TY - JOUR
T1 - BLITHE
T2 - Behavior Rule-Based Insider Threat Detection for Smart Grid
AU - Bao, Haiyong
AU - Lu, Rongxing
AU - Li, Beibei
AU - Deng, Ruilong
N1 - Publisher Copyright: © 2014 IEEE.
PY - 2016/4
Y1 - 2016/4
N2 - In this paper, we propose a behavior rule-based methodology for insider threat (BLITHE) detection of data monitor devices in smart grid, where the continuity and accuracy of operations are of vital importance. Based on the dc power flow model and state estimation model, three behavior rules are extracted to depict the behavior norms of each device, such that a device (trustee) that is being monitored on its behavior can be easily checked on the deviation from the behavior specification. Specifically, a rule-weight and compliance-distance-based grading strategy is designed, which greatly improves the effectiveness of the traditional grading strategy for evaluation of trustees. The statistical property, i.e., the mathematical expectation of compliance degree of each trustee, is particularly analyzed from both theoretical and practical perspectives, which achieves a satisfactory tradeoff between detection accuracy and false alarms to detect more sophisticated and hidden attackers. In addition, based on real data run in POWER WORLD for IEEE benchmark power systems, and through comparative analysis, we demonstrate that BLITHE outperforms the state of the art for detecting abnormal behaviors in pervasive smart grid applications.
KW - Insider threat detection
KW - security
KW - smart grid
UR - https://www.scopus.com/pages/publications/84963763666
U2 - 10.1109/JIOT.2015.2459049
DO - 10.1109/JIOT.2015.2459049
M3 - Article
AN - SCOPUS:84963763666
SN - 2327-4662
VL - 3
SP - 190
EP - 205
JO - IEEE Internet of Things Journal
JF - IEEE Internet of Things Journal
IS - 2
M1 - 7163500
ER -