False data injection attack sample generation using an adversarial attention-diffusion model in smart grids
智能电网中利用对抗性注意力扩散模型生成虚假数据注入攻击样本

1.   Introduction  1. 简介

As a key component of modern power systems, smart grids are designed to achieve efficient, flexible, and safe energy distribution. By integrating advanced sensor technology, communication networks, and intelligent control strategies, smart grids have gradually evolved into a highly integrated cyber-physical system (CPS) ^[1], and can respond to various operating conditions and external events in real time, optimize resource allocation, and improve the system's adaptability and anti-interference capabilities. However, this progress has also brought new security challenges, especially in the face of increasingly complex cyber attacks. A false data injection attack (FDIA) is one of the main security threats facing smart grids. By manipulating the measurement data of the power grid, attackers can mislead the system state estimation and decision-making process, thereby posing a serious threat to the stability and security of the power grid ^[2]. The stealth and complexity of such attacks make it difficult for traditional security measures to effectively deal with it. It is urgent to develop new defense mechanisms to ensure the data integrity and system security of smart grids.
智能电网是现代电力系统的重要组成部分，旨在实现高效、灵活、安全的能源分配。智能电网通过集成先进的传感器技术、通信网络和智能控制策略，逐渐发展成为高度集成的信息物理系统 (CPS) ^[1] 并能实时响应各种运行状况和外部事件，优化资源配置，提高系统的适应性和抗干扰能力。然而，这种进步也带来了新的安全挑战，特别是面对日益复杂的网络攻击。虚假数据注入攻击（FDIA）是智能电网面临的主要安全威胁之一。攻击者通过操纵电网的测量数据，可以误导系统状态估计和决策过程，从而对电网的稳定性和安全性构成严重威胁 ^[2] 此类攻击的隐蔽性、复杂性使得传统安全手段难以有效应对，亟待开发新的防御机制，保障智能电网的数据完整性和系统安全。

In recent years, large-scale grid security incidents in which criminals use data tampering mechanisms to attack occur frequently. Take the attack on Ukrenergo as an example. From 2015 to 2016, Ukrenergo suffered two cyber attacks. The attackers injected false data into the monitoring data acquisition system and deleted the original data, causing huge economic losses and social unrest ^[3]. This has also attracted the attention of many researchers to FDIA attacks. Since false data can be cleverly designed by attackers to evade detection by detection mechanisms, the purpose of intrusion can be achieved, causing irreversible damage to the power system. Therefore, society has carried out a lot of research work to identify and defend against an FDIA. For example, Kumar et al. ^[4] explored the effectiveness of machine learning algorithms in detecting false data injection attacks (FDIA) in critical infrastructure. Cheng et al. ^[5] introduced a highly discriminative FDIA detector called k-minimum residual similarity (kSRS) detection. This method achieves a high detection rate and low false alarm rate for an FDIA by characterizing the statistical consistency of measurement residuals in AC state estimation. Qu et al. ^[6] proposed a novel approach to improve the accuracy of DDIA detection and localization by synthesizing topological correlations in non-Euclidean spatial attributes of grid data. However, the above research is based on traditional machine learning to design FDIA detection solutions, which are limited by the complexity of manual feature extraction, dimensionality disaster, and insufficient generalization ability when detecting FDIA attacks. Therefore, traditional FDIA detection methods have gradually lost their effectiveness in defending against these network attacks.
近年来，犯罪分子利用数据篡改手段进行攻击的大规模电网安全事件频频发生。以乌克兰国家电网公司遭受攻击为例，2015年至2016年，乌克兰国家电网公司遭受了两次网络攻击，攻击者向监控数据采集系统注入虚假数据，并删除原始数据，造成巨大的经济损失和社会动荡 ^[3] 这也引起了众多研究者对FDIA攻击的关注，由于攻击者可以巧妙设计虚假数据以逃避检测机制的检测，从而达到入侵的目的，对电力系统造成不可逆的破坏，因此社会上开展了大量对FDIA的识别和防御研究工作，例如Kumar等[1]对FDIA进行了研究。 ^[4] 探索了机器学习算法在检测关键基础设施中的虚假数据注入攻击 (FDIA) 方面的有效性。Cheng 等人 ^[5] 介绍了一种高辨别性的 FDIA 检测器，称为 k 最小残差相似度 (kSRS) 检测。该方法通过表征 AC 状态估计中测量残差的统计一致性，实现了 FDIA 的高检测率和低误报率。Qu 等人 ^[6] 提出了一种通过综合栅格数据非欧几里德空间属性中的拓扑相关性来提高DDIA检测与定位准确率的新方法。但上述研究都是基于传统机器学习来设计FDIA检测方案，在检测FDIA攻击时受到人工特征提取的复杂性、维数灾难、泛化能力不足等限制。 因此，传统的FDIA检测方法在防御这些网络攻击方面已逐渐失去效力。

With the update and iteration of technology, some FDIA detection methods based on machine learning and deep learning have also been developed. In order to correctly detect false data injection attacks in power grids, Fand et al. ^[7] proposed a one-dimensional convolutional neural network (1DCNN) and long short-term memory (LSTM) network multi-channel fusion network model based on the residual neural network (ResNet) structure, referred to as the channel-fused Res-CNN-LSTM network model. In order to make the detection results more credible, Su et al. ^[8] proposed an interpretable deep learning FDIA detection method, namely the dual attention multi-head graph attention network (DAMGAT). Takiddin et al. ^[9] proposed an anomaly detector based on generalized graph neural networks (GNN), which is robust to an FDIA and data poisoning. Li et al. ^[10] proposed a false data detection method based on graph neural networks, extracting the spatial features of power grid topology information and operation data through gated graph neural networks (GGNN). Qu et al. ^[11] proposed an improved adaptive Kalman filter (AKF) and convolutional neural network (CNN) hybrid detection method for power information physical system (CPS) FDIA. Wang et al. ^[12] proposed a deep learning-based location detection architecture (DLLD) to detect the exact location of an FDIA in real time. Xie et al. ^[13] proposed a Bayesian deep learning-based method to detect network attacks and maintain the security of smart grids. Although these methods show great advantages in FDIA attack detection, they also have great limitations. Most of the methods rely on large-scale training attack samples, but in the actual scenario, FDIA attack samples are difficult to obtain, and samples are scarce, resulting in extremely unbalanced sample data sets. Although they have strong detection performance, if there are not enough attack samples for model training, the efficiency of the FDIA attack detection model in smart grids will also be reduced. Therefore, the construction of FDIA attack samples and the acquisition of balanced data sets become the first problems to be solved.
随着技术的更新迭代，一些基于机器学习、深度学习的FDIA检测方法也得到了发展。为了正确检测电网中的虚假数据注入攻击，Fand等[9]提出了一种基于FDIA的检测方法，用于检测电网中的虚假数据注入攻击。 ^[7] 提出了一种基于残差神经网络（ResNet）结构的一维卷积神经网络（1DCNN）与长短期记忆网络（LSTM）多通道融合网络模型，简称通道融合的Res-CNN-LSTM网络模型。为了使检测结果更加可信，苏等人。 ^[8] 提出了一种可解释的深度学习FDIA检测方法，即双重注意多头图注意网络（DAMGAT）。Takiddin等人 ^[9] 提出了一种基于广义图神经网络（GNN）的异常检测器，该检测器对 FDIA 和数据中毒具有很强的鲁棒性。Li 等人 ^[10] 提出了一种基于图神经网络的虚假数据检测方法，通过门控图神经网络（GGNN）提取电网拓扑信息和运行数据的空间特征。 ^[11] 提出了一种针对电力信息物理系统（CPS）FDIA的改进自适应卡尔曼滤波（AKF）和卷积神经网络（CNN）混合检测方法。 ^[12] 提出了一种基于深度学习的位置检测架构 (DLLD)，用于实时检测 FDIA 的精确位置。Xie 等人 ^[13] 提出了基于贝叶斯深度学习的方法来检测网络攻击，维护智能电网的安全。虽然这些方法在FDIA攻击检测中表现出很大的优势，但也存在很大的局限性。 大部分方法都依赖于大规模训练攻击样本，但在实际场景中，FDIA攻击样本获取困难，样本稀缺，导致样本数据集极不平衡。虽然具有较强的检测性能，但如果没有足够的攻击样本进行模型训练，智能电网中FDIA攻击检测模型的效率也会降低。因此，FDIA攻击样本的构建和均衡数据集的获取成为首先要解决的问题。

Several researchers have conducted extensive research on the construction of FDIA attack vectors. Yan et al. ^[14] proposed the DoS-WGAN architecture, which uses a Wasserstein generative adversarial network (WGAN) with gradient penalty technology to evade network traffic classifiers. WGAN is used to automatically synthesize attack vectors that can be disguised as normal network traffic in the case of network attacks and bypass the detection of network intrusion detection systems. To address the problem of highly unbalanced data samples, Kumar et al. ^[15] proposed a Wasserstein conditional generative adversarial network (WCGAN) combined with an XGBoost classifier. The gradient penalty is used together with WCGAN for stable learning of the model. Tian et al. ^[16] introduced the joint adversarial examples and FDIA (AFDIA) to explore various attack scenarios on power system state estimation. Considering that disturbances directly added to the measurement are likely to be detected by the BDD, a method of adding disturbances to the state variables is proposed to ensure that the attack is invisible to the BDD. Bhattacharjee et al. ^[17] proposed a scheme for constructing invisible attack vectors based on independent component analysis to identify mixing matrices. Wu et al. ^[18] proposed a new FDIA sample generation method to construct large-scale attack samples by introducing a mixed Laplace model that can accurately fit the distribution of data changes. Li et al. ^[19] designed an efficient adversarial model for generating FDIA attack samples at the edge of public and private networks that can effectively bypass detection models and threaten grid systems. Through interactive adversarial learning, efficient FDIA attack samples can be continuously generated. Although the existing sample generation method can appropriately expand the FDIA attack sample library, its generation method is too simple, resulting in low concealment and weak attack capability of the generated samples, which is not conducive to the training of the detection model and the improvement of performance.
许多研究人员对 FDIA 攻击向量的构建进行了广泛的研究。Yan 等人。 ^[14] 提出了 DoS-WGAN 架构，利用 Wasserstein 生成对抗网络 (WGAN) 结合梯度惩罚技术来逃避网络流量分类器。WGAN 用于在网络攻击发生时自动合成可以伪装成正常网络流量的攻击向量，绕过网络入侵检测系统的检测。针对数据样本高度不平衡的问题，Kumar 等人提出了一种基于 WGAN 的 DoS-WGAN 架构。 ^[15] 提出了一种结合XGBoost分类器的Wasserstein条件生成对抗网络（WCGAN），并结合梯度惩罚和WCGAN实现模型的稳定学习。Tian等 ^[16] 引入联合对抗样本和 FDIA（AFDIA）来探索针对电力系统状态估计的各种攻击场景。考虑到直接添加到测量中的扰动很可能被 BDD 检测到，提出了一种向状态变量添加扰动的方法，以确保攻击对 BDD 不可见。Bhattacharjee 等人。 ^[17] 提出了一种基于独立成分分析识别混合矩阵的隐形攻击向量构建方案。吴等人。 ^[18] 通过引入能够准确拟合数据变化分布的混合拉普拉斯模型，提出了一种新的FDIA样本生成方法来构造大规模攻击样本。 ^[19] 设计了一种有效的对抗模型，用于在公共和私有网络边缘生成 FDIA 攻击样本，可以有效绕过检测模型并威胁电网系统。 通过交互式对抗学习，可以不断生成高效的FDIA攻击样本。现有的样本生成方法虽然可以适当扩充FDIA攻击样本库，但是其生成方法过于简单，导致生成的样本隐蔽性不高、攻击能力弱，不利于检测模型的训练和性能的提升。

With the rise of generative AI technology, a new perspective has been brought to the detection of various network attacks. Among them, the diffusion model has gradually become a new and most advanced model among the deep generation models in recent years, showing superior performance in the research of image generation and multi-modal generation. Compared with traditional deep learning methods, it can generate new attack samples with better concealment and attack capabilities by learning the distribution of data, which provides a new way to understand the strategies that attackers may adopt. Therefore, in response to the above problems, considering the diversity, concealment, and scalability of the data generated by the diffusion model ^[20] and its powerful generation ability, this paper presents a method to generate FDIA attack samples using an adversarial attention diffusion model. The proposed AttDiff model consists of a diffusion model and a GAN (ATTGAN) model with an attention mechanism. First, as the time step increases, in the forward diffusion process, the original input data is gradually denoised, the attack vector is injected, and the data state corresponding to each time step and the added noise are recorded. The recorded data is then used to train generative adversarial network (ATTGAN) models with attention mechanisms. The purpose is to allow the ATTGAN model to effectively focus on the information of power grid measurements and topological nodes through adversarial training, while weakening irrelevant information and fully learning the characteristics of real sample data. Afterward, in the reverse diffusion process, the noise-added data processed in the forward diffusion process should be denoised from back to front in combination with the size of the time step, and the trained ATTGAN model should be combined to predict the noise value to be removed. In this process, the purpose is to build the attack sample data closest to the real sample from the noise. The FDIA sample generated by the method in this paper is more diversified, more hidden, and can effectively simulate the behavior of the real attacker, and is less likely to be detected by the detector.
随着生成式人工智能技术的兴起，为各类网络攻击的检测带来了新的视角。其中，扩散模型近年来逐渐成为深度生成模型中较新的、最先进的模型，在图像生成、多模态生成的研究中表现出优越的性能。与传统的深度学习方法相比，它可以通过学习数据的分布来生成隐蔽性和攻击能力更强的新型攻击样本，为理解攻击者可能采取的策略提供了新的思路。因此，针对上述问题，考虑扩散模型生成数据的多样性、隐蔽性和可扩展性 ^[20] 及其强大的生成能力，本文提出一种利用对抗性注意扩散模型生成FDIA攻击样本的方法。提出的AttDiff模型由扩散模型和带有注意机制的GAN（ATTGAN）模型组成。首先，随着时间步长的增加，在前向扩散过程中，对原始输入数据逐渐去噪，注入攻击向量，并记录每个时间步长对应的数据状态和添加的噪声。然后利用记录的数据来训练带有注意机制的生成对抗网络（ATTGAN）模型。目的是让ATTGAN模型通过对抗性训练有效地聚焦电网测量值和拓扑节点信息，同时弱化无关信息，充分学习真实样本数据的特点。 随后在反向扩散过程中，需要结合时间步长的大小，从后向前对正向扩散过程中处理好的加噪数据进行去噪，并结合训练好的ATTGAN模型预测需要去除的噪声值。此过程的目的是从噪声中构建出最接近真实样本的攻击样本数据。本文方法生成的FDIA样本更加多样化，隐蔽性更强，能够有效模拟真实攻击者的行为，且被检测器检测到的概率更小。

Comparing with the existing schemes, we make the following novel contributions in FDIA attack sample generation:
与现有方案相比，我们在FDIA攻击样本生成方面做出了以下新颖的贡献：

● We propose a novel and efficient sample generation method. Our proposed scheme introduces an adversarial attention-diffusion model to generate a large number of attack samples, which can solve the problem of scarce attack samples in FDIA detection. According to the investigation, this is the first time that the diffusion model has been applied to the study of FDIA attack sample generation.
● 提出了一种新颖、高效的样本生成方法。该方案引入了对抗性注意力扩散模型来生成大量攻击样本，可以解决FDIA检测中攻击样本稀缺的问题。经调查，这是首次将扩散模型应用于FDIA攻击样本生成的研究中。

● We use the forward diffusion of the diffusion model to add noise to the real data while injecting the attack vector. Subsequently, the ATTGAN model is trained to effectively focus on the information of power grid measurements and topological nodes, while weakening irrelevant information. In the reverse diffusion process, we combine the trained ATTGAN model to predict the noise, and gradually iterate forward step by step and denoise in this process. A large number of efficient FDIA attack samples can be generated.
● 利用扩散模型的前向扩散，在注入攻击向量的同时，对真实数据添加噪声，随后训练ATTGAN模型，有效聚焦电网量测信息和拓扑节点信息，同时弱化无关信息；在反向扩散过程中，结合训练好的ATTGAN模型对噪声进行预测，并在此过程中逐步向前迭代，不断去噪，可以生成大量高效的FDIA攻击样本。

● Comprehensive experiments are performed with classical data sets. The experimental results demonstrate that the proposed method can significantly improve the overall performance against FDIA detection, and outperform the existing FDIA attack sample construction methods in terms of attack strength, concealment, and decline of FDIA detection accuracy.
● 使用经典数据集进行了全面的实验，实验结果表明，所提方法能够显著提高针对FDIA检测的整体性能，并且在攻击强度、隐蔽性、FDIA检测准确率下降等方面优于现有的FDIA攻击样本构造方法。

The rest of this paper is organized as follows. In Section 2, related works on FDIAs and diffusion models are introduced. In Section 3, the framework of the proposed attack sample generation method based on the adversarial attention diffusion model and the specific structure of the AttDiff model are introduced in detail. In Section 4, a large number of experiments and corresponding comparative experiments are carried out, and the experimental results are presented. Finally, in Section 5, the work of this paper is summarized and prospected.
本文其余部分安排如下。第2节介绍了FDIA和扩散模型的相关工作。第3节详细介绍了本文提出的基于对抗注意力扩散模型的攻击样本生成方法的框架和AttDiff模型的具体结构。第4节进行了大量的实验和相应的对比实验，并给出了实验结果。最后，第5节对本文的工作进行了总结和展望。

2.   Related work
2.相关工作

2.1.   False data injection attack
2.1. 虚假数据注入攻击

A fake data injection attack is a kind of network attack against CPS. Its core is to construct and inject fake data to bypass system detection, so as to achieve the purpose of attack. This type of attack is particularly common in critical infrastructure such as smart grids and can have a serious impact on the operational stability, supply reliability, and data accuracy of the power system.
虚假数据注入攻击是针对CPS的一种网络攻击，其核心是通过构造和注入虚假数据来绕过系统检测，从而达到攻击目的。此类攻击在智能电网等关键基础设施中尤为常见，会对电力系统的运行稳定性、供电可靠性、数据准确性造成严重影响。

The core principle of constructing an FDIA is to manipulate the key measurement data in the AC power system in order to change the state estimation results of the system. By tampering with the active power on any bus node, an attacker generates a set of attack vectors designed to interfere with the normal operation of the system. These attack vectors are injected into the measured data of the system, which causes the calculated state estimation to deviate from the real operating state of the power grid. In this way, attackers are able to mislead the system's decision-making process for their potential sabotage or manipulation purposes. In DC power flow, the relationship between system state $x$ and measurement data $z$ can be expressed as:
构建FDIA的核心原理是操纵交流电力系统中的关键测量数据，以改变系统的状态估计结果。通过篡改任意总线节点的有功功率，攻击者可以生成一组旨在干扰系统正常运行的攻击向量。这些攻击向量被注入到系统的测量数据中，导致计算出的状态估计偏离电网的实际运行状态。通过这种方式，攻击者能够误导系统的决策过程，以实现潜在的破坏或操纵目的。在直流潮流中，系统状态与系统状态之间的关系 $x$ 和测量数据 $z$ 可以表示为：

where $z=\{z_1,z_2,\dots ,z_I\}$ represents the measurement data, $x=\{x_1,x_2,\dots ,x_J\}$ represents the state vector, $e=\{e_1,e_2,\dots ,e_I\}$ represents the measurement error vector, $I$ and $J$ represent the number of measurements and the number of state data, respectively, and $H$ represents the measurement Jacobian matrix, which is a matrix representing the grid topology information. The measurement data includes the flow and injection power of different buses.
在哪里 $z=\{z_1,z_2,\dots ,z_I\}$ 表示测量数据， $x=\{x_1,x_2,\dots ,x_J\}$ 表示状态向量， $e=\{e_1,e_2,\dots ,e_I\}$ 表示测量误差向量， $I$ 和 $J$ 分别表示测量次数和状态数据次数， $H$ 表示测量雅可比矩阵，是表示电网拓扑信息的矩阵，测量数据包括不同母线的潮流和注入功率。

For DC state estimation, assuming that the per unit voltage of each node in the system is 1, ignoring the influence of line resistance and ground branch, the power between bus $i$ and bus $j$ is:
对于直流状态估计，假设系统各节点标幺电压为1，忽略线路电阻和接地支路的影响，母线间功率 $i$ 和公交车 $j$ 是：

where $x_{ij}$ represents the reactance of the transmission line between bus $i$ and bus $j$. ${\theta }_i$ and ${\theta }_j$ are the voltage phase angles of bus $i$ and bus $j$. The minimized objective function is estimated by linear weighted least squares:
在哪里 $x_{ij}$ 表示总线之间的传输线的电抗 $i$ 和公交车 $j$ 。 ${\theta }_i$ 和 ${\theta }_j$ 是母线电压相位角 $i$ 和公交车 $j$ 最小化目标函数通过线性加权最小二乘法估计：

where $R$ is the error covariance matrix of the measurement, and $\stackrel{\wedge }{x}$ of the minimized objective function is:
在哪里 $R$ 是测量的误差协方差矩阵，并且 $\stackrel{\wedge }{x}$ 最小化目标函数为：

The principle of residual detection has been widely used in the traditional bad data detection mechanism (BDD). Residual $r$ is the difference between the measurement value $z$ and the measurement estimate $\stackrel{\wedge }{z}=H\stackrel{\wedge }{x}$, i.e.:
残差检测的原理在传统的坏数据检测机制（BDD）中得到了广泛的应用。残差 $r$ 是测量值之间的差异 $z$ 和测量估计 $\stackrel{\wedge }{z}=H\stackrel{\wedge }{x}$ ， IE：

BDD can then detect bad data by comparing the Euclidean norm of the measured residuals to a predefined threshold $\tau$, as follows:
然后，BDD 可以通过将测量残差的欧几里德范数与预定义阈值进行比较来检测坏数据 $\tau$ ，如下所示：

In order to make the injected attack vector invisible, we assume that the measurement error $e$ follows an ideal normal distribution, and use $a=[a_1,a_2,...,a_m{]}^T$ to represent the FDIA vector injected by the attacker into the measured value. Then the actual measurement data is $z_a=z+a$, and the error vector of the state variable caused by the FDIA is $c=[c_1,c_2,...,c_n{]}^T$. At this time, the estimated state variable $x_a=\stackrel{\wedge }{x}+c$, and the residual error after attack can be expressed as:
为了使注入的攻击向量不可见，我们假设测量误差 $e$ 遵循理想的正态分布，并使用 $a=[a_1,a_2,...,a_m{]}^T$ 表示攻击者注入到测量值的FDIA向量。则实际测量数据为 $z_a=z+a$ ，FDIA引起的状态变量的误差向量为 $c=[c_1,c_2,...,c_n{]}^T$ 此时估计的状态变量 $x_a=\stackrel{\wedge }{x}+c$ ，攻击后的残差误差可表示为：

When $a=Hc$, the following formula holds:
什么时候 $a=Hc$ ，以下公式成立：

It can be seen that when the above conditions are met, an FDIA can successfully bypass BDD, causing changes and losses to the state estimation of the power system. However, it is worth noting that the basic assumption of an FDIA is that both the attacker and the defender (that is, the power system operator) have complete information about the parameters and topology of the power system, that is, $H$ in Eq (1), and it is also necessary to find highly sparse attack vectors that meet certain conditions to launch attacks. For this, the cost is high.
可以看出，当满足上述条件时，FDIA 可以成功绕过 BDD，给电力系统的状态估计带来变化和损失。但值得注意的是，FDIA 的基本假设是攻击者和防御者（即电力系统运营商）都拥有关于电力系统参数和拓扑的完整信息，即 $H$ 在式（1）中，还需要找到满足一定条件的高度稀疏的攻击向量才能发动攻击，这样做的成本较高。

2.2.   Diffusion model

Diffusion models have surpassed the previous leading generative adversarial network (GAN) technology in the field of image creation and have shown great application potential in multiple fields such as computer vision, natural language processing, signal processing, multimodal learning, molecular structure modeling, time series analysis, and adversarial sample purification. In the field of computer vision, diffusion models are used to perform various image restoration tasks, such as image resolution enhancement, image painting, and image translation [21–23]. In natural language processing, diffusion models can generate character level text through a technique called the discrete denoising diffusion probability model (D3PM) ^[24]. In addition, in terms of time series data generation, diffusion models are also used to fill in the blanks in time series data, as shown in the literature ^[25,26]. In the field of data generation, due to the similar structure of time series data and intrusion detection data, both of them are one-dimensional data composed of multiple features, which stimulates the idea of generating FDIA attack sample data in this experiment. According to the survey, there is no literature that uses diffusion models for FDIA attack sample generation to generate a balanced data set.

The existing sample generation methods are too simple, resulting in low concealment and weak attack ability of the generated samples, which is not conducive to the training and performance improvement of the detection model. The use of a diffusion model can construct more robust, more threatening, and more hidden attack samples, so that the training of the detection model can be further optimized and improved, and finally achieve the purpose of enhancing the defense capability of the power system, making its operation safer and more stable.

3.   Proposed method

3.1.   Proposed FDIA sample generation framework

The proposed framework mainly consists of three parts: the data processing module, AttDiff model, and data generation module. In the data processing module, various interactive data from the virtual power grid and power plant are first collected and processed, and then the flow calculation is performed on these data. Then, the measurement data in the power system is further simulated through simulation. Then, the processed measurement data is input into the AttDiff model and the sample data is normalized to adapt to network training. After initializing the model parameters, the forward diffusion process of the diffusion model is entered. During this process, as the time step increases, noise and attack vectors are gradually added to the original data, and the data in the forward diffusion process is recorded. After this process is completed, the ATTGAN model is trained with the recorded data. In addition, in backpropagation, noise prediction is combined with a trained ATTGAN model, and noise is iteratively removed step by step with time steps. Finally, new attack samples are generated based on the features of the original data to obtain a balanced data set. The complete framework of the proposed attack sample generation method is shown in Figure 1.

3.2.   Data processing module

In a cyber-physical system, data comes from a variety of sources and may include multiple sensors. These data have significant differences in structure, accuracy, transmission delay, and update frequency, so it is necessary to properly preprocess these diverse data. Each column of data in the data set represents a feature of the sensor, and different features correspond to different units of measurement and magnitude, which may lead to the uneven influence of certain attributes in data analysis and model training. In order to balance this dimensional difference and ensure that each attribute is given equal consideration during analysis and training, the minimum-maximum normalization technique is used to linearly transform the data into a specified interval while preserving the original relative order and distribution characteristics of the data. The specific normalization formula is as follows:

where $x_i$ is the eigenvalue of the original data set, $y_i$ is the normalized data value, $min(x)$ is the minimum eigenvalue, and $max(x)$ is the maximum eigenvalue. In this way, each feature value $x_i$ is converted into a range of 0 to 1, which helps ensure that different features have the same importance in model training, and reduces the impact of dimension and magnitude.

3.3.   Attention-diffusion model

In this section, the diffusion model is combined with the ATTGAN model to complete the forward diffusion and reverse diffusion process of the diffusion model, and finally generate more hidden FDIA attack samples. In the reverse diffusion process, the ATTGAN model is used for noise prediction. The specific structure of the AttDiff model is shown in Figure 2.

Diffusion models ^[20] usually contain two key stages: the forward diffusion process and reverse diffusion process. In this model, it is necessary to select a data point from the real data distribution as the starting point $x_0\sim q(x)$, and gradually add Gaussian noise and attack vectors to $x_0$ as the time step increases in the forward diffusion process, we finally turn $x_0$ into standard Gaussian noise $x_T=N(0,1)$. For each forward step $t\in [1,2,...,T]$, the noise disturbance is controlled by the following formula:

where $\{{\beta }_t\in (0,1){\}}_{t=1}^T$ is a different variance scale. After the forward diffusion ends, the reverse diffusion process gradually reconstructs the original data $x_0$ by sampling $x_T$ and learning the diffusion model $p_{\theta }$.

In addition, the parameter $t$ plays a crucial role in the diffusion model, and can directly affect its performance. Therefore, choosing the right $t$ value in our study is crucial to balance the concealment and quality of the generated attack samples. If $t$ is too large, the model may overfit the noise rather than the true distribution of the data, causing the generated attack sample to lose its correlation to the real data. Conversely, if $t$ is too small, the model may not be trained enough to efficiently generate high-quality attack samples. In the experimental part of this study, we find the optimal $t$ value by adjusting the value of $t$ and observing its effect on the quality of the generated sample to ensure that the generated attack sample is both highly concealed and able to effectively challenge the detection model.

3.3.1.   Forward diffusion process

For a specific data point $x_0$ extracted from the actual data distribution $q(x)$, this experiment constructs a forward diffusion process. The process involves gradually adding a small amount of Gaussian noise to the sample in $T$ steps along with varying degrees of attack vectors to generate a series of noisy data points $x_1,...,x_T$. The noise variance at each step is controlled by $\{{\beta }_t\in (0,1){\}}_{t=1}^T$. As the step size $t$ increases, the original data $x_0$ will have fewer and fewer recognizable features. When $T\to \mathrm{\infty }$, the final data point $x_T$ will tend to be an isotropic Gaussian distribution.

In addition, in the forward diffusion process, this experiment extracted data points from normal sample data, and recorded each time step corresponding to the added random noise and the data value before the current state was noised. The purpose is to train the ATTGAN model with the recorded data after the forward diffusion is over. In the process of inverse diffusion, the added noise corresponding to each time step can be predicted and denoised more accurately, so that the attack sample is closer to the real original normal data, and the invisibility of the attack sample is increased.

One benefit of the above process is that we can use the re-parameterization technique. We can sample $x_t$ in closed form at any time point $t$. Here we define ${\alpha }_t=1-{\beta }_t$, and ${\overline{\alpha }}_t=\prod _{i=1}^t{\alpha }_i,i.e.$, which means $x_t$ can be expressed as $x_t=\sqrt{\overline{\alpha }}{x}_0+\sqrt{1-{\overline{\alpha }}_t\epsilon }$. In this way, we can directly use the initial data point $x_0$ to represent $x_t$.

3.3.2.   Reverse diffusion process

By reversing the above forward diffusion process and sampling $q(x_{t-1}|x_t)$ at the same time, the real sample data can be recovered from the Gaussian noise input $x_T\sim N(0,I)$. If the variance ${\beta }_t$ at each step is small enough, then $q(x_{t-1}|x_t)$ will also take on the characteristics of a Gaussian distribution. However, it is important to note that directly estimating $q(x_{t-1}|x_t)$ is challenging because it often relies on the entire data set. Therefore, the ATTGAN model trained after the forward diffusion process mentioned above is used in this experiment to predict a noise value by inputting the $x{}_t$ corresponding to the current time step to approximate these conditional probabilities, so as to perform the denoising process of reverse diffusion. According to the nature of the Markov chain, the reverse diffusion process at the current time step $t$ depends only on its previous time step $t-1$, which means that we have the following formula:

From this, we can know the overall process of generating samples by the diffusion model. The sample generation process of the diffusion model involves gradually adding noise to the data from front to back until the data is completely transformed into standard Gaussian noise. This process is called forward diffusion. Subsequently, in the reverse diffusion process, by learning how to reverse the operation of adding noise, the noise is gradually removed from the back to the front to restore the original sample data. In this way, new data points can be generated from a limited sample data set, and these newly generated sample data are exactly the data needed at the moment.

3.3.3.   ATTGAN model

The ATTGAN model is mainly composed of generators and discriminators. In this experiment, in order to learn different features of the input data more effectively and improve the sensitivity of the model to specific parts of the input data, an attention mechanism layer is added to the generator, thereby improving the performance of the model.

The model's generator consists of six fully connected layers and is equipped with an appropriate activation function at each layer, such as LeakyReLU, to introduce nonlinear properties. In addition, an attention layer is introduced into the structure of the generator, which consists of three fully connected layers and focuses on the salient parts of the input features through a learnable weight vector $w$. The output of the attention mechanism is combined with the raw output of the generator to enhance the detail and quality of the data. Note that the design of the attention layer is based on the following formula:

where $h$ is the output of the previous layer, $W_a$ and $b_a$ are the learnable weights and biases, and softmax functions are used to generate a normalized weight vector $a$.

The discriminator corresponds to the generator, again consisting of six fully connected layers, each of which is followed by an activation function. The goal of a discriminator is to distinguish between real data and data generated by a generator.

The training of the model follows the standard adversarial training process. In the training process, this experiment adopts binary cross entropy loss (BCELoss) to optimize the model. Generators and discriminators are optimized with the following loss functions:

where $L_G$ and $L_D$ are the loss functions of the generator and discriminator, respectively, $G$ and $D$ represent the generator and discriminator, respectively, $z$ is the noise vector sampled from the prior distribution $p(z)$, and $x$ is the data point from the real data distribution $p_{data}(x)$. In this experiment, an Adam optimizer was used to train the model, the learning rate was 0.0001, and the batch size was 64. In the training process, the quality of the generated data and the performance of the discriminator are monitored in real time, and the hyperparameters are carefully adjusted to ensure the effectiveness and stability of the model.

3.4.   Data generation module

After the forward diffusion of the diffusion model ends, the reverse diffusion process must be followed. Before the reverse diffusion, the ATTGAN model needs to be trained with data recorded during the forward diffusion process described above, which is used for noise prediction in the reverse diffusion. After the model is trained, it officially enters the process of reverse diffusion. Combined with the trained ATTGAN model, it iteratively denoises step by step from the back, and the noise value removed is predicted by the ATTGAN model. In the end, large-scale samples close to the real data will be generated, and these samples are the required attack samples, so that the rare sample library can be expanded to form a balanced data set. Finally, the purpose of improving the detection performance of the detector can be achieved, and then the defense capability of the power system can be enhanced. The overall process of FDIA attack sample generation based on the AttDiff model is shown in Algorithm 1.

Among them, steps 1–8 are the forward diffusion stage of the diffusion model. According to the size of the time step, noise and attack vectors are added to the original data by iterating from front to back, and the data state and added noise corresponding to each time step are recorded. Step 9 is the training stage of the ATTGAN model. The data recorded in the process of forward diffusion is used for training. The purpose is to enable the ATTGAN model to effectively focus on power grid measurement values and topological node information, while weakening irrelevant information and fully learning the characteristics of real sample data, so as to play a better role in reverse diffusion. Steps 10–18 are the reverse diffusion stage of the diffusion model. According to the size of the time step, the noisy data is denoised by iterating from back to front. In this process, the diffusion model is combined with the trained ATTGAN model to predict the noise value to be removed, so as to build the attack sample data that is closest to the real sample. Finally, a large number of FDIA attack samples with high quality and high concealment can be obtained.

4.   Experimental results and discussions

4.1.   Experimental setup

In this study, three well-known power system test platforms, namely the IEEE 14 bus, IEEE 39 bus, and IEEE 118 bus systems ^[27,28], were used to evaluate and verify the performance of the proposed method. These bus systems are widely used benchmark models in power system analysis and research. They provide a simplified representation of the power system network, including bus configuration, electrical parameters, generator and load data, etc. Real load data from January 1, 2020, to May 1, 2022, were collected from the New York Independent System Operator (NYISO) as test data. These data cover a time range of more than two years, including seasonal changes throughout the year and load patterns under different weather conditions. By applying these actual load data to the above bus system, we can simulate the measurement data of the power system, and further obtain the load information of each bus state variable and each node, providing real data support for model evaluation.

In this experiment, the above test data are all the data under normal measurement conditions. In order to simulate the real attack behavior, the proposed method is used to attack the test data. A traditional FDIA is a classical method with a certain degree of invisibility and flexibility. The proposed method in this experiment combines the traditional FDIA method to construct an attack sample generation method based on adversarial attention diffusion. By combining the proposed adversarial generation network, the attack sample mixed with normal data features can be generated through reverse diffusion. In order to test the influence of different attack levels, the attack vector is divided into three different attack strengths according to the method in ^[29]: a) Weak attack: the ratio of the mean power injection deviation in $c$ to $x$ is less than 10$\mathrm{\%}$; b) Strong attack: the ratio of the mean power injection deviation in $c$ to $x$ is greater than 30$\mathrm{\%}$; c) Medium attack: FDIA samples that do not fall under either of the above attacks.

Since the three bus systems all contain 15,000 pieces of data, the data sets are divided into training sets, verification sets, and test sets according to the ratio of 5:3:2, and experimental comparison tests were carried out under different attack intensity scenarios.

In addition, the experiment uses four indicators, namely precision, recall, accuracy, and $F_1$ score, as the evaluation criteria for the output results, which are defined as follows:

where true positive (TP) indicates the amount of incorrect data correctly detected, true negative (TN) indicates the amount of normal data detected as normal, false positive (FP) indicates the amount of normal data incorrectly detected as incorrect, and false negative (FN) indicates the amount of incorrect data incorrectly detected as normal. The higher the accuracy and precision, the worse the concealment of the attack sample and the easier it is to be detected.

4.2.   Effectiveness verification for the proposed model

All experimental simulations in this study were performed on devices with an Intel Core i7-11390H CPU, NVIDIA GeForce MX450, and 16 GB RAM. MATPOWER is used to calculate the power flow and estimate the state of the data in MATLAB, and the proposed AttDiff model is used to generate FDIA attack samples in Python. The noise error of power flow calculation simulation measurement data is set to 0.25 and Gaussian noise with mean zero and standard deviation 1 is adopted. The time step of the diffusion model is set to 4.

In this study, large-scale experiments are carried out on IEEE 14, IEEE 39, and IEEE 118 bus systems to verify the performance of the attack samples generated by the proposed method. Two advanced deep learning detection models are used to detect the generated samples, namely the CNN-based detection model ^[12] and the LSTM-based detection model ^[30]. The three types of high, medium, and low attack intensity are subdivided into 9 attack intensities with low intensity is subdivided into 2$\mathrm{\%}$, 5$\mathrm{\%}$, and 10$\mathrm{\%}$, medium intensity is subdivided into 15$\mathrm{\%}$, 20$\mathrm{\%}$, and 25$\mathrm{\%}$, and high intensity is subdivided into 30$\mathrm{\%}$, 40$\mathrm{\%}$, and 50$\mathrm{\%}$ for comparison. The corresponding experimental results are shown in Tables 1-6, in which Tables 1 and 2 are the test results of the IEEE 14 bus system, Tables 3 and 4 are the test results of the IEEE 39 bus system, and Tables 5 and 6 are the test results of the IEEE 118 bus system.

As can be seen from the table above, the attack sample generation method proposed in this experiment can obtain the lowest accuracy and lower $F_1$ score under different attack intensifications. When the CNN-based FDIA detection on the IEEE 14 bus system is used for low-intensity attacks of 5$\mathrm{\%}$, the proposed method has a precision reduction of 6.256$\mathrm{\%}$ and 1.676$\mathrm{\%}$ compared with the traditional FDIA ^[8] method and the hybrid Laplace method ^[18], and a score reduction of 3.744$\mathrm{\%}$ and 2.896$\mathrm{\%}$ in $F_1$, respectively. For medium-intensity attacks of 20$\mathrm{\%}$, the proposed method has a precision reduction of 13.4$\mathrm{\%}$ and 3.854$\mathrm{\%}$ compared with the traditional FDIA ^[8] method and the mixed Laplacian method ^[18], and a score reduction of 18.22$\mathrm{\%}$ and 4.852$\mathrm{\%}$ in $F_1$, respectively. For high-intensity attacks of 40$\mathrm{\%}$, the proposed method has a precision reduction of 16.63$\mathrm{\%}$ and 4.344$\mathrm{\%}$ compared with the traditional FDIA ^[8] method and hybrid Laplacian method ^[18], and a score reduction of 19.91$\mathrm{\%}$ and 2.06$\mathrm{\%}$ in $F_1$, respectively.

In addition, on the IEEE 39 and IEEE 118 bus systems, both the accuracy and $F_1$ score achieved the lowest values under the three attack intensities. This is enough to show that the samples generated by the method proposed in this experiment have a stronger ability to evade detection, and have better concealment and attack capabilities. In the comparison of the three methods, the reason why the method proposed in this experiment can achieve better performance results mainly depends on the following two reasons: First, this experiment introduces an attention mechanism in the application of the diffusion model, which makes the model itself pay more attention to the node features that have a greater impact on the results, thereby promoting the model's efficient learning of node data features; and second, by combining adversarial training in the entire diffusion process, it helps the model learn more robust feature representations, improves the generalization ability of the model, and then generates high-quality, indistinguishable attack sample data.

4.3.   Performance comparison of different parameters

The main framework adopted in this experiment is the diffusion model. As we all know, the diffusion model is closely related to the time step, and the performance of the samples generated by the diffusion model is also closely related to the time step. In order to verify that the time step used is the most cost-effective value, a series of experiments were conducted to observe the effect of different time steps on the detection results of the final generated attack samples. Comparative experiments were carried out on IEEE 14, IEEE 39, and IEEE 118 bus systems using detection models based on CNN and LSTM. The result is shown in Figure 3.

This comparative experiment discusses the cases where the time step of the diffusion model is set to 2, 4, 6, 8, and 10, respectively. From the above experimental results, it can be seen that the detection accuracy on the three bus systems will decrease slightly with the increase of the time step. On the IEEE 14 bus test system, the detection accuracy of the CNN detector at different time steps is 0.6953, 0.6715, 0.6751, 0.673, and 0.6679, respectively. The detection accuracy of the LSTM detector at different time steps is 0.7051, 0.6788, 0.6744, 0.6727, and 0.6681, respectively. When the time step is 2, the detection accuracy based on the two detectors is the highest, and when the time step is 10, the detection accuracy is the lowest. However, when the time steps are 4, 6, 8, and 10, the accuracy only decreases in a small range, and there is not much difference.

In addition, for the comparison of the IEEE 39 and IEEE 118 bus systems, the detection accuracy based on the two detectors eventually showed a downward trend. For the diffusion model, the time step has a direct impact on the final detection result. Within a reasonable range, the larger the time step, the more detailed control the model will have, and the more opportunities to learn and approximate the true distribution of the data, and better capture and recover the complex patterns and structures in the data, so as to improve the diversity and authenticity of the generated samples. However, a larger the time step is not the better, because the increase of the time step will lead to a large increase in the amount of computation and training time, and too high of a time step may also cause the model to overfit the training data, and can not be well generalized to new data. In order to guarantee the quality of attack samples, the calculation cost is reduced as much as possible by analyzing the comparative experiments on three bus systems with different time steps. Therefore, the most cost-effective time step setting was chosen for this experiment, that is, the time step was set to 4. This setting can not only effectively control the time overhead, but also ensure the high quality of the generated samples.

4.4.   Influence of different noise environments

In order to verify the reliability of the proposed sample generation method, a series of experiments were carried out to study the influence of different noise disturbances on the measured data of the power system. Because the actual power system measurement data is often disturbed by noise, it is crucial to understand the impact of these disturbances on the proposed approach. This experiment simulates this kind of interference by adding Gaussian noise with different variance to the data of each node in the power system. In addition, on the IEEE 14, IEEE 39, and IEEE 118 bus systems, the detection models based on CNN and LSTM were used to conduct comparative tests on the attack samples generated by the traditional FDIA method, the mixed Laplacian method, and the method proposed in this experiment. The test results are shown in the figure below. Figures 4, 5, and 6 are the tests based on the IEEE 14 bus system, the IEEE 39 bus system, and the IEEE 118 bus system, respectively.

In this comparative experiment, seven different noise variance levels were set for the measurement data: 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, and 0.55. By observing the above experimental results, it can be found that the precision of all models shows a decreasing trend with the increase of the noise variance level. Therefore, the noise variance level in the simulated power grid environment in this study is set at 0.25. This decrease in detection accuracy is mainly due to the fact that the increase in noise variance makes it more difficult to distinguish between normal and attack samples. Noise interference makes it easier for pure data to be masked by it. In addition, the experimental data also show that under the two detection models, the attack sample generation method proposed in this experiment performs better than the traditional FDIA sample generation method and the mixed Laplacian sample generation method under various noise levels. This proves that the sample generation method proposed in this study has more obvious advantages over the existing technology in terms of robustness and adaptability. In general, the method proposed in this paper can generate more stable and anti-jamming FDIA attack samples, and has stronger ability to evade detection. This provides a large number of efficient attack sample resources for constructing and training FDIA detection models based on deep learning and AI.

5.   Conclusions

The existing FDIA detection methods have been limited by the problem of sample scarcity and data set imbalance. This paper presents a method to generate FDIA attack samples using an adversarial attention diffusion model. The overall model of the method consists of two parts: the diffusion model and GAN model with an attention mechanism (ATTGAN). First, the original power flow data is noised by the forward diffusion of the diffusion model combined with the time step. In this process, the original measurement data and added noise corresponding to each time step are recorded for the subsequent model training. After the forward diffusion is completed, the data recorded during the forward diffusion process is used to train the proposed ATTGAN model, which is used for noise prediction during the reverse diffusion process. Finally, in the reverse diffusion process, the trained ATTGAN model is combined with the diffusion model, and according to the size of the time step, the iterative denoising is done step by step from back to front to generate FDIA attack samples with stronger concealment and attack capabilities. This experiment was conducted on a large scale on the IEEE 14, IEEE 39, and IEEE 118 bus systems. The experimental results show that the attack samples generated by the proposed sample generation method have better ability to evade detection after detection by two kinds of detectors, thus effectively reducing the detection precision and accuracy.

Although our proposed attention-diffusion method can generate more covert and disguised attack samples, thereby expanding the attack sample base, it also has some limitations. The main limitation is the relatively large time overhead of the model, which may affect its efficiency in real-time applications. In addition, model performance is sensitive to parameter selection and requires careful tuning to achieve optimal performance, potentially adding complexity to model deployment. To overcome these limitations, future work could explore algorithmic optimization and hardware acceleration to improve the computational efficiency of the model, as well as the application of hyperparameter optimization techniques to automate the parameter selection process to reduce the effort of manual adjustment and potentially discover a better combination of parameters. Future work could also further explore the explainability of the model, improve user trust in the model output, and extend the model's application to support broader smart grid security research.

Use of AI tools declaration

The authors declare they have not used Artificial Intelligence (AI) tools in the creation of this article.

Acknowledgments

This research is supported by grants from the Engineering Research Center of Offshore Wind Technology Ministry of Education (Shanghai University of Electric Power).

Conflict of interest

The authors declare no conflicts of interest.

Author contributions

Conceptualization, Kunzhan Li; methodology, Kunzhan Li and Fengyong Li; validation, Kunzhan Li; formal analysis, Fengyong Li and Baonan Wang; writing—original draft preparation, Kunzhan Li; writing—review and editing, Fengyong Li and Baonan Wang; supervision, Meijing Shan. All authors have read and agreed to the published version of the manuscript.