Detection Scheme for Tampering Behavior on Distributed Controller of Electric-Thermal Integrated Energy System Based on Relation Network

In recent years, with the development of smart grid, the power systems and other energy systems are gradually forming integrated energy systems. The electric-thermal integrated energy system is a mature integrated energy system at present. The electric-thermal integrated energy system uses modern communication technology to realize the comprehensive regulation of electric energy and thermal energy, which greatly improves the efficiency of energy use. However, this also greatly increases the risk of malicious tampering with the energy dispatch system. In this paper, we study the regulation of electric-thermal integrated energy systems considering false data injection attacks. First, we establish a compromised model of an electric-thermal integrated energy system considering false data injection attacks. Then, we designed vulnerable variable observers for different tampering scenarios to observe the tampered variables. Finally, considering the relationship between the observed data and the measured data, we design a tampering behavior detection method based on relation network. The simulation results verify the effectiveness of the detection method proposed in this paper.


Introduction
e electric-thermal integrated energy system (ETIES) is an important part of the integrated energy system. With the aid of the advanced network information technology and innovative operation and management models, ETIES integrates electrical and thermal energy in the region, realizes operation optimization and coordinated control among various heterogeneous energy sub-networks through energy coupling equipment, and effectively improves energy conversion efficiency and promotes sustainable energy while meeting the diverse energy needs of users [1][2][3]. However, ETIES based on distributed optimization architecture is a highly integrated information-physical energy system. e information system of ETIES is bound to endure a huge threat of cyber attacks while exchanging a large amount of information data [4,5]. e spread of malicious attacks in the communication network will destroy the environment of network communication, make the economic operation of the system impossible, even destroy the stability of the system [6,7]. In [8], the authors propose that the measurement equipment in the cyber physical system suffer from multiple types of cyberattacks, and summarizes the current mainstream attack defense schemes based on learning-based methods. In [9], the authors propose that the energy-water nexus with multiple sensors may be vulnerable to cyber-attacks. To deal with the potential threats, an observer-based attack detection method is proposed. As a typical information-physical system, the monitoring and control of power system highly depends on the accuracy of measured data [10]. When the measurement data is compromised, the operation stability and security of the power system will be greatly reduced, thus threatening social security and social economy. To enhance the resilience of the sensors in power systems, the attack defense scheme based on the features of the measured data is proposed. is type of attack detection scheme enables cyber physical system to maintain good detection performance under cyber-attacks. [24] added a data frame attack to the man-in-the-middle attack based on the normalized residual search method. Different from traditional false data injection attacks, which aim to maintain the concealment of false data, the main purpose of this type of attack is to deliberately launch bad data detection (BDD) to make real data be regarded as false data, thereby disturbing state estimation of energy system.
On the other hand, researchers propose defense strategies against network attacks from the perspective of system defense. References [25,26] use Petri nets to describe the information flow between data interaction terminals in a power cyber-physical system and propose a cooperative intrusion detection algorithm against false data injection attacks. e analysis model based on Petri net can clearly describe the transient and steady-state reliability of power system under multiple attack events. e detection of false data injection attacks based on machine learning algorithms is also a research direction that domestic and foreign researchers focus on. Reference [27] considered the behavior characteristics of false data injection attacks against load frequency control systems, and designed an intelligent attack detection algorithm based on multi-layer perceptrons to effectively identify false data injection attacks. Reference [28] considered the behavior characteristics of false data injection attack on power system transmission lines, using programmable logic controller as a detection method. e computing node of the algorithm is tested, and the classifier of machine learning is used to realize the identification of false data injection attacks. is distributed attack detection algorithm can effectively reduce decision-making delay and improve attack detection efficiency. Reference [29] proposed an unsupervised attack detection scheme based on the isolation forest algorithm, and used the principal component analysis method to extract the features of the power system variables, thereby reducing the dimensionality problem in the machine learning process. Reference [30] considered the problem of a small number of abnormal samples in the process of machine learning training, and proposed an intelligent attack detection algorithm using the support vector description domain to detect false data injection attacks in the load frequency control system. Reference [31] considered the false data injection attack form for load forecasting, proposed a machine learning-based load forecasting anomaly detection method, and estimated the false data injection attack type through naive Bayesian classification.
Similar to the original social power supply, heating and other systems, in the operation process of ETIES, one of the most concerned issues is how to realize the economic scheduling of the system, that is, how to comprehensively allocate the capacity distribution between multiple energy units on the premise of meeting the system security constraints, so as to minimize the economic cost of the system, and then realize the dual guarantee of system operation in terms of security and economy. e economic scheduling method of ETIES can be divided into centralized method and distributed method. Although the centralized method has high efficiency in information processing, it has some problems, such as high communication cost and sensitivity to single point of failure. e distributed method can use the sparse communication network structure to realize the decentralized cooperation of various equipment components of the system, which has less communication burden, stronger robustness and privacy. erefore, in recent years, experts and scholars at home and abroad have proposed many ETIES economic scheduling methods based on distributed optimization.
However, it is worth noting that although the above method can effectively solve the distributed economic scheduling problem of ETIES, its premise is that the system operates in an ideal network communication environment, that is, a large number of interactive measurement and control data can be reliably transmitted on the communication line. However, ETIES based on distributed optimization architecture is an energy system with high integration of information and physics. While the information system of ETIES interacts with a large amount of information and data, it is bound to suffer from a huge threat of network attack.
e spread of malicious attacks in the communication network will destroy the bad environment of network communication, make the economic operation of the system impossible, and even destroy the stability of the system, resulting in the paralysis of the energy supply system.
ETIES is a large system with electrical-thermal coupling characteristics, and its structure and operation are much more complex than traditional power systems. erefore, malicious attackers need to adopt more complex and targeted strategies according to system conditions when attacking ETIES. So far, most of the research on the impact of network attacks on system performance is carried out on a single power system, and there is no research on the impact of network attacks on the operational security of ETIES. e distributed scheduling of ETIES depends on the security and reliability of the communication network, and network attacks will inevitably affect the scheduling process of ETIES, thereby affecting the performance of the system.
Aiming at this research gap, the motivation of the paper is to enhance the safety and security of the electric-thermal integrated energy system by studying the ETIES model under FDI attacks and designing an attack detection method based on machine learning algorithm. e main contributions of the paper are three fold: (1) We establish attack templates in the electric-thermal integrated energy system and discuss the impact of false data injection attacks on the integrated energy system. (2) In the electric-thermal integrated energy system under FDI attack, we propose an observer-based method for observing vulnerable variables of the system, so that the compromised variables can be effectively observed. (3) Using the observation data obtained by the observer, we propose a relation network-based attack detection algorithm to detect FDI attacks in integrated energy systems. e scope of the paper is shown as follows: first, the compromised model of the electric-thermal integrated energy system is discussed in this paper; en, based on the variables in the system, a machine-learning-based attack detection method is studied to identify the FDI attacks on ETIES.
e remaining part of this paper is organized as follows: in Section 2, the model of the compromised electric-thermal integrated energy system under FDI attacks is established. In Section 3, the observer of the vulnerable variables is designed. In Section 4, the attack detection method based on relation network is designed. In Section 5, simulations are designed and the results are discussed. In Section 6, conclusions are stated.

FDI Attacks against Compromised Electric-Thermal Integrated Energy System and Countermeasures
In this section, we propose the FDI attacks against electricthermal integrated energy system and study the countermeasures by designing the attack detection scheme. First, we introduce the basics of the energy management control strategy of electric-thermal integrated energy system, and propose the compromised model as the first step to mitigate FDI attacks. Second, based on the compromised model, we design observers to detect the variables compromised by FDI attacks. Finally, based on the observed data obtained by the proposed observers and the measured data obtained by measurement in ETIES, we propose an attack detection method to identify the safety status of ETIES.

Basics of Compromised Electric-ermal Integrated Energy
System. e typical distributed energy management method of electric-thermal integrated energy system is to use distributed energy double-consensus algorithm (DDCA). DDCA employs two different consensus protocols. One of the consensus protocols is used to calculate the incremental cost corresponding to the optimal solution of the ETIES economic dispatch problem. Another consensus protocol aims to estimate the amount of electrical/thermal local power mismatch for coordinating device output. e two protocols of DDCA use different but strongly coupled consistency variables to calculate the electric/thermal incremental cost, electric/thermal output power and electric/ thermal local power mismatch corresponding to the optimal solution of ETIES economic dispatching problem, so as to finally realize the distributed economic dispatching of ETIES. ETIES scheduling depends on the information exchange and local calculation between each unit and its neighbors. Each energy unit contains a distributed controller for operation. e attacker can attack the incremental cost estimator and the output power decision of the energy unit in DDCA, thereby affecting the output power of the unit in the energy unit. Inspired by reference [32], the compromised incremental cost estimator and output power decision-maker studied in this paper can be written as where where A is the consistency algorithm update matrix in DDCA, which is determined by the adjacency relationship between the current energy unit and the surrounding energy unit; B is the algorithm convergence rate adjustment matrix in DDCA; M is the corresponding attack weight matrix. e compromised output power decision-maker studied in this paper can be written as where where C is the cost coefficient matrix; N is the corresponding attack weight matrix. It can be learned that FDI attacks can change the power output of the energy unit by tampering with the state variables of different modules in the ETIES, which has an impact on the power balance of the integrated energy system. In the next section, observers for different attack intrusion locations are designed to observe the FDI attacks.

Observer Design of Incremental Cost Estimator under FDI
Attacks. In this part, we focus on the observer for compromised incremental cost estimator. e compromised system ice can be expressed as Taking the attack vector m(k − 1) at k − 1 time as an additional state, we can obtain the augmented state vector

e following augmented system can be established
where 4 Computational Intelligence and Neuroscience e following observer of the augmented system is designed where z represents the state vector of the dynamic system (4); R, L and T are the gain matrices with appropriate dimensions.
Theorem 1. When the compromised system has a state observer in the form equation (5), it needs to meet the following requirements: (1) RE + TC � I n+q ; (2) ere are symmetric positive definite matrices P and W satisfying Proof. Proof. Consider nonsingular matrices U ∈ R (n+q)×(n+q) and V ∈ R (n+q)×(n+q) such that Based on Sylvester inequality, we can derive rank erefore, we can derive rank When the matrix to be designed R is en the matrix R is a nonsingular matrix. Let the matrix T be ere exists RE + TC � I n+q . e relationship between matrix [R, T] and matrix [EC] T is satisfied en according to Moore Penrose theorem, it can be seen that [R, T] is a kind of generalized inverse matrix of [EC] T , and has Among them, Θ ∈ R (n+q)×(n+q+m) is a freely selected matrix, and the main purpose of parameter selection is to make R a nonsingular matrix.
For the system estimation error, we can derive us Computational Intelligence and Neuroscience 5 Select the following Lyapunov function We can derive If there exists matrix P and matrix L satisfying en according to Schur complement theorem and Lyapunov stability theory, it can be obtained that ΔV(k) < 0 and e(k) is convergent. Let W � PL, then inequality equation (21) is equivalent to inequality equation (9). e proof is completed. It can be learned that the defender can observe the system variables through the observer proposed in this paper when the incremental cost estimator is compromised.

Observer Design of Output Power Decision-Maker under FDI Attacks.
In this part, we focus on the observer for compromised output power decision-maker. e compromised system opd can be expressed as Taking the attack vector m(k) as an additional state, we can obtain the augmented state vector x(k) � [x(k)m(k)] T . e following augmented system can be established Similarly, for this augmented system, we can also construct an observer in the form of formula (8). Conditions for the existence of observer are stated in eorem 1. Due to space limitation, the proof of the existence of the observer is not repeated in this subsection. It can be learned that the observer design method based on augmented system can be effectively applied to the situations where incremental cost estimator or output power decision-maker is compromised.

Observer Design in Situations of Multiple Modules being
Compromised considering Uncertainties. In this part, multipoint FDI attacks are considered: the attacker can launch FDI attacks on incremental cost estimator and output power decision-maker simultaneously.
e compromised system s can be expressed as where ω a (k) and ω s (k) are unknown input vectors caused by uncertainties of system; E a and E s are known constant coefficient matrices with appropriate dimensions. Taking the attack vector as an additional state, we can obtain the augmented state vector x(k) � x(k) m(k) T . e following augmented system can be established e following augmented system can be established where z represents the state vector of the dynamic system equation (26); R, S, L 1 , L 2 and T are the gain matrices with appropriate dimensions. e estimation error can be defined as e(k) � x(k) − x(k). e derivative of the estimation error can be calculated as 6 Computational Intelligence and Neuroscience If the following relationships can be held: e derivative of the estimation error can be expressed as e proof of the necessary conditions for the existence of the observer for the augmented system (26) can be found in [33] and omitted in here.
Theorem 2. For the augmented system 23, there exists a robust observer in the form of equation (24) there exists a positive definite matrix P and matrix Q, such that where Proof. Proof. Take the following Lyapunov function candidate for system (30) one has If c(k) � 0, from equations (32) and (34) one has ΔV(k) < 0. e error dynamic is asymptotically stable. Let We can derive Based on equations (32) and (36), we can derive In view of the fact that V(∞) ≥ 0 and V(0) � 0, we can derive which is equivalent to ‖e(k)‖ l 2 ≤ � 2 √ r‖c(k)‖ l 2 . e proof is completed.
Based on the proposed observer, we can derive the observed data of the variables and the measured data of those in DDCA. For the defender, it is necessary to identify the similarities between the measured data and the observed data under normal situations and distinguish the differences under the compromised situations.

Detection Scheme against FDI Attack considering Dual Source Data
In this section, we study the attack detection scheme against FDI attacks based on the observed data of the variables and Computational Intelligence and Neuroscience the measured data of those in DDCA. A relation-based detection network is proposed to extract the similarity of the dual source data. We design the machine-learning-based detection scheme based on the following considerations: (i) e method of calculating dual source data vector similarity based on traditional Euclidean distance requires too much prior knowledge level of defenders. In this paper, we use an embedding module and a relation module to extract the similarity of the dual source data automatically. (ii) Traditional machine learning methods need the distance of data vector in feature space to identify, which means that large scale of training data set is needed. In this paper, we skip the learning of feature distance and directly learn the relationship between dual source data, so as to effectively reduce the demand for the size of data set.
As is shown in Figure 1, the detection network contains measured data set, observed data set, Embedding module, and relation module. e data in the observed data set can reflect the current real operating state of the DDCA system, and the data in the measured data set may be tampered with. As to the attack detection network, we identify the attack by comparing the observed data with measured data. e measured data set consists of the compromised data set and the normal data set. When the data for comparison comes from the compromised data set, the relationship between dual source data is strong similarity. When the data for comparison comes from the normal data set, the relationship between two dual data is weak similarity.
As to the datasets, the data vectors in each dataset consists of the time series data of target variables in DDCA, including the data of incremental cost and those of output power. e data vector in the measured data set is written as d m . e data vector in the observed data set is written as d o .
e embedding module, which consists of full connect layers and rectified linear units (ReLUs), is used to extract the features of samples with a nonlinear function E. Compared with the traditional manual feature extraction method, the feature extraction by full connect layers can reduce the prior knowledge requirements of attack detection network for attack features. Rectified linear units are used to improve the generalization ability of the embedding module. e feature vectors of measured data and observed data generated by the embedding module can be expressed as F(d m ) and F(d o ). To alleviate the over fitting problem of the embedding module, class prototype of each feature vector class is adopted. e prototype P m i of the measured data feature vectors and the prototype P o i of the observed data feature vectors can be expressed as (39) We can derive the class feature vector C(P m i , P o i ) by concatenating the prototypes in depth dimension. e relation module is used to extract the similarity between the concatenations with a nonlinear relation function R. e similarity S can be written as To train the attack detection model, mean square error (MSE) is used as the objective function L m .
If the measured data is compromised, then l m ≠ l o and S is closed to 0. If the measured data is normal, then l m � l o and S is closed to 1.
Pseudocode for the proposed detection scheme is provided in Figure 2. First, input samples of variables of interest in DDCA as measured data set. Label the compromised data and the normal data. en, use the proposed observer to observe the variables and form the observed data set. en, obtain the feature vectors and prototype vectors in order with the help of the proposed module. Based on the relation feature vector concatenated by prototype vectors, calculate the similarity score using relation module. Based on the proposed objective function, optimize the model parameters with the stochastic gradient descent optimizer. After training the model, sample the incoming data, calculate the similarity and output the type of the test data.

Case Study
In this section, simulations are carried out to illustrate the effectiveness of the proposed observer and attack detection network of the variables in DDCA. e Barry Island electricity and heating networks is used as the tested system. e structure and parameters of the system can be found in [34].

Performance of the Observer for the Compromised System.
In the DDCA system, the coefficient matrices are 8 Computational Intelligence and Neuroscience First, we illustrate the performance of observer against false data injection attacks on incremental cost estimator. e attack target variable is x P p . Based on the method proposed in Section 1, the observed data of the variable x P p can be obtained. e simulation result of the dual source data is shown in Figure 3. e observation error is shown in Figure 4. It can be learned that when the attack volume is a static value, the observed data can effectively track the measured data. When the attack volume changes, there is a certain observation error between the observed data and the measured data, because the changed attack volume is equivalent to the changing disturbance volume. e difference between the observed data and the measured data will be an important basis for the attack detection network to identify whether the system is compromised. en, the performance of observer against false data injection attacks on output power decision-maker is studied. e attack target variable is y C p . Based on the method proposed in Section 2, the observed data of the state variable x C p in DDCA can be obtained. e simulation results are shown in Figures 5 and 6.
It can be learned that the FDI attacks on electric output power y C p in the output power decision-maker makes the measured incremental cost data x P p different from the observed ones. Compared with the FDI attacks on incremental cost estimator, the impact of FDI attacks on output power decision-maker can be reflected by the variables in incremental cost estimator.
To illustrate the performance of the proposed observer in situations of multiple modules being compromised, we analysis the simulation results considering the situation that x C h and y C h are compromised simultaneously. Based on the method proposed in Section 3, the observed data of the variable x C h can be obtained. e simulation results are shown in Figures 7 and8. It can be learned that there are obvious differences between the measured data and the observed data. e difference of dual source data is affected by the attack volume, as well as the system noise, disturbance and delay. erefore, it is necessary to identify whether the system is compromised based on the attack detection scheme.

Performance of the Observer for the Relation-Based Attack
Detection Scheme. In this subsection, we evaluate the performance of the proposed attack detection scheme. In the embedding module, there are three full connect layers and rectified linear units. e batch size of the relation network is chosen as 20. In the measured data set, there are 500 normal     sample data and 500 compromised data from the historical database. In the observed data set, 1000 observed data are generated based on the proposed method studied in Section B. e simulations are carried out on a personal computer with Intel processor core i7, cache 3.4 GHz, NVIDIA GTX 2060, and random-access memory (RAM) 32 GB.
To evaluate the performance of the relation-based attack detection scheme, the following metrics are used: (1) Accuracy: where TP represents the number of true positive detection results; TN represents the number of true negative detection results; FP represents the number of false positive detection results; FN represents the number of false negative detection results. (2) e probability of detecting correctly: (3) Success ratio: (4) Probability of identifying normal cases:

MF(T)
where T is the trade-off coefficient. Details about the performance metrics can be found in [31].
To illustrate the effectiveness of the proposed detection scheme, six methods are adopted for comparison: (1) e proposed relation-based attack detection scheme (ME1); (2) Attack detection scheme using relation network without prototype module (ME2); (3) Attack detection scheme using multi-layer perception (ME3); (4) Attack detection scheme using signal forecasting method (ME4); (5) Attack detection scheme using support vector machine (ME5); (6) Attack detection scheme using clustering artificial bee colony algorithm (ME6). e simulation results are shown in Figure 9. Compared with other attack detection scheme, the attack detection scheme (ME1) proposed in this paper has better performance in each algorithm evaluation index, that is, the proposed detection scheme can effectively detect false data injection attacks on variables in DDCA. e better performance of the proposed attack detection scheme mainly comes from the fact that the relation-based attack detection network focuses on exploiting the differences between normal data and compromised data, while the other attack detection schemes focus on exploiting the features. If the common features of normal data and compromised data are  learned by the other attack detection schemes, it will have a negative impact on the performance of the attack detection schemes.

Stability and Reliability of the Relation-Based Attack
Detection Scheme. In order to further investigate the stability of the detection performance of the proposed attack detection scheme, the performance of the attack detection scheme with different proportion of training sets is studied: at an interval of 5%, samples with a proportion from 40% to 80% are selected as the training sets. e simulation results are shown in Figure 10. It can be seen that although the performance of the proposed attack detection scheme will decline with the sample size, and the performance of some training sample sizes is inferior to other schemes, its overall attack detection performance is basically in the first echelon, which verifies that the attack detection scheme still has excellent detection effect under the sample size discussed in this section.

Computational Intelligence and Neuroscience
Considering the insufficient samples of compromised data in practice, we further discuss the reliability and stability under different positive and negative sample ratios. In this section, the ratio of positive samples to negative samples is 1 : 1, 1 : 2, 1 : 5 and 1 : 10 respectively. e specific performance verification effect is shown in Figure 11. It can be learned that when the number of positive samples is smaller than the number of negative samples, the performance of the proposed attack detection scheme will decline to a certain extent, but the overall performance still has certain advantages over other detection schemes. e decline of detection performance is mainly due to the fact that the attack detection network can not fully learn the difference between positive and negative samples.
Considering that the detection scheme proposed in this paper depends on the real-time data of the sensors, we further study the impact of measurement noise and measurement delay on the attack detection performance in the process of collecting sensor data. We design two metrics, security noise and security delay, to evaluate the detection performance of the proposed attack detection method. Safe noise (delay) refers to the maximum noise (delay) that can be tolerated when the detection accuracy (MA) reaches a specified threshold. Safe noise and safe delay considering different threshold of MA are in Table 1. It can be learned that the safe noise (delay) decreases with the increase of the threshold. It can be seen that when there are high requirements for the accuracy of the detection scheme, the data required by the detection scheme is also more ideal. Noise and delay have a significant impact on the detection effect. Correspondingly, if the requirements for detection performance are appropriately reduced, the proposed detection scheme has a certain tolerance to noise and delay. As a remedy, the defender should also consider using a variety of detection schemes to cross check the attack behavior, so as to improve the overall accuracy.

Conclusions and Discussions
6.1. Conclusions. In this article, false data injection attacks on distributed controller of electric-thermal integrated energy system and countermeasures are studied. Observers of variables in DDCA are designed to track the compromised data.
e proposed observer can achieve the observation considering different attack targets in DDCA. Based on the observed data and the measured data, we proposed a relation-based attack detection scheme to identify the false data injection attacks. e simulation results show that the attack detection scheme has better performance than the current mainstream scheme under multiple evaluation indexes. e better detection performance of the proposed scheme is attributed to its direct judgment of the difference between normal data pairs and compromised data pairs, which reduces the learning of other unnecessary or incorrect features. For the stability of the proposed scheme, compared with other schemes, the proposed scheme can maintain better detection performance with less proportion of training sets. erefore, we believe that the proposed attack detection scheme can achieve good performance against FDI attacks on ETIES.

Discussions.
It can be seen that the limitation of the proposed method used in this paper is that it requires realtime data of the system, which makes the defender have a certain dependence on the real-time sensor communication network. As to practical implementation, the challenge is how to deal with the large-scale destruction of more sensors by attackers. In such a scenario, the trusted data available in this paper will be reduced, and the ability to identify attacks will be reduced.
A possible mitigation approach is to stop using the realtime data obtained by the sensors of the system. As an alternative, the defender can use the system model and historical data to generate prediction data for real-time data, and use the predicted data combined with the algorithm proposed in this paper to identify cyber attacks. It can be seen that this research idea further reduces the dependence on real-time sensors, thereby reducing the uncertainty under large-scale attacks.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare no conflicts of interest.