ACCEPTED TO APPEAR IN IEEE TRANSACTIONS ON … TO APPEAR IN IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS 1 ... power generation and dis- ... stealthy

ACCEPTED TO APPEAR IN IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS 1

The STREAM Mechanism to Improve CPS SecurityThe Case of the Smart GridRanjan Pal, Member, IEEE, Viktor Prasanna, Fellow, IEEE

Abstract—Cyber-physical systems (CPSs) integrate computa-tion, communication, and physical capabilities to interact with thephysical world and humans. In this work, we develop STREAM,a novel STrategic REsource Availability Management systemto improve information integrity and availability in an energyconstrained CPS environment under the presence of maliciousadversaries. The term ‘resource’ here can be any component of aCPS. The main elements of STREAM are (i) difficult but realistic‘repeated (adversary-defender) game’ settings, and (ii) a set ofprovably optimal defender strategies plus effective heuristics,against equally potent adversary moves. STREAM is based onthe concept of dynamic games in sequential game theory, and isthe first system to incorporate the realistic behavioral aspect thatin many CPSs, both, the class of adversaries, as well as the classof CPS protectors, could move in a covert and stealthy mannerin order to outwit the other in the war on ‘resource control’. Inorder to demonstrate the effectiveness of STREAM strategies toimprove CPS resource availability to the non-adversary, we firstconduct a thorough theoretical analysis on a model Smart GridCPS as a representative example of a CPS. We then follow upthe analysis with an extensive simulation study on the standardIEEE 14 smart power grid architecture. The results show thatSTREAM strategies improve Smart Grid system integrity andavailability by approximately upto 67% when compared to non-strategic approaches. Our proposed (analysis, simulation) suitefor the grid is extendible to general CPS application domains.

Keywords— CPS, security, dynamic game, STREAM

I. INTRODUCTION

Cyber-physical systems (CPSs) arise from the tight inte-gration of physical processes, computational resources, andcommunication capabilities. More precisely, processing unitsmonitor and control physical processes by means of sensorsand actuators networks. Examples of cyber-physical systemsinclude transportation networks, power generation and dis-tribution networks, water and gas distribution networks, andadvanced communication systems. Due to the increasinglycrucial role of cyber-physical systems in everyday life, cyber-physical security needs to be promptly addressed.

In view of the above, resource availability and informa-tion integrity are one of the most important objectives inthe security of cyber-physical systems [1]. Here, the term‘resource’ implies any component in the CPS that is integralto its proper functioning. A loss in resource availabilityleads to the disruption of access to or use of information,thereby hampering system functionality. Examples of typicalavailability attacks include DDoS attacks on all layers of aCPS network architecture [channel jamming (a physical layerattack), MAC layer spoofing, buffer flooding (a TCP/IP layerattack), and application layer attacks.)]. Preserving information

R.Pal is with the jointly with the departments of Computer Science andElectrical Engineering, University of Southern California, CA, USA. E-mail:[email protected].

V.Prasanna is jointly with the departments of Electrical Engineer-ing and Computer Science, University of Southern California. E-mail:[email protected].

integrity refers to a system’s ability to guard against improperinformation modification or destruction by adversaries in orderto enforce information non-repudiation and authenticity. A lossof information integrity will induce incorrect decision making,thereby transferring control to system adversaries to causedamage. Integrity attacks are in general more sophisticatedthan availability attacks and mainly occur at the applica-tion level. Examples of information integrity attacks includestealthy data modification, and false data injection attacks.The focus of this paper is to address the proper managementof executing countermeasuring solutions to adversary-drivenresource availability and integrity attacks in cyber-physicalsystems. As a representative example of a CPS to base ourwork upon, we choose the Smart Grid.

A. Availability and Integrity Issues in the Smart Grid

Before motivating our research problem, we educate thegeneral reader with a brief example of resource availabilityand integrity attacks on the various primary layers of aSmart Grid architecture [1], their impacts on the Grid, andmention existing technical countermeasures to mitigate suchattacks. We motivate our problem in the following subsectionemphasizing the strategic importance of managing the timeinstants when countermeasures need to be executed.

1) Availability Issues: A feature not that common to thegeneral Internet but characteristic to many cyber-physicalsystems including the Smart Grid is the necessity to servedelay constrained applications. As an example, in the powersubstation network of a Smart Grid there is a stringent need ofinformation or control messages to be delivered to the powersystems (e.g., IEC 61850 messages [2] for local management)in time. Thus, a DoS attacker need not completely shutdown network access. It just needs to launch weaker versionsof availability attacks to intentionally delay the transmissionof a time-critical message to violate its timing requirement.Availability attacks in the Supervisory Control and DataAcquisition (SCADA) network consists of the SCADA centerbecoming a primary target to distributed DoS attacks than canbe launched from various local area systems, thereby leadingto untimely (but not necessarily time critical) monitoring andcontrol. In regard to time critical SCADA network attacks,weak DoS attacks on individual local area networks [3] [4] candelay or block correlated data delivery from these networksto the SCADA center or the phasor data concentrator (PDC)[5], thereby affecting the state estimation and synchronizationprocess that has a delay requirement of tens of milliseconds.At the home-area network level of a Smart Grid, availabilityattacks include the execution of conventional DoS attacks (asthe ones on the Internet or in sensor networks [6]), that focuson things like jamming real-time price signals between theutility and the consumer Advanced Metering Infrastructure


(AMI) network [7], resulting in the dysfunction of price-drivendemand response mechanisms.

2) Integrity Issues: At the power substation network level,spoofing and false data injection attacks can lead to a lossof integrity. For example, switches are used to protect powerinfrastructures in substations. When an Intelligent ElectronicDevice (IED) detects an abnormal status (e.g., high current),it will send open/close messages to switches to balance load(or break the circuit for protection) [8]. If a spoofing attackersuccessfully masquerades itself as a monitoring IED, it couldsend false close/open messages to switches, and lead the pro-tection system to mess-up system status, potentially resultingloss of power supply for customers. At the SCADA networklevel, man-in-the-middle attacks inject falsified data duringcommunication. In addition, attackers can cooperate with eachother in order to successfully launch data integrity attacks onthe SCADA center if individual tampering is easily identifi-able [3][4]. At the home-area-network level, integrity attacksinclude conventional man-in-the-middle and data falsificationattacks on the AMI network [9].

3) Technical Countermeasures: Common existing solutionsto counter these attacks primarily comprise of techniquesfalling into two major categories: network solutions, andcryptographic solutions [1]. The class of network solutions areprimarily designed to prevent DoS attacks, and include signaland packet based attack detection, spoof detection modules,rate-limiting mechanisms, filtering suspicious flows, and anti-jamming solutions. The class of cryptographic solutions aremainly designed to counter integrity attacks, and includeencryption, authentication, and key management. A detailedoverview of state of the art technical countermeasures toavailability and integrity attacks in the Smart Grid is givenin [1][10] [11][12][13][14].

B. Research MotivationDespite the existence of effective technical countermeasures

to improve availability and integrity in the Smart Grid, onenecessarily important aspect that has remained unaddressedin its security literature is the right timing behind executingthe countermeasures, more importantly in adversarial settings.

With respect to improving security in the Grid, we firmly be-lieve in the slogan: “Designing Technical Countermeasures forthe Smart Grid is Necessary but Not Sufficient!”. The strengthof our belief lies in the fact that most CPSs (e.g., the SmartGrid) can be viewed as a networked information processingsystem, comprising as integral components, low capacity (bothin terms of energy and processor/memory capacity) sensorsthat play a vital role in many computations geared towardsoptimal decision and control. In such an energy constrainedinformation processing environment, it is imperative to executeenergy consuming technical countermeasures (e.g., the spoofdetector module as explained above) in a ‘timely’ fashion toconserve the former. However, a strategic adversary woulddeliberately aim to attack in a manner that does not conflictwith the timing sequence of the CPS protector(s), so that (a)it can have control of the system as much as possible, and(b) push the protector(s) to drain more of their energy behindincreasing the frequency of countermeasuring activities, even-tually leading to inevitable availability attacks after eventualprotector drain outs.

Thus, an important goal in the Smart Grid is to come upwith a strategic resource availability management scheme that

minimizes the amount of time that a strategic adversary(s)can have control of the system. The sole focus of this paperis to design one such scheme. The scheme will leverage theavailability and integrity performance of the Grid throughexisting countermeasures, via their proper ‘execution timing’management. In this paper we use the term ‘resource’ toimply any component of a CPS that adversaries might target.Achieving our goal would ensure that the ‘good guys’ willconsiderably have more control on the Smart Grid than the‘bad guys’ over time, and in the process also save energyresources.

C. Related Work on Using Game Theory in The Smart GridGame theory provides the basis for generalizing strategic

decision making and distributed optimization in a multiagentsetting. Despite the development of a large number of coun-termeasures for the Smart Grid [1], the specific use of gametheory for strengthening security in the Smart Grid is relativelyscarce. Chen et al. [15] use two-player zero-sum static gamesbetween a so-called intentional attacker and a fusion-baseddefender to compute the equilibrium network robustness cor-responding to minimax strategies. In [16] [17], the authors usetwo-player zero-sum stochastic games for assessing securityrisks and optimal defenses for the smart grid. In comparison, ina current work [18], the same authors present a non zero-sumgame-theoretic approach to Smart Grid security by combiningquantitative risk management techniques with decision makingon protective measures. Specifically, as pre-game steps, they 1)provide a more intuitive definition of risk states, 2) study con-crete clustering-based intrusion detection algorithms insteadof hypothetical ones, and 3) provide alternative definitions ofthe players payoffs, one of which is based on the financialrisk measure of conditional value-at-risk (CVaR). Calculatedrisks based on the CVaR measure are then incorporated intoa stochastic security game model as input parameters. Thedecisions on defensive measures are obtained by solving thegame using dynamic programming techniques which take intoaccount resource constraints. Thus, the formulated securitygame provides an analytical framework for choosing the bestresponse strategies against attackers and minimizing potentialrisks. The difference of our work with the above mentionedones is the use of game theory to decide on the right timingbehind executing effective countermeasures, instead of theuse of game theory to design effective countermeasures. Inthis regard, game-theoretic methods have been extensivelyapplied in the risk analysis of general critical cyber-physicalinfrastructures by explicitly accounting for the interactionsbetween providers and attackers [19]. Both the formulationand solution space of such works is quite extensive, includingmultiple-period games [20] that address multiple timescales ofsystem dynamics; incomplete information games [21][22][23]that account for partial knowledge about the system dynamicsand attack models; and multiple-target games [24][25] thataccount for possibly competing objectives. However, unlikeus, none of the above efforts address issues of covert attacks.

D. Research ContributionsIn our work we design STREAM, a novel strategic resource

management fabric for cyber-physical systems, under adver-sarial settings. The main elements of STREAM are (i) difficultbut realistic ‘dynamic adversary-defender game’ settings, and


(ii) a set of provably optimal defender strategies plus effectiveheuristics, against equally potent adversary moves. ThroughSTREAM, we make the following research contributions.

1) As a basic component of STREAM, we model a timinggame played between a single attacker (the adversary)and a defender (e.g., the SCADA center in the SmartGrid) to represent the ‘war’ for resource control over aperiod of time in a cyber-physical system, i.e., in ourwork, the Smart Grid. The design of our timing game isbased on the the concept of dynamic games in sequentialgame theory. The novelty of our proposed game lies inthe fact that unlike traditional game-theoretic (be it staticor dynamic) approaches, where game players assumeimmediate move knowledge after their opponent makesa move (irrespective of when they move), STREAMrelaxes this assumption to capture scenarios where gameplayers might not have immediate move knowledgeabout their opponent. This relaxation is aligned withreality where an adversary would want to launch covertattacks on the Smart Grid that go undetected, also thedefender would want to fix the system without theknowledge of the adversary (See Section II).

2) We study the Nash equilibria and dominant STREAMstrategies (See Section II for definitions.) of our pro-posed (single attacker, single defender) game, and inves-tigate in theory, the following parameters with respectto player move costs: (i) optimal strategy parameters(see Section II for definition) for the attacker and thedefender, and (ii) optimal utilities (see Section II fordefinition) for the attacker and the defender. For energyconstrained environments such as ours, the results pro-vide practical insights for Smart Grid administrators toappropriately sketch out as strategy, the time instantswhen technical countermeasures need to be executed inorder to (i) protect the Smart Grid from being frequentlycompromised by an adversary, and (ii) de-incentivize theadversary from attacking the Grid (See Section III).

3) For reliability and fault tolerant purposes, STREAMgame settings investigate the case of multiple defendersin the Smart Grid fighting an adversary, or a singleclass of multiple synchronous adversaries. The ratio-nale behind modeling multiple defenders is to reflectthe practical scenario where adversaries target multi-ple strategic points in the Grid to ensure the successof availability and integrity attacks. The goal of thedefenders is to prevent the adversaries from havingattack success on a threshold number of strategic points,below which the Grid is uncompromised. In this re-gard, we extend the (single attacker, single defender)model to include multiple defenders and conduct aperformance analysis on the extended model. We showthrough theory that from a defender viewpoint, it isoptimal to execute technical countermeasures, i.e., movestrategies in STREAM, time independently (instead ofsynchronously) amongst different defender units whenan attacker needs to compromise bn2 c + 1 Grid units inorder to compromise the system (See Section IV).

4) We validate the theory behind STREAM’s effectivenessusing extensive simulations conducted on the standardIEEE 14 power grid architecture. As our main simula-tion results, we show that (i) STREAM improves Gridavailability and integrity by up to 67%, under adversarial

settings, compared to existing strategic and non-strategicmethods not in the STREAM set, (ii) STREAM reducesaverage overall energy expenditure via its countermea-sures by atleast around 90%, (iii) increasing the numberof defenders in STREAM game setting reduces theeffectiveness of the attacker in approximately an expo-nential fashion, compared to their decrease in a nearlylinear fashion for non-strategic timing scenarios, and(iv) the attacker effectiveness under STREAM decreasesupto approximately 80%, compared to when defendersadopt non-strategic moves (See Section V).

II. STREAM - GAME SETUP

In this section we first qualitatively describe the structuraloutline of the dynamic game setting in STREAM betweenSmart Grid adversaries and their defenders that is based on thegame concept in [26]. The outline captures a realistic exampleof an attack scenario in the Smart Grid that motivates ourgame formulation. We then follow it up with the mathematicalformulation of the game. The outline is highlighted for a singledefender and attacker. However, the game outline extends tomulti-attacker, multi-defender scenarios, as will be analyzedin Section IV. Table I lists the important symbols used in theformal definition of the game (and in the paper). We will usethe term ‘attacker’ and ‘adversary’ interchangeably throughoutthe rest of the paper. A brief discussion on similarities and dif-ferences of our game approach when compared to traditionallyused models of dynamic games in provided in Section VI.

A. Game Outline

Consider a Smart Grid resource (e.g., MAC layer parame-ters) that can be controlled by either of two players (attackeror defender). As a representative example for this paper, theadversary or attacker could be a spoofer that tries to takeadvantage of the openness of the address fields in a MACframe to masquerade itself as another device to send fakeinformation to other devices. Spoofing attacks can lead toloss of both availability and integrity. In a power substationnetwork, a malicious node can broadcast forged address reso-lution protocol (ARP) packets to shut down connections ofall IEDs to the substation gateway node [27]. One of thefunctions of an IED is to detect an abnormal status, e.g. highcurrent, when it will send close/open messages to switchesto balance the power load (or simply break the circuit forprotection). If a spoofing attacker successfully masqueradesitself as a monitoring IED, it could send false close/openmessages to switches and lead the protection system to amess-up status, resulting in potential loss of power supply forcustomers. A spoof detector running on the microcontrollerof a sensor module can act as a defender in this example.Once the spoof detector is successful in detecting a spoof,it informs the substation network administrator and the lattertakes steps to undo the actions implicated by a correspondingspoof message. When the adversary is successful in its actions,we say that the Smart Grid is compromised.

The Concept behind a Spoof Detector. The use of receivedsignal strength (RSS) to distinguish wireless devices for spoofdetection is a well known tool in wireless networking. RSSis the signal strength of a received frame measured at thereceivers antenna. Many commercial 802.11 chipsets provide


Fig. 1: Illustration of Our Dynamic Game: Attacker (top), Defender (bottom)

per-frame RSS measurements. RSS is correlated to the trans-mission power, the distance between the transmitter and thereceiver, and the radio environment because of multi-path andabsorption effects. Typically, a wireless device, e,g., a sensorin a smart meter, does not often change its transmission power,so a drastic change in RSS measurements of received framesfrom the same MAC address suggests a possible spoofingattack. The farther the attacker is from its victim, the morelikely their RSS patterns differ significantly, and the easierit is to detect (using a spoof detection module programmedin the smart meter sensor) the spoofing attacks. With a densearray of air-monitors (AMs) (off-the-shelf 802.11 devices usedto passively sniff wireless traffic), without cooperation fromaccess points (APs) or client stations, even if an attacker cansomehow manipulate its transmission power to mimic the RSSpattern of the victim to one AM, it is inherently difficult tofool the majority of these AMs, each of which have a differentradio environment.

However, due to energy constraints, the spoofing detectorcan only run at particular time instants. As a result, therecould be intervals of time when the adversary will have controlof a Smart Grid resource before the spoofing detector isback in action again. Our goal in this paper is to minimizethe cumulative duration of such time intervals over time.Ownership of a resource will change back and forth followinga move of either player, with the goal of each player beingto maximize the fraction of time that he or she controls theresource. This change of ownership concept is common instrategic security settings, where both the defender and theattacker fight back repeatedly over time to gain control overthe other (See Figure 11). An attacker move occurs whenthe adversary tries to gain control of a Smart Grid resource,whereas a defender move occurs when the spoof detector isrun to test for a potential spoof attack.

We assume in the realistic case that the players might notknow when its opponent has taken over control of a Smart Gridresource. Nor might they know (i) the current ownership ofthe resource unless they perform a move, and (ii) the numberof times the opponent moves before they take control of theresource (See more on the rationales behind (i) and (ii) inSection III.). Also important is the fact that to move, a playermust pay a move cost; players thus have a disincentive againstmoving too frequently. In our setting, the move costs for the

1We note here that the vertical arrows in the figure denote the time instancewhen either the attacker (top green) or the defender (bottom blue) regainsaccess to resources from their opponent. δ0, δ1 are the intermove periods ofthe defender and attacker respectively, and could be either fixed or stochastic.

defender are expenditures in battery energy units to run thespoof detector in the microcontroller, whereas move costs forthe attacker are its effort costs. Clearly, it is too costly forboth the attacker and the defender to always monitor the gridresource continuously and have control over it.

B. Formal Game Definition

As mentioned previously, we have two players in ourproposed monitoring game: the ‘good’ player identified witha 0 (the defender or the spoof detector), and the ‘bad’player (a malicious entity trying to compromise a Smart Gridresource), identified with a 1. The game begins at time t = 0and continues indefinitely as t approaches infinity. However,there are practical scenarios where the game ends the firsttime the attacker is tracked down. Our model captures thissituation as a special case. In this paper, we treat time as acontinuous variable, though our model is capable enough tohandle discrete versions of time. We propose a time-dependentvariable CP (t) that denotes the current player controlling theresource at time t. CP (t) is either 0 or 1 at any time t. Wesay the game is in ‘good’ state if CP (t) = 0 and in ‘bad’state if CP (t) = 1. We also let CPi(t) = I(CP (t) = i)denote whether the game is in a good state for player i. HereI(·) is an indicator function which takes in a value of 1 if itsargument is true and 0 otherwise. Therefore, CP1(t) = CP (t)and CP0(t) = 1 − CP1(t). We assume that the game beginsin the good state with CP (0) = 0.

A player may make a ‘move’ (execute its control command)at any time but only does so a finite number of times ina given time period. It can only move once at a giventime. The two players can move at the same time with themoves canceling each other and resulting in no change ofstate. We denote the sequence of move times, for moves ofboth players, as an infinite non-decreasing sequence given asfollows: t = t1, t2, ..... Let pk denote the player who madethe k-th move, so that pk ε {0, 1}. We assume that t1 = 0 andp1 = 0. For each player i = 0, 1, we let ti = ti,1, ti,2, .... bethe infinite increasing sequence of times when player i moves.Each element of the sequence can be thought of as a strategyadopted by player i to generate a move at the correspondingtime-stamp. In this paper, we assume that a player can generateits time sequence in advance (without the opponent knowingof it), before the game play starts in either a deterministicor randomized manner. Note that the sequences t0 and t1are disjoint subsequences of t. The game’s state variable,CP (t), denotes the player who has moved most recently (notincluding the current instant t), so that the following holds:CP (t) = pk, tk < t ≤ tk+1, ∀k ≥ 1. When CP (t) = i,player i has moved recently and is in control of the game orhas possession of the resource under consideration. We denotemi(t) to be the number of moves made by player i up to andincluding time t, and let m(t) = m0(t)+m1(t) denote the totalnumber of moves made by both players up to and includingtime t. For t > 0 and i = 0, 1, we let ri(t) =

mi(t)t denote the

average move rate by player i up to time t. We assume that aplayer needs to make a move to know whether its opponent hascontrol of a resource. It does not get any/immediate feedbackfrom the Grid regarding the opponent’s takeover instant, orthe amount of time the latter has control of the system.

A player receives a benefit (utility) equal to the number oftime units for which they are the most recent mover, minus


Symbol MeaningCP (t) current player controlling resource at time tCPi(t) variable denoting whether game is in good state for player i

t infinite sequence of move times for moves of both playersti infinite sequence of move times for player ipk player making the k-th move

mi(t) # of moves by player i up to and including time t(k0, k1) move cost of (defender, attacker)n number of defenders/attack pointskji move cost of player i on j-th attack pointrji move rate of player i on attack point jri(t) average move rate of player i up to time tGi(t) total gain of player i till time tγi(t) average gain rate of player i up to time tNBi(t) net benefit of player i up to time tbi(t) average benefit of player i till time tbi asymptotic benefit rate of player iR class of all renewal strategiesP class of periodic strategies with different random phasesPr periodic strategy with random phase of rate rZj

i time elapsed since player i’s last move on attack point jfZ

ji(fZi) density function of Zj

i

FZ

ji(zj) cumulative distribution function of Zj

i

TABLE I: List of Important Symbols

the cost of making the moves. We denote the cost of a movefor player i by ki. The total gain by player i is denoted as Gias is given by Gi(t) =

∫ t0CPi(t)dt. Thus, G0(t)+G1(t) = t.

We denote the average gain rate for each player as γi(t) =Gi(t)t , where γi(t) is the fraction of time that player i has

control of the Grid resource up to time t. Thus, for all t > 0,γ0(t)+γ1(t) = 1. We let NBi(t) denote player i’s net benefitup to time t. This net benefit is the gain (total possessiontime) minus the cost of player i’s moves so far. We expressNBi(t) as NBi(t) = Gi(t)−kimi(t). The average benefit ofplayer i is denoted as bi(t) and is given as bi(t) =

NBi(t)t =

γi(t)− kiri(t), which equals the fraction of time the resourcehas been owned by player i, minus the cost rate for moving.For any given game, we define player i’s asymptotic benefitrate (or just benefit) as bi = lim inft→∞ bi(t).

A Nash equilibrium [28] for a game G(C0, C1) is a pair ofplayer strategies (S0, S1) ∈ C0 × C1 such that b0(S0, S1) ≥b0(S

′0, S1), ∀S′0 ∈ C0, and b1(S0, S1) ≥ b1(S0, S

′1),∀S′1 ∈

C1. Here Ci is the class of strategies for player i. Intuitively,the Nash equilibrium represents the situation when no playerhas any incentive to deviate from its strategy. A strategy S0

is strongly dominant [28] for player 0 in game G(C0, C1) if:b0(S0, S1) > b0(S

′0, S1), ∀S′0 ∈ C0,∀S1 ∈ C1. A strategy

S0 is weakly dominant [28] for player 0 in game G(C0, C1)if: b0(S0, S1) ≥ b0(S

′0, S1), ∀S′0 ∈ C0, ∀S1 ∈ C1. Similar

definitions of dominant strategies hold for player 1 since ourgame is symmetric [28]. Note that the intersection of dominantstrategies of both players always imply a Nash equilibrium butnot vice-versa.

III. GAME ANALYSIS(SINGLE (ATTACKER, DEFENDER) SCENARIO)

In this section we analyze our proposed single attacker,single defender game. Note again that as a representativeexample, the attacker could be a spoofer trying to manipulatethe MAC parameters (the resource) of a local substationnetwork, and the defender is a spoof detector running on asensor module’s microcontroller. We assume that each player’sinter-move durations are generated by a fixed probabilitydistribution via a stochastic process. For the purpose of this

work, we use a renewal process [29] to model inter-movedurations of players. A renewal process is a generalizationof the Poisson process, except that the holding times take ona more general distribution, instead of a Poisson distribution.Note however that the independence and identical distribution(IID) property of the holding times is retained. In regard to aplayer employing a renewal strategy, the intervals between itsconsecutive moves are independent and identically distributedrandom variables generated by a renewal process. The intervaluntil the next move only depends on the current move time andnot on previous history. The game is graphically depicted inFigure 2 with general distributions f0 and f1 for the defenderand the attacker respectively.

Defender Strategy: In this paper, we assume that the de-fender plays with a memoryless exponential distribution (aspecial type of renewal process characterized by a probabilitydistribution that describes the time between events in a Poissonprocess) with rate λ, i.e., r0 = λ. Let us call this strategy Eλ(In Figure 2, X ′js are exponentially distributed.). The rationalefor a defender adopting an exponential strategy (a STREAMstrategy) is that even if the attacker is able to track the timingof the defender’s moves, he has no advantage over the defenderin predicting his next move (due to the memoryless nature ofthe exponential distribution). In practice, attackers are quiteprompt and smart and do have tools and resources availableto them to track defender moves at times.

Attacker Strategy: We assume in this paper that an adversaryis capable in the best case to observe the last time when thedefender played its move. We make this assumption to reflectreality where an attacker is generally more powerful than thedefender. In light of the results mentioned in [26] regardingoptimal strategies by an attacker (given that he is allowed toplay strategies that are either renewal or periodic), we go bythe fact that it is optimal for the attacker to move at periodicintervals of time, where the starting move time of the attackeris unknown to the defender. However, in the case when thedefender is able to log and track attacker move information, itis optimal for the attacker to also play exponential strategies,i,e., move timings governed by an exponential distribution. Wemodel this optimal exponential attacker strategy in Section IV.

We now study the Nash Equilibrium (NE), and the dominantstrategies for the players in the game. Through Theorems 1-3adapted from results in [26], we derive closed form expres-sions for optimal values of game parameters. Since the threetheorems are closely related together, and given the nature ofthe closed form expressions they entail, we feel it appropriateto provide their implications together after the results obtainedfrom the simulated version of the game implementation. Wehave the following result regarding the dominant strategy ofan attacker when the defender plays exponentially with rate.λ.

Theorem 1. ([26]) The strongly dominant strategy for anattacker when the defender plays with exponentially with rateλ is either Pr for some average play rate r > 0, or no play.The player benefit tuple when the attacker’s strongly dominantstrategy is Pr, is given by

(b0, b1) = (1− 1− e−λδ

λδ− λk0, 1−

1− e−λδ

λδ− k1

δ).

The player benefit tuple when the attacker’s strongly dominant


Fig. 2: Illustration of Game with Stochastic Inter-Move Durations

strategy is ‘no play’ is

(b0, b1) = (1− λk0, 0).

Here, δ is the optimal period of move of the attacker andr = 1

δ . The intersection of the strongly dominant strategies ofthe players is the Nash equilibrium of the game.

The next theorem decides on the optimal value of δ (theattacker’s move period), given a fixed value of λ.

Theorem 2. ([26]) Given that the defender plays with anexponential distribution Eλ with fixed rate λ, the stronglydominant strategy, Pr of the attacker is given by the solutionto the equation:

eλδ(1 + λδ) = 1− λk1,

when λ < 1k1

and δ = 1r . If λ ≥ 1

k1, the strongly dominant

strategy of the attacker is not playing at all.

A rate of λ chosen by the defender induces a period of δfor the attacker that the defender can compute in advance.In a pre-game strategy selection, a defender committed toplay an exponential strategy can determine the rate of playλ that maximizes his benefits assuming that the attacker alsochooses an optimal strategy. The following theorem provides aclose form expression for the λ that maximizes the defender’sbenefit.

Theorem 3. ([26]) When the defender plays exponentially,and the attacker chooses an optimal move period δ as givenby Theorem 2, the optimal λ for the defender is given by

λ =1− (1 + z)e−z

k1,

when k0 ≥ 0.854 · k1, where z is the unique solution to theequation:

k0k1

=ez − 1− z

z3

In the case when k0 < 0.854 · k1, the maximum defender’sbenefit is obtained by playing at rate λ = 1

k1.

Substituting the optimal (λ, δ) values in the player benefitexpressions of Theorem 1, we have

(b0, b1) = (1− 1− e−z

z− k0k1

[1− (1 + z)e−z], e−z),

when k0 ≥ 0.854 · k1, and (b0, b1) = (1− k0k1, 0), otherwise.

IV. GAME ANALYSIS(MULTIPLE (ATTACKER-DEFENDER) SCENARIO

In this section we extend the STREAM game setting inSection II (and its analysis in Section III) to account formultiple defenders protecting a Smart Grid. We provision forthe case when there are multiple strategic points of attackin the Grid, and in order to successfully compromise thelatter, an attacker needs to compromise at least half of thedefenders (a concept in line with the consensus argumentproposed in [30]). A typical example of such a setting occursat the SCADA network level. Features from correlated datasamples from local-area systems are collected to have a globalsnapshot of power signal quality at a particular time instant.The correlation between sampled raw data from differentlocations, in fact increases the difficulty for attackers to falsifypower status information to the SCADA center. Independenttamper of data samples can easily be identified by the data-integrity detector at the SCADA center [4]. Thus, attackersmay cooperate with one another in order to successfullylaunch attacks by compromising a certain threshold of sensors.Once a coordinated attack is successfully launched, it canbypass conventional bad-data detectors and steathily result indevastating impacts on power system operations. We dividethis section in two parts. In the first part, we propose themodeling extensions to the single attacker, single defendermodel. We then follow it up with the game analysis.

A. Modeling ExtensionsWe consider a defender class and an attacker class consisting

of potentially multiple players in each class. We first state theattacker/defender goals and then propose the player strategytypes.

1) Attacker and Defender Goals:: For the purpose ofmodeling simplicity, we will assume here that it is enough forthe attacker class to compromise bn2 c + 1 defenders, where nis the total number of strategic attack points, and is an oddnumber. We also assume knowledge by the attacker class ofwhich bn2 c + 1 attack points are most important to its cause.Similarly, the defender class also realizes that the subset ofbn2 c + 1 points chosen by the attacker class is most importantto its cause. Our assumption on such type of selection subsetsmakes sense in general because the defender class would likelyassociate weights to the importance of various attack pointsunder its control. The case analysis of an attacker class beingallowed to comprise any subset bn2 c + 1 attack points or more,is more general and mathematically involved. We leave theanalysis of this case to future work.

2) Player Strategy Types:: We assume that the defendersplay renewal strategies. As a special case of renewal strategies,they also play exponential or Poisson strategies (a STREAMstrategy). These strategies are of key importance, because theyare the only memoryless continuous probability distributions.The memoryless property means that the conditional proba-bility that we have to wait more than t1 time before the nextmove, given that the time elapsed since the last move is t2,is independent of t2. This implies that if the defender classuses an exponential strategy, an attacker with history of thedefender’s previous moves cannot learn any information re-garding the timing of the defender’s next move. Consequently,the exponential strategy might be a good choice for a defenderfacing an attacker who tries to track the history of defender


Fig. 3: Illustration of a Sample IEEE 14 Power Bus Architecture

moves. In case of the attacker, we assume that in additionalto renewal strategies, he also plays periodic strategies. Thisis because for the single attacker, single defender scenario,periodic strategies by the attacker are shown to be optimal inresponse to renewal strategies by the defender (See SectionIII).

Regarding the nature of timing moves made by the adver-sary class, and the defender class, we assume two differentmethods: (i) both the adversary class and the defenders moveindependently and asynchronously across the attack points(Move Method 1 or MM1 (not to be confused with ‘M/M/1’from the theory of queues), and (ii) both the adversary classand the defenders move synchronously across the attack points,though at different times (Move Method 2 or MM2). For boththe defender as well as the adversary class, it could also bethe case that either class could consist of just one member, asingle attacker and/or a single defender, and is able to launchmoves on multiple attack points simultaneously. In case ofMM1, the asymptotic benefit (or simply the benefit) for eachplayer is given by

bi = bi(−→ri ) = γi −

N∑j=1

kji rji ,

where N =bn2 c + 1, kji is the move cost of player i on thejth attack point, i ε {0, 1}, rji is the move rate of player i onattack point j, and −→ri is the vector of move rates for player ion the N given attack points. Similarly, in the case of MM2,the benefit for each player is given by

bi = bi(ri) = γi − riN∑j=1

kji ,

where ri is the single move rate for all the defenders in asynchronized setting. We note here that by player 0, we implythe defender class instead of a single defender.

B. Analysis (Multiple Defenders)In this section, we analyze the different games that can be

played between an attacker and a defender class. We classifyour results based on the type of strategies played by thedefender class, and the attacker class. We focus on providingmathematical expressions for the benefit of the attacker classand studying how it varies with the number of members inthe defender class. The asymptotic average gain (or just gain)of the defender class, γ0, is simply 1 − γ1 and as a resultthe benefit of this class can be computed from the relation,b0 = γ0−ri

∑Nj=1 k

ji . Thus, we do not provide the expressions

for b0 in our results.We also note that the study of (attacker, defender) benefits

with respect to move costs and move rates has already beenconducted in Section IV. The results in this section are mainlyabout the effect of the number of defenders on adversarybenefits. The results in this section are presented in the formof the following three theorems, the proofs of which are inthe Appendix.

Theorem 4. When both the attacker and the defender classplay strategies in the general class (R ∪ P ), the attackerbenefits for different move method scenarios are given by:

Case 1. Both the attacker and the defender class adopt MM1

b1 =

N∏j=1

∫ ∞0

fZj0(zj)FZj

1(zj)dz

j

− N∑j=1

kji rji .

Case 2. The attacker class adopts MM2 and the defenderclass adopts MM1

b1 =

∫ ∞0

N∏j=1

(1− FZj0(z)dzj)fZ1(z)

− N∑j=1

kji ri.


b1 =

∫ ∞0

fZ0(z)FZ1(z)dz −N∑j=1

kji ri.


b1 =

∫ ∞0

N∏j=1

FZ1(z)fZ0

(z)dz

− N∑j=1

kji rji .

Here, (R ∪ P ) denotes the set of strategies in the unionof the set of periodic and renewal strategies, Zji = Zji (t)(Zi = Zi(t)) is the random variable representing the timeelapsed since player i’s last move on attack point j if iadopts MM1 (adopts MM2). The corresponding density andcumulative distribution functions for these random variablesare fZj

i((fZi)) and FZj

i(zj) (FZi(z)) respectively.

Theorem Implications: We infer from the theorem resultthat MM1, i.e, moving independently is generally better thanMM2, i.e., moving synchronously at once, for the defenderclass, as class move rates are additive. This can be explained inview of the fact that the defender class only needs to control atleast one attack point, and so it is optimal for the class to move(have control of) one attack point at a time. This behaviorfrom the defender side forces the attacker class to move onall N = bn2 c+1 attack points as it does not have information


about which attack points are in control of the defender class.We also infer that the adversary class should adopt MM2 overMM1 because with increasing N , its benefit decreases at afaster rate using MM1 than using MM2 (assuming that themove rate of both players remain the same.). However, beit MM1 or MM2, in order to compromise the Smart Grid,the message spoofer spends significantly more resources withincreasing number defenders. This is good news from thesecurity enhancement viewpoint as spending more resourceswould eventually de-incentivize the malicious adversary fromtargeting the system.

Corollary 1. When both the attacker and the defender classplay strategies in the exponential class, the attacker benefitsfor different move method scenarios are given by:


b1 =

N∏j=1

rj1rj1 + rj0

−N∑j=1

kji rji .


b1 =

∫ ∞0

N∏j=1

(1− e−r

j0

)r0e−r0zdz

− N∑j=1

kji ri.


b1 =r1

r1 + r0−

N∑j=1

kji ri.


b1 =r1

r1 +∑Nj=1 r

j0

−N∑j=1

kji rji .

Corollary Implications: Similar to the implicationsof Theorem 4, we infer that MM2 strongly dominates(outperforms) MM1 for an attacker, and for the same reasonprovided for Theorem 4. However, an attacker loses thefreedom of choosing the move rate for each attack pointindependently. Thus, when the heterogeneity of the attacker’smove costs is very high, it adopting MM1, may outperformits benefit from adopting MM2. On the other hand MM1strongly dominates MM2 for the defender class, even forvery heterogeneous move costs.

Corollary 2. When the attacker class plays strategies in theP class and the defender class plays exponential strategies,the attacker benefits for different move method scenarios aregiven by:


b1 =

N∏j=1

rj1rj1

(1− e

− rj0

rj1

)−

N∑j=1

kji rji .


b1 =r1∑Nj=1 r

j0

(1− e−

∑Nj=1 r

j0

r1

)−

N∑j=1

kji ri.

Case 3. Both the attacker class and the defender class adoptMM2

b1 =r1∑Nj=1 r

j0

(1− e−

∑Nj=1 r

j0

r1

)−

N∑j=1

kji ri.


b1 =r1r0

(1− e−

r0r1

)−

N∑j=1

kji rji .

Corollary Implications: The implications are similar to thatof Theorem 4 and Corollary 1.

V. PERFORMANCE EVALUATION

In this section we evaluate STREAM on the standard IEEE14 power grid architecture. We first describe our simulationsetup, and follow it up with analyzing the simulation results.

A. Simulation SetupIn this section we primarily (i) describe an outline of the

IEEE 14 bus topology, (ii) state our attack setting, and (iii)describe the different types of adversary and defender classstrategies used in our simulations.

1) Grid Topology: Our system topology is based on theIEEE 14 bus system architecture. A sample example of thearchitecture is given in Figure 3. A graph representationof the architecture is directed and connected in nature, i.e.,consists of a set of vertices (buses) and a set of directed edges(connected transmission lines) connecting buses. In this paper,we consider an arbitrarily generated graph of 50 nodes for thepurpose of simulation. We assume the presence of a controlcenter that receives from smart meters, data consisting of businjection and line flow information.

2) Attack Scenario: As a representative example of avail-ability attacks, we model man-in-the-middle hacks in thispaper [31]. We consider the case where an adversary classintercepts network data (e.g., breaker and switch states) andmeter data from remote terminal units, modifies part of them,and forwards the modified version to the control center toeventually result in resource unavailability due to false deci-sion making. The Smart Grid defender class is equipped withtests to detect man-in-the-middle attacks. In the case when theattacker and the defender class contains multiple elements, wearbitrarily choose odd n, the number of attack points in theSmart Grid system, and also pre-state bn2 c+ 1 attack points.

3) Game Duration, Play Strategies, and Move Costs: Ourgame duration is fixed to 100000 time units. In our gamesetting, we assume the both the defender class and the attackerclass has prior knowledge of the strategy type used by eachother. STREAM focusses on the following plethora of strategytypes played by the defender class and the adversary class,viz., random periodic (RP), exponential (EXP), non-randomperiodic (NRP), uniformly random (UR), delayed randomperiodic (DRP), delayed exponential (DEXPR), and myopic(M).

The NRP strategy play is the only non-stochastic strategytype in the above mentioned strategy set. We also take theNRP strategy type as a representative of non-strategic/naiveplay by players of either class - representing the situation that


0 0.5 1 1.5 2 2.5 30

1

2

3

k1/k0

Avg.

Def

ende

r Ben

efit

MDEXPRDRPEXPRPURNRP

0 0.5 1 1.5 2 2.5 30

0.5

1

1.5

2

2.5

k1/k0

Avg.

Def

ende

r Ben

efit

MDEXPRDRPEXPRPURNRP

0 0.5 1 1.5 2 2.5 30

0.5

1

1.5

2

k1/k0

Avg.

Def

ende

r Ben

efit

MDEXPRDRPEXPRPURNRP

0 0.5 1 1.5 2 2.5 30

0.5

1

1.5

2

k1/k0

Avg.

Def

ende

r Ben

efit

MDEXPRDRPEXPRPURNRP

Fig. 4: Average Defender Benefit from Their Stratgies when Attacker (a) Plays RP, (b) Plays EXP, (c) Plays DEXPR, and (d) Plays M

0 0.5 1 1.5 2 2.5 30

0.5

1

1.5

2

k1/k0

’Avg

. Spa

re E

nerg

y ’ R

atio

DEXPR/NRPEXP/NRPM/NRPDRP/NRPRP/NRPUR/NRP

0 0.5 1 1.5 2 2.5 30

0.5

1

1.5

2

k1/k0

’Avg

. Spa

re E

nerg

y’ R

atio


0 0.5 1 1.5 2 2.5 30

0.5

1

1.5

k1/k0

’Avg

. Spa

re E

nerg

y’ R

atio


0 0.5 1 1.5 2 2.5 30

0.5

1

1.5

k1/k0

’Avg

. Spa

re E

nerg

y’ R

atio


Fig. 5: Average Spare Energy from Defender Strategies compared to NRP when Attacker (a) Plays RP, (b) Plays EXP, and (c) Plays DEXPR, and (d) Plays M

the class playing NRP just moves in the system based on apre-calculated periodic frequency without considering that theopponent might track the exact times when they move. Therationale for the inclusion of delayed strategy types is to reflectthe fact that player classes can at times players might ‘wait’to perform some system checks before executing their timingstrategy. Here, delayed periodic and delayed exponential implystrategies where there is a ‘fixed’ delay added to the typicalrandom periodic and exponential timing strategies.

For the purpose of this paper, we also propose a myopicheuristic strategy that is local and focuses only on improvinglong term defender class benefits by incrementally improvingthe benefits between two consecutive moves. The provablyoptimal strategies stated in this paper focus only on the longterm benefits of players, without providing significant insightson optimizing short term moves. The myopic heuristic isapplicable in the case when either the defender class is able toobserve the last move of the adversary class, or the adversaryclass is able to observe the last move of the defender class,but not both. Given that a non-observing player class willplay an exponential renewal strategy in this case to outwitits opponent, the goal of the observing player class throughthe myopic heuristic is to account for the probability density

function of the renewal strategy, and the last move time ofopponent, to find the move timing that maximizes its localbenefit between two consecutive moves. We are yet to provethe theoretical optimality of the myopic heuristic, and planto address it as part of future work. We are also yet to findany heuristic strategies for improving short term player moveswhen both the player classes go covert, let alone prove theiroptimality. In this paper we define the STREAM strategy setfor the defender class to consist only of the M, DEXPR,EXP, DRP, and RP strategies. These strategies (except M)lie in the set (R ∪ P ).

In order to illustrate the efficacy of the STREAM fabric, weassume that the attacker class only plays exponential, delayedexponential, or periodic strategies to outwit the defender class(apart from its myopic strategy). The rationale here followsfrom the theory in the paper, where we figure out exponentialor periodic play by the adversary class being the best againstthe defender class. Thus, in order to conservatively estimatethe availability improvement of STREAM from a defenderperspective, we enforce the attacker class to do its best.

In terms of player move costs, we assume that the ratio ofthe cost a single attacker to a defender to lie between the range[0.5, 2.5]. We take a ratio measure to indirectly represent the


budget constraints of both the attacker side and the defenderside.

4) Sensor Energy Discharge: For the purpose of simuation,we assume that the energy discharge in sensors follow thePeukert’s Law. According to the law, T = C

In , where C is thetheoretical capacity in amp-hours, I is the current in amps,T is the time in hours (in the non-sleep mode), and n is thePeukert number. Typically n lies in the range of 1.1 to 1.3.T denotes how long a sensor battery will really last after fullcharge. In this paper we choose n = 1.2, and assume that eachsensor does not decrease its energy levels in the sleep mode.A sensor goes into the sleep mode when it is not monitoringand detecting security attacks. We also assume that the attackdetection module in the sensors takes one unit of time.

B. Simulation Results

In this section, we state and analyse our plot results. Foreach plot, each point represents the result of the average ofrunning 50 game instances, where each game instance is runfor 100000 time units. For the exponential strategies (bothdelayed and non-delayed), for each game instance we chooseλ uniformly randomly in the range of [.05, 0.2], and a fixeddelay to also lie uniformly randomly in the range [5, 20] timeunits. For the periodic strategies, for each game instance, wefix the period to lie uniformly randomly in the interval [10, 30].The defender and attacker benefits in the plots are measuresof the resource availability of the corresponding players.

1) Single (Attacker-Defender) Scenario: Since we simulatea timing game, we project the defender benefits to be a directmeasure of its potential to prevent availability and integrityattacks in the Smart Grid. From the theory and correspondingsimulation results (Figure 4), we observe that the defenderbenefits through STREAM increase in approximately a piece-wise linear fashion (a nice approximation to the expressionsfor defender benefits stated in Theorem 1) in the ratio ofk1k0

. This trend holds true for all (attacker strategy, defenderstrategy) pairs. Myopic and delayed exponential strategiesby the defender gives it the best average benefit for theoptimal class of strategies played by the adversary. This isevident in light of the fact that the defender gets additionalinformation for these strategies, about the adversary’s lastmove. Following from theory, in situations of no informationabout opponent play, the EXP and (D)RP strategies work bestfor the defender. The Non-Random Periodic (NRP) strategyis clearly non-optimal due to the possibility of the adversarytracking down the move times of the defender. We observethat compared to non-strategic moves, using strategic movesthe adversary can increase the availability and integrity inthe grid by approximately upto 67%. From the energy savingsperspective, we observe from Figure 5 that the defenderadopting STREAM strategies can save up to [100% − 120%]when using exponential and myopic class strategies, comparedto a non-random periodic strategy. The intuition here is thatstrategically optimal moves in general are less in number whencompared to non-strategic moves, and thus sensors save moreenergy.

Practical Implications on Adversary Drop-Out: We inferfrom our proposed theory and simulations. the adversary undera STREAM setting would drop out of the game once the valueof the k1

k0ratio exceeds a threshold (derived from the above

mentioned theorems). From a practical perspective, the latter

fact implies that either (i) the nature of the attack shouldbe such that restoring the network to a stable state requiresfar lesser effort on behalf of the Smart Grid than that of theadversary, or (ii) the defender side should induce the attackerto incur costs high enough to be discouraged to attack theGrid. For example, if attacker move costs are represented bythe effort required to spoof the comunication channel betweentwo buses, at times an attacker is quite likely to spend alot of effort in executing an attack than a spoof detectorthat requires to execute just once to restore the channel. Inaddition, an attacker might need to launch a significant amountof messages to launch a Denial-of-Service (DoS attack usinga bus arbitration mechanism, compared to that required by thedefender to detect it. This could de-incentivize the adversaryfrom staying in the game.

2) Multiple (Attacker-Defender) Scenario: Figures 6 and7, emphthe main observation is that the gain of a maliciousadversary class decreases up to approximately 80% in strategicsettings (i.e., when defender class uses RP, EXP, DEXPR,and M strategies) when compared to non-strategic settings,i.e., defender class playing the NRP strategy, for given k1

k0values. The result obtained is by assuming best play by theadversary class and taking into account the average of thegain from all possible move synchronicity classes, when thenumber of strategic attack points varies between 2 to 8. Alsofollowing from the implications of Theorem 4, we observethrough simulations that MM1, i.e, moving independently isgenerally better than MM2, i.e., moving synchronously atonce, for the defender class, as class move rates are additive.This can be explained in view of the fact that the defenderclass only needs to control at least one attack point, and so itis optimal for the class to move (have control of) one attackpoint at a time. This behavior from the defender side forcesthe attacker class to move on all N = bn2 c+1 attack points asit does not have information about which attack points are incontrol of the defender class. We also infer that the adversaryclass should adopt MM2 over MM1 because with increasingN , its benefit decreases at a faster rate using MM1 than usingMM2 (assuming that the move rate of both players remain thesame. In addition, with the increasing number of defenders, theattacker gain reduces nearly exponentially. Regarding energysavings using strategic moves, we observe from Figure 8 thatthe defender class through STREAM can save up to 90% ofbattery energy compared to making non-strategic moves, evenif the adversary class plays it’s best moves.

VI. DISCUSSION ON OUR GAME APPROACH

In this section, we briefly state some similarities and differ-ences of our game approach when compared to traditionallyused models of dynamic games. We also state related workin terms of using dynamic game model types in securityproblems.

In regard to the type of game theory used by STREAM,models on ‘repeated games’ [32] seem most relevant. How-ever, there are more differences of our game model whencompared to repeated games than similarities. The obvioussimilarity is that like repeated game models, we do need toexercise care in defining appropriate measures of payoff foreach player, whether the game be finitely or infinitely repeatedin nature. Since we do not use history of past moves by boththe defender and adversary classes (assumed to be covert bydesign), the general use of ‘discount rates’ in repeated game


Both MM2 D−MM1, A−MM2 Both MM10

0.2

0.4

0.6

0.8

Defender and Attacker Synchronicity Class

aatta

cker

NRPURRPEXPDRPDEXPRM


0.2

0.4

0.6

0.8

Defender and Attacker Move Synchronicity

aatta

cker

NRPURRPEXPDRPEXPRM


0.2

0.4

0.6

0.8

Defender and Attacker Move Synchronicity Class

aatta

cker

NRPURRPEXPDRPEXPRM


0.1

0.2

0.3

0.4

0.5

Defender and Attacker Move Synchronicity Class

aatta

cker

NRPURRPEXPDRPEXPRM

Fig. 6: Avg. Attacker Class Gain from Strategies Under Various Move Scenarios when Defender Class Plays (a) RP, (b) EXP, and (c) DEXPR, and (d) M

Fig. 7: Avg. Attacker Class Gain Under Various (Move Scenario, AP count) values when Defender Class Plays (a) RP, (b) EXP, and (c) DEXPR, and (d) M

models are not applicable in our work. In the case, when wemodel some ‘player move history’ in our work, the use of suchfactors would be applicable. As far as important differencesare concerned, the game model in STREAM is typicallycontinuous, not discrete. A repeated game has a sequence ofstages, and a “stage game” is played again each stage. Thus,time is normally not continuous for a repeated game. As notherimportant difference, the players in the STREAM game modeldo not know when the other player moves. In a traditionalrepeated game, each player moves within each stage.

When it comes to the use dynamic games in systemsecurity, most works assume games of perfect information,with synchronous play by players [33][34][35], and someassume games of imperfect information with synchronousplay [36][37]. In [38], and several follow-up works relatedto the same, the authors assume Stackelberg (both Bayesianand non-Bayesian) games of perfect move information andnon-simultaneous play. However, unlike the game model inSTREAM, none of the models capture both the concept of

imperfect information and non-simultaneous play.

VII. SUMMARY AND FUTURE WORK

In this paper we addressed the resource management avail-ability problem in the Smart Grid under an adversarial setting,where in the worst case, an adversary can launch covert at-tacks. We named our resource availability management frame-work as STREAM. The STREAM game setting is modeledas an attacker-defender dynamic timing game problem playedbetween potentially multiple attackers and defenders. Theinter-move periods of the game for both the attacker andthe defender class were modeled in the most general casevia renewal processes. We studied the dominant STREAMstrategies and Nash equilibrium (NE) of the dynamic attacker-defender game, and investigated the following parameters atequilibrium and non-equilibrium settings with relevant prac-tical implications: (i) optimal monitoring strategies for theattacker and the defender(s), and (ii) optimal utilities for the


Fig. 8: Avg. Defender Class Spare Energy Under Various Move Scenarios when Attacker Class (2APs) Plays (a) RP, (b) EXP, and (c) DEXPR, and (d) M

attacker and the defender(s). As our main results, we showedthat (i) STREAM strategies improve Grid availability andintegrity by up to 67%, under adversarial settings, comparedto existing strategic and non-strategic methods outside theSTREAM strategy set, (ii) STREAM reduces average overallenergy expenditure via countermeasures by around 90%, (iii)increasing the number of defenders in STREAM game settingreduces the effectiveness of the attacker in approximately anexponential fashion, compared to their decrease in a nearlylinear fashion for non-strategic timing scenarios, and (iv) theattacker effectiveness in STREAM decreases approximately byupto 80% by strategic STREAM moves made by the defender,compared to the latter making non-strategic moves.

As part of future work, we primarily wish to validate theperformance of the STREAM under a real-world Smart Grid.

ACKNOWLEDGEMENT

This material is based upon work supported by the UnitedStates Department of Energy under Award Number number DE-OE0000192, the U.S. National Science Foundation under grant ACI-1339756, and the Los Angeles Department of Water and Power(LADWP). The views and opinions of authors expressed herein donot necessarily state or reflect those of the United States Governmentor any agency thereof, the LADWP, nor any of their employees.

REFERENCES

[1] W. Wang and Z. Lu, “Cyber-security in the smart grid: Survey and challenges,”Computer Networks, vol. 57, 2013.

[2] I. Standard, IEC 61850: Communication Networks and Systems in Substations.IEC.

[3] O. Kosut, L. Jia, R. J. Thomas, and L. Tong, “Malicious data attacks on smart gridstate estimation: Attack strategies and countermeasures,” in IEEE SmartGridComm,2010.

[4] Y. Liu, P. Ning, and M. Reiter, “False data injection attacks against state estimationin electric power grids,” in ACM CCS, 2009.

[5] J. D. L. Ree, V. Centeno, J. S. Thorp, and A. G. Phadke, “Synchronized phasormeasurement applications in power systems,” IEEE Transactions on Smart Grid,2010.

[6] M. Li, I. Koutsopoulous, and R. Poovendran, “Optimal jamming attacks andnetwork defense policies in wireless sensor networks,” in IEEE INFOCOM, 2007.

[7] H. Li and Z. Han, “Manipulating the electricity power market via jamming theprice signaling in smart grid,” in IEEE GLOBECOM, 2011.

[8] B. Akyol, H. Kirkham, S. Clements, and M. Hardley, A Survey of WirelessCommunications for the Electric Power System. Pacific Northwest NationalLaboratory, 2010.

[9] T. S. G. I. Panel, Guidelines for Smart Grid Security. NISTIR, 2010.[10] J. Liu, Y. Xiao, S. Li, W. Liang, and C. L. P. Chen, “Cyber security and privacy

issues in smart grids,” IEEE Communications Surveys, vol. 14, 2012.[11] Q. Yang, J. Yang, W. Yu, D. An, N. Zhang, and W. Zhao, “On false data-injection

attacks against power system state estimation: Modeling and countermeasures,”IEEE Transactions on Parallel and Distributed Systems, vol. 25, 2014.

[12] T. Liu, Y. Sun, Y. Liu, Y. Gui, Y. Zhao, D. Wang, and C. Shen, “Abnormal traffic-indexed state estimation: A cyber-physical fusion approach for smart grid attackdetection,” Elsevier Future Generation Computer Systems, 2014.

[13] Y. Huang, M. Esmalifalak, R. Zheng, Z. Han, H. Li, and L. Song, “Bad datainjection in smart grid: Attack and defense mechanisms,” IEEE CommunicationsMagazine, vol. 51, 2013.

[14] T. T. Kim and H. V. Poor, “Strategic protection against data injection attacks onpower grids,” IEEE Transactions on Smart Grid, vol. 2, 2011.

[15] P.-Y. Chen, S.-M. Cheng, and K.-C. Chen, “Smart attacks in smart grid communi-cation networks,” IEEE Communication Magazine, vol. 50, no. 8, 2012.

[16] Y. W. Law, T. Alpcan, M. Palaniswami, and S. Dey, “Security games and riskminimization for automatic generation control in smart grid,” in GameSec, 2012.

[17] Y. W. Law, T. Alpcan, and M. Palaniswami, “Security games for voltage controlin smart grid,” in Allerton Annual Conference on Communication, Control, andComputing, 2012.

[18] Y. W. Law, T. Alpcan, and M. Palanaswami, “Security games for risk minimizationin automatic generation control,” IEEE Transactions on Power Systems, vol. 30,2015.

[19] V. M. Bier and M. N. Azaiez, “Game theoretic risk analysis of security threats,”Springer Science and Business Media, no. 128, 2008.

[20] V. R. R. Jose and J. Zhuang, “Technology, adoption, accumulation, and competitionin multi-period attacker-defender games,” Military Operations Research, vol. 18,no. 2, 2013.

[21] F. He and J. Zhuang, “Modelling contracts between a terrorist group and agovernment in a sequential game,” Journal of the Operational Research Society,vol. 63, no. 6, 2012.

[22] E. Jenelius, J. Westin, and A. J. Holmgren, “Critical infrastructure protection underimperfect attacker perception,” International Journal of Critical InfrastructureProtection, vol. 3, no. 1, 2010.

[23] M. Nikoofal and J. Zhuang, “Robust allocation of a defensive budget consideringan attacker’s private information,” Risk Analysis, vol. 32, no. 5, 2012.

[24] X. Shan and J. Zhuang, “Hybrid defensive resource allocations in the face ofpartially strategic attackers in a sequential defender-attacker game,” EuropeanJournal of Operational Research, vol. 228, no. 1, 2013.

[25] X. Shan and J. Zhuang, “Cost of equity in homeland security resource allocationsin the face of partially strategic attackers,” Risk Analysis, vol. 33, no. 6, 2013.

[26] M. Dijk, A. Juels, A. Oprea, and R. L. Rivest, “Flipit: The game of ”stealthytakeover”.” Cryptology ePrint Archive, Report 2012/103, 2012.

[27] U. Premaratne, J. Samarabandu, T. Sidhu, R. Beresh, and J.-C. Tan, “An intrusiondetection system for iec61850 automated substations,” IEEE Transactions on PowerDelivery, vol. 25, 2010.

[28] D.Fudenberg and J.Tirole, Game Theory. MIT Press, 1991.[29] R. Gallager, Discrete Stochastic Processes. Springer, 1996.[30] S. Jain, A. Kumar, S. Mandal, J. Ong, L. Poutievski, A. Singh, S. Venkata,

J. Wanderer, J. Zhou, M. Zhu, J. Zolla, U. Holzle, S. Stuart, and A. Vahdat, “B4:Experience with a globally deployed software defined wan,” in ACM SIGCOMM,2013.

[31] J. Kim and L. Tong, “On topology attack of a smart grid: Undetectable attacks and


countermeasures,” IEEE JSAC, vol. 31, 2013.[32] G. J. Mailath and L. Samuelson, Repeated Games and Reputations: Long-Run

Relationships. Oxford University Press, 2006.[33] J. Katz, “Bridging game theory and cryptography,” in TCC, 2011.[34] S. N. Hamilton, W. L. Miller, A. Ott, and O. S. Saydjari, “Challenges in applying

game theory to the domain of information warfare,” in Information SurvivabilityWorkshop, 2002.

[35] S. Roy, C. Ellis, S. Shiva, D. Dasgupta, V. Shandilya, and Q. Wu, “A survey ofgame theory as applied to network security,” in HICSS, 2010.

[36] T. Moore, A. Friedman, and A. Procaccia, “Would a cyber-warrior protect us?exploring tradeoffs between attack and defense of information systems,” in NewSecurity Paradigms Workshop, 2010.

[37] K. C. Nguyen, T. Alpcan, and T. Basar, “Security games with incomplete infor-mation,” in IEEE ICC, 2009.

[38] J. Pita, M. Jain, J. Marecki, F. Ordonez, C. Portway, M. Tambe, C. Western,P. Paruchuri, and S. Kraus, “Deployed armor protection: The application of a gametheoretic model for security at the los angeles international airport,” in AAMAS,2008.

APPENDIX

In this section, we prove Theorem 4, and the corollaries thatfollow from it.

Proof of Theorem 4. When both players use strategies fromthe class R ∪ P , we have for Case 1:

γ1 = Pr{CP1(t)} = Pr{Z10 > Z1

1} ∩ ... ∩ Pr{ZN0 > ZN1 },

or

γ1 =

∫ ∞0

fZ10(z1)FZ1

1(z1)dz1...

∫ ∞0

fZN0(z1)FZN

1(z1)dzN .

Thus,

b1 =

N∏j=1

∫ ∞0

fZj0(zj)FZj

1(zj)dz

j

− N∑j=1

kj1rj1.

For Case 2 we have

γ1 =

∫ ∞0

Pr{z < Z10}....P r{z < ZN0 }fZ1

(z)dz,

or

γ1 =

∫ ∞0

N∏j=1

Pr{z < Zj0}fZ1(z)dz.

Thus,

b1 =

∫ ∞0

N∏j=1

(1− FZj0(z)dzj)fZ1

(z)

− N∑j=1

kj1r1.

For Case 3, it directly follows from results in [26] that

b1 =

∫ ∞0

fZ0(z)FZ1

(z)dz −N∑j=1

kj1r1.

Finally, for Case 4 we have

γ1 =

∫ ∞0

Pr{z > Z11}....P r{z > ZN1 }fZ0

(z)dz,

or

γ1 =

∫ ∞0

N∏j=1

Pr{z < Zj1}fZ0(z)dz.

Thus,

b1 =

∫ ∞0

N∏j=1

FZ1(z)fZ0

(z)dz

− N∑j=1

kj1rj1.

We have now proved Theorem 4. �Proof of Corollary 1. When both players use exponentialstrategies, we have for Case 1:

γ1 = Pr{CP1(t)} = Pr{Z10 > Z1

1} ∩ ... ∩ Pr{ZN0 > ZN1 },

or

γ1 =

N∏j=1

∫ ∞0

rj0e−rj0z

j

(1− e−rj1z

j

)dzj ,

or

γ1 =

N∏j=1

(rj0

∫ ∞0

e−rj0zdz − rj0

∫ ∞0

(e−(rj0+r

j1)z)dz

),

Thus,

b1 =

N∏j=1

rj1rj1 + rj0

−N∑j=1

kji rji .

For Case 2 we have

γ1 =

∫ ∞0

Pr{Z10 > Z1

1} ∩ ... ∩ Pr{ZN0 > ZN1 }fZ0(z)dz,

or

γ1 =

∫ ∞0

N∏j=1

FZj1(z)fZ0(z)dz.

Thus,

b1 =

∫ ∞0

N∏j=1

(1− FZj0(z)dzj)fZ1

(z)

− N∑j=1

kj1r1.

For Case 3 we have

γ1 =

∫ ∞0

r0e−rj0z(1− e−r1z)dz,

or

γ1 =

(r0

∫ ∞0

e−r0zdz − r0∫ ∞0

(e−(r0+r1)z)dz

).

Thus,

b1 =r1

r1 + r0−

N∑j=1

kj1r1.

Finally, for Case 4 we have

γ1 =

∫ ∞0

∞∏j=1

(1− (1− e−r

j0z))r1e−r1zdz,

or

γ1 =

∫ ∞0

∞∏j=1

(e−r

j0z))r1e−r1zdz.

Thus,

b1 =r1

r1 +∑Nj=1 r

j0

−N∑j=1

kj1rj1.

We have now proved Corollary 1. �Proof of Corollary 2. When the defenders play exponentialstrategies, and the attacker plays a periodic strategy, we havefor Case 1:

γ1 =

∫ ∞0

..

∫ ∞0

Pr[z1 < Z10∩...N < ZN0 ]fZ1

(z1, .., zN )dz1..dzN .


or

γ1 =

∫ ∞0

...

∫ ∞0

N∏r=1

Pr[zr < Zr0 ]

N∏r=1

fZr1(zr)dz1...dzN .

or

γ1 =

∫ 1

r11

0

...

∫ 1

rN1

0

N∏j=1

e−rj0zr

N∏j=1

rj1dz1...dzN .

γ1 =

∫ 1

r11

0

...

∫ 1

rN−11

0

rN1rN0

(1− e

rN1rN0

)N∏j=1

e−rj0zr

N∏j=1

rj1dz1...dzN .

or

γ =

N∏r=1

1

rN−11

rN1rN0

(1− e

rN1rN0

).

or

b1 =

N∏r=1

1

rN−11

rN1rN0

(1− e

rN1rN0

)−

N∑j=1

kj1rj1.

For Case 2 we have

γ1 =

∫ ∞0

Pr[z < Z11 ∪ ... ∪ z > ZN1 ]fZ0(z)dz.

or

γ1 =

N∏j=1

rj1

∫ minj1

r11

0

zNfZ0(z)dz.

or

γ1 =

N∏j=1

rj1

∫ minj

0

zNr0e−r0dz.

or

b1 =

N∏j=1

rj1

∫ minj

0

zNr0e−r0dz −

N∑j=1

kj1r1.

For Case 3, we have

γ1 = 1−∫ ∞0

FZ0(z)fZ1

(z)dz.

or

γ1 = 1−∫ 1

r1

0

FZ0(z)

1

r1dz =

r1r0

(1− e−

r0r1

).

Thus,

b1 =r1r0

(1− e−

r0r1

)−

N∑j=1

kj1r1.

Finally for Case 4, we have

γ1 =

∫ ∞0

Pr[z < Z10 ∪ ... ∪ z < ZN0 ]fZ1

(z)dz.

or

γ1 =

∫ 1r1

0

N∏j=1

(1−FZ0j(z))r1dz =

r1∑Nj=1 r

j0

(1− e−

∑Nj=1 r

j0

r1

).

or

b1 =r1∑Nj=1 r

j0

(1− e−

∑Nj=1 r

j0

r1

)−

N∑j=1

kj1rj1.

We have now proved Corollary 2. �

Ranjan Pal is a Research Scientist at the Universityof Southern California (USC), affiliated with boththe Electrical Engineering and Computer Science de-partments, where he co-leads the Quantitative Evalu-ation and Design Group (QED). He received his PhDin Computer Science from USC in 2014, and was therecipient of the Provost Fellowship throughout hisPhD studies. During his PhD, Ranjan held visitingscholar positions at the School of Engineering andApplied Science, Princeton University, USA, andDeutsch Telekom Research Laboratories (T-Labs),

Berlin, Germany. His primary research interests lie in the performance model-ing, analysis, and design of cyber-security, privacy, communication networks,and the Smart Grid, using tools from economics, game theory, appliedprobability, algorithms, information theory, and mathematical optimization.His research on cyber-insurance has generated press interests from USC News,and MIT Technology Review. Ranjan has also consulted on cyber-insurancefor Accel Partners. Ranjan is a member of the IEEE and the ACM.

Viktor Prasanna is Charles Lee Powell Chairin Engineering in the Ming Hsieh Department ofElectrical Engineering and Professor of ComputerScience at the University of Southern California.His research interests include High PerformanceComputing, Parallel and Distributed Systems, Re-configurable Computing, and Embedded Systems.He received his BS in Elec tronics Engineering fromthe Bangalore University, MS from the School ofAutomation, Indian Institute of Science and Ph.Din Computer Science from the Pennsylvania State

University. He is the Executive Director of the USC-Infosys Center forAdvanced Software Technologies (CAST) and is an Associate Director of theUSC-Chevron Center of Excellence for Research and Academic Training onInteractive Smart Oilfield Technologies (Cisoft). He also serves as the Directorof the Center for Energy Informatics at USC. He served as the Editor-in-Chiefof the IEEE Transactions on Computers during 2003-06. Currently, he is theEditor-in-Chief of the Journal of Parallel and Distributed Computing. He wasthe founding Chair of the IEEE Computer Society Technical Committee onParallel Processing. He is the Steering Co- Chair of the IEEE InternationalParallel and Distributed Processing Symposium (IPDPS) and is the SteeringChair of the IEEE International Conference on High Performance Computing(HiPC). Prasanna is a Fellow of the IEEE, the ACM and the AmericanAssociation for Advancement of Science (AAAS). He is a recipient of the2009 Outstanding Engineering Alumnus Award from the Pennsylvania StateUniversity. Prasanna is also the recipient of the IEEE Computer Society’s 2015Wallace McDowell Award for his contributions to reconfigurable computing.

Documents

ACCEPTED TO APPEAR IN IEEE TRANSACTIONS ON … TO APPEAR IN IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS 1 ... power generation and dis- ... stealthy