Cyber-Attack Detection in DC Microgrids Based on Deep Machine Learning and Wavelet Singular Values Approach

Abstract

Nowadays, the role of cyber-physical systems (CPSs) is of paramount importance in power system security since they are more vulnerable to different cyber-attacks. Detection of cyber-attacks on a direct current microgrid (DC-MG) has become a pivotal issue due to the increasing use of them in various electrical engineering applications, from renewable power generations to the distribution of electricity and power system of public transportation and subway electric network. In this study, a novel strategy was provided to diagnose possible false data injection attacks (FDIA) in DC-MGs to enhance the cyber-security of electrical systems. Accordingly, to diagnose cyber-attacks in DC-MG and to identify the FDIA to distributed energy resource (DER) unit, a new procedure of wavelet transform (WT) and singular value decomposition (SVD) based on deep machine learning was proposed. Additionally, this paper presents a developed selective ensemble deep learning (DL) approach using the gray wolf optimization (GWO) algorithm to identify the FDIA in DC-MG. In the first stage, in the paper, to gather sufficient data within the ordinary performance required for the training of the DL network, a DC-MG was operated and controlled with no FDIAs. In the information generation procedure, load changing was considered to have diagnosing datasets for cyber-attack and load variation schemes. The obtained simulation results were compared with the new Shallow model and Hilbert Huang Transform methods, and the results confirmed that the presented approach could more precisely and robustly identify multiple forms of FDIAs with more than 95% precision.

1. Introduction

1.1. Background

Recent studies have confirmed that with the increasing development of power electronics, DC microgrids (DC-MGs) provide significant efficiency and reliability compared to conventional AC microgrids (AC-MGs), and they are also more cost-effective [1,2,3,4]. In general, to control DC-MGs, the primary control is performed according to the droop technique to adjust the output voltage and divide the current between individual converters locally [5,6]. Ancillary control is executed to restore the voltage of the DC bus. The main goals of cooperative ancillary controllers have been divided into load sharing and voltage adjustment [7,8].

As the importance of communication systems in the cooperative control strategies, DC-MGs are assailable to different kinds of cyber-attack. It has been shown that if a DC-MG operates under undetected cyber-attacks, the DC-MG power control and management scheme can be affected or disrupted. Accordingly, cyber-attack detection has a vital role in reliable and effective operation in a DC-MG [9]. Some new research has focused on several kinds of cyber-attack in electrical power grids. Good examples here can be the denial of service (DoS) and false data injection (FDI) attacks [10,11]. In DoS attacks, the hacker tries to keep the microgrid (MG) communication network fully inaccessible, whereas, in an FDI attack (FDIA), hackers change the status of the system by injecting incorrect data into the sensors [12,13].

Replay attacks (RAs) are considered as another form of cyber-attacks. The purpose of RAs is to record the readings of the sensors for a specified period, and then these readings are repeated to deceive the operator in the system. In [14], a concept of RAs in CPS was presented. Given the variety of cyber-attack schemes, it is vital to find different solutions to identify the hacker’s efforts. Paper [15] has concentrated on FDIA as the most prevalent kind of cyber-attack. FDI attacks (FDIAs) can also damage control programs in DC-MGs, including voltage and power control. As the potential negative impacts of FDIA on DC-MGs, it is pivotal to enhance different solutions for their reliable detection.

Previous research like [16,17] has worked on the protection of DC-MGs to increase the reliability of power systems. In Reference [18], a technique for identifying FDIAs on voltage measurement sensors in DC-MG has been proposed. It introduced a cooperative vulnerability agent and monitored the secondary output sublayer to identify the attacked parts.

Some research works on FDIA detection in power systems can be found in [19,20,21,22,23], which widely employ state estimation procedures, for instance, by using Kalman filters in [24], sparse optimization and state forecasting provided in [20], generalized likelihood ratio in [19], Kullback–Leibler distance in [25], Chi-square detector and also similarity matching in [26], and machine learning methods in [27]. But in this paper, FDIA detection has been considered in DC-MGs to detect FDIAs in voltage/current sensors and in the reference amount, actual amounts used in the controllers.

According to the presented technique in reference [28], a Chi-square-based detector and cosine similarity matching have been performed to distinguish the cyber-attack in smart grids (SGs) [29]. Most of them do not consider the voltage and current measurements in an integrated framework. Thus, there are no general methods for detecting FDIAs in both current and voltage measurements because the attackers can attack both measurements, so it is better to consider FDIAs in both voltage and current measurements. An example is [30], which discussed some forms of attacks on voltage measurements; also, in [31], attacks on current measurements were considered.

Several FDIA detection ways rendered for CPSs have been considered and analyzed. Based on the control information, the CPSs controllers have been classified as various distributed and centralized controllers [32,33,34,35]. Extant centralized cyber-attack detection techniques have been considered in several forms, including 1- linear time-invariant systems, 2- actuator/sensor attacks, 3- nonlinear systems, and finally, 4- systems with noise. Additionally, the advancement of distributed cyber-attack detection has been surveyed based on various decoupling approaches. Furthermore, future research paths and different forms of challenges in cyber-attack detection methods have been listed. In [36], a review of recent developments on security concepts and cyber-attack detection in CPSs is presented from a control theory viewpoint.

Recently, new techniques for detecting FDIA according to machine learning and deep learning (DL) frameworks have been presented; for instance, Reference [37] provided an in-depth learning-based approach to detect FDIA in the smart grid (SG). In [38], according to the attack detection formula as a problem based on machine learning, the possibility of some techniques, including supervised and semi-supervised learning approaches, decision fusion and level features, and online learning frameworks for FDIA in smart grids have been examined. Some of the previous works have been summarized in

Table 1. Exiting literature of FDIA detection.

Reference	Methodology	Detection Technique	Limitation	Advantages of Our Proposed Technique
[12]	Cooperative vulnerability factor	Considering attacks on measurements in DC-MG	Criteria indexes of the accuracy rate like miss rate (MR), false alarm rate (FAR), hit rate (HR), and correct reject rate (CRR) are not considered and not compared to the other FDIA detection methods based on the accuracy criteria indexes	Both voltage and current measurement are investigated in the proposed study. Criteria indexes of the accuracy rate are considered and compared to the other FDIA detection methods; The technique is free-model-based
[24]	Kalman filter	Applying the mathematical method in smart grids to detect the FDIAs	Criteria indexes of the accuracy rate like MR, FAR, HR, and CRR are not considered and not compared to the other FDIA detection methods based on the accuracy criteria indexes; DC system is not considered;	This work is not dependent on the system’s mathematical model. Criteria indexes of the accuracy rate are considered and compared to the other FDIA detection methods; DC-MG has been investigated
[38]	Deep learning	Applying DL schemes to identify the properties behavior of FDIA with the historical measurement information and using the captured properties to diagnose the FDIA	Criteria indexes of the accuracy rate like MR, FAR, HR, and CRR are not considered for the FDIA detection; DC system is not considered;	Applying WT and SVD to extract features to use as input of deep learning and deep base models are built to adaptively learn hidden properties. Criteria indexes of the accuracy rate are considered and compared to the other FDIA detection methods;
[39]	Kullback–Leibler	The ability to diagnose different attacks. Has difficulty diagnosing FDIAs in some state variables	Using historical data so it cannot detect small FDIA to the system. Criteria indexes of the accuracy rate like MR, FAR, HR, and CRR are not considered for the FDIA detection;	This work is not dependent on the state variable for detection FDIAs and is based on signals features. Various criteria indexes are considered and compared. It does not depend on the historical data
[40]	Chi-square detector and cosine similarity matching were applied	The results illustrated that detection based Chi-square could not detect the examined FDIAs	Criteria indexes of the accuracy rate like MR, FAR, HR, and CRR are not considered for the FDIA detection; and is not compared to the other FDIA detection methods based on the accuracy criteria indexes; DC system is not considered;	This paper is capable to detect various FDIAs in smart MG; Criteria indexes of the accuracy rate are considered and compared to the other FDIA detection methods; DC-MG has been investigated;
[41]	Discordant Element Approach	Considering attacks on current measurements in DC-MG	Criteria indexes of the accuracy rate like MR, FAR, HR, and CRR are not considered for the FDIA detection; and not compared to the other FDIA detection methods based on the accuracy criteria indexes; does not consider the attack on voltage sensors	Both voltage and current measurement are investigated in the proposed study. Criteria indexes of the accuracy rate are considered and compared to the other FDIA detection methods;

.

1.2. Motivation and Main Contribution

In this paper, we provide a strategy to diagnose possible FDIA in DC-MGs to enhance cyber-physical security. Accordingly, a new procedure of wavelet transform (WT) and singular value decomposition (SVD) based on DL has been presented to diagnose cyber-attacks in DC-MG and identify the attack. Additionally, this paper presents a developed selective ensemble DL approach using a gray wolf optimization algorithm (GWOA). In this regard, in the first step, the WT has been applied to extract the features of the signals. Afterward, these features have been decomposed according to SVD to reach wavelet singular values (WSVs). Additionally, the WSVs have been utilized as the input for the multiple deep base concepts to obtain sensitive features automatically from raw vibration signals.

In the second stage, to ensure the variety of the base concepts, several encoders, and decoders including sparse auto-encoder, de-noising auto-encoder, and linear decoder, have been utilized to build different deep auto-encoders. Besides, bootstrapping was utilized to plan distinctive training information subsets for every base concept.

The third part presents a developed weighted voting (DWV) combination scenario with class-defined thresholds to perform selective ensemble learning.

In the final phase, a grey wolf optimization (GWO) approach is used to choose the optimal class-specific thresholds adaptively.

Briefly, the main contributions of this paper are explained as follows:

• WT and SVD are combined to extract features from signals and obtained singular values (SVs) of the signals.
• A singular value of the signals has been used as input of DL to diagnose FDIA in DC-MG for the first time.
• Deep base models have been built to learn hidden properties from signals adaptively.
• Several deep base patterns are obtained with AE and bootstrap types.
• DWV is designed with particular class thresholds to perform elective ensembles.
• The DWV’s class-specific thresholds are optimized by applying the GWO algorithm.

1.3. Paper Structure

Part 2 presents the concepts about WT, SVD, and presented approach. In part 3, cyber-security in DC-MGs and FDIA will be demonstrated in detail. Part 4 will carry out the simulations, and the gained outcomes will be considered. Finally, in Part 5, the main conclusion will be expressed.

2. Basic Concepts

2.1. Wavelet Singular Values

In this section, the mechanism of the FDIA detection applies the benefits of WT and SVD analysis to exploit the exact features to utilize as the input indicator for the DL method. To begin with, we define the structure of the proposed technique; then, we state the efficiency of the technique involved in the short term.

2.1.1. Wavelet Transform

Typical 1-D decomposition includes a time-domain resolution or amplitude frequency that can usually not achieve an attack pattern. Moreover, it would be difficult to diagnose a DC-MG cyber-attack based solely on data provided by the time or frequency domain.

Time-frequency display is an efficient way of analyzing sensor signals to detect an attack by presenting visibility to the basic data in time. Various approaches include S transform (ST), WT, and short-time Fourier transform (STFT), which can discover time-frequency imaging. However, due to the constant resolution of the STFT frequency and the frequency darkness for the ST frequency band, WT was accepted to convert the transform of 1-D oscillation signals in this paper.

WT is a beneficial method for accurate time-frequency extraction due to the lesser time and higher frequency decompositions in the low-frequency part. Hence WT has been called a microscope for signal assessment. In addition, it could depict low-frequency data on a wide scale and locally specify the high-frequency property on a small scale. WT is understood by calculating the inner signal efficiency of the status resolution of signal $z\left(t\right)$ and also by the wavelet function base ${\theta }_{a,\tau }\left(t\right)$. Accordingly, WT can be determined in below [33,42,43]:

$$W{T}_z\left(\alpha ,\tau \right) ={{\displaystyle \int }}_{-\infty }^{+\infty }z\left(t\right){\theta }_{\alpha ,\tau }\left(t\right)dt={{\displaystyle \int }}_{-\infty }^{+\infty }z\left(t\right)\theta \left(\frac{t-\tau }{\alpha }\right)dt$$

(1)

In which, $\alpha$ and $\tau$ provide the dilation factor and the translation factor in transformation.

2.1.2. Singular Value Decomposition

It proposes which of the main discrete signals $Z=z\left(1\right),z\left(2\right),\dots ,z\left(N\right)$ have been collected.

According to the References [13,33], the Hankel matrix can form the basis of the idea of phase reconstruction as below:

$$H=\left[\begin{array}{cccc}z\left(1\right)& z\left(2\right)& \dots & z\left(n\right)\\ z\left(2\right)& z\left(3\right)& \dots & z(n+1)\\ \dots & \dots & \dots & \dots \\ z\left(N-n+1\right)& z\left(N-N+2\right)& \dots & z\left(N\right)\end{array}\right]$$

(2)

where in, we have: $1<n<N$, let $m=N-n+1$, then $YϵR^{m\ast n}$. The mentioned matrix rebuilds the attack circuit matrix. The N matrix incorporates the dynamic properties of the invader into the reconstruction area by reconstructing the characteristic of the aggressor. Therefore, H can present as $H=D+W$, which $D$ displays the $\left(N-n+1\right) \ast n$ matrix of the soft signal in the reconstruction area, $W$ also shows the $\left(N-n+1\right) \ast n$ matrix of the noise intervention signal. The SVD can be used to the above-noted matrix $H$, where the bellow formula is achieved [13,33]:

$$H=US{V}^T$$

(3)

In Equation (3), $U$ and $V^T$ represent $\left(N-n+1\right) \ast \left(N-n+1\right)$ and $n\ast n$ matrices. $S$ defines a diagonal matrix of $\left(N-n+1\right) \ast n$, the basic diagonal parts provide ${\delta }_i\left(i=1,2,\dots ,j\right)$ and $j=min\left((N-n+1\right),n)$, which is given in the Equation (4).

$$S=diag\left({\delta }_1,{\delta }_2,\dots ,{\delta }_k\right)$$

(4)

In Equation (4), ${\delta }_1,{\delta }_2,\dots ,{\delta }_k$ give the SVs of matrix H, and ${\delta }_1\ge {\delta }_2\ge \dots \ge {\delta }_k\ge 0$ has been convinced, $V^T$ and $U$ represent the left and right singular matrix.

2.2. Deep Learning Method

In this work, we proposed a developed selective ensemble DL approach using GWOA for FDIA detection in DC-MGs to enhance cyber-physical security.

In this regard, in the first step, DL base types are constructed to learn representative features adaptively from the WSV of signals. Then, to warranty the variety of the constructed base types, several deep auto-encoders are built with deforming auto-encoders (DAE), stacked auto-encoders (SAE), and linear decoder. In addition to this, distinguished training datasets for every basis type were planned using bootstrap. The DWV combination framework with particular class thresholds is planned to perform an elective ensemble in the third stage. In the final part, the GWO algorithm was carried out to achieve the optimal class-specific thresholds. The structures of the presented approach are introduced below:

2.2.1. Multiple Diverse Deep Auto-Encoders Construction

Various approaches have been proposed for developing the diversity of basic models, including adopting different types, choosing various hyperparameters, teaching with various optimizers, etc. To satisfy these diversities, this article adopted three methods as follows:

(a) Various auto-encoders usually have different features. Therefore, to obtain diverse base types, multiple DDAEs, DSAEs, DDLAEs, and DSLAEs were constructed through accumulating several SAEs, SLAEs DAEs, and DLAEs. The construction procedures of these deep automated encoders were the same as those taught by learning without layer supervision.

As shown in Figure 1, the latent output of the prior automatic encoder is utilized as the input of the subsequent automatic encoder until the final automatic encoder is trained, and the upper layer will be the soft-max arranger.

(b) A fine-tuning procedure was performed after learning without layered supervision, and the fine-tuning cost function procedure is computed through Equation (5).

$$J_{DeepAE}\left(\phi \right) =-\frac{1}{n}{\displaystyle \sum }_{i=1}^n\left({\widehat{x}}_{i}log{x}_i\right)+\frac{\beta }{2}{\displaystyle \sum }_{k=1}^k{\displaystyle \sum }_{i=1}^{n_l}{\displaystyle \sum }_{j=1}^{n_{l=1}}{\left({\omega }_{ij}^l\right)}^2$$

(5)

where $x_i$ and ${\widehat{x}}_i$ represent the real and anticipated labels of the $i\mathrm{th}$ sample, also $\left(K-1\right)$ gives the number of hidden layers. The important point is that the iteration number of fine-tuning procedures impresses the impact of training; therefore, diverse iteration numbers of fine-tuning procedures have opted. If $m$ diverse iteration numbers of fine-tuning procedures have opted, afterward there will be $4 m$ base types.

(c) In addition to constructing different deep base types, distinct training information sets for every type have also been planned through bootstrap to warranty the variety of such base types.

In particular, the entire dataset is assumed to be specified as ${\mathrm{Z}}_{\mathrm{w}}=\left\{{\mathrm{Z}}_1,{\mathrm{Z}}_2,\dots ,{\mathrm{Z}}_{\mathrm{i}},\dots ,{\mathrm{Z}}_{\mathrm{s}}\right\}$, where s represents the sum number of the instances, ${\mathrm{Z}}_{\mathrm{i}}=\left\{{\mathrm{z}}_1,{\mathrm{z}}_2,\dots ,{\mathrm{z}}_{\mathrm{j}},\dots ,{\mathrm{z}}_{\mathrm{m}}\right\}$, and m gives the information points number of every sample. Then ${\mathrm{Z}}^{\mathrm{w}}$ represents disarticulate into three segments such as ${\mathrm{Z}}^{\mathrm{tr}}=\left\{{\mathrm{Z}}_1,{\mathrm{Z}}_2,\dots ,{\mathrm{Z}}_{\mathrm{n}},\dots ,{\mathrm{Z}}_{\mathsf{\rho }}\right\}$, ${\mathrm{Z}}^{\mathrm{v}}=\left\{{\mathrm{Z}}_{\mathsf{\rho }+1},{\mathrm{Z}}_{\mathsf{\rho }+2},\dots ,{\mathrm{Z}}_{\mathrm{q}}\right\}$, and ${\mathrm{Z}}^{\mathrm{t}}=\left\{{\mathrm{Z}}_{\mathrm{q}+1},{\mathrm{Z}}_{\mathrm{q}+2},\dots ,{\mathrm{Z}}_{\mathrm{s}}\right\}$; where ${\mathrm{Z}}^{\mathrm{tr}}$, ${\mathrm{Z}}^{\mathrm{t}}$, and ${\mathrm{Z}}^{\mathrm{v}}$ are the training dataset, test dataset, and validation dataset. To obtain distinctive training datasets, bootstrap was utilized to randomly choose $\mathrm{n}$ instances from ${\mathrm{Z}}^{\mathrm{tr}}$ per time, and the training information subset for $\mathrm{ith}$ type was signified as ${\mathrm{Z}}^{\mathrm{tri}}$.

The method or architecture of selecting parameters is based on the empirical guidelines. In this regard, 2–5 hidden layers are suggested firstly, and then, gradually, the number of hidden nodes decreases from the lower layer to the top layer. It is noteworthy that high-performance hardware has been required for lots of deep bases kinds. Therefore, 8–24 deep base types will be suitable.

2.2.2. DWV with Class-Specific Thresholds

Weighted voting (WV) criteria only provide the overall implementation diversity of every type to set the voting weights and usually do not pay attention to the efficiency variety of multiple base types for every attack type. As a result, in this paper, a novel compound platform called DWV was planned. The DWV is given, including the efficiency of diverse types for every fault mode according to a general term called $\mathcal{F}$1-measure [43,44]. To begin with, class-specific thresholds are adjusted to run the selected group; afterward, the class-specific weight is allocated to every base pattern in each error state.

Details of the DWV are presented as follows: In the first stage, several basic layouts are built and trained. After that, the confirmation outcomes of every base type are obtained; moreover, the corresponding $\mathcal{F}$1 values are computed using Equation (6).

$$\mathcal{F}=\frac{2\mathcal{P}·P}{\mathcal{P}+\mathcal{P}}=\frac{2T\mathcal{P}}{2T\mathcal{P}+\mathcal{F}\mathcal{P}+\mathcal{F}N}$$

(6)

where:

$$\mathcal{P}=\frac{T\mathcal{P}}{T\mathcal{P}+\mathcal{F}\mathcal{P}}\ast 100\%$$

(7)

$$R=\frac{T\mathcal{P}}{T\mathcal{P}+\mathcal{F}N}\ast 100\%$$

(8)

$\mathcal{P}$ is defined as the accuracy rate, $R$ gives the recall rate; $T\mathcal{P}, \mathcal{F}N, \mathcal{F}\mathcal{P}$ provide the number of true positive, false negative, and false-positive samples. After this step, the class-specific $\mathcal{F}1$ thresholds for every error type are defined like $ft=f{t}_1,f{t}_2,\dots ,f{t}_c$ [43,44].

By comparing each value of $\mathcal{F}$1 with the relevant threshold, if the amounts of $\mathcal{F}$1 are less than the relevant threshold amounts, the value is fixed to 0, which defines the corresponding weight will also be equal to 0. As a result, we need to define Equation (9) as:

$${\mathcal{F}}_{ij}=\left\{\begin{array}{c}0 , {\mathcal{F}}_{ij}<ft{}_j\\ {\mathcal{F}}_{ij}, Otherwise\end{array}\right.,i=1,2,\dots ,k;j=1,2,\dots ,\delta$$

(9)

In which:

$$\min \left\{{\mathcal{F}}_{ij},i=1,2,\dots k\right\}\le f{t}_j\le \max \left\{{\mathcal{F}}_{ij},i=1,2,\dots k\right\}$$

(10)

${\mathcal{F}}_{ij}$ provides the $\mathcal{F}1$ value for error mode $j$ of $i\mathrm{th}$ base type, $f{t}_j$ gives the $\mathcal{F}1$ threshold for error type $i$, and $\delta$ represents the number of error types. After that, we should devote weights to every base type for every error mode as given in Equation (11).

$${\omega }_{ij}=\frac{{\mathcal{F}}_{ij}}{{{\displaystyle \sum }}_{i=1}^k{\mathcal{F}}_{ij}}$$

(11)

where:

$${{\displaystyle \sum }}_{i=1}^k{\omega }_{ij},{\omega }_{ij}\ge 0$$

(12)

${\omega }_{ij}$ is the weights of base type $i$ for error type $j$.

In the final stage, the decision is made as follows; we should suppose that type i$\left(Z_t\right)$ gives the expected label of base type $i$ for instance $Z_t$. The sum score that $Z_t$ appertains to error type $j$ is computed through Equation (13).

$$Scor{e}_j\left(Z_t\right)={\displaystyle \sum }_{i=1}^k{\omega }_{ij}·H\left(Z_t,j\right),t=\rho +1,\rho +2,\dots ,q$$

(13)

where:

$$H\left(Z_t,j\right)=\left\{\begin{array}{c}1 Mode{l}_i\left(Z_t\right) =j\\ 0 Otherwise\end{array}\right.$$

(14)

The final predicted label $Pre\_K\left(Z_t\right)$ of $Z_t$ is acquired by Equation (15).

$$Pr{e}_K\left(Z_t\right) =T$$

(15)

where:

$$Scor{e}_r\left(Z_t\right) =\max \left\{Scor{e}_r\left(Z_t\right),\mathrm{j}=1,2,\dots \delta \right\}$$

(16)

As a result, the accuracy of the final confirmation of ensemble learning is computed as follows:

$$Ensembe{l}_{V_{acc}}=\frac{{{\displaystyle \sum }}_{t=\rho +1}^{q}h\left(Z_t,X_t\right)}{q-\rho }$$

(17)

where:

$$h\left(Z_t,X_t\right) = \left\{\begin{array}{c}1 Pre\_K\left(Z_t\right) =X_t\\ 0 Otherwise\end{array}\right.$$

(18)

$X_t$ also represents the actual label of the sample $Z_t$.

2.2.3. Gray Wolf Optimization

GWO is a relatively novel intelligence algorithm presented by Mirjalili and his colleagues, designed through the hunting behaviors and the social hierarchy of gray wolves [45]. In GWO, the rest of the solutions are named as $\omega$ wolves that chase the $\alpha ,\beta$ and $\delta$ wolves within their hunting. The grey wolves’ hunting behavior can be formulated as follows:

$$\left\{\begin{array}{c}{D}_p = \left|C·X_p\left(t\right)-X\left(t\right)\right|\\ X\left(t+1\right) =\frac{1}{3}{\displaystyle {\displaystyle \sum }_{p=\alpha ,\beta ,\delta }}\left(X_p\left(t\right)-A·D_p\right)\end{array}\right.$$

(19)

where $D_p$ gives the absolute amount of every dimension in the vector, $t$ shows the running iteration, $X$ and $X_p$ represent the situation vectors of grey wolf and prey. Also, $A$ and $C$ provide coefficient vectors that are computed in Equation (20):

$$\left\{\begin{array}{c}\begin{array}{c}A=2a·r_1-a\\ C=2a·r_2\end{array}\\ \begin{array}{c}a=2-2t/t_{max}\\ r_1,r_2=rand\left(0,1\right)\end{array}\end{array}\right.$$

(20)

where in Equation (20), $a$ signifies control parameter, $t_{max}$ provides the maximum number of iterations. $r_1,r_2$ show the random vectors of (0, 1). Multi-objective gray wolf optimization (MOGWO) is an extended form of the GWO where two added components are dedicated to accommodating multipurpose optimization problems. One component is the archive used to store Pareto solutions (non-dominated solutions). Another component acts as a leader election framework that aims to opt wolves α, β, and δ from the set while hunting. Exact explanations of the two components are provided as follows:

(a) The external archive

In MOGWO, an outer archive was performed to save Pareto solutions achieved. During every iteration, Pareto solutions are reserved while the dominant members are removed. Besides, while there is mutual non-dominate from the new solution to archive residents, a new solution can be embedded into the archive. When the archive is full, the procedure of the network, according to Reference [46], is used to replace one of the archive members in the busiest set with a new solution that assists in maintaining the variety of archive residents.

(b) The leader selection framework

Since the non-dominated solutions cannot be easily sorted, it would be hard to straightly choose the leader of wolves with considering the first, 2nd, and 3rd best solutions. In reply to this, according to [46], the leader chosen framework selected with the roulette-wheel approach can be used to select such leaders from the archive, including the entire non-dominated solutions achieved. In this strategy, the probability of being opted as new leaders is inversely proportional to the severity of the parts that increase the variety of solutions.

2.3. Procedure of the Proposed Technique

As shown in Figure 2, in this paper, we propose a developed selective ensemble DL approach by GWO method to detect cyber-attack in DC-MGs.

In the first stage, the signal feature is extracted using WSVs. Then, deep base types are built to adaptively learn hidden characteristics from extracted indexes by WSVs of signals to ensure the variety of the base types. In this way: (1) the deep auto-encoders are produced by applying DAE, SAE, and linear decoder; (2) the datasets of distinctive training for every base type are planned by bootstrap. After that, the DWV combination framework with particular class thresholds is planned to conduct an elective ensemble. In the final stage, the GWO algorithm is applied to find optimal thresholds.

3. CYBER PHYSICAL LAYER in DC-MGs

In this section, we focus on the cybersecurity of DC-MG and then explaining a type of cyber-attack in such systems.

3.1. Cyber Security in DC-MG

As a small electrical power grid, the MG encompasses both production and consumption, allowing it to operate in both network and island operation modes. In addition to the physical layer like distributed generations (DGs) and green energy units, storage and loads units, an MG with an interconnected cyber layer, basically with transferring information and decision-making according to collected datum, deals with advanced measurement infrastructures (AMIs).

Such factors make MG a complicated CPS with a nonlinear, hybrid correlated structure, which in turn is an accessible target point for hackers to infiltrate and exploit their malicious targets. Several items including heterogeneous information resources, vulnerable sensors, and a high amount of interactions within the MG and from the MG to the main network, sensibility to synchronization of time and communication postpones usually create different challenges to ensure a secure and reliable operation strategy in MGs. AMI plays a pivotal key layer in an MG that creates a two-rout communication way from the smart metering components with special IP addresses to the electrical suppliers and users. Additionally, AMI is responsible for information collection, information communication, and energy expenditures assessment for optimal MG performance.

AMI enables to make real-time decisions on both production and consumption sides. According to AMI, DGs are timely optimized for their operation, and electricity consumers can take appropriate economic decisions to maximize energy savings and actively participate in market pricing. Figure 3 displays the cyber-physical framework of an MG with AMI. As depicted in Figure 3, through links of wireless/wired communication, smart meters, which act as the main section of AMI, get information from electrical consumers, generations, and storage agents for efficient decision making and exploitation.

As a result, smart sensors are given into account as a gateway to gather and assess the state of the physical layers to fine dust. This factor makes them a vulnerable and potential point of intrusion to carry out malicious attacks because they affect the efficiency of the whole MG. By compromising the information reported by smart sensors, it is possible to infiltrate the optimal dispatch of DGs, thereby greatly lessening the reliability, security, and energy quality of electrical power services.

3.2. Cyber-Attack

In a generic MG, the main task of AMI can be to collect load consumption information and exchanged it to the decision-making program for appropriate planning of generating units. In every case, a healthful MG must meet the production and demand equilibrium equation to eschew unanticipated interruptions or obliged load shedding. Furthermore, AMI can do an important duty in diminishing the entire cost of MGs via offering real-time information regarding consumers’ demands. To meet electrical requirements, an MG should gain power generation during peak load times.

By accurately estimating the load demand offered by AMI, the MG can use demand response techniques to change peak load times, thereby reducing the total costs of MG, using unnecessary feeder combustion, and preventing frequency and voltage drops. This would be a valuable and applicable strategy while accurate data on electrical load demand is presented. Unfortunately, AMI, which is according to the communication interfaces, can be assailable from cyber hackers so an expert enemy can change the reported load.

By hacking AMI, the other party disrupts the demand response procedures and upsets the balance of production and demand. This can lead to other damaging results, including additional operating costs, impractical operations, and unplanned shutdowns. As a result, the issue of which events might ultimately occur for an MG depends on both the stability of the cyber-attack and how the MG works. As noted earlier, an MG can act as a network-connected mode or islanded mode. A cyber-attack on AMI can gain the MG’s costs, power loss, and voltage drop when in network-connected mode. For example, in the islanded operation of a power system, a cyber-attack can bring about more intense consequences, including loss of production and demand balance and inaccessibility of exploitation or even shutting down of units. In terms of severity, cyber-attack power can be categorized into two diverse states: Firstly, a malicious attack by strength and immediate impact causes the most detriment to the MG. Such kinds of attacks should be felt quickly and should be recognizable because of their large size. Secondly, a destructive attack with a smooth and slow impact causes a change in the long term. The significant aim of the form of cyber-attack is to prevent the system from being detected and changes in MG’s accessibility in the long run.

In this regard, in this article, both forms of cyber-attacks on MGs are analyzed. An intelligent type is presented to detect a cyber-attack, which is described in detail.

4. Simulation Outcomes

In the simulation, we tested the presented strategy for attack detection on the cyber-physical DC-MG, which is depicted in Figure 4b with $V_{dcref}=315\mathrm{V}$, including four different agents with equal capacities interconnected with others with resistive lines. It should be stated that every production agent includes a battery accompanied by boost converters, as depicted in Figure 4a. To confirm the efficiency of the offered strategy for attack detection in cooperative DC-MG, it was tested against numerous disturbances. This included FDIA and stealth attacks in sensors that often go undetected with distributed observers, and also communication links to diagnose the affected nodes so that the intransitive measures can be derived to maintain cyber-security. In the FDIAs, the attacker can access the datum of the sensors, communication links, and controllers. To simulate the FDIA, it has been assumed that the attacker can manipulate the data; therefore, the data has been manipulated to show the attack at the attack's time. The parameters of the system are presented in

Table 2. Simulated system parameters.

Parameter	Value
$V_{dcref}$	$315\mathrm{V}$
$\Delta t$	$5\mathrm{ms}$
$L_f$	$5\mathrm{mH}$
$C_f$	$50\mathrm{mF}$
$R_{12}$	$1.8\Omega$
$R_{14}$	$2.3\Omega$
$R_{23}$	$1.3\Omega$
$R_{34}$	$1.5\Omega$

. Because the main goal in this paper is FDIA detection in DC-MGs, the system details and control parameters in [47] are used to simulate the physical system and controller. It has to be stated that every attack in the defined strategies has been separated using a certain time gap to present a better understanding.

4.1. Case Studies

The proposed strategy was implemented into three different study cases.

Study Case 1: In this part, the FDIA on the voltage sensor occurs in the 2nd unit. System behavior is considered in an example of a defined type of FDIA, and DL indicators have been indicated which one has been extracted based on the WSVs. The FDIA starts at t = 0.4 and finishes at t = 0.6 s, respectively. Moreover, the voltage reference signal amplitude changes and is reduced by about 30%. The outcomes of this study case are displayed in Figure 5. Figure 5a shows that the DC-MG voltage on that the FDIA was reported in a timely manner. Additionally, Figure 5b displays the signal wavelet decomposition in db4, which is used to extract SVs utilized as machine learning input for detecting cyber-attacks.

Study Case 2: In this part, the FDIA on the voltage sensor occurs in the 4th agent. System behavior is considered in an example of this type of FDIA, and deep machine learning indicators show which one has been extracted based on the WSVs. The FDIA starts at t = 0.4 and finishes at t = 0.6 s, respectively. Moreover, the voltage reference signals amplitude changes and increases about 30%. The outcomes of this study case have been displayed in Figure 6. Figure 6a shows that the DC-MG voltage on that the FDIA was reported in a timely manner. Additionally, Figure 6b displays the signal wavelet decomposition in db4, which is used to extract SVs utilized as machine learning input for detecting cyber-attacks.

Study Case 3: In this part, the FDIA on the voltage sensor occurs in the 1st unit. System behavior is considered in an example of this type of FDIA, and DL indicators displayed which one has been extracted based on the WSVs. The FDIA starts at t = 0.4 and finishes at t = 0.6 s, respectively. Moreover, the voltage reference signal amplitude changes, and noise adds to the signal. The outcomes of this study case have been displayed in Figure 7. Figure 7a shows that the DC-MG voltage on that the FDIA was reported in a timely manner. Additionally, Figure 7b displays the signal wavelet decomposition in db4, which is used to extract SVs utilized as machine learning input for detecting cyber-attacks.

4.2. Discussion

On the one hand, a decision would be positive when it is recognized as a cyber-attack. On the other hand, a decision would be negative when the anomaly detection type identifies it as a usual condition. The real decision has been taken when the type of anomaly detection is the true decision. An incorrect decision displays a false reaction of the type of detection of the cyber-attack.

In this regard, it is inferred that a proper type of anomaly detection is a type with a low false rate. Based on these definitions, four various criteria can be determined as follows: miss rate (MR), false alarm rate (FAR), hit rate (HR), and correctly reject rate (CRR). To aid a clear understanding of the issue,

Table 3. The proposed detection matrix framework.

Type	Real Value
Detection Type Response	Form	Positives	Negatives
	Positives	Hit Rate True Positive	False Alarm Rate False Positive
	Negatives	Miss Rate False Negative	Correct Rejection Rate True Negative

provides a matrix of the suggested detection method to show the accuracy rate of the suggested method to detect attacked conditions and normal conditions correctly. Hit rate (true positive) shows the percentage of correct detection when FDIAs occur in the system, and the method can detect it as attacked. Miss rate (false Negative) shows the percentage of incorrect detection of the method when FDIAs occur in the system, and the detection method cannot detect it as attacked. Correct rejection rate (true negative) represents the percentage of correct diagnosis of the normal conditions; in other words, when there is no attack in the system, and the condition is normal, the method does not alarm as the attacked condition. False alarm rate (false positive) is the percentage of incorrect diagnosis in the normal conditions and the detection method alarm in the normal condition as the attacked.

The number of test data in attacked conditions is 1348 and in normal conditions is 1174. The proposed cyber-attack detection method could detect 1285 from 1348 (number of test data in attacked conditions) as the manipulated or attacked condition and accurately identify 1125 from 1174 (number of test data in normal conditions) as the normal condition.

Various case tests have been executed to validate the presented deep machine learning approach in the FDIA detection. The FDIA type has analyzed the efficiency/performance of offered detection method, and the appraisal results are depicted in

Table 4. The value matrix of the presented detection framework.

Type	Method	Real Value
		Form	Positives	Negatives
Detection Type Response	WT and DL	Positives	95.36%	4.16%
		Negatives	4.64%	95.84%
	Shallow Model	Positives	90.13%	8.36%
		Negatives	9.87%	91.64%
	HHT and DL [48]	Positives	93.75%	4.77%
		Negatives	6.25%	95.23%
	Method		WT and DL	HHT and DL [48]
Response Time	Average Detection Time		10 ms	50 ms
	DNN Training Time		1638 s	1759 s

. Besides, to indicate the performance of the proposed cyber-attack detection approach, it compares the Shallow model and deep neural network (DNN) with Hilbert–Huang Transform (HHT) presented in the [48] in Table 4. As shown in Table 4, it can be argued that the proposed method could diagnose the FDIAs by detection precision over 95% that indicates the performance of the offered diagnosing approach on detecting the FDIAs.

According to the Shallow model and HHT as DNN inputs, the detection methods can diagnose FDIAs with over 90% and 93% accuracy, respectively. The DNN training time in HHT as DNN inputs are 1759 s that means detection time is 50 ms; but in the proposed technique, the average detection time is 10 ms and the DNN training time is 1638 s. As a result, it provides the competency of the stated detection approach for detecting the FDIAs.

5. Conclusions

This research work presents an advanced selective DL approach with a GWO algorithm using WSV to type a cyber-attack detection procedure. WSVs have been extracted from the spectral energy of the input signals to be used as an indicator of DL input, and then numerous types of deep bases are produced via SAE, DAE, and linear encoder. Bootstrap has also been used for them to design distinctive training information subsets. In addition, a hybrid DWV strategy with class-specific thresholds has been presented to perform the selected group, and the GWO algorithm has been used for class-specific thresholds optimization. Accordingly, simulation data has been applied to confirm the effectiveness of the presented framework. The gained results of the simulation have been compared with the new Shallow model and Hilbert–Huang transform methods. The simulation results suggested that the presented approach can detect FDIAs more accurately and robustly in DC-MG. Besides, it was seen that the presented type illustrates suitable efficiency in the face of FDIAs with numerous severities ranging from 10% to 100% information changed. The outcomes of two diverse criteria for the rate of diagnosis and the outcomes of the confusion matrix confirm the integrity and valuable proficiency of the proposed anomaly type of diagnosis. The efficiency of the presented method has been verified using simulations by offline digital time-domain in the MATLAB software. The obtained outcomes of 2 various criteria of detection rate and matrixes support the integrity and significant sufficiency of the presented anomaly detection type.

Evaluating the efficiency of the suggested cyber-attack detection scheme on a real-time “hardware experiment” can be a hot subject for future research. The FPGA and DSP boards can also be used as the processor. Other cyber-attacks like a man-in-the-middle attack, reply attacks, etc., can consider in the DC-MG in future studies.