2016 Sixth International Conference on Instrumentation & Measurement, Computer, Communication and Control
A Survey on Intrusion Detection System for
Advanced Metering Infrastructure
Weiming Tong, Lei Lu, Zhongwei Li, Jingbo Lin, Xianji Jin,
School of Electrical Engineering and Automation
Harbin Institute of Technology
Harbin, China
lulei@hit.edu.cn
Abstract—The security issues of smart grid have drawn
more and more attention in the recent years. As a foundational
part of smart grid, the cyber and physical security of advanced
metering infrastructure (AMI) is of critical importance.
Various securing solutions for AMI have been proposed, most
of which based on cryptographic technology. However, as
learned from experiences in IT environment, intrusion
detection system (IDS) can dynamically monitoring the status
of network-based systems and provide supplementary
defensive capability besides the conventional static solutions,
such as encryption, authentication, firewall, etc. In this paper,
we analyze the potential threats in AMI and investigate the
current academic approaches on intrusion detection systems
and techniques for AMI. Then we give some recommendations
in designing and deploying a practical AMI-IDS, and propose
a comprehensive distributed IDS architecture suitable for AMI.
In addition, the existing research problems and challenges are
concluded to promote the future progress in this field.
Keywords—smart grid; cyber-physical security; advanced
metering infrastructure (AMI); intrusion detection system (IDS)
I. INTRODUCTION
Along with the rapid technical and practical development
of smart grid, advanced metering infrastructure (AMI) has
been intensely developed during the recent years [1, 2]. AMI
is a two-way network-based system connecting power utility
and customers, collecting consumption data and other
information from consumers, and implementing necessary
control actions [3]. AMI can provide information platform
and technical support for the real-time bidirectional
interaction and advanced applications, such as demand
response management, distributed energy generation and
storage, etc. These initiatives rely heavily on the information
infrastructures and communication networks, which may be
vulnerable against a wide array of threats, such as energy
theft and fraud, sensitive information theft, service disruption
for the purpose of extortion, vandalism, hacktivism, and
terrorism [4, 5]. Especially, the large-scale deployment of
AMI represents a significant increase in the attack surface
that need to be protected. This problem can be very
dangerous. For instance, a malicious attacker who gets
access to the crypto key may remotely disconnect massive
smart meters, which causes a heavy financial loss of the
978-1-5090-1195-7/16 $31.00 © 2016 IEEE 33
DOI 10.1109/IMCCC.2016.193
power utility, even causes devastating effect on the
livelihood and safety of people. Thus, there is a critical need
to secure the information confidentiality, integrity,
availability and accountability of AMI.
A number of literatures have been published in AMI
security area, mainly based on cryptographic technology,
such as encryption [6, 7], key distribution and management
[8, 9, 10], authentication [11, 12], privacy-preserving [13, 14,
15], security protocol [16, 17], etc. However, Cleveland [4]
states that encryption and authentication alone will not be
sufficient for AMI security protections, and that monitoring
solutions are critically necessary to be taken as a
complement. As learned from experiences in IT environment,
intrusion detection system (IDS) is usually adopted as the
second line defense besides the first line security measures
such as encryption, authorization, authentication, firewall,
etc. IDS is a monitoring system that can dynamically detect
any unwanted entity into a targeted system and trigger alerts
for the administrator to take appropriate measures to mitigate
the risks and prevent the escalation of malicious activities.
There are some unique characteristics in AMI that are
different from traditional IT environment. For example, most
of the AMI components are deployed in the public realm,
thus simply deploying a centralized IDS in utility network
will not provide the necessary coverage for AMI. Meanwhile,
AMI has several limitations in deploying a complex IDS
solution, such as heterogeneous communication networks
and protocols, limited computing and processing resources in
field devices, large cost of deploying a complex IDS, etc.
Thus, a variety of concerns should to be taken into account in
designing and deploying IDS for AMI. Some researchers
make efforts to this field in the past few years, proposing a
set of approaches and solutions. Nonetheless, the research in
this field is still fresh.
This paper is organized as follows. Section II presents the
attack surfaces, techniques and consequences in AMI.
Section III states the current approaches in intrusion
detection techniques and systems for AMI. Section IV gives
some recommendations and guidelines for designing IDS
and proposes a comprehensive IDS architecture. Section V
summarizes the current research problems and challenges.
Section VI presents the final conclusion of this paper.
 II. THREAT ANALYSIS
A. Attack surfaces
A typical architecture of AMI is shown in Fig.1. AMI is
mainly composed of the following components:
1) End devices
AMI devices include the headend and various application
servers deployed at the power utility end, smart meters
(usually serving as HAN gateway) and other intelligent
household devices at the customer end, and data
concentrators serving as intermediate storage and router
between AMI headend and smart meters. Differentiating
from the traditional IT facilities in the power utility, the field
devices (smart meters, concentrators, etc.) are usually
implemented by embedded systems and deployed in the
public realm, which are more vulnerable against possible
physical attacks (A3 and A6).
2) Communication networks.
AMI communication networks include various
hierarchical networks, such as LAN (local area network)
used to connect various business systems at the utility end,
WAN (wide area network) used to connect AMI headend
with data concentrators, NAN (neighborhood area network)
used to connect data concentrators and smart meters, HAN
(home area network) used to connect smart meter with
intelligent devices at the customer end. Unlike traditional
TCP/IP network in LAN, multiple wired and wireless
communication media and numerous public and private
protocols may be applied in WAN, NAN and LAN, which
make them more difficult to secure. Cyber attacks against
LAN (A1), WAN (A2), NAN (A4), HAN (A5) might be
taken by malicious attackers. Distinguishingly, though cyber
attacks inside the LAN may disrupt the legitimate
operational functionality and cause severe consequences, a
number of mature IT security solutions could be taken to
deal with this problem, such as malware prevention, firewall
and commercial IDS products. Thus, the protecting measures
for LAN are not generally concerned in AMI security.
In brief, a majority of AMI components are deployed at
the customer end, which is different from conventional
power automation systems (EMS, SAS, SCADA, etc.) and
LAN
A2
A1
MDMS
WAN
Optical fiber,
GIS/DRMS/... Headend 3G/4G, BPL
Ă Ă
Billing/Marketing
System
Power Utility
Fig.1. Attack surfaces in AMI
significantly increases the potential attack surfaces that need
to be protected.
B. Attack techniques and consequences
Similar with conventional IT systems, many
communication media and protocols in AMI are IP-based,
which means the same cyber attacks in IT systems could also
recur in AMI. Moreover, there are some unique
communication media (power line, M-Bus, RS-485, etc.) and
protocols (ANSI C12 series, DLMS/COSEM) in AMI, and
the field devices (data concentrators and smart meters) are
physically accessible, which means that AMI could face
some novel unique attacks different from IT system.
Mclaughlin et al [18] state that AMI would confront
significantly risk of energy theft because of the
interconnected nature and the large-scale deployment of field
devices. In [19], the same authors, develop an archetypal
attack tree, reveal the vulnerabilities in AMI, and introduce a
penetration testing method to evaluate AMI components.
Carpenter et al [20] present a number of attack approaches
against AMI, such as EEPROM/microcontroller dumping,
bus snooping, firmware disassembly, key extraction,
power/clock-glitching, etc. Gurugubelli et al [21] present the
potential attack surface in AMI with respect to hardware and
network configurations, protocols, and software.
The cyber and physical attacks against AMI may cause
many crucial consequences. For instance, with access to
decryption keys or discovery of flaws in encryption,
attackers may carry out unauthorized modifications to
system configurations and physical components, even
remotely disconnect massive power supply. With the fine-
grained data produced by AMI, attacker may infer sensitive
information about the customers’ lifestyles for criminal
activities [22]. The communication infrastructure may be
disrupted through DoS attack or abused through a botnet.
However, the security solution adopted in existing practical
AMI are basically cryptographic measures, such as data
encryption and identity authentication, which are proved to
be not sufficient from the experience in IT environment.
Thus, there is a critical and urgent need for developing
suitable IDS for AMI.
A5 HAN
A3 A4
IHD Other
meters
NAN
A6
smart energy
Data Mesh, PLC, meter storage
Concentrator M-Bus
DER PEV/HEV
End Customer
34
 III. CURRENT IDS SOLUTIONS FOR AMI
According to the original data source, IDS can be classified
into two types: host IDS and network IDS. The former
monitors and analyzes the file integrity, application logs and
system calls, etc., while the latter monitors and analyzes the
data packets and traffic characteristics in the communication
network. According to the detection mechanism, IDS can be
classified into three types: signature-based (also known as
misuse detection), anomaly-based and specification-based [23].
The signature-based IDS uses blacklist approach while the
other two use whitelist approach. The comparison among them
are shown in Table 1.
TABLE I. COMPARISON AMONG VARIANT TYPES OF IDS
Type Advantages Disadvantages
x can not handle unknown
Signature-
x high accuracy attacks
based
x need frequent updates
Anomaly- x able to handle
x high FPR, FNR
based unknown attacks
x hard to design
Specification- x high accurancy
x hard to generalize to
based x cost-efficient
various protocols
Since the signature-based IDS can not detect novel attacks
for AMI and need frequently updating, most researchers focus
on the anomaly-based and specification-based IDSes.
A. Anomaly-based IDS
Anomaly-based IDS identifies deviations from a normal
behavior profile predefined by statistical measures. In the
recent years, intrusion detection based on machine learning and
data mining techniques has been a research hotspot in IT
security field. The similar approach takes place in developing
IDS for AMI as well.
Zhang et al [24] describe a distributed intrusion detection
system for both AMI and SCADA systems that relies on
anomaly-based sensors deployed in HAN, NAN, WAN, and
SCADA environments. The IDS sensors collect security-
relevant information from the communication flows, and two
machine-learning algorithms, including SVM and CLONALG/
Airs2Parallel, process the data to identify malicious behavior.
Those algorithms need to be well-trained to gain good
performance, however, the attack samples in AMI are basically
rare. Moreover, the conventional machine-learning algorithms
are difficult to be implemented in embedded systems. Krishna
et al [25] proposed an anomaly detection method that uniquely
combines PCA feature selection algorithm and DBSCAN
clustering algorithm to verify the integrity of the smart meter
measurements. They use an open database of smart meter
readings obtained from a real deployment to model the normal
electricity consumption behaviors. Mohammadi et al [26]
propose a combined anomaly and signature-based IDS for
neighborhood area network (NAN) in AMI, taking into account
the NAN-specific requirements by considering various attacks
targeting physical, MAC, transport, and network layers.
Mustafa et al [27] firstly introduce data mining techniques into
IDS for AMI and explore the performances of various existing
35
state-of-the-art data stream mining algorithms on KDD CUP
1999 data set. They extend their research work in [28],
considering more data stream mining algorithms and
conducting a feasibility analysis for the distinct IDSes at AMI’s
three different components: smart meter, data concentrator and
AMI headend. Fadwa et al [29] propose a real-time distributed
intrusion detection system (DIDS) for the AMI infrastructure
that utilizes stream data mining techniques and a multi-layer
implementation approach. Using an unsupervised online
clustering techniques called Mini-Batch K-means, the
anomaly-based DIDS monitors the data flow in the AMI and
distinguish if there are anomalous traffics.
B. Specification-based IDS
The concept of specification-based IDS is to model a
desirable behavior of a system through its functionalities and
security policy. Any sequence of operations executed outside
the specifications is considered to be a violation and suspect
intrusion. The specification-based IDS can be regarded as a
more “strict” anomaly-based IDS.
1) Network IDS
Berthier et al [30] take advantage of specification-based
approach to monitor the ANSI C12.22 protocols through
dedicated sensors deployed in NAN. That solution was unique
in using formal methods to prove that specification-based
checkers offer sufficient coverage with respect to an AMI
security policy. Jokar et al [31] present a layered specification-
based IDS for HAN. Targeting the IEEE 802.15.4 standard, the
IDS can monitor the abnormal behavior in both the physical
and MAC layers. Ali et al [32] present a mutation-based
intrusion detection system that makes the behavior
unpredictable for the attacker while keeping it deterministic for
the system. They model the AMI behavior using event logs
collected at smart collectors, which in turn can be verified
using the invariant specifications generated from the AMI
behavior and mutable configuration. They extend their research
work in [33] and [34], modeling event logs using fourth-order
Markov chain and constructing specifications written in Linear
Temporal Logic (LTL), and propose a configuration
randomization module against evasion and mimicry attacks.
Ruan et al [35] propose a hybrid IDS framework combining
specification-based and signature-based technologies to handle
both known and unknown attacks. This framework is also
feasible for deploying on resource-limited devices in AMI.
2) Host IDS
Tabizi et al [36] propose a model-based technique for
building intrusion detection systems (IDS) for smart meters,
using LTL express temporal relations among the monitored
entities, which is suitable for the limitations of smart meters,
such as low processing capability, limited memory capacity.
They implement the IDS on an open source smart meter
platform called SegMeter and validate its efficiency. The same
authors extend their research in [37]. Liu et al [38] exploit the
colored Petri net to describe the information flows among units
in a smart meter, then they propose a threat model for smart
meters. Considering the constrained computation and storage
resources of a smart meter, they present a collaborative
intrusion detection mechanism against false data injection
attack.
 IV. RECOMMENDATIONS IN DEPLOYING IDS FOR AMI
We believe that a set of key guidelines should be complied
in design and deploying IDS in AMI:
1. Centralized IDS deployed in power utility network is
necessary but not sufficient in the context of AMI. Distributed
IDS that covers all the field devices and the edge of network is
strongly recommended.
2. Both the network IDS and host IDS are necessary
because they have complementary limitations and advantages.
The combination of these two approaches could provide
comprehensive monitoring and protecting capability for AMI.
3. The communication among several tiers of IDS should
be arranged in the separate secured channel from the normal
AMI communication network, in order to prevent the IDS from
becoming compromised in case the AMI communication
network is compromised. Even if it is expensive to construct a
separate physical channel, VPN technology should be taken to
strengthen the data transmission security of IDS.
4. Alert aggregation and correlation schemes should be
taken to enable operators to gain situational awareness without
being overwhelmed by numerous alerts. To lessen the
computation pressure in the power utility, appropriate alert
aggregation and correlation measures should also be taken in
the low-layer distributed field IDSes.
On the basis of the former analysis, a comprehensive IDS
architecture suitable for AMI is proposed, as shown in Fig. 2.
Management
Console
Server
Host
Headend
H-IDS
Network
WAN
H-IDS
Concentrator
Host Secured
C-IDS Channel
Network
NAN
C-IDS
Host
Smart Meter
M-IDS
Network
HAN
M-IDS
software& hardware implementation inside/outside device
software implementation inside device
Fig.2. Comprehensive IDS architecture for AMI
The proposed IDS is composed of several components:
1. Distributed IDSes: consist of both and network IDSes.
The host IDSes are used to monitor the hardware and operating
systems in headend, concentrators and smart meters. The
network IDSes are used to monitor and analyze the network
packet and traffic in WAN, NAN and HAN.
36
2. Management server: aggregates and correlates the
numerous alerts triggered by low-layer field IDSes, stores the
events information in the database, and communicates with
other applications.
3. Console: provides human-machine interface for the
administrator to configure the IDS, monitor the security state of
AMI, visualize the alerts and take appropriate countermeasures.
V. RESEARCH CHALLENGES
Although the current research of intrusion detection
techniques and systems for AMI has gained a certain
achievements, there are still some research problems and
challenges need to be dealt with.
A. Lack of test benchmark
AMI is different from the traditional IT environment in
many respects, thus some traditional test benchmark designed
for IDS in IT environment may not be suitable for verification
and validation of IDS in AMI environment, such as KDD CUP
1999 data set. The unique attack techniques and consequences
in AMI should be deeply researched, and a standardized
benchmark should be built to test the efficacy of designed IDS.
B. Alert aggrregation and correlation
AMI covers various communication networks and millions
of meters. A possible large-scale attack may trigger a large
amount of alerts from the distributed IDSes, which make it
difficult to handle. Thus, alert aggregation measures should be
taken to reduce the volume of alerts, and alert correlation
measures should be taken to analyze the attack scenarios and
track the attack source. However, this problem is still an open
research issue.
C. Integration with other systems
IDS for AMI should be able to communicate with other
applications, such as firewall and IPS, thus to take appropriate
countermeasures to mitigate the risk and prevent the escalation
of intrusion. Moreover, since some conventional defensive
products are already deployed in the power utility, the new-
built AMI-IDS should be able to integrate with the legacy
systems to reduce the cost and gain the cooperation benefit.
VI. CONCLUSION
The security issues of AMI are critical and crucial.
Cryptographic solutions alone are not sufficient for securing
AMI. This paper focuses on IDS for AMI, which serves as the
second line defense after the primary security measures, eg.
encryption, authentication, authorization, etc. The attack
surfaces, techniques and consequences in AMI are analyzed.
Then the existing academic approaches on intrusion detection
systems and techniques for AMI are investigated. A certain
recommendations and guidelines to design and deploy a
practical IDS are given, and a comprehensive IDS architecture
suitable for AMI is proposed. At last, the existing research
problems and challenges in this field are summarized. The
research work in this paper can provide reference for the
development and application of IDS for AMI.
 ACKNOWLEDGMENT
This paper is supported by the National Natural Science
Foundation of China (No. 51077015 and No. 50907014).
REFERENCES
[1] A. Ipakchi and F. Albuyeh, “Grid of the future,” IEEE Power & Energy
Machine, vol.7, July 2009, pp. 52-62.
[2] J. C. Zhang and Z. Y. Chen, “The impact of AMI on the future power
system,” Automation of Electric Power Systems, vol. 34, January 2010,
pp. 20-23.
[3] A. Mehdi , S. Vahid, and A. Behzad, “Advanced metering infrastructure
system architecture,” in Proceedings of 2011 Asia-Pacific Power and
Energy Engineering Conference, March 2011, pp. 1140-1146.
[4] F. M. Cleveland, “Cyber security issues for Advanced Metering
Infrastructure,” Power & Energy Society General Meeting Conversion &
Delivery of Electrical Energy, IEEE, 2008, pp. 1-5.
[5] R. Shein, "Security Measures for Advanced Metering Infrastructure
Components." Power and Energy Engineering Conference (APPEEC),
2010 Asia-Pacific IEEE, 2010, pp. 1-3.
[6] X .D. Zhang, W. M. Tong, et al. “Research on Fusion Algorithm of
Elliptic Curve Cryptography in Advanced Metering Infrastructure
Communication,” Seventh International Symposium on Computational
Intelligence and Design, IEEE, vol. 1, 2014, pp. 395-398.
[7] E. U. Soykan, S. D. Ersoz, and G. Soykan, “Identity based signcryption
for advanced metering infrastructure,” Smart Grid Congress and Fair
IEEE, 2015.
[8] J. Kamto, L. Qian, J. Fuller, et al. “Key Distribution and management
for power aggregation and accountability in Advance Metering
Infrastructure,” IEEE Third International Conference on Smart Grid
Communications, IEEE, 2012, pp. 360-365.
[9] Z. G. Wan, et al. “SKM: Scalable Key Management for Advanced
Metering Infrastructure in Smart Grids,” IEEE Transactions on
Industrial Electronics, vol. 61, no.12, 2014, pp. 7055-7066.
[10] G. Woong, and K. Jin. “Two-Dimensional Key Table-Based Group Key
Distribution in Advanced Metering Infrastructure,” Journal of Applied
Mathematics, vol. 10, 2014, pp. 1-9.
[11] J. W. Jeon, S. H. Lim, and O. Y. Yi, “A Wireless Network Structure and
AKA(Authentication and Key Agreement) Protocol of Advanced
Metering Infrastructure on the Smart Grid based on Binary CDMA,”
Journal of the Korea Institute of Information Security and Cryptology,
vol. 20, no. 5, 2010, pp. 111-124.
[12] Y. Yan, Y. Qian, and H. Sharif, “A secure and reliable in-network
collaborative communication scheme for advanced metering
infrastructure in smart grid,” IEEE Wireless Communications &
Networking Conference IEEE, 2011, pp. 909-914.
[13] P. Deng, and L. Yang, “A secure and privacy-preserving communication
scheme for Advanced Metering Infrastructur,” IEEE PES Innovative
Smart Grid Technologies Conference, IEEE, 2012, pp. 1-5.
[14] S. Chen, et al. “A privacy-aware communication scheme in Advanced
Metering Infrastructure (AMI) systems,” IEEE Wireless
Communications and Networking Conference, IEEE, 2013, pp. 1860-
1863.
[15] N. Saputro , and K. Akkaya, “On preserving user privacy in Smart Grid
advanced metering infrastructure applications,” Security &
Communication Networks, vol. 7, no. 1, 2014, pp. 206-220.
[16] Y. Yan, et al. “An efficient security protocol for advanced metering
infrastructure in smart grid,” IEEE Network, vol 27, 2013, pp. 64-71.
[17] F. Ye, Y. Qian, and R. Q. Hu, “A security protocol for advanced
metering infrastructure in smart grid,” Global Communications
Conference, IEEE, 2014, pp. 649-654.
[18] S. Mclaughlin, D. Podkuiko, and P. Mcdaniel, “Energy Theft in the
Advanced Metering Infrastructure,” International Workshop on Critical
Information Infrastructures Security, Critis 2009, Bonn, Germany, 2009,
pp. 129-142.
37
[19] S. Mclaughlin, et al. “Multi-vendor penetration testing in the advanced
metering infrastructure,” Computer Security Applications Conference
ACM, 2010, pp. 2686-2692.
[20] M. Carpenter, T. Goodspeed, B. Singletary, et al. “Avanced Metering
Infrastructure attack methodology v1.0,” USA: InGuardians, 2009.
[21] J. C. Foreman and D. Gurugubelli, “Identifying the Cyber Attack
Surface of the Advanced Metering Infrastructure,” Electricity Journal,
vol. 14, no. 1, 2015, pp. 94-103.
[22] F.G. Mármol, et al. “Do not snoop my habits: preserving privacy in the
smart grid,” IEEE Communications Magazine, vol. 50, no.5, 2012, pp.
166-172.
[23] R. Berthier, W. H. Sanders, and H. Khurana, “Intrusion Detection for
Advanced Metering Infrastructures: Requirements and Architectural
Directions,” IEEE International Conference on Smart Grid
Communications, IEEE, 2010, pp. 350-355.
[24] Y. Zhang, L. Wang, W. Sum, et al. “Distributed IDS in a multi-layer
network architecture of smart grids,” IEEE Transactions on Smart Grid,
vol. 2, no.4, 2011, pp. 796-808.
[25] V. B. Krishna, G. A. Weaver, and W. H. Sanders, “PCA-Based Method
for Detecting Integrity Attacks on Advanced Metering Infrastructure,”
International Conference on Quantitative Evaluation of Systems.
Springer International Publishing, 2015, pp. 70-85.
[26] N. B. Mohammadi, et al. “A framework for intrusion detection system
in advanced metering infrastructure,” Security & Communication
Networks, vol. 7, no. 1, 2014, pp. 195-205.
[27] M. A. Faisal, et al. “Securing Advanced Metering Infrastructure Using
Intrusion Detection System with Data Stream Mining,” Pacific Asia
Conference on Intelligence and Security Informatics, 2012, pp. 96-111.
[28] M. A. Faisal, et al. “Data-Stream-Based Intrusion Detection System for
Advanced Metering Infrastructure in Smart Grid: A Feasibility Study,”
IEEE Systems Journal, vol. 9, no. 1, 2015, pp. 31-44.
[29] F. A. A. Alseiari, and Z. Aung, “Real-time anomaly-based distributed
intrusion detection systems for advanced Metering Infrastructure
utilizing stream data mining,” International Conference on Smart Grid
and Clean Energy Technologies, IEEE, 2015, pp. 148-153.
[30] R. Berthier, and W. H. Sanders, “Specification-Based Intrusion
Detection for Advanced Metering Infrastructures,” IEEE Pacific Rim
International Symposium on Dependable Computing, IEEE, 2011,
pp.184-193.
[31] P. Jokar, H. Nicanfar, and V. C. M. Leung, “Specification-based
Intrusion Detection for home area networks in smart grids,” IEEE
International Conference on Smart Grid Communications, IEEE, 2011,
pp. 208-213.
[32] M. Q. Ali, and E. Al-Shaer, “Probabilistic model checking for AMI
intrusion detection,” IEEE International Conference on Smart Grid
Communications, IEEE, 2013, pp. 468-473.
[33] M. Q. Ali, and E. Al-Shaer, “Configuration-based IDS for advanced
metering infrastructure,” ACM Sigsac Conference on Computer &
Communications Security, 2013, pp. 451-462.
[34] M. Q. Ali, and E. Al-Shaer, “Randomization-Based Intrusion Detection
System for Advanced Metering Infrastructure,” ACM Transactions on
Information & System Security, vol 18.2, 2015, pp. 1-30.
[35] H. M. Ruan, G. W. Yeap, and C. L. Lei, “Hybrid intrusion detection
framework for advanced metering infrastructure,” Frontiers in Artificial
Intelligence & Applications, vol 274, 2015, pp. 894-903.
[36] F. M. Tabrizi, and K. Pattabiraman, “A Model-Based Intrusion
Detection System for Smart Meters,” IEEE International Symposium on
High-Assurance Systems Engineering, IEEE Computer Society, 2014,
pp. 17-24.
[37] F. M. Tabrizi, and K. Pattabiraman., “Flexible Intrusion Detection
Systems for Memory-Constrained Embedded Systems,” Dependable
Computing Conference IEEE, 2015, pp. 1-12.
[38] X. Liu, P. Zhu, Y. Zhang and K. Chen, “A Collaborative Intrusion
Detection Mechanism Against False Data Injection Attack in Advanced
Metering Infrastructure,” IEEE Transactions on Smart Grid, vol. 6, no. 5,
Sept. 2015 ,pp. 2435-2443.