On-line Detection of Malicious Activities Based on Edge Computing in Micro-grid System

With the continuous deployment of smart grids, various new smart technologies applied to the power grids have emerged, and the security boundaries of the power systems have gradually blurred, so that the power security protection measures urgently need to be updated. Aiming at the smart micro-grid system based on edge computing, this paper introduces a non-intrusive load monitoring (NILM) method, combined with the advantages of edge computing, and designs an online detection mechanism for malicious activities of terminal devices. This method is dedicated to achieving device-level security assurance.


Introduction
In recent years, with the continuous deployment of smart power grids, new equipment in the field of intelligent devices, wireless communications and other new technologies are emerging, and gradually widely used in the construction of electric power communication networks [1]. Micro-grid, as a complete power system, can realize self-control, protection and management, which has become a research hotspot and thus an important embodiment of smart grids deployment [2]. The edge computing technology [3] of the power Internet of things is applied to smart devices near the terminal side of the smart grids. Compared with cloud computing, it brings the nearby processing of data, reduces network transmission bandwidth and response delay, and can be widely used in micro-grid system. At the same time, a high degree of intelligence brings a complex access environment, flexible and diverse access methods, a large number of smart access terminals and other features [4], which will increase the security risks of smart grids. Under this background, the support of computing resources based on the edge computing makes it possible to implement the security protection of the micro-grid system with slightly complex computing methods [5], [6]. Further, in the smart micro-grid system based on edge computing [7], due to the widespread deployment of smart meters [8], the electrical data of the equipment is easy to obtain. It is a better choice to use non-intrusive load monitoring (NILM) [9]to realize the safety protection of the micro-grid system, which reduces additional monitoring equipment costs, additional line deployment costs, and additional time costs.
In this paper, we first discuss the architecture of the smart micro-grid system based on edge computing, and then analysis the NILM method, and propose a method for detecting malicious activities in the smart micro-grid based on the NILM edge computing system.

Micro-grid System
A smart micro-grid is a small-scale, decentralized and independent power system. It is an autonomous system that can realize self-control, protection and management. It can operate with an external power grid or in isolation [10]. It is a small power distribution system that combines distributed power sources, energy storage devices, inverters, related loads and protection devices. Figure 1 is an energy storage-photovoltaic-load topology diagram. The system consists of photovoltaic units, energy storage units, general loads and important loads. The electrical energy of the terminal load is provided by photovoltaic inverters and energy storage devices. When the self-generated energy of the micro-grid cannot meet the demand, the electric power is provided by the commercial grid. The microgrid central controller collects electrical information of devices at all levels for analysis, and realizes the function of controlling the coordinated operation of the entire microgrid.

Edge Computing Module
However, due to the high intelligence of smart micro-grids, the security risks that terminal loads may encounter include: permission attacks, data storage and encryption attacks, vulnerability threats, and remote control [11], [12]. These risks will lead to abnormal activities of the terminal's feedback data [13], allowing the micro-grid central controller to collect wrong information and then make wrong decision-making activities, causing the local or even the entire system of the micro-grid to collapse [14]. In response to this problem, we designed an edge computing module based on NILM for malicious activities detection, and placed it at the same level as the microgrid central controller shown in Figure 1. The edge computing module has the functions of online judgment and instant feedback, which helps to improve the safety performance of the entire system.

NILM
Non-intrusive load monitoring (NILM) is designed to monitor a circuit containing a number of devices that are individually switched on and off [15]. By analyzing the waveform of the total load [16], NILM estimated the current moment electrical energy consumption properties and other relevant statistics of a single load.

Event Detection
The sliding window is taken for event detection of the power sequence. The window power sequence , where  is the threshold control coefficient, then it is judged that power mutation occurs at this time, that is, load state changes.

Feature Extraction
The Fourier series expansion was carried out by selecting the time-series samples of the current at steady-state work after the power abrupt transition point. The amplitude of each current harmonic was taken as the load characteristic and denoted as 12 ( , , , ) n x x x  x , among which n was the number of odd harmonics with the maximum amplitude.

Load Identification
During load identification, test samples are mapped according to the mapping relationship between established load characteristics and terminal load, so as to determine the category of samples to be tested. The specific steps are as follows:  Training set x  x to be tested is taken as the input. Through the trained load classifier () fx, the output is j y and the specific type of terminal advice belongs to is obtained.

Preparation of Parameters
When we detect the state change information of the terminal device in the electrical waveform of the total power outlet and disaggregate the specific state change of the terminal device through NILM, we collect the electricity information of the terminal device. At the moment of state change, the electrical information is exported:  The steady-state power of the terminal device is extracted and denoted as p .

Figure 3.
Load disaggregation of simulation test. In the following experimental simulation, we collect the historical power data of each terminal load through the edge computing device, and obtain the historical power consumption information of the terminal device load. At the same time, the total power data is collected, and the event detection is performed according to the sequence of the total power. Figure 2 is a schematic diagram of event detection through a sliding window, which can separate events from the total power. Figure 3 is an example of extracting features from the corresponding current sequence and training a classifier to act on three terminal loads. According to the total output power information, the power consumption information of the terminal load can be clearly separated. Then, based on the separated real-time load information, we compare it with our own historical indication information to obtain whether the terminal device is currently operating abnormally.

Acknowledgments
This work is supported by the National major R & D program (No. 2018YFB0904900, 2018YFB0904905).