c Consult author(s) regarding copyright matters · initial protective barrier, intrusion detection...

This may be the author’s version of a work that was submitted/acceptedfor publication in the following source:

Hu, Bowen, Zhou, Chunjie, Tian, Glen, Qin, Yuanqing, & Junping, Xinjue(2019)A collaborative intrusion detection approach using blockchain for multimi-crogrid systems.IEEE Transactions on Systems, Man, and Cybernetics: Systems, 49(8),Article number: 8700599 1720-1730.

This file was downloaded from: https://eprints.qut.edu.au/128808/

c© Consult author(s) regarding copyright matters

This work is covered by copyright. Unless the document is being made available under aCreative Commons Licence, you must assume that re-use is limited to personal use andthat permission from the copyright owner must be obtained for all other uses. If the docu-ment is available under a Creative Commons License (or other specified license) then referto the Licence for details of permitted re-use. It is a condition of access that users recog-nise and abide by the legal requirements associated with these rights. If you believe thatthis work infringes copyright please provide details by email to [email protected]

Notice: Please note that this document may not be the Version of Record(i.e. published version) of the work. Author manuscript versions (as Sub-mitted for peer review or as Accepted for publication after peer review) canbe identified by an absence of publisher branding and/or typeset appear-ance. If there is any doubt, please refer to the published source.

https://doi.org/10.1109/TSMC.2019.2911548

https://eprints.qut.edu.au/view/person/Tian,_Glen.html

https://eprints.qut.edu.au/128808/

https://doi.org/10.1109/TSMC.2019.2911548

IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS: SYSTEMS VOL. X, NO. X, MONTH 2018 1

A Collaborative Intrusion Detection Approachusing Blockchain for Multi-microgrid Systems

Abstract—Multi-microgrid (MMG) systems have the po-tential to play an increasingly important role in the trans-formation of existing power grid to smart grid. However,the open and distributed connectivity of MMGs exposesthe systems into various cyber-attacks, which may causeserious failures or physical damages, such as power supplyinterruption and human casualties. Therefore, ensuring thesecurity of MMGs is of paramount importance. To addressthis issue, a new collaborative intrusion detection (CID) ap-proach using blockchain is proposed in this paper for MMGsystems in smart grid. Due to the consensus mechanismof blockchain, the approach is designed without the needof a trusted authority or central server while improvingthe accuracy of intrusion detection in a collaborative way.It is equipped with a proposal generation method thatcombines periodic and trigger patterns to generate thedetection target of CID, i.e., a proposal. From the generatedproposals together with the correlation model of MMGs,a CID is achieved by using the consensus mechanism. Thefinal detection results of CID are stored on blockchain insequence. The use of an incentive mechanism motivates asingle microgrid to participate in consensus. The effective-ness of the presented approach is demonstrated through acase study on an MMG system.

Index Terms—Collaborative intrusion detection (CID);multi-microgrid (MMG); blockchain; consensus mecha-nism; incentive mechanism.

I. INTRODUCTION

In today’s power grid, energy is most generated inlarge and centralized power plants. Meanwhile, variousnew energy technologies are being introduced to thepower grid such as distributed generators, multi-agentsystems and cloud computing. Among these new tech-nologies, multi-microgrid (MMG) systems have the po-tential to play an increasingly important role in the futurepower grid [1]. They can be operated in either grid-connected or islanded mode [2]. New trading modelssuch as trading with the power grid, and purchasingfrom a controllable distributed generation plant, willcoexist [3], [4]. The typical structure of an MMG systemis shown in Fig. 1. While the vulnerability of traditionalpower systems has been exposed in recent years [5],the open and distributed connection of MMG systemsexposes the systems to serious cyber-security problems.

CB1

CB2

CB3

Microgrid 1

Microgrid 2

Microgrid 3

Communication Networks

DG1 DG2

A1 A2 A3 A4

Z = r + jωL

DG1 DG3

B1 B2 B3DG2

DG1 DG2

C1 C2 C3 C4 C5

Microgrid 1-EMS

Microgrid 2-EMS

Microgrid 3-EMS

Power NetworksLegend

CEMS:

PCC:

CB:

Centralized Energy Management System

Point of Common Coupling

Circuit Breaker

PCC

Isolation

switches

CB0Utility

grid

CEMS

Wide

Area

Network

Figure 1. A typical MMG system.

Therefore, it is of critical importance to ensure the secu-rity in addition to the stability for MMG systems. As theinitial protective barrier, intrusion detection system (IDS)playes a critical role in overall security protection. Theresults from IDS can be used in self-adaptive decisionsand real-time response [6], or help safety operator withthe detection result of abnormal state in time [7], [8].However, traditional host-based or network-based IDSthat works independently [9], [10] is not entirely adoptedto MMG systems. In comparison, collaborative intrusiondetection system (CIDS) can analyze the evidence frommultiple domains simultaneously and consider the alertsof distributed detector synthetically for promoting theefficiency of IDS [11]. Therefore, it is more appropriatefor distributed architecture as in MMG systems.

Recently, efforts have been made in the applicationsof CIDS in smart grid. This includes a fully distributed

January 30, 2019 DRAFT

tian

Typewritten Text

tian

Typewritten Text

tian

Typewritten Text

tian

Typewritten Text

Bowen Hu, Chunjie Zhou, Yu-Chu Tian, Yuanqing Qin, Junping Xing

tian

Typewritten Text

published online on 26 April 2019. DOI: 10.1109/TSMC.2019.2911548


CIDS management structure [12]. For constrained re-sources in smart meters, a CIDS is proposed againstfalse data injection attack [13]. A scalable and elasticarchitecture is also presented with a Peer-to-Peer (P2P)solution for grid and cloud computing [14]. In addition,considering the problem of how to operate a CIDS whenthese assumptions of trust and security are relaxed, someproposed methods have partially addressed this problem.Such as several CIDSs [15], [16] use message authen-tication to guarantee that alerts come from a trustedparticipant by using a central certification authority (CA)or certifying happens among peers [1], [17]. However,the central certificate authority can become a bottleneckfor scalability as the number of participants increases.Furthermore, these approaches cannot protect against alegitimate participant who is sending malicious data, andprevent misbehavior by a peer who has taken the timeto first build a high reputation.

Therefore, a new CID approach using blockchain ispresented in this paper for MMG systems. More specif-ically, the target of CID, called a proposal, is generatedfrom periodic and trigger patterns. From these generatedproposals together with the correlation model of MMGs,a CID is achieved by using the consensus mechanism inblockchain. The final detection results are stored on eachblock. The recording node that proposes the consensus-reached block will be awarded according to an incentivemechanism. Overall, the paper makes the following threemain contributions:

1) A distributed CID approach incorporating with theconsensus and incentive mechanisms of blockchainis proposed for MMG systems without a trustedauthority or central server;

2) As a part of the approach, a proposal generationmethod that combines periodic and trigger patternsis designed to enhance the accuracy of intrusiondetection;

3) An improved algorithm of delegated proof of stake(DPoS) is devised for consensus on the distributeddetection results by the utilization of the degree ofcorrelation and the detection coefficient.

The rest of this paper is organized as follows. Sec-tion II provides some background knowledge aboutCIDS and blockchain. Section III presents the archi-tecture of our CID approach using blockchain. Thisis followed by Section IV on the process of gener-ating proposals based on multiple patterns. Section Vshows the process of collaborative detection based onan improved DPoS algorithm and incentive mechanism.

TABLE IA COMPARISON OF THE THREE CLASSES OF CIDS.

Species Advantage Shortcoming

CentralizedCIDS [20]

1) High detectionaccuracy2) Simpleimplementation

1) Poor scalability2) Unsuitable forlarge-scale scenarios

HierarchicalCIDS [21]

1) Better scalability2) Suitable forlarge-scale scenarios

1) Lower detectionaccuracy2) Loss of detectioninformation3) Single-Point-of-Failure

Fully Dis-tributedCIDS [15]

1) Peer to peer suitsto transfer data

1) Lacking detector froma global perspective2) Low detection accuracy

Experiments are conducted in Section VI to demonstrateour approach. Finally, Section VII concludes the paper.

II. BACKGROUND AND RELATED WORK

A. A Brief Review of CIDS

A skilled intruder can slowly change his or her be-havior to avoid being detected by IDS. Thus, it is worthachieving collaboration among MMGs to increase thedifficulty of intrusion. According to the network topol-ogy of each detection unit and ways of the informationinteraction, a classical CIDS falls into one of the threeclasses [11], [18]: centralized, hierarchical [19], anddistributed. A comparison of these three classes is shownin Table I.

However, the survey [11] also point out that theanother important aspect is the problem of securityand trust for CID, and the trustworthiness of the alertsgenerated by each single anomaly detection unit is thepremise of accurate results of CIDS.

Thus, the immutability and reliability of informationtransfer and dissemination are worthy to be considered,more so in fully distributed systems.

B. Blockchain and Security

Since Satoshi Nakamoto founded Bitcoin in 2008 [22],blockchain, the underlying technology architecture ofBitcoin, has attracted widespread interest. A blockchainis a continuously growing list of records, called blocks,which are linked and secured using cryptography. Whena new block is added to the blockchain, it must beapproved by the verification of all nodes. The schematicdiagram of a blockchain is shown in Fig. 2.

As a typical distributed data storage technology,blockchain covers a variety of technologies, such as de-centralization, cryptography, and consensus algorithms.



Blockchain

Hash(Bn-1) Timestamp Hash(Bn)... ...Block Bn Block Bn+1

Nonce Merkle Root Nonce

Timestamp

Merkle Root

Hash 12 Hash 34

Hash 1 Hash 2 Hash 3 Hash 4

Tx 1 Tx 2 Tx 3 Tx 4

Figure 2. A schematic diagram of a blockchain.

In the absence of a trusted third party or centralizednode, a new consensus mechanism is formed. Due tothe advantage of establishing the secured, trusted, anddecentralized autonomous ecosystems for various sce-narios, blockchain has been investigated in both researchand applications [23].

As a novel and fundamental technical framework,blockchain is suitable for applications in the securityprotection of cyber-physical systems (CPSs). Most cur-rent applications of blockchain are in the field of datasecurity for ensuring that data is traceable and not easilytampered. For example, it is demonstrated [24] that theintegration of blockchain, smart contracts and Internet ofThings (IoT) technologies is powerful. With the abilityto interact with peers in a trustless, auditable manner,blockchain could give us resilient, truly distributed peer-to-peer systems. Blockchain has the fundamental roleto register and authenticate all operations performed onInternet of Things (IoT) devices data [25]. Consortiumblockchain is explored for a secure energy trading systemnamed energy blockchain [26]. It is suitable for P2Penergy trading, such as microgrids.

Other research efforts use the consensus mechanismto implement distributed and collaborative schedulingdecisions or intrusion detection. For managing billionsof devices deployed worldwide, a fully distributed accesscontrol system based on blockchain is proposed forarbitrating roles and permissions in IoT [27]. As theoperation of the future Energy Internet would also bemore decentralized and self-executing, it is suggestedthat blockchain be applied in operational frameworkof Energy Internet [28]. This could promote a con-sensus among the decentralized institutions of variousenergy entities. A distributed blockchain-based pro-tection framework is proposed to enhance the self-defensive capability of modern power systems againstcyber-attacks [29]. Moreover, a blockchain framework

is discussed in [30] for collaborative intrusion detection.In summary, blockchain has been used in several

domains to date. This motivates us to investigate thistechnique in the security of MMG systems by using thethe consensus and incentive mechanisms. Similar to thestorage of transaction information in cryptocurrency, thedetection results of CID with consensus will be storedon the blockchain.

III. THE PROPOSED ARCHITECTURE OF OUR CIDUSING BLOCKCHAIN

The architecture of our CID using blockchain is shownin Fig. 3. In each microgrid, our CID approach has aproposal generation component and a CID component.Their functions are described below.

The proposal generation component aims to proposeproposals for CID. The proposals are obtained period-ically under normal circumstances. They can also betriggered when abnormal state of microgrid is found outby its own IDS, whose content is defined as the state ofa microgrid.

The CID component realizes the transmission and con-sensus of detection results among MMGs. Firstly, as themicrogrid involved in the proposal is the detection target,each microgrid that has energy or cyber interdependencywith it obtains the result of detection independentlybased on One-Class SVM. Secondly, a consensus onthe proposal is reached based on an improved DPoSalgorithm, which utilizes the degree of correlation anddetection coefficient instead of stake in this paper. Theresults of CID are obtained and stored on blockchainin sequence to ensure its immutability and reliability.Thirdly, with the help of an incentive mechanism, whenthe Block Bn proposed by a microgrid is recorded,the level of the detection coefficient of a microgrid ispromoted, so as to make it be accepted more easily in thenext Block Bn+1 generation process. In contrast, othermicrogrids which put forward the orphan blocks will besuspected as attacked nodes.

IV. MULTI-PATTERN BASED PROPOSAL

GENERATION

This section presents the process of generating the ob-ject of consensus in the proposal generation component.It begins with an introduction of multi-pattern includingtrigger pattern and periodic pattern. Then, an algorithmis developed to implement the whole process.



Proposal

Generation

Component

Collaborative Intrusion

Detection Component

Proposal

Generation

Component

Collaborative Intrusion

Detection Component

...

Microgrid 2 Microgrid N

Proposal

Proposal Generation

Component

Collaborative Intrusion Detection Component

Blockchain

Microgrid 1

Final Detection Results

Trigger Pattern

(Abnormal)

Periodic Pattern

(Normal)

HIDS

NIDS

...

Alert

Fusion

Det

erm

ination o

f

Det

ecti

on

Tar

ge

tHash(Bn-1) Timestamp

Detection Results

Hash(Bn) Timestamp

Detection Results

... ...Block Bn Block Bn+1

Independent

Detection of Proposal

Consensus on

the Proposal

Reward &

Penalty

HIDS: Host-based Intrusion Detection System

NIDS: Network-based Intrusion Detection System

Legend

Status

Packets

Incentive

Mechanism

DPoS

Algorithm

One-Class

SVM

SVM: Support Vector Machine

Figure 3. The architecture of our CID using blockchain.

A. Multi-Pattern

The initial proposal is not only triggered when ab-normal event is detected by each microgrid’s IDS undertrigger pattern, but also generated in turn under periodicpattern.

1) Trigger Pattern: The IDS of each microgrid de-tects the abnormal state mainly from the perspective ofcommunication and power flows. The alert, context ofproposal, will be generated at the same time.

Detection of Communication Flow: The white list ofaccess-control mainly monitors medium-access control(MAC) addresses, IP addresses and ports in the data link,network and transport layers, respectively.

ac * ACwl → Alert, (1)

where ac indicates the set of {MACsrc, MACdst,IPsrc, IPdst, Portsrc, Portdst}, and ACwl representsthe white list of access-control. In addition, becauseMAC and IP addresses are unique when identifyinga communication subject, there is an unique match〈IP,MAC〉 generally. If the match 〈IP,MAC〉 has

been changed, a spoofing attack , e.g., an address reso-lution protocol (ARP) attack, may take place.

The white list of protocol-based mainly confirms thatthe protocol used is suitable for the grid in the appli-cation layer, such as DNP3, IEC61850, IEC61870 andother proprietary protocols.

pb * PBwl → Alert, (2)

where pb indicates the used communication protocol,and PBwl represents the white list of protocol-based.

Detection of Power Flow: Unknown and new attacktypes will be detected by behavior-based rules [31],which are mainly reflected in the constraints of powerflow. For instance, there is an upper limit (vi.max) anda lower limit (vi.min) of each nodal voltage (vi), anda maximum allowable apparent power (sl.max) of thebranch.

v /∈ {vi | vi ∈ (vi.min, vi.max)} → Alert, (3)

s /∈ {sl | sl ∈ (0, sl.max)} → Alert, (4)

where sl represents the apparent power of branch l.



2) Periodic Pattern: Due to the existence of falsenegatives, it is insufficient to rely on its own IDS. Totackle this problem, periodic pattern is integrated. Thisallows the state of a microgrid to regularly become thetarget of detection and also enables other microgrids tojudge it.

Under periodic pattern, as system runtime Trun is aninteger multiple of polling cycle time Tperiod, we selecta relevant microgrid m as a new proposal. Different froma proposal generated under trigger pattern, the content ofthis proposal is ‘Microgrid m: normal’.

m = (Trun/Tperiod) mod N, (5)

where N represents the total number of microgrids.

B. Algorithm for the Proposal Generation

The detailed steps of the proposal generation processis shown in Algorithm 1. In the pseudo code of thealgorithm, Pro′ and Pro represents pre-proposal andproposal, separately. Firstly, each microgrid is detectedfrom the perspective of communication flow and powerflow according to Section IV-A1. Then, the judgement(Pro 6= Pro′) aims to remove redundant results. Assoon as Trun/Tperiod ∈ Z, the proposal (Microgrid m:normal) is generated.

Finally, through fusion and de-redundancy, the ul-timate proposal is obtained and delivered to the CIDcomponent for the determination of the detection target.

Algorithm 1 Multi-Pattern Based Proposal Generation.

Input: Detect information of microgrids, Pro′Output: Pro

1: Pro← ∅2: while Trun/Tperiod /∈ Z do3: for each n ∈ {1, 2, ..., N} do4: a← ac * ACwl | pb * PBwl

5: b← v /∈ (vi.min, vi.max) | s /∈ (0, sl.max)6: if a& (Pro 6= Pro′) then7: Pro = ‘Microgrid n: abnormal comm.’8: else if b& (Pro 6= Pro′) then9: Pro = ‘Microgrid n: abnormal power’

10: end if11: end for12: end while13: m← (Trun/Tperiod) mod N14: Pro = ‘Microgrid m: normal’

V. CONSENSUS-BASED CID

After generating the proposal, the next step is toachieve CID. This section begins with an introductionof independent detection of proposal by each microgrid.

This is followed by discussions of the achievement ofconsensus. Then, the application of an incentive mech-anism is developed to reward or punish the recordingmicrogrid.

A. Independent Detection of Proposal

The smart grid is a complex cyber-physical system(CPS) [32]. The interaction between MMGs is mainlyreflected in both energy and cyber interdependencies,which are chosen as the basis of intrusion detection inthis paper. Through a calculation of load flow [33] [34],we aim to judge whether the voltage magnitude, cur-rent, power and other interactive electrical quantities arewithin the normal range from the perspective of powerflow. If not, the detection target will be suspected to havebeen attacked.

In view of intrusion detection at the communica-tion system, the rationality of the control strategy aswell as the real-time synchronization of informationtransmission are mainly considered. For instance, it isjudged whether or not the breaking of the line breaker isunreasonable under the goal of optimal scheduling, andwhether or not the transmission delay of data betweenthe nodes exceeds the threshold. An abnormal alarm isissued once discovered.

Normal behaviors are modelled by one-class SVM inthis paper. This is because abnormal data of the gridis more difficult to obtain during actual operations, andone-class SVM is suitable as an unsupervised learningalgorithm. Moreover, the algorithm has been widelyaccepted as a classification algorithm for detecting ab-normal states [35].

The detection process can be divided into three parts:data training, model establishment, and data testing.

The one-class SVM algorithm can be summarized asmapping the data into a feature space, and then tryingto separate the mapped vectors from the origin withmaximum margin, because the origin is the only originalmember of the second class [36]. In the modellingprocess of power system, there is no hyperplane inthe original sample space that can correctly classifytwo types of samples. Thus, we use a nonlinear kernelfunction (Φ(x)) to map samples from the original spaceto a higher-dimensional feature space [37], such as radialbasis function

κ(xi,xj) = exp(−‖xi − xj‖2

2σ2). (6)

It is always possible to find a hyperplane that solvesthe separation problem. Finding the maximum margin



to separate the dataset can be converted to the followingoptimization problem:

minw,ζi,ρ

1

2‖w‖2 +

1

νn

n∑i=1

ζi − ρ (7)

s.t. wTΦ(xi) > ρ− ζi, i = 1, · · · , n, ζi > 0 (8)

where parameters w is a vector orthogonal to the hyper-plane, ρ represents the margin, ζi is the slack variables,the role of ν is similar to penalty factor C in Two-classSVM, representing the fraction of training patterns thatare allowed to be rejected, and n is the total number oftraining patterns.

This optimization problem can be solved by using theLagrange multiplier method to transform (7) to a dualoptimization problem as follows

minα

1

2

∑ij

αiαjκ(xi,xj), (9)

s.t. 0 ≤ αi ≤1

νn,∑i

αi = 1. (10)

Finally, the decision function of one-class SVM canbe expressed as

f(x) = sgn((wTΦ(x)− ρ)

)= sgn

(∑i

αiκ(xi,x)− ρ)

), (11)

The types of data collected and analyzed includemeasurement information, state information, transactionlog, etc. Thus, one detection model based on one-classSVM has finished. If N is the number of microgrids,we will get at most N(N − 1) models according tothe relationship matrix between microgrids for intrusiondetection. It is worth mentioning that the detected datawhich is different from data of microgrid’s own IDS.

B. Consensus on the Proposal

Considering that each detector has its own insightabout the proposal, these distributed detection resultsneed to achieve consensus. In order to achieve thispurpose without any trusted authorities or central servers,one microgrid is selected as the recording node firstly.Its detection results will be stored in a new block andbe submitted to the network as the process of ‘mining’in Bitcoin [22].

Then, as every node in a decentralized system has acopy of the blockchain, a microgrid with similar insightsfor detection results will confirm that the detection resultis correct and add the new block to the end of the chain.

New Block

The recording node

Dectctor 1 Dectctor 2

Dectctor 3

Dectctor 5 Dectctor 4

Main

chain

Orphan

chain

Consensus

Figure 4. A schematic diagram of the consensus process.

On the other side, the microgrid that has objection tothe detection results will generate another block and addthe block to the end of its own chain. The schematicdiagram of the consensus process is shown in Fig. 4.

Finally, as main chain consists of the longest seriesof blocks which require a consensus of the networkmajority, wrong detection results will be meaninglessto become an orphan block. In other words, there isa reward for generating each block. The correspondingincentive mechanism will be described in detail later.

According to the different selection ways of recordingnode, the algorithms aiming to achieve consensus mainlyinclude: Proof of Work (PoW), Proof of Stake (PoS)and DPoS [23]. Combining system characteristics andapplication requirements, the DPoS algorithm is adoptedto achieve CID in MMGs due to its lower energyconsumption and shorter time in the process of reachingconsensus.

Each microgrid has a different probability of beingselected as a recording node based on the stake it owns.In the hash operation process of generating a new block,it is embodied in the difference of target and difficulty.A different recording node k has a different value of thedifficulty indicator D(k). A modified version of DPoSalgorithm uses a condition of

SHA256(SHA256(HashBn−1) + Timestamp

+Nonce+MerkleRoot)

< ST (k)Targetmax/D(k), (12)

where ST (k) means the elapsed time holding thesestakes by recording node k, and its maximum valuecannot exceed 72 hours. The larger the value of ST (k)

or the smaller the value of D(k), the easier the Inequal-ity (12) can be established. To ensure real-time detection,Targetmax can be set to 0xFFFF0000 ×24×56.



Legend

Detection target

Witness (k=4)

Witness (k=3)

Witness (k=2)

Witness (k=1)

Figure 5. DPoS based electing nodes for participation in consensus.

DPoS selects a recording node by trusting a smallnumber of honest nodes as representatives. For example,in the rating of 1 to 4, the honest nodes of level 2 andabove could be selected as representatives, as shown inFig. 5 intuitively. However, stake-based selection willresult in undesirable centralization. This is because thesingle richest member may have a permanent advantage.To overcome this defect, in this paper, the degree of cor-relation as well as the detection coefficient are utilized asthe basis for electing nodes instead of stake innovatively.

By adopting this method, the greater energy or cyberinterdependency with the target of detection, the largerprobability of the microgrid will be selected as a record-ing node. This is experssed as

Pij =

∫ T0θij(t)dt

T× Iij

=

∫ T0θij(t)dt

T× (γEij + (1− γ)Cij), (13)

where Pij means probability of selecting node i as arecording node, j means the target node for detection,θij represents the detection coefficient of node i on j

which is related to the accuracy of previous detectionresults,

∫ T0θij(t)dt/T means the cumulative mean of

θij over time, Iij indicates interdependency of microgridnode i on j, and Eij , Cij represent energy and cyberinterdependency of microgrid node i on j, respectively.A detailed example of correlation model, and the for-mation of Eij , Cij , can be seen in Section VI-B. γindicates the adjustment factor, which is different indifferent conditions. For instance, γ is 0.8 in the case ofabnormality of communication flow, is 0.2 on conditionof abnormality of power flow, and is 0.5 when proposalis normality. All above-mentioned index coefficients arewithin the interval [0, 1]. The correspondence betweenselection probability (Pij) and the level of difficulty(Pij) is shown in Table II.

C. Rewards and Penalties

Analogous to the fact that cryptocurrency can beobtained by the behaviour of mining in Bitcoin, the

TABLE IICORRESPONDENCE BETWEEN Pij AND Pij

Pij [0.6,1] [0.3,0.6) [0.1,0.3) [0,0.1)Pij 1 2 3 4

D(Pij) 16 162 163 164

D(Pij) is the corresponding difficulty indicator in Inequality (12).

incentive mechanism of blockchain when a new blockreaches consensus is also modified and adopted inthis paper. The form of reward is expressed not onlyby financial incentives but also the improvement ofdetection coefficient θij . Therefore, the probability thatthe node will be selected as a recording node in thenext block generation process will increase. A highercoefficient θij will bring benefits and more influenceon distributed management and decision-making for amicrogrid. Conversely, if the detection result presentedby i for target j does not reach consensus, the level ofdetection coefficient θij will decrease in a similar way.

θ′ij =

{max{−θ2ij + 2θij + αIij , 1}, consensus-reached,min{1−

√1− θij + βIij , 0}, consensus-unreached,

(14)where θij means the previous detection coefficientwhereas θ′ij signifies the detection coefficient afterexaltation. The greater interdependency Iij , the fasterthe change in detection coefficient θij . Parameters α

and β are added as adjustment factors.

VI. EXPERIMENTAL STUDIES

To evaluate the detection performance of our CIDapproach using blockchain, this section conducts sim-ulation experiments on a typical MMG platform.

A. Simulation Setup

A typical MMG scenario is set up in this section. Theco-simulation platform of a cyber-physical power systemis depicted in Fig. 6. The power distribution system isconsidered to be a set of interconnected microgrids thatmay be connected to the utility grid through PCC andCB. The radial distribution feeders contain 6 microgrids,which are divided according to different laterals. Eachmicrogrid has corresponding renewable energy resourcesand distributed load.

In order to establish a decentralized experimentalenvironment, we presume that the isolation switch (CB0)is open and interconnected microgrids are running inisland mode without the support of the utility grid. Themicrogrid adopt the master-slave control method. Thisimplies that there is one distributed grid adopts U/f



Isolation

switch

PCCCB1

CB2

CB3

Microgrid 1

Microgrid 2

Microgrid 3

CB0

Utility

grid

50kW

300m 200m

DG

100mDG

25kW 50kW

60kW

250m 150m

DG

100mDG

5kW 60kW

400m

30kW

150m

DG

50kW

CB4

CB5

CB6

Microgrid 4

Microgrid 5

Microgrid 6

20kW

300m 200m 100mDG

30kW

10kW

250m 500m

DG40kW

400m

20kW

150m

DG

30kW

20kW

150m

15kW

Legend

R = 0.325 Ω/km

X = 0.073 mH/km

10/0.4kV

10kW

10kW

250m

200m

RTU1

RTU2

RTU3

RTU4

RTU5

RTU6

Substation 1

Substation 2

Virtual Subs.

Control

CenterWide Area

Network

Figure 6. Typical MMG model of the simulation.

control to guarantee not only the balance of power sup-plies and demand but also the uniformity of frequency asthe master unit in each microgrid. All other microgridsadopt P/Q control to make the active power and reactivepower of the inverter output equal to the reference. Twocolor nodes, green and red, are used to represent masterunit and slave unit, respectively.

To build a communication environment of the powersystem, the function of remote terminal unit (RTU) andpower management unit (PMU) is simulated on thehost in a substation. Overall scheduling is achieved inthe control center, which is not used actually due toisland mode without the support of the utility grid. Thetransmission of measurement information and operatinginstructions is via a wide area network (WAN).

In this paper, four common types of attacks [38] areconsidered, and the attack secnarios are described indetails as below.

1) Tampering Attack: Typical tamper attack, suchas false data injection [39], is often occured in powersystems. In our simulations, control instructions of loadswitch is set as being tampered in microgrid.

2) Man-in-the-Middle (MITM) Attack: MITM attackmeans that the attacker secretly relays and possibly altersthe communication between two parties who believe theyare directly communicating with each other. Which is

conducted by ARP poisoning and the modification ofoperating instructions.

3) Replay Attack: Replay attack is a form of attackin which a valid data transmission is maliciously orfraudulently repeated or delayed. To conduct this kindof attack, the machine of substation is hacked into byan attacker who continues to intercept all data sequencefrom sensors and then retransmits it.

4) Denial of Service (DoS) Attack: This type of attackis simulated by totally obstructing the communicationchannels of sensor nodes, such as RTU.

B. Establishment of the Correlation Model

For achieving consensus and CID among MMGs, acorrelation model is established according to the energyand cyber interdependency of microgrids. Relationshipmatrix EM and CM are formed, respectively. Energyrelationship matrix EM means the magnitude of theimpact of one microgrid on another. With the MMGplatform, the experimental data is generated by thefloating load up and down below 10% in each singlemicrogrid. Active power and reactive power are selectedas features. For instance, we fit the active power ofthe microgrid whose load is dynamically changing withactive power of other microgrids, and get the linearregression equation y = aix + bi, (i = 1, · · · , N) and



∑Ni=1 ai = 1. So, Eij is defined as the correlation

coefficient ai for microgrid j.

EM =

1 0.287 0.208 0.191 0.151 0.163

0.242 1 0.221 0.203 0.161 0.173

0.224 0.281 1 0.187 0.148 0.160

0.220 0.276 0.200 1 0.146 0.158

0.211 0.265 0.192 0.177 1 0.155

0.214 0.269 0.196 0.179 0.142 1

.

The cyber relationship matrix CM reflects the trans-mission of measurement information (MI) and operatinginstructions (OI) between microgrids. It is also relatedto the geographical location (Distance) of the microgridin the radial distribution feeders.

Cij =σ1MIij/MIi + σ2OIij/OIi

Distance, (15)

where MIi and OIi indicate the total of measurementinformation and operate instructions from other micro-grids. For example, CM1 is calculated according toEq. (15) as σ1 = σ2 = 1.5

CM1 = {1, 0.45√1,

0.45√2,

0.3√3,

0.15√4,

0.15√5}.

The CM of the MMG model in Fig. 6 is

CM =

1 0.450 0.318 0.173 0.075 0.067

0.450 1 0.450 0.318 0.173 0.075

0.318 0.450 1 0.450 0.318 0.173

0.173 0.318 0.450 1 0.450 0.318

0.075 0.173 0.318 0.450 1 0.450

0.067 0.075 0.173 0.318 0.450 1

.

The relationship matrix between microgrids is obtainedas IM = γEM+(1−γ)CM , and the correlation modelis established.

C. Reach Consensus Based on DPoS Algorithm

Now, let us explain the implementation process of theDPoS algorithm through three typical attack scenarios:tampering attack on microgrid 4, MITM attack on micro-grid 6, and replay attack on microgrid 6. Due to the dif-ferent characteristics of attack types, tampering controlinstructions and the change in match 〈IP,MAC〉 maybe easily found by the abnormality of power flow andcommunication flow, while replay attack could spoof themonitor of substation. Thus, after ignoring other insignif-icant proposals, these three proposals are consideredin our experiments: A) Microgrid 4: abnormal power,

B) Microgrid 6: abnormal comm., and C) Microgrid 6:normal.

1) Proposal A: Using the consensus algorithm ofDPoS, the recording node needs to be selected. Forproposal A, the relationship is Iij = γEij + (1− γ)Cijwhere γ is 0.8. For Microgrid 4, its relationship vector

IM4 = {0.211, 0.284, 0.250, 1.000, 0.207, 0.190}.

Only some representative nodes whose relationship isbeyond 0.2 will be selected to participate in the processof consensus. As the initial value of detection coefficient(θij) of node j on i all is 0.5, microgrid 2 will be selectedas the recording node due to its maximum relationship.Then, for proving its computing power, microgrid 2 hasto put forward the new block in a limit time by hashoperation process (12). Otherwise, it will be replaced bythe microgrid whose relationship after its relationship.The selection probability

P24 =

∫ T0θ24(t)dt

T× I24 = 0.142 ∈ [0.1, 0.3).

D(P24) given in Table II is 163 and the initial value ofST (2) is 72. On the basis of Inequality (12),

SHA256(SHA256(HashBn−1) + Timestamp+

Nonce+MerkleRoot) < 72× Targetmax/163,

where HashBn−1 is 0x00 . . . 00︸︷︷︸64

as the genesis block,

and timestamp is the generation time of block. By theanomaly detection model based on one-class SVM, mi-crogrids 1, 2, 3 and 5 all believe power flow of microgrid4 is indeed abnormal by confirming the abnormal actionof load switch and abnormal nodal voltage. So the blockproposed by microgrid 2 will reach a consensus andthese two abnormal states will be recorded as a and b,respectively. Since Merkle Root is implemented by usingalgorithm SHA-256 twice, the stored detection resultsare shown in Fig. 7.

MerkleRoot = dhash(dhash(a) concat dhash(b)).

(16)Then, based on the incentive mechanism, the detection

coefficient (θ24) of microgrids 2 on 4 will get an upgradefrom 0.5 according to (14) when coefficient α = 0.1.

θ′24 = max{−θ224 + 2θ24 + αI24, 1} = 0.7784,

2) Proposal B: In contrast to proposal A, the contentof proposal B is an abnormal communication flow. Asγ is 0.2, the relationship vector IM6 of microgrid 6 is

IM6 = {0.097, 0.114, 0.177, 0.290, 0.388, 1.000}.



Block B1 Block B2 Block B3

0x00..00Hash0

38'35.7760Timestamp

0xb1cad7..SelfHash

0xb1cad7..Hash0

38'36.0240Timestamp

0x000c1e..SelfHash

0x000c1e..Hash0

38'37.2130Timestamp

0x0000cb..SelfHash

[]Nonce MerkleRoot

0xd3d56e..

Difficulty3 1829

Nonce MerkleRoot

0x5cde43..

Difficulty3 7198

Nonce MerkleRoot

0x70b652..

Difficulty3

DetectionResult

a: Abnormal action of load switch in microgrid 4.

b: Abnormal nodal voltage in microgrid 4.

DetectionResultc: The <IP, MAC> match is not unique in microgrid 6.

DetectionResult

e: Abnormal action of load switch in microgrid 6.

...

d: Abnormal apparent power of branch in microgrid 6.

f: Abnormal nodal voltage in microgrid 6.

Figure 7. Consensus-induced detection results are stored on blockchain.

Similar to the previous process, nodes 4 and 5 whoserelationship beyond 0.2 are selected as representative.Microgrid 5 is chosen as the recording node. The selec-tion probability

P56 =

∫ T0θ56(t)dt

T× I56 = 0.194 ∈ [0.1, 0.3).

D(P56) given in Table II is 163, too. According tothe collaborative anomaly detection model, microgrids4 and 5 justify the abnormal communication flow ofdetection target. The results will be recorded as abnormalstates c. Moreover, they also dig out that the abnormalapparent power of branch still exists in microgrid 6(abnormal states d). Analogous to the generation of block1, detection coefficient (θ56) will also get an upgrade as

θ′56 = max{−θ256 + 2θ56 + αI56, 1} = 0.7888,

3) Proposal C: About the proposal C ‘Microgrid 6 isnormal’, similar to the previous analysis process, theywill put forward their own different opinions and reacha consensus since not being deceived. The detectionresults will be stored as ‘e: Abnormal action of loadswitch in microgrid 6’ and ‘f : Abnormal nodal voltagein microgrid 6’. The new detection coefficient (θ56) ofmicrogrid 5 on 6 will changed to

θ′56 = max{−θ256 + 2θ56 + αI56, 1} = 1,

which means when detection object is microgrid 4, theprobability of microgrid 2 as the recording node willincrease.

D. CID Performance Evaluation

First, we test the detection rates of our CID approachfor different types of attacks. The overall accuracy (OA)depends on true positive rate (TPR) and false positiverate (FPR). It describes how correctly an IDS works by

TABLE IIITHE OA FOR DIFFERENT TYPES OF ATTACKS.

Category Tampering MITM Replay DoSSingle IDS 90.3% 85.6% × 100%CID 97.9% 94.3% 91.2% 100%

OA = (TPR+ 1−FPR)/2 [40]. Based on the variousattack scenarios introduced in Section VI-A, the resultsof the experiment are shown in Table III.

It is seen from Table III that the OA of our CIDapproach has improvement over traditional single IDSfor different types of attacks. In particular, in the MITMattacks scenario, CID not only verifies the abnormalityof communication flow in microgrid 6, but also checksout its power abnormality. In the replay attacks scenario,CID is able to detect the abnormal state whereas a singleIDS fails to do so. Furthermore, the results suggest thatreplay attacks and MITM attacks are more difficult todetect than others. That may be interpreted by the factthat the attacks sometimes do not cause abnormal stateof power grid.

Then, we evaluate the real-time performance of ourCID approach. The real-time performance of our CIDmainly depends on the execution time of the DPoSconsensus algorithm. Thus, we plan to analyze the re-lationship between the influencing factors (Pij , ST (k))and the computing time of generating a new block, andfind the apposite setting of difficulty.

By running the ‘mining’ process for 500 times atdifferent Pij values under ST (k) = 1, the minimum,mean, and maximum computing times are displayed inFig. 8. It is noted that the expression of the correlationis shown in (17). This correlation indicates that with theincrease of difficulty (Pij), the computing time growsexponentially. To ensure the real-time performance ofour CID approach, the nodes with a difficulty of 3 or



0 1 2 3 4 510−4

10−2

100

102

lg y≈ 1.19

32x− 3.50

38(s)

Pij of Recording Node i

Com

putin

gTi

me

(s)

Scope bounds Average time Best fitting line

Figure 8. Computing time versus Difficulty Indicator.

20 21 22 23 24 25 2610−4

10−2

100

102

lg y ≈ −0.2748 log2 x− 0.0872(s)

ST (k) of Recording Node k

Com

putin

gTi

me

(s)

Scope bounds Average time Best fitting line

Figure 9. Computing time versus Elapsed Time.

less are generally selected as recording node.

lg y ≈ 1.1932x− 3.5038. (17)

As a difficulty of 3 remains unchanged, running 500times at different ST (k) values, the computing timedisplay in Fig. 9. The elapsed time (ST (k)) holdingdetection coefficient (θij) exponential growth with base2, the computing time will also grow exponentially. Theexponential correlation is expressed as

lg y ≈ −0.2748 log2 x− 0.0872. (18)

E. Discussions

Through the above experiments, the proposed CID ap-proach is able to efficiently detect intrusions for MMGsin island mode. Using blockchain well solves the col-laborative problem of IDS in distributed systems throughconsensus of detection results. Proposal generation basedon multi-pattern reduces the false negative rate (FNR) bygenerating new proposals constantly. The achievementof consensus could increase the OA. Table IV presentsthe comparison of our CID with several previous studieson CID. According to Table IV, it suggests that ourapproach can achieve CID in the absence of a trustedthird party or centralized node by using the consensusand incentive mechanisms of blockchain, more so inMMG systems, the representative of fully distributedscenario.

TABLE IVPERFORMANCE COMPARISON OF CID APPROACHES.

CID Category Year TPRSystem ar-chitecture

IncentiveParticipantsafety

WithoutCA

[12]Smartgrid 2017 88.9%

Fullydistributed

× × –

[13] AMI 2015 100% Centralized × × –

[15] Internet 2004 – Fullydistributed

√× –

[17]Computer

net-works

2013 >93% Fullydistributed

√ √×

[41]HIDSnet-work

2010 – Fullydistributed

√ √×

OurCID

MMG 2019 96.3%Fully

distributed√ √ √

Note: ‘√

’ shows that the ability was considered in the literature;

‘×’ indicates that the ability was not available;

‘–’ means that the item was not mentioned and could not be inferred.

VII. CONCLUSION

A new CID approach using blockchain has beenpresented in this paper for distributed intrusion detec-tion in MMG systems without a trusted authority orcentral server. It guarantees the consistency and non-repudiability of detection results of IDS in each micro-grid in the process of distributed data transmission. Thenovelty of this paper lies in the following three aspects.Firstly, a new CID approach is proposed for MMGsystems by incorporating the consensus and incentivemechanisms in blockchain. Secondly, a multi-patternproposal generation method is developed to reduce theFNR of intrusion detection. Thirdly, an improved DPoSalgorithm is designed as the consensus mechanism toovercome the defect of one single richest member.

There are a few aspects worth investigating in ourfuture work. Our method utilizes consensus and incentivemechanisms of blockchain to achieve CID. To addressthe uncertainties in the propagation of distributed detec-tion results, how to design a fuzzy consensus algorithmis a direction for future work. In addition, in responseto the increasingly complex and distributed attacks, theabove method proposed for intrusion detection can beconsidered in collaborative risk assessment and decisionmaking.

REFERENCES

[1] K. Boroojeni, M. H. Amini, A. Nejadpak, T. Dragievi, S. S.Iyengar, and F. Blaabjerg, “A novel cloud-based platform forimplementation of oblivious power routing for clusters of mi-crogrids,” IEEE Access, vol. 5, no. 99, pp. 607–619, 2017.



[2] Q. Jiang, M. Xue, and G. Geng, “Energy management of micro-grid in grid-connected and stand-alone modes,” IEEE Transac-tions on Power Systems, vol. 28, no. 3, pp. 3380–3389, 2013.

[3] D. An, Q. Yang, W. Yu, X. Yang, X. Fu, and W. Zhao, “Soda:Strategy-proof online double auction scheme for multimicrogridsbidding,” IEEE Transactions on Systems, Man, and Cybernetics:Systems, vol. 48, no. 7, pp. 1177–1190, 2018.

[4] D. Gregoratti and J. Matamoros, “Distributed energy trading: Themultiple-microgrid case,” Industrial Electronics IEEE Transac-tions on, vol. 62, no. 4, pp. 2551–2559, 2013.

[5] G. Liang, S. R. Weller, J. Zhao, F. Luo, and Z. Y. Dong,“The 2015 ukraine blackout: Implications for false data injectionattacks,” IEEE Transactions on Power Systems, vol. 32, no. 4,pp. 3317–3318, 2017.

[6] C. W. Ten, G. Manimaran, and C. C. Liu, “Cybersecurity forcritical infrastructures: Attack and defense modeling,” IEEETransactions on Systems, Man, and Cybernetics - Part A: Systemsand Humans, vol. 40, no. 4, pp. 853–865, 2010.

[7] I. Ullah and Q. H. Mahmoud, “An intrusion detection frameworkfor the smart grid,” in Electrical and Computer Engineering,2017, pp. 1–5.

[8] Y. He, G. J. Mendis, and J. Wei, “Real-time detection of false datainjection attacks in smart grid: A deep learning-based intelligentmechanism,” IEEE Transactions on Smart Grid, vol. 8, no. 5, pp.2505–2516, 2017.

[9] J. Reeves, A. Ramaswamy, M. Locasto, S. Bratus, and S. Smith,“Intrusion detection for resource-constrained embedded controlsystems in the power grid,” International Journal of CriticalInfrastructure Protection, vol. 5, no. 2, pp. 74–83, 2012.

[10] O. A. Beg, L. V. Nguyen, T. T. Johnson, and A. Davoudi, “Signaltemporal logic-based attack detection in dc microgrids,” IEEETransactions on Smart Grid, vol. PP, no. 99, pp. 1–1, 2018.

[11] C. V. Zhou, C. Leckie, and S. Karunasekera, “A survey of coor-dinated attacks and collaborative intrusion detection,” Computers& Security, vol. 29, no. 1, pp. 124–140, 2010.

[12] A. Patel, H. Alhussian, J. M. Pedersen, B. Bounabat, J. C. Jnior,and S. Katsikas, “A nifty collaborative intrusion detection andprevention architecture for smart grid ecosystems,” Computers& Security, vol. 64, no. C, pp. 92–109, 2017.

[13] X. Liu, P. Zhu, Y. Zhang, and K. Chen, “A collaborative intru-sion detection mechanism against false data injection attack inadvanced metering infrastructure,” IEEE Transactions on SmartGrid, vol. 6, no. 5, pp. 2435–2443, Sept 2015.

[14] H. A. Kholidy and F. Baiardi, “Cids: A framework for intrusiondetection in cloud systems,” in International Conference onInformation Technology-New Generations, 2012, pp. 379–385.

[15] V. Yegneswaran, P. Barford, and S. Jha, “Global intrusion detec-tion in the domino overlay system,” in In Proceedings of Networkand Distributed System Security Symposium (NDSS), 2004.

[16] S. Shaik and S. G. John, “A novel distributed trust model forpeer-to-peer networks,” IJCER, vol. 3, no. 5, pp. 267–270, 2014.

[17] M. G. Perez, F. G. Marmol, G. M. Perez, and A. F. S. Gomez,“Repcidn: A reputation-based collaborative intrusion detectionnetwork to lessen the impact of malicious alarms,” Journal ofNetwork and Systems Management, vol. 21, no. 1, pp. 128–167,2013.

[18] E. Vasilomanolakis, S. Karuppayah, and M. Fischer, “Taxonomyand survey of collaborative intrusion detection,” Acm ComputingSurveys, vol. 47, no. 4, pp. 1–33, 2015.

[19] H. Sedjelmaci, S. M. Senouci, and N. Ansari, “A hierarchicaldetection and response system to enhance security against lethalcyber-attacks in uav networks,” IEEE Transactions on Systems,Man, and Cybernetics: Systems, vol. 48, no. 9, pp. 1594–1606,2018.

[20] F. Cuppens and A. Miege, “Alert correlation in a cooperativeintrusion detection framework,” in Proceedings 2002 IEEE Sym-posium on Security and Privacy, May 2002, pp. 202–215.

[21] E. Vasilomanolakis, M. Fischer, M. Mhlhuser, P. Ebinger, P. Kiki-ras, and S. Schmerl, “Collaborative intrusion detection in smartenergy grids,” in International Symposium for ICS & ScadaCyber Security, 2013.

[22] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,”Consulted, 2008.

[23] Y. Yuan and F. Wang, “Blockchain and cryptocurrencies: Model,techniques, and applications,” IEEE Transactions on Systems,Man, and Cybernetics: Systems, vol. 48, no. 9, pp. 1421–1428,Sept 2018.

[24] K. Christidis and M. Devetsikiotis, “Blockchains and smartcontracts for the internet of things,” IEEE Access, vol. 4, pp.2292–2303, 2016.

[25] M. Conoscenti, A. Vetr, and J. C. D. Martin, “Blockchain for theinternet of things: A systematic literature review,” in ComputerSystems and Applications, 2017.

[26] Z. Li, J. Kang, R. Yu, D. Ye, Q. Deng, and Y. Zhang, “Consortiumblockchain for secure energy trading in industrial internet ofthings,” IEEE Transactions on Industrial Informatics, vol. 14,no. 8, pp. 3690–3700, Aug 2018.

[27] O. Novo, “Blockchain meets iot: An architecture for scalableaccess management in iot,” IEEE Internet of Things Journal,vol. 5, no. 2, pp. 1184–1195, April 2018.

[28] T. Yang, Q. Guo, X. Tai, H. Sun, B. Zhang, W. Zhao, and C. Lin,“Applying blockchain technology to decentralized operation infuture energy internet,” in Energy Internet and Energy SystemIntegration, 2018, pp. 1–5.

[29] G. Liang, S. R. Weller, F. Luo, J. Zhao, and Z. Y. Dong,“Distributed blockchain-based data protection framework formodern power systems against cyber attacks,” IEEE Transactionson Smart Grid, vol. PP, no. 99, pp. 1–1, 2018.

[30] W. Meng, E. W. Tischhauser, Q. Wang, Y. Wang, and J. Han,“When intrusion detection meets blockchain technology: A re-view,” IEEE Access, vol. 6, no. 99, pp. 10 179–10 188, 2018.

[31] Y. Yang, K. Mclaughlin, S. Sezer, T. Littler, E. G. Im, B. Prang-gono, and H. F. Wang, “Multiattribute scada-specific intrusiondetection system for power networks,” IEEE Transactions onPower Delivery, vol. 29, no. 3, pp. 1092–1102, 2014.

[32] H. He and J. Yan, “Cyber-physical attacks and defences in thesmart grid: a survey,” IET Cyber-Physical Systems: Theory &Applications, vol. 1, no. 1, pp. 13–27, 2017.

[33] N. Qin, Voltage control in the future power transmission systems.Springer, 2017.

[34] A. Elrayyah, Y. Sozer, and M. E. Elbuluk, “A novel load-flowanalysis for stable and optimized microgrid operation,” IEEETransactions on Power Delivery, vol. 29, no. 4, pp. 1709–1717,2014.

[35] R. Perdisci, G. Gu, and W. Lee, “Using an ensemble of one-class svm classifiers to harden payload-based anomaly detectionsystems,” in International Conference on Data Mining, 2007, pp.488–498.

[36] L. M. Manevitz and M. Yousef, “One-class svms for documentclassification,” Journal of Machine Learning Research, vol. 2,no. 1, pp. 139–154, 2001.

[37] S. Lecomte, R. Lengelle, C. Richard, F. Capman, and B. Ravera,“Abnormal events detection using unsupervised one-class svm- application to audio surveillance and evaluation -,” in IEEEInternational Conference on Advanced Video and Signal-BasedSurveillance, 2011, pp. 124–129.

[38] A. A. Cardenas, T. Roosta, and S. Sastry, “Rethinking securityproperties, threat models, and the design space in sensor net-



works: A case study in scada systems,” Ad Hoc Networks, vol. 7,no. 8, pp. 1434–1447, 2009.

[39] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacksagainst state estimation in electric power grids,” ACM Trans. Inf.Syst. Secur., vol. 14, no. 1, pp. 13:1–13:33, Jun. 2011. [Online].Available: http://doi.acm.org/10.1145/1952982.1952995

[40] K. Huang, Q. Zhang, C. Zhou, N. Xiong, and Y. Qin, “An efficientintrusion detection approach for visual sensor networks based ontraffic pattern learning,” IEEE Transactions on Systems Man &Cybernetics Systems, vol. 47, pp. 2704–2713, May 2017.

[41] C. Fung, J. Zhang, I. Aib, and R. Boutaba, “Trust managementand admission control for host-based collaborative intrusiondetection,” Journal of Network and Systems Management, vol. 19,no. 2, pp. 257–277, 2011.


c Consult author(s) regarding copyright matters · initial protective barrier, intrusion detection...

Documents

Transcript of c Consult author(s) regarding copyright matters · initial protective barrier, intrusion detection...