Oliver Kosut

Malicious Data Attacks on the Smart Grid

Malicious attacks against power systems are investigated, in which an adversary controls a set of meters and is able to alter the measurements from those meters. Two regimes of attacks are considered. The strong attack regime is where the adversary attacks a sufficient number of meters so that the network state becomes unobservable by the control center. For attacks in this regime, the smallest set of attacked meters capable of causing network unobservability is characterized using a graph theoretic approach. By casting the problem as one of minimizing a supermodular graph functional, the problem of identifying the smallest set of vulnerable meters is shown to have polynomial complexity. For the weak attack regime where the adversary controls only a small number of meters, the problem is examined from a decision theoretic perspective for both the control center and the adversary. For the control center, a generalized likelihood ratio detector is proposed that incorporates historical data. For the adversary, the trade-off between maximizing estimation error at the control center and minimizing detection probability of the launched attack is examined. An optimal attack based on minimum energy leakage is proposed.

Malicious Data Attacks on Smart Grid State Estimation: Attack Strategies and Countermeasures

The problem of constructing malicious data attack of smart grid state estimation is considered together with countermeasures that detect the presence of such attacks. For the adversary, using a graph theoretic approach, an efficient algorithm with polynomial-time complexity is obtained to find the minimum size unobservable malicious data attacks. When the unobservable attack does not exist due to restrictions of meter access, attacks are constructed to minimize the residue energy of attack while guaranteeing a certain level of increase of mean square error. For the control center, a computationally efficient algorithm is derived to detect and localize attacks using the generalized likelihood ratio test regularized by an L_1 norm penalty on the strength of attack.

Limiting false data attacks on power system state estimation

Malicious attacks against power system state estimation are considered. It has been recently observed that if an adversary is able to manipulate the measurements taken at several meters in a power system, it can sometimes change the state estimate at the control center in a way that will never be detected by classical bad data detectors. However, in cases when the adversary is not able to perform this attack, it was not clear what attacks might look like. An easily computable heuristic is developed to find bad adversarial attacks in all cases. This heuristic recovers the undetectable attacks, but it will also find the most damaging attack in all cases. In addition, a Bayesian formulation of the bad data problem is introduced, which captures the prior information that a control center has about the likely state of the power system. This formulation softens the impact of undetectable attacks. Finally, a new L∞ norm detector is introduced, and it is demonstrated that it outperforms more standard L2 norm based detectors by taking advantage of the inherent sparsity of the false data injection.

Nonlinear network coding is necessary to combat general Byzantine attacks

We consider the problem of achieving capacity through network coding when some of the nodes act covertly as Byzantine adversaries. For several case-study networks, we investigate rates of reliable communication through network coding and upper bounds on capacity. We show that linear codes are inadequate in general, and a slight augmentation of the class of linear codes can increase throughput. Furthermore, we show that even this nonlinear augmentation may not be enough to achieve capacity. We introduce a new class of codes known as bounded-linear that make use of distributions defined over bounded sets of integers subject to linear constraints using real arithmetic.

On the Dispersions of Three Network Information Theory Problems

We characterize fundamental limits for the Slepian-Wolf problem, the multiple-access channel and the asymmetric broadcast channel in the finite blocklength setting. For the Slepian-Wolf problem (distributed lossless source coding), we introduce a fundamental quantity known as the entropy dispersion matrix. We show that if this matrix is positive-definite, the optimal rate region under the constraint of a fixed blocklength and non-zero error probability has a curved boundary compared to being polyhedral for the asymptotic Slepian-Wolf scenario. In addition, the entropy dispersion matrix governs the rate of convergence of the non-asymptotic region to the asymptotic one. We develop a general universal achievability procedure for finite blocklength analyses of other network information theory problems such as the multiple-access channel and broadcast channel. We provide inner bounds to these problems using a key result known as the vector rate redundancy theorem which is proved using a multidimensional version of the Berry-Essèen theorem. We show that a so-called information dispersion matrix characterizes these inner bounds.

On the dispersions of three network information theory problems

We characterize fundamental limits for the Slepian-Wolf problem, the multiple-access channel and the asymmetric broadcast channel in the finite blocklength setting. For the Slepian-Wolf problem (distributed lossless source coding), we introduce a fundamental quantity known as the entropy dispersion matrix. We show that if this matrix is positive-definite, the optimal rate region under the constraint of a fixed blocklength and non-zero error probability has a curved boundary compared to being polyhedral for the asymptotic Slepian-Wolf scenario. In addition, the entropy dispersion matrix governs the rate of convergence of the non-asymptotic region to the asymptotic one. We develop a general universal achievability procedure for finite blocklength analyses of other network information theory problems such as the multiple-access channel and broadcast channel. We provide inner bounds to these problems using a key result known as the vector rate redundancy theorem which is proved using a multidimensional version of the Berry-Esseen theorem. We show that a so-called information dispersion matrix characterizes these inner bounds.

Polytope codes against adversaries in networks

Network coding is studied when an unknown subset of nodes in the network is controlled by an adversary. To solve this problem, a new class of codes called Polytope Codes is introduced. Polytope Codes are linear codes operating over bounded polytopes in real vector fields. The polytope structure creates additional complexity, but it induces properties on marginal distributions of code vectors so that validities of codewords can be checked by internal nodes of the network. It is shown that a cut-set bound for a class planar networks can be achieved using Polytope Codes. It is also shown that this cut-set bound is not always tight, and a tighter bound is given for an example network.

Vulnerability Analysis and Consequences of False Data Injection Attack on Power System State Estimation

An unobservable false data injection (FDI) attack on AC state estimation (SE) is introduced and its consequences on the physical system are studied. With a focus on understanding the physical consequences of FDI attacks, a bi-level optimization problem is introduced whose objective is to maximize the physical line flows subsequent to an FDI attack on DC SE. The maximization is subject to constraints on both attacker resources (size of attack) and attack detection (limiting load shifts) as well as those required by DC optimal power flow (OPF) following SE. The resulting attacks are tested on a more realistic non-linear system model using AC state estimation and ACOPF, and it is shown that, with an appropriately chosen sub-network, the attacker can overload transmission lines with moderate shifts of load.

Locating and quantifying gas emission sources using remotely obtained concentration data

We describe a method for detecting, locating and quantifying sources of gas emissions to the atmosphere using remotely obtained gas concentration data; the method is applicable to gases of environmental concern. We demonstrate its performance using methane data collected from aircraft. Atmospheric point concentration measurements are modelled as the sum of a spatially and temporally smooth atmospheric background concentration, augmented by concentrations due to local sources. We model source emission rates with a Gaussian mixture model and use a Markov random eld to represent the atmospheric background concentration component of the measurements. A Gaussian plume atmospheric eddy dispersion model represents gas dispersion between sources and measurement locations. Initial point estimates of background concentrations and source emission rates are obtained using mixed‘2-‘1 optimisation over a discretised grid of potential source locations. Subsequent reversible jump Markov chain Monte Carlo inference provides estimated values and uncertainties for the number, emission rates and locations of sources unconstrained by a grid. Source area, atmospheric background concentrations and other model parameters, including plume model spreading and Lagrangian turbulence time scale, are also estimated. We investigate the performance of the approach rst using a synthetic problem, then apply the method to real airborne data from a 1600km 2 area containing two landlls,

Cyber attacks on AC state estimation: Unobservability and physical consequences

An algorithm is developed to construct unobservable attacks for an AC state estimator (SE). It is shown that unobservability of the attack, in the absence of noise, is guaranteed when the attacker exploits its local network knowledge to perform AC SE locally than the simpler DC SE often assumed in the literature. Finally, the consequences of such an unobservable attack are highlighted via a scenario in which the physical system is changed due to false data injection.