This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

A Statistical Framework for Detecting Electricity

Theft Activities in Smart Grid Distribution
Networks
Jin Tao, George Michailidis Member, IEEE

Abstract—Electricity distribution networks have undergone of attention has been paid to the impact of FDI on the
rapid change with the introduction of smart meter technology, grid’s state estimation problem [8] and how coordinate attacks
that have advanced sensing and communications capabilities, re- can occur [9],[10]. [11] proposes an adaptive procedure to
sulting in improved measurement and control functions. However,
the same capabilities have enabled various cyber-attacks. A par- test whether there is a data attack activity combined with
ticular attack focuses on electricity theft, where the attacker alters a multivariate hypothesis testing method in order to avoid
(increases) the electricity consumption measurements recorded the wrong grid-state estimate. Addressing the problem from
by the smart meter of other users, while reducing her own a different angle, [12] attempts to prevent the state estimation
measurement. Thus, such attacks, since they maintain the total from being compromised, by approaching the problem from
amount of power consumed at the distribution transformer
are hard to detect by techniques that monitor mean levels of a graph theoretic method aiming to design an optimal set of
consumption patterns. To address this data integrity problem, meter measurements. [13] considers a setting where multiple
we develop statistical techniques that utilize information on simultaneous nefarious data attacks are launched and proposes
higher order statistics of electricity consumption and thus are a game theoretic framework to build a defense system.
capable of detecting such attacks and also identify the users Another thrust has focused on the electricity theft problem
(attacker and victims) involved. The models work both for
independent and correlated electricity consumption streams. The and there are two general streams in the literature. One of them
results are illustrated on synthetic data, as well as emulated focuses on using machine learning and data mining techniques
attacks leveraging real consumption data. to detect anomalies in the consumption patterns of a household
Index Terms—false data injection mechanism, anomaly detec- or business, based on smart meters’ historical data -see e.g.
tion and diagnosis, higher order information, smart grid, inverse [14], [15], [16], [17], [18], [19], [20]- potentially augmented
problem, thresholded covariance matrix with information about the consumer type [20]. These methods
can be further subdivided to supervised ones that leverage
I. I NTRODUCTION labels (known FDI vs non-FDI) samples in the training data,
and unsupervised ones that try to identify abrupt changes
Electricity theft has been a major concern worldwide and from normal consumption patterns. Supervised methods can be
costs utility companies significant revenue losses [1], [2]. powerful, but availability of labeled FDI samples remains a big
It takes various forms, ranging from physical interventions challenge. Unsupervised methods are susceptible to the impact
through illegal connections and meter tampering, to billing of non-malicious factors that alter consumption patterns; e.g.
irregularities and unpaid bills by customers. The introduction seasonality, change of appliances, change of occupants, and
of advanced metering infrastructure has the potential to reduce so forth [21].
the risk of electricity theft through its increasing frequency A different stream in the literature utilizes information about
monitoring capabilities. In addition, smart meter technology the architecture of a neighborhood area network in the smart
can lead to effective and accurate load forecasting and on-time grid [22], [23], [24], [25], [26]. Specifically, it assumes that the
troubleshooting for outage remediation and network controlla- electricity provider builds a distribution station within every
bility (see, e.g., [3], [4], [5]). At the same time, it offers new neighborhood that acts as an “electricity router” to distribute
opportunities for tampering with operations of the power grid power from the substation to all consumers, A master smart
through cyber-attacks both locally and remotely, that take the meter (known as the collector) measures aggregate power
form of false data injections. The consequences range from supply from the power provider to all consumers within a
compromising demand response schemes for selected targeted certain time interval. Further, smart meters installed at each
areas, to endangering the power grid’s state estimation process consumer (households or businesses) record their correspond-
or even inducing power outages [6]. ing energy consumption for the same time interval. [24]
There is a growing literature on false data injection (FDI) proposed a method that utilizes such measurements, together
attack activities (a brief summary is given in [7]). A lot with information about the resistances of lines connecting the
This work was supported in part by NSF grant DMS 1830175. consumption points to the distribution transformers to estimate
J. Tao is with the Department of Statistics, University of Florida, technical losses due to low voltage power lines, as well as
Gainesville, FL 32611, USA email:[email protected] intrinsic inefficiencies in the transformers. [25], [26] em-
G. Michailidis is with the Departments of Statistics and Computer Science
and the Informatics institute, University of Florida, Gainesville, FL 32611, ployed such measurements and a linear regression framework
USA e-mail: [email protected] to identify electricity theft, wherein the dependent variable

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

corresponds to the aggregate measurement by the collector, The remainder of this paper is organized as follows: Section
and the predictor variables to the household/business smart II introduces the modeling framework for the problem at hand.
meter measurements. However, for this approach to work, it Section III describes the detection and identification/diagnosis
is assumed that the predictor variables are uncorrelated, an strategies, while Section IV discusses implementation issues
assumption that is automatically violated when theft occurs, and evaluates the strategies based on synthetic data, as well
as technically demonstrated in Section II below. Note that this as emulated attacks based on real consumption data. Finally,
regression framework would work to identify faulty individual some concluding remarks are drawn in Section V.
smart meters, since their measurements will most likely be
random and hence uncorrelated. II. M ODEL D ESCRIPTION AND P ROBLEM F ORMULATION
In this paper, we adopt the architecture of the neighbor-
Let Y1 , Y2 , ..., YP correspond to the smart meter2 variables
hood area network, as previously described. In this setting,
that measure electricity consumption over a time interval, and
electricity theft involves an attacker who attempts to lower
further assume that Yi = ρi W + Ui , where E(W ) = µw ,
her energy bill by injecting false measurements to her own i.i.d.
smart meter, but to avoid detectability by the utility company V ar(W ) = σw , ρ ∈ (−1, 1) and Ui ∼ F (u). In
compensates with another false injection to smart meters words, the smart meter measurements are correlated, namely
√
within the neighborhood area network. Specifically, consider Corr(Yi , Yj ) = ρi ρj , ∀ i 6= j. This is a reasonable
a set of smart meters in a neighborhood under a common assumption, since neighboring households can exhibit a certain
distributional transformer, as depicted in Figure 1. If the degree of similarity in their electricity consumption patterns
attacker alters (increases) the electricity consumption mea- [27]. The idiosyncratic component Ui of each measurement Yi
surements recorded by the smart meters of other users, while (that captures the heterogeneity among electricity consumers)
reducing her own measurement, the total consumption reported has a distribution F , whose first two moments are denoted by
at the collector is not altered. Hence, various machine learning µ and σ, respectively. Finally, denote the P × P covariance
0

based monitoring schemes that focus on alterations in mean matrix of the measurements by Y = (Y1 , · · · , YP ) by
consumption patterns will fail to detect such an attack when h 0
i
Σ = V ar(Y) = E (Y − E (Y)) (Y − E (Y)) . (II.1)
considering measurements from the central node, or when used
in end user smart meters, especially if the attacker injects small Let Z denote the measurement variable at the collector node
magnitude false data1 (e.g. distributional transformer smart meter) controlled by the
power utility company, where the smart meter measurements
are communicated to; hence, assuming absence of technical
losses due to power distribution and transmission issues (see
P
Yi .3
P
discussion in [24]), we have by definition that Z =
i=1
An electricity theft attacker aims to distort the measure-
ments recorded by the end node smart meters, while not
changing their sum. For example, if the attacker can lower
the measurement of meter i by an amount α and increase
that of meter j by an equal amount, then the attacker can
benefit financially. We coin the smart meter (end node),
whose electricity consumption measurement is decreased as
the “Attacker Node”, and the end node whose electricity
consumption measurement is increased as the “Victim Node”.
Fig. 1. Structure of the neighborhood area network, with a central smart Next, we impose a number of assumptions on Y and α that
meter node (collector) for the distribution transformer and smart meters at are used in future technical developments. We start by defining
consumption points. the key variables.
Notation:
On the other hand, examining correlations between the Yi : value of ith smart meter measurement;
measurements (and in certain cases, information encapsulated W : the variable of the common component for each smart
in 3rd moments of the data distribution) proves a powerful meter measurement;
strategy, not only to detect an attack, but also identify the ρi : the relative contribution of W for Yi ;
attacking node, as well as the “victim” nodes. Further, the Ui : idiosyncratic component for each measurement Yi ;
proposed strategy works even when the consumption patters α: data attack variable;
amongst end users are correlated. The key message of the : approximate to or close to. For example, a−b  0 means
work is that examining correlation patterns can be a powerful the value of a − b is close to 0.
approach for the electricity theft problem. 2 end nodes of the distribution network; for example, deployed at households
or businesses
1 Note that this attack mechanism violates the assumption of uncorrelated 3 In the presence of technical losses, the techniques in [24] can be used to
predictors in the regression framework proposed by [25], and thus renders it adjust the controller and individual smart meter measurements, so that equality
inapplicable. holds.

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

Assumptions: Theorem 2.1: The pairwise attack is undetectable by only

Assumption 2.1: Assume that all smart meter measurements monitoring the mean levels of electricity consumption at the
are non-negative, i.e., Yi ≥ 0, ∀ i and in addition that their 3rd smart meters (end nodes) and the central node.
moments exist; i.e, E(Yi3 ) ≤ ∞. Proof: If there is no attack, we have that E(Z) =
P
Assumption 2.2: | ρi − ρj | 0 for any 1 ≤ i 6= j ≤ P ; P
E(Yl ). In the pairwise attack scenario, we obtain E(Z) =
namely that the magnitude of ρi ’s is similar. l=1
P
Assumption 2.3: Cov(Ui , W ) = 0 for any 1 ≤ i ≤ P ; P P
E(Yl )+E(Yi −α)+E(Yj +α) = E(Yl ). Consequently,
namely, the common and idiosyncratic components of each l6=i,j l=1
smart meter measurement are uncorrelated. the meter in the central node Z has measurements that agree
Assumption 2.4: Each smart meter measurement is uncor- with the sum of those obtained at the smart meters.
related with any attack variable, i.e., Cov(Yi , αj ) = 0 for The key to detect the attack, as well as identify the nodes
1 ≤ i ≤ P and j ∈ N, the latter being the set of nodes involved is to examine higher moment (variance, etc.) infor-
involved in the attack either as attacker or victims. mation of the consumption measurements.
Assumption 2.5: All attack variables are positive, i.e., α > Under a pairwise attack mechanism, let an attack of mag-
0, and independently distributed with V ar(α) = σα . In nitude αe be launched by node i with victim node j, and
addition, we assume that E(α3 ) ≤ ∞. similarly let another attack of magnitude αf be launched with
Assumption 2.6: The attacker manages to coordinate the Attacker node k and Victim node l. Denote by V ar(αe ) = σαe
attacks, so that there is a single one during a reporting period and V ar(αf ) = σαf ; then, the following relationships hold:
by the smart meters to the utility company. • V ar(Yi − αe ) = σ + σαe , V ar(Yj + αe ) = σ + σαe ,
Remark: Discussion of Assumptions. Assumption 2.1 is mild, V ar(Yk − αf ) = σ + σαf , V ar(Yl + αf ) = σ + σαf .
since it is easily satisfied by distributions for electricity con- • Cov(Yi −αe , Yj +αe ) = −σαe , Cov(Yk −αf , Yl +αf ) =
sumption; only, fairly heavy tailed distributions are excluded. −σαf .
The same holds for Assumption 2.5. Assumptions 2.2 and Some straightforward algebra shows that
2.3 posit a mechanism that induces correlations amongst the
end node smart meter measurements that can be leveraged V ar(Yi ± αe ) = V ar(Yi ) + V ar(αe ) ± 2Cov(Yi , αe )
by the proposed approach for both electricity theft detection Then, by Assumption 2.4, we obtain Cov(Yi , αe ) = 0. Hence,
and identification of the attacker and the victim nodes. At
the same time, it is a very general mechanism that allows V ar(Yi ± αe ) = V ar(Yi ) + V ar(αe ) = σ + σαe ,
for both strongly and weakly correlated data, depending on
and
the magnitude of the ρi ’s and the variance of W .4 Finally,
Assumption 2.4 posits that the magnitude of the attack is Cov(Yi − αe , Yj + αe ) = Cov(Yi , Yj ) + Cov(Yi , αe )
uncorrelated with any of the smart meter measurements. This −Cov(αe , Yj ) − Cov(αe , αe )
is reasonable in practice; otherwise, the attacker would need
Since Cov(Yi , Yj ) = 0 and Cov(Yi , αj ) = 0 for 1 ≤ i ≤ P
to continuously adjust the amount of electricity to that of the
and j ∈ N, we have
measurement, which implies a high level of sophistication on
the attacker’s part. Cov(Yi − αe , Yj + αe ) = −V ar(αe ) = −σαe
Finally, note that the proposed model assumes that the
variances of all variables involved remain constant over time. Similarly,
Hence, the model can naturally accommodate shifts in the Cov(Yi − αe , Yk − αf ) = Cov(αe , αf )
mean electricity consumption.
By Assumption 2.5, we then get Cov(αi , αj ) = 0 for ∀ i, j ∈
N, and thus
A. Identifying Attacks: The Independent Case Cov(Yi − αe , Yk − αf ) = 0
To gain insight into the issue of whether and how an The other relationships can be obtained analogously. These
attack can be identified, we first consider the special case calculations imply that in the presence of an attack of magni-
where ρi = 0, ∀ 0 ≤ i ≤ P ; namely, that the smart meter tude α involving nodes 1 and 2, the covariance matrix Σ will
measurements are independent since Yi = Ui . Consequently, change its pattern from a diagonal matrix to a block diagonal
we have that Y1 , Y2 , ..., YP are i.i.d with EYi = µ and matrix given by
V ar(Yi ) = σ. Therefore, the covariance matrix Σ becomes  
a diagonal matrix, i.e., Σ = σI. σ + σα −σα 0 ··· 0
We start our analysis by examining an attack scenario  −σα σ + σα 0 · · · 0 
 
involving a single Victim Node. 0
 
Σ =
 0 0 σ ··· 0 
A Pairwise Attack Scenario: This setting involves nodes i

 .. .. .. . . .. 
(Attacker) and j (Victim) with respective measurements Yi −α

 . . . . .  
and Yj +α. Then, the following result can be easily established. 0 0 0 ··· σ
4 The case of uncorrelated data requires special treatment and is examined Analogously, if there are s different pairwise attacks in-
in Section II.A volving the first 2s end nodes with the first one designated as

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

the Attacker and the second as the Victim, the corresponding It is easy to check that
covariance matrix of the smart meter measurements will have
E(Yi )3 − E(Yj )3 = (ρ3i − ρ3j )EW 3 +
the following form
  3(ρ2i EUi − ρ2j EUj )EW 2 +
B1
3(ρi EUi2 − ρj EUj2 )EW +

 B2 


.
 EUi3 − EUj3

 .. 

0
  and
Σ = Bs
 


 EYi − EYj = (ρi − ρj )EW + EUi − EUj
 σ 
  By Assumption 2.3, we have E(Yi )3 − E(Yj )3  0 and
..
 

 .

 EYi − EYj  0. Since Eα > 0 and Eα3 > 0, then
σ P ×P E(Yi + α)3 − E(Yj − α)3 > 0
where Bh , h = 1, ..., s,
" is the sub-covariance #block matrix for This proves the result.
σ + σαh −σαh A direct consequence of Theorem 2.2 is that the 3rd moment
attack αh , and Bh = .
−σαh σ + σαh of the Victim node is strictly larger than that of the Attacker
This explicit pattern dictates the following algorithmic strat- node within the same attack group. Hence, leveraging the
egy to detect an electricity theft attack and identify the pairs results of Theorem 2.1, the block diagonal structure of the
of nodes involved in it. covariance matrix and Theorem 2.2, give rise to the following
• If Cov(Yi , Yj ) < 0, i 6= j, we can conclude that end detection and identification algorithm for the pairwise attack
nodes i and j are involved in the same attack; i.e. they scenario.
belong to the same attack group;
• Similarly, if Cov(Yi , Yj ) = 0, i 6= j, we can conclude Algorithm 1 Pairwise Attack Detection and Identification
that there is no attack involving nodes i and j; rather, i←1
they belong to different attack groups. while i < P do
Hence, the above simple strategy detects electricity theft and while i < j ≤ P do
the nodes involved as Attacker and Victim in it. if Cov(yi , yj ) < 0 then
Remark: In practice, the s attacks will involve random pairs ∆ = E(yi )3 − E(yi0 )3
of nodes and not the first 2s ones. Then, one needs to reorder if ∆ > 0 then
the rows and columns of the covariance matrix to obtain the label yi as the Victim node for Attack Group i
desired structure previously discussed. and label yi0 as the Attacker node for the same
The previously outlined strategy identifies the s attack Group;
groups, but not which node in the pair is the Attacker else {∆ < 0}
and which is the Victim. To address this issue, information label yi as the Attacker for Attack Group i and
involving the 3rd moment of the smart meter measurements label yi0 as the Victim for the same Group;
is required, as the following result shows. end if
Theorem 2.2: Under the pairwise attack scenario, if end else
nodes i and j are in the same attack group with magnitude α, end if
then E(Yi + α)3 − E(Yj − α)3 > 0. j =j+1
Proof: Note that end while
i=i+1
E(Yi + α)3 = E(Yi )3 + 3E(Yi )2 E(α) + 3E(Yi )E(α)2 + E(α)3 end while
(II.2)
Similarly,
A Single Attacker-Many Victims Scenario: The pairwise
E(Yj −α)3 = E(Yj )3 −3E(Yj )2 E(α)+3E(Yj )E(α)2 −E(α)3 , scenario is the simplest one to execute, since only one Victim
(II.3) node is involved. However, if the Attacker node aims to
where nodes i and j are the Victim and Attacker nodes, use a large α, this action may be flagged by either using
respectively. Further, since α > 0, we obtain change point analysis techniques, since a sharp change in
Eα > 0, Eα3 > 0 the electricity consumption pattern of the Victim node would
occur, or by the consumer under attack, who may in turn
A subtraction of the the last two relationships [i.e., (II.2) − complain to the utility company for a sharp and unexpected
(II.3)] yields increase in her/his electricity bill. In that case, the Attacker
E(Yi + α)3 − E(Yj − α)3 = E(Yi )3 − E(Yj )3 + may want to spread the attack among a larger group of nodes,
so as not to raise such suspicions. This leads to a more
3E(α)(EYi2 + EYj 2 ) +
involved setting, where the Attacker node decreases the smart
3E(α)2 (EYi − EYj ) + meter measurement at node i by an amount α, and increases
2E(α)3 cumulatively the measurements of the Victim group smart

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

meters by an equal amount. Specifically, when a magnitude α 1) Identify the node who has only negative covariance
attack is launched by node i, we have Yi − α; further, for the l values within the Bh sub-block and laebl it is as the
Victim PNodes we also have Yj1 +k1α α, Yj2 +k2α α,...,Yjl +klα α, Attacker node.
where kjα = 1. 2) Label the remaining nodes in the block as the Victim
j ones.
Analogously to the pairwise attack scenario, the single
Attacker-Many Victims case is undetectable by monitoring The following algorithm summarizes the detection and node
discrepancies in the measurements at the controller and the identification strategy.
end node smart meters, since by construction the sum of the
latter measurements agree with the former; i.e. Z. Algorithm 2 Single Attacker-Many Victims Attack Detection
A similar analysis to the pairwise scenario shows that the i ← 1, g ← 1, lg ← 1
resulting covariance matrix exhibits again a block diagonal while i < P do
pattern; namely, while i < j ≤ P do
  if Cov(yi , yj ) 6= 0 then
B1
denote yg1 = yi and let yg1 ∈ Groupg , and for each

 B2 
 l
j, then let lg = lg + 1, denote ygg = yj and let
 
 ..  lg
yg ∈ Groupg ;
 . 
0
  for Groupg , find the node yga s.t. Cov(yga , ygb ) < 0
Σ = Bs
 


 for all b 6= a and b ∈ (1, 2, ..., lg ). Then label yga

 σ 
 as the Attacker for Groupg and label the remaining

..
 nodes as Victims for Groupg . Then g = g + 1, lg =
.
 
  1.
σ P ×P else
where Bh , h = 1, ..., s, is the block of the covariance matrix end if
corresponding to the h-th attack. Each block Bh has the j =j+1
following form: end while
i=i+1
1 −k1αh · · · −kdαhh
 
end while
 −k αh (k αh )2 · · · k αh k αh 
 1 1 1 dh 
Bh = Σ + σαh  .. .. .. .. 
.
 
 . . . 
αh
−kdh kdh k1αh αh αh 2
· · · (kdh ) B. Identifying Attacks: The Dependent Case
Recall that in the general case, the smart meter measure-
where Σ has (dh + 1) × (dh + 1) dimensions and dh is the
ments are generated according to Yi = ρi W + Ui . Note
number of Victims in the αh attack group, Σ(dh +1)×(dh +1) is
that Cov(Yi , Yj ) = ρi ρj σw , which complicates detection and
the original block of the covariance matrix of the end nodes
Ps attacker-victim(s) identification strategies. We start by defining
in the αh attack group, and (dh + 1) = m. Xij = Yi − Yj for i, j = 1, 2, ..., P and i 6= j. By using this
h=1
Thus, the same broad strategy to the pairwise attack scenario new set of (P − 1)2 measurement variables, we show next
is applicable. Specifically, under the single Attacker-Many that their covariance exhibits patterns that lead to detection
Victims attack mechanism, and identification.
T
• If Cov(Yi , Yj ) 6= 0, i 6= j, we conclude that end nodes i
Denote by X = X12 , ..., X1p , X21 , X23 , ..., X(P −1)P ;
and j belong to the same attack group; we then can obtain the following result.
• If Cov(Yi , Yj ) = 0, i 6= j, we conclude that nodes i and
Theorem 2.3: Cov(Xij , Xkl )  0 if i 6= j 6= k 6= l.
j belong to different attack groups. Proof: Since Ui are i.i.d,, we get
Hence, a close examination of such patterns in the covariance Cov(Xij , Xkl ) = (ρi − ρj )(ρk − ρl )σw
structure of the smart meter measurements leads to detecting
such attacks. Since by Assumption 2.2 | ρi − ρj | 0, we get (ρi −
Interestingly, even though in this scenario the attack mech- ρj )(ρk − ρl )  0. Therefore, Cov(Xij , Xkl )  0.
anism is more involved, once an attack group has been Note that Theorem 2.3 implies that the differencing transfor-
identified, it is straightforward to separate the Attacker node mation of the original set of measurements leads to reducing
from the Victim ones. A close examination of the Bh block their correlation to a large extent, which proves key to our
shows, that under this scenario only the Attacker node will detection and identification strategy.
exhibit negative covariance values with all other nodes in the To illustrate, we start with the most general case. Without
same attack group; i.e., Cov(Yi0 , Yj ) < 0, ∀j 6= i0 . On the loss of generality, we assume that there are four different attack
other hand, all the Victim nodes in the same attack group will variables α1 , α2 , α3 , α4 applied to Yi , Yj , Yk , Yl , respectively
0
have positive covariance values with each other. Hence, for for any i 6= j 6= k 6= l. Then, Xij = Yi − Yj ± (α1 + α2 ) and
0
each attack group, labeling the Attacker and the Victim nodes Xkl = Yk − Yl ± (α3 + α4 ), depending on whether they are
requires attackers or victims.

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

0 0
Theorem 2.4: Cov(Xij , Xkl ) 6= 0, for i 6= j 6= k 6= l, only III. I MPLEMENTATION I SSUES AND N UMERICAL R ESULTS
if attack variables from the same attack group are separately The previous results discuss detection and identification
applied, i.e., one is on node i (or j or i & j) and the other is
strategies, in the ideal case, when one has full knowledge of
on node k (or l or k & l). population parameters (e.g. the true variances σw , σ). How-
Proof: First, calculate ever, in practice one needs to replace them with their sample
0 0 counterparts. Thus, the estimate of the covariance matrix Σ
Cov(Xij , Xkl ) = Cov((ρi − ρj )W + Ui − Uj ± (α1 + α2 ), would be noisy. On the other hand, the previous analysis
(ρk − ρl )W + Uk − Ul ± (α3 + α4 )) established that the true covariance matrix is sparse and hence
= (ρi − ρj )(ρk − ρl )σw ± we should aim to sparsify its sample analogue as well. To
(Cov(α1 , α3 ) + Cov(α1 , α4 ) + that end, we employ the Universal Thresholding Method [28]
to regularize the sample correlation matrix in order to obtain
Cov(α2 , α3 ) + Cov(α2 , α4 ) a sparse estimate of it, before running our detection and
identification algorithms.
We provide the necessary details of our estimation strat-
T
(II.5) egy next. Let X = (X1 , ..., XP ) be a p-variate random
vector with covariance matrix Σ. Given an independent and
Since (ρi − ρj )(ρk − ρl )  0, we have identically distributed random sample {X1 , ..., Xn }, we can
calculate the covariance estimator as
0 0
Cov(Xij , Xkl ) = ± (Cov(α1 , α3 ) + Cov(α1 , α4 ) + Xn
−1
Cov(α2 , α3 ) + Cov(α2 , α4 )) σ̂ij = n (xit − x̄i )(xjt − x̄j ), i, j = 1, ..., P (III.1)
t=1
n
where x̄i = n−1
P
xit .
t=1
(II.7) Then, the sample correlation coefficient of xi and xj is
σ̂
given by ρ̂ij = √σ̂ ijσ̂jj . Thus, the estimator of R = (ρij ),
It can then be easily seen that only if α1 and α3 (or α1 and ii
denoted by R̃ = (ρ̃ij ), is given by
α4 , or α2 and α3 , or α2 and α4 ) are from the same attack
0 0
group, Cov(Xij , Xkl ) 6= 0.
h 1
i
ρ̃ij = ρ̂ij I |ρ̂| > n− 2 cq (P ) , i = 1, 2, ..., P −1, j = i+1, ..., P,
Based on the nature of this property, we could develop an
easy-to-implement algorithm to identify and group nodes for where cq (P ) = Φ−1 (1 − 2f q(P ) ) and q is the significant
both the pairwise attack and the single Attacker-Many Victims level for this multiple hypothesis testing procedure. We select
scenarios according to which attack groups they belong to. f (P ) = P (P2−1) .
Finally, the estimator of Σ, denoted by Σ̃, is given by
Algorithm 3 Detection Algorithm for Dependent Case
while 1 ≤ i 6= j 6= k 6= l ≤ P do Σ̃ = D̂1/2 R̃D̂1/2 (III.2)
if 41 = Cov(Xij , Xkl ) 6= 0 then
0 0 where D̂ = diag(σ̂11 , σ̂22 , ..., σ̂P P ).
while 1 ≤ l ≤ P & l 6= i 6= j 6= k 6= l do
if 42 = Cov(Xij , Xkl0 ) = 0 then
0 0 0
while 1 ≤ j ≤ P & j 6= l 6= i 6= j 6= k 6= l do A. Simulation Studies Results
if 43 = Cov(Xij 0 , Xkl ) = 0 then We start by providing the definition of the Variance Ratio,
conclude j & l belong to the same attack an important quantity in the sequel. Assume there are l victims
group in the group of an arbitrary attack of magnitude α; we then
else define the Variance Ratio (VR) for that group to be
conclude i & l belong to the same attack
group V ar( αl ) 1 V ar(α)
VR= = 2 (III.3)
end if V ar(Y ) l V ar(Y )
end while The quantity VR can be thought of a signal-to-noise measure
end if for the problem at hand.
end while 1) Independent Case: Recall that in this case, the model
end if i.i.d.
reduces to Yi = Ui , where Ui ∼ F (µ, σ).
update i, j, k, l To illustrate the detection algorithms, we consider P = 100
end while smart meter nodes; Y = (Y1 , ..., Y100 )T . Further, the signifi-
cance level in the Universal Thresholding Method is set to be
Remark: For example, if the output of Algorithm II-B q = 0.1. In the first simulation setting, we generate n = 200
is {(1, 2), (1, 3), (2, 3)}, we will conclude that (1, 2, 3) are independent sets of smart meter vectors, Y1 , ..., Yn , from
within the same attack group. The same logic applies to more the following two distributions: (i) Uniform(625, 675) and
complicated outcomes. (ii) Gamma(400, 1.5), respectively. The Uniform distribution

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

limits electricity consumption within a prespecified range,

which is the case for most consumers, while the Gamma
distribution exhibits a longer tail and hence makes the de-
tection problem more challenging. We employ the Universal
Thresholding Method to estimate the covariance matrix of
Y. Figures 2 & 3 amply illustrate that the method performs
well in filtering noisy information when obtaining the sample
covariance matrix.

Fig. 4. Probability of detection for Uniformly(625.675) distributed uncorre-

lated data.

of attacks; (iii) If we are able to have adequate number of

repeated measurements from each smart meter, the detection
Fig. 2. Heat maps of the correlation matrix and its filtered version in the
independent Uniform, no attack case. probability of an attack converges to one.
In the next setting, the smart meter data are generated from a
Uniform(600, 700) that has higher variance than the previous
setting. In addition, the mean attack is set to E(α) = 80,
which is less than the range of the measurements. The same
mechanism is employed for generating the attack variables and
the same attack scenarios are considered. Figure 5 depicts the
detection probability calculated based on 50 simulated data
sets. Only a slight deterioration in the detection probability is
observed, compared to the previous setting.

Fig. 3. Heat maps of the correlation matrix and its filtered version in the
independent Gamma, no attack case.

Next, we describe the attack scenarios considered. For all

attack variables, let E(α) = 130, i.e., 20% of the mean
consumption level E(Y ); further, set the Variance Ratio to be
the same for each attack group. As a consequence, we generate
α from different Uniform Distributions, whose parameters
are calculated based on the prespecified mean and VR=0.1
requirement. In addition, for the single attacker-many victims
attack, we let all the victim nodes in the same attack group
to be increased by the same amount; i.e., the attack variable Fig. 5. Probability of detection for Uniformly(600.700) distributed uncorre-
lated data.
for the victim nodes are equally weighted. To calculate the
probability of detection, 50 data sets from the respective
Uniform and Gamma distributions, and for both pairwise Next, we consider 50 data sets generated from a
and single attacker-many victims cases were generated. The Gamma(625, 675), while the corresponding attacks α are also
probability of detection shown in Figure 4 corresponds to Gamma distributed, so that the prespecified mean (130) and
the relative frequency of both detecting and identifying the VR (0.10) requirements are met. Figure 6 shows the probabil-
attacker-victim groups in the 50 data sets. ity of detection for the Gamma distributed measurements. The
We draw the following conclusions based on the results presence of a longer right tail in the smart meter measurement
depicted in Figure 4: (i) As the sample size increases, the leads to a higher sample size requirement for achieving the
probability of detection also increases; (ii) The probability of same detection probability to the Uniform case. Further, all
detection will get lower when we have more complicated types the conclusions drawn from the Uniform distribution setting

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

continue to hold.

Fig. 8. Heat map of the correlation matrix in the independent Uniform

“mixed attacks” case 2
Fig. 6. Probability of detection Gamma distributed uncorrelated data.

Next, we examine a scenario involving multiple attacks

of both pairwise and one attacker-many victims types, with
measurements generated from different distributions. Specifi-
cally, Y1 , ..., Yn come from a Uniform(625, 675) distribution,
and we consider 10 pairwise attacks, 5 One Attacker-Two
Victims attacks and 3 One Attacker-Three Victims attacks
from a Uniform(106.3, 153.7) distribution, which results in
a minimum V R = 0.1. Further, we set the sample size to
n = 5000. Figure 7 shows the resulting heat map of the
correlation matrix estimate.

Fig. 9. Heat map of the correlation matrix in the independent Gamma “mixed
attacks” case

in the bracket is the standard deviation of detected attack in

50 replications, which means that the bracketed number is the
smaller the better. The same format of table holds for the rest
of this paper.
TABLE I
W E REPEAT TO LAUNCH 10 PAIRWISE , 5 2- VICTIMS AND 3 3- VICTIMS
ATTACKS 50 TIMES , AND CALCULATE THE AVERAGE NUMBER OF
SUCCESSFUL DETECTION FOR EACH TYPE OF ATTACK .

Fig. 7. Heat map of the correlation matrix in the independent Uniform

“mixed attacks” case Pairwise 2 Victims 3 Victims
Uniform(625,675) 10(0.000) 5(0.000) 2.76(0.431)
Uniform(600,700) 10(0.000) 5(0.000) 2.82(0.388)
Gamma 9.98(0.141) 4.96(0.198) 2.84(0.370)
For Y1 , ..., Yn from a Uniform(600, 700) distribution, we
follow the same experiment set-up and generate the attack
variables from Uniform(33, 127). Figure 8 illustrates the cor- It can be seen that for the pairwise setting, all 10 at-
responding results. tacks are (essentially) always detected for both Uniform and
For Y1 , ..., Yn from a Gamma(400, 1.5) distribution, we Gamma distributed measurements. For the 3-victim setting, on
choose the same set-up, except for generating all the attack average 2.76 (2.84) of the victims are successfully detected
variables from a Gamma(17.78, 6.75) distribution. Figure 9 for Uniform (Gamma) measurements. Hence, even in the
depicts the results. “mixed attack” scenario, our proposed detection algorithm
The following Table I contains detection results, based on 50 nearly captures all the electricity theft activities according to
replicates of the attacks. This table shows the average number Figure 7, Figure 9 and Table I for both Uniform and Gamma
of successful detection for each type of attack, and the number data generating mechanisms.

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

Remark: On sample size requirements. We conclude by com-

menting on the sample size needed for high detection and
identification accuracy. Note that in our simulation scenarios
we set VR=0.1, which as previously mentioned acts as a
signal-to-noise measure for the problem at hand. This is
a very stringent requirement which consequently requires a
fairly large sample size for high detection accuracy. Our
simulation results indicate that for measurements obtained
every 2 minutes (see real data setting in Section III.B), an
attack becomes detectable with high probability if it goes on
for 4+ days. At lower sampling frequency (e.g. 15 minute
intervals, which is the case for many utilities) the attack needs
to last considerably longer.
However, note that [29] reports that for the supervised
learning approach used, wherein ground truth data for attacks Fig. 10. Heat map of correlation matrix under dependent, no attack case,
are needed, an attack becomes detectable if it is ongoing for for data generated from a Uniform distribution.
more than a week. [18] simulates various attacks leveraging an
Irish data set comprising of 5,000 customers, whose electricity
profiles were monitored twice hourly for 535 days. Various
supervised learning techniques were assessed, assuming that
the simulated attacks lasted for one week. In paper [26] that
employs a similar neighborhood area network architecture,
the signal-to-noise ratio used in their numerical work ranges
between 1.1-9. For the proposed approach, when VR=0.2, the
probability of detection is close to 1 for all attack scenarios
and data generating distributions, for sample sizes around
2000. Finally, for VR=0.4, a sample size of 500 suffices for
detecting with probability 0.95 a pairwise attack based on
Uniform(600, 700 distributed independent data with E(α) =
0.80.
2) Dependent Case: For the general dependent (correlated)
scenario, we set P = 30 and the significance level in the
filtering technique to q = 0.1. Since we need to generate Fig. 11. Heat map of correlation matrix under dependent, no attack case,
for data generated from a Gamma distribution.
O(P 2 ) differencing variables, to ensure an adequate detection
level, a large number of smart meter measurements needs
to be generated. In our experiments, we set n = 10, 000
measurements from W ∼ Uniform(625, 675) and W ∼ the original measurements, that exhibit much higher variability
Gamma(400, 1.2) distributions, respectively. Further, we set (see for example, equation (II.7)).
Ui ∼ N (0, 100) and ρi ∼ Uniform(0.80, 0.85). For W ∼ Gamma(400, 1.5), we let E(α) = 120 in order
Figure 10 and 11 show the heat maps of the correlation to be approximately 20% of E(Y ). Figure 13 depicts the
matrix estimates of X, when there is no attack for different relationship between probability of detection, sample size and
generating procedures. VR for different types of attacks for this setting. Due to
For W ∼ Uniform(625, 675), we separately launch different the long right tailed nature of the Gamma distribution, the
types of attacks. To make settings comparable to the inde- probability of detection is lower than that for the Uniform
pendent case, we let E(α) = 130, i.e., approximately 20% distribution.
of E(Y ), and set Variance Ratio the same for each attack The counterpart of Table I is shown next. It can be seen
group. Analogously to the independent case, we generate that performance deteriorates significantly for complex attack
α from different Uniform distributions, whose parameters scenarios.
are calculated based on the pre-specified mean and VR=0.1
TABLE II
(or 0.2) requirement. As before, we generate 50 data sets AVERAGE NUMBER OF SUCCESSFUL DETECTIONS ( WITH STANDARD
to calculate the detection probability. Figure 12 depicts the DEVIATION IN PARENTHESES ) FOR 10 PAIRWISE , 5 TWO - VICTIM AND 3
relationship between the probability of detection, sample size THREE - VICTIMS ATTACKS , BASED ON 50 GENERATED DATA SETS
EXHIBITING DEPENDENCE .
and VR for different types of attacks.
Based on these results we conclude that: (i) an increased
Pairwise 2 Victims 3 Victims
sample size improves the probability of detection; (ii) a larger Uniform 4.68(1.096) 2.76(0.822) 0.92(0.274)
VR, significantly improves the probability of detection; (iii) Gamma 2.60(1.979) 1.20(1.485) 0.40(0.495)
the dependent case is considerably more challenging that the
independent case, since detection is based on differences of

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

10

Fig. 12. Probability of detection for various attack scenarios for Uniformly Fig. 14. Electricity consumption of 19 campus buildings (in natural log-
distributed dependent data. scale).

Fig. 13. Probability of detection for various attack scenarios for Gamma Fig. 15. Boxplots of electricity consumption for the 19 selected buildings.
distributed dependent data.

a result, the detection algorithm for the independent case is

B. A Residential Buildings Example appropriate for this real data example.
Next, we use electricity consumption data from buildings
at the University of Michigan, Ann Arbor. The form of
data is time series based and recorded by the smart meters
deployed in the buildings every 2 minutes. The data were
preprocessed following the procedure presented in [30] that
included exclusion of buildings with highly unusual behavior,
such as missing recorded values, long intervals of constant
values, abnormal spiky trends and so forth. The extracted data
set comprises of p = 19 buildings and covers a duration of 5
days, for a total sample size of n = 3600. Figure 14 shows the
electricity consumption patterns (in natural log-scale) recorded
by the selected smart meters.
Further, boxplots of electricty consumption of the 19 build-
ings under consideration are depicted in Figure 15. It can
be seen that the average consumption across all buildings
Fig. 16. Filtered heat map for correlation matrix of residential data.
is comparable and hence the emulated attacks launched (see
below) are of the same magnitude for all buildings.
Figure 16 shows the heat map for the filtered correlation To test the algorithm in the real data example, we generate
matrix estimate of the data. It is apparent that the correlation the attack variable from different Uniform distributions such
coefficients between different buildings are 0, which helps us that E(α) is 20% of the mean consumption level of the selected
to conclude that we fall under the independent scenario. As buildings, and set the Variance Ratio to the same value in the

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

11

TABLE III
set (0.05, 0.10, 0.15, 0.20) for each attack group. Figure 17 AVERAGE NUMBER OF SUCCESSFUL DETECTIONS ( WITH STANDARD
depicts the relationship between probability of detection rate DEVIATION IN PARENTHESES ) FOR 2 PAIRWISE , 1 TWO - VICTIM AND 1
THREE - VICTIMS ATTACKS , BASED ON 50 GENERATED ATTACKS BASED ON
and VR for different types of attacks, based on 50 generated
THE RESIDENTIAL BUILDINGS DATA .
attack data sets.
Pairwise 2 Victims 3 Victims
VR = 0.05 1.92(0.274) 0.62(0.490) 0.70(0.463)
VR = 0.10 1.94(0.240) 0.98(0.141) 0.98(0.141)
VR = 0.15 1.94(0.240) 0.98(0.141) 0.98(0.141)
VR = 0.20 1.94(0.240) 0.98(0.141) 0.98(0.141)

probability for the simulated scenario presented above is

80%; namely, it corresponds to the proportion of “anomalies”
detected in the 9 buildings involved in the attack scenario
under consideration. However, such techniques are not able to
go beyond the detection stage and thus identify attackers and
victims, unlike the proposed approach. The latter constitutes a
key property of the developed methodology that is particularly
useful to utility companies.
Fig. 17. Probability of detection for emulated attacks on the residential
building data.
C. Some practical guidelines to aid the proposed detection
algorithms
Moreover, we also launch different types of attacks simul- Note that regularizing the sample correlation matrix may
taneously, i.e., mixed attacks, to test our detection method. result in more complicated patterns than expected according to
Specifically, we generate 2 pairwise attacks, one 2-Victims our theoretical results. Examples include setting more elements
attack and one 3-Victims attack. Figure 18 shows the resulting to zero, the presence of opposite signs within sub-blocks,
heat map of the correlation matrix estimate, when V R = 0.15. etc. These issues will result in false positives/negatives for
the detection algorithm in the independent case. To address
them, we propose certain rules that can be applied as further
post-processing of the correlation matrix obtained from the
Universal Thresholding method.
Firstly, we denote two types of positions in the covariance
matrix, one is the Attacker-Victim position, where all the
elements should have negative sign theoretically; the other is
the Victim-Victim position, where all the elements should have
a positive sign.
1) Under the Pairwise Attack scenario, when dealing with
the covariance matrix estimate, if the entry in the
Attacker-Victim position has positive sign, we will con-
sider it as noise signal and conclude that there is no
attack between these two smart meters;
2) Under the One Attacker-Many Victims scenario, we
Fig. 18. Filtered heat map for Uniform mixed attacks in real data.
might have more than one meter node that has nega-
tive covariance values with the rest after regularization,
Finally, the following detection table III is given by repli- which will make it more difficult in identifying the
cating the mixed attacks scenario 50 times. It can be seen that Attacker and Victims. For example, in One Attacker-
once VR≥ 0.10 performance becomes very satisfactory. Three Victims case, the sub-covariance matrix block
The obtained results amply demonstrate that the proposed estimate for attack α is B. We could see that node a
detection methodology exhibits good performance and the key has negative covariance value with b and c. In the mean
conclusions obtained from the synthetic data are applicable to time, node d has negative covariance value with b. But
real smart meter measurements. based on the assumptions and detection method that we
Finally, we used time series techniques presented in [30] propose in this paper, there could be one and only one
that were applied to the same data set. They included sparse node that has negative covariance value with the rest
vector autoregressive models and dynamic factor models. Note theoretically. Therefore, it is hard to identify which node
that the average magnitude of the simulated attacks is 20% of is the Attacker given B. To address this, we denote the
the mean consumption level of each building, which translates cardinality of node a as N (a) = |{k : Cov(a, k) < 0}|.
to a signal to noise ratio of 1.2 for these models. The detection Then, for all the nodes in the sub-covariance matrix

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

12

block, we let the node with the largest cardinality be Hence, this constitutes an important feature of the proposed
the Attacker, and consequently the rest are the victims. methodology.
In the example below, node a is the Attacker. There are some open problems that merit additional in-
vestigation, including scenarios involving multiple attackers
a b c d
and multiple victims. However, such coordinated attacks are
a + − − +
 
more difficult to launch, since they require a higher level of
b  − + + −  sophistication from the attacker’s perspective.
B=
 
−
 
c  + + + 
d + − + + R EFERENCES
3) We could also have some missing entries in the covari- [1] T. B. Smith, “Electricity theft: a comparative analysis,” Energy policy,
ance estimate after regularization. Considering the toy vol. 32, no. 18, pp. 2067–2076, 2004.
[2] T. Ahmad, H. Chen, J. Wang, and Y. Guo, “Review of various modeling
example above for the three victims case, note that if techniques for the detection of electricity theft in smart grid environ-
the covariance estimate B has the following form with ment,” Renewable and Sustainable Energy Reviews, vol. 82, pp. 2916–
some missing entries in the Victim-Victim positions, we 2933, 2018.
[3] A. Ipakchi and F. Albuyeh, “Grid of the future,” IEEE Power and Energy
still identify node a, b, c, d as being within the same Magazine, vol. 7, no. 2, pp. 52–62, March 2009.
attack group. [4] H. Gharavi and R. Ghafurian, “Smart grid: The electric energy system
of the future [scanning the issue],” Proceedings of the IEEE, vol. 99,
a b c d no. 6, pp. 917–921, June 2011.
a

+ − − −
 [5] G. B. Giannakis, V. Kekatos, N. Gatsis, S. J. Kim, H. Zhu, and B. F.
Wollenberg, “Monitoring and optimization for power grids: A signal
b  − + +  processing perspective,” IEEE Signal Processing Magazine, vol. 30,
B=
 
no. 5, pp. 107–128, Sept 2013.
−
 
c  + + +  [6] V. Pappu, M. Carvalho, and P. M. Pardalos, Optimization and security
d − + + challenges in smart power grids. Springer, 2013.
[7] G. Liang, J. Zhao, F. Luo, S. R. Weller, and Z. Y. Dong, “A review
If the missing values are in the Attacker-Victim posi- of false data injection attacks against modern power systems,” IEEE
Transactions on Smart Grid, vol. 8, no. 4, pp. 1630–1638, July 2017.
tions, we could again use the cardinality rule to address [8] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks against
this issue. For example, if estimate B has the following state estimation in electric power grids,” in Proceedings of the 16th
form, by applying our rules, we still identify a, b, c and ACM Conference on Computer and Communications Security, ser.
CCS ’09. New York, NY, USA: ACM, 2009, pp. 21–32. [Online].
d being within the same attack group, and the node a is Available: http://doi.acm.org/10.1145/1653662.1653666
the Attacker. [9] Z. H. Yu and W. L. Chin, “Blind false data injection attack using pca
approximation method in smart grid,” IEEE Transactions on Smart Grid,
vol. 6, no. 3, pp. 1219–1226, May 2015.
a b c d [10] X. Liu, Z. Bao, D. Lu, and Z. Li, “Modeling of local false data injection
a + − −
 
attacks with reduced network information,” IEEE Transactions on Smart
 − + + Grid, vol. 6, no. 4, pp. 1686–1696, July 2015.
b 
[11] M. G. Kallitsis, S. Bhattacharya, S. Stoev, and G. Michailidis, “Adaptive
B=
 
statistical detection of false data injection attacks in smart grids,” in
 
c  + + + 
2016 IEEE Global Conference on Signal and Information Processing
d − + + (GlobalSIP), Dec 2016, pp. 826–830.
[12] S. Bi and Y. J. Zhang, “Graphical methods for defense against false-data
By applying this rule, we could resolve this problem when injection attacks on power system state estimation,” IEEE Transactions
dealing with real noisy data sets. on Smart Grid, vol. 5, no. 3, pp. 1216–1227, May 2014.
[13] A. Sanjab and W. Saad, “Smart grid data injection attacks: To defend
or not?” in 2015 IEEE International Conference on Smart Grid Com-
IV. C ONCLUSION munications (SmartGridComm), Nov 2015, pp. 380–385.
[14] R. Jiang, R. Lu, Y. Wang, J. Luo, C. Shen, and X. S. Shen, “Energy-
In this paper, we have primarily focused on how to address theft detection issues for advanced metering infrastructure in smart grid,”
coordinated power theft activities detection problem by consid- Tsinghua Science and Technology, vol. 19, no. 2, pp. 105–120, 2014.
[15] S. McLaughlin, B. Holbert, A. Fawaz, R. Berthier, and S. Zonouz, “A
ering independent and dependent smart meter data generating multi-sensor energy theft detection framework for advanced metering
mechanism. For each case, two scenarios, pairwise and one infrastructures,” IEEE Journal on Selected Areas in Communications,
attacker-many victims, have been thoroughly investigated. vol. 31, no. 7, pp. 1319–1330, 2013.
[16] A. A. Cárdenas, S. Amin, G. Schwartz, R. Dong, and S. Sastry, “A
We have separately developed an easy-to-implement detec- game theory model for electricity theft detection and privacy-aware
tion algorithm to detect attacks and identify attackers and control in ami systems,” in 2012 50th Annual Allerton Conference on
victim nodes. The implementation of the strategy leverages Communication, Control, and Computing (Allerton). IEEE, 2012, pp.
1830–1837.
a regularized covariance estimator, followed by close exami- [17] S. S. S. R. Depuru, L. Wang, V. Devabhaktuni, and R. C. Green, “High
nation of patterns in the resulting matrix. Extensive numerical performance computing for detection of electricity theft,” International
results based on both synthetic and real data illustrate the Journal of Electrical Power & Energy Systems, vol. 47, pp. 21–30, 2013.
[18] P. Jokar, N. Arianpoo, and V. C. Leung, “Electricity theft detection
superior performance of the proposed methodology. in ami using customers consumption patterns,” IEEE Transactions on
Note that there is a plethora of machine learning approaches Smart Grid, vol. 7, no. 1, pp. 216–226, 2015.
that addresses the detection problem. However, identifying [19] M. G. Kallitsis, G. Michailidis, and S. Tout, “Correlative monitoring for
detection of false data injection attacks in smart grids,” in 2015 IEEE
“attackers” and their corresponding “victims” is a more chal- International Conference on Smart Grid Communications (SmartGrid-
lenging problem that few of these approaches can address. Comm), Nov 2015, pp. 386–391.

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JSAC.2019.2952181, IEEE Journal
on Selected Areas in Communications

13

[20] G. M. Messinis and N. D. Hatziargyriou, “Review of non-technical loss

detection methods,” Electric Power Systems Research, vol. 158, pp. 250–
266, 2018.
[21] S. Axelsson, “The base-rate fallacy and the difficulty of intrusion detec-
tion,” ACM Transactions on Information and System Security (TISSEC),
vol. 3, no. 3, pp. 186–205, 2000.
[22] F. Li, W. Qiao, H. Sun, H. Wan, J. Wang, Y. Xia, Z. Xu, and P. Zhang,
“Smart transmission grid: Vision and framework,” IEEE transactions on
Smart Grid, vol. 1, no. 2, pp. 168–177, 2010.
[23] Y. Yan, Y. Qian, H. Sharif, and D. Tipper, “A survey on smart grid com-
munication infrastructures: Motivations, requirements and challenges,”
IEEE communications surveys & tutorials, vol. 15, no. 1, pp. 5–20,
2012.
[24] S. Sahoo, D. Nikovski, T. Muso, and K. Tsuru, “Electricity theft
detection using smart meter data,” in 2015 IEEE Power & Energy Society
Innovative Smart Grid Technologies Conference (ISGT). IEEE, 2015,
pp. 1–5.
[25] S.-C. Yip, K. Wong, W.-P. Hew, M.-T. Gan, R. C.-W. Phan, and S.-
W. Tan, “Detection of energy theft and defective smart meters in smart
grids using linear regression,” International Journal of Electrical Power
& Energy Systems, vol. 91, pp. 230–240, 2017.
[26] S.-C. Yip, W.-N. Tan, C. Tan, M.-T. Gan, and K. Wong, “An anomaly
detection framework for identifying energy theft and defective meters
in smart grids,” International Journal of Electrical Power & Energy
Systems, vol. 101, pp. 189–203, 2018.
[27] J. L. Viegas, P. R. Esteves, and S. M. Vieira, “Clustering-based nov-
elty detection for identification of non-technical losses,” International
Journal of Electrical Power & Energy Systems, vol. 101, pp. 301–310,
2018.
[28] N. Bailey, M. H. Pesaran, and L. V. Smith, “A multiple testing approach
to the regularisation of large sample correlation matrices,” Journal of
econometrics, vol. 208, no. 2, pp. 507–534, 2019.
[29] V. B. Krishna, K. Lee, G. A. Weaver, R. K. Iyer, and W. H. Sanders,
“F-deta: A framework for detecting electricity theft attacks in smart
grids,” in 2016 46th Annual IEEE/IFIP International Conference on
Dependable Systems and Networks (DSN). IEEE, 2016, pp. 407–418.
[30] M. G. Kallitsis, S. Bhattacharya, and G. Michailidis, “Detection of false
data injection attacks in smart grids based on forecasts,” in 2018 IEEE
International Conference on Communications, Control, and Computing
Technologies for Smart Grids (SmartGridComm). IEEE, 2018, pp. 1–7.

Jin Tao was born in Liuzhou, Guangxi, China.

He received his Bachelor of Science degree in
mathematics and applied mathematics from Renmin
University of China with first class honors in 2012.
In August 2013, Jin enrolled as a graduate student in
the Department of Statistics at University of Florida
to pursue his doctorate degree with Top-Off Fellow
Award at Gainesville, Florida. Jin received his PhD
degree in Statistics in August 2018, and started a
new chapter at J.P. Morgan to pursue career goals in
industry. His research interest include computational
statistics, data mining and inverse problems, with applications to engineering
and finance problems.

George Michailidis received his B.S. in economics

from the University of Athens, Greece , in 1987.
He holds M.A. degrees in both economics and
mathematics from UCLA and a Ph.D. degree in
mathematics from UCLA. After a postdoc in oper-
ations research at Stanford University, he joined in
1998 the Department of Statistics at the University of
Michigan, where he became Full professor in 2008.
In 2015, he joined the University of Florida as the
Founding Director of the Informatics Institute. He
is a Fellow of the American Statistical Association
and the Institute of Mathematical Statistics. His research interests include
network analysis, queueing theory, stochastic control and optimization, applied
probability and machine learning.

0733-8716 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.