A machine learning-based detection framework is proposed to detect a class of cyber-attacks that redistribute loads by modifying measurements. The detection framework consists of a multi-output support vector regression (SVR) load predictor and a subsequent support vector machine (SVM) attack detector to determine the existence of load redistribution (LR) attacks utilising loads predicted by the SVR predictor. Historical load data for training the SVR are obtained from the publicly available PJM zonal loads and are mapped to the IEEE 30-bus system. The features to predict loads are carefully extracted from the historical load data capturing both temporal and spatial correlations. The SVM attack detector is trained using normal data and randomly created LR attacks so that it can maximally explore the attack space. An algorithm to create random LR attacks is introduced. The results show that the SVM detector trained merely using random attacks can effectively detect not only random attacks but also intelligently designed attacks. Moreover, using the SVR predicted loads to re-dispatch generation when attacks are detected can significantly mitigate the attack consequences.
Read full abstract