Design of Load Forecast Systems Resilient Against Cyber-Attacks

Abstract

Load forecast systems play a fundamental role the operation in power systems, because they reduce uncertainties about the system’s future operation. An increasing demand for precise forecasts motivates the design of complex models that use information from different sources, such as smart appliances. However, untrusted sources can introduce vulnerabilities in the system. For example, an adversary may compromise the sensor measurements to induce errors in the forecast. In this work, we assess the vulnerabilities of load forecast systems based on neural networks and propose a defense mechanism to construct resilient forecasters.

We model the strategic interaction between a defender and an attacker as a Stackelberg game, where the defender decides first the prediction scheme and the attacker chooses afterwards its attack strategy. Here, the defender selects randomly the sensor measurements to use in the forecast, while the adversary calculates a bias to inject in some sensors. We find an approximate equilibrium of the game and implement the defense mechanism using an ensemble of predictors, which introduces uncertainties that mitigate the attack’s impact. We evaluate our defense approach training forecasters using data from an electric distribution system simulated in GridLAB-D.

A Appendix

Proof

(Lemma 1). Let \(\delta (B_a)\) and \(p^{DA} - p^{RT}\) be independent random variables; hence, we can approximate their expected value using a Monte Carlo integration with T terms, that is,

$$\begin{aligned} \mathrm {E}[\delta (B_a)] = \frac{1}{T} \sum \nolimits _{t=1}^T \delta (B_a, t) , \end{aligned}$$

$$\begin{aligned} \mathrm {E}[p^{DA} - p^{RT}] = \frac{1}{T} \sum \nolimits _{t=1}^T \left\{ p^{DA}(t) - p^{RT}(t) \right\} . \end{aligned}$$

Now, since two independent random variables X and Y satisfy \(\mathrm {E}[XY] = \mathrm {E}[X]\mathrm {E}[Y]\), we can approximate their expected product \(\mathrm {E}[\delta (B_a)(p^{DA} - p^{RT})]\) as

$$\begin{aligned} \mathrm {E}[\delta (B_a)(p^{DA} - p^{RT})] = \frac{1}{T} \sum \nolimits _{t=1}^T \delta (B_a, t) \frac{1}{T} \sum \nolimits _{t=1}^T \left\{ p^{DA}(t) - p^{RT}(t) \right\} . \end{aligned}$$

Thus, if either \(\sum _t p^{DA}(t) - p^{RT}(t) \ge 0\) and \(\sum _t \delta (B_a(t)) \le 0\) or \(\sum _t p^{DA}(t) - p^{RT}(t) \le 0\) and \(\sum _t \delta (B_a(t)) \ge 0\), then the attacker has positive profit (see Eq. (7)).

Proof

(Proposition 1). Let us consider the following bounds on the difference between expected impact and its approximation from Eq. (12)

$$\begin{aligned} \underline{\xi } \le \delta ( \lambda (\rho ^d, \rho ^a), t ) - \varPi ^a (\rho ^d, \rho ^a) \le \overline{\xi }. \end{aligned}$$

Since \(\varPi ^d (\rho ^d, \rho ^a) = -\varPi ^a(\rho ^d, \rho ^a)\), then the previous expression implies

$$\begin{aligned} \varPi ^d(\rho ^d, \rho ^a) \ge -\delta ( \lambda (\rho ^d, \rho ^a), t ) + \underline{\xi } \end{aligned}$$

(15)

and

$$\begin{aligned} -\delta (\lambda (\tilde{\rho }^d, \rho ^a), t) \ge \varPi ^d(\rho ^d, \rho ^a) - \overline{\xi }. \end{aligned}$$

(16)

Moreover, the solution to Eq. (13), denoted \((\rho ^d, \rho ^a)\), satisfies the following properties

$$\begin{aligned} \delta ( \lambda (\rho ^d, \rho ^a), t ) \ge \delta ( \lambda (\rho ^d, \tilde{\rho }^a), t ), \end{aligned}$$

$$\begin{aligned} \delta ( \lambda (\rho ^d, \rho ^a), t ) \le \delta ( \lambda (\tilde{\rho }^d, \rho ^a), t ), \end{aligned}$$

(17)

for some strategies \(\tilde{\rho }^d\) and \(\tilde{\rho }^a\). Thus, from Eqs. (15) and (17) we have

$$\begin{aligned} \varPi ^d(\rho ^d, \rho ^a) \ge -\delta ( \lambda (\rho ^d, \rho ^a), t ) + \underline{\xi } \ge -\delta (\lambda (\tilde{\rho }^d, \rho ^a), t) + \underline{\xi }. \end{aligned}$$

Now, using the previous expression with Eq. (16) we obtain

$$\begin{aligned} \varPi ^d(\rho ^d, \rho ^a) \ge \varPi ^d(\tilde{\rho }^d, \rho ^a) - \xi . \end{aligned}$$

where \(\xi = \overline{\xi } - \underline{\xi } \ge 0\). With a similar approach we can show that

$$\begin{aligned} \varPi ^a(\rho ^d, \rho ^a) \ge \varPi ^a(\rho ^d, \tilde{\rho }^a) - \xi . \end{aligned}$$

Proof

(Proposition 2). Since \(\delta (\cdot )\) is increasing with respect to the number of sensors compromised, the following holds

$$\begin{aligned} \max _x \delta (x) = \delta (\max _x x). \end{aligned}$$

The previous property can be applied also to minimization problems; hence, we can express the game’s equilibrium of Eq. (12) as

$$\begin{aligned} \min _{\rho ^d} \max _{\rho ^a} \delta ( \lambda (\rho ^d, \rho ^a)) = \delta \left( \min _{\rho ^d} \max _{\rho ^a} \lambda (\rho ^d, \rho ^a) \right) \end{aligned}$$

This means that the adversary designs its strategy to maximize the number of compromised sensors, while the defender pursues the opposite goal.

The adversary’s optimal strategy consists in attacking the sensors with highest selection probability. Without loss of generality, let \(\rho _1^d \ge \rho _2^d \ge \ldots \ge \rho _m^d\). Then, the attack strategy \(\rho _i^a = 1\) and \(\rho _j^a = 0\) for \(1\le i \le m^a\) and \(j>m^a\) leads to the following expected number of compromised sensors

$$\begin{aligned} \lambda (\rho ^d, \rho ^a) = \sum \nolimits _{i=1}^{m^a} \rho _i^d. \end{aligned}$$

Since a different attack strategy cannot increase the number of compromised sensors, this attack strategy is weakly dominant.

Given the previous attack strategy, the defender’s optimal strategy consists in selecting all the sensors with the same probability

$$\begin{aligned} \rho _k^d = \frac{m^d}{m}. \end{aligned}$$

Observe that any deviation from this strategy increases the number of sensors compromised.

Proof

(proposition 3). Here we consider that the adversary compromises \(m^a\) sensors. Let \(\sigma _i\) be the proportion of resources allocated to the set \(\mathcal {P}_i\). According to Sect. 4, we create a partition of sensors \(\{\mathcal {P}_i\}_{i=1}^n\). First, let us consider ensembles trained with sensors in \(\mathcal {M}_i = \cup _{j \ne i} \mathcal {P}_j\), for \(i=1, \ldots , n\), where \(\frac{n-1}{n}=frac{ m^d }{ m }\). Thus, the total number of compromised sensors used by the \(i^{th}\) model amount to \( m^a \sum \nolimits _{j\ne i} \sigma _j = m^a(1-\sigma _i). \)

Due to the concavity of the impact function, the expected impact on the ensemble satisfies

$$\begin{aligned} \frac{1}{n} \sum _{i=1}^n \delta ( m^a(1-\sigma _i) ) \le \delta \left( \frac{1}{n} \sum _{i=1}^n m^a(1-\sigma _i) \right) = \delta \left( \frac{n-1}{n} m^a \right) = \delta \left( \frac{m^d}{m} m^a \right) . \end{aligned}$$

Thus, the allocation that maximizes the impact attains the previous upper bound satisfying \( \sigma _i = \frac{1}{n}, \) for all \(i=1, \ldots , n\). In other words, the adversary’s best strategy consists in allocating its resources uniformly in the partition’s sets.

Now, if \(\mathcal {M}_i = \mathcal {P}_i\), for \(i=1, \ldots , n\), with \(n=\frac{m}{m^d}\), then the expected impact on the ensemble becomes

$$\begin{aligned} \frac{1}{n} \sum \nolimits _{i=1}^n \delta ( m^a \sigma _i ) \le \delta \left( \frac{1}{n} \sum \nolimits _{i=1}^n m^a \sigma _i \right) = \delta \left( \frac{m^a}{n} \right) = \delta \left( \frac{m^d}{m} m^a \right) . \end{aligned}$$

In this case, the attack strategy that attains the upper bound satisfies \(\sigma _i = \frac{1}{n}\). Therefore, the adversary allocates its resources equally in all the sensors in the partition.

In practice, the adversary can compromise at most \(m^d\) sensors form each partition. Hence, the optimal attack policy must satisfy \(\sigma _i = \min \{ 1 / n, m^d / m^a \}\). When \(1 / n > m^d / m^a\) the adversary cannot implement its ideal strategy.