
Data-driven Online Detection of Replay Attacks on Wide-Area Measurement Systems

Kaustav Chatterjee and S. A. Khaparde
Department of Electrical Engineering
Indian Institute of Technology Bombay
Powai, Mumbai 400076

Email: [email protected], [email protected]

Abstract—Attacks replaying pre-recorded data packets are difficult to detect since these are copies of actual disturbance data from a previous time instant. Assuming that only a few sensors can actually be tampered with at any given time, it is suggested that the incoherence between the actual and tampered sensor readings be used in flagging an attack. Aligned to this theme, the paper presents two different schemes for replay attack detection. The singular value decomposition approach proposed in the paper is based on the relative change in ratios of dominant singular values of a data window sliding in time, while the proposed Pearson correlation based approach utilizes the time-series correlation between the neighboring PMU measurements as an instrument for attack detection. It is proposed that these detection schemes be incorporated in the wide area monitoring system as data preprocessing units for anomaly identification. The effectiveness of the detection schemes is studied on a test system and their merits and limitations are discussed.

Index Terms—Wide Area Monitoring, Replay Attacks, Singular Value Decomposition, Pearson Correlation, Cyber Security.

I. INTRODUCTION

Large-scale deployment of Phasor Measurement Units (PMU) across wide geographies, augmented by rapid advances in communication technologies, has contributed to better visualization and monitoring of dynamical events in today's power system. The Wide Area Monitoring System (WAMS), as it is called, forms the backbone of the transmission system, providing the control room with the situational awareness necessary for operating the grid reliably under disturbances. However, the security of these applications hinges on the security of the cyber infrastructure for transport of data. Studies [1], [2] have explored the vulnerabilities associated with the cyber layer and the possibilities of malicious intrusions jeopardizing the secure operation of WAMS. These have emphasized the need for anomaly detection engines to be incorporated within the traditional WAMS for detecting and filtering out malicious data from regular measurements [3].

The taxonomy of cyber attacks on the power system is constantly evolving with fresh discoveries of vulnerabilities and attack surfaces. In a replay attack [1] on WAMS, the adversary replays a set of prerecorded data packets so as to deceive the operator into taking wrong actions. The motives behind these attacks can be many, some involving monetary gains while others are simply disruptive. There is an extensive literature on detection and mitigation of attacks on cyber-physical systems, and power systems in particular. However, it is impossible to design a single algorithm or method to take care of all types of anomalies and intrusions. Therefore, efforts have been directed towards the development of domain-specific and anomaly-specific detection regimes.

Detection and resilient control against replay attacks have been studied in [4]–[6]. The authors in [4] assume that the system model is known a priori, and based on this linear time-invariant model, Kalman filter based and Linear Quadratic Gaussian controller based detection methods are developed. However, for large transmission networks, it is hard to develop accurate linearized models of the system without much approximation. Even then, the linearized models would depend heavily on the knowledge of system parameters and would vary with loading conditions. In contrast, the methods suggested in this paper are model-free and the detection schemes are designed based on spatio-temporal correlation between sensor readings. As an alternative to this approach, researchers in [6] have injected harmonic oscillations in the system at non-linear time intervals. Since the attacker cannot respond to these random disturbances, the attack can be detected using signal processing. However, generating a nonlinear function that can approximate a given inverse describing function (needed for producing robust oscillations) remains a challenge for a practical system involving hundreds of buses.

The primary focus of this paper is to design an anomaly detection engine which would act as a pre-processing block to differentiate between data packets coming from an actual fault or disturbance and those being replayed by an attacker from a previous fault instant. The degree of correlation in the sensor measurements and the extent to which they reflect a common trend is central to the detection approaches presented here. The main contributions of this paper are as follows:

• Development of a singular value decomposition based replay attack detection scheme which uses the relative change in the dominant singular values of a moving window of measurements as a metric for detection,

• Development of a Pearson correlation based detection scheme exploiting the correlation in time-series measurement data, which in addition to triggering alarms for replay attacks can identify the location of the attack bus.

978-1-5386-6159-8/18/$31.00 © 2018 IEEE

Proceedings of the National Power Systems Conference (NPSC) - 2018, December 14-16, NIT Tiruchirappalli, India


The detection schemes suggested in the paper are data-driven and thus eliminate the imperfections arising from modeling inaccuracies.

The paper does not highlight the challenges of hacking a substation computer but assumes a theoretical possibility of its security being breached. Attention is given to the development of independent, power system domain specific security measures which could act as secondary lines of defense.

The paper is organized into five sections. Section II introduces the concept of replay attack in wide area monitoring and the need for a coordinated detection scheme. The singular value based and the Pearson correlation based detection approaches are discussed in Sections III and IV with suitable examples and case studies. The concluding remarks and the future scope are highlighted in Section V.

II. REPLAY ATTACKS ON WAMS

Attacks aimed at jeopardizing the stable operation of a power system seek to intrude into the substation measurement and/or communication system, thereby taking control of the data packets being sent out from the substation. The phasor measurement units can be potential targets as they serve as the point of coupling between the physical system, involving relays and CT/PTs, and the cyber system, for communication and transport of data. In replay attacks, the adversary would normally sniff the data packets being sent to the phasor data concentrator, and at the time of attack replace the actual packets with pre-recorded ones. Analyzing the recorded data set, the adversary identifies the periods of disturbance and separates them from ambient data. This pre-recorded disturbance data is then replayed from the sensor terminals to fool the operator into taking actions which could potentially benefit the adversary. A replay attack may also suppress a disturbance from being noticed by the control center by replaying ambient data during the period of disturbance. Since the recorded packets are copies of the original packets and are framed in the same protocol, they cannot be identified as anomalies by usual methods. It is interesting that to launch a replay attack, the adversary need not know the dynamics or the model of the system. However, due to the replay protection feature in some protocols, launching such attacks simultaneously from multiple points may be difficult.

Fig. 1: 4−machine 10−bus system from Kundur [7]

For the purpose of illustration, let us assume that the PMU of bus 9 in the 4-machine 10-bus system in Figure 1 is compromised. During the period when the PMU data is being observed by the attacker, a three-phase fault occurs at the bus at t = 5 s. The fault is cleared at t = 5.2 s, but the transient waveform of this period is captured by the attacker and is played back to the operator at t = 15 s. The voltage magnitude of the bus as reported to the control center is shown in Figure 2. It is to be noted that because of the nature of the attack, the voltage dips at t = 5 s and t = 15 s appear exactly alike and cannot be distinguished by merely observing the voltage waveform of bus 9 alone. This prompts the control center to take corrective action against the presumed fault at t = 15 s, by opening some breaker or by disconnecting a line.

[Figure 2: plot of Bus 9 voltage (pu) against time (s), 0 to 18 s; annotations: Actual Fault, Fault Replay Attack Duration]

Fig. 2: Voltage waveform of Bus 9. Voltage dips at t = 5 s and t = 15 s cannot be distinguished as fault or replay attack

[Figure 3: plot of voltage (pu) against time (s), 0 to 18 s, for Bus 1 to Bus 10; annotations: Actual Fault, Fault Replay Attack Duration]

Fig. 3: Voltage waveform of all buses. Dip at t = 5 s is spatially correlated, but that at t = 15 s is only seen at Bus 9

But if one looks at the voltages of all other buses together, as shown in Figure 3, one can clearly identify the event at t = 15 s as an anomaly. This is because in an actual fault, the neighbouring load buses would also participate in the voltage dip, as shown at t = 5 s of Figure 3. However, in a large system involving a few hundred nodes or more, the operator does not have the luxury of plotting all waveforms. Thus, an automated system needs to be designed which would account for the spatio-temporal correlation in the bus voltage magnitudes to detect anomalies coming from replay attacks.

In the subsequent sections, two detection schemes exploiting the correlation in the voltage measurements are presented. The first method is based on how the singular values of a measurement window vary differently under ambient condition, fault and attack. The second method is based on the correlation in time series data of neighbouring buses and their relative participation in voltage dips resulting from faults.


III. PROPOSED DETECTION SCHEME BASED ON SINGULAR VALUE DECOMPOSITION

The detection scheme presented in this section is based on the idea that under ambient conditions the vectors of PMU data at different instants of time would be copies of one another with minor variations due to measurement inaccuracies and system noise. This would mean that the matrix formed by assembling these vectors is low-rank, with a single dominant singular value and the other values insignificantly small (capturing the variations due to noise). However, at the onset of a disturbance such as a fault, the dynamics of the event would reflect on all singular values, and the values which were previously small would increase a few fold [8].

It is observed in this paper that, for an attack on a single PMU, only the second largest singular value increases in magnitude, whereas if the event is a disturbance like a fault or topology change, the increase can be seen in all singular values including the second. The percentage increase in the second and the third largest singular values is used as a metric for detection. A sudden jump in the second largest singular value triggers an alarm to check the next largest singular value. If the jump is also observed in the third largest singular value and if the percentage increase is above a designed threshold, we call it a regular event; else it triggers the alarm for replay attack.

Let the $m$th PMU measurement available at the $i$th time step be denoted by $y_m^i$. If there are $M$ measurements in total and the window length for computation is $N$, then the measurement matrix at the $k$th instant, formed by assembling the previous $N$ data samples, is written as

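$$Y^{(k)} = \begin{bmatrix} y_1^{k} & y_1^{k-1} & y_1^{k-2} & \cdots & y_1^{k-N+1} \\ y_2^{k} & y_2^{k-1} & y_2^{k-2} & \cdots & y_2^{k-N+1} \\ \vdots & \vdots & \vdots & & \vdots \\ y_M^{k} & y_M^{k-1} & y_M^{k-2} & \cdots & y_M^{k-N+1} \end{bmatrix} \tag{1}$$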

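The Singular Value Decomposition (SVD) [9] of the matrix $Y^{(k)}$ is given by

$$Y^{(k)} = U \Sigma V^T \tag{2}$$

where $U$ and $V^T$ are the orthogonal matrices of left and right singular vectors and the matrix $\Sigma$ is represented as

$$\Sigma = \begin{bmatrix} \Sigma_1 \\ 0 \end{bmatrix} \tag{3}$$

$\Sigma_1$ is the diagonal matrix of the singular values of $Y^{(k)}$, arranged in descending order of magnitude.

$$\Sigma_1 = \begin{bmatrix} \sigma_1 & 0 & \cdots & 0 \\ 0 & \sigma_2 & \cdots & 0 \\ \vdots & 0 & \ddots & 0 \\ 0 & 0 & \cdots & \sigma_r \end{bmatrix} \tag{4}$$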

The computation of singular values is done on a sliding window of a fixed number of data samples. As and when PMU data is streamed in, a fixed number of data samples (the window length) is taken from history to form the measurement matrix $Y^{(k)}$. The computation can be made faster by using recursive algorithms for singular value decomposition.

It should be noted that the jumps in the singular values at the onset of an event may not be instantaneous, but gradual over a few samples. Thus, checking the percentage rise over two immediate windows can lead to false negatives (alarm not triggered when desired). This can be avoided by comparing the singular values from the immediate window with those of a window a few instants past in time. This can ideally be 3−5 time steps, left to the design as allowed by the operator. In our analysis, this past window is denoted by sample number $n$. Since the increase is not instantaneous, the time taken to detect an anomaly is also delayed by a few samples.

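The metrics used for detection are as follows:

(1) Percentage increase in $\sigma_2$,

$$\%\Delta\sigma_2^{(k)} = \frac{\sigma_2^{(k)} - \sigma_2^{(n)}}{\sigma_2^{(n)}} \times 100\% \tag{5}$$

(2) Percentage increase in $\sigma_3$,

$$\%\Delta\sigma_3^{(k)} = \frac{\sigma_3^{(k)} - \sigma_3^{(n)}}{\sigma_3^{(n)}} \times 100\% \tag{6}$$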

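[Figure 4: flowchart with blocks: Initialize Data, k = 1; SVD for kth window; decision $\%\Delta\sigma_2^{(k)} > Th_{\sigma_2}$ (Yes/No); decision $\%\Delta\sigma_3^{(k)} > Th_{\sigma_3}$ (Yes/No); Ambient Condition; Disturbance; Replay Attack; ALARM; WAMS Analytics; Increment, k = k + 1]

Fig. 4: Layout of the proposed detection scheme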

The layout of the detection scheme proposed in this section is outlined in Figure 4. The thresholds ($Th_{\sigma_2}$ and $Th_{\sigma_3}$) are subject to design requirements and are to be chosen based on system operating conditions. It is important to note that this SVD based method can raise an alarm at the onset of an attack but cannot isolate its location. This is because the individual time-series information of the PMUs gets hidden in the composite singular value indices and cannot be identified separately.
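The decision logic of this section, sketched as an added Python example (not the authors' MATLAB code). The 4-bus voltage stream, the thresholds, the `HOLD` delay before judging $\sigma_3$ and the one-decision-per-window rule are assumptions made for the illustration; singular values are taken as square roots of the eigenvalues of $Y Y^T$ so that only the standard library is needed.

```python
import math
import random

FS = 100            # PMU reporting rate, Hz (value used in the paper's case studies)
N_WIN = 100         # window length in samples (assumed; the paper uses 200)
LAG = 5             # compare window k with window n = k - LAG (paper suggests 3-5 steps)
HOLD = 10           # assumed wait after a sigma_2 jump before sigma_3 is judged
TH2 = TH3 = 200.0   # assumed percentage thresholds Th_sigma2 and Th_sigma3


def make_stream(seed=1):
    """Constructed data: 4 bus voltages (pu) with noise, a disturbance at t = 3 s that
    every bus sees with its own depth and swing frequency, and bus index 2 replaying
    its own 2 s recording of that disturbance from t = 7 s."""
    rng = random.Random(seed)
    v0 = [1.03, 1.01, 0.98, 0.97]
    depth = [0.15, 0.25, 0.60, 0.45]
    freq = [0.8, 1.0, 1.3, 2.1]
    t_event, t_replay, total = 3 * FS, 7 * FS, 10 * FS
    rows = []
    for m in range(4):
        row = []
        for k in range(total):
            x = v0[m] + rng.gauss(0.0, 5e-4)
            if k >= t_event:
                tau = (k - t_event) / FS
                x -= depth[m] * math.exp(-tau / 0.3) * math.cos(2 * math.pi * freq[m] * tau)
            row.append(x)
        rows.append(row)
    rows[2][t_replay:t_replay + 2 * FS] = rows[2][t_event:t_event + 2 * FS]
    return rows, t_event, t_replay


def singular_values(window_rows):
    """Singular values of Y (M x N, M small), in descending order, as square roots of
    the eigenvalues of Y Y^T found by cyclic Jacobi rotations."""
    m = len(window_rows)
    a = [[sum(x * y for x, y in zip(window_rows[i], window_rows[j])) for j in range(m)]
         for i in range(m)]
    tol = 1e-22 * sum(a[i][i] for i in range(m)) ** 2
    for _ in range(50):
        if sum(a[p][q] ** 2 for p in range(m) for q in range(p + 1, m)) < tol:
            break
        for p in range(m - 1):
            for q in range(p + 1, m):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(m):      # A <- A J (rotate columns p and q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(m):      # A <- J^T A (rotate rows p and q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted((math.sqrt(max(a[i][i], 0.0)) for i in range(m)), reverse=True)


def pct_rise(now, before):
    """Percentage increase of a singular value, as in (5) and (6)."""
    return (now - before) / max(before, 1e-12) * 100.0


def detect(rows):
    """Return a list of (sample index, label) for every event found in the stream."""
    total = len(rows[0])
    cache = {}

    def sigma(k):   # singular values of the window ending at sample k
        if k not in cache:
            cache[k] = singular_values([r[k - N_WIN + 1:k + 1] for r in rows])
        return cache[k]

    events, k = [], N_WIN - 1 + LAG
    while k < total - HOLD:
        base = sigma(k - LAG)
        if pct_rise(sigma(k)[1], base[1]) > TH2:
            # One changed column is a rank-one update: it lifts sigma_2 but cannot
            # lift sigma_3, whatever the cause. So sigma_3 is judged HOLD samples later.
            rise3 = pct_rise(sigma(k + HOLD)[2], base[2])
            events.append((k, "disturbance" if rise3 > TH3 else "replay attack"))
            k += N_WIN   # one decision per window: skip until the onset has left it
        else:
            k += 1
    return events


if __name__ == "__main__":
    stream, _, _ = make_stream()
    for k, label in detect(stream):
        print(f"t = {k / FS:.2f} s: {label}")
```
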

A. Case Studies on 4-machine 10-bus System

The proposed detection method is tested on the system in Figure 1. The system model with parameters and network data is taken from [7]. The transient stability program developed by [10] is used for dynamic simulations and the packages for detection are prepared in MATLAB (R2015a).

Multiple instances of attacks replaying bus faults and opening of lines were simulated and the performance of the detection was validated for each of these cases. However, due to paucity of space only two such results are reproduced in this paper. The PMU data streaming rate has been assumed to be 100 Hz. A moving window of 200 samples is taken for computation and thus, there is an initial buffer time of 2 s.

[Figure 5: three stacked plots of $\sigma_1$, $\sigma_2$ and $\sigma_3$ against time (s), 5 to 50 s]

Fig. 5: SVD based detection of fault replay attack at bus 9

Figure 5 shows an attack scenario where a three-phase bus-to-ground fault at bus 9 at t = 5 s is replayed at t = 40 s. Observe the pattern in the singular values: as the computation window slides into the disturbance data, a rise in $\sigma_2$ is seen, which is also the case as the window slides into the replay-attack data at t = 40 s. $\sigma_2$ remains high as long as the window contains a combination of pre-disturbance and disturbance data or disturbance and post-disturbance data. The rise in $\sigma_2$ signals the onset of an event; however, it is yet to be identified whether it is a disturbance or an anomaly. This can be addressed by observing the pattern in $\sigma_3$. Note that the rise in $\sigma_3$ is significantly more at t = 5 s compared to that at t = 40 s. This clearly classifies the event at t = 5 s as a disturbance and that at t = 40 s as a replay attack.

Figure 6 simulates opening of a line connecting buses 9 and 10 at t = 10 s. The bus voltage variation recorded at bus 9 is replayed at t = 70 s. Similar to Figure 5, the rise in $\sigma_2$ signals the onset of an event. The nature of the event is ascertained by observing the trend in $\sigma_3$. The event at t = 10 s is classified as a disturbance and that at t = 70 s as a replay attack. Note that the increase in $\sigma_2$ at t = 70 s is slow, which justifies the proposition to compare the singular value at every instant with that of a window a few samples past in time and not with that from the immediate past window.

[Figure 6: plot of voltage (pu) against time (s), 10 to 80 s, for Bus 6, Bus 7, Bus 9 and Bus 10, with annotations Topology Change and Replay Attack; below it, three stacked plots of $\sigma_1$, $\sigma_2$ and $\sigma_3$ against time (s)]

Fig. 6: SVD based detection of attack at Bus 9 replaying a topology change (opening of a line connecting buses 9−10)

Although effective, the method is computationally intensive because of the flops involved in singular value decomposition. Another limitation of the method lies in its inability to identify the location of the attack. Also, because the rise in singular values may be gradual over a few samples, there is a lag in detection. These limitations have been addressed in the detection scheme proposed in the next section.

IV. PROPOSED DETECTION SCHEME BASED ON PEARSON CORRELATION

It has been discussed in the preceding sections how a disturbance following a fault or a topology change would reflect in the voltage waveform of more than one bus. For instance, the voltage dip resulting from a fault would propagate to neighbouring buses, unless a voltage controlled device is installed at the other bus. The degree to which two nodes respond to a disturbance and follow a trend is central to our detection problem. Aligned to this broad theme, the detection scheme proposed in this section exploits the statistical correlation between the voltage time series data of neighboring buses as an indicator to detect malicious corruption in individual PMUs. Contrary to the SVD based method, the algorithm proposed here does not process the PMU data in blocks but analyzes them as individual time series. This not only helps in parallelizing the computation but is also the key to isolating the point of attack.

The correlation coefficient in statistics is defined as a measure of the strength and direction of a linear relationship between two variables on a scatter plot. In algebraic notation, if $x$ and $y$ are two time series representations of data points $\{x_1, x_2, \ldots, x_i, \ldots, x_n\}$ and $\{y_1, y_2, \ldots, y_i, \ldots, y_n\}$, then the Pearson correlation coefficient $r$ [11] for a window of length $N$ is defined as

$$\mathrm{Corr}(x, y) = r = \frac{\sum_{i=1}^{N} (x_i - \bar{x})(y_i - \bar{y})}{\sqrt{\sum_{i=1}^{N} (x_i - \bar{x})^2 \sum_{i=1}^{N} (y_i - \bar{y})^2}} \tag{7}$$

where $\bar{x}$ and $\bar{y}$ are the means of the respective variables in the time window of correlation. The coefficient $r$ can take values between +1 and −1, with ±1 indicating an exact linear (positive +1, negative −1) relationship and 0 implying no correlation at all. The coefficient of determination, expressed as $r^2$, is defined as the variation in the values of $y$ that can be explained by the variation in the values of $x$ [11].

However, in a data set with finite entries it is possible to obtain a non-zero $r$ even when no correlation exists between the variables. Thus, like any other statistical value, $r$ is of little importance unless interpreted properly. One way to do this is to plot the data sets on a scatter plot to observe whether any linear relationship exists.

[Figure 7: four scatter plots of V9 (pu) against V6 (pu), titled Window of Pre-fault Ambient Data, Window of Post-fault Data, Window of Attack, and Window of Pre-fault & Fault Data; r values printed on the panels: 0.9894, 0.9851, 0.9985 and 0.0085]

Fig. 7: Scatter plot for voltage magnitudes of buses 6 & 9. Fault at bus 6. Window length = 2500 samples.

Figure 7 shows the scatter plot for voltage magnitudes of buses 6 and 9 and the correlation coefficients under pre-fault ambient condition, fault, post-fault and replay attack scenarios. It can be seen that as the window slides over data samples from pre-fault, fault and post-fault instances, a significantly high correlation is seen between the voltage values of the two buses, which implies that both these buses respond to any variations and disturbances in unison. As expected, during a replay attack, the voltage magnitudes of buses 9 and 6 do not follow a common trend; this is reflected in the poor value of correlation. The sudden fall in the value of $r$ at the onset of an attack on a single PMU is used in this section as the tool for detecting replay attacks.

Instead of computing the correlation between every pair of nodes (buses), the proposed method reduces the computation by calculating it only between the pairs of nodes connected over an edge (line). The rationale behind such a choice is that the voltage dip/rise following a disturbance reflects more intensely in the electrical neighborhood of the source bus unless controlled by reactive power injection devices. Thus, with the assumption that only a single PMU can be compromised at any time and no voltage support is in place, it is good to check the correlation in the immediate electrical neighborhood.

Between two successive instants of time, if the per unit decrease in $r^2$ between a pair of directly connected nodes exceeds a predefined threshold, an alarm is triggered for a replay attack. The edges (pairs of nodes) triggering the alarm are isolated for analysis and the common node of incidence of these edges is suspected to be the point of attack. In our analysis, the threshold of detection is kept at 0.5.

The condition for attack detection is

$$\frac{r_{k-1}^2 - r_k^2}{r_{k-1}^2} > 0.5 \tag{8}$$

where $r_k^2$ is the coefficient of determination for the $k$th window of PMU data. The detection of an anomaly is almost instantaneous, as the comparison is made with the immediate past window.

The merit of the method is that it can isolate and identify the attack location from the node pairs which trigger the violation alarm. Also, the calculation of the correlation coefficient requires elementary vector scalar products and summations, thus involving less computation compared to singular value decomposition. However, this is somewhat negated by the need for a larger computation window for correlation calculation compared to SVD. The more samples there are, the larger the window and the more accurate the interpretation of $r$.
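An added Python sketch of the edge-wise check in (8) together with the common-node localization (not the authors' MATLAB code). The 5-bus line list, the voltage stream and the rolling-sum update of $r^2$ are assumptions for the illustration; the 100 Hz rate, the 2500-sample window and the 0.5 threshold are the values stated in this section.

```python
import math
import random

FS, N_WIN, THRESH = 100, 2500, 0.5          # reporting rate (Hz), window, threshold
EDGES = [(1, 2), (2, 3), (3, 4), (3, 5)]    # hypothetical line list, not the test system


def make_stream(attacked_bus, seed=7):
    """Constructed voltage magnitudes (pu): a slow load-driven drift common to all
    buses, a 0.2 s fault at t = 30 s seen by every bus, and the attacked bus replaying
    its own 1 s recording of that fault from t = 65 s."""
    rng = random.Random(seed)
    dip = {1: 0.30, 2: 0.40, 3: 0.60, 4: 0.40, 5: 0.35}
    t_fault, t_replay, total = 30 * FS, 65 * FS, 70 * FS
    data = {}
    for bus, depth in dip.items():
        series = []
        for k in range(total):
            v = 1.0 + 0.005 * math.sin(2 * math.pi * 0.05 * k / FS) + rng.gauss(0.0, 2e-4)
            if t_fault <= k < t_fault + FS // 5:
                v -= depth
            series.append(v)
        data[bus] = series
    data[attacked_bus][t_replay:t_replay + FS] = data[attacked_bus][t_fault:t_fault + FS]
    return data, t_replay


def detect(data, edges=EDGES):
    """Return (sample index, alarming edges, suspect buses) at the first alarm, or None.
    Window sums are updated in O(1) per sample instead of being recomputed."""
    buses = sorted(data)
    s1 = {b: 0.0 for b in buses}      # sum of x over the window
    s2 = {b: 0.0 for b in buses}      # sum of x^2 over the window
    sxy = {e: 0.0 for e in edges}     # sum of x*y over the window, per line
    prev = {}
    for k in range(len(data[buses[0]])):
        for sign, j in ((1.0, k), (-1.0, k - N_WIN)):   # add newest, drop oldest
            if j < 0:
                continue
            x = {b: data[b][j] - 1.0 for b in buses}    # r is offset-invariant
            for b in buses:
                s1[b] += sign * x[b]
                s2[b] += sign * x[b] * x[b]
            for a, b in edges:
                sxy[(a, b)] += sign * x[a] * x[b]
        if k < N_WIN - 1:
            continue                                    # window not yet full
        now, alarms = {}, []
        for a, b in edges:
            cov = sxy[(a, b)] - s1[a] * s1[b] / N_WIN
            va = s2[a] - s1[a] ** 2 / N_WIN
            vb = s2[b] - s1[b] ** 2 / N_WIN
            now[(a, b)] = cov * cov / (va * vb) if va > 0 and vb > 0 else 0.0
            r_old = prev.get((a, b), 0.0)
            if r_old > 0 and (r_old - now[(a, b)]) / r_old > THRESH:   # condition (8)
                alarms.append((a, b))
        if alarms:
            # the bus shared by every alarming line is the suspected point of attack
            suspects = set(alarms[0]).intersection(*map(set, alarms[1:]))
            return k, alarms, sorted(suspects)
        prev = now
    return None


if __name__ == "__main__":
    for bus in (3, 5):
        stream, _ = make_stream(bus)
        k, lines, suspects = detect(stream)
        print(f"replay at bus {bus}: alarm at t = {k / FS:.2f} s, lines {lines}, suspects {suspects}")
```

When the attacked bus has a single neighbour, only one line alarms and both of its end buses remain suspects, so the common-node rule needs at least two alarming lines to name one bus.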

A. Case Studies on 4-machine 10-bus System

The proposed detection scheme was tested for multiple attack scenarios on the system described in Figure 1. As discussed in Section III, the system data has been adapted from [7] and the simulations are performed in MATLAB (R2015a). The PMU reporting rate is assumed to be 100 Hz and a moving window of 2500 samples (25 s) is taken for correlation calculation.

In one of many cases, a three-phase fault was simulated at bus 6 at t = 30 s and was cleared in 0.2 s. The fault data was then replayed at the same bus at t = 65 s. As one can see in Figure 8, the correlation between bus 6 and all other buses connected to it (buses 9, 5 and 7) falls sharply at t = 65.02 s, triggering the detection alarm of Section IV and thereby indicating the possibility of an attack. The detection is accurate and almost instantaneous, with a detection lag of 1 sample time. Not shown in the figure is the correlation between other pairs of connected nodes, which either remains high or falls too slowly to trigger the alarm.

[Figure 8: plot of $r^2$ against time (s), 25 to 70 s, for bus pairs 9-6, 5-6 and 2-6; annotation: Replay Attack]

Fig. 8: Bus 6 fault at t = 30 s, attack at t = 65 s

As discussed in Section IV, if one looks into all the node pairs which see a sharp fall in correlation, buses 9 and 6, 5 and 6 and 2 and 6, one can identify bus 6 as the common node of incidence of these edges or node pairs. It can be said that because of a data manipulation at bus 6 these node pairs have suffered the sharp drop in correlation. Thus, it is flagged as the point of attack. Since the data was originally replayed at bus 6 in our simulation, the detection validates the correctness of the proposed approach.

It is to be noted that a drop in correlation in bus pair 2 and 6 is also observed at t = 55 s, but this does not trigger an alarm. This is because the drop is not instantaneous but slow and gradual. The reason is that, as the window of 25 s crosses t = 55.2 s, it has also crossed t = 30.2 s at the other end. This implies that the window now comprises only immediate post-fault data, rich in inter-bus voltage oscillations. Bus 6, being a load bus, participates in the post-fault voltage oscillations, but bus 2, being a generator bus, has smaller variations. This results in a drop in the $r^2$ value, but not one sharp enough to trigger the alarm.

[Figure 9: plot of $r^2$ against time (s), 25 to 70 s, for bus pairs 8-7 and 8-3; annotation: Replay Attack]

Fig. 9: Bus 8 fault at t = 30 s, attack at t = 65 s

Similar results have also been reported for a replay attack at bus 8 in Figure 9. A 0.2 s fault at t = 30 s is replayed at t = 65 s. It is detected at t = 65.02 s with the sharp fall in r² values of node pairs 8-3 and 8-7. Bus 8 is the common node and the suspected point of attack. The gradual decline in r² for the pair 8-7, starting at t = 55.2 s, is because of post-fault oscillations as explained before. Although not clearly seen, there is an instantaneous drop in r² at t = 65.02 s for the pair 8-7.
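The sliding-window correlation check and the common-node localization described above, as an added Python example (not the authors' code). It uses the 25 s window and the bus pairs 9-6, 5-6 and 2-6 from the text; the 0.02 s sample time is inferred from the one-sample lag, and the signal shapes (without post-fault oscillations), the `DROP_LIMIT` threshold and the extra (9, 5) edge are constructed assumptions, since Section IV's alarm criterion is not reproduced here.

```python
import math
from operator import mul

DT, WINDOW = 0.02, 1250      # 0.02 s sample time (inferred), 25 s correlation window
FAULT, REPLAY = 1500, 3250   # sample indices of t = 30 s (fault) and t = 65 s (replay)
DROP_LIMIT = 0.3             # assumed alarm threshold on the one-sample fall in r^2
# Constructed per-bus data: (ambient gain, fault dip in pu, local ripple frequency in Hz)
BUSES = {2: (0.4, 0.15, 0.23), 5: (1.0, 0.30, 0.31),
         6: (1.2, 0.60, 0.43), 9: (0.9, 0.30, 0.53)}
EDGES = [(9, 6), (5, 6), (2, 6), (9, 5)]   # (9, 5) is an assumed extra line

def voltage_deviation(bus, k):
    """Constructed voltage deviation (pu) at sample k; the dip lasts 10 samples (0.2 s)."""
    gain, dip, f_local = BUSES[bus]
    t = k * DT
    common = 0.01 * math.sin(2 * math.pi * 0.1 * t) + 0.005 * math.sin(2 * math.pi * 0.37 * t)
    ripple = 0.001 * math.sin(2 * math.pi * f_local * t)
    return gain * common + ripple - (dip if FAULT < k <= FAULT + 10 else 0.0)

def measurements(n_samples, attacked_bus=None):
    """Per-bus series; from REPLAY on, the attacked bus repeats its record from FAULT."""
    data = {b: [voltage_deviation(b, k) for k in range(n_samples)] for b in BUSES}
    if attacked_bus is not None:
        recorded = data[attacked_bus][FAULT:FAULT + n_samples - REPLAY]
        data[attacked_bus][REPLAY:] = recorded
    return data

def r_squared(x, y):
    """Squared Pearson correlation coefficient of two equal-length windows."""
    n, sx, sy = len(x), sum(x), sum(y)
    cov = n * sum(map(mul, x, y)) - sx * sy
    var_x = n * sum(map(mul, x, x)) - sx * sx
    var_y = n * sum(map(mul, y, y)) - sy * sy
    return cov * cov / (var_x * var_y)

def detect(data):
    """Return (alarm sample index, flagged edges, suspected buses), or None."""
    n_samples = len(data[EDGES[0][0]])
    previous = {}
    for k in range(WINDOW - 1, n_samples):
        lo = k - WINDOW + 1
        current = {e: r_squared(data[e[0]][lo:k + 1], data[e[1]][lo:k + 1]) for e in EDGES}
        flagged = [e for e in EDGES if previous.get(e, 0.0) - current[e] > DROP_LIMIT]
        if flagged:
            # The suspected bus is the node common to every edge whose r^2 fell sharply.
            return k, flagged, set.intersection(*(set(e) for e in flagged))
        previous = current
    return None
```

Calling `detect(measurements(3400, attacked_bus=6))` scans past the genuine fault at t = 30 s, where all buses dip together and no pair is flagged, and raises the alarm only once the replayed dip reaches bus 6 alone.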

V. CONCLUSION

The chapter presents two different schemes for detecting replay attack on wide area measurements. The singular value based approach discussed in Section IV, analyses the trends in magnitudes of dominant singular values of a window of measurements under multiple operating scenarios, and presents a condition for separating faults and outages from attacks based on the relative change in the magnitudes of second and third singular values. The method, however, is slow due to computational overheads and cannot locate the source of the attack. This either needs to be augmented with separate algorithms for attack localization or with resilient monitoring algorithms [3] which, when triggered, replace an anomaly with an estimation of the expected data. But it is robust and is not prone to false triggering under post-fault oscillations.

On the other hand, the Pearson correlation based method in Section IV exploits the correlation in the time series measurement data to isolate the location of an attack bus. The detection is almost instantaneous. But unlike the SVD based approach, it is not robust to false triggering in a post-fault window when there may be relative oscillation between buses. One way to overcome this could be computing correlation between those buses which have common observability of a mode of oscillation. This would be taken into account in an extension of this work in future.

Although the methods have been tested with voltage magnitudes as measurement data, the same can be applied on line current measurements and bus frequency measurements with appropriate processing. However, the relative detection performance with different types of measurement data taken together needs to be tested in future.

REFERENCES

[1] A. Ashok, M. Govindarasu, and J. Wang, “Cyber-Physical Attack-Resilient Wide-Area Monitoring, Protection, and Control for the Power Grid,” Proceedings of the IEEE, vol. 105, no. 7, pp. 1389–1407, Jul. 2017.

[2] K. Chatterjee, V. Padmini, and S. A. Khaparde, “Review of Cyber Attacks on Power System Operations,” in 2017 IEEE Region 10 Symposium, Jul. 2017, pp. 1–6.

[3] K. Mahapatra and N. R. Chaudhuri, “Malicious Corruption-Resilient Wide-Area Oscillation Monitoring using Principal Component Pursuit,” IEEE Transactions on Smart Grid, pp. 1–1, 2017.

[4] Y. Mo and B. Sinopoli, “Secure Control Against Replay Attacks,” in Forty-Seventh Annual Allerton Conference, Jul. 2009.

[5] T. T. Tran, O. S. Shin, and J. H. Lee, “Detection of Replay Attacks in Smart Grid Systems,” in 2013 International Conference on Computing, Management and Telecommunications (ComManTel), Jan. 2013.

[6] A. Hoehn and P. Zhang, “Detection of Replay Attacks in Cyber-Physical Systems,” in 2016 American Control Conference (ACC), Jul. 2016, pp. 290–295.

[7] P. Kundur, Power System Stability and Control. McGraw-Hill, 1994.

[8] K. Mahapatra, N. R. Chaudhuri, R. G. Kavasseri, and S. M. Brahma, “Online Analytical Characterization of Outliers in Synchrophasor Measurements: A Singular Value Perturbation Viewpoint,” IEEE Transactions on Power Systems, vol. 33, no. 4, pp. 3863–3874, Jul. 2018.

[9] G. H. Golub and C. F. V. Loan, Matrix Computations. The Johns Hopkins University Press, Baltimore, MD, 1989.

[10] Pradeep and K. N. Shubhanga, Manual For A Multi-machine Transient Stability Programme. NITK, Surathkal.

[11] R. O. Mason, D. A. Lind, and W. G. Marchal, Statistics: An Introduction. Harcourt Brace Jovanovich, Inc., 1983.
