From Static to Dynamic Anomaly Detection with Application to Power System Cyber Security

Developing advanced diagnosis tools to detect cyber attacks is the key to security of power systems. It has been shown that multivariate attacks can bypass bad data detection schemes typically built on static behavior of the systems, which misleads operators to disruptive decisions. In this article, we depart from the existing static viewpoint to develop a diagnosis filter that captures the dynamics signatures of such a multivariate intrusion. To this end, we introduce a dynamic residual generator approach formulated as a robust optimization program in order to detect a class of disruptive multivariate attacks that potentially remain stealthy in view of a static bad data detector. We then reformulate the proposed approach as finite, but possibly non-convex, optimization program. We further develop a linear programming relaxation that improves the scalability, and as such practicality, of the diagnosis filter design. To illustrate the performance of our theoretical results, we implement the proposed diagnosis filter to detect multivariate attacks on the system measurements deployed to generate the so-called Automatic Generation Control signals in a three-area IEEE 39-bus system.