pith. sign in

arxiv: 1906.11328 · v1 · pith:TKI54OMSnew · submitted 2019-06-26 · 💻 cs.LG · cs.CR· stat.ML

Adversarial FDI Attack against AC State Estimation with ANN

Tian Liu , Tao Shu This is my paper

Pith reviewed 2026-05-25 15:30 UTC · model grok-4.3

classification 💻 cs.LG cs.CRstat.ML
keywords adversarial attackfalse data injectionAC state estimationartificial neural networksmart griddifferential evolutionpower system security
0
0 comments X

The pith

Differential evolution generates attack vectors that degrade ANN accuracy in AC state estimation.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper studies how an attacker can inject false data to fool an artificial neural network performing nonlinear AC state estimation in power grids. It proposes a population-based differential evolution algorithm and a gradient-based SLSQP algorithm to craft the attack vectors. Simulations on IEEE 9-bus, 14-bus, and 30-bus systems show that the differential evolution method reduces ANN estimation accuracy with high probability while remaining undetected. A sympathetic reader would care because state estimation underpins grid control, so such vulnerabilities could allow stealthy manipulation of critical measurements.

Core claim

By injecting deliberate attack vectors generated by differential evolution, an attacker with knowledge of the ANN model can degrade its accuracy for AC state estimation while evading detection, and this approach outperforms the SLSQP algorithm across all tested IEEE bus systems and attack scenarios.

What carries the argument

Differential evolution algorithm to optimize adversarial false data injection vectors against the ANN state estimator.

Load-bearing premise

The attacker has full knowledge of the target ANN model's architecture and parameters.

What would settle it

A test on an IEEE bus system where differential evolution attack vectors fail to reduce ANN state estimation accuracy below baseline levels.

Figures

Figures reproduced from arXiv: 1906.11328 by Tao Shu, Tian Liu.

Figure 1
Figure 1. Figure 1: An Example of a 5-meter Attack to 14-bus System [PITH_FULL_IMAGE:figures/full_fig_p010_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Relative Error (first row) and Success Prob. (second r [PITH_FULL_IMAGE:figures/full_fig_p011_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Cumulative Frequency of Meters Presenting in Attack [PITH_FULL_IMAGE:figures/full_fig_p011_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Relative Error (first row) and Success Prob. (second r [PITH_FULL_IMAGE:figures/full_fig_p013_4.png] view at source ↗
read the original abstract

Artificial neural network (ANN) provides superior accuracy for nonlinear alternating current (AC) state estimation (SE) in smart grid over traditional methods. However, research has discovered that ANN could be easily fooled by adversarial examples. In this paper, we initiate a new study of adversarial false data injection (FDI) attack against AC SE with ANN: by injecting a deliberate attack vector into measurements, the attacker can degrade the accuracy of ANN SE while remaining undetected. We propose a population-based algorithm and a gradient-based algorithm to generate attack vectors. The performance of these algorithms is evaluated through simulations on IEEE 9-bus, 14-bus and 30-bus systems under various attack scenarios. Simulation results show that DE is more effective than SLSQP on all simulation cases. The attack examples generated by DE algorithm successfully degrade the ANN SE accuracy with high probability.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper initiates the study of adversarial false data injection (FDI) attacks on artificial neural network (ANN)-based AC state estimation in smart grids. It proposes a population-based differential evolution (DE) algorithm and a gradient-based SLSQP algorithm to craft attack vectors that degrade ANN SE accuracy while remaining undetected. Performance is evaluated via simulations on IEEE 9-bus, 14-bus, and 30-bus systems under various scenarios, with results indicating that DE outperforms SLSQP and that the generated attacks succeed with high probability.

Significance. If the empirical results hold under the stated access model, the work provides a concrete demonstration that standard optimization methods can generate effective adversarial examples against ANN-based nonlinear state estimation on benchmark power-system test cases. This is a useful initial assessment of ML vulnerabilities in a critical infrastructure application and supplies reproducible simulation evidence on standard IEEE cases.

major comments (1)
  1. [Attack generation algorithms] Attack generation section: Both the DE and SLSQP procedures optimize attack vectors by directly evaluating or differentiating through the target ANN (to minimize SE error or maximize misestimation). All reported success rates on the IEEE 9/14/30-bus cases therefore presuppose white-box access to the exact model weights, architecture, and training distribution. The manuscript contains no black-box or transfer-attack experiments; removing this access model leaves the concrete generation procedures and the 'high probability' degradation claim without supporting evidence.
minor comments (1)
  1. [Abstract] Abstract: the claim that attacks succeed 'with high probability' is stated without any numerical success rates, detection thresholds, or error bars; these quantitative details appear only in the simulation section and should be summarized in the abstract for clarity.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the careful review and valuable feedback. We address the major comment point by point below.

read point-by-point responses

  1. Referee: [Attack generation algorithms] Attack generation section: Both the DE and SLSQP procedures optimize attack vectors by directly evaluating or differentiating through the target ANN (to minimize SE error or maximize misestimation). All reported success rates on the IEEE 9/14/30-bus cases therefore presuppose white-box access to the exact model weights, architecture, and training distribution. The manuscript contains no black-box or transfer-attack experiments; removing this access model leaves the concrete generation procedures and the 'high probability' degradation claim without supporting evidence.

    Authors: We agree that the DE and SLSQP procedures as described require white-box access, since they optimize directly against the target ANN's outputs or gradients. The paper's contribution is framed as an initial study of adversarial FDI attacks under this access model, which is standard for establishing attack feasibility in adversarial ML before extending to harder settings. The reported success rates are therefore valid under the white-box assumption. We acknowledge the absence of black-box or transfer experiments. In revision we will (i) explicitly state the white-box threat model in the introduction and Section III, (ii) add a dedicated paragraph in the discussion section noting this scope limitation, and (iii) outline possible black-box extensions (surrogate models, query-based optimization) as future work. These changes will clarify the claims without overstating the current evidence. revision: partial

Circularity Check

0 steps flagged

Empirical simulation study with no circular derivation chain

full rationale

The paper proposes two algorithms (DE population-based and SLSQP gradient-based) to craft adversarial FDI vectors against a white-box ANN state estimator, then reports success rates from direct Monte-Carlo simulations on IEEE 9/14/30-bus cases. No equations, fitted parameters, or self-citations are used to derive the reported degradation probabilities; the results are obtained by executing the stated attack-generation procedures on the target model. The central claim therefore rests on external simulation evidence rather than any self-referential reduction of the output metric to an input defined inside the paper.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the standard assumption that adversarial perturbations exist for the trained ANN and that the attacker can optimize them without triggering existing bad-data detectors; no new entities or fitted constants are introduced beyond algorithm hyperparameters.

axioms (1)
  • domain assumption ANN models for nonlinear AC state estimation are vulnerable to adversarial perturbations
    Invoked in the opening paragraph as established fact before proposing attacks.

pith-pipeline@v0.9.0 · 5666 in / 1025 out tokens · 26470 ms · 2026-05-25T15:30:28.499987+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

22 extracted references · 22 canonical work pages · 3 internal anchors

  1. [1]

    International Journal of I nteractive Multimedia & Artificial Intelligence 5(1) (2018)

    Abdel-Nasser, M., Mahmoud, K., Kashef, H.: A novel smart g rid state estimation method based on neural networks. International Journal of I nteractive Multimedia & Artificial Intelligence 5(1) (2018)

    work page 2018

  2. [2]

    ANSI: ANSI C12.1-2008: American National Standard for El ectric Meters: Code for Electricity Metering (2008)

    work page 2008

  3. [3]

    Carlini, N., Wagner, D.: Towards Evaluating the Robustne ss of Neu- ral Networks. Tech. rep. (2017). https://doi.org/10.1109 /SP.2017.49, http://nicholas.carlini.com/code/nn

    work page 2017

  4. [4]

    Electricity Information Sharing and Analysis Center (E-ISAC) (2016) 14 T

    Case, D.U.: Analysis of the cyber attack on the ukrainian p ower grid. Electricity Information Sharing and Analysis Center (E-ISAC) (2016) 14 T. Liu et al

    work page 2016

  5. [5]

    Computer methods in applied mechanics and engineering 186(2-4), 311–338 (2000)

    Deb, K.: An efficient constraint handling method for geneti c algorithms. Computer methods in applied mechanics and engineering 186(2-4), 311–338 (2000)

    work page 2000

  6. [6]

    Explaining and Harnessing Adversarial Examples

    Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining an d harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  7. [7]

    IEEE Transa ctions on smart grid 3(3), 1362–1370 (2012)

    Hug, G., Giampapa, J.A.: Vulnerability assessment of ac s tate estimation with respect to false data injection cyber-attacks. IEEE Transa ctions on smart grid 3(3), 1362–1370 (2012)

    work page 2012

  8. [8]

    In: 2008 40th North American Power Symposium

    Jain, A., Balasubramanian, R., Tripathy, S.: Topologica l observability: Artificial neural network application based solution for a practical p ower system. In: 2008 40th North American Power Symposium. pp. 1–6. IEEE (2008)

    work page 2008

  9. [9]

    In: 2012 IEEE Power and Energy Society Gener al Meeting

    Jia, L., Thomas, R.J., Tong, L.: On the nonlinearity effect s on malicious data attack on power system. In: 2012 IEEE Power and Energy Society Gener al Meeting. pp. 1–

    work page 2012

  10. [10]

    Forschungs- bericht Deutsche Forschungs und Versuchsanstalt f¨ ur Luftund Raumfahrt 88, 33 (1988)

    Kraft, D.: A software package for sequential quadratic p rogramming. Forschungs- bericht Deutsche Forschungs und Versuchsanstalt f¨ ur Luftund Raumfahrt 88, 33 (1988)

    work page 1988

  11. [11]

    IEE Proceedings-Generation, Transmission and Distribution 143, 99—-105 (1996)

    Kumar, DM Vinod and Srivastava, SC and Shah, S and Mathur, S.: Topol- ogy processing and static state estimation using artificial neural networks. IEE Proceedings-Generation, Transmission and Distribution 143, 99—-105 (1996)

    work page 1996

  12. [12]

    IEEE Tr ansactions on Power Systems 32(4), 3317–3318 (2017)

    Liang, G., Weller, S.R., Zhao, J., Luo, F., Dong, Z.Y.: Th e 2015 Ukraine Black- out: Implications for False Data Injection Attacks. IEEE Tr ansactions on Power Systems 32(4), 3317–3318 (2017). https://doi.org/10.1109/TPWRS.2 016.2631891

    work page doi:10.1109/tpwrs.2 2015

  13. [13]

    ACM Transactions on Information an d System Security (TISSEC) 14(1), 13 (2011)

    Liu, Y., Ning, P., Reiter, M.K.: False data injection att acks against state estimation in electric power grids. ACM Transactions on Information an d System Security (TISSEC) 14(1), 13 (2011)

    work page 2011

  14. [14]

    Distribution System Monitoring for Smart Power Grids with Distributed Generation Using Artificial Neural Networks

    Menke, J.H., Bornhorst, N., Braun, M.: Distribution sys tem monitoring for smart power grids with distributed generation using artificial ne ural networks. arXiv preprint arXiv:1801.04705 (2018)

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  15. [15]

    In: 2015 IEEE Electrical Pow er and Energy Con- ference (EPEC)

    Mosbah, H., El-Hawary, M.: Multilayer artificial neural networks for real time power system state estimation. In: 2015 IEEE Electrical Pow er and Energy Con- ference (EPEC). pp. 344–351. IEEE (2015)

    work page 2015

  16. [16]

    In: 2014 IEEE Electrical Power and Energy Conference

    Onwuachumba, A., Musavi, M.: New reduced model approach for power system state estimation using artificial neural networks and princ ipal component analysis. In: 2014 IEEE Electrical Power and Energy Conference. pp. 15 –20. IEEE (2014)

    work page 2014

  17. [17]

    In: 2013 IEEE Power & E nergy Society General Meeting

    Rahman, M.A., Mohsenian-Rad, H.: False data injection a ttacks against nonlinear state estimation in smart power grids. In: 2013 IEEE Power & E nergy Society General Meeting. pp. 1–5. IEEE (2013)

    work page 2013

  18. [18]

    Journal of global opt imization 11(4), 341–359 (1997)

    Storn, R., Price, K.: Differential evolution–a simple an d efficient heuristic for global optimization over continuous spaces. Journal of global opt imization 11(4), 341–359 (1997)

    work page 1997

  19. [19]

    CoRR abs/1710.08864 (2017), http://arxiv.org/abs/1710.08864

    Su, J., Vargas, D.V., Sakurai, K.: One pixel attack for fo oling deep neural networks. CoRR abs/1710.08864 (2017), http://arxiv.org/abs/1710.08864

    work page arXiv 2017

  20. [20]

    Intriguing properties of neural networks

    Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erha n, D., Goodfellow, I., Fer- gus, R.: Intriguing properties of neural networks. arXiv pr eprint arXiv:1312.6199 (2013)

    work page internal anchor Pith review Pith/arXiv arXiv 2013

  21. [21]

    John Wiley & Sons (2013)

    Wood, A.J., Wollenberg, B.F., Shebl´ e, G.B.: Power gene ration, operation, and control. John Wiley & Sons (2013)

    work page 2013

  22. [22]

    : Matpower: Steady-state operations, planning, and analysis tools for power systems research and education

    Zimmerman, R.D., Murillo-S´ anchez, C.E., Thomas, R.J. : Matpower: Steady-state operations, planning, and analysis tools for power systems research and education. IEEE Transactions on power systems 26(1), 12–19 (2011)

    work page 2011