1

Efficient and Secure Wireless Communications forAdvanced Metering Infrastructure in Smart Grids

Husheng Li, Shuping Gong, Lifeng Lai, Zhu Han, Robert C. Qiu and Depeng Yang

Abstract—An experiment is carried out to measure the powerconsumption of households. The analysis on the real measurementdata shows that the significant change of power consumptionarrives in a Poisson manner. Based on this experiment, a novelwireless communication scheme is proposed for the advancedmetering infrastructure (AMI) in smart grid that can significantlyimprove the spectrum efficiency. The main idea is to transmit onlywhen a significant power consumption change occurs. On theother hand, the policy of transmitting only when change occursmay bring a security issue; i.e., an eavesdropper can monitorthe daily life of the house owner, particularly the informationof whether the owner is at home. Hence, a defense scheme isproposed to combat this vulnerability by adding artificial spoofingpackets. It is shown by numerical results that the defense schemecan effectively prevent the security challenge.

I. INTRODUCTION

Advanced metering infrastructure (AMI) [3] is a key taskin smart grid [6] [4]. In such a system, each power useris equipped with a smart meter with the capability of two-way communications, which can monitor the power activities,report the power consumption and receive power price. Thepower consumption report can be used to achieve the balanceof power demand and supply by setting the correct power price[8] [9] [12] [14] [17].

Due to the importance of AMI, more and more studies arepaid to the mechanism of communications for AMI. Amongmany communication technologies, wireless communicationis a promising one due to its inexpensive devices and fastdeployment. Various schemes have been proposed for theAMI communications, such as Worldwide Interoperability forMicrowave Access (WiMAX) [2], 4G Long Term Evolution(LTE) [16], IEEE 802.11 [18] or even compressive sensingbased multiple access [10]. However, most existing studies aremore focused on the basic designs of communication such aslink budget or signal processing algorithms, but did not takethe fundamental characteristics of AMI data into account.

In the viewpoint of the authors, the major challenges ofwireless communications in smart grid include:

H. Li, S. Gong and D. Yang are with the Department of ElectricalEngineering and Computer Science, the University of Tennessee, Knoxville,TN 37996 (email: husheng@eecs.utk.edu). Z. Han is with the Departmentof Electrical and Computer Engineering, University of Houston, Houston,TX 77004 (email: zhan2@mail.uh.edu). L. Lai is with the Departmentof Systems Engineering, University of Arkansas, Little Rock, AR, 72204(email: lxlai@ualr.edu). R. C. Qiu is with the Department of Electricaland Computer Engineering, Tennessee Technological University, Cookeville,TN 38505 (email: rqiu@tntech.edu). This work was supported by the Na-tional Science Foundation under grants CNS-0910461, CNS-0905556, CNS-0953377, ECCS-1028782, CCF-0830451, ECCS-0901425, CNS-1116826,CCF-1054338, DMS-11-18822 and CNS-11-16534.

Fig. 1: Measurement using AEMC CL601 clamp.

• Efficiency: Since frequency spectrum is a very expensiveresource, it is desirable to utilize the spectrum efficiently.This requires a thorough study on the information source,i.e., the power consumption data, in order to avoidunnecessary redundancy in the transmissions.

• Security: The power consumption report in AMI maycarry much private information of the power users [11].Even if the packets are protected by encryptions, the datatransmission pattern may still disclose some importantinformation, if the data transmission times are dependenton the power consumption activities.

To address the above two challenges, in this paper wecarry out a measurement experiment for household powerconsumption using a power clamp, as shown in Fig. 1. Usingthe collected power consumption data, we have found thatthe power consumption stays constant for the majority of thetime and the change of power consumption arrives in anapproximately Poisson manner. Hence, we propose to let smartmeters transmit only when there is a significant change in thepower consumption, which is coined the policy of Changeand Transmit (CAT), thus significantly saving the spectrumrequirement. We will also analyze the performance of variousmultiple access schemes using the policy of CAT. However,the policy of CAT incurs a vulnerability to the AMI system,i.e., an eavesdropper can easily obtain the power consumptioninformation by monitoring the radio activity of smart meter.Particularly, an eavesdropper can detect whether the householdowner is at home or not, which is called Presence PrivacyAttack (PPA). Hence, in this paper, we propose a schemeof spoofing the eavesdropper by sending artificial dummypackets, which is coined Artificial Spoofing Packet (ASP).Using the real measurement data, we will demonstrate theeffectiveness of the ASP scheme. In summary, in this paper we

2

address both the efficiency and security issues of wireless AMIby proposing both CAT and ASP schemes, which can providesignificant insights to guide the detailed design of wirelesscommunications for AMI.

Note that there have been many studies on the powerconsumption of users, which is of key importance for thepricing in power market. However, in traditional studies, mostof them are focused on the modeling of long-term powerconsumptions, e.g., the hourly or daily or weekly consumption.An excellent survey can be found in [19]. In recent years, dueto the demand of study on smart meters, there have been somestudies on short-term power consumptions [13] [15]. However,to the authors’ best knowledge, there have not been any studiesusing the same modeling as that in this paper. It should alsobe noted that the conclusions obtained in this paper is valid toonly the measurements obtained by the authors. We will usemore measurements from more power consumers to verify theconclusions in our future study.

The remainder of this paper is organized as follows. InSection II, we describe the measurement experiment of powerconsumption and model the changes in power consumption.In Sections III and IV, we discuss the efficient and securemultiple access schemes, namely the CAT and ASP schemes.The conclusions are drawn in Section V.

II. MEASUREMENT AND MODELING

In this section, we introduce the measurement that we havecarried out and the corresponding modeling for the data ofpower consumption.

A. Measurement

We have carried out a measurement experiment to obtain thereal power consumption data. An AEMC CL601 clamp is usedto measure the current flowing through the main cable of thehouse/office, as shown in Fig. 1. Since the voltage is 110V, thepower consumption is proportional to the current (we assumethat the power factor1 is approximately constant). The powerclamp can sample the current every 500ms2 and record thecorresponding value in the memory. When the measurementis completed, the data can be downloaded to a computer usinga USB cable. The quantization step of the current is 0.1Arms.The measurement lasts for 33 days. The 24 hour measurementfor the first author’s house on Oct. 22, 2010 is shown in Fig.2. An interval of 25 minutes is shown in Fig. 3.

From the measurement, we observe the following featuresof the power consumption data:

• For most of the time, the power consumption keepsconstant. Changes could occur randomly (e.g., the electricoven is turned on). From the viewpoint of communi-cations, only the change implies information. There isno need for the smart meter to send messages when thepower consumption does not change.

1Power factor means the ratio between the average real power and apparentpower and equals the cosine of the phase difference between voltage andcurrent. It measures the capability of the load converting the electricity intoreal power.

2This sampling time period is such smaller than necessary for smart meters;however, it can be used to analyze the activities of household appliances.

Fig. 2: Measurement report for 24 hours on Oct. 22, 2010.

0 500 1000 1500 2000 2500 30000

2

4

6

8

10

12

14

16

18

20

time index

curr

ent v

alue

Fig. 3: Measurement spanning 25 minutes.

• There are also some periodic power consumptionchanges, as shown in Fig. 2, which is due to the on andoff of refrigerator. However, the change is sporadic (onceper more than 10 minutes), which does not cause muchimpact on the communications.

• The probability of power consumption change changes indifferent time intervals. Here we define a change as theevent that the difference of two successive measurementsis more than a threshold γ (Arms). For the measurementin Fig. 2, we have obtained the probability of change indifferent hours, which is shown in Fig. 4 for differentγ’s. Note that the probability of change is defined as theprobability that the difference of the current between thecurrent and the next time slots is larger than γ, which isobtained from the statistics in the measurements. We ob-serve that the change probability achieves the maximumduring the dinner time, which is due to the use of electricoven. This implies that, if the smart meter sends dataonly when the power consumption experiences a signifi-cant change, the communication requirement changes indifferent periods of the day. Hence, a dynamic spectrumallocation may improve the efficiency of spectrum (e.g.,in the midnight, the spectrum allocated to the smart meternetwork can be reduced)3.

Note that the above observation is dependent on the mea-

3This observation may motivate the application of dynamics spectrumaccess for AMI. However, this is out of the scope of this paper.

3

0 5 10 15 20 250

0.005

0.01

0.015

0.02

0.025

0.03

0.035

0.04

0.045

time (hour)

chan

ge p

roba

bilit

y

γ=0.2γ=0.5

Fig. 4: The probability of change in different hours.

surement data and the setup of the threshold γ. For measure-ment in other locations such as office, the power activity maynot have the pattern of households power consumption. Whenwe choose much higher threshold γ or choose much longertime scales such as minutes (in this paper the time scale is sub-seconds), the distribution of the power consumption changesmay be significantly changed. In our future study, we willobtain more measurements from more households or fromother types of power users such as offices, thus obtaining moregeneral characteristics of power consumption process.

B. Modeling

From the view point of communications, the power con-sumption dynamics data is the source of information. Tocompress the information source, or equivalently achieving anefficient source coding, we need to study the characteristics ofthe power consumption dynamics. For a general informationsource, we should model it as a random process and thenmeasure the entropy rate, which indicates how many bitsare needed to encode the information source. However, theoptimal source coding could be very complicated, particularlywhen the information source is not Markovian. Hence, inthis paper, we adopt the following policy: the smart metertransmits the report only when there is a significant powerconsumption change, while the source coding is independentamong different time slots (i.e., we do not consider the timecorrelation in the information source), which is called the CATpolicy.

Due to the CAT policy, we focus on the modeling ofthe arrivals of significant power consumption changes. Inmany arrival random processes, such as customer arrivals to ashop or packet arrivals at an Internet router, the process canbe modeled by a Poisson process, which has many elegantmathematical properties, i.e., the number of arrivals within aunit time satisfies the following distribution:

Pn = e−λ0λn0

n!, n = 0, 1, 2, ..., (1)

where λ0 is the average number of arrivals within a unit time.Then, can the arrival process of power consumption changes

0 2 4 6 8 100

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

number of changes

CD

F

Poisson: day 1empirical: day 1Poisson: day 2empirical: day 2

Fig. 5: Comparison of CDF of the change probability.

be modeled as a Poisson process? Fortunately, the answer isyes!

1) Comparison of CDF Curves: To verify the Poissonprocess modeling, we first plot the cumulative distributionfunction (CDF) curves of the empirical distribution and thePoisson distribution with an estimated average arrival numberin Fig. 5. Note that the CDF curves are obtained from the timeinterval 6pm–8pm on two successive days and the time unit isfixed as 100 seconds. We observe that the CDFs match verywell and the CDFs on different days are also very close to eachother, which implies that the distribution may be predictedfrom the history (not necessarily a good prediction).

2) Kolmogorov-Smirnov Test: To be more rigorous, we usedthe Kolmogorov-Smirnov test (K-S test) for the hypothesis thatthe power consumption change satisfies the Poisson distribu-tion (more details are provided in Appendix A). The metricof the K-S test is defined as

M(F, F̂ ) = maxx

∣∣∣F (x)− F̂ (x)∣∣∣ , (2)

where F and F̂ are the CDFs to be tested and the empiricaldistribution obtained from data, respectively. Note that we usedmax instead of sup in the definition since the distributionis discrete. We used the measurement of the first author’shome for three days. Since the distribution could change withtime, as shown in Fig. 4, we estimate different λ0 for everytwo hours in each day, by assuming that the point process isstationary. We used γ = 0.2Arms for detecting the change ofpower consumption. The metrics in the K-S test are shown fordifferent time periods (each spans two hours) in Fig. 6. Weobserve that the difference between the two CDFs is small,which implies that the point process of power consumptionchange can be well approximated by a Poisson distribution.

3) Time-varying Parameters: We also plotted the estimatedλ0 for different time periods and different days in Fig. 7. Weobserve that, in all three days, the expected arrival rate (per100s) has a peak during the dinner time, which coincides theobservation in Fig. 4. Hence, the approximation of Poissonprocess is valid only within a short period of time. We alsonotice that there are some fluctuations in the parameter λ0 forthe same time period and different days. For example, λ0 is

4

0 2 4 6 8 10 12 14 16 18 20 220

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0.08

Time (hour)

Err

or in

K−

S te

st

day 1day 2day 3

Fig. 6: The metric of Kolmogorov-Smirnov test for differenttime periods in three days.

0 5 10 15 200

1

2

3

4

5

6

time (hour)

λ

day 1day 2day 3

Fig. 7: λ0 in different time periods and different days.

very large at midnight for day 1, which is due to a ‘midnightmeal’ of the first author.

III. EFFICIENT MULTIPLE ACCESS SCHEME

In this section, we analyze the efficiency of differentschemes of multiple access for the wireless smart metering.We first compare the different schemes. Then, analyticalresults are shown for the performance. Finally we providethe numerical results. Note that the performance is based onthe mathematical model for the power consumption changesproposed in Section III.

A. Comparison of Different Schemes

We consider two types of multiple access schemes for thewireless smart metering:

• Dedicated channel based: In this case, each smart meteris assigned a dedicated channel, either in time or infrequency. The scheme could be either time division mul-tiple access (TDMA) or orthogonal frequency divisionmultiple access (OFDMA). In TDMA case, each smartmeter is allocated a time slot. In OFDMA case, thededicated channel could be one or more sub-carriers.

TABLE I: Comparison between Different Multiple AccessSchemes

Dedicated Channel The dedicated channel can avoid possible colli-sions. However, in TDMA, when the smart meterdetects a change, it has to wait until its own timeslot, thus incurring a time delay. If a new change isdetected during the waiting time, the old messageneeds to be discarded, thus incurring a packet loss.In OFDMA, although the smart meter can begin totransmit immediately, the time needed to transmita message is longer than that of TDMA since thebandwidth is distributed to all the users.

Contention Based When contention is introduced, there could becollisions, thus incurring random backoff and pos-sibly long delay. If new changes are detectedduring the backoff, the packet will be discarded.Hence, a congestion may seriously degrade theperformance. However, if there is no collision,the message can be sent out immediately and bedelivered quickly.

• Contention based: In this case, there is no dedicatedchannel for each smart meter. When a smart meter findsa change in the power consumption and needs to transmita packet for reporting the change, it senses the channelfor transmission and then transmits if the channel is idle(CSMA), or directly goes ahead to transmit (time slottedAloha). If collision occurs, it chooses a random backofffor retransmission.

The comparison between the two types of multiple accessschemes in the context of smart meter communication issummarized in Table I.

B. Performance AnalysisWe use the metrics of delay and packet loss rate to measure

the performance in a K smart meter network. We considerTDMA and OFDMA for the dedicated channel case andconsider binary exponential backoff slotted Aloha for thecontention based scheme. Note that the delay and packet lossare caused by the following reasons:

• Delay: For TDMA, a delay is incurred when the assignedtime slot has not arrived. For OFDMA, the packet can betransmitted immediately; however, it takes more time toaccomplish the transmission than the TDMA case, sincethe bandwidth allocated to each smart meter becomessmaller. For the random access case, the delay is causedby collisions.

• Packet loss: In practice, a packet could be lost dueto bad channel quality. For simplicity, we assume thatthe channel quality is always good enough such thatwe do not consider the packet loss caused by a badchannel. We assume that, if an old packet has not beentransmitted successfully, it has to be discarded when anew packet arrives. This is reasonable since the systemalways demands the newest information about powerconsumption. In practical systems, it is also possible touse a buffer to store untransmitted packets if the out-of-date information is also needed (e.g., for analyzing thepower consumption patterns). The corresponding analysiswill be much more complicated and will be studied in thefuture.

Although the analysis is simple and does not include manypractical factors such as fading and thermal noise, it can

5

provide a preliminary estimation on the delay and packet lossrate of various multiple access schemes.

1) Assumptions: Throughout the performance analysis, weuse the following assumptions in order to simplify the analysis:

• We assume that all smart meters are perfectly synchro-nized both in time and frequency.

• We assume that the time is slotted, and denote by τ thetime duration of each time slot. We assume that, in bothTDMA and time slotted Aloha schemes, a message can betransmitted within one time slot. For OFDMA, we assumethat the bandwidth is uniformly allocated to differentsmart meters; therefore, the time needed to transmit amessage is Kτ , i.e., K time slots.

• We ignore the transmission failures due to noise or fading.Transmission failure occurs only when two or more smartmeters transmit simultaneously in the Aloha case.

• Each message contains the new value of the powerconsumption. We do not consider the compression of themessage itself although it is possible to incorporate thetime redundancy into the source coding.

2) TDMA: Since the smart meter needs to wait until itsown time slot for transmitting and the change could occur atany time slot, the expected delay is Kτ

2 . It is easy to verifythat the packet loss rate is given by

PTDMA(packet loss)= 1− P (no new packet arrives before the assigned time slot)

= 1−K∑

k=1

P (there are still k time slots before the assigned one)

× P (no new packet during k time slots)

= 1− 1

K

K∑k=1

e−λ0kτ , (3)

where we utilized the fact that the probability that there arestill k time slots before the assigned time slot is 1

K , for anarbitrary time slot.

3) OFDMA: Obviously, the delay is fixed and equals Kτfor the OFDMA case. It is easy to verify that the packet lossrate is given by

POFDMA(packet loss)= P (there is a new packet during the K time slots)= 1− P (there are no new packets during the K time slots)= 1− e−λ0Kτ . (4)

4) Slotted Aloha: The analysis on the slotted Aloha schemeis much more complicated [7] [20]. Here we consider only thecase in which the retransmission is rare, i.e., collision happensvery rarely. We denote by W0 the initial backoff window.Then, the backoff window size of the r-th retransmissionis given by Wr = min

{2r−1W0,Wmax

}, where Wmax is

the maximum window size and the window size is a binaryexponential backoff one. Then, given that the message issuccessfully transmitted, the delay is given by

D = 1 +R∑

r=1

Dr, (5)

where R is the number of retransmissions and Dr is the delayof the r-th retransmission. The random variable here is thenumber of retransmissions, namely R. Due to the assumptionthat the retransmission is rare, we can assume that all collisionsare from the initial transmissions of other smart meters. Hence,the distribution of R is approximated by

P (R = r) ≈ (1− ps)r−1ps, (6)

where ps is the probability that the retransmission is success-ful, which is given by

ps = P (successful retransmission)= P (no new packet in one time slot)= e−Kλ0 . (7)

Note that the second equation is due to the assumption thatcollision occurs only when a new packet arrives at anothersmart meter, while the last equation is because e−λ0 is theprobability that no new packet arrives at a certain smart meter.

Meanwhile, the distribution of Dr is given by

P (Dr = n) =1

Wr, ∀n = 1, ...,Wr. (8)

By combining the above expressions, we can obtain thedistribution of D, which is that of the sum of R independentrandom variables.

The event of packet loss is that a new message is generatedbefore the success of transmission of the current message. Wedenote by p̃(R) that the packet is discarded during the R-thretransmission. Then, it is easy to verify that the distributionis given by

p̃(R) = (1− ps)R−1

R−1∑r=1

Wr∑wr=1

(R−1∏r=1

1

Wr

)e−λ0

∑R−1r=1 wr

×WR∑rR=1

1

WR(1− e−λ0rR), (9)

where the explanation is given by

• (1 − ps)R−1 is the probability that the transmission is

unsuccessful in the first R − 1 times, thus necessitatingthe R-th transmission.

• e−λ0∑R−1

r=1 wr , where wr is the actual backoff time inthe r-th retransmission, is the probability that there isno new packet given the backoff times in the R − 1retransmissions.

•∏R−1

r=11

Wris the probability that the backoff times are

given by {wr}r=1,...,R−1.•∑R−1

r=1

∑Wr

wr=1 is the summation of all possible backofftimes.

• 1− e−λ0rR is the probability that one or more packet isgenerated in the R-th retransmission.

Then, the packet loss rate is given by

PAloha(packet loss) =∞∑

R=1

p̃(R). (10)

6

C. Numerical Results

We use numerical simulations to demonstrate the perfor-mance of the different multiple access schemes. Unfortunately,we do not have sufficient data for the power consumptions. Weconsider the power consumptions of the same location (thefirst author’s home, as mentioned before) on different daysas those of different power users on the same day. Totally,we have K = 33, i.e., 33 smart meters from the 33 days’measurements. Although it is still far away from practical casein which there could be a large number of smart meters, wescale the bandwidth such that the bandwidth allocated to eachsmart meter is reasonable. The simulation results can alsoprovide insights for future studies. Unless noted otherwise,we set the duration of time slot τ to be 100ms, i.e., thetransmission of each packet needs 100ms4. If each packetcontains 1k bits (including the header, payload and digitalsignature), the 33 smart meters are assigned a bandwidth ofapproximately 10kbps, which is reasonable when the numberof smart meters is large. We also test different thresholds ofpower consumption change, i.e., γ, to trigger the report ofsmart meters.

Note that the time slot of 100ms does not mean that eachsmart meter needs to report every 100ms, which may beunnecessary since the power dynamics are usually in a largertime scale. When there are 1000 power users, the report willbe once per 100 seconds, which could be possible since theincorporation of many renewable energy generations such assolar panel or wind turbine has significantly increased thevariance of power generations.

The average delay and packet loss rate are shown in Figures8 and 9, respectively, when τ = 100ms, γ = 0.1 and K = 33.We observe that the slotted Aloha significantly outperformsTDMA and OFDMA. Within the dedicated channel case,TDMA outperforms OFDMA due to the long average delayof OFDMA (the long delay also incurs packet loss). Whenτ is smaller, i.e., more bandwidth for each smart meter, theperformance gain of slotted Aloha is even larger.

The average delay and packet loss rate are shown in Figures10 and 11, respectively, when τ = 100ms, γ = 0 andK = 33. Compared with the previous simulation results, themessage arrival rate is significantly increased. We observethat the performance of slotted Aloha is significantly impaireddue to the congestion. However, with this configuration, theperformance is intolerable for practical systems.

In Figures 12 and 13, we changed τ to 70ms by increasingthe communication bandwidth (γ is still set to 0), thus decreas-ing congestion level. We observe that slotted Aloha could bebetter than or worse than TDMA in different time periodsin the same day. This implies that the multiple access couldbe adaptive: upon congestions, the system can be switched toTDMA or OFDMA; on the other hand, it can switch to thecontention based one. The switch can be either adaptive to

4Note that the transmission time 100ms may be too large for a moderncommunication system. However, when there are a large number of smartmeters (e.g., thousands of meters), the average bandwidth that can be allocatedto each meter will not be large; hence, the transmission time may be largerthan many existing communication services.

0 3 6 9 12 15 18 210

0.5

1

1.5

2

2.5

3

3.5

time (hour)

dela

y (s

econ

d)

TDMAAlohaOFDMA

Fig. 8: Average delays in different time periods when τ =100ms, γ = 0.1 and K = 33.

0 3 6 9 12 15 18 210

0.05

0.1

0.15

0.2

0.25

0.3

0.35

time (hour)

pack

et lo

ss r

ate

TDMAAlohaOFDMA

Fig. 9: Packet loss rates in different time periods when τ =100ms, γ = 0.1 and K = 33.

0 3 6 9 12 15 18 210

0.5

1

1.5

2

2.5

3

3.5

time (hour)

dela

y (s

econ

d)

TDMAAlohaOFDMA

Fig. 10: Average delays in different time periods when τ =100ms, γ = 0 and K = 33.

7

0 3 6 9 12 15 18 210

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

time (hour)

pack

et lo

ss r

ate

TDMAAlohaOFDMA

Fig. 11: Packet loss rates in different time periods when τ =100ms, γ = 0 and K = 33.

0 3 6 9 12 15 18 210

0.5

1

1.5

2

2.5

time (hour)

dela

y (s

econ

d)

TDMAAlohaOFDMA

Fig. 12: Average delays in different time periods when τ =70ms, γ = 0 and K = 33.

the current system situation or be predetermined using historicdata.

Note that we only considered the simplest model for thesemultiple access schemes. We ignored many details, e.g., thecyclic prefix in OFDMA and the possible time synchronizationerror in TDMA. We will use more practical softwares likeQualnet for obtaining more concrete simulation results withthe measurement data.

IV. SECURE MULTIPLE ACCESS SCHEME

In this section, we study the security issues of the proposedCAT scheme for smart metering. Essentially, we consider thePPA attack in which an eavesdropper determines whether thehousehold owner is at home or not. We will propose theASP scheme which can efficiently spoof the eavesdropperand beat the counterstroke of K-S test by the attacker, aswill be demonstrated by numerical simulations. The arms racebetween the attacker and smart meter is illustrated in Fig. 14.

Note that there have intensive studies on traffic analysisattack [5] [21], into which the attack proposed in this papermay be categorized. The insertion of dummy packets is alsowidely used to mitigate the traffic analysis [1]. However, inmany of these studies, the attack and defense are focused

0 3 6 9 12 15 18 210

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

time (hour)

pack

et lo

ss r

ate

TDMAAlohaOFDMA

Fig. 13: Packet loss rates in different time periods when τ =70ms, γ = 0 and K = 33.

PPA attack:

counting the

radio activities

ASP defense:

sending spoofing

packets

K-S test:

detecting the

spoofing packets

Attacker Smart meter

complexity

Fig. 14: The arms race between the attacker and smart meter

on the correlation analysis in order to identify the source-destination pairs, instead of the presence of certain entity.Hence, the detailed algorithms in this paper are differentfrom the existing studies. It should also be noted that, if aperiodic transmission scheme is used, regardless of the powerconsumption situation, there will be no security issues. Tocombat the PPA attack, extra communication resources areneeded for the spoofing packets. However, compared withthe periodic transmission scheme, the communication of theproposed scheme is still efficient, even though the overheadof spoofing packets is added.

A. PPA Attack

In the PPA attack, an eavesdropper can monitor the radioactivity of a certain power consumer. It does not need todecode and decypher the packets (we assume that the smartmeter has a perfect encryption mechanism); it simply needsto count the number of packets within each time unit, e.g.,by employing an energy detector. As we have explained,when the power consumption activity is more intensive, thepower consumption change will also be increased, whichresults in more packets due to the CAT policy of transmission.Hence, the eavesdropper can easily determine the current

8

2 2.05 2.1 2.15 2.2 2.25 2.3 2.35 2.4 2.45 2.5−20

−10

0

10

20

time: hour

curr

ent:

mA

18 18.05 18.1 18.15 18.2 18.25 18.3 18.35 18.4 18.45 18.5−20

−10

0

10

20

time: hour

curr

ent:

mA

Fig. 15: Comparison of power consumption between 02:00–02:30 and 18:00–18:30

power consumption intensity. Then, for a typical period ofintensive power consumption such as dinner cooking time, ifthe eavesdropper finds that the number of packets is signifi-cantly lower than the normal level, it is highly possible thatthe house owner is not at home. This is particularly a goodnews to the community of thieves and thus brings significantjeopardy to the power user.

Fig. 15 shows the comparison between the power consump-tion changes in the midnight (which can be considered as thetime when the house owner is not at home) and those duringthe cooking time. We observe a substantial difference, whichimplies that the eavesdropper can detect the presence of theowner with a high confidence.

B. ASP Defense

The philosophy of combating the PPA attack is: when theowner is not at home, add spoofing packets to the transmissionwhen the power consumption is typically intensive. When thehouse owner leaves the house, he/she can trigger the ASP de-fense scheme, which will automatically generate more packetsduring the cooking time even though there is actually no powerconsumption change. This scheme can spoof the eavesdropperat the cost of some bandwidth waste. An illustration of theASP scheme is illustrated in Fig. 16.

The key challenge of the ASP scheme is how to add thespoofing packets. As will be seen below, we can have twoapproaches for generating the spoofing packets, namely thePoisson packet generation and history template (HT) basedgeneration. A memory, illustrated in Fig. 16, is used to storethe previous time pattern of data transmission during differenttime periods. A sliding window could be used to discard theold data and avoid the overflow of memory.

1) Poisson Generation of Spoofing Packets: As we havementioned, the arrivals of power consumption changes canbe approximated by a Poisson process. Hence, the memorycan store the average number of power consumption changeswithin unit time in different time intervals. Then, when thehouse owner leaves, the smart meter can generate the spoofing

memorydata

transmission

Power consumption

change

Is the owner at home?

Spoofing

packet

generator

packets

No

Fig. 16: An illustration of the ASP defense scheme

Procedure 1 Procedure of the ASP Defense Scheme1: if The owner is at home then2: Set the mode as ’at home’3: else4: Set the mode as ’on leave’5: end if6: for Each time slot do7: if The mode is ’at home’ then8: Transmit when a power consumption change arrives.9: Store the arrival interval in the memory.

10: else11: Use a random generator to generate spoofing packets or

use one HT stored in the memory.12: Transmit if there is a power consumption change or there

is a spoofing packet.13: end if14: end for

packets using a Poisson process generator and the correspond-ing arrival rates stored in the memory. An advantage of thisscheme is that only a small memory is needed to store theaverage arrival rates.

2) HT based Generation of Spoofing Packets: Anotherapproach is to generate the spoofing packets according to thehistory record in the memory. There are two approaches forutilizing the history record: (a) repeat the same arrivals ofpackets in the history; e.g., we can repeat the whole transmis-sion history during a busy dinner time; (b) randomly generatethe spoofing packets according to the empirical distributionof the time intervals between significant power consumptionchanges. Hence, the previous observations are used as the HTs;i.e., the time is divided into different time frames (e.g., 30minutes) and the observation within each frame is one HT.The advantage of this approach is that it does not rely onthe assumption of Poisson process of the power consumptionchanges. However, it requires more memory since it needs torecord the history of power consumptions.

C. Countermeasures of Eavesdropper

When the smart meter uses spoofing packets, it is difficultfor the attacker to determine whether the house owner is athome by simply counting the number of packets. However,since the defense scheme of ASP is public and the attackerknows how the spoofing packets are generated, it can detect

9

whether the packets are triggered by real power consumptionchanges, or are spoofing packets. Once the attacker finds thatpackets actually contain many spoofing ones, it can determinethat the house owner is on leave and the smart meter is in the’on leave’ mode. We discuss both cases in which the attackereither knows the HT or not.

1) Case of Known HT: We first assume that the attackerknows the set of HTs of the smart meter. For example, theattacker can also store the radio activities in a memory. Thegeneral procedure of detecting the spoofing packets is givenin Procedure 2.

• If the spoofing packets are generated as a Poisson process,the attacker can detect the spoofing packets by checkingwhether the packets follow a Poisson process. A K-S testcan be used for the detection by comparing the sampleswith a Poisson distribution whose expectation can beestimated from the samples. Actually, in this scenario,the attacker does not need to have the HT since it onlyneeds to determine whether the spoofing packets satisfya Poisson process. However, the knowledge of HT helpsto determine the parameter of the Poisson process, thusaccelerating the detection.

• If the spoofing packets are generated by using HTs thatare also known to the attacker, the attacker can alsocarry out the K-S test to judge whether the empiricaldistribution of the packet arrival times is close to that ofone of the HTs.

Procedure 2 Procedure for Detecting Spoofing Packets withKnown HT

1: Collect different frames and compute the empirical distributionof packet arrivals.

2: if The spoofing packets are generating with Poisson processthen

3: Estimate the expectation of the Poisson distribution.4: Carry out the K-S test between the empirical distribution and

Poisson distribution.5: else6: Carry out the K-S test for the reference CDFs obtained from

HTs.7: end if8: if The error in the K-S is sufficiently small then9: Claim that spoofing packets are detected.

10: end if

Three methods are applied for generating the empiricaldistribution function (EDF) and reference CDFs in the K-Stest. The difference among these three methods is in the firsttwo steps about how to construct the EDF of observations andreference CDFs of HTs in order to calculate the minimumdistance between thes EDF and all CDFs:

• For method 1, only data samples from one frame is usedto construct the EDF. The data source of each referenceCDF is from one HT.

• For method 2, the way to generate the reference CDF isthe same as method 1. However, the way to generate theEDF and calculate the error in the K-S test is differentfrom method 1. The procedure is shown in Procedure3. The idea of combining data samples from more than

one frames is to increase the detection rate when the HTlength is short.

• For method 3, the way to construct the EDF is the sameas that for method 2; for the reference CDFs, besidesthe reference CDF that is obtained from one HT, morereference CDFs are obtained based on the combinationof two HTs. The purpose of combining HTs to generatenew reference CDF is also to increase the detection rate.

Procedure 3 Procedure for Generating the EDF and Calculat-ing The Metric in K-S Test for Method 2

1: for Each frame k do2: Randomly select another frame m, then combine the data

samples from both frames k and m to generate the EDF Fk,m

3: Calculate the minimum distance Dk,m between Fk,m and allthe reference CDFs

4: end for5: Then the metric of K-S test, Di, for frame k is the minimum of

Dk,m.

2) Case of Unknown HT: When the attacker does not havethe record of HTs (e.g., the attacker does not have a largememory), it cannot use the K-S test since it does not have anytemplate distribution for the comparison. However, since thenumber of HTs stored in the smart meter is limited, thereis a high probability that one HT is used to generate thespoof packets for many times. In other words, the EDFs indifferent time frames could be vary similar. This correlationin EDFs can be used to detect whether the data in the timeframe is generated from real change of power consumptionor from the ASP defense scheme. The general procedure isvary similar to that of the case of known HTs. The onlydifference is that reference CDFs in the K-S test are generatedfrom online measurements (in the case of known HTs, thereference CDFs are obtained from the historical records). Thedetection procedure for method 1 with unknown HTs is givenin Procedure 4. We omit the counterparts for methods 2 and3 due to the similarity and limited space.

Procedure 4 Procedure of Method 1 with Unknown HTs1: Obtain the EDFs of Nf time frames2: for each time frame i, i = 1, 2, · · · , Nf do3: Carry out the K-S test by calculating the minimum distance

between the EDF of frame i and those of all other frames4: Claim that spoofing packets are detected if the minimum

distance is less than a threshold.5: end for

D. Numerical Results

Now we use numerical simulations to demonstrate thedefense and attack schemes proposed above. The measurementdata collected by the power clamp in 480 hours is used in thesimulation. We set the number of HTs to eight; i.e., there areeight templates for the traffic pattern in busy times stored inthe memory. The total length of data obtained during the timeof busy power consumptions is 100 hours. The number ofemulated frames during the status of ’on leave’ is 500, overwhich we obtain the performance of the attacker.

10

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.80.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

False Alarm Rate

Det

ectio

n R

ate

Method 1; Frame length: 1 hourMethod 1; Frame length: 0.5 hourMethod 1; Frame length: 0.25 hourMethod 2; Frame length: 1 hourMethod 2; Frame length: 0.5 hourMethod 2; Frame length: 0.25 hourMethod 3; Frame length: 1 hourMethod 3; Frame length: 0.5 hourMethod 3; Frame length: 0.25 hour

Fig. 17: The ROC of different detection methods with knownHTs when the smart meter generates the spoofing packetsusing Poisson process

Note that the main concern of the attacker is the falsealarm since a false alarm may cause significant damage tothe attacker. In this paper, we assume that a false alarm rateof 0.05 is acceptable. Then, we need to check the detectionrate at this false alarm rate.

1) Known HTs: Figures 17 and 18 show the ReceiverOperating Characteristic (ROC) of different methods when thespoofing packets generated from Poisson process and HTs,respectively, when HTs are known by the attacker. Here thefalse alarm rate means the probability that the attacker claimsthat the owner is on leave while the owner is actually at home,while the the detection rate is the probability that the attackersuccessfully detects the on leave state of the owner. In bothfigures, we observe that, the longer each frame is, the betterthe detection performance is. This motivates the smart meterto use reasonably short HTs for the generation of spoofingpackets. We also observe that method 3 achieves the bestperformance among the three proposed methods of detection.More importantly, the attacker can detect the ’on leave’ stateof the owner with a high detection probability when the smartmeter uses the generation of Poisson process. When the smartmeter uses the HT based generation of spoofing packet, thedetection performance of the attack becomes unreliable. Usingthe criterion of false alarm rate equaling 0.05, the detectionrate in Fig. 17 (using Poisson process) is fairly high (more than80%), which means that the detection performance is good forthe attacker; meanwhile, the detection rate in Fig. 18 (usingHT) is less than 0.5 for the worst case, which is not good forthe attacker.

2) Unknown HTs: Figures 19 and 20 show the ROCs ofdifferent attack methods when the HTs are unknown to theattacker. Compared with the cases when HTs are known, theperformance of the attacker is worse due to the unknown HTs.However, when the Poisson distribution is used for generatingthe spoofing packets, the attacker can still achieve a reasonableperformance. For example, when attack method 2 is used, theattacker can achieve a detection rate of 80% at the cost of falsealarm rate 5%. When the empirical distributions obtained fromHTs are used to generate the spoofing packets, the performanceof the attacker is significantly decreased, or equivalently thesecurity of the power user is enhanced. Again, it is more

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

False Alarm Rate

Det

ectio

n R

ate

Method 1; Frame length: 1 hourMethod 1; Frame length: 0.5 hourMethod 1; Frame length: 0.25 hourMethod 2; Frame length: 1 hourMethod 2; Frame length: 0.5 hourMethod 2; Frame length: 0.25 hourMethod 3; Frame length: 1 hourMethod 3; Frame length: 0.5 hourMethod 3; Frame length: 0.25 hour

Fig. 18: The ROC of different detection methods with knownHTs when the smart meter generates the spoofing packetsusing HTs

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

False Alarm Rate

Det

ectio

n R

ate

Method 1; Frame length: 1 hourMethod 1; Frame length: 0.5 hourMethod 1; Frame length: 0.25 hourMethod 2; Frame length: 1 hourMethod 2; Frame length: 0.5 hourMethod 2; Frame length: 0.25 hour

Fig. 19: The ROC of different detection methods with un-known HTs when the spoof packets are generated in a Poissonmanner.

desirable to use the HTs to generate the spoofing packets.Again, using the criterion of false alarm rate equaling 0.05, thedetection rate is less than 0.1, which means that the detectionperformance is bad.

V. CONCLUSIONS

In this paper, we have discussed the reliable and secure wire-less communications for advanced metering infrastructure insmart grid. We have carried out a measurement experiment forhousehold power consumption, based on which we have built

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

False Alarm Rate

Det

ectio

n R

ate

Method 1; Frame length: 1 hourMethod 1; Frame length: 0.5 hourMethod 1; Frame length: 0.25 hourMethod 2; Frame length: 1 hourMethod 2; Frame length: 0.5 hourMethod 2; Frame length: 0.25 hour

Fig. 20: The ROC of different detection methods with un-known HTs when the spoof packets are generated using HTs

11

a mathematical model for the packet arrival process. Then, wehave studied various schemes of multiple access, particularlythe schemes of dedicated channels and random access. Theperformance is analyzed both analytically and numerically. Wehave also studied the security of the wireless communications,mainly preventing attackers from analyzing the presence ofhouse owner by counting the number of packets. A schemeof transmitting spoofing packets is proposed for mitigatingthe attack, which has been demonstrated to be effective forcombating several types of countermeasures of the attack.

APPENDIX AINTRODUCTION TO KOLMOGOROV-SMIRNOV TEST

K-S statistic is widely used in K-S test as a measure ofdistance between two EDFs of samples or between the EDFof sample and the CDF of distribution function.

The EDF Fj(x), j = 1, 2 for N i.i.d. observations Xj,i isdefined as

Fj(x) =1

N

N∑i=1

IXj,i≤x. (11)

Then, the K-S statistic for a given CDF E(x) of a distributionand given EDF Fj(x) is

Dj = supx

|Fj(x)− E(x)|, (12)

where supx is the supremum of distance. The K-S statistic fortwo EDF F1(x) and F2(x) is

DN = supx

|F1(x)− F2(x)|. (13)

The reason we use K-S statistic as a measure of distanceis due to the Glivenko-antelli theorem which shows that Dj

converges to 0 almost surely as N → ∞ if the samples Xj,i

comes from distribution E(x).

REFERENCES

[1] T. Abraham and M. Wright, “Selective cross correlation in passivetiming analysis attacks against low-latency mixes,” in Proc. of IEEEConference on Global Communications (Globecom), 2009.

[2] M. Anderson, “WiMAX for smart grids,” IEEE Spectrum, July 2010.[3] C. Bennett and S. Wicker, “Decreased time delay and security enhance-

ment recommendations for AMI smart meter networks,” in Proc. ofInnovative Smart Grid Technologies Conference, 2010.

[4] S. Borenstein, M. Jaske, A. Rosenfeld, Dynamic Pricing, AdvancedMetering, and Demand Response in Electricity Markets, UC Berkeley:Center for the Study of Energy Markets.

[5] Y. Fan, Y. Jiang, H. Zhu and X. Shen, “An efficient privacy-preservingscheme against traffic analysis attacks in network coding,” in Proc. ofIEEE Conference on Computer Communications (Infocom), 2009.

[6] ISO New England Inc., Overview of the Smart Grid: Policies, Initiativesand Needs, Feb. 17, 2009.

[7] L. Kleinrock and F. A. Tobagi, “Packet switching in radio channels:Part I–Carrier sense multiple access modes and their throughput-delaycharacteristics,” IEEE Trans. on Commun., vol.23, pp.1400–1416, Dec.1975.

[8] F. Li, “Continuous locational marginal pricing (CLMP),” IEEE Trans.Power Syst., vol.22, pp.1638–1646, Nov. 2007.

[9] F. Li and R. Bo, “Congestion and price prediction under load variation,”IEEE Control System Magazine, vol.19, pp.59–70, Oct. 2009.

[10] H. Li, R. Mao, L. Lai and R. C. Qiu, “Compressed meter reading fordelay-sensitive and secure load report in smart grid,” in Proc. of the 1stIEEE Conference on Smart Grid Communications, 2010.

[11] M. A. Lisovich, D. K. Mulligan and S. B. Wicker, “Inferring personal in-formation from demand-response systems,” IEEE Security and Privacy,Jan./Feb. 2010.

[12] E. Litvinov, T. Zheng, G. Rosenwald and P. Shamsollahi, “Marginalloss modeling in LMP calculations,” IEEE Trans. Power Syst., vol.19,pp.880–888, May 2004.

[13] X. Ma, H. Li and S. Djouadi, “Stochastic modeling of short-termpower consumption for smart grid: A state space approach and realmeasurement demonstration,” in Proc. of Conference on InformationSciences and Systems (CISS), 2011.

[14] M. Roozbehani, M. Dahleh and S. Mitter, “Dynamic pricing andstabilization of supply and demand in modern electric power grids,”in Proc. of the 1st IEEE Conference on Smart Grid Communications,2010.

[15] D. D. Silva, X. Yu, D. Alahakoon and G. Holmes, “Incremental patterncharacterization learning and forecasting for electricity consumptionusing smart meters,” in Proc. of IEEE Industrial Electronics, 2011.

[16] M. R. Souryal and N. Golmie, “Analysis of advanced metering over awide area cellular network,” in Proc. of IEEE Conference on Smart GridCommunications (SmartGridComm), 2011.

[17] S. Stoft, Power System Economics – Designing Markets for Electricity,IEEE/Wiley, 2002.

[18] M. Tanaka, D. Umehara, M. Morikura, et al, “New throughput analysisof long-distance IEEE 802.11 wireless communication system for smartgrid,” in IEEE Conference on Smart Grid Communications (SmartGrid-Comm), 2011.

[19] R. Weron, Modeling and Forecasting Electricity Loads and Prices: AStatistical Approach, Wiley, 2006.

[20] Y. Yang and T. P. Yun, “Delay distributions of slotted Aloha and CSMA,”IEEE Trans. on Commun., vol.51, pp.1846–1855, Nov. 2003.

[21] Y. Zhu, X. Fu, B. Gramham, R. Bettati and W. Zhao, “Correlation-basedtraffic analysis attacks on anonymity networks,” IEEE Trans. on Paralleland Distributed Systems, vol.21, no.7, pp.954–967, July 2010.