Predictive Abuse Detection for a PLC Smart Lighting ...

Research ArticlePredictive Abuse Detection for a PLC SmartLighting Network Based on Automatically CreatedModels of Exponential Smoothing

Tomasz Andrysiak Aukasz Saganowski and Piotr Kiedrowski

Institute of Telecommunications and Computer Science Faculty of Telecommunications Computer Science and Electrical EngineeringUniversity of Technology and Life Sciences in Bydgoszcz (UTP) Ul Kaliskiego 7 85-789 Bydgoszcz Poland

Correspondence should be addressed to Tomasz Andrysiak andrysutpedupl

Received 23 July 2017 Accepted 19 September 2017 Published 25 October 2017

Academic Editor Steffen Wendzel

Copyright copy 2017 Tomasz Andrysiak et al This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited

One of the basic elements of a Smart City is the urban infrastructure management system in particular systems of intelligentstreet lighting control However for their reliable operation they require special care for the safety of their critical communicationinfrastructure This article presents solutions for the detection of different kinds of abuses in network traffic of Smart Lightinginfrastructure realized by Power Line Communication technology Both the structure of the examined Smart Lighting network andits elements are described The article discusses the key security problems which have a direct impact on the correct performanceof the Smart Lighting critical infrastructure In order to detect an anomalyattack we proposed the usage of a statistical model toobtain forecasting intervals Then we calculated the value of the differences between the forecast in the estimated traffic modeland its real variability so as to detect abnormal behavior (which may be symptomatic of an abuse attempt) Due to the possibilityof appearance of significant fluctuations in the real network traffic we proposed a procedure of statistical models update whichis based on the criterion of interquartile spacing The results obtained during the experiments confirmed the effectiveness of thepresented misuse detection method

1 Introduction

In the last decade digital technologies started to covercities creating a skeleton of immense intelligent infrastruc-ture based on information and communication technologies(ITC) The aim of building such a ubiquitous system is tocreate Smart Cities (SC) which have the ability to managetheir resources in a better way to enhance the quality of lifeand safety of their citizens

One of the key elements of a Smart City is a systemof management monitoring and smart steering of streetlights This system allows for optimal use of the lightinginfrastructure and facilitates reduction of lighting operatingcosts It mostly involves prolonged operation of light sourcesand as a result a less often need to exchange them whichis costly A decrease in the consumption of electric energyalso causes limitation of CO2 emission Data presented in

[1 2] show that in the recent decade approximately 20 percent of the received electricity is consumed by lighting wherethe biggest share concerns roads and streets Reduction ofenergy consumption thanks to the use of energy-saving lightsources and introduction of Smart Lighting (SL) is performedin numerous ways of which the most important are (i)reduction of the intensity of light in a given time and space(ii) switching on and off the lamps precisely in time and(iii) taking into account the variable capacity of light sourcesin long-term operation Utilization of such type of activitiesensures optimization of light management costs and limitsthe electricity consumption costs even up to 40 per cent

Usually the Smart Lighting system is an extension ofalready existing traditional lighting systems Its implementa-tion is based on installing controllersdrivers in every lampThe controllers communicate with the steering server via anexisting energetic networkwith the use of LonWorks protocol

HindawiSecurity and Communication NetworksVolume 2017 Article ID 7892182 19 pageshttpsdoiorg10115520177892182

2 Security and Communication Networks

Lamp node

Smart Lighting serverIP network

Trac concentrator

Trac concentrator

Trac concentratorTrac concentrator

APN server

ree-phase LV network ree-phase LV network

ree-phase LV network


Figure 1 Smart Lighting critical infrastructure

and Power Line Communication (PLC) technology Thesteering server safely communicates through a data transmis-sion network with a central management and control systemThe central management system facilitates full control overall of the supervised lamps This allows for configuration ofparameters such as scenarios of switching onoff the lampsand time for initiation of the energy-saving function Italso supplies us with information concerning the currentperformance of the infrastructure and it reports failures andprovides data about lamps which work defectively [3]

In Figure 1 we can see the general block scheme ofa Smart Lighting Communication Network (SLCN) Thenetwork consists of lamp nodes (yellow triangles) connectedby three-phase low-voltage (LV) power mains by means ofPLC modems Traffic from the lamp nodes is received bya traffic concentrator (TC) The traffic concentrator alsoplays a role of a gateway between the PLC network andthe Internet Protocol (IP) network The Access Point NameServer (APN) allows us to make a connection by means ofpacket communication (eg Long-Term Evolution (LTE)) tothe PLC lighting network

Smart Lighting systems can be classified in two waysThe first way treats them as a subset of Smart City systemswhich are further understood as a subset called the InternetofThings Such classification does not include the whole areaof SL application (eg it does not contain Road Lightingsystems which in fact are identical to the street lightingsystems in terms of communication solutions) Thereforethe authors believe that a better way of classification is todefine the Smart Lighting as a part of the Smart Grid (SG)system This is a result of the fact that the Smart Lightingcommunication systems next to Smart Metering (SM) arethe biggest communication systems in Smart Grid when itcomes to the number of nodes and the size of the geographicarea where they operate The second key similarity is thetechnologies used in the fields of the last-mile area of thosecommunication systems In SL four technologies are appliednamely PLC Radio Frequency (RF) General Packet Radio

Service (GPRS) and Meter-Bus (M-BUS) while in SmartMetering there are only two PLC and RF As far as RFtechnologies are concerned in Smart Lighting and SmartMetering the used solutions are identical However in caseof PLC the differences are significant of which the mostimportant are the following (i) in terms of SM the standardPLC interfaces are applied [4] while in case of SL they are not(the existing Digital Addressable Lighting Interface (DALI)[5] has only local use eg steering a few lamps located onthe same pole not to control hundreds of lamps in a lightingcoursestring) (ii) the SM devices must communicate inBand A according to CENELEC [6] and SL devices mustcommunicate in Band A if the systemrsquos operator is an energysupplier or in Band B C or D if it is the receiver ofenergy (iii) there is a requirement to encrypt the transmittedinformation in case of SM while for SL there is no suchobligation

Even though on the market there are PLC chipsequipped with encryption modules (mostly AES-128) thisfunction is seldom usedThere are numerous reasons for thisfact for instance (i) bothersome distribution of encryptionkeys (ii) extending the transmission frames and thus improv-ing the unreliability and transmission time and (iii) finallythe cost of implementation

Actions connected with violating the safety rules inSmart Lighting Communication Networks (especially inthe last-mile area) may be deliberate or unaware Unawareinterference usually happens when the LV network powersboth streets and households in which there are connectedloads that do not meet the standards of electromagneticcompatibility On the other hand the deliberate interferencein a communication system consists in intentional switchinginto not only loads not being able to fulfil the norms butalso elements such as capacitors interfering generators orterminals emulating a hub Switching such devices even intothe LV networks dedicated only to lighting is not difficulttherefore an intruder may use them imperceptibly for alonger period of time

Security and Communication Networks 3

There are different reasons why the smart lights operatorneeds anomaly and intrusion detection for the PLC smartlights network In case of attacks the smart light opera-tor is responsible for proper operation of the PLC smartlights network The smart lights network operator is alsoresponsible to the customer in case of improper networkoperation and may be exposed to penalties Intentional andunintentional damage cause additional costs to the operatorwhen the attacker changes smart lights to ones instantly onwith maximum luminosity Reaction on anomalies in thesmart lights network is also important for public transportsafety (especially in intersections) when the attacker mightswitch off entire segments of the PLC smart lights networkSwitching lights off may also be responsible for decreasingpublic safety in areas where smart lights are off by an attackerDue to similar reasons energy suppliers use anomaly andintrusion detection systems in Smart Grid networks espe-cially for detecting energy thefts Energy operators detectabuses in for example WSN (Wireless Sensor Network)smart meter infrastructures [7]

In our system we propose a solution concerning detec-tion of different types of abuses in the network traffic forthe SL infrastructure which is based on automatically cre-ated models of exponential smoothing To detect abnormalbehavior that may be a symptom of possible malpracticewe counted the values of variance between the forecast inthe estimated model of traffic and its real variability Inthe abovementioned process we used a two-step method ofabuse detection In the first step of the proposed solutionwe identified and then eliminated outliers using the crite-rion based on Mahalanobisrsquos distance In the second stephowever we estimated proper statistical models smoothedexponentially for the analyzed network traffic parameters Asa result the respective operations presented differences in thetested SLCN parameters which point at possible occurrenceof malpractice

The article is organized as follows After the IntroductionSection 2 describes the communication protocol used in thelast-mile testbed network Next Section 3 presents relatedwork on existing abuse detection solutions for Smart LightingCommunications Networks Section 4 focuses on the mainsecurity risks related to the PLC network Section 5 presentsthe structure and operation of the proposed solution In Sec-tion 6 a real-life experimental setup and experimental resultsare presented and discussed Finally Section 7 concludes ourwork

2 Communication Protocol Used in theConsidered Solution

A communication protocol in last-mile Smart Lightingnetworks was proposed in 2010 and published in 2011 in[8] as EGQF protocol (Energy Greedy Quasi-Flooding) byone of the coauthors In the same year this protocol wasimplemented in Smart Metering networks which used alow-power RF technology for communication The EGQFprotocol is independent of communication media typesand may be applied in networks using RF PLC or even

RFPLC hybrid technologies This protocol is dedicated totiny communication nodes based on short distance devicesconnected to shared communication mediums It uses themultihop technique for transmission range extension andalso uses the multipath technique to improve reliability ofdata transfer The multipath scheme is useful for deliveringdata in unreliable environments such as PLC The retrans-mission mechanism is used only by the destination nodewithout any extra RAM memory occupation because theRESPONSE packet is already kept in the transmission bufferof a transceiver The decision to launch the retransmissionis as follows after sending the RESPONSE the destinationnode starts a retransmission timer After the timer expiresthe destination node sends RESPONSE again and stops thetimer This timer can also be stopped if a copy of RESPONSEor ACKCancel is received during the period of the timerrsquosoperation The number of retransmissions is reduced by aprotocol parameter RC (Retransmission Counter) In ourexperiments RC was set to 1 The architecture of the pre-sented network is very simple because it can operate withonly two types of nodes that is a traffic concentrator and aterminal (a lamp) All the traffic is forced and coordinated bythe traffic concentrator Due to the lack of memory terminalsdo not know the network topology and even do not know theaddresses of neighboring nodes

The EGQF protocol uses a small set of packet types thatis command packets response packets and ACKCancelpackets Command packets in most cases are used by thetraffic concentrator for controlling or querying the lamp orthe pole The answer or acknowledgement from the lampis transported over the response packet The ACKCancelpacket is a packet which acts as the low layer ACK for thedestination node and as the relaying process canceler for theother nodesTheACKCancel packet is sent only by the trafficconcentrator to confirm the reception of the response and tocancel the flooding process of response or even commandcopies The relaying process in nodes which are neitherdestination nor source nodes depends on transmitting thecopy of the packet after the sum of constant short time(60ms) and random time in the condition of an undetectedcarrier The difference between the typical flooding protocoland the EGQF protocol is that while using a typical floodingprotocol the nodes always send a copy of the packet oncewhereas while using the EGQF protocol copies are sentas often as needed for instance once twice or never Thedecision of whether a copy of the packet should be sent ismade when the transfer discriminator value of the packet isgreater than the previously stored one The initial (or set atthe end of the process) transfer discriminator value is zeroThe transfer discriminator consists of two fields organized inthe following order the packet type code and the time-to-live (TTL) counter The TTL occupied three least significantbits of the control field of the packet while the packet typecode occupied two more significant bits in the same fieldCommands are coded as 00 responses as 01 andACKCancelas 11 so that the transfer process of the command packetis always canceled after receiving a response packet Thisis the same as response packet propagation after receivingACKCancel The above cases show us a situation where the


relaying process was canceled which is a difference withregard to the typical flooding protocol The solution adoptedin EGQF reduces the risk of collision Using the same schemait is possible to send a copy of the same packet type morethan once Such situation occurs when after sending thecopy of the packet the same packet is received again witha greater value of TTL than the already copied packet Thissituation occurs very seldom (eg when a packet with agreater number of hops comes earlier than a packet with asmaller number of hops) and it increases reliability [9]

3 Related Work

Every administrator of a Smart Lightning network or asafety specialist would like to be timely informed aboutany nontypical behaviors in the infrastructure that he is incontrol of (whether they are connected to attacks abusesor improper performance of devices or applications) [10]The most important issue is to aim for the detection ofnew threats and such hazards that would break throughthe traditional defense mechanisms One of the possiblesolutions is the use of systems based on Network BehaviorAnomaly Detection (NBAD) [11] These solutions do notutilize knowledge about the attacksrsquoabusesrsquo signatures [12]but they are based on behavioral analysis [13] Such anapproach allows for the detection of numerous threats whichldquomanifestrdquo their presence with nontypical behaviors in thenetwork [14]

Generally NBAD systems use statistical profiles orbehavioral models to detect potential threatsanomaliesMost often the model approaches are autoregressive onesfor example AutoRegressive Moving Average (ARMA)or AutoRegressive Fractional Integrated Moving Average(AFIMA) [15] or mixed models composed of autoregres-sive and exponential smoothing ones [16] (combined toimprove the forecasting process) There can also be foundsolutions applied to anomaly detection in the network trafficwhich are based only on traditional exponential smoothingmodels [17] However all those approaches do not usethe processes of optimization to find defined exponentialsmoothing models best matching the input data In thesubject literature there can also be found other works(theoretical ones in particular) that is Gardner [39 40]Ord and Lowe [20] or Archibald [41] describing proceduresof automatic prediction of future time seriesrsquo values basedthough on defined exponential smoothing models In thesolution proposed by us we use amathematicalmethodologypresented byHyndman [38 43] which depends on seeking anoptimalmodel (in the process of nonlinear optimization) andautomatic procedure of prediction to find the future valuesof the analyzed time series Then detection of anomaliesconsists in comparing the variability of the real time seriesrsquovalueswith the estimatedmodel of that traffic Such a solutionhas not been yet used for anomalyabuse detection in theSmart Lightning network traffic

However exhaustive description of methods and tech-niques of detection of anomalies andor outlier observationscan be found in review articles [14 24]They describe diverseapproaches to anomaly detection starting with machine

learning methods through data mining and informationtheory and finishing on spectral solutions Neverthelessanalysis of those solutions should be conveyed in closeconnection with their application

Extensive research has been conducted on security inSmart Grids most of them are done for anomaly detectionin backbone networks andor all areas of networks basedon TCPIP or UDPIP protocol stack [25] Not only doesanomaly detection in LV network concern Smart mMteringsystems but also data transmitted over the LV network mustbe encrypted In Smart Lighting systems there are no securityrequirements for the transmitted data Most works focuson data transfer reliability [26] in Smart Lighting last-milecommunication networks which is realized by using twoindependent technologies for instance PLC and wirelessIn this work the authors proposed a decentralized methodof anomaly detection similar to the one in [27] but thedifference is that our method is proposed for Smart Lightingsystems not for Smart Metering

In spite of that we did not find anomalyattack detectionpublications for Smart Lighting PLC based networks thereare different methods of anomaly detection used in WirelessSensor Networks (WSN) or Smart Metering networks Ingeneral the anomaly detectionmethods used so far for sensornetworks (especially for WSN) were divided into [18 19]statistical methods (eg statistical chi-square test kerneldensity estimator) signal processing methods (eg basedon frequency analysis like Discrete Wavelet Transformation(DWT)) data mining (eg clustering methods like 119870-means Support Vector Machines (SVM)) computationalintelligence (eg Self-Organizing Maps (SOM)) rule-basedmethods graph based methods (eg tree construction)and hybrid methods [18 19 21] Part of the anomalyattackdetection methods work in lower protocol layers (eg datalink layer or network layer) while others are focused onthe application layer (especially for the Advanced MeteringInfrastructure (AMI) used by energy operators)

4 Security Risks in PLC Smart LightingCommunication Networks

In Smart Cities security of critical infrastructures is essen-tial for providing confidentiality accessibility integrity andstability of the transmitted data The use of advanced digitaltechnologies (ITC) which connect more and more com-plicated urban infrastructures is risky because there mayappear different types of abuses which may hamper orcompletely disenable proper functioning of a Smart CityUndoubtedly one of the biggest frailties of a Smart City isthe Smart Lighting system when taking into account thesize of the area where it functions potentially big numberof the systemrsquos devices and the generated operational costsTherefore providing a proper level of security and protectionbecomes a crucial element of the SLCN solutions [28]

The task of a Smart Lighting system is not only to light thestreets Depending on the kind of pavement it must controlthe brightness of the lighting its dimming homogeneityand reflectivity providing drivers and pedestrians with max-imum safe visibility Therefore lighting installations with


luminaires which are used as light sources must be easilycontrollable Such controlling may include whole groupsor even individual lamps which may be turned on or offaccording to a specified schedule or dimmed up to any degreeat specified times and the state of individual devices mustbe easy to control In comparison to a traditional autonomiclighting system Smart Lighting solutions are characterizedby much bigger functionality and flexibility however due totheir intelligent nature they may be liable to different typesof abuses (attacks) Such actions may be realized by both thesole receiver of the service and intruders wanting to enforcea specific state of infrastructure [29]

The receiver most often causes destructive actions tothe SLCN which interfere with the transmission of controlsignals (by active or passive influence) to achieve a change inperiod andor intensity of the light Increasing the intensity oflighting in front of the receiverrsquos property allows for switchingoff the light on his land which may result in significanteconomic benefits However a much bigger problem seemsto be protection against intended attacksThere are numerousreasons for performing such attacks the main one being todisturb the controlling system in order to set a different valueof lighting than the one established by the operator Switchingoff the light or reduction of its intensity in some area mayfacilitate criminal proceedings Another reason is maliciousactivity consisting in hindering the lives of neighbors orlocal authorities by forcing a change in the schedule oflighting (eg switching off the light at night or turning it onduring the day) However a much more serious challengeseems to be protection against attacks realized for criminalpurposes Then every potential Smart Lighting lamp maybecome a point by means of which an attack on SLCN maybe performed [10]

Such actions in particular in the area of the last mile mayhave a conscious or unconscious nature The unconsciousinterference most often happens when the LV network feedsboth the streets and the usersrsquo households where the includedloads do not meet electromagnetic compatibility standardsThe conscious form of interference in the communicationsystem is related to deliberate activity that consists in switch-ing into the SLCN infrastructure such elements as capacitorsinterfering generators or terminals emulating a hub Loadingsuch devices even in LV networks dedicated only to lightingis not difficult and using them by an intruder may remainunnoticed for a longer time

Smart Lighting network security and protection fromsuch attacks seems to be a harder task to solve than theprevention of possible abuses (to achieve quantifiable butlimited economic benefits) from the receiversrsquo side

Attacks on Smart Lighting Communication Networkscan be divided into two basic categories passive and activePassive attacks are any activities aiming to gain unauthorizedaccess to the data or SLCN infrastructure for which theattacker does not use emission of signals that may disturbandor disenable correct performance of the signal Activeattacks on the other hand are all the attempts of illegal accessto the data or the SLCN systemrsquos infrastructure by meansof any signals or realization of any actions which may bedetected [30]

Realizing a passive attack on the SLCN the intrudercamouflages onersquos presence and attempts to gain access to thetransmitted data by passively listening to such a network It ismost often realized by switching into the network additionalnode which has similar functionalities to the original one Insuch situation we can distinguish three cases (i) pretendingto be a hub (ii) pretending to be a particular lamp (iii) orparticipating only in transferring frames in the transmissionprocess

To provide protection from such events appropriatecryptographic mechanisms are most often used Anotherkind of passive attack on the SLCM is activities for analyzingthe traffic inside the network In this case the intruderrsquosintention is not to know the content of the transmittedpackets of data but to get topological knowledge enabling thelearning of the structure of the attacked network

Contrary to the above presented passive forms of attackson the SLCN infrastructure in case of realization of anactive attack the intruder influences indirectly or directlythe contents of the sent information andor functionalityof the system Attacks of this kind are much easier todetect in comparison to the passive ones because they causevisible disturbances in the SLCN performance An effect ofconducting an active attack may be degradation of a specificservice or in extreme cases complete loss of control over thewhole or some part of the SLCN infrastructure

Due to the form purpose and manner of realizationactive attacks can be divided into three types (i) physicalattacks aiming at destroying andor disturbing correctness ofthe SLCNrsquos node operation by means of an electromagneticpulse (EMP) (ii) attacks on integrity and confidentiality ofthe transmitted data and (iii) and attacks oriented ontoparticular layers of the SLCN (especially for the providedservices)

Physical attacks are all kinds of destructive activitieswhose aim is to completely destroy or damage the SLCNinfrastructure One of their forms may be activities per-formed by means of an electromagnetic pulse (EPM) orinjecting high pulse distortion into the power supply network[31]

Attacks directed onto the integrity or confidentiality ofdata however are especially dangerous because they enablethe attacker to gain unauthorized access to the informationtransmitted via the SLCN This type of attack was presentedin [32]

Another kind of attack in the SLCN consists in overload-ing the attacked network infrastructure which is visible inthe lack of correct data transmission or disenabling accessto specific services Such actions are usually realized byintroducing to the network bigger traffic than can be servedThey can also have other forms for instance they can occurin the physical layer performing jamming activities andin the layer of data link they can flood the network withpackets causing as a result a collision of data and a necessityto retransmit them The simplest way to perform such anattack is to connect an additional capacitor to the powercircuitThis will cause suppression of the PLCmodem carriersignal Another method is to load into the SLCN a generatorbroadcasting in the transmission band of the system which


causes reduction of the signalnoise gap more renderinga higher level of interfering signal Reduction of the gapcauses then an increase in the number of transmission errorsAnother solution is to add any PLC modem transmitting inthe same band that is used by the Smart Lighting systemThissolution is a bit more advanced than the use of a generatorand causes themodems remainingwithin the intruderrsquos reachto stay in the ldquoreceiverdquo state without the ability to switch tothe ldquobroadcastrdquo mode in the period when it transmits forinstance when it broadcasts without a break or with shortbreaks [9]

To ensure protection against the above presented threatsespecially different kinds of active and passive attacks it isnecessary to provide a high level of security to the criticalSLCN infrastructure by continuous monitoring and controlof the network traffic One of the possible solutions to theso-stated problem can be to implement a detection systemof anomalies reflected in defined SLCN traffic parameters Inconsequence the detected nonstandard behaviors of specificparameters may indicate a possibility of a given abuse or anyother form of attack The present paper focuses on the abovestated question

5 The Proposed Solution Predictive AbuseDetection System

For ensuring a high level of security to Smart LightingCommunication Network systems it is required that theyare properly protected by means of passive actions (networkmonitoring storing incidents and reporting) and activeactions (constant supervision to enforce the adopted securitypolicy) Realization of the so-stated tasks ensures connectionbetween technologies Intrusion Detection System (IDS)and Intrusion Prevention System (IPS) In the hierarchy ofnetwork infrastructure protection these systems are locatedjust after security elements such as a firewall

The aim of the IPS systems is to undertake actions toprevent an attack minimize its results or actively respondto violation of security rules From the technical side IPSin big simplification is an IDS connected with a firewall Asfar as topology is concerned IPS systems can be divided intonetwork solutions based on (i) a passive probe connected tothe monitoring port of the switch analyzing all packets in agiven network segment (ii) or a probe placed between twonetwork segments operating in a transparent bridge modethat transmits all packets in the network The basic aim ofsuch solution is to compare between the real network trafficand the remembered attack signatures [12]

However IDS systems are used to increase the securityof the protected network both from the inside and fromthe outside Their advantage is that they can be used fornetwork traffic analysis and use diverse threat identificationtechniques One of them consists in the detection of knownattacks with the use of specified features (signatures) whichdescribe changes in the network traffic The second onthe other hand is based on monitoring normal networkrsquosperformance in order to find deviations from the norms(anomalies) which may indicate a break-in to the protectednetwork infrastructure

Anomaly detection (abuses) consists in recognition ofnonstandard patterns of behaviors reflected in the networktraffic parameters All incidents deviating from those patterns(which are profiles that describe normal behavior of thenetwork traffic) are classified as potentially dangerous andmight signify an attempt of an attack or abuse High efficiencyand effectiveness of methods based on anomaly detectionare closely related to the ability of recognition of unknownattacks (abuses) These methods operate on the basis ofknowledge of not how a given attack runs (what is its signa-ture) but what exceeds the defined network traffic patternTherefore systems based on anomaly detection work betterthan those using signatures while detecting new unknowntypes of attacks (abuses) [14]

In the present article we propose a predictive abusedetection system for PLC Smart Lighting Networks basedon automatically created models of exponential smoothingAssuming that the correctness of the created statistical modeldirectly depends on the quality of data used for designingit at the initial stage we identified and eliminated outlyingdata bymeans ofMahalanobisrsquos distance (see Section 51) Forthe so-prepared data statistical models were created (whichconstituted patterns) for particular network traffic param-eters This process was realized by means of exponentialsmoothing methods which in turn assume that the futureforecasted value depends not only on the last observed valuebut also on the whole set of the past values Simultaneouslythe influence of past values (former ones) is weaker thanthe influence of the newer values that is earlier ones (thismethodology is further developed in Section 52) It shouldbe noticed that the presented assumption agrees with thegenerally accepted rules of prediction Bearing in mind thepossibility of occurrence of essential real network trafficfluctuations (triggered by natural factors) a procedure of thepattern modelsrsquo update was proposed on the basis of theinterquartile spread criterion (see Section 53)

In Figure 2 we presented a block scheme of the pro-posed anomalyattack solution for smart lights Power LineCommunication networks The presented solution is spreadout across two physical localizations On the right part ofFigure 2 we can see the analyzed smart light PLC networkwith smart light marked as a yellow triangle connected todifferent phases of low-voltage power mains The PLC trafficfrom different localizations of smart light PLC networks(in our case we used 3 localizations on different streets) isgathered by the traffic concentrator and repacked into IPpackets in order to send PLC network traffic by means ofstandard IP WAN network to distant locations where weperform anomalyattack detection stepsWe used two routersequipped with different WAN (Wide Area Network) portsor LTE (Long-Term Evolution) modems in order to connectthese two localizations bymeans of dedicated safe connectionthrough VPN (Virtual Private Network)

On the left of Figure 2 we can see the second partof our anomalyattack detection solution placed on a dis-tant location (in our case the university building) Theproposed solution is divided into two branches The firstbranch is responsible for calculation of reference models forPLC anomalyattack detection purposes The second branch

Security and Communication Networks 7A

nom

aly

atta

ckde

tect

ion

repo

rt

Calculation ofexponentially smoothmodels forecasting intervals

Automatic calculationof exponentiallysmooth models

Remove outliervalues from PLCtrac features

ADS database ofexponentially smoothmodels based onforecasting intervals

PLC trac features comparisonto prediction intervalsmodels in ADS database

PLC lightsnetwork tracfeatures calculation

PLC lightsnetwork tracfeatures selection

Calculation of reference models for PLC network anomalyattack detection

Online calculated anomalyattack detection steps

WAN router WAN router

WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork



Smart light

Smart light Power Line Communication network

Figure 2 Block scheme of the proposed anomalyattack solution for smart lights Power Line Communication network

consists of steps performed online during anomalyattackdetection steps In order to achieve reference models for PLCnetwork traffic we extracted traffic features from the PLCnetwork traffic (more details are presented in Section 62)After removing outlier values for every traffic feature weperformed automatic calculation of exponential smoothingmodels and in the end forecasting intervals based on thesemodels (details are presented in Section 52) Connectionbetween the two branches of the proposed model is realizedby means of ADS database where forecasting intervals basedon exponential smoothing models are stored separately forevery extracted PLC network traffic feature Additionally thereference models are updated when necessary to prevent themodels from aging in case of changes in for example trafficcharacteristics or physical architecture (by providing addi-tional segments of PLC smart light network) Recalculationof the model is controlled by a trigger condition presented inmore detail in Section 53

The second branch of the proposedmodel also consists ofselection and calculation of the PLC network traffic features(see Section 62) PLC network traffic features are sampledand calculatedwith fixed time intervals appropriate for smartlight networks In order to detect anomalies we compareonline calculated traffic features to prediction intervals readfrom the ADS database where the prediction intervals basedon exponential smoothing models are stored When theonline calculated traffic features are outside the predictionintervals estimated by the model we generate an anomalydetection report for a given traffic feature (more details areprovided in Section 6)

51 Outliers Detection and Elimination Based on the Maha-lanobisrsquos Distance The quality of a statistical model directlydepends on the quality of data used to design it The valuesof variables describing observations in actual datasets areoften outlying (not typical) This is due to the specifics ofthe examined phenomenon or different kinds of errors Theoutlier observations may have a very strong influence on theresults of analysis and therefore they require special attention

The notion of outliers is not directly defined in theliterature In the present work a general definition takenfrom Hawkinsrsquos work [33] is used An outlier is such anobservation that deviates from the remaining observationsto such an extent that it generates an assumption that it was

created by another mechanism for instance it comes froma different distribution in the dataset It is worth noticingthat according to the above definition such emergenceindicates not fulfilling one of the most basic assumptionsconcerning the analyzed dataset namely that it is an iidset (independent and identically distributed) In that caseoccurrence of an outlier means that it comes from a differentdistribution and should not be analyzed with other elementsof the examined set of data

Analyzing particular elements and the operational envi-ronment of Smart Lighting Communication Networks itbecomes obvious that there may appear real possibilitiesof considerable fluctuations of the analyzed network trafficparameters (and as a consequence emergence of outliers)These fluctuations may have diverse sources for instance(i) environmental connected with interruptions caused byhigh-energy electromagnetic pulse (ii) technical related tochanges in the infrastructure (iii) devicesrsquo damage (iv) as aconsequence of a network attack or (v) intentional unfairinterference in the SLCN infrastructure Thus an importantelement of the preliminary analysis of data should be theevaluation of the impact that particular observations mayhave on the final result and in case of detection of outliersthey should be deleted from the set of data

In our approach identification of outliers in the analyzedSLCN traffic parameters is performed by means of a methodutilizing Mahalanobisrsquos distance The essence of this methodlies in the estimation of the distance between the analyzedobservation vector 119909 and the average value in the examineddataset based on the calculated matrix of variance andcovariance [34]

1198721198632 (119909) = (119909 minus 120583) Σ (119909 minus 120583) (1)

Σ = 1119899 minus 1

119899sum119894=1

(119909119894 minus 120583) (119909119894 minus 120583) (2)

where 120583 is the average value from the analyzed dataset and Σis the matrix of variance and covariance

To underline the generality of our method we left theoriginal Mahalanobisrsquos measure matrix record (the case ofmultiple regression) however with time series we have aone-dimensional case Identification of outliers is performedby comparing Mahalanobisrsquos square distance for each of the


observations with critical values taken from 1205942 distributionIf there are significant differences (at an accepted level ofimportance) the given observation is treated as an outlierThis approach has one drawback though namely the valueof the criterion (1) itself directly depends on statistics whichare very sensitive to the occurrence of distant values Toeliminate this disadvantage modifications were proposed forcalculating the meter (1) by exchanging the average 120583 witha resistant positional parameter One of the proposals is theuse of Minimum Volume Ellipsoid Estimator (MVE) [35]In this case 120583 takes the value of the center of gravity ofthe ellipsoid with a minimum volume containing at leastℎ observations of a given set where ℎ = (1198992) + 1 and119899 is the complete set of elements of the analyzed datasetThe second proposal is to designate a positional parameter120583 in formula (1) according to the following rule [35] 120583 is anaverage from these ℎ observations of the given set for whichthe determinant of covariance matrix is the smallest Such aresistant positional estimator is called Minimum CovarianceDeterminant (MCD) estimatorThe third approach suggestedin the paper [36] uses the analysis of main components andidentifies the distant observations just after transformation ofall observations in space ofmain components by determiningin this space Mahalanobisrsquos square distance The authors ofthis approach propose at the stage of preparing analyticaldata to standardize the variables by means of a medianas a positional parameter and MAD that is median abso-lute deviation as a dispersion parameter After using suchstandardization calculation of Euclidean distance in spaceof main components is equivalent to the calculation of theresistant variant of Mahalanobisrsquos distance

In summary it is necessary to state that the MD measuremodifications presented above are trying to eliminate thebasic drawback of the described method that is not alwaysreliable inference on the basis of classical statistics which arevery sensitive to the occurrence of nontypical observationsTherefore tomake an optimal choice numerous experimentswere performed on datasets containing the subject param-eters of SLCN traffic for both the original Mahalanobisrsquosmethod and its presented modifications As a result of theanalysis of the obtained results that is the size locationand number of outliers for further consideration we chosethe approach proposed by Filzmoser et al This method usesanalysis ofmain components for identification of outliers andit is further developed in [36]

52 The SLCN Traffic Featuresrsquo Forecasting Using ExponentialSmoothingModels Forecasting is still one of themain tasks ofthe time series analysis Construction of those predictions isusually amultistage process includingmatching the adequatemodel on the basis of historical data and evaluation of thequality of this matching (diagnostics) Correct conduct ofsuch analysis requires appropriate knowledge and experienceIt is usually also time-consuming which may become anobstacle when it is necessary to collect forecasts for numeroustime series simultaneouslyThus in practice there is a naturalneed to automate this forecasting

In case of some stages connected to matching the optimalmodel for data complete automatization is not possible

Particularly finding an appropriate compromise between thecomplexity of themodel and the quality of its matching to thedata often requires interpretation of the results by an analystAutomation of the optimal modelrsquos choice usually requiresadopting some assumptions simplifying the whole process(eg defining the statistical criterion which will be used asa measure of matching quality of the model or the possibleranges of variation of model parameters) [37]

Algorithms allowing for automatic construction of fore-casts should realize all the stages of the analysis that is (i)the choice of the optimal model for data (ii) parametersrsquoestimation and (iii) the forecastsrsquo construction (point andorinterval) While searching for an optimal model it is impor-tant to use proper criteria which will protect from too goodmatching of the model to the learning data which in turnmay lead to bad quality of forecasts for the new periodsThe algorithms should also be resistant in case of occurrence(in the analyzed time series) of outlier observations or theyshould be equipped with mechanisms of their detectionand elimination Additionally the algorithms should beeasily used for a big number of diverse time series withoutthe necessity of an analystrsquos interference and they shouldbe characterized by acceptable computational complexity[20]

One of the possible solutions to the so-stated problemof automatic forecasting is the ExponenTialSmoothing orErrorTrendSeason (ETS) models which constitute a familyof adaptive models developed by Hyndman et al [38] whichuses generalized algorithms of exponential smoothing Theircrucial advantages are simplicity relatively quick adaptivematching algorithm and ease of understanding and inter-pretation of the results The common denominator of thesemethods is assigning (exponentially) the weights decreasingwith distance in time to the past observations during theprocess of designating a new forecast for a future observationThis is due to the fact that the classical assumptions of thequantitative prediction come down to the postulate of therelative invariability of the development mechanism of thestudied phenomena and events In methods based on ETSexponential smoothing may be realized by means of differentmodels properly adjusted to the analyzed data

When the time seriesrsquo character and variability are ana-lyzed it is easy to notice that they are optionally composedof four elements a trend seasonal fluctuations periodicalfluctuations and random disturbancesThe seasonal fluctua-tions usually have an approximately constant period of timewhereas the time of the complete cycle of cyclical fluctuationsis usually changeable Optionally the components of theanalyzed time seriesmay be connected in twoways additivelyand multiplicatively [39] In the exponential smoothingmodels the trend is a combination of level 119888 and increment119892 values These two components may be connected in fourdifferentways including the attenuation parameter120601 isin [0 1]We then obtain diverse types of trends such as the following[40]

No trend 119881ℎ = 119888 (3a)

Additive 119881ℎ = 119888 + 119892ℎ (3b)


Multiplicative 119881ℎ = 119888119892ℎ (3c)

Attenuated 119881ℎ = 119888119892(120601+1206012+sdotsdotsdot+120601ℎ) (3d)

where119881ℎ describes the character of the trend and ℎ parameterdescribes the forecastrsquos horizon

If we take into consideration three possible combinationsof the seasonal component with a trend that is lack ofseasonality the additive variant and multiplicative variantthen we obtain twelve exponential smoothing models whichcan be written as

119897119905 = 120572119875119905 + (1 minus 120572)119876119905 (4a)

119887119905 = 120573119877119905 + (120601 minus 120573) 119887119905minus1 (4b)

119904119905 = 120574119879119905 + (1 minus 120574) 119904119905minus119898 (4c)

where 119897119905 denotes the series level at time 119905 119887119905 denotes the slopeat time 119905 119904119905 denotes the seasonal component of the seriesat time 119905 and 119898 denotes the number of seasons in a givenperiod the values of119875119905119876119905119877119905 and119879119905 vary according towhichof the cells the method belongs to and 120572 120573 120574 120601 isin [0 1] areconstants denoting model parameters [38]

The method with fixed level (constant over time) isobtained by setting 120572 = 0 the method with fixed trend (drift)is obtained by setting 120573 = 0 and the method with fixedseasonal pattern is obtained by setting 120574 = 0 Note also thatthe additive trend methods are obtained by letting 120593 = 1 inthe damped trend methods [41]

Theworks [42] discuss specific cases of state spacemodelswith a single source of error which may be a basis for somemethods of exponential smoothing Including the possiblecharacter of these errors we may present the state spacemodels for all twelve types of exponential smoothing asfollows

119884119905 = 119908 (119911119905minus1) + 119903 (119911119905minus1) 120598119905 (5a)

119911119905 = 119891 (119911119905minus1) + 119892 (119911119905minus1) 120598119905 (5b)

where 119911119905 = [119897119905 119887119905 119904119905 119904119905minus1 119904119905minus119898+1]119879 denotes the state vector119908(119909) 119903(119909) 119891(119909) and 119892(119909) are continuous functions withcontinuous derivatives and 120598119905 is a Gaussian white noiseprocess with mean zero and variance 1205902 and 120583119905 = 119908(119911119905minus1)[42]The error 120598119905may be included in themodel in an additiveor multiplicative way The model with additive errors has119903(119911119905minus1) = 1 so that119884119905 = 120583119905+120598119905Themodel withmultiplicativeerrors has 119903(119911119905minus1) = 120583119905 so that 119884119905 = 120583119905(1 + 120598119905) Thus 120598119905 =(119884119905 minus 120583119905)120583119905 is the relative error for the multiplicative modelThe models are not unique Apparently any value of 119903(119911119905minus1)will lead to identical point forecasts for 119884119905 [38]

From the twelve exponential smoothing modelsdescribed by dependency (4a) (4b) and (4c) after includingthe additive andmultiplicative error 120598119905 we obtain 24 adaptivemodels in the statesrsquo space The choice of an adequateexponential smoothing model in a particular prognostic taskrequires the selection of the best form of the model as well asinitialization of the 1199110 vectorrsquos components and parametersestimation Θ = [120572 120573 120574 120601]119879

It is necessary to calculate the values of 1199110 and Θparameters otherwise the models will not be useful forthe prognostic process It is not difficult to compute thelikelihood of the innovations state spacemodel (LISSMlowast) (see(6)) achieving the maximum likelihood estimates (MLE) issimilarly easy [38]

LISSMlowast (Θ 1199110) = 119899 log(119899sum119905=1

1205982119905119911119905minus1) + 2 119899sum119905=1

log 1003816100381610038161003816119903 (119911119905minus1)1003816100381610038161003816 (6)

where 119899 is the observationsrsquo numberCalculating the above is not difficult when recursive

equations are used [43] Minimizing LISSMlowast is a procedureused to calculate the parameter Θ and the initial state 1199110

The present model was selected by means of the AkaikeInformation Criterion (AIC)

AIC = LISSMlowast (Θ 0) + 2119896 (7)

where 119896 is the number of parameters inΘ plus the number offree states in 1199110 and Θ and 1199110 define the estimates of Θ and1199110 From all the models applicable to the data we selected theone which minimizes the AIC [44]

The AIC is also a method which enables us to choosebetween the additive and multiplicative error models How-ever there is no difference between the point forecasts ofthe two models to make it impossible for the standardaccuracy measures like the mean squared error (MSE) ormean absolute percentage error (MAPE) to differentiatebetween the error types

The presented methodology connected to optimalsearching for proper models of exponential smoothingrequires providing some initial values Usually the valuesof parameters 120572 120573 and 120574 are included in the range (0 1)However to avoid the problem with instability we usea narrower range of parameters that is 01 le 120572 le 0901 le 120573 le 09 01 le 120574 le 09 and 120573 le 120601 le 1 We also limitthe values of the initial states 119911119905 of the vectorrsquos elementsThis is done in such a way that the seasonality indexes weresummed up do zero for the additive model and added to119898 for the multiplicative model As the initial values in thenonlinear optimization we use 120572 = 120573 = 120574 = 05 and 120601 = 09

When we summarize the above ideas we obtain anautomatic forecasting algorithm It operates in compliancewith the following three-stage formula (i) all proper modelsare applied to each of the series to optimize the parameters(smoothing the variablersquos initial stage) (ii) selection of thebest matching model according to AIC and (iii) creation ofpoint forecasts on the grounds of the most effective model(with optimized parameters) for a necessary number of futurestages [38]

All the above described kinds of exponential smoothingmodels are created in compliance with the prediction theoryrsquosassumptions including the ongoing degradation processes(ie possible lack of stability in the variable correctness intime) Big flexibility of thosemodels and their adaptive abilityin case of irregular changes of the direction of speed of thetrend or deformations and shifts in seasonal fluctuationsmake them a comfortable tool for short-term forecasting


and prediction Hyndman et al [38 43] provide a detaileddescription of the proposed algorithm

53 The Condition of Statistical Modelrsquos Update The processof statistical modelsrsquo designation on the basis of experimentaldata is usually a complex task which depends on the knowl-edge about the object and attributes of the measuring results(observations)The quality of the designated statistical modeldirectly depends on the quality of data used for its estimation

In the present work the experimental object is networktraffic of an SLCN infrastructure and data characterizingthe state of the Smart Lighting system Both datasets arerepresented by defined time series While analyzing the char-acter of the examined dependencies in particular the SLCNtraffic parameters it is necessary to notice the possibility ofoccurrence of significant fluctuation of data The reasons ofthis phenomenon are to be sought in possible changes in theSLCN infrastructure that is aging of devices replacementwith newother models or modifications in the topology ofthe network Obviously when the nature of the analyzeddata changes there should be made a new estimation andcreation of an updated statistical model on the basis ofdatasets composed of the subject fluctuations As a resultthis should cause adaptation of the proposed method ofanomaly detection to the changing conditions (which are notan aftermath of any attack or abuse)

For the initial data selection that is checking if we aredealing with significant fluctuations in the analyzed timeseries we use the one-dimensional quartile criterion [45]For every analyzed set of data we calculate the first (Q1)and third (Q3) quartiles and the interquartile range (IRQ)IRQ = Q3 minus Q1 As influential observations we accept thosewhose values exceed the range (Q1minus 15IRQQ3 + 15IRQ) Asextremely influential observations however we understandthose exceeding the range (Q1 minus 3IRQ Q3 + 3IRQ)

In the next step for every detected influential observa-tion we check fulfilling the condition of whether it fits therange of forecasts of the appropriate reference model that isthe following condition

119909119894 isin (120583119891 minus 120590119891 120583119891 + 120590119891) 119894 = 1 2 119899 (8)

where 1199091 1199092 119909119899 is a time series limited by 119899-elementanalysis window 120583119891 is the average forecast of the givenreference model in the analysis window and 120590119891 is thestandard deviation of appropriate prognosis

The estimation condition of the new standard modelshould be an ability to detect (in the analyzed time series) sig-nificant and possibly stable statistic changeability Thereforeupdating the statistical model will be realized when in theanalyzed time series over 30 per cent of analysis windows in aweekly period contain observations not fitting the acceptableprognosis range of the appropriate reference model Theabove condition is a consequence of the observed depen-dency that the value of the false positive (FP) parameter of thepresented anomaly detection system increases exponentiallywhen in over 30 per cent analysis windows in a weekly periodwe note significant changeability in data

Table 1 PLC data link and network layer traffic features extractedfrom the traffic concentrators

Networkfeature PLC smart lights network traffic feature description

DLN1RSSI received signal strength indication for PLC

lamps [dBm]DLN2 SNR signal-to-noise ratio [dBu]DLN3 PER packet error rate per time interval []DLN4 PPTM number of packets per time intervalDLN5 TTL packet time-to-live value

Table 2 PLC application layer traffic features extracted from thetraffic concentrators


APL1 ENE power consumption by PLC lamp [Wh]APL2 TEMP lamp temperature [∘C]APL3 LUL lamp luminosity level in (value 0ndash100)APL4 NR number of lamp resets per time intervalAPL5 PS power supply value [V]

6 Experimental Installation andthe AnomalyAttack DetectionMethod and Results

In Figure 2 we presented a block scheme which consistsof the main steps in the proposed anomalyattack detectionmethod In the first step we extracted the PLC trafficfeatures from two experimental PLC smart lights networks(additional explanation can be found in Section 61) Thereare two main branches in the proposed method calculationof reference models for PLC network anomaly detection andthe second branch consisting of online steps for extractionof traffic features comparison of traffic features for referencemodel in ADS reference models database and generation ofan anomalyattack detection report for a given traffic feature

Values of the PLC traffic features can be captured in anarbitrary time interval but usually a 15-minute time interval issufficient for the PLC smart light networkThe extracted PLCnetwork traffic features (see Tables 1 and 2) are representedas a one-dimensional time series In case of a referencemodel generation we have to remove suspicious values firstby removing outlier values from network traffic features(see Section 51) After that step we can start to calculateexponential smoothing models (see Section 52) and in theend exponential smoothing models forecasting intervals Wecalculate a separate model for every PLC traffic feature andstore them in a database of reference models The referencemodels are calculated for a one-week period with a 15-minuteresolution window An example of the calculated forecastingintervals for traffic features can be seen in Figure 3We can seetwo prediction intervals for signal-to-noise ratio (SNR) PLCtraffic feature When the online calculated network trafficfeature is within boundaries set by two prediction intervals(see Figure 3) we assume that there is no anomalyattack in


Forecasts from ETS model

100 200 300 400 5000Time one interval 15 min

0

5

10

15

20

25

30

SNR

(dBu

)

Figure 3 Two prediction forecast intervals (80 narrower 95 wider) and 30-sample prediction interval calculated with the use ofexponential smoothing model (PLC traffic feature signal-to-noise ratio (SNR) [dBu])

this case We expect that 80 or 95 of the values for a givenPLC traffic feature will lie inside these intervals (see Figure 3)

The second branch in our anomalyattack detectionmethod consists of steps calculated online during normalwork of the PLC network anomalyattack detection methodIn the first two steps we extract and calculate PLC lightsnetwork traffic features from Tables 1 and 2 Next for everytraffic feature we check if the online calculated traffic featurevalues arewithin the intervals designated by referencemodelsstored in ADS reference database models When the onlinecalculated traffic features are outside reference intervals wegenerate a detection report about possible anomalyattacktriggered by the given PLC traffic feature

The main issue of the so far proposed anomalyattackdetection conception is the problem of reference modelsrsquoaging This phenomenon comes from the fact that thePLC lights network has a dynamic structure Connectingadditional segments of PLC smart lights networks will resultin changing of network traffic characteristics and as aconsequence the necessity of changing reference modelsNonupdated referencemodels will cause as a result a constantincrease of false positive values (FP []) To alleviate thisdrawback we propose a trigger condition responsible for therecalculation process of the reference models (see Section 53for more details) Reference models are calculated in a one-week period with the use of 15-minute windows Based onempirical experiments we recalculate all reference modelswhen trigger conditions (see (8)) are not satisfied in 30 ofthe 15-minute analysis windows during the one-week periodWe started to use new recalculated models at the beginningof the new week (the new model is valid for a minimum ofone-week period)

61 Experimental Testbed The analyzed data were capturedin two locations Nieszawska Street in Torun City (Poland)and University of Technology and Life Sciences (UTP) cam-pus in Bydgoszcz City (Poland) We also used an additionalseparate Smart Lighting low-voltage LV PLC network testbedconstructed during studies in GEKON project [46]

The first PLC network located in Nieszawska Streetwhich was dedicated to a Smart Lighting low-voltage LV

network has a length of 3 km (see Figure 4) divided by atraffic concentrator located in the middle of the street ThePLC smart lights network contains 108 lamps (only one lampis located on every electric pole) Old gas-discharge lampswere gradually replaced by smart LED lights We used thisnetwork for testing traffic concentrators and experiments fordetecting anomaliesattacks in PLC traffic

The second network was placed at the University ofTechnology and Life Sciences (UTP) campus (see Figure 4)In this case it was not a dedicated network with a separatepower supply (offices classrooms and labs were powered bythe same power supply network)The testbed in UTP campusconsisted of 36 lamps

Tests were performed in the laboratory (located in UTPcampus) with different types and numbers of lamps (gas-discharge lamps and LED lamps) The PLC traffic from bothlocations was captured from the WAN (from NieszawskaStreet) and local network placed in the university laboratory

62 Experimental Setup and Results In this section wepresent the methodology and results achieved for the pro-posed anomalyattack detection with the use of exponentialsmoothing based models We propose a set of differentscenarios for evaluating the usability of the proposedmethod

All experiments were carried out by means of two real-world PLC lights networks (see Section 61) A part of thetestbed located in the university campus can be seen inFigure 5 The picture presents different types of smart lightsused in the experiments Connections between the 36 lampsfor the testbed partially presented in Figure 5 are presentedin Figure 7 We can see connection schemes between lampsassigned to three-phase power mains with signed possiblehigh-quality and low-quality links The entire traffic asmentioned earlier is accessible by the traffic concentrator (redrectangle in Figure 7)

Every lamp consists of a PLC modem used for com-munication a lamp microprocessor controller and a powersupply An opened LED lamp with signed internal elementsis presented in Figure 6

The first step in our method requires capturing the PLCtraffic from smart lights networks presented in Section 61


WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork

IP network

IP network

Smart light Smart light Smart light

PLC network

PLC network

PLC lights traccapture and analysis

Nieszawska Street in Toruń City (Poland) 108 smart lights

University of Technology and Life Sciences (UTP)campus in Bydgoszcz (Poland) 36 smart lights

middot middot middot

Figure 4 Experimental testbed used for evaluation of the proposed anomalyattack detection method

Figure 5 Part of the testbed used for achieving experimental results located in the university campus

Figure 6 Opened LED smart light used in experiments


0

12

16 17 18 19 20 21 22 23 24

25

26

27

28

29

30

31

32

33

343536

CAPL2

CAPL1

CAPL3

Gateway to IP network

IP network

High quality connection through phase L1High quality connection through phase L2High quality connection through phase L3Low quality connection through phase L1Low quality connection through phase L2Low quality connection through phase L3

151413

12

11

10

9

8

7

6

5

4

3

Figure 7 Schematic connection between 36 smart lamps for the testbed located in the university campus

We collect PLC traffic from traffic concentrators which areresponsible for translating the PLC network packets into IPpackets In the next step we extract the PLC traffic features inorder to analyze these features for anomalyattack detection

In our experiments we extracted features that belongto every layer of a PLC protocol stack In Tables 1 and 2we can see the extracted PLC traffic features together withexplanations

Traffic features from Table 1 are extracted based on datalink and network layers of PLC communication stack DLN1and DLN2 features give us information about the quality ofthe received signals transmitted through the power mainsRSSI gives us information about the received signal strengthwhere the signal power may come from any sources (egdifferent modulations background radiation) RSSI does notgive us information about the possibility of signal decodingSNR [dBu] measure gives us information about the relationbetween the desired signal and the noise level DLN3 trafficfeature stands for Packet Error Rate (PER) per time intervalIn our case we used a 15-minute time interval PER iscalculated as a quotient between the number of destroyedpackets received by the traffic concentrator and the numberof all packets received by the traffic concentrator for agiven period of time DLN4 feature PPTM stands for thenumber of packets per time interval The last feature fromlayer 2layer 3 DLN5 gives us TTL information connectedto packets received by the PLC concentrator In Table 2there are traffic features extracted from the data payload(application layer) of the PLC packets The application layer

traffic features are connected with parameters used by theenergy supplieroperator management staff APL1 featuregives us information about power consumption for a givenperiod of time separately for a given lamp APL2 carriesinformation about the temperature read from smart lightsLUL (lamp luminosity level in []) feature has values ofluminosity sent by the lamp to the traffic concentrator APL4carries the number of lamp resets per time interval (the valueis stored in the Static Random Access Memory (SRAM) withbackup power provided by a supercapacitor) The last valueextracted from the data payload is PS (power supply) in volts[V] which is useful information for maintenance systems

After PLC network features extraction we can analyzesubsequent traffic features in order to detect possible anoma-liesattacks We propose scenarios (as realistic as possible)in order to evaluate the efficiency of the proposed anomalydetection methodology

There are different purposes of attacking smart lights PLCnetworks First of all the attacker would like to disturb thecontrol system of a smart light operator in order to changethe settings of the lamps parameters Switching lamps offor lightsrsquo intensity reduction for a given area may cause anincrease in crime or can be dangerous for car traffic (highestpossibility of car accidents especially at intersections) Inten-tional damage or setting lamps instantly on near selectedattacker possessions causes additional financial losses to theoperator

Detecting anomalies is also an important thing for thesmart lights operator The operator will be able to react faster


(a) (b) (c)

Figure 8 Impact (on signal received by the smart light) of 470 nF capacitance connected to the power line (a) without capacitor (b) capacitorconnected close to the traffic concentrator and (c) capacitor connected inside the lamp pole

805040 609k 20k 30k 150k100kFrequency (Hz)

10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)

Figure 9 Characteristics of the interference signal generated by damaged notebook switching supply

on damage intentional damage and network attacks so itwill be possible to limit the negative economic and socialconsequences

We can divide the proposed scenarios into two maingroups (i) the first type of scenario requires physical accessto the PLC network infrastructure in case of attacks on thephysical infrastructure of a PLC smart lights network and (ii)the second type of attack requires knowledge about devicesused in the PLC network and protocols used in the smartlights network

Scenario 1 The first type of attack belongs to Group I ofattacks It is an attack on the physical layer and requires con-nection of a capacitor to the power line The bigger the valueof capacitor we connect the higher the attenuation of PLCsignal we achieve In our case we connected a 470 nF capac-itor to the power line In Figure 8 we can see oscillogramsFigure 8(a) without connected capacitor Figure 8(b) with thesame value capacitor connected near the traffic concentratorand Figure 8(c) with capacitor 470 nF connected directlyinside the lighting pole In the presented oscillogram we cansee decreasing values of modulated PLC signals When weconnect a capacitor with higher values for example 47 uFclose to the PLC the transmitterrsquomodemwould not be able totransmit any packet because of the too low current efficiencyof power supply or line amplifier

A different method of attack on the physical layer isconnection of a signal generator to the power line Theconnected generator has to transmit the signal with valuesthat belong to the PLC frequency band used by the attackednetworkThe higher the level of the injected signal the biggerthe values of PER (DLN3 feature) and the lower values of theSNR traffic feature We performed such an attack by meansof a damagedprepared switching power supply which comesfrom a notebook computer This is an easy and cheap wayto perform such attack We transmitted a narrow bandwidthsignal with 90 dBuV power close to the disturbed device InFigure 9 we can see the characteristics of the interferencesignal that comes from the damaged laptop power supply

We also disturbed PLC power mains by a professionalElectrical Fast Transient (EFT)Burst generator [22] that isused during electromagnetic compatibility (EMC) tests andcapacitive coupling clamp (in this case there is no need fora galvanic connection to the power mains) according to theIEC 61000-4-4 [47] recommendation

In our experiments the capacitors and generator wereconnected constantly but the attacker can arbitrarily connectthese elements by a microcontroller controlled device andtake into consideration for example sunrise and sunset

Attacks from Scenario 1 have an impact mainly on datalink and the network layer fromTable 1 In Table 3 we can seethe results of the proposed anomalyattack detectionmethod


Table 3 DR [] and FP [] for anomaliesattacks performed on the SLCN in Scenario 1

Network feature DR [] FP [] DescriptionDLN1 9080 480 mdashDLN2 9800 360 The biggest impact on DLN2 in Scenario 1DLN3 9700 320 The biggest impact on DLN3 in Scenario 1DLN4 8140 520 mdashDLN5 7540 740 mdash




Network feature DR [] FP [] DescriptionAPL1 9840 280 mdashAPL2 9120 520 mdashAPL3 9680 380 mdashAPL4 mdash mdash Not important in this scenarioAPL5 mdash mdash Not important in this scenario

Scenario 2 In the second scenario the attacker would like togenerate random packets by means of a connected unautho-rized smart lamp or a PLC modem This is a more sophisti-cated attack than in case of using a generator (see Scenario 1)Constantly generated packets by the attackerrsquos PLC modemcause modems which are within the impact of this transmis-sion to be constantly in the receiving mode and to be unableto transmit or receive any packets The attacker transmitspackets with the use of carrier frequencyfrequencies usedin the attacked network one by one with the shortest delaysas possible between consecutive packets Packets transmittedby the attacker may be understandable or not from the smartlights networkrsquos point of view Results of DR [] and FP []for anomaly detection in case of Scenario 2 are presented inTables 4 and 5

Indirectly this type of attack can also be seen in applica-tion layer parameters because part of the lamps will switch tomaximum luminosity after three connection attempts to thetraffic concentrator (we set 900 seconds between attempts)In this case energy consumption will increase and otherparameters that depend on energy consumption also willchange (eg the lamprsquos temperature)

Scenario 3 The attack performed in Scenario 3 belongs toGroup II of attacks This type of attack requires knowledgeabout the PLC smart lights network topology devices used inthe smart lights network communication protocols used forevery layer of PLC communication stack and so forth

The attacker in the presented scenario connected anadditional traffic concentrator (with the same MAC address

as the valid traffic concentrator)The attackerrsquos traffic concen-trator pretends to be a valid communication device and takespart in packet exchange between lampsThe attacker is placednear lamps and wants to change the lampsrsquo settings In thiscase the attacker is far from the concentrator and the validconcentrator does not receive the command (or a commandcopy) sent by the fake concentrator In order to prevent thecommand from reaching the valid concentrator it is best tosend a command with TTL = 0

We also performed a similar attack when the attackerwas close to the valid concentrator In this case anomaly isrevealed by the registration command packet with TTL =TTLmaxThe valid concentratorwill never hear packetsrsquo copywith TTLmax In a proper situation the packet should haveTTL lt TTLmax In this case the attacker does not care thatpackets will not arrive to the valid concentrator Results forthe presented scenario are presented in Table 6

Scenario 4 In the presented scenario the attacker connectedan additional device with a PLC modem and tried to changeand retransmit packets with destroyed bitsThis action causesan increasing number of corrupted packets withwrongCyclicRedundancy Check (CRC) bytes In this case we can seean increasing value of Packet Error Rate (PER) (DLN3)network feature For example if we send a command to lampswith new luminosity settings some lamps may not get thisinformation When a lamp does not receive any commandafter three connection attempts to the concentrator (numberof attemptsrsquo parameter NA and time between attempts areprotocol parameters in our experiments set to NA = 3



Network feature DR [] FP [] DescriptionDLN1 mdash mdash Not important in this scenarioDLN2 mdash mdash Not important in this scenarioDLN3 mdash mdash Not important in this scenarioDLN4 9060 460 mdashDLN5 9860 340 mdash


Network feature DR [] FP [] DescriptionDLN1 mdash mdash Not important in this scenarioDLN2 mdash mdash Not important in this scenarioDLN3 9840 340 mdashDLN4 8540 724 mdashDLN5 9260 660 mdash



and time 900 seconds) then they will switch to maximumluminosityThis situation causes additional costs to the instal-lationrsquos operator This type of attack can be especially seenin application layer network features such as APL1 (ENEpower consumption by PLC lamp [Wh]) APL3 (LUL lampluminosity level received from the lamp) and indirectly thelamprsquos temperature (APL2) Detection rate DR [] and falsepositive FP [] results for Scenario 4 are presented in Tables7 and 8

Scenario 5 In the next scenario the attacker would like toprevent receiving the broadcast command (eg a commandthat wants to set a group of lamps to certain luminosity) bylamps When the attackerrsquos PLC modem detects a broadcastcommand sent by a traffic concentrator it transmits anarbitrary command (ie no operation command (NOP))in the unicast mode Transmission in the unicast modehas a higher priority and lower delay which is why thistransmission will reach first the lamp The lamp will respondto this packet by switching to the acknowledge ACKawaitingstate Broadcast command receiving is only possible for lampsin IDLE state Results for this scenario are presented in Tables9 and 10

Additional explanation requires application network fea-tures APL4 (number of lamp resets per time interval (NR))and APL5 (power supply (PS) value) These parameters aremainly important for the smart lights network operator andwere not affected by the attack simulated in our experimentsSuch parameters are important for smart lights network

management andmay indirectly have an impact on the trans-mission parameter but we did not have the chance to observethe impact of these parameters during our experiments

Taking into account all scenarios the detection rate (DR)values change from 7540 to 9880 while the false positiveranged from 780 to 240 We can see that dependingon the attack scenario only part of the network trafficfeatures selected from the PLC traffic give us meaningfulinformation from the anomalyattack detectionrsquos point ofview For example in Scenario 4 we can see a direct impacton data link and network layer features and indirect influenceon application layer features extracted from the data payload

Results achieved by the proposed anomalyattack detec-tion proved the usefulness of the proposedmethod Anomalydetection systems are characterized by higher values of falsepositive in comparison to classic intrusion detection systems(IDS) which are based on the database of already knownattacks

We verified the achieved results by comparing theproposed solution to methods available in the literatureAlthough we did not find anomaly and intrusion detectionfor smart lights PLC network operating in data link networklayer and application layer there are anomaly and intrusiondetection systems applied to WSN smart meter networks inSmart Grid AMI (Advanced Metering Infrastructure) Suchsolutions are mainly designed for energy theft detection andfor failure and maintenance purposes and operate usuallyin network and application layers Anomaly and intrusiondetection systems for energy theft detection use for example






the HMM (Hidden Markov Models) [48] rule-based solu-tions [13] and statistical methods by means of for exampleBollinger Bands [49] Different kinds of methods are forestimation of metering errors in AMI infrastructure with theuse of for example DTW (Dynamic Time Warping) [23] Ingeneral anomaly detection systems are very diverse and soa straightforward comparison is not easy though it can bestated bearing in mind the available literature [7 11 13 1516 23 48ndash50] that false positive values for anomaly detectiontype systems are generally less than 10 [18 19 21] This levelof false positive parameter is acceptable for the proposed classof systems especially for anomaly detection systems

We also proposed a mechanism that prevents the agingof exponential smoothing models (see Section 53) Such aninstallation like smart lights networks or Wireless SensorNetworks (WSN) changes over time so it is importantto predict such a situation and update anomaly detectionreference profiles in order to prevent the increase of falsepositive values

7 Conclusions

Thenumber of potential threats in dynamically created SmartCities and in particular in their critical communicationinfrastructures is very big and is increasing every dayThus protection from constantly newer vectors of attacks isbecoming more complicated and requires the use of highlyspecific solutions Currently themost often usedmechanismsensuring an adequate level of security in such infrastructuresare the methods of detection and classification of abuses(attacks) unknown so far often directed onto defined sourcesof critical communication infrastructures The basic aims ofsuch solutions are the early detection and reaction to thesymptoms of nontypical behavior of network traffic whichmay indicate various abuses originating both outside andinside the protected infrastructure

The article presents effective solutions concerning thedetection of different types of abuses in network traffic for

the critical infrastructure of Smart Lighting It proposes anddescribes the structure of the SLCN created for the purposesof the experiment The structure was built with the use ofPower Line Communication technology The key securityproblems are also discussed which have a direct impact onproper operation of the Smart Lighting critical infrastructurethat is the authors described the possibilities of emergenceof both external factors and active forms of attacks aim-ing at gaining influence on the informational contents ofthe transmitted data The article proposes an efficient andeffective method of abuse detection in the analyzed SmartLighting network traffic At the initial stage of the solutionthere is identification and elimination of outliers which isperformed bymeans ofMahalanobisrsquos distanceThe objectiveof such an activity was correction of data for automaticcreation of statistic models (standards) based on exponentialsmoothing methods The choice of optimal values of theestimated statistical models was realized as minimization oftheir forecast error The article also presents a procedureof recalculation (update) of the standard models in casethere are permanent changes in the character of the SLCNtraffic The next step is the calculation of the difference valuebetween the forecast in the estimated trafficmodel and its realvariability in order to detect abnormal behavior which mayindicate an attempt of an abuse for example a network attackor unauthorized interference in the SLCN infrastructure

The proposed anomalyattack detection system based onpredictive analysis with the use of exponential smoothingmethod was evaluated by five attack scenarios The proposedscenarios have an impact on every layer of PLC communica-tion stack In order to detect an anomalyattack we extracted10 network features from the PLC traffic network For allscenarios we achieved detection rate (DR) values changesfrom 7540 to 9880 while the false positive ranged from780 to 240 In order to prevent ADS reference modelsrsquoaging we added a trigger condition used for referenceprofiles recalculation The achieved results are promisingand proved that statistical analysis of traffic features with


the use of exponential smoothing models can be usefulfor anomalyattack detection and maintenance purposes forsmart lights operators

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the National Centre forResearch and Development and also by the National Fundfor Environmental Protection andWater Management underthe realized GEKON program (Project no 214093) and italso was supported by the Polish Ministry of Science andHigh Education and Apator SA Company under Contract04409CZR6-62009

References

[1] IEEE Standards Association IEEE Guide for Smart Grid Inter-operability of Energy Technology and Information TechnologyOperation with the Electric Power System (EPS) End-Use Appli-cations and Loads The Institute of Electrical and ElectronicsEngineers 2011

[2] M Gorczewska S Mroczkowska and P Skrzypczak ldquoBadaniewplywu barwy swiatla w oswietleniu drogowym na rozpoz-nawalnosc przeszkod (light color influence on obstacle recog-nitionrdquo Electrical Engineering vol 73 pp 165ndash172 2013

[3] H Schaffers ldquoLandscape and Roadmap of Future Internet andSmart Citiesrdquo 2012

[4] S Sun B Rong and Y Qian ldquoArtificial frequency selectivechannel for covert cyclic delay diversity orthogonal frequencydivision multiplexing transmissionrdquo Security and Communica-tion Networks vol 8 no 9 pp 1707ndash1716 2015

[5] IEC 62386-1022014 Digital addressable lighting interface - Part102 General requirements - Control gear 2014

[6] EN 50065-12011 Signalling on low-voltage electrical instal-lations in the frequency range 3 kHz to 1485 kHz Generalrequirements frequency bands and electromagnetic distur-bances 2011

[7] M A Faisal Z Aung J R Williams and A Sanchez ldquoData-stream-based intrusion detection system for advancedmeteringinfrastructure in smart grid a feasibility studyrdquo IEEE SystemsJournal vol 9 no 1 pp 31ndash44 2015

[8] P Kiedrowski B Dubalski T Marciniak T Riaz and J Gutier-rez ldquoEnergy greedy protocol suite for smart grid communica-tion systems based on short range devicesrdquo in Image Processingand Communications Challenges 3 vol 102 of Advances inIntelligent and Soft Computing pp 493ndash502 Springer BerlinGermany 2011

[9] P Kiedrowski ldquoErrors nature of the narrowband plc transmis-sion in smart lighting LV networkrdquo International Journal ofDistributed Sensor Networks vol 2016 Article ID 9592679 9pages 2016

[10] A S Elmaghraby andMM Losavio ldquoCyber security challengesin smart cities Safety security and privacyrdquo Journal of AdvancedResearch vol 5 no 4 pp 491ndash497 2014

[11] M H Bhuyan D K Bhattacharyya and J K Kalita ldquoNetworkanomaly detection methods systems and toolsrdquo IEEE Commu-nications Surveys amp Tutorials vol 16 no 1 pp 303ndash336 2014

[12] M Esposito C Mazzariello F Oliviero S P Romano andC Sansone ldquoEvaluating pattern recognition techniques inintrusion detection systemsrdquo in Proceedings of the 5th Interna-tional Workshop on Pattern Recognition in Information Systems(PRISrsquo05) in Conjunction with ICEIS 2005 pp 144ndash153 MiamiFL USA May 2005

[13] R Mitchell and I-R Chen ldquoBehavior-rule based intrusiondetection systems for safety critical smart grid applicationsrdquoIEEE Transactions on Smart Grid vol 4 no 3 pp 1254ndash12632013

[14] V Chandola A Banerjee and V Kumar ldquoAnomaly detection asurveyrdquo ACM Computing Surveys vol 41 no 3 article 15 2009

[15] T Andrysiak and Ł Saganowski Network Anomaly DetectionBasedon ARFIMA Model Image Processing ampamp Commu-nications Challenges 6 Advances in Intelligent Systems andComputing vol 313 Springer 2015

[16] E H M Pena M V O De Assis and M L Proenca ldquoAnomalydetection using forecasting methods ARIMA and HWDSrdquo inProceedings of the 32nd International Conference of the ChileanComputer Science Society SCCC 2013 pp 63ndash66 November2013

[17] G Galvas ldquoTime series forecasting used for real-time anomalydetection on websitesrdquo 2016 httpsbetavunlnlImagessta-geverslag-galvas tcm235-801861pdf

[18] M Xie S Han B Tian and S Parvin ldquoAnomaly detectionin wireless sensor networks a surveyrdquo Journal of Network andComputer Applications vol 34 no 4 pp 1302ndash1325 2011

[19] P Cheng and M Zhu ldquoLightweight anomaly detection forwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2015 Article ID 653232 2015

[20] K Ord and S Lowe ldquoAutomatic forecastingrdquo The AmericanStatistician vol 50 no 1 pp 88ndash94 1996

[21] V Garcia-Font C Garrigues and H Rifa-Pous ldquoA comparativestudy of anomaly detection techniques for smart city wirelesssensor networksrdquo Sensors vol 16 no 6 article 868 2016

[22] EFTBurst generator Teseq httpwwwteseqcomproductsNSG-3060php

[23] N Zhou J Wang and Q Wang ldquoA novel estimation method ofmetering errors of electric energy based on membership cloudand dynamic time warpingrdquo IEEE Transactions on Smart Gridvol 8 no 3 pp 1318ndash1329 2017

[24] V J Hodge and J Austin ldquoA survey of outlier detectionmethodologiesrdquo Artificial Intelligence Review vol 22 no 2 pp85ndash126 2004

[25] YWang T T Gamage andCHHauser ldquoSecurity Implicationsof Transport Layer Protocols in Power Grid SynchrophasorData Communicationrdquo IEEE Transactions on Smart Grid vol7 no 2 pp 807ndash816 2016

[26] M Mahoor F R Salmasi and T A Najafabadi ldquoA hierarchicalsmart street lighting system with brute-force energy optimiza-tionrdquo IEEE Sensors Journal vol 17 no 9 pp 2871ndash2879 2017

[27] C Liao C-W Ten and S Hu ldquoStrategic FRTU deploymentconsidering cybersecurity in secondary distribution networkrdquoIEEE Transactions on Smart Grid vol 4 no 3 pp 1264ndash12742013

[28] S M Rinaldi J P Peerenboom and T K Kelly ldquoIdentifyingunderstanding and analyzing critical infrastructure interde-pendenciesrdquo IEEE Control Systems Magazine vol 21 no 6 pp11ndash25 2001


[29] YWu C Shi X Zhang andW Yang ldquoDesign of new intelligentstreet light control systemrdquo in Proceedings of the 2010 8th IEEEInternational Conference on Control and Automation ICCA2010 pp 1423ndash1427 June 2010

[30] T Macaulay and B L Singer ICS vulnerabilities InCybersecurity industrial control systems SCADA DCS PLCHMI SIS [Internet] CRC PRESS Taylor amp Francis Group2012 httpswwwcrcpresscomCybersecurity-for-Industrial-Control-Systems-SCADA-DCS-PLC-HMI-andMacaulay-Singer9781439801963 [Google Scholar]

[31] R Smolenski Conducted Electromagnetic Interference (EMI) inSmart Grids Springer London UK 2012

[32] J Liu Y Xiao S LiW Liang and C L P Chen ldquoCyber securityand privacy issues in smart gridsrdquo IEEE CommunicationsSurveys amp Tutorials vol 14 no 4 pp 981ndash997 2012

[33] D M Hawkins Identification of Outliers Chapman and HallLondon UK 1980

[34] M J Healy ldquoMultivariate Normal Plottingrdquo Journal of AppliedStatistics vol 17 no 2 p 157 1968

[35] P J Rousseeuw ldquoLeast median of squares regressionrdquo Journalof the American Statistical Association vol 79 no 388 pp 871ndash880 1984

[36] P Filzmoser R Maronna and M Werner ldquoOutlier identifi-cation in high dimensionsrdquo Computational Statistics amp DataAnalysis vol 52 no 3 pp 1694ndash1711 2008

[37] R L Goodrich ldquoThe Forecast Pro methodologyrdquo InternationalJournal of Forecasting vol 16 no 4 pp 533ndash535 2000

[38] R JHyndmanA BKoehler RD Snyder and SGrose ldquoA statespace framework for automatic forecasting using exponentialsmoothing methodsrdquo International Journal of Forecasting vol18 no 3 pp 439ndash454 2002

[39] E S Gardner ldquoExponential smoothing the state of the artrdquoJournal of Forecasting vol 4 no 1 pp 1ndash28 1985

[40] E S Gardner Jr ldquoExponential smoothing the state of the art-part IIrdquo International Journal of Forecasting vol 22 no 4 pp637ndash666 2006

[41] B C Archibald ldquoParameter space of the holt-wintersrsquo modelrdquoInternational Journal of Forecasting vol 6 no 2 pp 199ndash2091990

[42] J Durbin and S J Koopman Time series analysis by state spacemethods vol 24 Oxford University Press Oxford UK 2001

[43] R J Hyndman and Y Khandakar ldquoAutomatic time seriesforecasting the forecast package for Rrdquo Journal of StatisticalSoftware vol 27 no 3 pp 1ndash22 2008

[44] H Bozdogan ldquoModel selection and Akaikersquos information cri-terion (AIC) the general theory and its analytical extensionsrdquoPsychometrika vol 52 no 3 pp 345ndash370 1987

[45] J Ramsey and D Wiley ldquoBook Reviews exploratory dataanalysis John W Tukey Reading Mass Addison-Wesley 1977Pps xvi +688 $1795rdquo Applied Psychological Measurement vol2 no 1 pp 151ndash155 1978

[46] National Fund for Environmental Protection and Water Man-agement under the realized GEKON program (project no214093)

[47] IEC 61000-4-4 httpwwwiecchemcbasic emcbasic emcimmunityhtm

[48] SMcLaughlin BHolbert A Fawaz R Berthier and S ZonouzldquoAmulti-sensor energy theft detection framework for advancedmetering infrastructuresrdquo IEEE Journal on Selected Areas inCommunications vol 31 no 7 pp 1319ndash1330 2013

[49] Y Liu S Hu and T-Y Ho ldquoLeveraging strategic detection tech-niques for smart home pricing cyberattacksrdquo IEEE TransactionsonDependable and Secure Computing vol 13 no 2 pp 220ndash2352016

[50] C-H Lo andNAnsari ldquoCONSUMER a novel hybrid intrusiondetection system for distribution networks in smart gridrdquo IEEETransactions on Emerging Topics in Computing vol 1 no 1 pp33ndash44 2013

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of


International Journal of

RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal of

Volume 201

Submit your manuscripts athttpswwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



Lamp node

Smart Lighting serverIP network

Trac concentrator

Trac concentrator

Trac concentratorTrac concentrator

APN server

ree-phase LV network ree-phase LV network



Figure 1 Smart Lighting critical infrastructure

and Power Line Communication (PLC) technology Thesteering server safely communicates through a data transmis-sion network with a central management and control systemThe central management system facilitates full control overall of the supervised lamps This allows for configuration ofparameters such as scenarios of switching onoff the lampsand time for initiation of the energy-saving function Italso supplies us with information concerning the currentperformance of the infrastructure and it reports failures andprovides data about lamps which work defectively [3]

In Figure 1 we can see the general block scheme ofa Smart Lighting Communication Network (SLCN) Thenetwork consists of lamp nodes (yellow triangles) connectedby three-phase low-voltage (LV) power mains by means ofPLC modems Traffic from the lamp nodes is received bya traffic concentrator (TC) The traffic concentrator alsoplays a role of a gateway between the PLC network andthe Internet Protocol (IP) network The Access Point NameServer (APN) allows us to make a connection by means ofpacket communication (eg Long-Term Evolution (LTE)) tothe PLC lighting network

Smart Lighting systems can be classified in two waysThe first way treats them as a subset of Smart City systemswhich are further understood as a subset called the InternetofThings Such classification does not include the whole areaof SL application (eg it does not contain Road Lightingsystems which in fact are identical to the street lightingsystems in terms of communication solutions) Thereforethe authors believe that a better way of classification is todefine the Smart Lighting as a part of the Smart Grid (SG)system This is a result of the fact that the Smart Lightingcommunication systems next to Smart Metering (SM) arethe biggest communication systems in Smart Grid when itcomes to the number of nodes and the size of the geographicarea where they operate The second key similarity is thetechnologies used in the fields of the last-mile area of thosecommunication systems In SL four technologies are appliednamely PLC Radio Frequency (RF) General Packet Radio

Service (GPRS) and Meter-Bus (M-BUS) while in SmartMetering there are only two PLC and RF As far as RFtechnologies are concerned in Smart Lighting and SmartMetering the used solutions are identical However in caseof PLC the differences are significant of which the mostimportant are the following (i) in terms of SM the standardPLC interfaces are applied [4] while in case of SL they are not(the existing Digital Addressable Lighting Interface (DALI)[5] has only local use eg steering a few lamps located onthe same pole not to control hundreds of lamps in a lightingcoursestring) (ii) the SM devices must communicate inBand A according to CENELEC [6] and SL devices mustcommunicate in Band A if the systemrsquos operator is an energysupplier or in Band B C or D if it is the receiver ofenergy (iii) there is a requirement to encrypt the transmittedinformation in case of SM while for SL there is no suchobligation

Even though on the market there are PLC chipsequipped with encryption modules (mostly AES-128) thisfunction is seldom usedThere are numerous reasons for thisfact for instance (i) bothersome distribution of encryptionkeys (ii) extending the transmission frames and thus improv-ing the unreliability and transmission time and (iii) finallythe cost of implementation

Actions connected with violating the safety rules inSmart Lighting Communication Networks (especially inthe last-mile area) may be deliberate or unaware Unawareinterference usually happens when the LV network powersboth streets and households in which there are connectedloads that do not meet the standards of electromagneticcompatibility On the other hand the deliberate interferencein a communication system consists in intentional switchinginto not only loads not being able to fulfil the norms butalso elements such as capacitors interfering generators orterminals emulating a hub Switching such devices even intothe LV networks dedicated only to lighting is not difficulttherefore an intruder may use them imperceptibly for alonger period of time











3 Related Work



































nom

aly

atta

ckde

tect

ion

repo

rt











WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork



Smart light










1198721198632 (119909) = (119909 minus 120583) Σ (119909 minus 120583) (1)

Σ = 1119899 minus 1

119899sum119894=1

(119909119894 minus 120583) (119909119894 minus 120583) (2)












No trend 119881ℎ = 119888 (3a)

Additive 119881ℎ = 119888 + 119892ℎ (3b)






119897119905 = 120572119875119905 + (1 minus 120572)119876119905 (4a)

119887119905 = 120573119877119905 + (120601 minus 120573) 119887119905minus1 (4b)

119904119905 = 120574119879119905 + (1 minus 120574) 119904119905minus119898 (4c)




119884119905 = 119908 (119911119905minus1) + 119903 (119911119905minus1) 120598119905 (5a)

119911119905 = 119891 (119911119905minus1) + 119892 (119911119905minus1) 120598119905 (5b)





1205982119905119911119905minus1) + 2 119899sum119905=1

log 1003816100381610038161003816119903 (119911119905minus1)1003816100381610038161003816 (6)
















119909119894 isin (120583119891 minus 120590119891 120583119891 + 120590119891) 119894 = 1 2 119899 (8)
















0

5

10

15

20

25

30

SNR

(dBu

)















WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork

IP network

IP network


PLC network

PLC network









0

12

16 17 18 19 20 21 22 23 24

25

26

27

28

29

30

31

32

33

343536

CAPL2

CAPL1

CAPL3


IP network


151413

12

11

10

9

8

7

6

5

4

3










(a) (b) (c)



10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation



















3 Related Work



































nom

aly

atta

ckde

tect

ion

repo

rt











WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork



Smart light










1198721198632 (119909) = (119909 minus 120583) Σ (119909 minus 120583) (1)

Σ = 1119899 minus 1

119899sum119894=1

(119909119894 minus 120583) (119909119894 minus 120583) (2)












No trend 119881ℎ = 119888 (3a)

Additive 119881ℎ = 119888 + 119892ℎ (3b)






119897119905 = 120572119875119905 + (1 minus 120572)119876119905 (4a)

119887119905 = 120573119877119905 + (120601 minus 120573) 119887119905minus1 (4b)

119904119905 = 120574119879119905 + (1 minus 120574) 119904119905minus119898 (4c)




119884119905 = 119908 (119911119905minus1) + 119903 (119911119905minus1) 120598119905 (5a)

119911119905 = 119891 (119911119905minus1) + 119892 (119911119905minus1) 120598119905 (5b)





1205982119905119911119905minus1) + 2 119899sum119905=1

log 1003816100381610038161003816119903 (119911119905minus1)1003816100381610038161003816 (6)
















119909119894 isin (120583119891 minus 120590119891 120583119891 + 120590119891) 119894 = 1 2 119899 (8)
















0

5

10

15

20

25

30

SNR

(dBu

)















WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork

IP network

IP network


PLC network

PLC network









0

12

16 17 18 19 20 21 22 23 24

25

26

27

28

29

30

31

32

33

343536

CAPL2

CAPL1

CAPL3


IP network


151413

12

11

10

9

8

7

6

5

4

3










(a) (b) (c)



10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation


































nom

aly

atta

ckde

tect

ion

repo

rt











WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork



Smart light










1198721198632 (119909) = (119909 minus 120583) Σ (119909 minus 120583) (1)

Σ = 1119899 minus 1

119899sum119894=1

(119909119894 minus 120583) (119909119894 minus 120583) (2)












No trend 119881ℎ = 119888 (3a)

Additive 119881ℎ = 119888 + 119892ℎ (3b)






119897119905 = 120572119875119905 + (1 minus 120572)119876119905 (4a)

119887119905 = 120573119877119905 + (120601 minus 120573) 119887119905minus1 (4b)

119904119905 = 120574119879119905 + (1 minus 120574) 119904119905minus119898 (4c)




119884119905 = 119908 (119911119905minus1) + 119903 (119911119905minus1) 120598119905 (5a)

119911119905 = 119891 (119911119905minus1) + 119892 (119911119905minus1) 120598119905 (5b)





1205982119905119911119905minus1) + 2 119899sum119905=1

log 1003816100381610038161003816119903 (119911119905minus1)1003816100381610038161003816 (6)
















119909119894 isin (120583119891 minus 120590119891 120583119891 + 120590119891) 119894 = 1 2 119899 (8)
















0

5

10

15

20

25

30

SNR

(dBu

)















WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork

IP network

IP network


PLC network

PLC network









0

12

16 17 18 19 20 21 22 23 24

25

26

27

28

29

30

31

32

33

343536

CAPL2

CAPL1

CAPL3


IP network


151413

12

11

10

9

8

7

6

5

4

3










(a) (b) (c)



10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation


















No trend 119881ℎ = 119888 (3a)

Additive 119881ℎ = 119888 + 119892ℎ (3b)






119897119905 = 120572119875119905 + (1 minus 120572)119876119905 (4a)

119887119905 = 120573119877119905 + (120601 minus 120573) 119887119905minus1 (4b)

119904119905 = 120574119879119905 + (1 minus 120574) 119904119905minus119898 (4c)




119884119905 = 119908 (119911119905minus1) + 119903 (119911119905minus1) 120598119905 (5a)

119911119905 = 119891 (119911119905minus1) + 119892 (119911119905minus1) 120598119905 (5b)





1205982119905119911119905minus1) + 2 119899sum119905=1

log 1003816100381610038161003816119903 (119911119905minus1)1003816100381610038161003816 (6)
















119909119894 isin (120583119891 minus 120590119891 120583119891 + 120590119891) 119894 = 1 2 119899 (8)
















0

5

10

15

20

25

30

SNR

(dBu

)















WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork

IP network

IP network


PLC network

PLC network









0

12

16 17 18 19 20 21 22 23 24

25

26

27

28

29

30

31

32

33

343536

CAPL2

CAPL1

CAPL3


IP network


151413

12

11

10

9

8

7

6

5

4

3










(a) (b) (c)



10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation














119897119905 = 120572119875119905 + (1 minus 120572)119876119905 (4a)

119887119905 = 120573119877119905 + (120601 minus 120573) 119887119905minus1 (4b)

119904119905 = 120574119879119905 + (1 minus 120574) 119904119905minus119898 (4c)




119884119905 = 119908 (119911119905minus1) + 119903 (119911119905minus1) 120598119905 (5a)

119911119905 = 119891 (119911119905minus1) + 119892 (119911119905minus1) 120598119905 (5b)





1205982119905119911119905minus1) + 2 119899sum119905=1

log 1003816100381610038161003816119903 (119911119905minus1)1003816100381610038161003816 (6)
















119909119894 isin (120583119891 minus 120590119891 120583119891 + 120590119891) 119894 = 1 2 119899 (8)
















0

5

10

15

20

25

30

SNR

(dBu

)















WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork

IP network

IP network


PLC network

PLC network









0

12

16 17 18 19 20 21 22 23 24

25

26

27

28

29

30

31

32

33

343536

CAPL2

CAPL1

CAPL3


IP network


151413

12

11

10

9

8

7

6

5

4

3










(a) (b) (c)



10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation















119909119894 isin (120583119891 minus 120590119891 120583119891 + 120590119891) 119894 = 1 2 119899 (8)
















0

5

10

15

20

25

30

SNR

(dBu

)















WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork

IP network

IP network


PLC network

PLC network









0

12

16 17 18 19 20 21 22 23 24

25

26

27

28

29

30

31

32

33

343536

CAPL2

CAPL1

CAPL3


IP network


151413

12

11

10

9

8

7

6

5

4

3










(a) (b) (c)



10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












0

5

10

15

20

25

30

SNR

(dBu

)















WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork

IP network

IP network


PLC network

PLC network









0

12

16 17 18 19 20 21 22 23 24

25

26

27

28

29

30

31

32

33

343536

CAPL2

CAPL1

CAPL3


IP network


151413

12

11

10

9

8

7

6

5

4

3










(a) (b) (c)



10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










WAN network

Trac concentrator

Trac concentrator

IP n

etw

ork

IP network

IP network


PLC network

PLC network









0

12

16 17 18 19 20 21 22 23 24

25

26

27

28

29

30

31

32

33

343536

CAPL2

CAPL1

CAPL3


IP network


151413

12

11

10

9

8

7

6

5

4

3










(a) (b) (c)



10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










0

12

16 17 18 19 20 21 22 23 24

25

26

27

28

29

30

31

32

33

343536

CAPL2

CAPL1

CAPL3


IP network


151413

12

11

10

9

8

7

6

5

4

3










(a) (b) (c)



10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










(a) (b) (c)



10

20

30

40

50

60

70

80

90

100

110

120

Leve

l (dB

V

)












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












































7 Conclusions









Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













Acknowledgments


References




















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation
































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









Predictive Abuse Detection for a PLC Smart Lighting ...

Documents

Transcript of Predictive Abuse Detection for a PLC Smart Lighting ...