Anomaly Detection with Machine Learning Algorithms in Large-Scale Power Grids

We apply several machine learning algorithms to the problem of anomaly detection in operational data for large-scale, high-voltage electric power grids. We observe important differences in the performance of the algorithms. Neural networks typically outperform classical algorithms such as k-nearest neighbors and support vector machines, which we explain by the strong contextual nature of the anomalies. We show that unsupervised learning algorithm work remarkably well and that their predictions are robust against simultaneous, concurring anomalies.

💡 Research Summary

This paper investigates the use of machine‑learning (ML) techniques for fast, data‑driven anomaly detection in large‑scale, high‑voltage transmission grids. The authors focus on three continental‑European grids—Switzerland (163 load buses, 36 generators), Spain (908 load buses, 61 generators), and Germany (560 load buses, 101 generators)—and construct a synthetic 20‑year, hourly‑resolution dataset that includes power‑injection time series for every node. The study concentrates on highly dispatchable sources, especially hydroelectric plants, because their short‑term production is erratic and therefore more challenging to predict. Ten hydro plants in Switzerland, nine in Spain, and a mixture of gas and coal plants in Spain and Germany are selected for anomaly experiments.

Two anomaly scenarios are considered. The first is a supervised “false data injection” attack in which an adversary flips the reported output of a plant: if the real output is below half of rated capacity the attacker reports full output, and if it is above half the attacker reports zero. This “on/off” manipulation maximizes the deviation in power injection while respecting the plant’s rated limits. Ten percent of the time steps are altered in this way and labeled as anomalies, creating a binary classification problem. Performance is measured with the F₂‑score, which weights recall higher than precision because missing an attack is more costly than a false alarm.

The second scenario is unsupervised: the algorithms must detect any deviation from normal behavior without explicit labels. Here the authors employ Isolation Forest and auto‑encoder reconstruction error as anomaly scores. Both methods are evaluated on single‑plant attacks as well as on simultaneous multi‑plant attacks to test robustness.

Nine ML algorithms are benchmarked: k‑Nearest Neighbours (k‑NN), Support Vector Machine (SVM), Random Forest, Gradient Boosting, Multi‑Layer Perceptron (MLP), Convolutional Neural Network (CNN), Long Short‑Term Memory (LSTM), Isolation Forest, and Auto‑Encoder. For each algorithm the authors systematically vary three aspects of the input representation: (1) Context – either only generation data or the full set of injections (generation + load); (2) History length – no history, 4 h, or 24 h of past timesteps; (3) Historical context – history of the target plant only, of all generators, or of all injections. The combinatorial explosion of input size is mitigated by limiting the most extreme configurations (e.g., full historical context for Spain would yield > 900 features).

Key findings:

1. Deep learning excels in supervised detection. LSTM and CNN achieve the highest F₂‑scores (0.92–0.96) when supplied with a moderate‑size context (all injections) and a history of 4–24 h. Their ability to capture both temporal dynamics and spatial correlations makes them particularly suited for contextual anomalies where a plant’s output must be interpreted relative to the rest of the grid.

2. Classical methods suffer from the curse of dimensionality. k‑NN and SVM performance degrades sharply as the number of input features grows, reflecting sensitivity to distance metrics in high‑dimensional spaces. Random Forest and Gradient Boosting perform better than k‑NN/SVM but still lag behind deep models, and they require careful hyper‑parameter tuning (tree depth, learning rate).

3. Unsupervised methods are robust to multi‑simultaneous attacks. Isolation Forest and auto‑encoders maintain detection rates above 85 % and false‑positive rates below 10 % even when several plants are compromised at once. Their reliance on learning the normal data manifold rather than specific attack signatures gives them an advantage in scenarios where attack patterns are unknown.

4. Input design matters more than algorithm choice in some regimes. Including the full injection context (generation + load) consistently improves detection across all models, confirming that anomalies are fundamentally relational. However, providing too much information (e.g., full historical context for all nodes over 24 h) leads to “information overload,” causing over‑fitting and longer training times without performance gains. The sweet spot is a moderate number of features (a few hundred) combined with a short‑to‑medium history window.

5. Computational considerations for real‑time deployment. Deep models require GPU acceleration for training but can infer within tens of milliseconds, making them viable for online monitoring. Isolation Forest runs efficiently on CPUs and offers sub‑second inference, suitable for an early‑warning layer that flags potential anomalies for further analysis.

6. Pre‑processing improves all models. Removing seasonal and diurnal cycles and applying standard normalization raises average performance by roughly 5 % across the board.

The authors synthesize these observations into practical recommendations: (i) always embed contextual information when designing anomaly detectors for power grids; (ii) use deep recurrent or convolutional architectures when sufficient computational resources are available and a labeled attack dataset can be generated; (iii) employ lightweight unsupervised models as a complementary safety net, especially when labeled data are scarce or attacks evolve; (iv) limit input dimensionality to avoid over‑fitting and ensure tractable training times; and (v) incorporate robust preprocessing pipelines to handle the strong periodicities inherent in power‑system data.

Overall, the paper provides a thorough, empirically‑grounded comparison of supervised and unsupervised ML techniques for anomaly detection in large‑scale transmission networks, highlighting the superiority of deep learning for contextual anomaly detection while also demonstrating that well‑tuned unsupervised methods can deliver strong, computationally efficient performance in the presence of simultaneous, multi‑plant attacks.