respectively.
2) Express Attack Behavior Indicators in a Conjunctive Normal Form: Suppose $w$ is the total number of node $i$'s neighbouring nodes, and the phase angles of node $i$ and its $w$ neighbouring nodes are $\theta_i, \theta_{(i,1)}, \cdots, \theta_{(i,w)}$, respectively. The UPB attack behavior indicators in conjunctive normal form are expressed in TABLE II.
TABLE II
BEHAVIOR RULES (ATTACK BEHAVIOR INDICATORS)
Indicator 1 (Rule 1 violated): the compliance predicate $|\theta_i - \theta_{(i,1)}| \le \alpha_1 \wedge \cdots \wedge |\theta_i - \theta_{(i,w)}| \le \alpha_1$ fails, i.e., at least one neighbour $j$ observes $|\theta_i - \theta_{(i,j)}| > \alpha_1$.
Indicator 2 (Rule 2 violated): $|\theta_i - \hat{\theta}_i| > \alpha_2$.
Indicator 3 (Rule 3 violated): $|P_i - \hat{P}_i| > \alpha_3$.
3) Consolidate Predicates in a Disjunctive Normal Form: the UPB exhibits attack behavior if any indicator holds:
$$\neg\left(|\theta_i - \theta_{(i,1)}| \le \alpha_1 \wedge \cdots \wedge |\theta_i - \theta_{(i,w)}| \le \alpha_1\right) \;\vee\; |\theta_i - \hat{\theta}_i| > \alpha_2 \;\vee\; |P_i - \hat{P}_i| > \alpha_3.$$
4) Identify State Components and Component Ranges: Continuous components are quantized to integer scales within permissible ranges. Specifically, the value of a phase angle lies in the range $[0^\circ, 360^\circ]$. The value of power lies in the range $[-10000\,\mathrm{MW}, 10000\,\mathrm{MW}]$ (positive for a generation bus and negative for a load bus). TABLE III lists the allowed ranges of the UPB state components. The resulting UPB automaton has $360^{w+1} \times 360 \times 20001^2 \approx 8.7 \times 10^{23}$ states (supposing $w = 4$, i.e., a node has 4 neighbouring nodes on average): $360^{w+1}$ for the phase angles of the node and its $w$ neighbours, $360$ for the estimated phase angle, and $20001^2$ for the measured and estimated power. The scale of the yielded automaton is far too large, and the state space is condensed in the next step.

TABLE III
UPB STATE COMPONENTS
Name          Control or Reading   Range
Phase angle   Reading              $[0^\circ, 360^\circ]$
Power         Reading              $[-10000\,\mathrm{MW}, 10000\,\mathrm{MW}]$
5) Optimize State Space: By coarsening the values of the components, the size of the state machine is reduced and the number of states is optimized. For each of the three components, i.e., (i) the phase angle difference between one node and its neighbouring nodes, (ii) the phase angle difference between the measurement and the estimate of the trustee node, and (iii) the power difference between the measurement and the estimate of the trustee node, each of our rules only considers four states: normal/good, medium-warning, great-warning, and unsafe/bad. To depict the rule violation and optimize the state space more subtly and accurately, we perform a transformation on each rule. Specifically, as shown in TABLE IV, the value of the first rule is calculated as the ratio $\beta_1 = \alpha/w$, where $\alpha$ is the number of node $i$'s neighbouring nodes that observe $|\theta_i - \theta_{(i,j)}| > \alpha_1$, for $j = 1, \cdots, w$ (the count $\alpha$ is distinct from the threshold $\alpha_1$). The larger the value of $\beta_1$, the more severely the rule is violated. The value of the second rule is calculated as the phase angle difference $\beta_2 = |\theta_i - \hat{\theta}_i|$, where $\theta_i$ and $\hat{\theta}_i$ are the measurement and the estimate of trustee node $i$'s phase angle, respectively. The larger the value of $\beta_2$, the more severely the rule is violated. The third rule is quantified similarly with the parameter $\beta_3 = |P_i - \hat{P}_i|$.
This treatment generates a condensed UPB state machine with $4 \times 4 \times 4 = 64$ states, only 1 of which is safe, since the trustee and the corresponding monitor readings match for all three components as described in TABLE IV. Among these states, 26 are warning states ($3^3 - 1$, comprising 7 medium-warning states, in which at least one component is at medium-warning and none is higher, and 19 great-warning states, in which at least one component is at great-warning and none is unsafe), since the trustee and monitor readings differ by more than the warning margin for at least one component but do not exceed the unsafe threshold for any component. The remaining 37 states ($64 - 27$) are unsafe/bad because at least one component's difference exceeds the unsafe threshold.
TABLE IV
UPB COMPONENTS' STATES
State            $\beta_1 = \alpha/w$   $\beta_2 = |\theta_i - \hat{\theta}_i|$   $\beta_3 = |P_i - \hat{P}_i|$
safe/good        $[0, a_1]$             $[0, b_1]$                                $[0, c_1]$
medium-warning   $(a_1, a_2]$           $(b_1, b_2]$                              $(c_1, c_2]$
great-warning    $(a_2, a_3]$           $(b_2, b_3]$                              $(c_2, c_3]$
unsafe/bad       $(a_3, 1]$             $(b_3, 360]$                              $(c_3, 20000]$
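The rule evaluation of TABLE IV and the 64-state condensation, carried out in code as an added example (not the paper's code). The threshold $\alpha_1$, the cut points $a_k, b_k, c_k$, the neighbour lists and all reported and estimated values are constructed; bus 4 is scripted to report an angle far from both its neighbours and its estimate. The sweep follows the loop of Fig. 2 (for each bus $i$, for each $j \in N(i)$), and a census of the joint states reproduces the 1/7/19/37 split used in step 6.

```python
"""BLITHE behavior rules (TABLE I, II, IV) evaluated per trustee bus, plus the
condensed 64-state UPB state machine of Section IV-C. Added example for this
page; thresholds, cut points and all measurements below are constructed."""
from itertools import product

STATES = ("G", "MW", "GW", "B")   # good, medium-warning, great-warning, bad
ALPHA_1 = 12.0                    # assumed rule-1 neighbour gap threshold, degrees
CUTS = {                          # assumed (c1, c2, c3) per rule, TABLE IV
    1: (0.25, 0.50, 0.75),        # beta_1 = alpha / w
    2: (0.5, 1.0, 2.0),           # beta_2 = |theta_i - theta_hat_i|, degrees
    3: (5.0, 20.0, 50.0),         # beta_3 = |P_i - P_hat_i|, MW
}

# Constructed reports: bus -> (theta_i, theta_hat_i, P_i, P_hat_i); degrees and MW.
REPORTS = {
    1: (10.0, 10.2, 100.0, 102.0),
    2: (11.0, 10.8, -60.0, -58.0),
    3: (9.5, 9.4, -40.0, -62.0),    # power report 22 MW off its estimate
    4: (40.0, 12.1, 80.0, 79.0),    # compromised: angle far from neighbours and estimate
}
NEIGHBOURS = {1: [2, 3, 4], 2: [1, 4], 3: [1, 4], 4: [1, 2, 3]}


def grade(beta, cuts):
    """[0,c1] -> G, (c1,c2] -> MW, (c2,c3] -> GW, above c3 -> B (TABLE IV)."""
    for state, cut in zip(STATES, cuts):
        if beta <= cut:
            return state
    return "B"


def rule_values(theta_i, neighbour_thetas, theta_hat, p_i, p_hat):
    """(beta_1, beta_2, beta_3) for trustee i. alpha counts the neighbours that
    observe |theta_i - theta_(i,j)| > alpha_1."""
    w = len(neighbour_thetas)
    alpha = sum(1 for t in neighbour_thetas if abs(theta_i - t) > ALPHA_1)
    return alpha / w, abs(theta_i - theta_hat), abs(p_i - p_hat)


def classify(theta_i, neighbour_thetas, theta_hat, p_i, p_hat):
    """Per-rule states as a tuple (rule 1, rule 2, rule 3)."""
    betas = rule_values(theta_i, neighbour_thetas, theta_hat, p_i, p_hat)
    return tuple(grade(b, CUTS[k]) for k, b in zip((1, 2, 3), betas))


def combined_state(per_rule):
    """Class of the joint state: the worst rule output (B if any rule is B)."""
    return max(per_rule, key=STATES.index)


def monitor_sweep(reports=REPORTS, neighbours=NEIGHBOURS):
    """Fig. 2 loop: for each bus i and each j in N(i), evaluate the three rules."""
    result = {}
    for i, (theta_i, theta_hat, p_i, p_hat) in reports.items():
        nb = [reports[j][0] for j in neighbours[i]]
        per_rule = classify(theta_i, nb, theta_hat, p_i, p_hat)
        result[i] = (per_rule, combined_state(per_rule))
    return result


def state_machine_census():
    """Count the 4^3 = 64 joint states by class (expected 1 G, 7 MW, 19 GW, 37 B)."""
    census = dict.fromkeys(STATES, 0)
    for joint in product(STATES, repeat=3):
        census[combined_state(joint)] += 1
    return census


def good_upb_transitions(p_err):
    """Transition probabilities of a good UPB (step 6): 1 - p_err into G and
    p_err * 7/63, 19/63, 37/63 into the MW, GW and B classes."""
    census = state_machine_census()
    probs = {"G": 1 - p_err}
    for s in ("MW", "GW", "B"):
        probs[s] = p_err * census[s] / (64 - census["G"])
    return probs


if __name__ == "__main__":
    for bus, (per_rule, joint) in monitor_sweep().items():
        print(f"bus {bus}: rules={per_rule} state={joint}")
    print(state_machine_census())
    print(good_upb_transitions(0.05))
```

In the sweep the compromised bus 4 is bad on rules 1 and 2, while its honest neighbours land only in medium-warning on rule 1, because just one of their two or three neighbours disagrees with them; that asymmetry is the "minority is subordinate to the majority" effect the first rule relies on.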
6) Behavior Rule State Machine: Here we illustrate how to produce the behavior rule state machine of a UPB device. Based on the behavior rules, the UPB state machine (including 1 good, 7 medium-warning, 19 great-warning, and 37 unsafe states) is produced as follows. Firstly, all the states are numbered $1, \cdots, 64$. Next, to reflect a good, warning (including medium-warning and great-warning), or bad UPB's behavior, $p_{ij}$ is assigned for each pair $(i, j)$ in the state machine, denoting the probability that state $i$ transitions to state $j$.
A good UPB should stay in safe states all the time. However, due to unexpected surrounding noise, system disturbance, or communication faults, it may occasionally be misidentified by the monitor node as being in a warning or unsafe state. Therefore, the compliance degree of a good UPB will be slightly less than, but close to, 1. Let $p_{err}$ model the error probability that a monitor node misidentifies the genuine status of a trustee node due to the aforementioned factors. In the testing phase, for a good UPB seeded in the system, a monitor node is assigned to observe it and measure its $p_{ij}$ in the presence of $p_{err}$. Note that $p_{ij}$ is $1 - p_{err}$ when $j$ is the good state, $p_{err} \times 7/(7+19+37)$ when $j$ is one of the 7 medium-warning states, $p_{err} \times 19/(7+19+37)$ when $j$ is one of the 19 great-warning states, and $p_{err} \times 37/(7+19+37)$ when $j$ is one of the 37 unsafe states. Fig. 3 illustrates the behavior rule state machine for a good UPB in BLITHE. Let G, MW, GW and B be the abbreviations of the good, medium-warning, great-warning and bad outputs of each rule, respectively. Transitions into states composed of G, MW and GW rule outputs are valid, but their margins are ambiguous and warrant attention. Transitions into states containing a B rule output are invalid and cause an alert. Any two states can transition to each other. Each state describes how one of the specific trustee node's attributes matches the counterpart observed by the monitor. For the UPB device, the measurement and estimate of the bus phase angle and of the bus power magnitude are the device attributes of interest. Note that each device, with its specific attributes, owns its own state machine.
Fig. 3. The behavior rule state machine for a good UPB. [Figure: states are labelled by their rule outputs Good (G), Medium-Warning (MW), Great-Warning (GW) and Bad (B); the transition probabilities shown are 1 − perr into the good state, perr × 7/63 into the medium-warning states, perr × 19/63 into the great-warning states, and perr × 37/63 into the bad states.]
For a compromised UPB, pij depends on the attacker's type. A reckless attacker is assumed to stay in unsafe or warning states all the time. However, due to surrounding noise or communication fault, it may occasionally be mistaken by the monitor node as staying in a safe state. In testing phases, for a UPB compromised by a reckless attacker seeded in the system, a monitor node is assigned accordingly to observe and measure its pij. Note that pij is perr when j is the good state, 7/(7 + 19 + 37) × (1 − perr) when j is one of the 7 medium-warning states, 19/(7 + 19 + 37) × (1 − perr) when j is one of the 19 great-warning states, and 37/(7 + 19 + 37) × (1 − perr) when j is one of the 37 unsafe states. Similarly, a random attacker launches an attack with probability pa and stops attacking with probability 1 − pa, in which case it is correctly observed by the monitor node with probability 1 − perr. Therefore, pij is pa × perr + (1 − pa) × (1 − perr) when j is the good state, 7/(7 + 19 + 37) × (pa × (1 − perr) + (1 − pa) × perr) when j is one of the 7 medium-warning states, 19/(7 + 19 + 37) × (pa × (1 − perr) + (1 − pa) × perr) when j is one of the 19 great-warning states, and 37/(7 + 19 + 37) × (pa × (1 − perr) + (1 − pa) × perr) when j is one of the 37 bad states. Fig. 4 illustrates the behavior rule state machine for a UPB compromised by a random attacker in BLITHE.
D. Collect Compliance Degree Data
In this section, we improve the traditional grading strategy
[39] and propose our rule-weight and compliance-distance
based grading strategy to evaluate the compliance degree of
a trustee effectively. One of the remarkable characteristics
of our improved strategy is the adjustable weight for each
rule. The state machine built in Section IV-C is utilized to
collect compliance degrees of the good and/or bad trustees.
Fig. 4. The behavior rule state machine for a UPB compromised by a random attacker. [Figure: same state labels as Fig. 3; the transition probabilities shown are pa × perr + (1 − pa) × (1 − perr) into the good state, and 7/63, 19/63 and 37/63 times [pa × (1 − perr) + (1 − pa) × perr] into the medium-warning, great-warning and bad states, respectively.]
The resulting historical compliance degree information is analyzed to fine-tune the false positive and false negative probabilities so that insider threats are detected optimally under various scenarios. Although our experiments are performed with a range of configurations, we focus on the configurations whose trade-off can be gracefully adjusted to generate a high detection proportion, because the principal objective of BLITHE is safety.
Specifically, for each UPB device assumed to be a good or a bad trustee, we profile its measurements of bus power magnitude and bus phase angle. For insider threat detection of each device (which may not report data genuinely), its behavior is modeled by a stochastic process over states 1, · · · , m with transition probabilities pij as described in Section IV-C, and πj denotes the probability of the device being in state j. Therefore, by summing up all the possible transitions into state j, the probability of the random process being in state j can be represented as

$$\pi_j = \sum_{i=1}^{m} \pi_i p_{ij}.$$

Because there are m states for each node, m such equations can be obtained in total. To avoid infinitely many solutions, one additional equation is added as the constraint condition:

$$\sum_{i=1}^{m} \pi_i = 1. \quad (3)$$
Let $c_j$ denote the "grade" corresponding to state j, which depicts the closeness between the specified "good" behavior and the observed behavior of state j. Then, by summing all the products of each state's probability and "grade", a node's compliance degree c can be expressed as:

$$c = \sum_{j=1}^{m} \pi_j c_j. \quad (4)$$
In BLITHE, we pioneer the rule-weight and compliancedistance based grading strategy as shown in Fig. 5 to evaluate
the compliance degree of a node. It is a general form of
grading strategy, where m and n are the sizes of states and rule
domain of each node, respectively. And the intersection values
bij , for i = 1, · · · , m and j = 1, · · · , n, denote the monitored
behavior data under the considered model. To quantize the
compliance degree, when state j is secure, we assign the value
of 1 to it. However, when state j is insecure, we assign it
with the value within [0, 1], expressing the distance of state
j deviating from the secure state. By integrating the weight factor of each rule concurrently, $c_j$ is formalized as:

$$c_j = \sum_{k=1}^{n} \gamma_k \left(1 - \frac{D_{jk}}{D_{\max}(R_k)}\right),$$

where $\gamma_k$ is the weight of rule k and satisfies $\sum_{k=1}^{n} \gamma_k = 1$, $D_{jk}$ is the distance from the behavior data $b_{jk}$ to the corresponding secure state, and $D_{\max}(R_k)$ is the largest distance from any possible insecure state to the corresponding secure state for $R_k$ (rule k). According to this assignment, if state j is secure under all rules, then $D_{jk} = 0$ for all k = 1, · · · , n, and hence $c_j = 1$. If state j is insecure but still close to a secure state, then $c_j$ is close to 1. By contrast, $c_j$ is close to 0 when state j is far away from a secure state. After all $c_j$ are assigned, recalling Eq. (4), we can evaluate the compliance degree of a node as:
$$c = \sum_{j=1}^{m} \pi_j c_j = \sum_{j=1}^{m} \pi_j \left\{ \sum_{k=1}^{n} \gamma_k \left(1 - \frac{D_{jk}}{D_{\max}(R_k)}\right) \right\}, \quad (5)$$

where $\pi_j$ represents the ratio of time that the node is in state j during the observation period.
Fig. 5. The rule-weight and compliance-distance based grading strategy. [Figure: a grid of monitored behavior data bij with one row per state S1, · · · , Sm (each row carrying its state ID and state probability) and one column per behavior rule R1, · · · , Rn (each column carrying its rule ID and rule weight).]

E. Compliance Degree Distribution

In BLITHE, observing that various perturbations, i.e., surrounding noise and unreliable communications, may affect the evaluation accuracy of the compliance of a device, the Beta distribution from statistics and probability theory is applied to model the node compliance degree. The Beta distribution is chosen because its values can be regarded as a probability, and it can be utilized to depict the prior distribution of that probability. Generally, the Beta distribution is a family of continuous probability distributions defined on the interval [0, 1]. The value 0 represents that the output is completely unacceptable (without compliance), while 1 represents that the output is absolutely acceptable (with best compliance). Moreover, when Bayesian inference is applied, after observing sufficient instances, the Beta distribution can also be exploited to compute the posterior distribution of the probability [39].

Specifically, we model the compliance degree of a node in BLITHE by a random variable X ∼ Beta(α, β), with the probability density function (PDF)

$$f(x; \alpha, \beta) = \frac{\Gamma(\alpha+\beta)}{\Gamma(\alpha)\Gamma(\beta)}\, x^{\alpha-1} (1-x)^{\beta-1},$$

where Γ(·) denotes the gamma function [39], [44]. The cumulative distribution function (CDF) F(x) and the mathematical expectation $E_B[X]$ of X can be computed as follows:

$$F(x) = \int_0^x f(t; \alpha, \beta)\, dt, \quad (6)$$

$$E_B[X] = \int_0^1 x f(x; \alpha, \beta)\, dx = \frac{\alpha}{\alpha+\beta}.$$

Then, by taking advantage of the compliance degree history data (c1, · · · , cn) collected in Section IV-D, the parameters α and β can be estimated via the maximum likelihood method. Mathematically, the maximum likelihood estimates of α and β are obtained by solving the following two equations:

$$\begin{cases}
n \dfrac{\partial \Gamma(\hat\alpha+\hat\beta)/\partial \hat\alpha}{\Gamma(\hat\alpha+\hat\beta)} - n \dfrac{\partial \Gamma(\hat\alpha)/\partial \hat\alpha}{\Gamma(\hat\alpha)} + \sum_{i=1}^{n} \log c_i = 0, \\[2ex]
n \dfrac{\partial \Gamma(\hat\alpha+\hat\beta)/\partial \hat\beta}{\Gamma(\hat\alpha+\hat\beta)} - n \dfrac{\partial \Gamma(\hat\beta)/\partial \hat\beta}{\Gamma(\hat\beta)} + \sum_{i=1}^{n} \log(1 - c_i) = 0,
\end{cases}$$

where

$$\frac{\partial \Gamma(\hat\alpha+\hat\beta)}{\partial \hat\alpha} = \frac{\partial \Gamma(\hat\alpha+\hat\beta)}{\partial \hat\beta} = \int_0^{\infty} (\log x)\, x^{\hat\alpha+\hat\beta-1} e^{-x}\, dx.$$

Commonly, a less general but simpler model, i.e., the single-parameter distribution Beta(1, β) with α set to 1, is considered. In such a circumstance, the PDF is f(x; β) = β(1 − x)^{β−1} [39], and the corresponding maximum likelihood estimate of β can be computed as:

$$\hat\beta = \frac{n}{\sum_{i=1}^{n} \log \frac{1}{1 - c_i}}. \quad (7)$$

F. False Negative and False Positive Rates

In this section, the threshold criterion [39] is considered to describe the false positive probability pfp (misidentifying good devices as bad ones) and the false negative probability pfn (missing bad devices). Although neither pfp nor pfn is desirable, pfn is much worse for the security of the smart grid. Since the key motivation of BLITHE is safety, we seek configurations that achieve high detection rates (low pfn) without unduly sacrificing pfp. Specifically, let CT be the minimum compliance threshold of the system. If a bad node's compliance degree (represented by Xb, with the CDF given by Eq. (6)) exceeds CT, then a false negative happens. Formally, pfn for BLITHE is represented as:

$$p_{fn} = \Pr\{X_b > C_T\} = 1 - F(C_T). \quad (8)$$

On the contrary, if a good node's compliance degree (represented by Xg, with the CDF given by Eq. (6)) does not exceed CT, then a false positive happens. Formally, pfp for BLITHE is represented as:

$$p_{fp} = \Pr\{X_g \le C_T\} = F(C_T). \quad (9)$$
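As an added example (not the paper's code), the following Python implements Eq. (7), the closed-form CDF of Beta(1, β) (Eq. (6) with α = 1, for which F(x) = 1 − (1 − x)^β), the expectation α/(α + β), and Eqs. (8) and (9). It also inverts Eq. (8) to pick the smallest CT that meets a target pfn, which goes beyond the text and is one way a threshold could be derived for a given trustee. The compliance history is synthesized by inverse-CDF sampling of a Beta(1, β) with a known β, so the estimator can be checked against it; the two β values in the usage are constructed, not taken from the paper.

```python
"""Beta(1, beta) compliance-degree model, false negative / false positive rates and
threshold selection (added example)."""
import math

EPS = 1e-12  # a compliance degree of exactly 1 would make log(1 / (1 - c)) blow up


def estimate_beta(history):
    """Eq. (7): maximum likelihood estimate of beta for Beta(1, beta) from c_1..c_n."""
    if not history:
        raise ValueError("empty compliance history")
    total = sum(math.log(1.0 / (1.0 - min(c, 1.0 - EPS))) for c in history)
    return len(history) / total


def cdf(x, beta):
    """Eq. (6) for alpha = 1 in closed form: F(x) = 1 - (1 - x)^beta."""
    return 1.0 - (1.0 - x) ** beta


def expectation(beta):
    """E_B[X] = alpha / (alpha + beta) with alpha = 1."""
    return 1.0 / (1.0 + beta)


def p_fn(ct, beta_bad):
    """Eq. (8): a bad node (compliance ~ Beta(1, beta_bad)) scoring above C_T is missed."""
    return 1.0 - cdf(ct, beta_bad)


def p_fp(ct, beta_good):
    """Eq. (9): a good node (compliance ~ Beta(1, beta_good)) scoring at or below C_T is flagged."""
    return cdf(ct, beta_good)


def select_threshold(beta_bad, max_pfn):
    """Smallest C_T with p_fn <= max_pfn, i.e. (1 - C_T)^beta_bad <= max_pfn (assumed design rule)."""
    return 1.0 - max_pfn ** (1.0 / beta_bad)


def synthetic_history(beta, n):
    """Constructed compliance history: Beta(1, beta) quantiles at (i - 0.5) / n via the inverse CDF."""
    return [1.0 - (1.0 - (i - 0.5) / n) ** (1.0 / beta) for i in range(1, n + 1)]


if __name__ == "__main__":
    bad = synthetic_history(beta=3.0, n=1000)    # constructed low-compliance trustee
    good = synthetic_history(beta=0.08, n=1000)  # constructed high-compliance trustee
    beta_bad, beta_good = estimate_beta(bad), estimate_beta(good)
    ct = select_threshold(beta_bad, max_pfn=0.01)
    print(f"beta_bad={beta_bad:.3f} beta_good={beta_good:.3f} "
          f"E_B[X]_bad={expectation(beta_bad):.3f}")
    print(f"C_T={ct:.4f} p_fn={p_fn(ct, beta_bad):.4f} p_fp={p_fp(ct, beta_good):.4f}")
```

Because Beta(1, β) has a closed-form CDF, pfn and pfp need no numerical integration, and the threshold for a required pfn follows directly from 1 − CT = pfn^(1/β). Raising CT lowers pfn and raises pfp, which is the trade-off the text describes.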
Fig. 6. Sensitivity of node's compliance degree ci to perr or pa. [Figure: four scatter plots of compliance degree versus trial number (1 to 1000); (a) ci versus perr for good nodes, perr ∈ {0.01, 0.02, 0.03, 0.04, 0.05}, compliance degree between 0.94 and 1; (b) ci versus perr for reckless attackers, same perr values, compliance degree between 0 and 0.1; (c) ci versus perr for opportunistic attackers, perr ∈ {0.1, 0.2, 0.3, 0.4, 0.5}; (d) ci versus pa for random attackers, pa ∈ {0.0, 0.2, 0.4, 0.6, 0.8, 1.0}.]
V. PERFORMANCE EVALUATION
In this section, we evaluate the performance of BLITHE via
conducting Monte Carlo simulation and real data simulation
in IEEE benchmark power system.
A. Monte Carlo Simulation
By the aid of Monte Carlo simulation, the compliance
degree history data (c1 , · · · , cn ) of a device is collected, which
allows us to generate random samples repeatedly following the
stochastic process of a device’s state machine. We utilize the
UPB device in the reference model described in Section III
to illustrate the utility of BLITHE for securing smart grid
applications.
Specifically, we simulate the procedures in Section IV-C6
to build the state machines of a good and a bad UPB device.
For a good device, we simulate pij as 1 − perr when j is
the good state, and as perr when j is one of 63 abnormal
states (including 7 medium-warning, 19 great-warning, and
37 unsafe states). For a bad device compromised by a random
attacker with attack probability pa , we simulate pij as (1 −
pa ) × (1 − perr ) + pa × perr when j is the good state, and as
(pa × (1 − perr ) + (1 − pa ) × perr ) /63 when j is one of 63
abnormal states.
Based on the state machine of a UPB device generated
above, we collect the time-dimensional compliance degree
data (c1 , · · · , cn ) through n = 1000 times of Monte Carlo
simulations. In each simulation, we initiate from state 0 and
observe the stochastic process of the device when it goes from
one state to another. We continue this procedure until there is
at least one state which has been sufficiently traversed (i.e.,
100 times). Then we approximate the probability of the device
in state j (denoted as πj ), i.e., the proportion of the number of
transitions to state j to the overall number of state transitions.
In this way, we can obtain one instance of the compliance
degree c using Eq. (4). We repeat a sufficiently large number
(i.e., n = 1000) of test rounds to collect (c1 , · · · , cn ), based on
which we compute the distribution of the compliance degree
of a good and/or a bad device under reckless, opportunistic
and/or random attacks.
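The state machine of Section IV-C6, the stationary distribution constrained by Eq. (3), the rule-weighted grading of Eq. (5), and the Monte Carlo collection of (c1, · · · , cn) described just above can all be exercised with the following Python, added here as an example rather than taken from the paper. Three modelling choices are assumptions of the example: the abnormal-state shares 7/63, 19/63 and 37/63 are treated as group totals and split evenly across the states of each group (so every row of the transition matrix sums to 1); the rule weights are the γ1..γ3 of TABLE VIII; and the compliance distance Djk is taken as the level index 0..3 of rule k in state j, with Dmax(Rk) = 3.

```python
"""UPB behavior-rule state machine, stationary distribution, rule-weighted grading and
Monte Carlo compliance-degree collection (added example)."""
import random
from itertools import accumulate, product

N_RULES, N_LEVELS = 3, 4   # rule outputs G, MW, GW, B  ->  4 x 4 x 4 = 64 states
STATES = list(product(range(N_LEVELS), repeat=N_RULES))  # STATES[0] == (0, 0, 0) is the safe state
GROUP_SIZES = {1: 7, 2: 19, 3: 37}  # medium-warning, great-warning, unsafe (TABLE IV counts)
WEIGHTS = (0.6, 0.2, 0.2)           # gamma_1..gamma_3 from TABLE VIII, sum to 1
D_MAX = N_LEVELS - 1                # assumption: D_jk is the level index 0..3, so D_max(R_k) = 3


def severity(state):
    """0 = safe, 1 = medium-warning, 2 = great-warning, 3 = unsafe: the worst rule output decides."""
    return max(state)


def transition_row(p_err, p_a):
    """p_ij for one row of the state machine (Section IV-C6); the row is the same for every i.
    p_a = 0 is a good UPB, p_a = 1 a reckless attacker, 0 < p_a < 1 a random attacker.
    Assumption: the 7/63, 19/63, 37/63 shares are group totals, split evenly inside each group."""
    p_good = p_a * p_err + (1.0 - p_a) * (1.0 - p_err)
    p_abnormal = 1.0 - p_good
    row = []
    for s in STATES:
        g = severity(s)
        if g == 0:
            row.append(p_good)
        else:  # group share of the abnormal mass, divided by the group's state count
            row.append(p_abnormal * (GROUP_SIZES[g] / 63.0) / GROUP_SIZES[g])
    return row


def stationary_distribution(row, iterations=20):
    """Solve pi_j = sum_i pi_i p_ij subject to Eq. (3), sum_j pi_j = 1, by power iteration on the
    64 x 64 matrix P whose rows are all `row` (one step suffices here, but the loop is general)."""
    m = len(row)
    matrix = [row[:] for _ in range(m)]
    pi = [1.0 / m] * m
    for _ in range(iterations):
        pi = [sum(pi[i] * matrix[i][j] for i in range(m)) for j in range(m)]
        total = sum(pi)
        pi = [p / total for p in pi]
    return pi


def grade(state, weights=WEIGHTS):
    """c_j = sum_k gamma_k (1 - D_jk / D_max(R_k)): 1 for the safe state, 0 when every rule is bad."""
    return sum(w * (1.0 - lvl / D_MAX) for w, lvl in zip(weights, state))


def compliance_degree(pi):
    """Eq. (4)/(5): c = sum_j pi_j c_j."""
    return sum(p * grade(s) for p, s in zip(pi, STATES))


def expected_compliance(p_err, p_a):
    """Compliance degree of the chain via its stationary distribution."""
    return compliance_degree(stationary_distribution(transition_row(p_err, p_a)))


def monte_carlo_history(p_err, p_a, rounds=1000, min_visits=100, seed=1):
    """Collect (c_1..c_n) as in Section V-A: each round walks the chain from state 0 until some
    state has been visited min_visits times, estimates pi_j from visit frequencies and grades it."""
    rng = random.Random(seed)
    cum = list(accumulate(transition_row(p_err, p_a)))
    indices = range(len(STATES))
    history = []
    for _ in range(rounds):
        visits = [0] * len(STATES)
        transitions = 0
        while max(visits) < min_visits:
            j = rng.choices(indices, cum_weights=cum)[0]
            visits[j] += 1
            transitions += 1
        history.append(compliance_degree([v / transitions for v in visits]))
    return history


if __name__ == "__main__":
    for label, p_a in (("good", 0.0), ("random p_a=0.5", 0.5), ("reckless", 1.0)):
        print(f"{label}: exact c = {expected_compliance(0.01, p_a):.4f}")
    hist = monte_carlo_history(0.01, 0.0, rounds=200)
    print(f"good UPB, Monte Carlo mean c = {sum(hist) / len(hist):.4f}")
```

With these assumptions the mean grade over the 63 abnormal states is 31/63 whatever the rule weights are, so a good UPB has c = 1 − perr × 32/63 and a reckless one c = perr + (1 − perr) × 31/63; the Monte Carlo histories scatter around those values, as Fig. 6 shows for the paper's own distances.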
Fig. 6(a) plots n = 1000 points of the compliance degree
raw data for a good UPB node with different perr values.
There are five clusters of compliance degree data, corresponding to each setting of perr . It can be observed that as perr
(the surrounding noise) increases, the cluster of compliance
degree data moves downward, i.e., the good node’s compliance
degree declines. It implies the mechanism that when the noise
increases, there is a higher probability that the monitoring node
mistakes the good UPB node as staying in a bad state.
Fig. 6(b) plots the sensitivity of the compliance degree ci to perr for a bad UPB node compromised by reckless attackers. Similar to Fig. 6(a), there are five clusters of compliance degree data, corresponding to each setting of perr. However, in this circumstance, as perr increases, the cluster of compliance degree data moves upward, i.e., the bad node's compliance degree increases. It implies the mechanism that when the noise increases, there is a higher probability that the monitoring node mistakes the bad UPB node as staying in a good state.
Fig. 6(c) plots the sensitivity of the compliance degree ci to perr for a bad UPB node compromised by opportunistic attackers (with ε = 0.9). Similar to Fig. 6(b), there are five clusters of compliance degree data, corresponding to each setting of perr, and the lower compliance degree correlates with the higher perr. It can be observed that the compliance degree of opportunistic attackers is more sensitive to perr than that of reckless ones. Numerically, the range of the compliance degree spans (0.4, 0.9) for opportunistic attackers, while the counterpart is only within approximately (0.01, 0.07) for reckless ones.
Fig. 6(d) plots the sensitivity of the compliance degree ci to pa for a bad UPB node compromised by random attackers. There are five clusters of compliance degree data, corresponding to each setting of pa. It can be observed that as pa increases, the cluster of compliance degree data moves downward, i.e., the compliance degree of the bad node declines. It implies the mechanism that when the bad UPB node attacks more frequently, the attacker is detected more easily, and thus the measured compliance degree decreases.
With the compliance degree history data (c1 , · · · , cn ) of a
good or bad UPB device at hand, we can apply Eq. (7) to
estimate the parameter of β, and further obtain the probability
distribution Beta(1, β) of the compliance degree for the
trustee node. Then, given the minimum compliance degree
threshold CT as an input, we can calculate the false negative
pf n and false positive pf p probabilities utilizing Eq. (8) and
Eq. (9), respectively. For a trustee in BLITHE, we take priority
to achieve a low false negative probability, since the key
motivation of BLITHE is safety.
TABLE V illustrates values of β, pfn and pfp under different reckless and random attack types, with basic parameter settings of CT = 0.92 and perr = 0.01. The rule-weight and compliance-distance based grading strategy is used to evaluate cj for state j of a random or reckless attacker. In the following, we will show that CT, as a design parameter, can be fine-tuned to trade off false negatives against false positives according to different safety criticality. It can be observed that, when pa is high, the attacker is easily detected, as manifested by a low false negative probability. Especially, when pa = 1, the reckless attacker can rarely be missed. On the other hand, when pa decreases, the attacker becomes more insidious and hidden, reflected by the increase of the false negative probability. Note that the false positive probability stays the same regardless of the attack probability, because it is a metric which evaluates the detection error regarding good nodes only.

TABLE V
VALUES OF β, pfn AND pfp UNDER DIFFERENT RECKLESS AND RANDOM ATTACK TYPES (CT = 0.92 AND perr = 0.01)

Attack Type              | β     | pfn (%) | pfp (%)
Reckless Attack (pa = 1) | 99.57 | 0.0008  | 17.21
Random Attack (pa = 0.8) | 4.33  | 0.0018  | 17.21
Random Attack (pa = 0.6) | 1.95  | 0.73    | 17.21
Random Attack (pa = 0.4) | 1.09  | 6.31    | 17.21
Random Attack (pa = 0.2) | 0.63  | 20.26   | 17.21
TABLE VI
VALUES OF β, pfn AND pfp UNDER DIFFERENT OPPORTUNISTIC ATTACK TYPES (CT = 0.92, perr = 0.01 AND C = 10)

Opportunistic Attack Type   | pa   | β    | pfn (%) | pfp (%)
Conservative Attack (ε = 1) | 0.1  | 0.44 | 32.33   | 17.21
Aggressive Attack (ε = 0.9) | 0.16 | 0.55 | 24.86   | 17.21
Aggressive Attack (ε = 0.8) | 0.25 | 0.73 | 15.76   | 17.21
Aggressive Attack (ε = 0.7) | 0.4  | 1.08 | 6.47    | 17.21

Likewise, TABLE VI illustrates values of β, pfn and pfp under different opportunistic attack types, with basic parameter settings of CT = 0.92, perr = 0.01 and C = 10. The rule-weight and compliance-distance based grading strategy is used to evaluate cj for state j of an opportunistic attacker. It can be observed that, when ε decreases, the opportunistic attacker exposes more aggressive attack behaviors and can therefore be detected more easily.
Our behavior rule based insider threat detection methodology allows one to adjust the minimum compliance degree threshold CT to achieve a satisfactory pfn while keeping pfp as low as possible.
Fig. 7(a) plots the relationship between pfn and CT for detecting random attackers with different values of pa. For each curve, it can be observed that pfn = 1 when CT = 0, and pfn = 0 when CT = 1, regardless of the value of pa. Meanwhile, pfn decreases when pa increases, since a bad node is more likely to be detected when it behaves more maliciously.
Fig. 7(b) plots the relationship between pfn and CT for detecting reckless attackers (pa = 1) with different values of perr. Similar to Fig. 7(a), for each curve, pfn = 1 when CT = 0, and pfn = 0 when CT = 1, regardless of the value of perr. Meanwhile, pfn decreases when perr decreases, since the lower surrounding noise is less likely to conceal the malicious behavior of reckless attackers.

Fig. 7. False negatives pfn or false positives pfp versus compliance threshold CT and attack probability pa or surrounding noise perr. [Figure: four surface plots; (a) pfn versus CT and pa for detecting random attackers; (b) pfn versus CT and perr for detecting reckless attackers; (c) pfn versus CT and perr for detecting opportunistic attackers; (d) pfp versus CT and perr for detecting good nodes. CT ranges over [0, 1], pa over [0, 1] and perr over [0, 0.05].]
Fig. 7(c) plots the relationship between pfn and CT for detecting opportunistic attackers (ε = 0.9) with different values of perr. Similar to Fig. 7(b), for each curve, pfn = 1 when CT = 0, and pfn = 0 when CT = 1, regardless of the value of perr. However, unlike Fig. 7(b), it can be observed that pfn decreases when perr increases. It implies the mechanism that the attack probability pa of opportunistic attackers is higher (i.e., they are more aggressive) when the surrounding noise is higher, which increases the probability of being detected and results in a smaller pfn.
Correspondingly, Fig. 7(d) plots the relationship between pfp and CT for detecting good nodes with different values of perr. For each curve, it can be observed that pfp = 0 when CT = 0, and pfp = 1 when CT = 1, regardless of the value of perr. Meanwhile, pfp decreases when perr decreases, since the lower surrounding noise is less likely to cause good nodes to be mistaken as malicious ones.
By adjusting the minimum compliance degree threshold CT, our behavior rule based insider threat detection technique can effectively trade off between pfp and pfn to cope with more sophisticated and hidden attackers. The underlying philosophy is that, by increasing CT, pfn can be effectively reduced at the cost of a higher pfp. This is especially desirable for smart grid applications which require ultra-high safety and security, since even a very small false negative could result in tremendous and dire consequences.
Fig. 8 illustrates a receiver operating characteristic (ROC) graph of the insider threat detection rate 1 − pfn versus the false positive probability pfp. The ROC graph is obtained by adjusting CT, under the rule-weight and compliance-distance based grading policy for detecting reckless or random attackers. We draw a number of ROC curves, corresponding to different values of the attack probability pa. The value of perr is fixed to 0.01. When we increase CT, both the detection rate (vertically up the z-plane) and the false positive probability (toward the right of the graph) increase. It can be seen that, applying our behavior rule based insider threat detection technique, the detection rate of the UPB device can approach 1. That is, an attacker can always be detected without false negatives. Numerically, the false positive probability is upper-bounded by 0.1 for reckless attackers, and 0.3 for random attackers, respectively.

Fig. 8. A ROC graph of rule-weight and compliance-distance based grading strategy for detecting reckless or random attackers (perr = 0.01). [Figure: detection rate (0 to 1) versus pfp (0 to 0.4) for pa from 0.1 to 0.4.]

The results obtained above can be utilized by the system administrator to adaptively select the value of CT to dynamically satisfy the imposed pfn in response to the environment condition (e.g., the surrounding noise) and the suspected attacker type. TABLE VII illustrates one instance, where the maximum allowable pfn, which must be satisfied, is 0.01. Given perr and the attacker type as input, there is a value of CT that has pfn = 0.01 (see Fig. 7(a), Fig. 7(b) and Fig. 7(c), following the z-plane at pfn = 0.01). From the selected value of CT, the corresponding pfp can be determined by Eq. (9). TABLE VII summarizes the settings of CT for all attacker types over a range of perr. For example, to achieve pfn = 0.01 and pfp = 7.51%, the system administrator should set CT to 0.979 when facing the surrounding noise perr = 0.02 and an opportunistic attacker with C = 10 and ε = 0.8. Such a CT is obtained by intersecting the planes of perr = 0.02 and pfn = 0.01 with the hyperplane in Fig. 7(c).

TABLE VII
SELECTING CT TO SATISFY pfn = 0.01 GIVEN perr, pa AND ATTACKER TYPE AS INPUT

Attack type                        |     | perr = 0.01 | perr = 0.02 | perr = 0.03 | perr = 0.04 | perr = 0.05
Reckless (pa = 1)                  | CT  | 0.05   | 0.09   | 0.14   | 0.18   | 0.22
                                   | pfn | 0.01   | 0.01   | 0.01   | 0.01   | 0.01
                                   | pfp | 0.0079 | 0.0202 | 0.0477 | 0.0520 | 0.0709
Random (pa = 0.2)                  | CT  | 0.9994 | 0.9993 | 0.9992 | 0.9991 | 0.9989
                                   | pfn | 0.01   | 0.01   | 0.01   | 0.01   | 0.01
                                   | pfp | 0.0743 | 0.1377 | 0.2074 | 0.2525 | 0.3031
Opportunistic (C = 10 and ε = 0.8) | CT  | 0.997  | 0.979  | 0.910  | 0.754  | 0.481
                                   | pa  | 0.25   | 0.44   | 0.60   | 0.76   | 0.91
                                   | pfn | 0.01   | 0.01   | 0.01   | 0.01   | 0.01
                                   | pfp | 0.0877 | 0.0751 | 0.0630 | 0.0573 | 0.0339

B. Real Data Simulation

In the following, we check the validity of BLITHE by conducting experiments on the IEEE 14-bus test system. We are primarily interested in the feasibility of detecting insider threats on all 14 nodes when they report data to CC. We extract the configuration of the IEEE test system (especially the H matrix, bus phase angle, bus power injection/load, transmission line power flow, etc.) from POWER WORLD for solving optimal power flow problems running in the DC model, as shown in Fig. 9 [45]. For our power system state estimation model, the measurements are the real power injections/loads of all buses. The real power flows of all branches are set as the indirect measurements, which can be easily inferred from the direct measurements of all buses. The state variables are the phase angles of all buses. Based on the estimated phase angle of each bus, the real power injection/load of each bus can be determined uniquely. Then the three behavior rules in Table I are utilized as criteria to detect insider threats on each node. The outputs from POWER WORLD are fed to MATLAB for insider threat detection and data analysis. All experiments are simulated on an HP PC running Windows 7, with one 3.0 GHz Pentium 4 processor and 4 GB memory. The detailed test parameters are listed in TABLE VIII. In order to illustrate our experiment clearly, a flow chart of the major experiment procedures is shown in Fig. 10.

Fig. 9. IEEE 14-bus test system in POWER WORLD. [Figure: one-line diagram of the 14-bus system.]

TABLE VIII
SIMULATION PARAMETERS

Description                                  | Parameter | Value
Probability of mis-monitoring                | perr      | 0.001
Weight of rule 1                             | γ1        | 0.6
Weight of rule 2                             | γ2        | 0.2
Weight of rule 3                             | γ3        | 0.2
Phase angle difference of neighbouring buses | α1        | 15°
Upper-bound of good for rule 1               | a1        | 30%
Upper-bound of medium-warning for rule 1     | a2        | 40%
Upper-bound of great-warning for rule 1      | a3        | 60%
Upper-bound of good for rule 2               | b1        | 15°
Upper-bound of medium-warning for rule 2     | b2        | 30°
Upper-bound of great-warning for rule 2      | b3        | 50°
Upper-bound of good for rule 3               | c1        | 50 MW
Upper-bound of medium-warning for rule 3     | c2        | 150 MW
Upper-bound of great-warning for rule 3      | c3        | 300 MW
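To make the state-estimation step concrete, the following Python is an added example (not the authors' MATLAB code) of DC state estimation on a constructed three-bus, three-line system: with bus 1 as the slack bus, injections and line flows are linear in the remaining phase angles (z = Hθ), θ̂ is the least-squares solution of the normal equations, and P̂ = Hθ̂ gives the estimated injection of each bus, whose distance from the reported value is what rule 3 measures. The line susceptances, the true angles and the tampered report are all constructed for the example, and the values are per-unit rather than MW; the residual concentrating on the tampered bus relies on the redundant line-flow measurements, which is why they are included as the text describes.

```python
"""DC power-flow state estimation on a constructed 3-bus system (added example)."""

# Constructed network: (from_bus, to_bus, susceptance) per-unit; bus 1 is the slack (theta_1 = 0).
LINES = [(1, 2, 10.0), (2, 3, 5.0), (1, 3, 8.0)]
N_BUS = 3


def build_h(lines, n_bus):
    """Rows: injections P_1..P_n, then the flow of each line; columns: theta_2..theta_n.
    DC model: P_i = sum_j b_ij (theta_i - theta_j), F_ab = b_ab (theta_a - theta_b)."""
    n_state = n_bus - 1
    col = lambda bus: bus - 2  # theta_1 is fixed, so theta_k sits in column k - 2
    h = [[0.0] * n_state for _ in range(n_bus + len(lines))]
    for idx, (a, b, susc) in enumerate(lines):
        for bus_from, bus_to in ((a, b), (b, a)):  # injection rows of both end buses
            if bus_from >= 2:
                h[bus_from - 1][col(bus_from)] += susc
            if bus_to >= 2:
                h[bus_from - 1][col(bus_to)] -= susc
        r = n_bus + idx  # flow row for line a -> b
        if a >= 2:
            h[r][col(a)] += susc
        if b >= 2:
            h[r][col(b)] -= susc
    return h


def matvec(h, x):
    return [sum(hij * xj for hij, xj in zip(row, x)) for row in h]


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system a x = b."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]


def estimate(h, z):
    """Least-squares state estimate theta_hat = (H^T H)^-1 H^T z (unit measurement weights)."""
    n_state, n_meas = len(h[0]), len(h)
    hth = [[sum(h[r][i] * h[r][j] for r in range(n_meas)) for j in range(n_state)] for i in range(n_state)]
    htz = [sum(h[r][i] * z[r] for r in range(n_meas)) for i in range(n_state)]
    return solve(hth, htz)


def injection_residuals(h, z, theta_hat, n_bus):
    """|P_i - P_hat_i| for every bus: the quantity rule 3 compares against c1..c3."""
    z_hat = matvec(h, theta_hat)
    return [abs(z[i] - z_hat[i]) for i in range(n_bus)]


H = build_h(LINES, N_BUS)
TRUE_THETA = [0.05, -0.02]       # theta_2, theta_3 in radians (constructed)
TRUE_Z = matvec(H, TRUE_THETA)   # consistent injections and flows, no noise


def tampered_case(extra_p2=0.3):
    """Bus 2 reports an inflated injection while every other report is genuine (constructed)."""
    z = TRUE_Z[:]
    z[1] += extra_p2
    theta_hat = estimate(H, z)
    return theta_hat, injection_residuals(H, z, theta_hat, N_BUS)


if __name__ == "__main__":
    print("genuine theta_hat:", estimate(H, TRUE_Z))
    theta_hat, res = tampered_case()
    print("tampered theta_hat:", theta_hat, "injection residuals:", res)
```

With genuine reports the estimate reproduces the true angles and every residual is zero; with the bus-2 report inflated, the largest injection residual sits on bus 2, while the neighbouring buses pick up a smaller share, which is the 1-hop spill-over the experiments in this section report.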
Fig. 10. A flow chart of major experiment procedures. [Flow chart: Start → iRound = 0; iReportCount = 0 → Data Report (Pi, pa, perr → Pi′, θi′) → State Estimation (Pi′, H → θ̂i, P̂i, P̂ij) → iReportCount++ → if iReportCount ≥ 1000: Behavior Rule Evaluation (Rule 1: (|θ′i − θ′(i,1)| ≤ α1) ∧ · · · ∧ (|θ′i − θ′(i,w)| ≤ α1); Rule 2: |θ′i − θi| ≤ α2; Rule 3: |P′i − Pi| ≤ α3) → Build State Machine → Compute Compliance Degree (ci = Σ_{j=1}^{64} πj {Σ_{k=1}^{3} γk (1 − Djk/Dmax(Rk))}) → iRound++ → if iRound ≥ 2000: Parameterize Compliance Degree Distribution → Compute Expectation of Compliance Degree for Each Node: EB[X] → Insider Threat Detection with CT, pfp, pfn → End; otherwise loop back to Data Report.]

We take random attacks for example in our experiments. Three insider threat scenarios are considered, i.e., the threat on one, two, and three bus(es), respectively. In each of the three scenarios, four test cases with different values of pa are conducted, provided that the error probability perr is fixed at 0.001. For a clear comparison, in each experiment, the value of pa set to each bus is the same.
The mathematical expectation of the compliance degree of each bus, denoted by EB[X], is plotted and compared in the three test cases. The following phenomena are observed clearly from Fig. 11(a), Fig. 11(b) and Fig. 11(c):
1) The value of EB[X] of the buses suffering from insider threats is remarkably low, while the counterparts of the remaining normal buses are hardly affected;
2) The value of EB[X] of each bus suffering from insider threats decreases greatly when pa increases;
3) The value of EB[X] of the buses that are directly connected to (i.e., with 1-hop distance from) the attacked buses is also slightly affected. As the distance increases, the impacts are hardly observed;
4) The distinction of EB[X] between normal buses and the buses suffering from insider threat is obvious even when multiple buses are attacked simultaneously, which indicates the robustness and scalability of our insider threat detection methodology.

Fig. 11. Mathematical expectation of the compliance degree of each bus EB[X] under random attacks with attack probability pa. [Figure: bar charts of EB[X] (0 to 1) over buses 1 to 14; (a) EB[X] under attacks on bus 9, pa = 10%, 20%, 40%, 60%; (b) EB[X] under attacks on buses 4 and 13, pa = 10%, 20%, 35%, 50%; (c) EB[X] under attacks on buses 2, 9 and 13, pa = 10%, 20%, 30%, 40%.]
To conclude, the experiments show that our proposed behavior rule based insider threat detection methodology is effective
and efficient.
VI. COMPARATIVE ANALYSIS
In this section, based on the experiment results from the real data run on the POWER WORLD IEEE 14-bus benchmark system, we compare our proposed BLITHE with the state-of-the-art behavior rule based insider threat detection schemes [24], [38], [39] in terms of the mathematical expectation of the compliance degree of each bus EB[X], which is the key
metric to detect insider threats. Several distance-based grading
strategies (e.g., Hamming, Euclidean, Manhattan, Levenshtein,
etc.) for measuring “grade” and computing the compliance
degree of trustee nodes have been proposed in [24], [38], [39].
However, none of them considers the effect of the weight
of each rule, which causes inaccuracy when evaluating the
behavior of trustees naturally with heterogeneous behavioral
norms. Simulations and experiments show that the rule-weight
and compliance-distance based grading strategy proposed in
BLITHE can effectively address this problem.
In our experiment, the insider threats are simulated on bus
6. We compare the value of EB [X] of all 14 buses in two
scenarios with different grading strategies. One is the existing
strategy [24], [38], [39] with the identical weight for the three
rules. The other is our proposed BLITHE that considers different weights for each rule. It can be seen from Fig. 12(a) and
Fig. 12(b), our proposed rule-weight and compliance-distance
based grading strategy outperforms the existing one in terms of
distinguishing the abnormal nodes. Specifically, although both of them can differentiate the nodes that are far away from (with more than 2-hop distance from bus 6) the suffering node, i.e., with the value of EB[X] approximately equal to 1, our proposed strategy is more effective at differentiating the threat node (bus 6) from the normal nodes within 1-hop (e.g., bus 13). It can be seen clearly that, compared with the existing strategy, with the increase of pa, the value of EB[X] of bus 13 (normal node) in our strategy decreases slightly while that of bus 6 (abnormal node) decreases greatly. Numerically, when pa = 0.6, for the existing strategy, the values of EB[X] of buses 6 and 13 are 0.655667 and 0.9285, respectively, while the corresponding values of EB[X] in our improved strategy are 0.5514 and 0.9527, respectively. The discrimination in our improved strategy is 1.47 times that in the existing strategy. Our improvement is due to the adjustable weight settings for rules. Actually, the weights can be fine-tuned in BLITHE so as to be applied in different scenarios with different attacker prototypes and abnormal extents.
Therefore, our rule-weight and compliance-distance based
grading strategy proposed in BLITHE greatly outperforms
the state-of-the-art strategy in terms of detecting the insider
threats.
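The effect of rule weighting on the EB[X] gap can be reproduced in miniature. The following is an added illustration, not the paper's code: it assumes a linear grading function (compliance degree = 1 − Σ γi·di, with di the per-rule compliance distance of one observation, an assumption of ours) and constructed observation data in which the attacker on bus 6 mainly violates rule 1, while bus 13 shows only small diffuse deviations.

```python
"""Rule-weighted compliance grading: added illustration, not the paper's code.

Assumed (not taken from the paper): each observation of a trustee yields three
compliance distances d_1, d_2, d_3 in [0, 1] (0 = fully compliant with rule i);
the graded compliance degree of one observation is X = 1 - sum_i gamma_i * d_i
with sum_i gamma_i = 1, and E_B[X] is the sample mean over the window.
"""
from statistics import mean

EQUAL_WEIGHTS = (1 / 3, 1 / 3, 1 / 3)   # existing strategy, as in Fig. 12(a)
BLITHE_WEIGHTS = (0.6, 0.2, 0.2)        # BLITHE setting used in Fig. 12(b)


def compliance_degree(distances, weights):
    """Weighted compliance degree of a single observation (assumed linear form)."""
    if len(distances) != len(weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1 and match the number of rules")
    return 1.0 - sum(g * d for g, d in zip(weights, distances))


def expected_compliance(observations, weights):
    """E_B[X]: mean compliance degree of a trustee over its observation window."""
    return mean(compliance_degree(obs, weights) for obs in observations)


def is_abnormal(observations, weights, ct):
    """Flag a trustee whose E_B[X] falls below the threshold CT."""
    return expected_compliance(observations, weights) < ct


def discrimination(normal_obs, abnormal_obs, weights):
    """Gap in E_B[X] between a normal trustee and an abnormal one."""
    return expected_compliance(normal_obs, weights) - expected_compliance(abnormal_obs, weights)


# Constructed sample data (not measurements from the paper): the attacker on
# "bus 6" mostly violates rule 1; the 1-hop neighbour "bus 13" only shows noise.
BUS6_OBS = [(0.8, 0.1, 0.2), (0.9, 0.2, 0.1), (0.7, 0.1, 0.1), (0.85, 0.15, 0.2)]
BUS13_OBS = [(0.05, 0.1, 0.1), (0.1, 0.05, 0.1), (0.05, 0.1, 0.05), (0.1, 0.1, 0.05)]


def compare_strategies():
    """Return (gap with equal weights, gap with BLITHE weights, their ratio)."""
    d_equal = discrimination(BUS13_OBS, BUS6_OBS, EQUAL_WEIGHTS)
    d_blithe = discrimination(BUS13_OBS, BUS6_OBS, BLITHE_WEIGHTS)
    return d_equal, d_blithe, d_blithe / d_equal


if __name__ == "__main__":
    d_equal, d_blithe, ratio = compare_strategies()
    print(f"gap equal={d_equal:.4f} blithe={d_blithe:.4f} ratio={ratio:.2f}")
```

Shifting weight onto the rule the attacker actually violates lowers EB[X] of the abnormal bus far more than that of the normal neighbour, which is the widening gap the paper reports; the numbers here follow from the constructed data, not from the IEEE 14-bus run.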
VII. RELATED WORKS
Insider threats are malicious behaviors perpetrated by a legitimate member (or a compromised device) with authorized system access, called the insider attacker, for malicious goals, e.g., tampering with data or spoofing other members (or normal devices). Since insider attackers have authorized system access and are familiar with the system architecture, they have distinct advantages over outsider attackers in launching attacks stealthily. Over the past few years, several insider threat detection schemes have been proposed [14], [15], [24], [27]–[36], [38], [39], which can be generally classified into three types: signature-based, anomaly-based, and specification-based schemes. Signature-based detection schemes rely entirely on prior information about known attack patterns and utilize data mining methods and algorithms to detect possible attacks [27]–[29]. Although these methods are exceedingly capable of identifying known attacks, their detection capabilities are imperfect when faced with unknown attack patterns [30]. In contrast, anomaly-based detection systems overcome this problem by treating behaviors as suspicious or anomalous when they deviate from the normal model. Utilizing various techniques, e.g., statistical, distance, profile and model based analytical methods, several anomaly detection schemes have been proposed that try to properly distinguish abnormal from normal behavior [31]–[33]. Unfortunately, conventional anomaly-based detection schemes incur high computational overhead in performing threat detection and regularly have high rates of false alarms [30].
A handful of specification-based insider threat detection schemes have thus far been studied and applied only in the context of communication networks. For example, an insider threat detection system that applies seven types of traffic-based rules to detect insider threats is proposed in [34], and specification-based state machines are considered in [35], [36] for insider threat detection of misbehaving patterns in communication networks. However, the physical environment and the closed-loop control structure of CPS have not yet been considered in the existing literature. In addition, some behavior rule specifications proposed in [24], [38], [39] are impractical because they are too coarse-grained and only address very high-level requirements in some specific research domains.
Today, although insider threat detection for CPS has attracted considerable attention due to the dire consequences of failures, the detection techniques for CPS, especially smart grid, are still in their infancy with very little work reported [14], [15]. Therefore, it is urgently desirable to design effective insider threat detection schemes for securing CPS, like smart grid systems.
[Fig. 12. Comparison of the value of EB[X] of each bus in the IEEE 14-bus system with the insider threat on bus 6. (a) Existing strategy with identical rule weight (γ1 = γ2 = γ3 = 1/3). (b) BLITHE with different rule weights (γ1 = 0.6, γ2 = γ3 = 0.2). Both panels plot EB(X) (y-axis) against pa (x-axis, 0.1 to 0.6), one curve per bus 1–14.]
VIII. CONCLUSION
For smart grid, being able to detect insider threats to protect the continuity and accuracy of operation is of vital importance.
In this paper, BLITHE, a behavior rule based insider threat detection methodology, has been proposed to capture insider attacks on physical devices. BLITHE features simplicity, flexibility and accuracy owing to its configurable parameters, including the threshold for distinguishing normal/abnormal devices and the rule weights that accommodate heterogeneous behavioral norms. Through real data based experiments and comparative analysis, we have demonstrated that BLITHE outperforms existing behavior rule based approaches for detecting insider threats.
In future work, we plan to model fine-grained adversary prototypes and design more effective and practical insider threat detection mechanisms based on artificial intelligence techniques (e.g., neural networks [46], ant colony optimization [47], genetic algorithms [48], etc.), such that the system can dynamically and automatically adjust CT to maximize the insider threat detection performance in the face of varying and uncertain attack behaviors.
ACKNOWLEDGMENT
The authors gratefully acknowledge the support of Nanyang Technological University under Grant NTU-SUG (M4081196) and MOE Tier 1 (M4011177). H. Bao is supported in part by the EEE Cybersecurity Research Program, NTU.
REFERENCES
[1] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “EPPA: An efficient and privacy-preserving aggregation scheme for secure smart grid communications,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 9, pp. 1621–1631, 2012.
[2] X. S. Shen, “Empowering the smart grid with wireless technologies [editor’s note],” IEEE Network, vol. 26, no. 3, pp. 2–3, 2012.
[3] R. Deng, Z. Yang, M.-Y. Chow, and J. Chen, “A survey on demand response in smart grids: Mathematical models and approaches,” IEEE Transactions on Industrial Informatics, to appear, DOI: 10.1109/TII.2015.2414719.
[4] A. J. Wood and B. F. Wollenberg, Power Generation, Operation, and Control. John Wiley & Sons, 2012.
[5] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks against state estimation in electric power grids,” ACM Transactions on Information and System Security (TISSEC), vol. 14, no. 1, p. 13, 2011.
[6] J.-M. Lin and H.-Y. Pan, “A static state estimation approach including bad data detection and identification in power systems,” in Power Engineering Society General Meeting, 2007. IEEE, 2007, pp. 1–7.
[7] T. Van Cutsem and M. Ribbens-Pavella, “Bad data identification methods in power system state estimation: A comparative study,” IEEE Transactions on Power Apparatus and Systems, vol. 104, no. 11, 1985.
[8] A. Monticelli, State Estimation in Electric Power Systems: A Generalized Approach. Springer Science & Business Media, 1999, vol. 507.
[9] I. W. Slutsker, “Bad data identification in power system state estimation based on measurement compensation and linear residual calculation,” IEEE Transactions on Power Systems, vol. 4, no. 1, pp. 53–60, 1989.
[10] Z. Xiao, Y. Xiao, and D.-C. Du, “Non-repudiation in neighborhood area networks for smart grid,” IEEE Communications Magazine, vol. 51, no. 1, pp. 18–26, 2013.
[11] C. Rottondi, M. Savi, D. Polenghi, G. Verticale, and C. Kraus, “Implementation of a protocol for secure distributed aggregation of smart metering data,” in Smart Grid Technology, Economics and Policies (SG-TEP), 2012 International Conference on. IEEE, 2012, pp. 1–4.
[12] M. S. Thomas, I. Ali, and N. Gupta, “A secure way of exchanging the secret keys in advanced metering infrastructure,” in Power System Technology (POWERCON), 2012 IEEE International Conference on. IEEE, 2012, pp. 1–7.
[13] H. Kluitenberg, “Security risk management in IT small and medium enterprises,” 2014.
[14] M. Anand, E. Cronin, M. Sherr, M. Blaze, Z. Ives, and I. Lee, “Security challenges in next generation cyber physical systems,” Beyond SCADA: Networked Embedded Control for Cyber Physical Systems, 2006.
[15] A. Cardenas, S. Amin, B. Sinopoli, A. Giani, A. Perrig, and S. Sastry, “Challenges for securing cyber physical systems,” in Workshop on Future Directions in Cyber-Physical Systems Security, 2009.
[16] R. Berthier and W. H. Sanders, “Specification-based intrusion detection for advanced metering infrastructures,” in Dependable Computing (PRDC), 2011 IEEE 17th Pacific Rim International Symposium on. IEEE, 2011, pp. 184–193.
[17] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, “Attacks against process control systems: Risk assessment, detection, and response,” in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ACM, 2011, pp. 355–366.
[18] Y. Chen and B. Luo, “S2A: Secure smart household appliances,” in Proceedings of the Second ACM Conference on Data and Application Security and Privacy. ACM, 2012, pp. 217–228.
[19] P. Jokar, H. Nicanfar, and V. C. Leung, “Specification-based intrusion detection for home area networks in smart grids,” in Smart Grid Communications (SmartGridComm), 2011 IEEE International Conference on. IEEE, 2011, pp. 208–213.
[20] R. Klump and M. Kwiatkowski, “Distributed IP watchlist generation for intrusion detection in the electrical smart grid,” in Critical Infrastructure Protection IV. Springer, 2010, pp. 113–126.
[21] Q. He and R. S. Blum, “Smart grid monitoring for intrusion and fault detection with new locally optimum testing procedures,” in Acoustics, Speech and Signal Processing (ICASSP), 2011 IEEE International Conference on. IEEE, 2011, pp. 3852–3855.
[22] Y. Zhang, L. Wang, W. Sun, R. Green, and M. Alam, “Artificial immune system based intrusion detection in a distributed hierarchical network architecture of smart grid,” in Power and Energy Society General Meeting, 2011 IEEE. IEEE, 2011, pp. 1–8.
[23] Y. Zhang, L. Wang, W. Sun, R. C. Green, and M. Alam, “Distributed intrusion detection system in a multi-layer network architecture of smart grids,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 796–808, 2011.
[24] R. Mitchell and R. Chen, “Behavior rule based intrusion detection systems for safety critical smart grid applications,” IEEE Transactions on Smart Grid, vol. 4, no. 3, pp. 1254–1263, 2013.
[25] J. Wei, D. Kundur, T. Zourntos, and K. Butler-Purry, “Probing the telltale physics: Towards a cyber-physical protocol to mitigate information corruption in smart grid systems,” in Smart Grid Communications (SmartGridComm), 2012 IEEE Third International Conference on. IEEE, 2012, pp. 372–377.
[26] T. Liu, Y. Gu, D. Wang, Y. Gui, and X. Guan, “A novel method to detect bad data injection attack in smart grid,” in INFOCOM, 2013 Proceedings IEEE. IEEE, 2013, pp. 3423–3428.
[27] P. S. Wheeler, “Techniques for improving the performance of signature-based network intrusion detection systems,” Ph.D. dissertation, Citeseer, 2006.
[28] S. Patton, W. Yurcik, and D. Doss, “An Achilles’ heel in signature-based IDS: Squealing false positives in Snort,” Proceedings of RAID 2001, 2001.
[29] G. Vigna, W. Robertson, and D. Balzarotti, “Testing network-based intrusion detection signatures using mutant exploits,” in Proceedings of the 11th ACM Conference on Computer and Communications Security. ACM, 2004, pp. 21–30.
[30] P. Louvieris, N. Clewley, and X. Liu, “Effects-based feature identification for network intrusion detection,” Neurocomputing, vol. 121, pp. 265–273, 2013.
[31] M. V. Mahoney, “Network traffic anomaly detection based on packet bytes,” in Proceedings of the 2003 ACM Symposium on Applied Computing. ACM, 2003, pp. 346–350.
[32] C. Taylor and J. Alves-Foss, “NATE: Network Analysis of Anomalous Traffic Events, a low-cost approach,” in Proceedings of the 2001 Workshop on New Security Paradigms. ACM, 2001, pp. 89–96.
[33] K. Wang and S. J. Stolfo, “Anomalous payload-based network intrusion detection,” in Recent Advances in Intrusion Detection. Springer, 2004, pp. 203–222.
[34] A. P. R. da Silva, M. H. Martins, B. P. Rocha, A. A. Loureiro, L. B. Ruiz, and H. C. Wong, “Decentralized intrusion detection in wireless sensor networks,” in Proceedings of the 1st ACM International Workshop on Quality of Service & Security in Wireless and Mobile Networks. ACM, 2005, pp. 16–23.
[35] S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner, and A. Valdes, “Using model-based intrusion detection for SCADA networks,” in Proceedings of the SCADA Security Scientific Symposium, vol. 46, 2007, pp. 1–12.
[36] B. Dutertre, “Formal modeling and analysis of the Modbus protocol,” in Critical Infrastructure Protection. Springer, 2008, pp. 189–204.
[37] W. Li, Risk Assessment of Power Systems: Models, Methods, and Applications. John Wiley & Sons, 2014.
[38] R. Mitchell and R. Chen, “Adaptive intrusion detection of malicious unmanned air vehicles using behavior rule specifications,” IEEE Transactions on Systems, Man, and Cybernetics, vol. 44, no. 5, pp. 593–604, 2014.
[39] R. Mitchell and R. Chen, “Behavior rule specification-based intrusion detection for safety critical medical cyber physical systems,” IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 1, pp. 16–30, 2015.
[40] S. Sutikno, A. Surya, and R. Effendi, “An implementation of ElGamal elliptic curves cryptosystems,” in Circuits and Systems, 1998. IEEE APCCAS 1998. The 1998 IEEE Asia-Pacific Conference on. IEEE, 1998, pp. 483–486.
[41] D. Van Hertem, J. Verboomen, K. Purchala, R. Belmans, and W. Kling, “Usefulness of DC power flow for active power flow analysis with flow controlling devices,” in AC and DC Power Transmission, 2006. ACDC 2006. The 8th IEE International Conference on. IET, 2006, pp. 58–62.
[42] O. Yilmaz and R. Chen, “Utilizing call admission control for pricing optimization of multiple service classes in wireless cellular networks,” Computer Communications, vol. 32, no. 2, pp. 317–323, 2009.
[43] D. Johnson, A. Menezes, and S. Vanstone, “The elliptic curve digital signature algorithm (ECDSA),” International Journal of Information Security, vol. 1, no. 1, pp. 36–63, 2001.
[44] S. M. Ross, Introduction to Probability Models. Academic Press, 2014.
[45] H. Kaur, Y. Brar, and J. S. Randhawa, “Optimal power flow using Power World simulator,” in Electric Power and Energy Conference (EPEC), 2010 IEEE. IEEE, 2010, pp. 1–6.
[46] L. A. Zadeh, “Toward a theory of fuzzy information granulation and its centrality in human reasoning and fuzzy logic,” Fuzzy Sets and Systems, vol. 90, no. 2, pp. 111–127, 1997.
[47] C.-F. Juang, C.-W. Hung, and C.-H. Hsu, “Rule-based cooperative continuous ant colony optimization to improve the accuracy of fuzzy system design,” IEEE Transactions on Fuzzy Systems, vol. 22, no. 4, pp. 723–735, 2014.
[48] J. J. Grefenstette, “Optimization of control parameters for genetic algorithms,” IEEE Transactions on Systems, Man and Cybernetics, vol. 16, no. 1, pp. 122–128, 1986.