612 IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 1, JANUARY 2021

Intrusion Detection for Cybersecurity of Smart Meters

Chih-Che Sun, Member, IEEE, D. Jonathan Sebastian Cardenas, Member, IEEE, Adam Hahn, Member, IEEE, and Chen-Ching Liu, Life Fellow, IEEE

Abstract—The integration of Information and Communications Technology (ICT) enables real-time communication for smart meters to participate in power system operations. However, Advanced Metering Infrastructures (AMI) are vulnerable to cyber attacks. Both utilities and power consumers may become victims of cyber intrusions. In this paper, a two-stage cyber intrusion protection system is proposed. At the first stage of intrusion detection, a Support Vector Machine (SVM) is used as a detection algorithm to discover suspicious behaviors inside a smart meter. At the second stage, the Temporal Failure Propagation Graph (TFPG) technique is used to generate attack routes for identifying attack events. Finally, the proposed pattern recognition algorithm is used to calculate the similarity between a detected abnormal event and pre-defined cyber attacks. A higher similarity value implies a higher chance that a smart meter is under attack. An AMI security test platform has been developed to: (1) Collect training/testing data for SVM, (2) Simulate and analyze cyber attack events, and (3) Validate the proposed cyber attack protection system. The test platform consists of Network Simulator 3 (NS-3) software to simulate an AMI network environment and single board computers (SBCs) to emulate the IEEE 802.15.4 communication between a grid router and a smart meter.

Index Terms—Advanced metering infrastructure (AMI), smart meters, cyber-physical system security, intrusion detection.

Manuscript received October 20, 2019; revised March 8, 2020 and June 21, 2020; accepted July 6, 2020. Date of publication July 20, 2020; date of current version December 21, 2020. This work was supported in part by the Department of Energy under Award DE-OE0000780; and in part by National Science Foundation under Award ECCS-1824577. Paper no. TSG-01577-2019. (Corresponding author: Chih-Che Sun.)
Chih-Che Sun, D. Jonathan Sebastian Cardenas, and Adam Hahn are with the School of Electrical Engineering and Computer Science, Washington State University, Pullman, WA 99164 USA (e-mail: [email protected]; [email protected]; [email protected]).
Chen-Ching Liu is with the Power and Energy Center, Virginia Polytechnic Institute and State University, Blacksburg, VA 24061 USA, and also with the School of Electrical Engineering and Computer Science, Washington State University, Pullman, WA 99164 USA (e-mail: [email protected]).
Color versions of one or more of the figures in this article are available online at https://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TSG.2020.3010230
1949-3053 © 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Universidad del Valle. Downloaded on September 17,2025 at 19:58:58 UTC from IEEE Xplore. Restrictions apply.

I. INTRODUCTION

SMART grid technologies have been deployed to enable the new functions and services, improving the reliability, security, and efficiency of a power system. Metering infrastructure plays a significant role between power supply and demand ends. To upgrade the service quality and provide new services, many utilities adopt AMI components including software (e.g., meter data management system) and hardware (e.g., smart meters and grid routers). Compared to conventional electric energy meters, such as mechanical meters and Automatic Meter Reading (AMR) meters, smart meters are equipped with a two-way communication module to exchange data (e.g., customer's information, power readings, and control commands) between customers and a utility. Based on the real-time data acquisition and control capability, AMI facilitates power flow reading, load forecasting, demand response, outage management, system monitoring, and dynamic pricing programs. However, cyber-physical system (CPS) security has become a significant concern to the smart grid infrastructure, as well as AMI devices. In 2015 and 2016, cyber attacks on the Ukrainian power grid [1], [2] have demonstrated that power grids are vulnerable to cyber intrusions.

Cyber security of the AMI network is widely recognized as a critical issue [3]–[6]. For power consumers, data privacy is a primary concern as current meters are upgraded to smart meters [7]. To guarantee the confidentiality of data, a new communication protocol has been proposed [8]. In [9], an encryption scheme has been developed for AMI network messages with minimal computation and communication overheads in encryption and decryption operations. For utilities, data integrity and availability attacks can threaten the quality of power grid services and revenues. To prevent energy theft, various studies have proposed different detection algorithms by analyzing historical and present consumption data [10]–[12]. Reference [13] discusses energy theft through the pricing system. It is aimed at a long term detection technique to capture anomaly pricing events. Due to vulnerabilities of wireless communication and physical devices, meter tampering is one of the potential attacks. In [14], a collaborative intrusion detection mechanism is proposed to detect False Data Injection (FDI) attacks. The work of [15] introduces a specification-based intrusion detection system for advanced metering infrastructures. Any sequence of operations executed outside the system's specifications is considered a security violation. To develop a comprehensive solution, the authors of [16] propose an IDS architecture which covers the entire AMI network, including AMI headend (e.g., meter data management system), grid router, and smart meters. Machine Learning (ML) based detection algorithms can handle multiple attack types.

This paper proposes an IDS that includes two detection processes for smart meters to identify malicious behaviors which are intentionally driven by humans. In comparison with existing detection systems, the proposed design can handle different intrusion types rather than only focus on a specific intrusion type (e.g., energy theft or FDI). The individual purposes of the two detection processes are: (i) collecting intrusion evidence, and (ii) confirming an intrusion event through the detected abnormal behaviors in the system. At the first stage, the SVM technique is used to identify suspicious behaviors in a smart meter and report to the IDS. Relative to other intrusion detection techniques (e.g., knowledge- and anomaly-based), ML-based detection systems are easier to maintain due to the fact that detection accuracy can be achieved by re-training the model of the classifier when new system data is available.
An SVM classifier is a useful tool to detect abnormal behaviors. It provides fast response and does not require heavy computational effort. This feature meets the requirement of IDS for smart meters. However, the reported abnormal behaviors may include the communication failure events which are not caused by cyber attacks. In order to reduce the false alarm ratio by excluding the communication failure events, a comprehensive anomaly-based detection algorithm is developed. The SVM classifier is used to avoid excessive usage of the second-stage detection algorithm. Only high risk events are sent to the anomaly-based IDS for advanced inspection. Therefore, the two-stage detection process may cause an extra processing burden. However, most of the low risk events bypass the second-stage detection. Hence, the proposed two-stage detection scheme is able to reduce the false alarm ratio and limit the usage of computation power for smart meter applications. In addition, SVM requires less training time than Neural Network (NN) algorithms (e.g., feedforward, recurrent, and convolutional) which can handle a vast amount of data in AMI networks. A shorter training time implies that smart meters can update the SVM-based IDS in a more responsive manner. When an unknown attack event is identified, the new SVM model can be trained and sent within a shorter time to seek the defense power of smart meters.

At the second stage, the intrusion detection process calculates the similarity between the reported abnormal behaviors and pre-defined intrusion events. To determine whether the intrusion alarm is caused by a random system failure or a cyber attack, the potential attack routes are proposed to provide information with abnormal behavior sequences in four types of cyber attack events. If a detected abnormal event is matched with any of the predefined sequences, it is considered an intrusion event. In this research, a CPS test platform has been developed and used to emulate the operation and communication of smart meters. It is a source to collect the smart meter's data for SVM training and testing purposes. In addition, the performance of the proposed IDS has been validated by simulating cyber attacks on this test platform. The test results demonstrate that the proposed detection algorithms are practical for the detection of simulated attacks on emulated AMI devices. The main contributions of this paper are as follows:
1) Developed an on-line detection IDS method that considers the limited computational capability of a smart meter.
2) A pattern matching algorithm is proposed to identify cyber attack events. This is achieved by creating realistic attack paths using the TFPG technique.
3) A realistic cyber-physical system test platform has been developed for smart meters. It is used for validating and evaluating the AMI network, impact of cyber attacks, and performance of IDS. It is also able to generate the training data for the SVM-based detection algorithm.

In the remainder of this paper, Section II describes the vulnerability of smart meters, including hardware and communication components. Section III presents the proposed intrusion detection system for smart meters. Section IV discusses the components of the AMI test platform at Washington State University (WSU). Section V provides the test results of the proposed detection system. The conclusion and future work are stated in Section VI.

II. CYBER SECURITY VULNERABILITY OF SMART METERS

Since most of the AMI devices are not installed in a monitored environment, attackers may study the weaknesses of both wireless communication and physical devices and then launch cyber attacks. This section will discuss the cyber security vulnerabilities of a smart meter.

A. Hardware Vulnerabilities

Fig. 1 shows five primary compartments in a smart meter: (i) Central Processing Unit (CPU), (ii) Random Access Memory (RAM), (iii) communication module, (iv) flash memory (EEPROM), and (v) energy sensors. Since software/hardware components of smart meters are similar to those of other ICT devices, cyber attackers may adapt intrusion techniques from those employed in other software systems.

Fig. 1. Hardware components inside a smart meter with potential attack targets.

In a smart meter, firmware controls the critical functions that handle the low-level sensor data, data conversion, and data reporting. Since most functionalities are accomplished through software, new functions can be added by performing updates. Firmware upgrades can be deployed using over the air mechanisms, or manually uploaded by using the on-board optical port. Firmware-based attacks can hinder the device's ability to operate as intended; multiple hardware components can be targeted when tampered firmware or settings are compromised by attackers. The possible attack behaviors for different targeted components are:
— CPU (A1): Exhausting CPU's computational resources by installing malware that causes dummy operations.
— Communication Module (A2): The communication channels can be disabled or manipulated in unintended manners. In addition, AMI devices communicate in frequency bands that can be easily monitored, jammed, or compromised.
— RAM (A3): RAM exhaustion can also cause metering and communication applications to freeze or slow down. Operating Systems (OS) kernels terminate running application(s) or reboot to handle these faults.
— Flash Memory (A4): Attackers can modify recorded consumption data; device calibration and operation modes can be altered by modifying configuration registers.
— Sensor (A5)/Actuator Compromise (A6): By sending a tripping command, the utility system can disconnect a customer.
— Inter-Board Communications (A7): All components shown in Fig. 1 adopt low-level communication protocols that can be analyzed and modified to suit the attacker needs. Due to physical access requirements, these attacks tend to be isolated.

In summary, attackers can launch various types of cyber attacks to impact operations in a distribution system. The consequences of these attacks are reduced utility's revenues, violation of customers' privacy, or, in the worst case, power outages.

B. Vulnerability of Wireless Communication

End to end communication in the AMI environment is achieved using a mixture of network architectures, communication protocols, and interfaces between the control center and field devices. Network architectures include: (i) Local Area Network (LAN), (ii) Wide Area Network (WAN), (iii) Neighborhood Area Network (NAN), and (iv) Home Area Network (HAN). Fig. 2 shows the communication structure of an AMI system. This paper is focused on securing the communication path within the NAN domain. The initial AMI meters deployed in North America used ZigBee, while newer models use the IEEE 802.15.4g standard, either at the sub-GHz (i.e., 900 MHz) or 2.4 GHz [17]. Both frequency bands fall under the Industrial, Scientific, and Medical (ISM) regulatory domain. Therefore, frequencies are public and can be used by other devices. Furthermore, the wide availability of sniffers, signal modulators, and demodulators raises the overall risk levels since these tools are accessible and affordable. To reduce these risks, AMI devices use encrypted messages for data communication, for achieving integrity and confidentiality, while using meshed networks to provide availability under the CIA triad requirements [18]. However, security flaws have been discovered even with these mitigation efforts. Some security issues are:
— Privacy Issues: Packet encryption protects the payload content, but it fails to protect the identity of the sender and receiver (MAC addresses) [1]. Furthermore, researchers have been able to identify the usages (e.g., control commands and consumption reports) of different network packets even when they are encrypted [2]. Such knowledge can be used for attacks that target specific operations.
— Integrity: By using hardware forensics, local HAN passphrases can be recovered. These in conjunction with spoofed MACs can be used to create false network messages if the devices are not authenticated.
— Availability: Signal jamming, as well as DoS attacks, can limit message transmission, leading to situations where the control center cannot send commands, or the device is unable to report its status.

Fig. 2. Communication structure of an AMI network.

III. INTRUSION DETECTION SYSTEM

This section introduces two detection algorithms for: (i) detecting abnormal behaviors in a smart meter, and (ii) recognizing cyber attack attempts. The IDS for smart meters should consider the limited computational resources. Although existing IDSs provide excellent defense capabilities against cyber attacks, the detection function may consume significant computational resources and impact the operation of smart meters. The framework of the proposed IDS includes three parts: (1) anomaly detection (SVM classifier), (2) intrusion detection (pattern matching algorithm), and (3) information flow between smart meters and a control center for exchanging training data and SVM model. This multi-stage algorithm is designed to outperform other SVM-based anomaly detection techniques when computational resources are limited. Fig. 3 depicts the architecture of the proposed IDS. The specific functions for each block are described in the following subsections.

Fig. 3. Structure of the proposed intrusion detection system for smart meters.

A. Support Vector Machine Detection Technique

SVM is a kernel-based supervised learning algorithm to analyze associated data for solving classification and regression problems. SVM classifiers find an optimal hyperplane to separate data points by maximizing the margin between a hyperplane and support vectors in each class. Equation (1) denotes the optimization problem for the soft-margin hyperplane with the nonnegative slack variable $\xi$:

$$\text{Minimize: } Q(w, b, \xi) = \frac{1}{2}\|w\|^2 + C\sum_{i=1}^{M}\xi_i$$
$$\text{Subject to: } y_i\left(w^T x_i + b\right) \ge 1 - \xi_i,\quad \xi_i \ge 0,\quad i = 1, \ldots, M \qquad (1)$$

where $w$ and $x_i$ ($i = 1, \ldots, M$) are m-dimensional weight and input vectors, respectively. The symbol $b$ is a bias term, while $y_i$ is the class indicator. The tradeoff between the maximization of the margin and minimization of the classification error is determined by the margin parameter $C$.

To reduce the impact on training ability caused by the margin parameter in soft-margin SVMs, kernel tricks are used to improve the linear separability of training data. By using a nonlinear vector function $\phi(x) = (\phi_1(x), \ldots, \phi_l(x))$, the m-dimensional input vector $x$ can be mapped into the l-dimensional feature space. The decision function in the feature space is expressed as:

$$D(x) = w^T \phi(x) + b \qquad (2)$$

In terms of solving the quadratic optimization problem of SVM, each training data point is in the form of dot products. To simplify the calculation of dot product terms, $\langle \phi(x_i), \phi(x_j) \rangle$, a kernel function $K$ is introduced:

$$K(x_i, x_j) = \phi(x_i) \cdot \phi(x_j) \qquad (3)$$

The properties of a training dataset affect the performance of kernel functions. In general, existing kernel functions can be categorized into two classes, and it can be a guideline for selection of a feasible kernel [19]. Reference [20] provides a comprehensive list of kernel functions for SVMs.

1) Local Kernels: Only nearby data points can affect the SVM model. It has a higher learning ability, but the generalization ability is lower. It is used as a general-purpose kernel when there is no prior knowledge about the training dataset.

2) Global Kernels: Allowing data points from a greater distance to affect the SVM model. It has a higher generalization ability, but the learning ability is lower.

In Fig. 4, Radial Basis Function (RBF) and Polynomial kernels are selected as the local and global kernel functions for the test, respectively [21]. To calculate the kernel values for each kernel function, the test input is set as $v = 1$. Fig. 4(a) shows the closer the test input, the greater the kernel value for the different free parameters ($\sigma$). This result implies only the nearby data points have an influence on the kernel value. Due to a local kernel function that may discard or weaken the influence of some training data points, the SVM model loses the generalization property. However, it pays more attention to a certain number of data points located in a smaller range. Thus, it improves the learning ability by increasing the depth and sacrificing the breadth of the information. The global effect of the Polynomial kernel function of different degrees is presented in Fig. 4(b). It shows that every data point from the set $\mu$ has an influence on the kernel value of the test input $v$.

Fig. 4. Kernel values of (a) a local kernel function (RBF) and (b) a global kernel function (Polynomial).

Typically, smart meters have limited processing power. To minimize the consumption of computational resources in a smart meter, the proposed SVM based detection process integrates with two auxiliary control blocks: (i) updating, and (ii) operation mode, which govern when the SVM model is updated and when the detection process is triggered. According to the classification process of the proposed SVM setting, an abnormal event indicator $ADS_{ind}$ is given to indicate the status of input data.

$$ADS_{ind} = \begin{cases} 1, & \text{if } D(x) = \text{Class1 (Abnormal)} \\ 0, & \text{if } D(x) = \text{Class2 (Normal)} \end{cases} \qquad (4)$$

Once $ADS_{ind} = 1$ is given by the SVM classifier, the second stage of the proposed IDS is activated to identify an intrusion event by collecting evidence from device logs of a smart meter. Otherwise, the detection process stays silent until the next round of system inspection.

TABLE I. ABNORMAL EVENTS FOR SMART METERS IN TFPG MODEL

Fig. 5. Attack routes for smart meters.

B. Pattern Recognition Algorithm for Intrusion Detection

Arbitrarily reported abnormal events cannot serve as conclusive evidence to identify an attack, because they may be caused by system failures (e.g., communication delay, low battery, and poor data sampling). Too many false intrusion alarms may affect the operation of a distribution system. Therefore, an anomaly-based detection mechanism is developed to perform the inspection. To help intrusion detection systems successfully identify malicious behaviors by attackers, this paper proposes to construct attack routes for determining anomaly paths of each threat type. A TFPG [22] is a model-based diagnosis technique for a dynamic system. It was used for capturing the causal and temporal relationships between failures and consequences in a system. This feature can also be used for modeling temporal relationships between abnormal behaviors (cause) and attack types (effect). Fig. 5 shows an example TFPG model for describing cyber attacks in smart meters. In the TFPG model, abnormal event nodes and arrows illustrate different attack routes. In this paper, four types of cyber attacks are included in the proposed TFPG model:
— Denial of Service: Attackers may use a transmitter to create a tremendous amount of wireless signal, congesting the communication channel(s) of smart meters. The dummy network packets block the communication with other meters or a grid router. This attack type does not impact the integrity and confidentiality of smart meters' data, but the low availability has a negative effect on the power system services.
— False Data Injection: Attackers are able to access victim smart meters and send the commands via an AMI network. The commands include: (1) requisition of data (consumption data and/or meter status log file) from a victim meter and (2) request of modifying (i.e., overwrite, insert and delete) any of the data points stored in the meter. The falsified data may impact power system services and mislead the operators to take unwanted actions on the power system.
— RAM Exhaustion: Malware could be installed in a smart meter, generating dummy data to fill the memory. When the available memory capacity is low, some application processes become slow or even freeze. It may cause data loss, device freeze, or frequent reboot.
— CPU Overloading: Malware may be installed in a smart meter, generating processes that consume heavy computational power (e.g., matrix multiplication). Besides the consequences of RAM exhaustion, smart meters may be physically damaged because of the heat produced by CPU operations.

A series of abnormal events will be considered an intrusion behavior only if they are detected in a sequence that matches the predefined attack routes. Otherwise, the detected abnormal events will be regarded as a system failure. A description of abnormal behaviors is provided in Table I. In the design of the proposed IDS, two assumptions are made: (i) intruders' actions follow the sequence in the proposed attack routes, and (ii) IDSs have a false negative problem and fail to capture one or more abnormal events. Under these assumptions, the edit distance can be utilized as the method for attack pattern recognition [23], [24].

In the TFPG model, each abnormal event is assigned an English letter from the alphabet as shown in Fig. 5. Each path, $P \in \{P_1, P_2, P_3, P_4\}$, from the first abnormal event node (i.e., node a) to an attack type node (i.e., nodes A, B, C, and D) is considered a correct sequence in a dictionary as shown in Table II. The similarity is measured by the edit distance $d$, between the input and predefined patterns in the dictionary. Once the first abnormal behavior is detected, the IDS starts to record the sequence of abnormal events. At each time stamp, it computes the minimum edit distance ED. The calculation is done by the Wagner-Fischer algorithm [25]. The ED is defined as the minimum number of edit operations that match one pattern to another. In this paper, the edit operations include (i) $W_{del}$: delete a single symbol, (ii) $W_{ins}$: insert a single symbol, and (iii) $W_{trans}$: transposition of two successive symbols. Each operation is counted as a unit cost by giving $W_{del} = W_{ins} = W_{trans} = 1$. The calculation process is based on the observation between all prefixes of the first pattern $a$ as well as the second pattern $b$, where the lengths are $m$ and $n$, respectively. A matrix is created to hold each edit distance of prefixes of two patterns. All the values in the matrix are filled by repeating the observation between prefixes of two patterns. Then, the last computed distance, $d_{mn}$, is the distance (ED) between two full strings. In [26], the computation of the edit distance between two finite strings, "a" and "b", is defined as "traces". A trace, $T_{a,b}$, from sequence $a$ to $b$, is a sequence of ordered pairs of integers $(i, j)$ that satisfy:
1) $1 \le i \le m$ and $1 \le j \le n$, where $m$ and $n$ are lengths of string $a$ and $b$, respectively.
2) For any two pairs $(i_1, j_1)$ and $(i_2, j_2)$ in $T_{a,b}$: (a) $i_1 \ne i_2$, $j_1 \ne j_2$; (b) $i_1 < i_2$ iff $j_1 < j_2$.

Take two strings "Ryan" and "Ray" as an example. A person can easily match Ryan to Ray in two steps: (1) delete "n" and (2) swap "y" and "a." In this case, the edit distance is 2. However, computers need to execute a series of comparison processes from left to right, character by character. First, the prefixes for two strings are: {R}, {Ry}, {Rya}, {Ryan}, and {R}, {Ra}, {Ray}. Then, the entire comparison step is listed as follows: ({R},{R}), ({R},{Ra}), ({R},{Ray}), ({Ry},{R}), ({Ry},{Ra}), ({Ry},{Ray}), ..., ({Ryan},{Ray}). Therefore, all pairs of prefixes are compared to obtain the edit distance of the two strings. The calculation for the matrix elements can be formulated as:

$$d_{i0} = \sum_{k=1}^{i} W_{ins}(a_k) \quad \text{for } 1 \le i \le m \qquad (5)$$

$$d_{0j} = \sum_{k=1}^{j} W_{del}(b_k) \quad \text{for } 1 \le j \le n \qquad (6)$$

$$d_{ij} = \begin{cases} d_{i-1,j-1}, & \text{if } a_i = b_j \\ d_{i-2,j-2} + W_{trans}(b_{j-1}, b_j), & \text{if } a_{i-1}a_i = b_j b_{j-1} \\ \min\{d_{i-1,j} + W_{ins}(a_i),\ d_{i,j-1} + W_{del}(b_j)\}, & \text{otherwise} \end{cases} \qquad (7)$$

$$ED = d_{mn} \qquad (8)$$

TABLE II. ATTACK ROUTE SET GENERATED FOR SMART METERS

Algorithm 1 Wagner-Fischer Algorithm
Input: a = a_0, a_1, ..., a_m and b = b_0, b_1, ..., b_n
Output: Edit Distance (ED)
    // Using Eq (5) and Eq (6) to fill the first row and first column.
    for i = 0 to m do
        d_{i0} = i;
    end for
    for j = 0 to n do
        d_{0j} = j;
    end for
    // Using Eq (7) to fill the matrix other than the first row and column.
    for i = 1 to m do
        for j = 1 to n do
            if (a_i = b_j)
                d_{ij} = d_{i-1,j-1};
            elseif (a_{i-1} a_i = b_j b_{j-1})
                d_{ij} = d_{i-2,j-2} + 1;
            else
                d_{ij} = min{d_{i-1,j} + 1, d_{i,j-1} + 1};
            end if
        end for
    end for
    // Using Eq (8) to obtain the edit distance
    Edit Distance (ED) = d_{mn};

Fig. 6 demonstrates how to calculate the edit distance by using the Wagner-Fischer algorithm. Assume a sequence of abnormal behaviors is detected in an FDI attack. Due to non-ideal factors, there exist missing or mistaken reports in the abnormal event sequence. In the example in Fig. 6, the IDS fails to capture event "e" and is mistaken in the sequence of events "b" and "c." Thus, the IDS calculates the similarity between "acbf" (detected event) and the attack path $P_2$ in Table II. The elements in the first row and column are decided by (5) and (6), respectively. Then, the rest of the blanks can be calculated by (7). Once the last element (corner at the bottom right) is filled, the ED between two patterns is obtained.

Fig. 6. Computing distances with matrix by Wagner-Fischer algorithm.

TABLE III. SYSTEM STATUS ACCORDING TO REPORTS OF ADS AND IDS

TABLE IV. SPECIFICATION OF SINGLE BOARD COMPUTER

Using the pattern recognition algorithm, the detected abnormal event is compared with each pre-defined cyber attack in the dictionary (Table II) and an ED value is obtained. Among all four calculated ED values ($ED_1, ED_2, \ldots, ED_4$) according to the attack paths ($P_1, P_2, \ldots, P_4$), the path with the fewest edit operations is considered the most likely attack type. Then, an attack similarity index, $IDS_{ind}$, is defined as:

$$IDS_{ind} = \max\left(1 - \frac{ED_i}{\mathrm{Length}(P_i)}\right) \qquad (9)$$

where $i = \{1, 2, 3, 4\}$. Once $IDS_{ind}$ is greater than a user-defined threshold value $V_{th}$, the detected event is regarded as an intrusion event. Otherwise, it requests another round of inspection of the SVM detection process. The threshold value can be regarded as the sensitivity of the second-stage detection process. A greater threshold value setting requires stronger evidence to identify a cyber attack event. In other words, the time order of the detected anomaly event should be similar to one of the predefined attack paths.
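The second-stage check described so far (Eqs. (5)-(9) and the threshold $V_{th}$), as an added Python example that is not code from the paper. It takes the cheapest of all applicable branches of Eq. (7) rather than the first one that matches, which can only lower the result. The routes in `ATTACK_ROUTES` are constructed placeholders (Table II's contents are not reproduced here), and the function names and the `recheck_svm` label are assumptions.

```python
# Added example: second-stage pattern matching (Eqs. (5)-(9)) in plain Python.

# Constructed attack-route dictionary. These letter sequences are placeholders
# for illustration only; they are NOT the contents of the paper's Table II.
ATTACK_ROUTES = {"P1": "abd", "P2": "abcef", "P3": "aghk", "P4": "agmn"}


def edit_distance(a, b, w_ins=1, w_del=1, w_trans=1):
    """Edit distance using only insert, delete and adjacent transposition."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(1, m + 1):            # Eq. (5): d[i][0]
        d[i][0] = d[i - 1][0] + w_ins
    for j in range(1, n + 1):            # Eq. (6): d[0][j]
        d[0][j] = d[0][j - 1] + w_del
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            # Eq. (7): start from the insert/delete branch, then try the
            # match and transposition branches whenever they apply.
            best = min(d[i - 1][j] + w_ins, d[i][j - 1] + w_del)
            if a[i - 1] == b[j - 1]:
                best = min(best, d[i - 1][j - 1])
            if (i > 1 and j > 1
                    and a[i - 2] == b[j - 1] and a[i - 1] == b[j - 2]):
                best = min(best, d[i - 2][j - 2] + w_trans)
            d[i][j] = best
    return d[m][n]                        # Eq. (8)


def similarity_index(detected, routes=ATTACK_ROUTES):
    """Eq. (9): return (closest route, IDS_ind, {route: ED})."""
    if not routes or any(len(path) == 0 for path in routes.values()):
        raise ValueError("every attack route needs at least one event")
    eds = {name: edit_distance(detected, path) for name, path in routes.items()}
    scores = {name: 1 - eds[name] / len(routes[name]) for name in routes}
    best = max(scores, key=scores.get)
    return best, scores[best], eds


def second_stage(detected, v_th, routes=ATTACK_ROUTES):
    """'intrusion' if IDS_ind > V_th, otherwise hand back to the SVM stage."""
    _, ids_ind, _ = similarity_index(detected, routes)
    return "intrusion" if ids_ind > v_th else "recheck_svm"


def monitor(events, v_th, routes=ATTACK_ROUTES):
    """Re-evaluate after each reported abnormal event, as the IDS records them."""
    seen, timeline = "", []
    for event in events:
        seen += event
        best, ids_ind, _ = similarity_index(seen, routes)
        verdict = "intrusion" if ids_ind > v_th else "recheck_svm"
        timeline.append((seen, best, round(ids_ind, 3), verdict))
    return timeline


if __name__ == "__main__":
    # "acbf" is the detected sequence from the Fig. 6 discussion:
    # event "e" missed, events "b" and "c" reported in the wrong order.
    for row in monitor("acbf", v_th=0.5):
        print(row)
    print(second_stage("acbf", v_th=0.8))
```

With the constructed routes, the stream a, c, b, f crosses $V_{th} = 0.5$ only on the fourth event; at $V_{th} = 0.8$ the same sequence is handed back to the SVM stage.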
Therefore, an extremely high threshold value may cause extra false negatives. In contrast, false positive alarms may increase if the threshold value is low. Therefore, a lower threshold value is suggested in a new or an unknown communication environment to increase the detection rate. On the other hand, a higher threshold is able to reduce the false positives in a well-known and stable communication network.

If $ADS_{ind}$ still equals 1 in the second round inspection, it reports a system failure alarm to the control center. Otherwise, the proposed IDS stays silent until the next round of system inspection. According to the different combinations of $ADS_{ind}$ and $IDS_{ind}$, an operator can conclude the system status, which is shown in Table III.

IV. CYBER-PHYSICAL SYSTEM TESTBED

Training data plays a significant role in every ML-based algorithm and directly affects the performance. Currently, most of the AMI cyber security studies use IDS databases, KDD Cup 99' [27], DARPA 1998 [28], and ADFA-LD [29], to train/test an ML-based detection system. Since these datasets were not developed in an AMI network environment, the training result might not be applicable for smart meters. In some other ML applications in AMI (e.g., load forecasting), a proprietary smart meter database is used. These datasets are provided by utilities with their proprietary AMI system. The attributes (e.g., current, voltage, power consumption, and frequency)

A. Hardware Setting

The selected SBC has a similar hardware structure which is introduced in Section III. The specifications of Table IV show the computational capability of the SBC. An SBC has two individual flash memories. The smaller one is for the O/S and core components, whereas applications, meter data, and log files are stored in the embedded Multi-Media Controller (eMMC) memory. The board runs a minimal Linux kernel with a BusyBox shell [31]. This combination provides a basic set of UNIX based commands that are intended to be used for systems with minimal resources. The onboard communication module provides a sub-GHz (902–928 MHz) IEEE 802.15.4 radio used for mesh networking. According to the different modulators, the data rate can be set between 12.5 to 600 Kbps. To establish a realistic AMI communication environment, two SBCs are set as a smart meter and a grid router with 200 Kbps data rate on channel 1 (906 MHz).

B. Co-Simulation of Emulated AMI Devices and NS-3

The testbed has two parts: (1) simulation and (2) emulation. Since emulation of an AMI network requires numerous physical devices and system configurations, it is not feasible due to limited availability of the equipment and engineering costs. In addition, the interoperability of different hardware increases the difficulty of developing an AMI testbed. In contrast, simulation methods cannot reflect the real communication
are not suitable for IDS studies since they only account for behaviors since they do not establish communication links
power system behaviors. To acquire a feasible dataset in by generating network packets. To eliminate the drawbacks
AMI, a CPS testbed has been developed at WSU. Smart City of an individual emulation or simulation method, a hybrid
Testbed (SCT) [30] was built for studying the effectiveness of test platform for a large-scale AMI network is developed in
cyber intrusions and mitigation techniques. In this paper, the this research. NS-3 is an open-source discrete-event network
SCT is extended by adding AMI components. Commercial- simulator that provides multiple sets of C++ and/or Python
grade SBCs capable of operating under IEEE 802.15.4 are libraries to develop a test communication network. By using
available. The performance of CPU and peripheral electronic the IEEE 802.15.4 library, a communication model of the AMI
components is sufficiently high to emulate a real smart meter network is designed with 5 NANs and over 900 communica-
in terms of the computational and wireless communication tion nodes. The topology of physical devices is referred to as
capability. The WSU SCT includes 19 actual smart meters the existing cellular network. In the proposed intrusion detec-
that are installed at a student dormitory on campus. To pro- tion method, the smart meters are assumed to send telemetry
vide communications, the AMI network messages are captured data (i.e., power consumptions and meter operating status) to
by a transceiver that supports IEEE 802.15.4 communication. the control center using their local NAN. This is achieved by
After analyzing the network traffic pattern, SBCs are config- defining a star-like topology that connects the control center
ured to generate the same traffic pattern for collecting the and the outfield NANs. Therefore, no multi-hop, or mesh-like
training data for the proposed IDS. communications are required for multi-NAN traversal.

Fig. 7. Co-simulation of IEEE 802.15.4 communication.

NS-3 provides the TapBridge model to integrate physical communication hosts into network simulations, bridging the real-world environment with the virtual simulation. Fig. 7 depicts the co-simulation method for the physical devices and a simulated AMI network. This paper is focused on the emulation of smart meters by commercial-grade SBCs. The emulation platform is used to collect training data, simulate cyber attacks and analyze the impact, and validate the proposed IDS. The NS-3 simulation ensures that the data exchange, including power consumption data, beacon signals of smart meters, and distribution of the SVM model, will not congest the AMI network.

V. SIMULATION RESULTS AND ANALYSIS

The proposed AMI test platform is used to simulate different types of attacks and analyze the effectiveness of the proposed detection system at each stage. The performance of different ML algorithms is compared. Three attack scenarios are generated for validation of the proposed pattern recognition algorithm.

A. Training Process of ML Algorithms

The Operating System (O/S) of the SBC supports executing Portable Operating System Interface (POSIX) commands to monitor the device attributes, providing input data for training and testing of the SVM and NN models. No prior knowledge of the cyber attacks on smart meters is assumed. It is generally difficult to determine the criticality of a smart meter’s measurements that can most impact the accuracy of the SVM model. In addition, new types of cyber attacks may appear at any time, causing different symptoms for a smart meter. Therefore, the proposed strategy in this research is to include every measurement of the computer system that can be monitored by a smart meter, such as CPU, RAM, storage, and network traffic readings. Table V lists the total of 19 features in this research. To generate the training data, the network packets are generated and sent by the SBCs, which are used to emulate a smart meter, a grid router, and AMI communication. The two sets of the training data are listed as follows:

1) Normal Data: Sending one beacon signal every 15 seconds and three copies of a power consumption data point every 20 minutes. In the test dataset, 5000 instances are collected under this class label.

2) Attack Data: Besides the routine packet sending, one of the designed attack behaviors is executed simultaneously. The cyber attacks include CPU overloading, memory exhaustion, and packet burst. A total of 1173 instances fall under the attack class in the test dataset.

TABLE V
INPUT FEATURES FOR TRAINING AND TESTING PROCEDURES

The Python tool, Scikit-Learn [32], is used for NN and SVM implementation with two typical kernel functions from different categories (i.e., global and local) which are listed in Table VI. To enhance the credibility of test results, the random selection method is used to choose a subset from the overall dataset as training data. Three groups of training are conducted for the SVM model according to the training ratios, i.e., 80%, 70%, and 60%. Moreover, to demonstrate the influence of kernel functions, different values are applied to kernel parameters, d and γ, in Polynomial and RBF kernels, respectively. Note that degree, d, is a natural number and γ is a positive parameter which is defined as the radius of influence of selected support vectors. To compare the detection performance between different ML algorithms, a Multi Layer Perceptron (MLP) model is selected as a NN algorithm. It has 10 hidden layers with 10 neurons in each layer, and the training ratio is set at 80%.

TABLE VI
TESTED KERNEL FUNCTIONS FOR SVM

NS-3 is used to experimentally verify that the overhead traffic, induced by transmission of the SVM training data, does not cause a heavy burden on a large-scale AMI network. In this work, the utilization ratio is proposed as a metric to determine the utilization overhead induced by the SVM data-transfer process. That is,

$\text{Utilization ratio} = \frac{\text{Occupancy of communication channel}}{\text{Sending cycle}}$ (10)

The pre-trained SVM model has a size of 353 Kbytes, and the throughput of the communication channel is assumed to be 200 Kbps. As a result, it takes 14.12 seconds for the data to travel from the grid router to a smart meter. Since each smart meter sends measurements every 20 minutes, the sending cycle will be set to 1200 seconds. Based on (10), the SVM data-transfer introduces a small overhead (∼1.18%), indicating that the proposed SVM-based IDS has a low impact on the operation of an AMI network.

B. Performance of SVM Classifier

Although SVM-based classifiers are often compared to other techniques such as Naïve-Bayes and K-nearest neighbor (KNN), there are some advantages (and disadvantages) that must be considered in terms of computational and time complexities that were analyzed during the development phase of this study. The comparison is summarized as follows:

— Space Complexity: KNN implementations need to store every data point in the original data set, which can be modeled as O(n). In contrast, SVM classifiers are able to store their training data within the O(1) space. This reduced space complexity is an important aspect to consider when the systems are executed in memory-constrained devices such as smart meters. In terms of space complexity, SVM is preferred.

— Time Complexity: Time complexity must be considered under two scenarios, training and evaluation. For the first case, KNN has an O(0) complexity, while SVM-based solutions have a relatively high training complexity $O(\max(n, d)\,\min(n, d)^2)$, where d represents the dimensional features and n is the number of training examples. Under the evaluation scenario, KNN has an O(n) complexity, while SVM has a complexity of O(nsv) (where nsv is the number of support vectors).

C. Evaluation of ML-Based Detection Techniques

Two common metrics, Detection Rate (DR) and accuracy, are used to evaluate the performance of SVM models. DR is defined as a ratio between numbers of detected and total attack samples, whereas accuracy is measured by the overall True Positive (TP) and True Negative (TN) rates. The outcome of performance metrics is the average values from the 100-round test with different selected training/testing datasets as well as the same kernel function, size of datasets, and kernel parameters.

1) SVM and Kernel Functions: Table VII provides the testing result of the proposed SVM method with the two kernel functions. It shows that the Polynomial kernel does not possess monotonically increasing or decreasing properties when: (i) d, and (ii) training ratio are monotonically increased/decreased. It can be assessed that local kernel functions are more suitable for the collected smart meter data compared with global kernel functions, indicating that there is no strong connection among data features.

TABLE VII
PERFORMANCE COMPARISON OF SVM MODELS FOR SMART METER ADS

2) Comparison of NN and SVM: To show the advantage of SVM, the same training process is applied to the MLP model with the minimal setting which can achieve a similar accuracy level. Table VIII shows the NN algorithm spends more time to complete the training. In contrast, the longest training time among all the tests of SVM is 0.52 seconds with respect to RBF kernel with γ = 5 and 80% of training ratio. Compared to the SVM, the NN algorithm takes over 2.5 times more seconds in the training process. To ensure the ML model can be updated in a timely manner when the new AMI data is available, training efficiency is a critical factor to affect the performance of the IDS.

TABLE VIII
COMPARISON BETWEEN ML ALGORITHMS

In this test, SVM is shown to be a better ML algorithm for real-time applications in AMI networks, and it is able to identify abnormal behaviors from the network traffic and usages of smart meters (Table V).

D. Attack Scenarios for Smart Meters

1) CPU Overloading (Case1): In this scenario, attackers are able to access the smart meter physically and open the cover to view the structure of the electronic components. Based on what they learned, they try to crack the login password by brute-force and modify a smart meter’s firmware, allowing unauthorized users to install malware. In the following, the malware is installed and executed by the attacker, which is used to create a high volume of dummy load to exhaust the CPU. Since the computing resource is overused, the system becomes slow and freezes. Finally, the smart meter automatically reboots. Therefore, an off-line record is written to the log file after the CPU is overloaded.

2) RAM Exhaustion (Case2): Attackers are assumed to already have the login information of a smart meter. After penetrating the smart meter’s internal system (e.g., filesystem and O/S), the malware is installed to create dummy data to fill the RAM. All the application processes in the target meter gradually slow down and freeze. Eventually, the smart meter reboots and loses all the unsaved data.

3) Denial of Service (Case3): Attackers have identified and tested the PANID and the communication channel of the victimized smart meter. With the information, attackers use a wireless signal transmitter to create heavy communication traffic by sending dummy network packets to the target.
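Each of the three scenarios above leaves a time-ordered string of abnormal events, which the second stage scores against the predefined attack paths using (7)-(9). The following Python is an added example, not the authors' code: it assumes unit weights for every edit operation and implements the recurrence in its standard optimal-string-alignment form, and the three attack-path strings are constructed so that they reproduce the figures reported in Section V-E (P4 of length 8 with ED4 = 1 for Case 1; events "b" and "d" captured with "c" missed for Case 3).

```python
"""Second-stage scoring: edit distance with adjacent transposition and the
attack similarity index IDS_ind = max_i (1 - ED_i / Length(P_i))."""

V_TH = 0.6  # threshold value V_th used in the paper's test cases

# CONSTRUCTED attack paths (assumption): the paper defines four paths P_1..P_4
# from its TFPG model. Only their lengths and edit distances are reported, so
# these strings are placeholders consistent with those reported numbers.
ATTACK_PATHS = {
    "cpu_overloading": "abcegijk",   # length 8; event "j" = abnormal CPU temperature
    "ram_exhaustion": "bcghk",       # assumed equal to the Case 2 detected sequence
    "denial_of_service": "bcd",      # Case 3 captures "b" and "d", misses "c"
}


def edit_distance(a, b, w_ins=1.0, w_del=1.0, w_sub=1.0, w_trans=1.0):
    """Wagner-Fischer dynamic program extended with adjacent transposition.

    d[i][j] is the cheapest way to turn a[:i] into b[:j]; ED = d[m][n].
    Constant weights are an assumption; the paper lets them depend on the symbol.
    """
    m, n = len(a), len(b)
    d = [[0.0] * (n + 1) for _ in range(m + 1)]
    for i in range(1, m + 1):
        d[i][0] = d[i - 1][0] + w_ins
    for j in range(1, n + 1):
        d[0][j] = d[0][j - 1] + w_del
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            same = a[i - 1] == b[j - 1]
            best = min(
                d[i - 1][j] + w_ins,                        # consume a_i only
                d[i][j - 1] + w_del,                        # consume b_j only
                d[i - 1][j - 1] + (0.0 if same else w_sub),  # match or substitute
            )
            # Two neighbouring events reported in swapped time order.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                best = min(best, d[i - 2][j - 2] + w_trans)
            d[i][j] = best
    return d[m][n]


def similarity_indices(detected, paths=ATTACK_PATHS):
    """Per-path similarity 1 - ED_i / Length(P_i); may be negative for poor matches."""
    return {name: 1.0 - edit_distance(detected, p) / len(p)
            for name, p in paths.items()}


def second_stage(detected, paths=ATTACK_PATHS, v_th=V_TH):
    """Return IDS_ind, the best-matching attack type, and the intrusion verdict.

    When IDS_ind does not exceed v_th the event is not declared an intrusion and
    the caller goes back to another round of first-stage (SVM) inspection.
    """
    scores = similarity_indices(detected, paths)
    attack, ids_ind = max(scores.items(), key=lambda kv: kv[1])
    intrusion = ids_ind > v_th
    return {"ids_ind": ids_ind,
            "attack": attack if intrusion else None,
            "intrusion": intrusion}


if __name__ == "__main__":
    for case, seq in (("Case 1", "abcegik"), ("Case 2", "bcghk"),
                      ("Case 3", "bd"), ("single event", "k")):
        print(case, seq, second_stage(seq))
```

A single missed event costs a long path little (1/8 for the CPU overloading path) but a short path a lot (1/3 for the DoS path), which is why the Case 3 score sits only just above the 0.6 threshold.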

TABLE IX
TEST RESULTS OF PROPOSED IDS

E. Validation of the Proposed IDS

Since the SVM provides high accuracy in the first stage detection process, the abnormal behaviors trigger the alarm in all the three test cases. Once ADSind is changed from 0 to 1, the IDS starts to collect the time information of detected abnormal behaviors for the second stage detection process. The test results are provided in Table IX.

In Case 1, the IDS fails to detect abnormal event “j” which shows an abnormal temperature of CPU. The sequence of detected abnormal behaviors is aligned along the time axis as “abcegik.” The proposed pattern matching algorithm obtains IDSind by finding the maximal similarity between the detected sequence and the pre-defined attack sequences. In this test scenario, the length of P4 is 8, and the corresponding ED4 is 1.

Therefore, IDSind is calculated as 0.875 by (9), which is the greatest value among all four attack paths. It indicates that the series of suspicious behaviors intends to launch a CPU overloading attack. Since IDSind is greater than the threshold, i.e., Vth = 0.6, this event is judged to be an attack. In Case 2, attackers do not physically access the target, and there is no abnormal report from the shaking sensor. The detected abnormal event sequence is “bcghk.” The path P3 generates the largest similarity index IDSind. The detection system reports this attack event as a RAM exhaustion attack. In the last test case, Case 3, the target meter receives a couple of packets from an unknown source address during testing of PANID. This behavior is recognized as a connection attempt. During the attack stage, the communication channel is congested. In this attack event, only “b” and “d” are captured by the IDS. IDSind is 0.667, indicating that a DoS attack is recognized. Although the event “c” is missing in the attack sequence, the IDS can still identify the cyber attack and the attack type.

VI. CONCLUSION

The growing number of smart meters on the customer side raised cyber security concerns about potential vulnerabilities of the new technologies. It is shown that intruders can launch a cyber attack by utilizing the vulnerability of hardware components and communication systems of smart meters. This paper proposes an IDS with the two-stage collaborative detection process for smart meters. The SVM classifier is applied as the abnormal behavior detection mechanism in the first stage. As soon as a suspicious behavior is detected, the second stage intrusion detection process is activated. According to the predefined attack routes, which are based on the TFPG technique, the pattern recognition algorithm is able to calculate the similarity index, indicating the likelihood of an intrusion event as well as the attack type.

An AMI test platform has been developed to provide a co-simulation environment, including emulating wireless communication between a smart meter and a grid router, simulating cyber attacks, collecting training/testing data, and validating the proposed detection system. In this work, the simulated 5 NANs are identical; however, this does not limit the AMI network simulation applicability. Users can apply different network topologies and bridge NANs with physical devices according to their needs. Since the proposed SVM-based detection system only requires local NAN data to classify normal versus abnormal data, it can be claimed that each NAN can operate in a parallel manner with respect to other NANs by only using a limited amount of computing power, O(nsv). Therefore, the proposed intrusion detection method is able to scale across multiple NANs as long as the computing requirements of each NAN are met.

The simulation results show that the SVM classifier exhibits good performance with kernel functions in the specific category. Compared to NN algorithms, SVM has an advantage in the shorter training time. This feature allows the proposed SVM model to be frequently updated to maintain a high level of detection accuracy. In the three test attack scenarios, the ML-based detection algorithm identifies abnormal behaviors and triggers the next stage detection process to investigate the sequence of the detected abnormal behaviors. The results show that all test scenarios are recognized by the IDS successfully.

To improve the detection accuracy of the SVM, more features to represent physical system behaviors can be added into the dataset, e.g., power measurement readings from feeders and neighboring meters. In this work, a star-like communication topology is used in the NS-3 simulator to evaluate the network performance after integrating the proposed IDS. Future research needs to be conducted to incorporate other AMI network topologies, a task required for simulation of large-scale AMI networks.

ACKNOWLEDGEMENT

The authors greatly appreciate the reviewers for the valuable comments that are incorporated in the revision.

REFERENCES

[1] Analysis of the Cyber Attack on the Ukrainian Power Grid, SANS and Electricity Information Sharing and Analysis Center (E-ISAC), Washington, DC, USA, Mar. 2016. [Online]. Available: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
[2] Analysis of the Threat to Electric Grid Operations, Dragos Inc., Hanover, MD, USA, Jun. 2017. [Online]. Available: https://dragos.com/wp-content/uploads/CrashOverride-01.pdf
[3] C. C. Sun, A. Hahn, and C. C. Liu, “Cyber security of a power grid: State-of-the-art,” Int. J. Elect. Power Energy Systs., vol. 99, pp. 45–56, Jan. 2018.
[4] Q. Sun et al., “A comprehensive review of smart energy meters in intelligent energy networks,” IEEE Internet Things J., vol. 3, no. 4, pp. 464–479, Aug. 2016.

[5] Y. Liu, S. Hu, and A. Y. Zomaya, “The hierarchical smart home cyberattack detection considering power overloading and frequency disturbance,” IEEE Trans. Ind. Informat., vol. 12, no. 5, pp. 1973–1983, Oct. 2016.
[6] K. I. Sgouras, A. N. Kyriakidis, and D. P. Labridis, “Short-term risk assessment of botnet attacks on advanced metering infrastructure,” IET Cyber Phys. Syst. Theory Appl., vol. 2, no. 3, pp. 143–151, Oct. 2017.
[7] S. Finster and I. Baumgart, “Privacy-aware smart metering: A survey,” IEEE Commun. Surveys Tuts., vol. 17, no. 2, pp. 1088–1101, 2nd Quart., 2015.
[8] Y. Yan, R. Q. Hu, S. K. Das, H. Sharif, and Y. Qian, “An efficient security protocol for advanced metering infrastructure in smart grid,” IEEE Netw., vol. 27, no. 4, pp. 64–71, Jul./Aug. 2013.
[9] A. Alsharif, M. Nabil, M. M. E. A. Mahmoud, and M. Abdallah, “EPDA: Efficient and privacy-preserving data collection and access control scheme for multi-recipient AMI networks,” IEEE Access, vol. 7, pp. 27829–27845, 2019.
[10] P. Jokar, N. Arianpoo, and V. C. M. Leung, “Electricity theft detection in AMI using customers’ consumption patterns,” IEEE Trans. Smart Grid, vol. 7, no. 1, pp. 216–226, Jan. 2016.
[11] Y. Liu and S. Hu, “Cyberthreat analysis and detection for energy theft in social networking of smart homes,” IEEE Trans. Comput. Soc. Syst., vol. 2, no. 4, pp. 148–158, Dec. 2015.
[12] S. McLaughlin, B. Holbert, A. Fawaz, R. Berthier, and S. Zonouz, “A multi-sensor energy theft detection framework for advanced metering infrastructures,” IEEE J. Sel. Areas Commun., vol. 31, no. 7, pp. 1319–1330, Jul. 2013.
[13] Y. Liu, S. Hu, and T. Ho, “Leveraging strategic detection techniques for smart home pricing cyberattacks,” IEEE Trans. Depend. Secure Comput., vol. 13, no. 2, pp. 220–235, Apr. 2016.
[14] X. Liu, P. Zhu, Y. Zhang, and K. Chen, “A collaborative intrusion detection mechanism against false data injection attack in advanced metering infrastructure,” IEEE Trans. Smart Grid, vol. 6, no. 5, pp. 2435–2443, Sep. 2015.
[15] R. Berthier and W. H. Sanders, “Specification-based intrusion detection for advanced metering infrastructures,” in Proc. IEEE 17th Pac. Rim Int. Symp. Depend. Comput. (PRDC), Pasadena, CA, USA, pp. 184–193, Dec. 2011.
[16] M. A. Faisal, Z. Aung, J. R. Williams, and A. Sanchez, “Data-stream-based intrusion detection system for advanced metering infrastructure in smart grid: A feasibility study,” IEEE Syst. J., vol. 9, no. 1, pp. 31–44, Mar. 2015.
[17] R. Ullah, Y. Faheem, and B. Kim, “Energy and congestion-aware routing metric for smart grid AMI networks in smart city,” IEEE Access, vol. 5, pp. 13799–13810, 2017.
[18] W. Stallings and L. Brown, “Computer security concepts” in Computer Security Principles and Practice, 2nd ed. London, U.K.: Pearson, 2012, ch. 1, sec. 1, pp. 10–17.
[19] L. Liang, Q. Wang, and Y. Chen, “Application of support vector machine in online monitoring of wastewater treatment based on combined kernel functions,” in Proc. Intel. Conf. Elect. Control Eng., Yichang, China, 2011, pp. 3840–3843.
[20] J. Zhang, “A complete list of kernels used in support vector machines,” Biochem. Pharmacol. Open Access, vol. 4, no. 5, p. 195, Oct. 2015.
[21] V. L. Brailovsky, O. Barzilay, and R. Shahave, “On global, local, mixed and neighborhood kernels for support vector machines,” Pattern Recognit. Lett., vol. 20, nos. 11–13, pp. 1183–1190, 1999.
[22] S. Abdelwahed, G. Karsai, N. Mahadevan, and S.C. Ofsthun, “Practical implementation of diagnosis systems using timed failure propagation graph models,” IEEE Trans. Instrum. Meas., vol. 58, no. 2, pp. 240–247, Feb. 2009.
[23] T. Okuda, E. Tanaka, and T. Kasai, “A method for the correction of garbled words based on the levenshtein metric,” IEEE Trans. Comput., vol. C-25, no. 2, pp. 172–178, Feb. 1976.
[24] N. D. L. R. K. Chaurasiya and S. Ghosh, “A novel weighted edit distance-based spelling correction approach for improving the reliability of Devanagari script-based P300 speller system,” IEEE Access, vol. 4, pp. 8184–8198, 2016.
[25] W. Masek and M. A. Paterson, “Faster algorithm computing string edit distances,” Comput. Syst. Sci., vol. 20, pp. 18–31, Feb. 1980.
[26] R. A. Wagner and M. J. Fischer, “The string-to-string correction problem,” J. Assoc. Comput. Mach., vol. 21, no. 1, pp. 168–173, 1974.
[27] The KDD99 Dataset. Accessed: Jul. 29, 2020. [Online]. Available: http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
[28] DARPA Intrusion Detection Data Sets, I. S. T. G. MIT Lincoln Lab, Lexington, MA, USA, 1998. [Online]. Available: http://www.ll.mit.edu/mission/communications/
[29] G. Creech and J. Hu, The ADFA Intrusion Detection Datasets. Accessed: Jul. 29, 2020. [Online]. Available: https://www.unsw.adfa.edu.au/unsw-canberra-cyber/cybersecurity/ADFA-IDS-Datasets/
[30] C.-C. Sun, J. Hong, and C.-C. Liu, “A co-simulation environment for integrated cyber and power systems,” in Proc. IEEE Int. Conf. Smart Grid Commun. (SmartGridComm), Miami, FL, USA, 2015, pp. 133–138.
[31] N. Wells, BusyBox: A Swiss Army Knife for Linux, JSLinux, San Francisco, CA, USA, Nov. 2000. [Online]. Available: http://busybox.net/
[32] F. Pedregosa et al., “Scikit-learn: Machine learning in python,” J. Mach. Learn. Res., vol. 12, pp. 2825–2830, Feb. 2011.

Chih-Che Sun (Member, IEEE) received the Ph.D. degree from the Department of Electrical Engineering and Computer Science, Washington State University, Pullman, WA, USA, in 2019. He is currently a Postdoctoral Research Staff with Lawrence Livermore National Laboratory, Livermore, CA, USA. His research interests include cyber-physical systems security, and modeling and simulation.

D. Jonathan Sebastian Cardenas (Member, IEEE) received the B.E. and M.Sc. degrees in electrical engineering from Instituto Politécnico Nacional, Mexico City, Mexico, in 2013 and 2015, respectively. He is currently pursuing the Ph.D. degree in computer science with Washington State University, Pullman, WA, USA. Within the professional field, he has collaborated in the development of training simulators and market analysis tools that are in use by the industry. His current research interests include cybersecurity of cyber-physical systems and data privacy with an emphasis towards IoTs and IBRs.

Adam Hahn (Member, IEEE) received the M.S. and Ph.D. degrees from the Department of Electrical and Computer Engineering, Iowa State University in 2006 and 2013, respectively. He worked as a Senior Information Security Engineer with the MITRE Corporation. He is an Assistant Professor with the Department of Electrical Engineering and Computer Science, Washington State University. His research interests include cybersecurity of the smart grid and cyber-physical systems, including intrusion detection, risk modeling, vulnerability assessment, and secure system architectures.

Chen-Ching Liu (Life Fellow, IEEE) received the Ph.D. degree from the University of California, Berkeley, CA, USA. He is currently an American Electric Power Professor and the Director of the Power and Energy Center, Virginia Tech, Blacksburg, VA, USA. He was the Chair of IEEE PES Technical Committee on Power System Analysis, Computing, and Economics. He is the U.S. Member of CIGRE Study Committee D2, Information Systems, and Telecommunication. He is a Member of the U.S. National Academy of Engineering.