IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, MONTH 2015 1 BLITHE: Behavior Rule ... · 2015-09-14 · IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, MONTH 2015 1 BLITHE: Behavior

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, MONTH 2015 1

BLITHE: Behavior Rule Based Insider Threat Detection for Smart Grid

Haiyong Bao, Rongxing Lu†, Member, IEEE, Beibei Li, and Ruilong Deng, Member, IEEE

Abstract—In this paper, we propose a Behavior ruLe based methodology for Insider THrEat detection (BLITHE) for data monitoring devices in smart grid, where the continuity and accuracy of operations are of vital importance. Based on the DC power flow model and the state estimation model, three behavior rules are extracted to depict the behavior norms of each device, so that the deviation of a monitored device (trustee) from its behavior specification can be easily checked. Specifically, a rule-weight and compliance-distance based grading strategy is designed, which greatly improves the effectiveness of the traditional grading strategy for evaluating trustees. The statistical property, i.e., the mathematical expectation of the compliance degree of each trustee, is analyzed from both theoretical and practical perspectives, which achieves a satisfactory trade-off between detection accuracy and false alarms for detecting more sophisticated and hidden attackers. In addition, based on real data produced in POWER WORLD for IEEE benchmark power systems, and through comparative analysis, we demonstrate that BLITHE outperforms the state of the art in detecting abnormal behaviors in pervasive smart grid applications.

Index Terms—Insider threat detection, smart grid, security.

I. INTRODUCTION

SMART grid, widely considered to be the next generation of the power grid, has attracted considerable attention in recent years [1]–[3]. As a typical cyber-physical system (CPS), smart grid incorporates information and communications technology (ICT) into the traditional power system, as shown in Fig. 1, and is characterized by sophisticated reliability, efficiency, economy, and sustainability.

[Fig. 1. The conceptual architecture of smart grid: power generation, transmission, distribution and customers, with the Control Center (CC) connected to them by information flow alongside the power flow.]

To ensure that smart grid can operate continuously even when some components fail, power research communities use meters or phasor measurement units (PMUs), placed at important locations of the power system, to monitor system components and report their measurements to the control centre (CC), and the latter can estimate the state variables based on the meter measurements [4]. The estimation utilizes the state estimation model, which heavily relies on the accuracy of the reported measurements that CC receives [5], [6].

The authors are with the School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore 639798 (e-mail: [email protected]; [email protected]; [email protected]; [email protected]).

Recently, smart grid researchers have recognized the threat of bad measurements (or information corruption) and developed techniques to address this challenge [5], [7]–[9]. Information corruption threats in smart grid are very complex, as they can come from both outsiders and insiders. In particular, due to the openness brought by integrating ICT into the power system, some devices could be compromised and become insider attackers. While great efforts have been made to resist outsider attacks, much less attention has been paid to insider ones because of the difficulties stemming from their concealment and latency [10]–[12]. Statistically, according to the 2013 U.S. State Cyber Crime Survey [13], insider threats constitute 34% of all surveyed attacks (outsider threats constitute 31%, and the remaining 35% have unknown/unsure sources), which shows that insider threats have already become one of the main sources of security hazards for cyber and cyber-physical systems.

Today, even though insider threat detection for CPS has attracted considerable concern due to the dire consequences of CPS failure [14], [15], effective and accurate detection techniques for CPS, especially for smart grid, are still in their infancy, with very few studies conducted [16]–[26].

In most of the aforementioned literature, there were no numerical studies of the false positive probability p_fp (i.e., misidentifying good devices as bad) and the false negative probability p_fn (i.e., failing to detect bad devices) [16]–[20]. Even though three of them had miniature numerical data [21]–[23], they merely report one or two data points characterizing p_fn/p_fp instead of a data set that could be transformed into a receiver operating characteristic (ROC) figure, i.e., a p_fn versus p_fp curve. One of them proposed an insider threat detection technique that can effectively balance a small false positive probability p_fp against a high detection probability 1 − p_fn to deal with more sophisticated and hidden threats and support secure applications in smart grid [24]. However, since it only addressed very high-level requirements of smart grid, it is too coarse-grained to be applied in practical scenarios. Two of them tried to exploit the topology restriction and data correlation of smart grid to detect insider threats [25], [26]. However, because both of them only consider very specific scenarios of smart grid, they are not universal and effective solutions. Specifically, in [25], a flocking-based modeling paradigm is designed to identify insider threats in the transient stability process of smart grid. Observing the


characteristics of smart grid from a hierarchical cyber-physical perspective, natural physical couplings amongst power systems are leveraged as telltale signs to identify insider cyber threats. However, the considered threat model is limited to the narrow scenario of the transient stability process, and needs to be extended to generalized circumstances covering the stability process of smart grid. In [26], to improve the sensitivity of the traditional state-estimation-based bad data injection (one type of insider threat) detection method, Liu et al. proposed an adaptive partitioning state estimation (APSE) method to detect bad data injections in smart grid. APSE divides the large system into several subsystems, and the detection procedures are performed recursively in the resulting subsystems until the location of the insider threat is found. However, since the essentials of the traditional method are unchanged, the limitations of traditional state-estimation-based insider threat detection methods still exist, unless the system is divided into very small subsystems so as to locate the threat precisely, at the cost of explosive computational overhead. Moreover, as the authors themselves comment, APSE can only detect bad data on one transmission line, which makes it impractical in some scenarios.

Generally, insider threat detection techniques can be classified into three types: signature-based, anomaly-based and specification-based techniques. Although signature-based detection is exceedingly capable of identifying known attacks [27]–[29], it cannot effectively cope with unknown attack patterns [30]. The proposed anomaly-based schemes utilize resource-constrained sensors and/or actuators for outlining anomaly patterns (e.g., via learning), which suffer from high computational overhead in detecting insider threats and generally have high rates of false alarms [31]–[33]. In the existing literature, specification-based techniques have been proposed only for detecting misbehaving patterns in communication protocols [34]–[36].

Because all electrical devices (e.g., buses, transmission lines, etc.) are connected as a whole system and each state variable must satisfy specific constraints for smart grid to be in equilibrium, topology restrictions and data correlations do exist in smart grid. Therefore, behavior rule specifications can be exploited to depict the behavior criteria and norms of all devices in the system. However, due to the complexity of smart grid and the latency and concealment of insider threats, designing an efficient and effective behavior-rule-specification-based insider threat detection methodology for smart grid still faces many challenges.

In this paper, to deal with the aforementioned challenges, after a complete survey and evaluation of the existing related literature, we propose a new behavior rule based insider threat detection (BLITHE) methodology for smart grid, which improves the accuracy of detection with very low false alarms. In addition, with comprehensive and accurate behavior rule definitions, our proposed methodology can also be easily generalized to other CPSs. Specifically, the major contributions of BLITHE include the following four aspects.

Firstly, as our initial research, we focus on establishing reasonable and accurate behavior rules to detect insider threats using the DC power flow model of smart grid [37]. We expect the results obtained in this paper to serve as the groundwork for future research on generalized power flow models. Specifically, based on the DC power flow model and the state estimation model, three behavior rules are extracted to depict the behavior norms of the devices (buses/nodes) for insider threat detection. Inspired by the universal truth that "the minority is subordinate to the majority", we build the first and key rule to distinguish normal and abnormal devices, which is based on the observation that phase angle differences between neighbouring nodes are within a certain threshold in the DC power flow model and assumes that the majority are normal components. We exploit the theoretical foundation of the state estimation model that normal sensor measurements usually give estimates of the state variables close to their actual values to build the second and third rules for detecting the "inconsistency" (i.e., the insider threats) of bad measurements.

Secondly, considering the fact that each rule usually has a different effect and prominence on the evaluation of the compliance degree of a trustee, a rule-weight and compliance-distance based grading strategy is designed to improve the traditional evaluation strategy [24], [38], [39].

Thirdly, which has not been done in the existing literature, based on real data run in POWER WORLD for IEEE benchmark power systems, we conduct performance evaluations of our proposed BLITHE and compare its effectiveness in insider threat detection with the state of the art.

Finally, we pay particular attention to statistical characteristics, i.e., the mathematical expectation of the compliance degree of each trustee, for the trade-off between detection accuracy and false alarms of insider threat detection, since insights on insider threats relate to long-term behavior modeling and extensive behavioral analysis of internal/legitimate participants.

The remainder of this paper is organized as follows. In Section II, we give a brief review of some preliminaries of our proposed BLITHE. In Section III, we formalize the system model, including the unmanned-PMU-attached-to-bus (UPB) reference model, the threat model and the attacker prototypes. In Section IV, we present the details of BLITHE, aiming to minimize the false negative rate without increasing the false positive rate. In Section V, we evaluate the performance of BLITHE. In Section VI, we perform the comparative analysis with state-of-the-art behavior rule based insider threat detection schemes and demonstrate the advantages of our improved design. In Section VII, we discuss the related work. In Section VIII, we conclude this paper and describe the future work.

II. PRELIMINARIES

In this section, we briefly recall some preliminaries of our proposed insider threat detection methodology for smart grid, including the DC power flow model [37], power system state estimation [5], and the elliptic-curve-ElGamal cryptosystem [40].

A. DC Power Flow Model

For the analysis of large power systems, the AC power flow model is heavily resource consuming and even unworkable in many cases. Thus, power research communities often use the linearized (DC) power flow model to approximate the AC power flow model [41]. The DC power flow modeling process stems from the AC power flow equations. For consistency, the DC power flow model and its relation to the AC power flow model are briefly reviewed.

The AC power flow equations in polar coordinate form can be represented as:

$$P_i = V_i \sum_{j=1}^{n} V_j \left(G_{ij}\cos\theta_{ij} + B_{ij}\sin\theta_{ij}\right),$$

$$Q_i = V_i \sum_{j=1}^{n} V_j \left(G_{ij}\sin\theta_{ij} - B_{ij}\cos\theta_{ij}\right),$$

where $P_i$ and $Q_i$ are the real and reactive bus power injections at bus $i$, $V_i$ and $\theta_i$ are the voltage magnitude and angle at bus $i$, $\theta_{ij} = \theta_i - \theta_j$, $G_{ij}$ and $B_{ij}$ are the real and imaginary parts of the corresponding element of the bus admittance matrix, $i = 1, \cdots, n$, and $n$ is the total number of buses.

The DC power flow model is based on the following four assumptions:

1) Branch reactance is much larger than branch resistance, so that branch susceptance can be approximated by
$$b_{ij} \approx -\frac{1}{x_{ij}}.$$

2) The voltage angle difference between the two buses of a branch is small, and therefore
$$\sin\theta_{ij} \approx \theta_i - \theta_j, \qquad \cos\theta_{ij} \approx 1.$$

3) The susceptance of each bus relative to ground can be neglected:
$$b_{i0} = b_{j0} \approx 0.$$

4) Each bus's voltage magnitude is taken to be 1 per unit.

On the basis of the above four assumptions, the real power flow through a branch can be calculated as
$$P_{ij} = \frac{\theta_i - \theta_j}{x_{ij}},$$
so that the bus real power injections can be computed as
$$P_i = \sum_{j \in R_i} P_{ij} = B'_{ii}\theta_i + \sum_{j \in R_i} B'_{ij}\theta_j, \qquad i = 1, \cdots, n, \qquad (1)$$
where $R_i$ is the subset of buses directly linked to bus $i$, $B'_{ij} = -\frac{1}{x_{ij}}$, $B'_{ii} = -\sum_{j \in R_i} B'_{ij}$, and $x_{ij}$ is the branch reactance. This is clearly a system of linear algebraic equations. In matrix form, Eq. (1) can be expressed as
$$P = B'\theta.$$
Taking bus $n$ as the swing bus and letting $\theta_n = 0$, $B'$ becomes a square matrix of dimension $(n-1)$.

B. Power System State Estimation

Monitoring the voltages and power flows of a power system is of great importance in maintaining system reliability. To guarantee the continuous operation of a power system, power engineers deploy meters and devices to monitor system states and report the readings to CC, which estimates the state variables based on these meter measurements. The state estimation problem is to estimate the state variables $x = (x_1, \cdots, x_n)^T$ from the meter measurements $z = (z_1, \cdots, z_m)^T$, where $n$ and $m$ are natural numbers and $x_i, z_j \in \mathbb{R}$ for $i = 1, \cdots, n$ and $j = 1, \cdots, m$ [4]. More precisely, let $e = (e_1, \cdots, e_m)^T$ be the measurement errors, where $e_j \in \mathbb{R}$ for $j = 1, \cdots, m$; then the state variables are related to the meter measurements via the following model:

$$z = h(x) + e, \qquad (2)$$

where $h(x) = (h_1(x_1, \cdots, x_n), \cdots, h_m(x_1, \cdots, x_n))^T$ and $h_i(x_1, \cdots, x_n)$ is a function of $x_1, \cdots, x_n$. The state estimation problem is to find an estimate $\hat{x}$ of $x$ that best fits the meter measurements $z$ according to Eq. (2). For state estimation using the DC power flow model of Section II-A, Eq. (2) reduces to a linear regression model:

$$z = Hx + e,$$

where $H = (h_{ij})_{m \times n}$. Three statistical estimation criteria are commonly used in state estimation, i.e., the maximum likelihood criterion, the minimum variance criterion, and the weighted least-squares criterion [4]. When the meter errors are assumed to be normally distributed with zero mean, the above criteria lead to the same estimator, computed in matrix form as

$$\hat{x} = (H^T W H)^{-1} H^T W z,$$

where $W$ is a diagonal matrix whose elements are the reciprocals of the variances of the meter errors. That is,

$$W = \mathrm{diag}\left(\sigma_1^{-2}, \sigma_2^{-2}, \cdots, \sigma_m^{-2}\right),$$

where $\sigma_i^2$ is the variance of the $i$-th meter ($1 \le i \le m$). Power research communities commonly compute the measurement residual $z - H\hat{x}$ (i.e., the vector difference between the observed measurements and the estimated measurements), and use its $L_2$-norm $\|z - H\hat{x}\|$ to detect the presence of bad measurements.

C. Elliptic-Curve-ElGamal Cryptosystem

It is generally believed that the discrete logarithm problem (DLP) in elliptic curve groups is much harder than the DLP in other commonly used groups of the same size. Hence the security of an elliptic curve cryptosystem is comparable with that of other cryptosystems while requiring much smaller keys. In this study, by exploiting the Elliptic-Curve-ElGamal cryptosystem to encrypt the reporting data of each bus, two messages can be encrypted simultaneously, using the x-coordinate and the y-coordinate of a certain point on an elliptic curve, respectively [40]. Specifically, the Elliptic-Curve-ElGamal cryptosystem consists of three algorithms: key generation, encryption, and decryption, as follows.

1) Key generation: Given the security parameter $\tau \in \mathbb{Z}^+$, run $\zeta(\tau)$ to obtain the tuple $(E, P)$, where $E(\mathbb{F}_{2^m})$ is a non-supersingular elliptic curve with $|m| = \tau$, and $P \in E(\mathbb{F}_{2^m})$ is a public generator of $E$. In addition, when a participant $U_i$ wants to register itself in the system, it selects a random integer $x_i$ as its private key and computes the corresponding public key $Y_i = x_i P$. Eventually, $E(\mathbb{F}_{2^m})$, $P$, and all $Y_i$ are published, and each $U_i$ keeps $x_i$ secret.

2) Encryption: When the sender B wants to encrypt messages $M_1$ and $M_2$ for the receiver A, B chooses a random integer $k$ and uses the public generator $P$ and A's public key $Y_a$ to compute $Q = kP$ and $kY_a = k x_a P = (x', y')$. Then B sends the pair of elements $(m_1, m_2) = (M_1 x', M_2 y')$ and the point $Q$ to A. The integer $k$ must be freshly chosen for every encryption, and $x'$ and $y'$ must be non-zero so that their inverses exist.

3) Decryption: To recover the messages $M_1$ and $M_2$, A uses its private key $x_a$ to compute $x_a Q = x_a k P = (x', y')$ and decrypts the messages as $M_1 = m_1 (x')^{-1}$ and $M_2 = m_2 (y')^{-1}$.

III. SYSTEM MODEL

A. Reference UPB

We consider a typical cyber-physical smart grid system containing a number of buses linked by transmission lines. Each bus is attached with a physical component, a meter and/or PMU, to report the measurement data (i.e., bus power injection/load, bus phase angle, etc.) to CC periodically. Then CC can estimate the state variables (i.e., bus power injection/load, bus phase angle, line power flow, etc.) to realize real-time monitoring and control. Fig. 2 illustrates the reference unmanned-PMU-attached-to-bus (UPB) embedded system model, characterized by the cyber-physical loop. Specifically, via the communication link between each UPB and CC, the measurement collection and reporting process of each UPB is followed by data synthesis in CC. Then, according to all received measurements, CC performs state estimation. The estimated state variables are used to control the smart grid components (e.g., to increase the output of a power generator) to keep the whole system in a healthy condition. For readability, we will use the terms "node", "device" and "UPB" interchangeably in the rest of this paper. The UPB reference model formalizes and represents the general behaviors of the UPB, which allows us to quickly evaluate the survivability of each UPB facing malicious insider threats.

B. Threat Model

It is of vital importance to define the threat model to cover the system vulnerabilities. Even though the focus of this study is to detect insider threats, we consider the basic outsider threats at the same time. Specifically, we consider three threats that aim at misleading CC into taking inaccurate/wrong actions:

[Fig. 2. Reference UPB: for each bus, measurement, estimation and behavior rule checking; encrypted reports Enc(·) sent over the link to the Control Center; example bus loads of 166 MW / 5 Mvar and 165 MW / 28 Mvar.]

1) The first threat is an insider attacker, performed by a compromised node, that reports data deviating from the real measurement.

2) The second threat is an attacker that tries to obtain the reported measurements of a subset of nodes to impair the state estimation performed by CC. This can be either an insider or an outsider attacker.

3) The third threat is an outsider attacker that intercepts and pollutes the reported measurements transmitted via the communication link from each node to CC.

C. Attacker Prototypes

In this study, we model the attacker behavior and the environment noise (causing mis-monitoring) by the probability values $p_a$ and $p_{err}$, respectively. Moreover, three attacker prototypes, i.e., reckless, random, and opportunistic [39], are considered.

1) For a reckless attacker, $p_a = 1$ holds. Thus, it launches attacks whenever there is a chance, which impairs the UPB functionality as early as possible.

2) A random attacker launches attacks randomly (with probability $p_a$). Thus, compared with a reckless attacker, it is more deceptive and insidious in impairing the UPB functionality, which makes it more difficult to detect.

3) An opportunistic attacker exploits the sensed $p_{err}$ to launch attacks. Specifically, when $p_{err}$ is higher, the system is more vulnerable, and in such circumstances an opportunistic attacker behaves aggressively. On the contrary, when the sensed $p_{err}$ is lower, an opportunistic attacker behaves more conservatively to avoid being detected. Inspired by the demand-pricing model in the field of Economics [42], we model $p_a$ as
$$p_a = C \cdot p_{err}^{\varepsilon},$$
where $C$ is a positive constant. Then both conservative and aggressive attack behaviors can be depicted. When $\varepsilon = 1$, $p_a$ increases linearly with $p_{err}$, which models a conservative opportunistic attacker; when $\varepsilon < 1$, $p_a$ rises above the linear curve ($p_{err}^{\varepsilon} > p_{err}$ for $0 < p_{err} < 1$), which models an aggressive opportunistic attacker, and the extent of the attack is controlled by $\varepsilon$.

IV. OUR PROPOSED BLITHE

In this section, considering the aforementioned threat model and attacker prototypes, we present the concrete methodology of BLITHE. As described in our reference UPB model, CC obtains the reported real-time measurements from each node to estimate the state variables so as to monitor and ensure the health of the whole smart grid system. In our proposed BLITHE, the measurements, which include the bus power injection/load and the bus phase angle, are measured by the PMU device attached to each bus. The state variables are the phase angles of all the buses, which uniquely determine the state of the whole smart grid system. Therefore, it is of great importance to ensure the accuracy of the reported measurements that CC obtains.

In the following, to prevent the latter two threats considered in Section III-B, we adopt the data encryption and signature techniques of Section IV-A to provide confidentiality and integrity for the data report link from each node to CC. Then, to resist the first threat, the behavior rule based insider threat detection methodology is presented in Sections IV-B to IV-F to detect an insider threat that compromises the reported data of a node (without reporting the genuine data).

A. Encryption and Signature on Reported Measurements

Suppose the measurements to be reported by node $i$ are the power injection/load $P_i$ and the bus phase angle $\theta_i$, both given with two decimal places.

Firstly, the measurements $\theta_i$ and $P_i$ are mapped to the corresponding integers by multiplying each by 100. Then, the Elliptic-Curve-ElGamal cryptosystem of Section II-C is invoked to encrypt the converted measurements. Subsequently, the popular digital signature algorithm ECDSA [43] is adopted to sign the resulting ciphertext. Eventually, the signature and the ciphertext are transmitted to CC.
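As an added example that is not part of the paper and not the authors' implementation, the following Python code walks through the Elliptic-Curve-ElGamal scheme of Section II-C applied to the report encoding of this section: a bus scales $(\theta_i, P_i)$ by 100, encrypts the two integers under CC's public key, and CC decrypts them. It assumes a constructed toy curve $y^2 = x^3 + x - 1$ over $\mathbb{F}_{1000003}$ with base point $(2, 3)$ instead of the binary-field curve $E(\mathbb{F}_{2^m})$ of the paper (the point arithmetic and the scheme are otherwise the same), assumes that negative angles are encoded by reduction modulo $p$, and uses constructed measurement values; the ECDSA signature over the ciphertext is not included. The curve size gives no real security.

```python
"""Elliptic-Curve ElGamal (the two-message form of Section II-C) applied to a bus
report (theta_i, P_i) encoded as in Section IV-A. Added example, not the paper's
code. The curve is a constructed toy over a prime field (the paper uses E(F_2^m));
it demonstrates the algebra only and gives no real security. No ECDSA step here."""
import random

P_MOD = 1000003                 # prime field modulus (toy size, p = 3 mod 4)
A, B = 1, P_MOD - 1             # y^2 = x^3 + x - 1, chosen so that G = (2, 3) lies on it
G = (2, 3)                      # the public generator P of the paper
INF = None                      # point at infinity


def ec_add(p1, p2):
    """Affine point addition / doubling on y^2 = x^3 + A x + B over F_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                      # p1 = -p2 (also y1 = 0 doubling)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def keygen(rng=random):
    """Key generation: private x_i, public Y_i = x_i P (toy guard: Y_i not INF / 2-torsion)."""
    while True:
        x = rng.randrange(1, P_MOD)
        y_pub = ec_mul(x, G)
        if y_pub is not INF and y_pub[1] != 0:
            return x, y_pub


def encrypt(pub, m1, m2, rng=random):
    """Encryption: Q = kP, (x', y') = k Y_a, ciphertext (Q, M1 x', M2 y').
    k is fresh per message; retry when x' or y' is 0 since decryption inverts them."""
    while True:
        k = rng.randrange(1, P_MOD)
        shared = ec_mul(k, pub)
        if shared is not INF and shared[0] and shared[1]:
            return ec_mul(k, G), m1 * shared[0] % P_MOD, m2 * shared[1] % P_MOD


def decrypt(priv, ct):
    """Decryption: (x', y') = x_a Q, M1 = m1 (x')^-1, M2 = m2 (y')^-1."""
    q, c1, c2 = ct
    xp, yp = ec_mul(priv, q)
    return c1 * pow(xp, -1, P_MOD) % P_MOD, c2 * pow(yp, -1, P_MOD) % P_MOD


def encode(value):
    """Section IV-A: a two-decimal measurement becomes an integer by multiplying by 100.
    Negative values are reduced modulo p (sign handling is this example's assumption)."""
    return round(value * 100) % P_MOD


def decode(n):
    """Inverse of encode: residues above p/2 are read as negative numbers."""
    return (n - P_MOD if n > P_MOD // 2 else n) / 100.0


def report_and_recover(theta_i, p_i, rng=random):
    """Bus i encrypts its report (theta_i in degrees, P_i in MW) for CC; CC decrypts.
    Returns the pair CC recovers."""
    cc_priv, cc_pub = keygen(rng)
    ct = encrypt(cc_pub, encode(theta_i), encode(p_i), rng)
    c1, c2 = decrypt(cc_priv, ct)
    return decode(c1), decode(c2)


if __name__ == "__main__":
    print(report_and_recover(12.34, 165.00))    # constructed measurement values
    print(report_and_recover(-3.21, -94.67))
```

Two practical points the code makes explicit: $x'$ and $y'$ must be invertible, so encryption retries when either coordinate is 0 (on this curve $x' = 0$ cannot occur, since $-1$ is a quadratic non-residue for $p \equiv 3 \pmod 4$, but $y' = 0$ can); and because the masking is multiplicative, a ciphertext component equal to 0 reveals that the corresponding plaintext is 0 (the swing bus reports $\theta_n = 0$ by convention), and scaling a ciphertext component by $c$ scales the recovered plaintext by $c$. The latter is why the ciphertext has to be signed, as the paper does with ECDSA.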

B. Behavior Rules

After receiving the data from each node, CC decrypts and verifies each measurement. Our design for the BLITHE reference model depends on the use of simple specification based behavior rules with which CC analyzes all received data synthetically to monitor and detect potential attacks on each UPB.

BLITHE focuses on detecting an inside attacker attached to a specific physical device (UPB). It produces a continuous output between 0 and 1, which allows a monitor device to perform insider threat detection on the target trustee via observation. TABLE I lists the behavior r ules for detecting a malicious UPB, with the monitor being a peer UPB or CC (see Fig. 2).

TABLE I
BEHAVIOR RULES DESCRIPTION

Rule 1. Description: the difference in phase angle between every two neighbouring buses is less than a certain threshold, i.e., 10-15 degrees. Trustee: UPB. Monitor: UPB/CC. Theoretical foundation and philosophy: Assumption 2) in Section II-A.

Rule 2. Description: the difference in bus phase angle between the reported measurement and the corresponding estimate is less than a certain threshold. Trustee: UPB. Monitor: CC. Theoretical foundation and philosophy: Section II-B.

Rule 3. Description: the difference in bus power injection/load between the reported measurement and the corresponding estimate is less than a certain threshold. Trustee: UPB. Monitor: CC. Theoretical foundation and philosophy: Section II-B.

C. Transforming Rules to State Machines

Each behavior rule reflects a specific state, which covers a safe state and an unsafe state. A safe state denotes normal behavior, observed when the behavior rule is obeyed. By contrast, an unsafe state denotes malicious behavior, observed when the behavior rule is violated. Therefore, a behavior rule corresponds to a state variable bound to this rule, indicating the probability that the node is in a normal or in a malicious behavior status.

A behavior rule specification can be transformed into a state machine by the following procedure. Firstly, the attack behavior indicator, which denotes that a behavior rule is violated, is identified. Then, the obtained attack behavior indicator is transformed into a conjunctive normal form predicate, which identifies the state components involved in the implicit state machine. Next, the attack behavior indicators are synthesized into a boolean expression in disjunctive normal form. Subsequently, the conjunction of all predicate variables is converted into the state components of a state machine, and the range of each component is decided at the same time. Finally, the number of states is reduced by compressing states and eliminating illegitimate values.

In the following, based on the behavior rules of the reference UPB model, we illustrate how a state machine is acquired from a behavior specification.

1) Identify Attack Behavior Indicators: Attacks associated with a UPB will drive the UPB into certain attack behavior indicators, which can be identified by analyzing the specification-based behavior rules. There are three attack behavior indicators, due to the violation of the three behavior rules of a UPB listed in TABLE I.

The first UPB attack behavior indicator is that more than one neighbouring UPB (together with CC) notices that the difference between the trustee UPB's phase angle measurement and their own exceeds a certain threshold. The trustee and monitor in this case are a certain UPB and its neighbouring UPBs (together with CC), respectively. The second UPB attack behavior indicator is that the difference between the UPB's phase angle measurement reported to CC and the corresponding estimation is above a certain threshold. The trustee and monitor in this case are a certain UPB and CC, respectively. The third UPB attack behavior indicator is that the difference between the UPB's power measurement reported to CC and the corresponding estimation is above a certain threshold. The trustee and monitor in this case are again a certain UPB and CC, respectively.

2) Express Attack Behavior Indicators in a Conjunctive Normal Form: Suppose $w$ is the total number of node $i$'s neighbouring nodes, and the phase angles of node $i$ and its $w$ neighbouring nodes are $\theta_i, \theta_{(i,1)}, \cdots, \theta_{(i,w)}$, respectively. The UPB attack behavior indicators in conjunctive normal form are listed in TABLE II.

TABLE II
BEHAVIOR RULES

| Attack Behavior Indicator | Expression |
|---|---|
| 1 | $(\lvert\theta_i - \theta_{(i,1)}\rvert \le \alpha_1) \wedge \cdots \wedge (\lvert\theta_i - \theta_{(i,w)}\rvert \le \alpha_1)$ |
| 2 | $\lvert\theta_i - \hat{\theta}_i\rvert > \alpha_2$ |
| 3 | $\lvert P_i - \hat{P}_i\rvert > \alpha_3$ |

3) Consolidate Predicates in a Disjunctive Normal Form:

$$\big[(\lvert\theta_i - \theta_{(i,1)}\rvert \le \alpha_1) \wedge \cdots \wedge (\lvert\theta_i - \theta_{(i,w)}\rvert \le \alpha_1)\big] \vee (\lvert\theta_i - \hat{\theta}_i\rvert > \alpha_2) \vee (\lvert P_i - \hat{P}_i\rvert > \alpha_3).$$

4) Identify State Components and Component Ranges: Continuous components are quantized to integer scales within permissible ranges. Specifically, the value of a phase angle lies in the range $[0^\circ, 360^\circ]$. The value of power lies in the range $[-10000\,\mathrm{MW}, 10000\,\mathrm{MW}]$ (positive for a generation bus, negative for a load bus). TABLE III lists the allowed ranges of the UPB state components. The resulting UPB automaton has $360^{w+1} \times 360 \times 20001^2 \approx 8.7 \times 10^{23}$ states (supposing $w = 4$, i.e., one node has 4 neighbouring nodes on average). The scale of the resulting automaton is far too large, and the state space is compressed in the next step.

TABLE III
UPB STATE COMPONENTS

| Name | Control or Reading | Range |
|---|---|---|
| Phase angle | Reading | $[0^\circ, 360^\circ]$ |
| Power | Reading | $[-10000\,\mathrm{MW}, 10000\,\mathrm{MW}]$ |

5) Optimize State Space: By abbreviating the values of the components, the size of the state machine is reduced and the number of states is optimized. For each of the three components, i.e., (i) the phase angle difference between one node and its neighbouring nodes; (ii) the phase angle difference between the measurement and the estimation of the trustee node; and (iii) the power difference between the measurement and the estimation of the trustee node, each rule considers only four states: normal/good, medium-warning, great-warning, and unsafe/bad. To depict rule violation and optimize the state space more finely and accurately, we transform each rule. Specifically, as shown in TABLE IV, the value of the first rule is the ratio $\beta_1 = \alpha / w$, where $\alpha$ is the number of node $i$'s neighbouring nodes that observe $\lvert\theta_i - \theta_{(i,j)}\rvert > \alpha_1$, for $j = 1, \cdots, w$. The larger $\beta_1$ is, the more severely the rule is violated. The value of the second rule is the phase angle difference $\beta_2 = \lvert\theta_i - \hat{\theta}_i\rvert$, where $\theta_i$ and $\hat{\theta}_i$ are the measurement and the estimation of trustee node $i$'s phase angle, respectively. The larger $\beta_2$ is, the more severely the rule is violated. The third rule is quantified similarly with the parameter $\beta_3$.

This treatment yields a condensed UPB state machine with $4 \times 4 \times 4 = 64$ states. Only 1 of them is safe, since the trustee and the corresponding monitor readings match for all three components as described in TABLE IV. Among the remaining states, 26 are warning states (7 medium-warning and 19 great-warning), in which the trustee and monitor readings differ by more than the warning margin for at least one component but do not exceed the unsafe threshold for any component. The other 37 states are unsafe/bad, because at least one component's difference exceeds the unsafe threshold.

TABLE IV
UPB COMPONENTS' STATES

| $\beta_1 = \alpha / w$ | $\beta_2 = \lvert\theta_i - \hat{\theta}_i\rvert$ | $\beta_3 = \lvert P_i - \hat{P}_i\rvert$ | States |
|---|---|---|---|
| $[0, a_1]$ | $[0, b_1]$ | $(0, c_1]$ | safe/good |
| $(a_1, a_2]$ | $(b_1, b_2]$ | $(c_1, c_2]$ | medium-warning |
| $(a_2, a_3]$ | $(b_2, b_3]$ | $(c_2, c_3]$ | great-warning |
| $(a_3, 1]$ | $(b_3, 360]$ | $(c_3, 20000]$ | unsafe/bad |

6) Behavior Rule State Machine: Here we illustrate how to produce the behavior rule state machine of a UPB device. Based on the behavior rules, the UPB state machine (including 1 good, 7 medium-warning, 19 great-warning, and 37 unsafe states) is produced as follows. Firstly, all the states are numbered $1, \cdots, 64$. Next, to reflect a good, warning (medium-warning or great-warning), or bad UPB's behavior, $p_{ij}$ is assigned for each pair $(i, j)$ in the state machine, denoting the probability that state $i$ transfers to state $j$. A good UPB should stay in safe states all the time. However, due to unexpected surrounding noise, system disturbance, or communication fault, it may occasionally be misidentified by the monitor node as being in a warning or unsafe state. Therefore, the compliance degree of a good UPB will be slightly less than, but close to, 1. Let $p_{err}$ model the error probability that a monitor node misidentifies the genuine status of a trustee node due to the aforementioned factors. In the testing phase, for a good UPB seeded in the system, a monitor node is assigned accordingly to observe and measure its $p_{ij}$ in the presence of $p_{err}$. Note that $p_{ij}$ is $1 - p_{err}$ when $j$ is the good state, $p_{err} \times 7/(7+19+37)$ when $j$ is one of the 7 medium-warning states, $p_{err} \times 19/(7+19+37)$ when $j$ is one of the 19 great-warning states, and $p_{err} \times 37/(7+19+37)$ when $j$ is one of the 37 unsafe states. Fig. 3 illustrates the behavior rule state machine for a good UPB in BLITHE. Let G, MW, GW and B be the abbreviations of the good, medium-warning, great-warning and bad outputs of each rule, respectively. Transitions into states composed of G, MW and GW rule outputs are valid, although the warning ones lie in an ambiguous margin that deserves attention. Transitions into states containing a B rule output are invalid and raise an alert. Any two states can transition to each other. Each state describes how one of the specific trustee node's attributes matches the counterpart observed by the monitor. For the UPB device, the measurement and estimation of the bus phase angle and bus power magnitude are the device attributes of interest. Note that each device, with its specific attributes, owns its own state machine.

Fig. 3. The behavior rule state machine for a good UPB. Each of the 64 states is labelled by the outputs of the three rules, drawn from Good (G), Medium-Warning (MW), Great-Warning (GW) and Bad (B); 63 of the states are abnormal.

For a compromised UPB, $p_{ij}$ depends on the attacker's type. A reckless attacker is assumed to stay in unsafe or warning states all the time. However, due to surrounding noise or communication fault, it may occasionally be mistaken by the monitor node as staying in a safe state. In the testing phase, for a UPB compromised by a reckless attacker seeded in the system, a monitor node is assigned accordingly to observe and measure its $p_{ij}$. Note that $p_{ij}$ is $p_{err}$ when $j$ is the good state, $7/(7+19+37) \times (1 - p_{err})$ when $j$ is one of the 7 medium-warning states, $19/(7+19+37) \times (1 - p_{err})$ when $j$ is one of the 19 great-warning states, and $37/(7+19+37) \times (1 - p_{err})$ when $j$ is one of the 37 unsafe states. Similarly, a random attacker launches an attack with probability $p_a$ and stops attacking with probability $1 - p_a$, in which case the monitor node observes its status correctly with probability $1 - p_{err}$. Therefore, $p_{ij}$ is $p_a \times p_{err} + (1 - p_a) \times (1 - p_{err})$ when $j$ is the good state, $7/(7+19+37) \times (p_a \times (1 - p_{err}) + (1 - p_a) \times p_{err})$ when $j$ is one of the 7 medium-warning states, $19/(7+19+37) \times (p_a \times (1 - p_{err}) + (1 - p_a) \times p_{err})$ when $j$ is one of the 19 great-warning states, and $37/(7+19+37) \times (p_a \times (1 - p_{err}) + (1 - p_a) \times p_{err})$ when $j$ is one of the 37 bad states. Fig. 4 illustrates the behavior rule state machine for a UPB compromised by a random attacker in BLITHE.

D. Collect Compliance Degree Data

In this section, we improve the traditional grading strategy [39] and propose our rule-weight and compliance-distance based grading strategy to evaluate the compliance degree of a trustee effectively. One of the remarkable characteristics of our improved strategy is the adjustable weight for each rule. The state machine built in Section IV-C is utilized to collect compliance degrees of the good and/or bad trustees.

Fig. 4. The behavior rule state machine for a UPB compromised by a random attacker. States are labelled by the rule outputs Good (G), Medium-Warning (MW), Great-Warning (GW) and Bad (B) as in Fig. 3.

The resulting historical compliance degree information is analyzed to fine-tune the false positive and false negative probabilities for optimal detection of insider threats under various scenarios. Although our experiments are performed with a range of configurations, we focus on the trade-off of instances that can be gracefully adjusted to generate a high detection proportion, because the principal objective of BLITHE is safety.

Specifically, for each UPB device assumed to be a good or a bad trustee, we profile its measurements of bus power magnitude and bus phase angle. For insider threat detection, the behavior of each device (which may not report data genuinely) is modeled by a stochastic process over states $1, \cdots, m$ with the transition probabilities $p_{ij}$ described in Section IV-C; let $\pi_j$ denote the probability that a device is in state $j$. Then, by summing over all possible transitions into state $j$, the probability that the random process is in state $j$ can be represented as $\pi_j = \sum_{i=1}^{m} \pi_i p_{ij}$. Because there are $m$ states for each node, $m$ such equations can be obtained. To avoid infinitely many solutions, one additional equation is added as the constraint condition:

$$\sum_{i=1}^{m} \pi_i = 1. \quad (3)$$

Let $c_j$ denote the “grade” corresponding to state $j$, which depicts the closeness between the specified “good” behavior and the observed behavior of state $j$. Then, by summing the products of each state's probability and “grade”, a node's compliance degree $c$ can be expressed as:

$$c = \sum_{j=1}^{m} \pi_j c_j. \quad (4)$$

In BLITHE, we pioneer the rule-weight and compliance-distance based grading strategy shown in Fig. 5 to evaluate the compliance degree of a node. It is a general form of grading strategy, where $m$ and $n$ are the sizes of the state domain and the rule domain of each node, respectively, and the intersection values $b_{ij}$, for $i = 1, \cdots, m$ and $j = 1, \cdots, n$, denote the monitored behavior data under the considered model. To quantize the compliance degree, when state $j$ is secure, we assign it the value 1. When state $j$ is insecure, we assign it a value within $[0, 1]$ expressing the distance of state $j$ from the secure state. By integrating the weight factor of each rule concurrently, $c_j$ is formalized as:

$$c_j = \sum_{k=1}^{n} \gamma_k \left[1 - \frac{D_{jk}}{D_{max}(R_k)}\right],$$

where $\gamma_k$ is the weight of rule $k$ and satisfies $\sum_{k=1}^{n} \gamma_k = 1$, $D_{jk}$ is the distance from the behavior data $b_{jk}$ to the corresponding secure state, and $D_{max}(R_k)$ is the largest distance from any possible insecure state to the corresponding secure state for $R_k$ (rule $k$). According to this assignment, if state $j$ is secure under all rules, then $D_{jk} = 0$ for all $k = 1, \cdots, n$, and hence $c_j = 1$. If state $j$ is insecure but still close to a secure state, then $c_j$ is close to 1. By contrast, $c_j$ is close to 0 when state $j$ is far away from a secure state. After all $c_j$ are assigned, recalling Eq. (4), we can evaluate the compliance degree of a node as:

$$c = \sum_{j=1}^{m} \pi_j c_j = \sum_{j=1}^{m} \pi_j \left\{ \sum_{k=1}^{n} \gamma_k \left[1 - \frac{D_{jk}}{D_{max}(R_k)}\right] \right\}, \quad (5)$$

where $\pi_j$ represents the fraction of time that the node spends in state $j$ during the observation period.

Fig. 5. The rule-weight and compliance-distance based grading strategy. (Rows: states $S_1, \cdots, S_m$ with their probabilities; columns: rules $R_1, \cdots, R_n$ with their weights; cell $b_{ij}$ holds the behavior data of state $i$ under rule $j$.)

E. Compliance Degree Distribution

In BLITHE, observing that various perturbations, e.g., surrounding noise and unreliable communications, may affect the evaluation accuracy of the compliance of a device, the Beta distribution from statistics and probability theory is applied to model the node compliance degree. The Beta distribution is chosen because its values can be regarded as a probability, and it can be utilized to depict the prior distribution of that probability. Generally, the Beta distribution is a family of continuous probability distributions defined on the interval $[0, 1]$. The value 0 represents that the output is completely unacceptable (without compliance), while 1 represents that the output is absolutely acceptable (with best compliance). Moreover, when Bayesian inference is applied, after observing sufficient instances, the Beta distribution can also be exploited to compute the posterior distribution of the probability [39].

Specifically, we model the compliance degree of a node in BLITHE by a random variable $X \sim \mathrm{Beta}(\alpha, \beta)$, with the probability density function (PDF) $f(x; \alpha, \beta) = \frac{\Gamma(\alpha + \beta)}{\Gamma(\alpha)\Gamma(\beta)} x^{\alpha - 1}(1 - x)^{\beta - 1}$, where $\Gamma(\cdot)$ denotes the gamma function [39], [44]. The cumulative distribution function (CDF) $F(x)$ and the mathematical expectation $E_B[X]$ of $X$ can be computed as follows:

$$F(x) = \int_{0}^{x} f(t; \alpha, \beta)\,dt, \quad (6)$$

$$E_B[X] = \int_{0}^{1} x f(x; \alpha, \beta)\,dx = \frac{\alpha}{\alpha + \beta}.$$

Then, taking advantage of the compliance degree history data $(c_1, \cdots, c_n)$ collected in Section IV-D, the parameters $\alpha$ and $\beta$ can be estimated via the maximum likelihood method. Mathematically, the maximum likelihood estimates of $\alpha$ and $\beta$ are obtained by solving the following two equations:

$$\begin{cases} n \dfrac{\partial \Gamma(\hat{\alpha} + \hat{\beta}) / \partial \hat{\alpha}}{\Gamma(\hat{\alpha} + \hat{\beta})} - n \dfrac{\partial \Gamma(\hat{\alpha}) / \partial \hat{\alpha}}{\Gamma(\hat{\alpha})} + \sum_{i=1}^{n} \log c_i = 0, \\[2ex] n \dfrac{\partial \Gamma(\hat{\alpha} + \hat{\beta}) / \partial \hat{\beta}}{\Gamma(\hat{\alpha} + \hat{\beta})} - n \dfrac{\partial \Gamma(\hat{\beta}) / \partial \hat{\beta}}{\Gamma(\hat{\beta})} + \sum_{i=1}^{n} \log(1 - c_i) = 0, \end{cases}$$

where

$$\frac{\partial \Gamma(\hat{\alpha} + \hat{\beta})}{\partial \hat{\alpha}} = \frac{\partial \Gamma(\hat{\alpha} + \hat{\beta})}{\partial \hat{\beta}} = \int_{0}^{\infty} (\log x)\, x^{\hat{\alpha} + \hat{\beta} - 1} e^{-x}\,dx.$$

Commonly, a less general but simpler model, i.e., the single-parameter distribution $\mathrm{Beta}(1, \beta)$ with $\alpha$ set to 1, is considered. In such a circumstance, the PDF is $f(x; \beta) = \beta(1 - x)^{\beta - 1}$ [39], and the corresponding maximum likelihood estimate of $\beta$ can be computed as:

$$\hat{\beta} = \frac{n}{\sum_{i=1}^{n} \log\left(\frac{1}{1 - c_i}\right)}. \quad (7)$$

F. False Negative and False Positive Rates

In this section, the threshold criterion [39] is used to describe the false positive probability $p_{fp}$ (misidentifying good devices as bad ones) and the false negative probability $p_{fn}$ (missing bad devices). Although neither $p_{fp}$ nor $p_{fn}$ is desirable, $p_{fn}$ is far more harmful to the security of smart grid. Since the key motivation of BLITHE is safety, we seek configurations that achieve high detection rates (low $p_{fn}$) without sacrificing $p_{fp}$. Specifically, let $C_T$ be the minimum compliance threshold of the system. If a bad node's compliance degree (represented by $X_b$, with CDF as in Eq. (6)) exceeds $C_T$, then a false negative happens. Formally, $p_{fn}$ for BLITHE is represented as:

$$p_{fn} = \Pr\{X_b > C_T\} = 1 - F(C_T). \quad (8)$$

On the contrary, if a good node's compliance degree (represented by $X_g$, with CDF as in Eq. (6)) does not exceed $C_T$, then a false positive happens. Formally, $p_{fp}$ for BLITHE is represented as:

$$p_{fp} = \Pr\{X_g \le C_T\} = F(C_T). \quad (9)$$


Fig. 6. Sensitivity of a node's compliance degree $c_i$ to $p_{err}$ or $p_a$ (axes: trial number, $p_{err}$ or $p_a$, compliance degree). (a) $c_i$ versus $p_{err}$ for good nodes; (b) $c_i$ versus $p_{err}$ for reckless attackers; (c) $c_i$ versus $p_{err}$ for opportunistic attackers; (d) $c_i$ versus $p_a$ for random attackers.

V. PERFORMANCE EVALUATION

In this section, we evaluate the performance of BLITHE by conducting Monte Carlo simulation and real data simulation in IEEE benchmark power systems.

A. Monte Carlo Simulation

With the aid of Monte Carlo simulation, the compliance degree history data $(c_1, \cdots, c_n)$ of a device is collected by repeatedly generating random samples following the stochastic process of the device's state machine. We utilize the UPB device in the reference model described in Section III to illustrate the utility of BLITHE for securing smart grid applications.

Specifically, we simulate the procedures in Section IV-C6 to build the state machines of a good and a bad UPB device. For a good device, we simulate $p_{ij}$ as $1 - p_{err}$ when $j$ is the good state, and as $p_{err}$ when $j$ is one of the 63 abnormal states (including 7 medium-warning, 19 great-warning, and 37 unsafe states). For a bad device compromised by a random attacker with attack probability $p_a$, we simulate $p_{ij}$ as $(1 - p_a) \times (1 - p_{err}) + p_a \times p_{err}$ when $j$ is the good state, and as $(p_a \times (1 - p_{err}) + (1 - p_a) \times p_{err}) / 63$ when $j$ is one of the 63 abnormal states.

Based on the state machine of a UPB device generated above, we collect the time-dimensional compliance degree data $(c_1, \cdots, c_n)$ through $n = 1000$ Monte Carlo simulations. In each simulation, we start from state 0 and observe the stochastic process of the device as it moves from one state to another. We continue this procedure until at least one state has been sufficiently traversed (i.e., 100 times). Then we approximate the probability of the device being in state $j$ (denoted $\pi_j$) as the proportion of transitions into state $j$ among all state transitions.


In this way, we obtain one instance of the compliance degree $c$ using Eq. (4). We repeat a sufficiently large number (i.e., $n = 1000$) of test rounds to collect $(c_1, \cdots, c_n)$, based on which we compute the distribution of the compliance degree of a good and/or a bad device under reckless, opportunistic and/or random attacks.
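As an added example (not the paper's MATLAB/POWER WORLD code), the following Python builds the 64-state UPB machine of Section IV-C with the transition probabilities given there for good, reckless and random nodes, grades states with Eq. (5), solves Eq. (3) exactly and also estimates $\pi_j$ by the Monte Carlo walk just described. It assumes the distance $D_{jk}$ is the quantized rule level with $D_{max}(R_k) = 3$, takes the weights $\gamma_k$ from TABLE VIII, and spreads the abnormal-state probability mass uniformly over the 63 abnormal states.

```python
"""Added example (not the paper's MATLAB/POWER WORLD code): the 64-state UPB behavior
rule state machine of Section IV-C, the rule-weight and compliance-distance grading of
Section IV-D (Eqs. 3-5), and the Monte Carlo estimate of pi_j from Section V-A.
Everything marked ASSUMPTION or INTERPRETATION is this example's choice, not the paper's."""
import itertools
import random

# Quantized output of each rule (TABLE IV): 0 = G, 1 = MW, 2 = GW, 3 = B.
LEVELS = range(4)
# A UPB state is the triple (rule 1 output, rule 2 output, rule 3 output): 4^3 = 64 states.
STATES = list(itertools.product(LEVELS, repeat=3))
GOOD_STATE = (0, 0, 0)
ABNORMAL = [s for s in STATES if s != GOOD_STATE]          # the 63 abnormal states
GAMMA = (0.6, 0.2, 0.2)  # rule weights gamma_1..gamma_3 from TABLE VIII


def classify(state):
    """Paper's grouping: 1 safe, 7 medium-warning, 19 great-warning, 37 unsafe states."""
    if state == GOOD_STATE:
        return "safe"
    if 3 in state:                     # any rule at its B level -> unsafe/bad
        return "unsafe"
    return "great-warning" if 2 in state else "medium-warning"


def grade(state, gamma=GAMMA):
    """c_j = sum_k gamma_k * [1 - D_jk / Dmax(R_k)].
    ASSUMPTION: D_jk is the quantized level of rule k's output (0..3), so Dmax(R_k) = 3;
    the paper leaves the concrete distance metric to the model."""
    return sum(g * (1.0 - level / 3.0) for g, level in zip(gamma, state))


def transition_row(p_err, p_a=0.0):
    """p_ij of Section IV-C, identical for every source state i.
    p_a = 0 gives a good node, p_a = 1 a reckless attacker, 0 < p_a < 1 a random attacker.
    INTERPRETATION: the mass left for the 63 abnormal states is spread uniformly, which
    reproduces the paper's 7/63, 19/63 and 37/63 shares for the MW, GW and B groups."""
    p_good = p_a * p_err + (1.0 - p_a) * (1.0 - p_err)
    p_abn = (p_a * (1.0 - p_err) + (1.0 - p_a) * p_err) / len(ABNORMAL)
    return {s: (p_good if s == GOOD_STATE else p_abn) for s in STATES}


def stationary(row):
    """Exact solution of pi_j = sum_i pi_i p_ij with sum_i pi_i = 1 (Eq. 3): when every
    row of the transition matrix is identical, the stationary distribution is that row."""
    total = sum(row.values())
    return {s: p / total for s, p in row.items()}


def compliance_degree(pi, gamma=GAMMA):
    """Eqs. (4)/(5): c = sum_j pi_j * c_j."""
    return sum(p * grade(s, gamma) for s, p in pi.items())


def monte_carlo_pi(row, min_visits=100, rng=None):
    """Section V-A: walk the chain until some state has been entered min_visits times and
    estimate pi_j as the share of transitions into j. Because every row of the matrix is
    identical, the next state does not depend on the current one, so no state is tracked."""
    rng = rng or random.Random(0)
    states = list(row)
    cum = list(itertools.accumulate(row[s] for s in states))
    visits = {s: 0 for s in states}
    while max(visits.values()) < min_visits:
        visits[rng.choices(states, cum_weights=cum)[0]] += 1
    n = sum(visits.values())
    return {s: v / n for s, v in visits.items()}


def compliance_history(p_err, p_a, rounds=1000, seed=0):
    """(c_1, ..., c_n): one compliance degree per Monte Carlo round, as in Section V-A."""
    rng = random.Random(seed)
    row = transition_row(p_err, p_a)
    return [compliance_degree(monte_carlo_pi(row, rng=rng)) for _ in range(rounds)]


if __name__ == "__main__":
    counts = {}
    for s in STATES:
        counts[classify(s)] = counts.get(classify(s), 0) + 1
    print("state groups:", counts)
    for label, p_a in (("good node", 0.0), ("random attacker, pa=0.5", 0.5),
                       ("reckless attacker", 1.0)):
        exact = compliance_degree(stationary(transition_row(0.01, p_a)))
        hist = compliance_history(0.01, p_a, rounds=20)
        print(f"{label}: exact c = {exact:.4f}, Monte Carlo mean = {sum(hist) / len(hist):.4f}")
```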

Fig. 6(a) plots $n = 1000$ points of raw compliance degree data for a good UPB node with different $p_{err}$ values. There are five clusters of compliance degree data, one for each setting of $p_{err}$. As $p_{err}$ (the surrounding noise) increases, the cluster moves downward, i.e., the good node's compliance degree declines. This reflects that when the noise increases, there is a higher probability that the monitoring node mistakes the good UPB node for one staying in a bad state.

Fig. 6(b) plots the sensitivity of the compliance degree $c_i$ to $p_{err}$ for a bad UPB node compromised by reckless attackers. Similar to Fig. 6(a), there are five clusters of compliance degree data, one for each setting of $p_{err}$. However, in this circumstance, as $p_{err}$ increases, the cluster moves upward, i.e., the bad node's compliance degree increases. This reflects that when the noise increases, there is a higher probability that the monitoring node mistakes the bad UPB node for one staying in a good state.

Fig. 6(c) plots the sensitivity of the compliance degree $c_i$ to $p_{err}$ for a bad UPB node compromised by opportunistic attackers (with $\varepsilon = 0.9$). Similar to Fig. 6(b), there are five clusters of compliance degree data, one for each setting of $p_{err}$, and lower compliance degrees correlate with higher $p_{err}$. It can be observed that the compliance degree of opportunistic attackers is more sensitive to $p_{err}$ than that of reckless ones. Numerically, the compliance degree spans (0.4, 0.9) for opportunistic attackers, while the counterpart lies only within approximately (0.01, 0.07) for reckless ones.

Fig. 6(d) plots the sensitivity of the compliance degree $c_i$ to $p_a$ for a bad UPB node compromised by random attackers. There are five clusters of compliance degree data, one for each setting of $p_a$. As $p_a$ increases, the cluster moves downward, i.e., the compliance degree of the bad node declines. This reflects that when the bad UPB node attacks more frequently, the attacker is more easily detected, and thus the measured compliance degree decreases.

With the compliance degree history data $(c_1, \cdots, c_n)$ of a good or bad UPB device at hand, we apply Eq. (7) to estimate the parameter $\beta$ and obtain the probability distribution $\mathrm{Beta}(1, \beta)$ of the compliance degree for the trustee node. Then, given the minimum compliance degree threshold $C_T$ as input, we calculate the false negative and false positive probabilities $p_{fn}$ and $p_{fp}$ using Eq. (8) and Eq. (9), respectively. For a trustee in BLITHE, we give priority to achieving a low false negative probability, since the key motivation of BLITHE is safety.
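As an added example (not the paper's code), the following Python carries Eqs. (7)-(9) through on constructed compliance histories, using the closed-form CDF $F(x) = 1 - (1 - x)^\beta$ of $\mathrm{Beta}(1, \beta)$ in place of the integral in Eq. (6), and inverts Eq. (8) to pick the $C_T$ that meets a target $p_{fn}$, the step TABLE VII later tabulates. The two sample histories are constructed values, not measurements.

```python
"""Added example (not the paper's code): fit the single-parameter Beta(1, beta) model of
Section IV-E to a compliance-degree history (Eq. 7), evaluate p_fn and p_fp of
Eqs. (8) and (9) for a threshold C_T, and invert Eq. (8) to select the C_T that meets
a required p_fn, the step TABLE VII tabulates. The sample histories are constructed."""
import math

EPS = 1e-12  # keeps log(1 / (1 - c)) finite if a sample is exactly c = 1


def beta_mle(history):
    """Eq. (7): beta_hat = n / sum_i log(1 / (1 - c_i)) for samples of Beta(1, beta)."""
    if not history:
        raise ValueError("empty compliance history")
    total = sum(math.log(1.0 / (1.0 - min(max(c, 0.0), 1.0 - EPS))) for c in history)
    return len(history) / total


def beta1_cdf(x, beta):
    """F(x) of Beta(1, beta): integrating the PDF beta * (1 - x)^(beta - 1) from 0 to x
    gives 1 - (1 - x)^beta, so Eq. (6) needs no numerical integration here."""
    x = min(max(x, 0.0), 1.0)
    return 1.0 - (1.0 - x) ** beta


def p_fn(c_t, beta_bad):
    """Eq. (8): a bad node's compliance X_b exceeds C_T and is missed."""
    return 1.0 - beta1_cdf(c_t, beta_bad)


def p_fp(c_t, beta_good):
    """Eq. (9): a good node's compliance X_g does not exceed C_T and is flagged."""
    return beta1_cdf(c_t, beta_good)


def select_threshold(target_fn, beta_bad):
    """Smallest C_T with p_fn(C_T) <= target_fn, from (1 - C_T)^beta_bad = target_fn.
    p_fn falls monotonically from 1 at C_T = 0 to 0 at C_T = 1, so the root is unique."""
    return 1.0 - target_fn ** (1.0 / beta_bad)


# Constructed histories (not measured data): a good node clusters just below 1 and a
# random attacker sits well below it, mirroring the clusters the paper shows in Fig. 6.
GOOD_HISTORY = [0.995, 0.990, 0.993, 0.997, 0.991, 0.994, 0.996, 0.989]
BAD_HISTORY = [0.52, 0.61, 0.47, 0.58, 0.55, 0.49, 0.63, 0.50]


def evaluate(c_t, good=GOOD_HISTORY, bad=BAD_HISTORY):
    """Fit both populations and return (beta_good, beta_bad, p_fp, p_fn) at threshold c_t."""
    beta_good, beta_bad = beta_mle(good), beta_mle(bad)
    return beta_good, beta_bad, p_fp(c_t, beta_good), p_fn(c_t, beta_bad)


if __name__ == "__main__":
    bg, bb, fp, fn = evaluate(0.92)
    print(f"beta_good = {bg:.3f}, beta_bad = {bb:.3f}; at C_T = 0.92: p_fp = {fp:.4f}, p_fn = {fn:.4f}")
    c_t = select_threshold(0.01, bb)   # the TABLE VII style selection for p_fn = 0.01
    print(f"C_T for p_fn = 0.01: {c_t:.4f}, giving p_fp = {p_fp(c_t, bg):.4f}")
```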

TABLE V illustrates values of $\beta$, $p_{fn}$ and $p_{fp}$ under different reckless and random attack types, with basic parameter settings of $C_T = 0.92$ and $p_{err} = 0.01$. The rule-weight and compliance-distance based grading strategy is used to evaluate $c_j$ for state $j$ of a random or reckless attacker. In the following, we show that $C_T$, as a design parameter, can be fine-tuned to trade off false negatives against false positives according to different safety criticality. It can be observed that when $p_a$ is high, the attacker is easily detected, as manifested by a low false negative probability. In particular, when $p_a = 1$, the reckless attacker can rarely be missed. On the other hand, when $p_a$ decreases, the attacker becomes more insidious and hidden, reflected by the increase of the false negative probability. Note that the false positive probability remains the same regardless of the attack probability, because it is a metric that evaluates the detection error regarding good nodes only.

TABLE V
VALUES OF $\beta$, $p_{fn}$ AND $p_{fp}$ UNDER DIFFERENT RECKLESS AND RANDOM ATTACK TYPES ($C_T = 0.92$ AND $p_{err} = 0.01$)

| Attack Type | $\beta$ | $p_{fn}$ (%) | $p_{fp}$ (%) |
|---|---|---|---|
| Reckless Attack ($p_a = 1$) | 99.57 | 0.0008 | 17.21 |
| Random Attack ($p_a = 0.8$) | 4.33 | 0.0018 | 17.21 |
| Random Attack ($p_a = 0.6$) | 1.95 | 0.73 | 17.21 |
| Random Attack ($p_a = 0.4$) | 1.09 | 6.31 | 17.21 |
| Random Attack ($p_a = 0.2$) | 0.63 | 20.26 | 17.21 |

TABLE VI
VALUES OF $\beta$, $p_{fn}$ AND $p_{fp}$ UNDER DIFFERENT OPPORTUNISTIC ATTACK TYPES ($C_T = 0.92$, $p_{err} = 0.01$ AND $C = 10$)

| Opportunistic Attack Type | $p_a$ | $\beta$ | $p_{fn}$ (%) | $p_{fp}$ (%) |
|---|---|---|---|---|
| Conservative Attack ($\varepsilon = 1$) | 0.1 | 0.44 | 32.33 | 17.21 |
| Aggressive Attack ($\varepsilon = 0.9$) | 0.16 | 0.55 | 24.86 | 17.21 |
| Aggressive Attack ($\varepsilon = 0.8$) | 0.25 | 0.73 | 15.76 | 17.21 |
| Aggressive Attack ($\varepsilon = 0.7$) | 0.4 | 1.08 | 6.47 | 17.21 |

Likewise, TABLE VI illustrates values of $\beta$, $p_{fn}$ and $p_{fp}$ under different opportunistic attack types, with basic parameter settings of $C_T = 0.92$, $p_{err} = 0.01$ and $C = 10$. The rule-weight and compliance-distance based grading strategy is used to evaluate $c_j$ for state $j$ of an opportunistic attacker. It can be observed that, as $\varepsilon$ decreases, the opportunistic attacker exposes more aggressive attack behavior and can therefore be detected more easily.

Our behavior rule based insider threat detection methodology allows one to adjust the minimum compliance degree threshold $C_T$ to achieve a satisfactory $p_{fn}$ while keeping $p_{fp}$ as low as possible.

Fig. 7(a) plots the relationship between $p_{fn}$ and $C_T$ for detecting random attackers with different values of $p_a$. For each curve, $p_{fn} = 1$ when $C_T = 0$, and $p_{fn} = 0$ when $C_T = 1$, regardless of the value of $p_a$. Meanwhile, $p_{fn}$ decreases when $p_a$ increases, since a bad node is more likely to be detected when it behaves more maliciously.

Fig. 7(b) plots the relationship between $p_{fn}$ and $C_T$ for detecting re-ckless attackers ($p_a = 1$) with different values of $p_{err}$. Similar to Fig. 7(a), for each curve, $p_{fn} = 1$ when $C_T = 0$, and $p_{fn} = 0$ when $C_T = 1$, regardless of the value of $p_{err}$. Meanwhile, $p_{fn}$ decreases when $p_{err}$ decreases, since lower surrounding noise is less likely to conceal the malicious behavior of reckless attackers.

Fig. 7. False negatives $p_{fn}$ or false positives $p_{fp}$ versus compliance threshold $C_T$ and attack probability $p_a$ or surrounding noise $p_{err}$. (a) $p_{fn}$ versus $C_T$ and $p_a$ for detecting random attackers; (b) $p_{fn}$ versus $C_T$ and $p_{err}$ for detecting reckless attackers; (c) $p_{fn}$ versus $C_T$ and $p_{err}$ for detecting opportunistic attackers; (d) $p_{fp}$ versus $C_T$ and $p_{err}$ for detecting good nodes.

Fig. 7(c) plots the relationship between $p_{fn}$ and $C_T$ for detecting opportunistic attackers ($\varepsilon = 0.9$) with different values of $p_{err}$. Similar to Fig. 7(b), for each curve, $p_{fn} = 1$ when $C_T = 0$, and $p_{fn} = 0$ when $C_T = 1$, regardless of the value of $p_{err}$. However, unlike Fig. 7(b), $p_{fn}$ decreases when $p_{err}$ increases. This reflects that the attack probability $p_a$ of opportunistic attackers is higher (i.e., they are more aggressive) when the surrounding noise is higher, which increases the probability of being detected and results in a smaller $p_{fn}$.

Correspondingly, Fig. 7(d) plots the relationship between $p_{fp}$ and $C_T$ for detecting good nodes with different values of $p_{err}$. For each curve, $p_{fp} = 0$ when $C_T = 0$, and $p_{fp} = 1$ when $C_T = 1$, regardless of the value of $p_{err}$. Meanwhile, $p_{fp}$ decreases when $p_{err}$ decreases, since lower surrounding noise is less likely to cause good nodes to be mistaken for malicious ones.

By adjusting the minimum compliance degree threshold $C_T$, our behavior rule based insider threat detection technique can effectively trade off $p_{fp}$ against $p_{fn}$ to cope with more sophisticated and hidden attackers. The underlying philosophy is that, by increasing $C_T$, $p_{fn}$ can be effectively reduced at the cost of a higher $p_{fp}$. This is especially desirable for smart grid applications that require very high safety and security, since even a very small false negative could result in tremendous and dire consequences.

Fig. 8 illustrates a receiver operating characteristic (ROC) graph of the insider threat detection rate $1 - p_{fn}$ versus the false positive probability $p_{fp}$. The ROC graph is obtained by adjusting $C_T$ under the rule-weight and compliance-distance based grading policy for detecting reckless or random attackers. We draw a number of ROC curves, corresponding to different values of the attack probability $p_a$; the value of $p_{err}$ is fixed at 0.01. When we increase $C_T$, both the detection rate (upward along the z-axis) and the false positive probability (toward the right of the graph) increase. It can be seen that, applying our behavior rule based insider threat detection technique, the detection rate of the UPB device can approach 1, i.e., an attacker can always be detected without false negatives. Numerically, the false positive probability is upper-bounded by 0.1 for reckless attackers and 0.3 for random attackers, respectively.

TABLE VII
SELECTING $C_T$ TO SATISFY $p_{fn} = 0.01$ GIVEN $p_{err}$, $p_a$ AND ATTACKER TYPE AS INPUT

| $p_{err}$ | Reckless ($p_a = 1$): $C_T$ | $p_{fn}$ | $p_{fp}$ | Random ($p_a = 0.2$): $C_T$ | $p_{fn}$ | $p_{fp}$ | Opportunistic ($C = 10$ and $\varepsilon = 0.8$): $C_T$ | $p_a$ | $p_{fn}$ | $p_{fp}$ |
|---|---|---|---|---|---|---|---|---|---|---|
| 0.01 | 0.05 | 0.01 | 0.0079 | 0.9994 | 0.01 | 0.0743 | 0.997 | 0.25 | 0.01 | 0.0877 |
| 0.02 | 0.09 | 0.01 | 0.0202 | 0.9993 | 0.01 | 0.1377 | 0.979 | 0.44 | 0.01 | 0.0751 |
| 0.03 | 0.14 | 0.01 | 0.0477 | 0.9992 | 0.01 | 0.2074 | 0.910 | 0.60 | 0.01 | 0.0630 |
| 0.04 | 0.18 | 0.01 | 0.0520 | 0.9991 | 0.01 | 0.2525 | 0.754 | 0.76 | 0.01 | 0.0573 |
| 0.05 | 0.22 | 0.01 | 0.0709 | 0.9989 | 0.01 | 0.3031 | 0.481 | 0.91 | 0.01 | 0.0339 |

Fig. 8. A ROC graph of the rule-weight and compliance-distance based grading strategy for detecting reckless or random attackers ($p_{err} = 0.01$). (Axes: $p_{fp}$, $p_a$, detection rate.)

The results obtained above can be utilized by the system administrator to adaptively select the value of $C_T$ to dynamically satisfy the imposed $p_{fn}$ in response to the environment condition (e.g., the surrounding noise) and the suspected attacker type. TABLE VII illustrates one instance, where the maximum allowable $p_{fn}$, which must be satisfied, is 0.01. Given $p_{err}$ and the attacker type as input, there is a value of $C_T$ at which $p_{fn} = 0.01$ (see Fig. 7(a), Fig. 7(b) and Fig. 7(c), following the z-plane at $p_{fn} = 0.01$). From the selected value of $C_T$, the corresponding $p_{fp}$ is determined by Eq. (9). TABLE VII summarizes the settings of $C_T$ for all attacker types over a range of $p_{err}$. For example, to achieve $p_{fn} = 0.01$ and $p_{fp} = 7.51\%$, the system administrator should set $C_T$ to 0.979 when facing surrounding noise $p_{err} = 0.02$ and an opportunistic attacker with $C = 10$ and $\varepsilon = 0.8$. Such a $C_T$ is obtained by intersecting the planes $p_{err} = 0.02$ and $p_{fn} = 0.01$ with the hyperplane in Fig. 7(c).

B. Real Data Simulation

In the following, we check the validity of BLITHE by conducting experiments on the IEEE 14-bus test system. We are primarily interested in the feasibility of detecting insider threats on all 14 nodes when they report data to CC. We extract the configuration of the IEEE test system (especially the $H$ matrix, bus phase angles, bus power injections/loads, transmission line power flows, etc.) from POWER WORLD for solving optimal power flow problems in the DC model, as shown in Fig. 9 [45]. For our power system state estimation model, the measurements are the real power injections/loads of all buses. The real power flows of all branches are set as indirect measurements, which can be easily inferred from the direct measurements of all buses. The state variables are the phase angles of all buses. Based on the estimated phase angle of each bus, the real power injection/load of each bus can be determined uniquely. Then the three behavior rules in TABLE I are utilized as criteria to detect insider threats on each node. The outputs from POWER WORLD are fed to MATLAB for insider threat detection and data analysis. All experiments are simulated on an HP PC running Windows 7, with one 3.0 GHz Pentium 4 processor and 4 GB memory. The detailed test parameters are listed in TABLE VIII. To illustrate our experiment clearly, a flow chart of the major experiment procedures is shown in Fig. 10.

Fig. 9. IEEE 14-bus test system in POWER WORLD.

TABLE VIII
SIMULATION PARAMETERS

| Description | Parameter | Value |
|---|---|---|
| Probability of mis-monitoring | $p_{err}$ | 0.001 |
| Weight of rule 1 | $\gamma_1$ | 0.6 |
| Weight of rule 2 | $\gamma_2$ | 0.2 |
| Weight of rule 3 | $\gamma_3$ | 0.2 |
| Phase angle difference of neighbouring buses | $\alpha_1$ | 15° |
| Upper bound of good for rule 1 | $a_1$ | 30% |
| Upper bound of medium-warning for rule 1 | $a_2$ | 40% |
| Upper bound of great-warning for rule 1 | $a_3$ | 60% |
| Upper bound of good for rule 2 | $b_1$ | 15° |
| Upper bound of medium-warning for rule 2 | $b_2$ | 30° |
| Upper bound of great-warning for rule 2 | $b_3$ | 50° |
| Upper bound of good for rule 3 | $c_1$ | 50 MW |
| Upper bound of medium-warning for rule 3 | $c_2$ | 150 MW |
| Upper bound of great-warning for rule 3 | $c_3$ | 300 MW |

[Fig. 10 is a flow chart; only its boxes and formulas are recoverable. Boxes: Start; iRound = 0, iReportCount = 0; Data Report (inputs pa, perr; the trustee reports θi′ and Pi′ for its true θi, Pi); State Estimation (from Pi′ and H, giving the estimates θ̂i, P̂i and the branch flows Pij′); Behavior Rule Evaluation (Rule 1, Rule 2, Rule 3); Build State Machine; Compute Compliance Degree; iReportCount++; decision "iReportCount ≥ 1000?" (N: back to Data Report; Y: iRound++); decision "iRound ≥ 2000?" (N: repeat; Y: continue); Compute Expectation of Compliance Degree for Each Node, E_B[X]; Parameterize Compliance Degree Distribution; Insider Threat Detection with CT, pfp, pfn; End.

The rules and the compliance degree as written in the chart:

Rule 1: $(|\theta_i' - \theta_{(i,1)}'| \le \alpha_1) \wedge \cdots \wedge (|\theta_i' - \theta_{(i,w)}'| \le \alpha_1)$

Rule 2: $|\theta_i' - \hat{\theta}_i| \le \alpha_2$

Rule 3: $|P_i' - \hat{P}_i| \le \alpha_3$

Compliance degree: $c_i = \sum_{j=1}^{64} \pi_j \left\{ \sum_{k=1}^{3} \gamma_k \left(1 - \frac{D_{jk}}{D^{\max}_{R_k}}\right) \right\}$]

Fig. 10. A flow chart of major experiment procedures.

We take random attacks as an example in our experiments. Three insider threat scenarios are considered, i.e., the threat on one, two, and three bus(es), respectively. In each of the three scenarios, four test cases with different values of pa are conducted, with the error probability perr fixed at 0.001. For a clear comparison, in each experiment the same value of pa is set for every attacked bus.

The mathematical expectation of the compliance degree of each bus, denoted by E_B[X], is plotted and compared for the three scenarios. The following phenomena are clearly observed from Fig. 11(a), Fig. 11(b) and Fig. 11(c):

1) The value of E_B[X] of the buses suffering from insider threats is remarkably low, while those of the remaining normal buses are hardly affected;

2) The value of E_B[X] of each bus suffering from insider threats decreases greatly as pa increases;

[Fig. 11 consists of three bar charts of E_B[X] (vertical axis, 0 to 1) against bus number (horizontal axis, 1 to 14). (a) E_B[X] under attacks on bus 9, for pa = 10%, 20%, 40%, 60%. (b) E_B[X] under attacks on buses 4 and 13, for pa = 10%, 20%, 35%, 50%. (c) E_B[X] under attacks on buses 2, 9 and 13, for pa = 10%, 20%, 30%, 40%.]

Fig. 11. Mathematical expectation of the compliance degree of each bus E_B[X] under random attacks with attack probability pa.


3) The values of E_B[X] of the buses directly connected to (i.e., at 1-hop distance from) the attacked buses are also slightly affected. As the distance increases, the impact is hardly observable;

4) The distinction in E_B[X] between normal buses and buses suffering from insider threats is obvious even when multiple buses are attacked simultaneously, which indicates the robustness and scalability of our insider threat detection methodology.

To conclude, the experiments show that our proposed behavior rule based insider threat detection methodology is effective and efficient.

VI. COMPARATIVE ANALYSIS

In this section, based on the experiment results from the real data run on the POWER WORLD IEEE 14-bus benchmark system, we compare our proposed BLITHE with the state-of-the-art behavior rule based insider threat detection schemes [24], [38], [39] in terms of the mathematical expectation of the compliance degree of each bus, E_B[X], which is the key metric for detecting insider threats. Several distance-based grading strategies (e.g., Hamming, Euclidean, Manhattan, Levenshtein, etc.) for measuring the "grade" and computing the compliance degree of trustee nodes have been proposed in [24], [38], [39]. However, none of them considers the weight of each rule, which causes inaccuracy when evaluating the behavior of trustees that naturally have heterogeneous behavioral norms. Simulations and experiments show that the rule-weight and compliance-distance based grading strategy proposed in BLITHE effectively addresses this problem.

In our experiment, the insider threat is simulated on bus 6. We compare the value of E_B[X] of all 14 buses under two grading strategies. One is the existing strategy [24], [38], [39] with identical weights for the three rules. The other is our proposed BLITHE, which assigns a different weight to each rule. It can be seen from Fig. 12(a) and Fig. 12(b) that our proposed rule-weight and compliance-distance based grading strategy outperforms the existing one in distinguishing the abnormal node. Specifically, although both of them can differentiate the nodes that are far away from the attacked node (more than 2 hops from bus 6), whose E_B[X] is approximately 1, our proposed strategy is more effective at separating the threat node (bus 6) from the normal nodes within 1 hop (e.g., bus 13). It can be seen clearly that, compared with the existing strategy, as pa increases, the value of E_B[X] of bus 13 (normal node) under our strategy decreases only slightly while that of bus 6 (abnormal node) decreases greatly. Numerically, when pa = 0.6, the values of E_B[X] of buses 6 and 13 under the existing strategy are 0.655667 and 0.9285, respectively, while the corresponding values under our improved strategy are 0.5514 and 0.9527. The discrimination (the gap between the two values) under our improved strategy, 0.4013, is 1.47 times that under the existing strategy, 0.2728. Our improvement is due to the adjustable weight settings for the rules. In fact, the weights can be fine-tuned in BLITHE so as to suit different scenarios with different attacker prototypes and degrees of abnormality.
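The grading strategy compared above, as an added example that is not the authors' code: it grades each rule's compliance distance against the Table VIII bounds, combines the three rules with the rule weights, and computes E_B[X] of a normal bus and an attacked bus under equal weights and under BLITHE's weights (0.6, 0.2, 0.2). The sample reports are constructed. Taking each rule's great-warning bound as D^max and capping the distance there, and using the empirical mean over reports in place of the state-machine expectation of the paper, are assumptions of this example rather than details taken from the paper.

```python
"""Rule-weight and compliance-distance grading of a monitored bus (added example)."""
from statistics import mean

# Upper bounds of the good / medium-warning / great-warning grades per rule (Table VIII).
# Rule 1 is graded on the fraction of neighbours whose reported angle differs by more than
# alpha1 = 15 deg; rule 2 on |theta' - theta_hat| in degrees; rule 3 on |P' - P_hat| in MW.
GRADE_BOUNDS = {
    1: (0.30, 0.40, 0.60),
    2: (15.0, 30.0, 50.0),
    3: (50.0, 150.0, 300.0),
}
EQUAL_WEIGHTS = (1 / 3, 1 / 3, 1 / 3)   # existing strategy: identical rule weights
BLITHE_WEIGHTS = (0.6, 0.2, 0.2)         # gamma1, gamma2, gamma3 from Table VIII


def grade(rule, distance):
    """Grade of one rule from its compliance distance; beyond great-warning is 'bad'."""
    for name, bound in zip(("good", "medium-warning", "great-warning"), GRADE_BOUNDS[rule]):
        if distance <= bound:
            return name
    return "bad"


def rule_distances(theta_rep, theta_est, p_rep, p_est, neighbour_thetas, alpha1=15.0):
    """Compliance distances (D_1, D_2, D_3) of one report against the three rules."""
    if not neighbour_thetas:
        raise ValueError("rule 1 needs at least one neighbouring bus")
    violating = sum(1 for t in neighbour_thetas if abs(theta_rep - t) > alpha1)
    return (violating / len(neighbour_thetas), abs(theta_rep - theta_est), abs(p_rep - p_est))


def compliance(distances, weights):
    """Weighted compliance sum_k gamma_k * (1 - D_k / Dmax_k).

    Assumption of this example: Dmax_k is the great-warning bound of rule k and D_k is
    capped there, so a report breaking every rule badly scores 0 and a clean one scores 1.
    """
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("rule weights must sum to 1")
    score = 0.0
    for k, (d, w) in enumerate(zip(distances, weights), start=1):
        dmax = GRADE_BOUNDS[k][-1]
        score += w * (1.0 - min(d, dmax) / dmax)
    return score


def expected_compliance(reports, weights):
    """Empirical E_B[X]: mean compliance over a bus's reports (assumption: stands in for
    the stationary-distribution expectation of the paper's state machine)."""
    return mean(compliance(rule_distances(*r), weights) for r in reports)


def discrimination(e_normal, e_attacked):
    """Gap in E_B[X] between a normal and an attacked bus; larger is easier to threshold."""
    return e_normal - e_attacked


# Constructed sample reports: (theta', theta_hat, P', P_hat, neighbour thetas).
# Attacked bus: half of its reports carry a false angle and a false injection.
ATTACKED_BUS_REPORTS = [
    (10.0, 10.0, 80.0, 80.0, [8.0, 12.0, 11.0]),
    (10.0, 10.0, 80.0, 80.0, [8.0, 12.0, 11.0]),
    (50.0, 10.0, 230.0, 80.0, [8.0, 12.0, 11.0]),   # false report
    (50.0, 10.0, 230.0, 80.0, [8.0, 12.0, 11.0]),   # false report
]
# Normal bus far from the attack: every report matches the estimate.
NORMAL_BUS_REPORTS = [(-4.0, -4.0, 60.0, 60.0, [-3.0, -6.0])] * 4


def compare_strategies():
    """E_B[X] of both buses and the discrimination under each weighting."""
    out = {}
    for name, w in (("equal", EQUAL_WEIGHTS), ("blithe", BLITHE_WEIGHTS)):
        e_n = expected_compliance(NORMAL_BUS_REPORTS, w)
        e_a = expected_compliance(ATTACKED_BUS_REPORTS, w)
        out[name] = (e_n, e_a, discrimination(e_n, e_a))
    return out


if __name__ == "__main__":
    for name, (e_n, e_a, gap) in compare_strategies().items():
        print(f"{name:7s} normal={e_n:.4f} attacked={e_a:.4f} gap={gap:.4f}")
```

With these constructed reports the false reports violate rule 1 for every neighbour, so the weighting that emphasises rule 1 pulls the attacked bus's E_B[X] down further (0.57 against 0.6167) while a clean bus stays at 1, which is the direction of the effect reported for buses 6 and 13 above; the paper's own figures (0.9285/0.655667 and 0.9527/0.5514) give the 1.47 ratio through the same discrimination function.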

Therefore, our rule-weight and compliance-distance based grading strategy proposed in BLITHE greatly outperforms the state-of-the-art strategy in detecting insider threats.

VII. RELATED WORK

Insider threats are malicious behaviors perpetrated by a legitimate member (or a compromised device) with authorized system access, called the insider attacker, for malicious goals, e.g., tampering with data or spoofing other members (or normal devices). Since insider attackers have authorized system access and are familiar with the system architecture, they have distinct advantages over outsider attackers in launching attacks stealthily. Over the past few years, several insider threat detection schemes have been proposed [14], [15], [24], [27]–[36], [38], [39], which can be generally classified into three types: signature-based, anomaly-based, and specification-based schemes. Signature-based detection schemes rely entirely on conventional information about known attack patterns and utilize data mining methods and algorithms to detect possible attacks [27]–[29]. Although these methods are exceedingly capable of identifying known attacks, their detection capabilities are imperfect when facing unknown attack patterns [30]. In contrast, anomaly-based detection systems overcome this problem by treating behaviors as suspicious or anomalous when they deviate from the normal model. Utilizing various techniques, e.g., statistical, distance, profile and model based analytical methods, several anomaly detection schemes have been proposed that try to properly distinguish between abnormal and normal behavior [31]–[33]. Unfortunately, conventional anomaly-based detection schemes incur high computational overhead in performing threat detection and regularly have high rates of false alarms [30].

A handful of specification-based insider threat detection schemes have thus far been studied and applied only in the context of communication networks. For example, an insider threat detection system that applies seven types of traffic-based rules to detect insider threats is proposed in [34], and specification-based state machines are considered in [35], [36] for insider threat detection of misbehaving patterns in communication networks. However, the physical environment and the closed-loop control structure of CPS have not yet been considered in the existing literature. In addition, some behavior rule specifications proposed in [24], [38], [39] are impractical because they are too coarse-grained and only address very high-level requirements in some specific research domains.

Today, although insider threat detection for CPS has attracted considerable attention due to the dire consequences of failures, detection techniques for CPS, especially smart grid, are still in their infancy with very little work reported [14], [15]. Therefore, it is urgently desirable to design effective insider threat detection schemes for securing CPS such as smart grid systems.

VIII. CONCLUSION

For smart grid, being able to detect insider threats to protectthe continuity and accuracy of operation is of vital importance.

[Fig. 12 consists of two line charts of E_B(X) against pa = 0.1, 0.2, ..., 0.6 for all 14 buses (bus 1 to bus 14). (a) Existing strategy with identical rule weights (γ1 = γ2 = γ3 = 1/3); vertical axis 0.65 to 1. (b) BLITHE with different rule weights (γ1 = 0.6, γ2 = γ3 = 0.2); vertical axis 0.55 to 1.]

Fig. 12. Comparison of the value of E_B[X] of each bus in the IEEE 14-bus system with the insider threat on bus 6.

In this paper, BLITHE, a behavior rule based insider threat detection methodology, has been proposed to capture insider attacks on physical devices. BLITHE features simplicity, flexibility and accuracy owing to its configurable parameters, including the threshold for distinguishing normal from abnormal devices and the rule weights, which make it applicable to heterogeneous behavioral norms. Through real data based experiments and comparative analysis, we have demonstrated that BLITHE outperforms existing behavior rule based approaches for detecting insider threats.

In future work, we plan to model fine-grained adversary prototypes and design more effective and practical insider threat detection mechanisms based on artificial intelligence techniques (e.g., neural networks [46], ant colony optimization [47], genetic algorithms [48], etc.), such that the system can dynamically and automatically adjust CT to maximize insider threat detection performance in the face of varying and uncertain attack behaviors.

ACKNOWLEDGMENT

The authors would like to thank the support of Nanyang Technological University under Grant NTU-SUG (M4081196) and MOE Tier 1 (M4011177). H. Bao is supported in part by the EEE Cybersecurity Research Program, NTU.

REFERENCES

[1] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, "EPPA: An efficient and privacy-preserving aggregation scheme for secure smart grid communications," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 9, pp. 1621–1631, 2012.

[2] X. S. Shen, "Empowering the smart grid with wireless technologies [Editor's note]," IEEE Network, vol. 26, no. 3, pp. 2–3, 2012.

[3] R. Deng, Z. Yang, M.-Y. Chow, and J. Chen, "A survey on demand response in smart grids: Mathematical models and approaches," IEEE Transactions on Industrial Informatics, to appear, DOI: 10.1109/TII.2015.2414719.

[4] A. J. Wood and B. F. Wollenberg, Power Generation, Operation, and Control. John Wiley & Sons, 2012.

[5] Y. Liu, P. Ning, and M. K. Reiter, "False data injection attacks against state estimation in electric power grids," ACM Transactions on Information and System Security (TISSEC), vol. 14, no. 1, p. 13, 2011.

[6] J.-M. Lin and H.-Y. Pan, "A static state estimation approach including bad data detection and identification in power systems," in Power Engineering Society General Meeting, 2007. IEEE. IEEE, 2007, pp. 1–7.

[7] T. Van Cutsem and M. Ribbens-Pavella, "Bad data identification methods in power system state estimation: A comparative study," IEEE Transactions on Power Apparatus and Systems, vol. 104, no. 11, 1985.

[8] A. Monticelli, State Estimation in Electric Power Systems: A Generalized Approach. Springer Science & Business Media, 1999, vol. 507.

[9] I. W. Slutsker, "Bad data identification in power system state estimation based on measurement compensation and linear residual calculation," IEEE Transactions on Power Systems, vol. 4, no. 1, pp. 53–60, 1989.

[10] Z. Xiao, Y. Xiao, and D.-C. Du, "Non-repudiation in neighborhood area networks for smart grid," IEEE Communications Magazine, vol. 51, no. 1, pp. 18–26, 2013.

[11] C. Rottondi, M. Savi, D. Polenghi, G. Verticale, and C. Kraus, "Implementation of a protocol for secure distributed aggregation of smart metering data," in Smart Grid Technology, Economics and Policies (SG-TEP), 2012 International Conference on. IEEE, 2012, pp. 1–4.

[12] M. S. Thomas, I. Ali, and N. Gupta, "A secure way of exchanging the secret keys in advanced metering infrastructure," in Power System Technology (POWERCON), 2012 IEEE International Conference on. IEEE, 2012, pp. 1–7.

[13] H. Kluitenberg, "Security risk management in IT small and medium enterprises," 2014.

[14] M. Anand, E. Cronin, M. Sherr, M. Blaze, Z. Ives, and I. Lee, "Security challenges in next generation cyber physical systems," Beyond SCADA: Networked Embedded Control for Cyber Physical Systems, 2006.

[15] A. Cardenas, S. Amin, B. Sinopoli, A. Giani, A. Perrig, and S. Sastry, "Challenges for securing cyber physical systems," in Workshop on Future Directions in Cyber-Physical Systems Security, 2009.

[16] R. Berthier and W. H. Sanders, "Specification-based intrusion detection for advanced metering infrastructures," in Dependable Computing (PRDC), 2011 IEEE 17th Pacific Rim International Symposium on. IEEE, 2011, pp. 184–193.

[17] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, "Attacks against process control systems: Risk assessment, detection, and response," in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ACM, 2011, pp. 355–366.

[18] Y. Chen and B. Luo, "S2A: Secure smart household appliances," in Proceedings of the Second ACM Conference on Data and Application Security and Privacy. ACM, 2012, pp. 217–228.

[19] P. Jokar, H. Nicanfar, and V. C. Leung, "Specification-based intrusion detection for home area networks in smart grids," in Smart Grid Communications (SmartGridComm), 2011 IEEE International Conference on. IEEE, 2011, pp. 208–213.

[20] R. Klump and M. Kwiatkowski, "Distributed IP watchlist generation for intrusion detection in the electrical smart grid," in Critical Infrastructure Protection IV. Springer, 2010, pp. 113–126.

[21] Q. He and R. S. Blum, "Smart grid monitoring for intrusion and fault detection with new locally optimum testing procedures," in Acoustics, Speech and Signal Processing (ICASSP), 2011 IEEE International Conference on. IEEE, 2011, pp. 3852–3855.

[22] Y. Zhang, L. Wang, W. Sun, R. Green, and M. Alam, "Artificial immune system based intrusion detection in a distributed hierarchical network architecture of smart grid," in Power and Energy Society General Meeting, 2011 IEEE. IEEE, 2011, pp. 1–8.

[23] Y. Zhang, L. Wang, W. Sun, R. C. Green, and M. Alam, "Distributed intrusion detection system in a multi-layer network architecture of smart grids," IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 796–808, 2011.

[24] R. Mitchell and R. Chen, "Behavior rule based intrusion detection systems for safety critical smart grid applications," IEEE Transactions on Smart Grid, vol. 4, no. 3, pp. 1254–1263, 2013.

[25] J. Wei, D. Kundur, T. Zourntos, and K. Butler-Purry, "Probing the telltale physics: Towards a cyber-physical protocol to mitigate information corruption in smart grid systems," in Smart Grid Communications (SmartGridComm), 2012 IEEE Third International Conference on. IEEE, 2012, pp. 372–377.

[26] T. Liu, Y. Gu, D. Wang, Y. Gui, and X. Guan, "A novel method to detect bad data injection attack in smart grid," in INFOCOM, 2013 Proceedings IEEE. IEEE, 2013, pp. 3423–3428.

[27] P. S. Wheeler, "Techniques for improving the performance of signature-based network intrusion detection systems," Ph.D. dissertation, Citeseer, 2006.

[28] S. Patton, W. Yurcik, and D. Doss, "An Achilles' heel in signature-based IDS: Squealing false positives in Snort," Proceedings of RAID 2001, 2001.

[29] G. Vigna, W. Robertson, and D. Balzarotti, "Testing network-based intrusion detection signatures using mutant exploits," in Proceedings of the 11th ACM Conference on Computer and Communications Security. ACM, 2004, pp. 21–30.

[30] P. Louvieris, N. Clewley, and X. Liu, "Effects-based feature identification for network intrusion detection," Neurocomputing, vol. 121, pp. 265–273, 2013.

[31] M. V. Mahoney, "Network traffic anomaly detection based on packet bytes," in Proceedings of the 2003 ACM Symposium on Applied Computing. ACM, 2003, pp. 346–350.

[32] C. Taylor and J. Alves-Foss, "NATE: Network Analysis of Anomalous Traffic Events, a low-cost approach," in Proceedings of the 2001 Workshop on New Security Paradigms. ACM, 2001, pp. 89–96.

[33] K. Wang and S. J. Stolfo, "Anomalous payload-based network intrusion detection," in Recent Advances in Intrusion Detection. Springer, 2004, pp. 203–222.

[34] A. P. R. da Silva, M. H. Martins, B. P. Rocha, A. A. Loureiro, L. B. Ruiz, and H. C. Wong, "Decentralized intrusion detection in wireless sensor networks," in Proceedings of the 1st ACM International Workshop on Quality of Service & Security in Wireless and Mobile Networks. ACM, 2005, pp. 16–23.

[35] S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner, and A. Valdes, "Using model-based intrusion detection for SCADA networks," in Proceedings of the SCADA Security Scientific Symposium, vol. 46, 2007, pp. 1–12.

[36] B. Dutertre, "Formal modeling and analysis of the Modbus protocol," in Critical Infrastructure Protection. Springer, 2008, pp. 189–204.

[37] W. Li, Risk Assessment of Power Systems: Models, Methods, and Applications. John Wiley & Sons, 2014.

[38] R. Mitchell and R. Chen, "Adaptive intrusion detection of malicious unmanned air vehicles using behavior rule specifications," IEEE Transactions on Systems, Man, and Cybernetics, vol. 44, no. 5, pp. 593–604, 2014.

[39] ——, "Behavior rule specification-based intrusion detection for safety critical medical cyber physical systems," IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 1, pp. 16–30, 2015.

[40] S. Sutikno, A. Surya, and R. Effendi, "An implementation of ElGamal elliptic curves cryptosystems," in Circuits and Systems, 1998. IEEE APCCAS 1998. The 1998 IEEE Asia-Pacific Conference on. IEEE, 1998, pp. 483–486.

[41] D. Van Hertem, J. Verboomen, K. Purchala, R. Belmans, and W. Kling, "Usefulness of DC power flow for active power flow analysis with flow controlling devices," in AC and DC Power Transmission, 2006. ACDC 2006. The 8th IEE International Conference on. IET, 2006, pp. 58–62.

[42] O. Yilmaz and R. Chen, "Utilizing call admission control for pricing optimization of multiple service classes in wireless cellular networks," Computer Communications, vol. 32, no. 2, pp. 317–323, 2009.

[43] D. Johnson, A. Menezes, and S. Vanstone, "The elliptic curve digital signature algorithm (ECDSA)," International Journal of Information Security, vol. 1, no. 1, pp. 36–63, 2001.

[44] S. M. Ross, Introduction to Probability Models. Academic Press, 2014.

[45] H. Kaur, Y. Brar, and J. S. Randhawa, "Optimal power flow using Power World simulator," in Electric Power and Energy Conference (EPEC), 2010 IEEE. IEEE, 2010, pp. 1–6.

[46] L. A. Zadeh, "Toward a theory of fuzzy information granulation and its centrality in human reasoning and fuzzy logic," Fuzzy Sets and Systems, vol. 90, no. 2, pp. 111–127, 1997.

[47] C.-F. Juang, C.-W. Hung, and C.-H. Hsu, "Rule-based cooperative continuous ant colony optimization to improve the accuracy of fuzzy system design," IEEE Transactions on Fuzzy Systems, vol. 22, no. 4, pp. 723–735, 2014.

[48] J. J. Grefenstette, "Optimization of control parameters for genetic algorithms," IEEE Transactions on Systems, Man and Cybernetics, vol. 16, no. 1, pp. 122–128, 1986.