A. Electricity Theft Detection Methods

In the realm of electricity theft detection, various methodologies have been devised to tackle and mitigate its ramifications. These methodologies can be broadly classified into three primary categories: hardware-based approaches, statistical and analytical methods, and machine learning-based techniques. In this section, we provide a concise overview of these methodologies, outlining their key characteristics and functionalities.

B. Adversarial Evasion Attacks and Countermeasures

The previous subsection discussed works that primarily focused on training accurate models for detecting electricity theft attacks. However, these works did not address the security of the models against adversarial evasion attacks. Evasion attacks employ advanced techniques to make minimal alterations to malicious samples, causing the detector to incorrectly classify them as benign. In this subsection, our attention shifts to these specific attacks and the countermeasures proposed to mitigate them.

Numerous research studies have explored the generation of adversarial evasion samples and their impact on machine learning-based detectors. The pioneering work by Szegedy et al. [48] delved into the effects of evasion attacks on neural networks. Subsequently, Moosavi-Dezfoli et al. [49], Goodfellow et al. [50], and Rozsa et al. [51] introduced various techniques, including the fast gradient sign method (FGSM), DeepFool, and fast gradient value (FGV), respectively, to generate evasion samples capable of deceiving detection models. In the domain of electrical power, Badr et al. [1] innovatively introduced evasion attacks targeting global electricity theft detectors. They employed a generative adversarial network (GAN) trained on real data to produce deceptive low-consumption readings effective at evading the global detector.

In addition, Li et al. [46] demonstrated the susceptibility of DL-based electricity theft detectors to evasion attacks. They introduced the SearchFromFree algorithm, which leverages gradients to create evasion samples, enabling malicious samples to evade DL-based detectors while yielding financial benefits. To address and mitigate adversarial evasion attacks, the technique of adversarial training defense has emerged as a promising approach to enhance detector resilience. Adversarial training, initially proposed by Szegedy et al. [48], entails exposing a trained detector to evasion attacks. This process generates adversarial samples capable of bypassing detection. Subsequently, the detector undergoes retraining using these adversarial samples to enhance its robustness.

C. Limitations and Research Gaps

In this subsection, we discuss the main limitations present in the existing literature, which constitute the motivations for this work, as follows.

• Lack of generalization. Many existing evasion attacks exploit specific vulnerabilities or weaknesses in a particular machine learning model. These attacks often rely on knowledge of the target model’s architecture, parameters, or training data. As a result, they may not generalize well to different models or datasets. This limitation restricts their applicability in different applications where the attacker may not have complete knowledge of the target model, limiting the effectiveness of the attacks.

• High computational cost. Some evasion attack methods utilize computationally expensive techniques such as optimization algorithms or brute-force search. These approaches explore a large search space to find the optimal perturbations that can fool the target model. However, these techniques are time-consuming and resource-intensive, especially for large datasets. The high computational cost makes these evasion attacks impractical for large-scale applications where efficiency is crucial.

• Limited transferability. Many existing works assume that evasion samples generated by a substitute model will also evade the target model, but this assumption is not guaranteed practically. The underlying reasons for limited transferability include differences in model architectures or decision boundaries.

To address these limitations and fill the existing research gap, we offer the following rationale for investigating RL as a viable approach to generate evasion samples:

• Model-agnostic attacks. RL-based evasion attacks have the potential to generate evasion samples that are less dependent on the architecture and type of the target model or the training dataset. By learning from interactions with the target model, RL attack agent can adapt its attack strategy, making it more versatile and transferable. This adaptability allows for more successful evasion attacks in scenarios where the attacker has limited knowledge of the target model compared to the traditional approaches.

• Optimization efficiency. RL techniques leverage exploration and exploitation techniques to compute evasion samples more efficiently. Instead of relying on exhaustive search or computationally expensive optimization algorithms, RL agents can learn to navigate the evasion sample space in an efficient manner. This improves the practicality and scalability of the evasion attack.

• Stealth and imperceptibility. RL agents can be trained to generate evasion samples that are indistinguishable from the benign samples. By incorporating appropriate reward values, RL agents can learn to minimize the perturbations in a way that makes it hard to detect the attack. This ability to generate stealthy and imperceptible evasion samples increases the effectiveness of the attacks in different applications or scenarios where the goal is to evade the detection model without raising suspicion.

A. Reinforcement Learning (RL)

RL distinguishes itself as a unique branch of machine learning, setting it apart from popular methods like supervised learning. Unlike those methods, RL empowers autonomous agents to shape their own learning experiences through direct interaction with the environment and feedback. The fundamental structure of an RL model comprises two key components: the environment and the agent, as depicted in FIGURE 1. Initially, the agent possesses limited or no prior knowledge of the environment. To address RL problems, a Markov decision process incorporates four distinct components: state ($s$ ), action ($a$ ), reward ($r$ ), and policy ($\pi$ ). RL follows a trial-and-error approach, where the agent takes action $a_{t}$ at each time step $t$ , causing a transition from the current state $s_{t}$ to a new state $s_{t+1}$ , and receiving a reward or penalty from the environment. The reward function provides the agent with insights into the desirability of an action within a given state. Over time, the agent learns to make better decisions and avoids suboptimal choices based on the accumulated rewards. The primary objective of RL is to optimize the overall accumulated reward and formulate a policy that links states to actions. This cumulative reward represents the aggregation of rewards obtained by the agent over time and is expressed by Eq. 1.

View Source\begin{equation*} R_{t}= r_{t+1}+ \gamma. r_{t+2}+ \gamma. r_{t+3}+\ldots =\sum _{l=0}^{\infty } \gamma ^{l} r_{t+l+l}, \tag{1}\end{equation*}

FIGURE 1.

The main structure of an RL scheme.

Show All

In order to deepen our understanding of the RL model’s capacity to determine the optimal policy, it is crucial to explore and comprehend fundamental concepts such as exploration and exploitation. Exploration involves evaluating and investigating various predefined actions to identify the most suitable course of actions for the upcoming states, while exploitation focuses on utilizing current knowledge to adjust the action selection policy and maximize overall rewards. These concepts are mathematically examined through the $\epsilon$ -greedy policy. At each state, the agent has the capability to explore an action with an exploration rate $\epsilon$ from a predefined set of actions randomly or exploit a specific action with the maximum $Q$ value using an exploitation rate of $1-\epsilon$ . The exploration rate, $\epsilon \in$ [0, 1], is initially set to its maximum value of 1, and gradually decreases as the learning process progresses. Ultimately, as the training model evolves, the agent relies solely on the exploitation mechanism and its accumulated knowledge to determine the optimal action to execute. The concept of Q-learning algorithm, introduced in [52], empowers the agent to learn and make optimal decisions through sequential exploration of different actions. The goal of this approach is to maximize the overall accumulated reward by leveraging the Bellman equation, as expressed in Eq. 2.

View Source\begin{align*} Q^{n e w}\left ({s_{t}, a_{t}}\right) &\leftarrow (1-\alpha) Q\left ({s_{t}, a_{t}}\right) \\ &\quad +\alpha \left ({r_{t}+\gamma \max _{a} Q\left ({s_{t+1}, a_{t+1}}\right)}\right), \tag{2}\end{align*}

The $Q$ -learning algorithm utilizes a $Q$ function to calculate the $Q$ values for a given state, with the primary objective of maximizing rewards. To store the $Q$ -values for state-action pairs, a $Q$ -table is employed, where rows represent states and columns represent available actions. However, as the number of states and actions increases, the state-action space grows exponentially, making the use of a $Q$ -table impractical. In order to address this challenge, DL plays a crucial role in the integration with RL, leading to the development of the deep Q network (DQN). This integration leverages the remarkable DL capabilities of DQN to overcome the exponential growth in the state-action space. Thanks to DL, the DQN enables efficient and effective representation of $Q$ -values without the need for an exhaustive $Q$ -table.

B. Deep Q Network (DQN)

The $Q$ -learning algorithm utilizes a $Q$ function to calculate the $Q$ value for a given state $s_{t}$ and action $a_{t}$ , which helps in formulating the policy for action selection. The optimal policy $\pi ^{\ast}$ is determined by selecting the action with the maximum $Q$ value for each state-action pair. In the training of DQN model, individual samples are presented in a triple format $(s_{t}, a_{t}, s_{t+1})$ , where $s_{t}$ , $a_{t}$ , and $s_{t+1}$ correspond to the current state, actual label, and the subsequent state, as illustrated in FIGURE 2. Throughout the training, the reward $r_{t}$ for a specific state $s_{t}$ is contingent on whether the predicted label $\hat {a}_{t}$ aligns with the true label $a_{t}$ . A reward of one is earned if the prediction is correct, while a reward of zero is given if it is incorrect, as illustrated in Eq. 3.

View Source\begin{align*} r_{t} = \begin{cases}\displaystyle 1 & \hat {a}_{t}= a_{t}.\\ \displaystyle 0 & \hat {a}_{t}\neq a_{t}.\end{cases} \tag{3}\end{align*}

FIGURE 2.

The training strategy of the DQN algorithm [28].

Show All

Furthermore, in the prediction phase of the DQN model illustrated in FIGURE 2, a set of $Q$ -value combinations $Q(s_{t},A) = [Q(s_{t}, a_{0}),Q(s_{t}, a_{1}),..Q(s_{t}, a_{b})]$ is computed for each given current state $s_{t}$ , taking into account the available set of labels $A$ . Here, $b$ represents the total number of available labels. Subsequently, a selection process using $\epsilon$ -greedy algorithm is performed to determine an action from the computed set of combinations. This selection process employs either the exploitation concept with a probability of $\epsilon$ or the exploration concept with a probability of $1-\epsilon$ . Likewise, the $Q$ -value of the next state $s_{t+1}$ is computed using the $arg_{a} max(.)$ policy, where $\hat {Q}_{t+1} = max_{a} Q(s_{t+1}, {A})$ . Upon successful completion of the training phase of the DQN model, the model is utilized to predict actions by selecting the action associated with the highest $Q$ function value.

C. Double Deep Q Network (DDQN)

The double deep $Q$ -network (DDQN) is a variation of the DQN, sharing its fundamental structure but diverging in the approach to predicting the next state. DDQN utilizes two deep neural networks, known as the current network and the target network [28], [53]. The former predicts the $Q$ -value for the current state $\hat {Q}_{t}$ , while the latter predicts the $Q$ -value for the next state $\hat {Q}_{t+1}$ . While both networks possess a similar architecture, the target network undergoes updates with a time-delayed synchronization method. This is done to mitigate the issue of a ‘moving target’ during gradient descent calculations for the $(\hat {Q}_{t}-Q_{ref})^{2}$ term. Periodically, the target network’s parameters are synchronized with those of the current network. Other than this distinction, the training and prediction phases of the DDQN model closely resemble those of the DQN model. Upon the successful conclusion of the DDQN model’s training phase, it is deployed for action prediction by selecting the action associated with the highest value in the $Q$ -function. The standard architecture and training procedure for the DDQN scheme can be visualized in FIGURE 3.

FIGURE 3.

The training strategy of the DDQN algorithm [28].

Show All

A. Benign Samples

In this research paper, we employ a real electricity consumption dataset obtained from the Irish Smart Energy Trials [54] to create two distinct datasets. The first dataset is used for training and evaluating the performance of electricity theft detectors, while the second dataset is utilized to construct an attack model for generating adversarial evasion samples. The Irish dataset, publicly available since January 2012 by the Electric Ireland and Sustainable Energy, consists of half-hourly electricity consumption readings from 3, 639 residential consumers. The dataset spans a duration of 536 days, covering readings collected between 2009 and 2010. For our study, we randomly select readings from the smart meters of 130 customers, resulting in a total of 69, 680 benign samples. The electricity theft detection process focuses on a one-day period, where the detector analyzes a set of electricity consumption readings (48 readings) for a specific consumer to determine if electricity theft is occurring. Our attack model is designed to generate the adversarial evasion samples, mimicking the characteristics of real consumption patterns.

B. Malicious Samples

To ensure the effectiveness of an electricity theft detector in accurately distinguishing between benign and malicious electricity consumption samples, it is crucial to train the detector using both types of samples. However, in the case of the Irish dataset, only benign samples are available, and there is a lack of publicly available malicious samples. To address this limitation, we adopt an electricity theft attack methodology proposed in a previous study [11]. This attack involves generating malicious samples by modifying the benign samples. The attack model is functionally represented as $f(x_{i}(t)) = \beta x_{i}(t)$ , where $x_{i}(t)$ stands for the actual electricity consumption readings of a specific consumer $i$ at a given time step $t$ . This function $f(x_{i}(t))$ diminishes the actual consumption value by a stochastic reduction factor $\beta$ , where $0 < \beta < 1$ . The attack’s aim is to emulate malicious behavior by artificially lowering the actual consumption value using $\beta$ .

C. Dataset Preprocessing

To generate malicious samples, we need to determine the parameter $\beta$ for the attack function mentioned earlier. This parameter follows a uniform distribution ranging from 0.1 to 0.4 within the attack function $f(.)$ . Subsequently, we apply the attack function to the benign samples, transforming them into a malicious dataset. Each of the 130 customers contributes 536 daily samples to this malicious dataset, which incorporates both benign and malicious readings. This process results in a grand total of 1,072 samples. When considering the dataset’s time span of 536 days and its coverage of 130 customers, it accumulates a vast total of 139,360 samples. We then divide this dataset into two distinct subsets, each containing 69,680 samples. The initial subset is exclusively reserved for training and evaluating the performance of the electricity theft detectors, while the second subset serves the purpose of constructing the attack model used for generating adversarial evasion samples. To further structure our dataset, we partition both of these subsets into training and testing subsets, maintaining a balanced 2:1 ratio. The training subset consists of 46, 453 samples, and the testing subset contains 23, 227 samples. The entire dataset preprocessing is illustrated and annotated through steps (1 to 4) within the proposed framework, as depicted in FIGURE 4. Additionally, Algorithm 1 provides a detailed explanation of the preprocessing steps.

FIGURE 4.

The proposed attack and defense models framework.

Show All

A. Attack Model

In this section, we introduce two attack models designed to generate adversarial evasion samples using malicious electricity consumption readings. The first model is the DRL-based DDQN model, and the second model is the FGSM-based model. TABLE 1 presents a comprehensive comparison between the DRL-based and FGSM-based evasion models, shedding light on their differences, advantages, and limitations.

TABLE 1 Comparison Between the DRL-Based and FGSM-Based Evasion Attack Models

2) DRL-Based Attack Model

The proposed approach employs DRL to develop a generation agent that can autonomously generate adversarial evasion samples to bypass the electricity theft detector. The attacker creates a substitute model to verify if the generated evasion samples can avoid detection. The attacker assumes that the generated samples that evade the substitute model are also able to pass the electricity theft detector of the utility.

To train the generation agent, the environment provides states to the agent through a sample provider that extracts malicious samples from the second subset of data. The agent employs a trial-and-error approach, leveraging the aforementioned DDQN algorithm and its mechanism for selecting the optimal action, as explained earlier in Section III-C. This action space consists of perturbation values that the generation agent can apply to a malicious sample through a multiplication process, thereby modifying it and generating an adversarial evasion sample. Subsequently, the generated evasion sample undergoes testing to determine its capability to evade the substitute model. The substitute model is trained on the second subset of the dataset, containing both benign and malicious samples. The agent’s reward is contingent upon the output of the substitute model when evaluating the generated sample. If the generated evasion sample successfully evades the substitute model, the generation agent receives a reward of 1; otherwise, the reward is 0.

In this setting, the substitute model is implemented using the DRL-based DDQN algorithm, employing three distinct neural network architectures: CNN, GRU, and FFNN. On the other hand, the generation agent of the attack model is implemented using the CNN architecture within the DRL-based DDQN algorithm. The DRL-based DDQN attack model is visually depicted and annotated in steps (7 [a, b, c], 8) in FIGURE 4. The training phase and the training accuracy of the DRL-based DDQN attack model are both outlined in Algorithm 2 and FIGURE 5, respectively. This figure visually represents the training convergence as accuracy improves with the progressive increase in the number of training batches.

FIGURE 5.

Training accuracy of DRL-based attack model.

Show All

Algorithm 2 DRL-Based DDQN Attack Model Training Algorithm

Input:

Exploration rate $\epsilon$ , learning rate $\alpha$ , discount factor $\gamma$ , batch size $H$ , and training epochs $G$ .

Output:

The optimal action $a^{\ast}$ . and the adversarial evasion sample.

1:

Initiate the action value function $Q(s,a)$ arbitrarily.

2:

Initiate the state $s$ using state generator in recognizable format by the agent.

3:

for $i= 0,1,2,\ldots, G$ do

4:

for each state $s$ in $i$ . do

5:

Input the state $s_{t}$ and the actions set $A$ in the current network in order to predict $Q(s,A)$ for all actions.

6:

Use the $\epsilon$ -greedy policy to select the action $\hat {a}_{t}$ .

7:

Given $s_{t}$ and $\hat {a}_{t}$ , obtain $Q(s_{t},\hat {a}_{t})$ .

8:

Generate the adversarial evasion sample through multiplying the state sample $s_{t}$ with $\hat {a}_{t}$ .

9:

Check whether the generated adversarial evasion sample can evade the substitute model.

10:

Calculate the reward $r_{t}$ .

11:

Input the next state $s_{t+1}$ and the actions set $A$ in the target network in order to predict $Q(s_{t+1},A)$ for all actions.

12:

Use $\arg \max _{a} Q(s_{t+1},A)$ policy to select $\hat {a}_{t+1}$ .

13:

Given $s_{t+1}$ and $\hat {a}_{t+1}$ , obtain $\hat {Q}_{t+1}(s_{t+1},\hat {a}_{t+1})$ .

14:

Using $\hat {Q}_{t+1}$ , $r_{t}$ , and $\gamma$ , Obtain $Q_{ref}$ .

15:

Calculate the loss function.

16:

Update the Q-value $Q(s_{t},a_{t})$ .

17:

Repeat until $s_{t+1}$ is terminal.

18:

end for

19:

Repeat until getting to epoch $G$ .

20:

end for

21:

Compute the optimal policy $\pi ^{\ast}$ and optimal action $a^{\ast}$ .

22:

Execute the optimal action $a^{\ast}_{t}$ at current time slot $t$ and get the adversarial evasion sample.

3) FGSM-Based Attack Model

Additionally, alongside the DRL-based DDQN attack model, we leverage an FGSM-based attack model to generate adversarial evasion samples. The FGSM technique is widely employed in the literature to create such samples by introducing carefully calculated perturbations to the input samples, aiming to cause misclassification of these samples [50], [55], [56], [57]. FGSM presents several distinct advantages. It operates by employing gradients of the loss function, often yielding impactful perturbations that lead to misclassification. Furthermore, it can achieve misclassification with minimal modifications to the input samples. To ensure that these added perturbations remain undetectable to the electricity theft detector, their magnitude must be within an acceptable limit. Thus, mathematically, these added perturbations can be described as follows:

$$\begin{align*} &\min \nolimits _{\delta \vec {x}} |\delta \vec {x}| \\ &{ \text {s.t. }} \hat {f}(\vec {x}+\delta \vec {x}) \neq \hat {f}(\vec {x}) \tag{4}\end{align*}$$ View Source\begin{align*} &\min \nolimits _{\delta \vec {x}} |\delta \vec {x}| \\ &{ \text {s.t. }} \hat {f}(\vec {x}+\delta \vec {x}) \neq \hat {f}(\vec {x}) \tag{4}\end{align*} where $\delta \vec {x}$ represents the adversarial perturbation applied to the input malicious sample $\vec {x}$ , the FGSM method utilizes the sign of the gradient of the cost function $C_{\hat {f}} (\theta, x, y)$ with respect to the model $\hat {f}$ . This gradient is evaluated for the input malicious sample, and its sign is employed to generate the adversarial perturbations described in Eq. 5. The objective is to maximize the value of the cost function to the greatest extent. $$\begin{equation*} \delta _{\vec {x}}=\lambda \mathrm {sign}\left ({\nabla _{\vec {x}} C_{\hat {f}} (\theta,\vec {x},y)}\right), \tag{5}\end{equation*}$$ View Source\begin{equation*} \delta _{\vec {x}}=\lambda \mathrm {sign}\left ({\nabla _{\vec {x}} C_{\hat {f}} (\theta,\vec {x},y)}\right), \tag{5}\end{equation*} Here, $\theta$ , $\vec {x}$ , and $y$ represent the model weights, the input malicious sample and the true label corresponding to $\vec {x}$ , respectively. Meanwhile, $\lambda$ is the parameter that is tuned so that the label produced by the model for the perturbed input data, i.e., $(\vec {x}+\delta \vec {x})$ changes from the malicious label to benign label and deceive the detector.

B. Defense Model

This section focuses on defense mechanisms against the attacks discussed earlier. These mechanisms are divided into two stages.

In the first stage, a DRL-based DDQN detector is employed. The detector is constructed using various neural network architectures, including FFNN, CNN, and GRU. It is trained using the initial subset of the dataset discussed in Section IV-C, allowing it to learn and identify patterns indicative of electricity theft cyber-attacks. It serves as a defense mechanism against evasion attacks, considering that the attacker might exploit adversarial evasion samples generated by either DRL-based or FGSM-based attack models to launch evasion attacks against the detector. The first stage of defense is described in steps 5 and 6 in FIGURE 4.

In the second stage of defense, evasion samples play a crucial role in the subsequent process known as adversarial training [58], [59]. This training significantly boosts a model’s resilience against evasion attacks by enhancing its ability to detect alterations in input data, resulting in improved differentiation between benign and malicious samples. This heightened sensitivity empowers models to make accurate judgments even when facing adversarial variations, thereby reducing the effectiveness of evasion attacks. The primary goal of this training process is to ‘harden’ and reinforce the detector’s defenses, making it more robust and resilient against future attacks. Leveraging the recorded evasion samples, the detector undergoes retraining, reinforcing its ability to identify and respond effectively to adversarial evasion attempts. Within the context of reinforcement learning (RL), adversarial training drives the RL agent to explore and adapt its policy to accommodate unexpected consumption patterns or attack tactics. Through intentional exposure to adversarial influences during training, the agent acquires the ability to make decisions that extend beyond routine situations, displaying resilience against variations and disruptions. Consequently, the agent enhances its capability to consider a wide range of scenarios and actions, enabling well-informed decisions even when confronting perturbed or adversarial observations.

The parameters guiding the adversarial training of the DRL-based DDQN model are outlined in TABLE 2. To gain a comprehensive understanding of the defense procedures, this defense is visually represented by steps 11 and 12 in FIGURE 4. These steps significantly contribute to safeguarding against adversarial evasion samples and enhancing the detector’s capabilities. Additionally, Algorithm 3 provides a detailed explanation of the procedures of this defense, offering insights into their implementation and functionality.

TABLE 2 Parameters of DRL-DDQN Based Attack and Defense Models

A. Metrics

The evaluations of the proposed attack and defense models include the analysis of multiple metrics, such as accuracy, precision, recall, false alarm, false negative rate, highest difference, F-1 score, evasion rate (EVR), attack success rate (ASR), and transfer-ability rate (TR). These metrics rely on the values of true positive (TP), true negative (TN), false positive (FP), and false negative (FN). TP and TN represent correctly classified malicious and benign samples, respectively, while FP and FN denote misclassified malicious and benign samples, respectively. The computation of these evaluation metrics is as follows:

1) Accuracy (ACC)

It represents the proportion of correctly classified test samples by the detector out of the total number of samples in the test dataset, which includes both benign and malicious samples. Mathematically, it is computed using the following equation:

$$\begin{equation*} {ACC (\%) = \frac {TP+TN}{TP+TN+FP+FN}\times 100.} \tag{6}\end{equation*}$$ View Source\begin{equation*} {ACC (\%) = \frac {TP+TN}{TP+TN+FP+FN}\times 100.} \tag{6}\end{equation*}

4) Precision

It represents the proportion of true positive samples to the total number of samples classified as positive by the detector. Mathematically, it is computed using the following equation:

$$\begin{equation*} Precision (\%) = \frac {TP}{TP+FP}\times 100. \tag{7}\end{equation*}$$ View Source\begin{equation*} Precision (\%) = \frac {TP}{TP+FP}\times 100. \tag{7}\end{equation*}

5) Recall

It represents the proportion of correctly identified positive samples to the total number of positive samples in the test dataset. Mathematically, it is computed using the following equation:

$$\begin{equation*} Recall (\%) = \frac {TP}{TP+FN}\times 100. \tag{8}\end{equation*}$$ View Source\begin{equation*} Recall (\%) = \frac {TP}{TP+FN}\times 100. \tag{8}\end{equation*}

6) False Alarm (FA)

It represents the proportion of false positive samples to the total number of negative samples in the test dataset. Mathematically, it is computed using the following equation:

$$\begin{equation*} FA (\%) = \frac {FP}{FP+TN}\times 100. \tag{9}\end{equation*}$$ View Source\begin{equation*} FA (\%) = \frac {FP}{FP+TN}\times 100. \tag{9}\end{equation*}

7) Highest Difference (HD)

It is the difference between recall and false alarm $(FA)$ . Mathematically, it is computed using the following equation:

$$\begin{equation*} HD (\%) = Recall(\%) - FA(\%). \tag{10}\end{equation*}$$ View Source\begin{equation*} HD (\%) = Recall(\%) - FA(\%). \tag{10}\end{equation*}

8) F-1 Score (F1)

It is the harmonic mean between precision and recall. Mathematically, it is computed using the following equation:

$$\begin{equation*} F1 (\%) = \frac {2* Precision*Recall}{Precision+Recall}\times 100. \tag{11}\end{equation*}$$ View Source\begin{equation*} F1 (\%) = \frac {2* Precision*Recall}{Precision+Recall}\times 100. \tag{11}\end{equation*}

11) Transferability Rate (TR)

It quantifies the proportion of evasion samples that successfully bypass both the substitute model and utility detector compared to the total number of evasion samples that only manage to bypass the substitute model. This metric, which is derived from the previous two metrics, provides an indication of the probability that a given sample, which evades the substitute model, will also successfully evade the utility detector. It is computed using the following equation:

$$\begin{equation*} {TR (\%) = \frac {ASR}{EVR}\times 100} \tag{12}\end{equation*}$$ View Source\begin{equation*} {TR (\%) = \frac {ASR}{EVR}\times 100} \tag{12}\end{equation*}

B. Experiment #1

In this experiment, we focused on training DRL-based DDQN global electricity theft detectors using the first subset of electricity consumption readings. Our approach encompassed the generation of distinct training and testing datasets, following the data preprocessing procedures detailed in Section IV-C. Subsequently, we employed the training dataset to train three distinct global DRL-based DDQN detectors, marking the initial phase of our defense strategy. These detectors employed different neural network architectures, including FFNN, CNN, and GRU. The selection of these DL-based architectures was based on their demonstrated superior performance compared to shallow architectures and their widespread use in the literature. Subsequently, we evaluated the performance of the three DRL-based DDQN detectors using the testing dataset. Table 4 provides a comprehensive comparison of the detectors in terms of key metrics such as $ACC, Precision, Recall, FA, HD$ , and $F1$ . From the table, it is evident that the FFNN detector exhibited the lowest performance, which can be attributed to its simpler architecture compared to CNN and GRU. The CNN detector achieved the highest performance, leveraging its convolutional layers to extract crucial features from the electricity consumption data, leading to superior detection accuracy. Likewise, the GRU detector delivered a strong performance, effectively capturing temporal patterns within the input electricity consumption data.

TABLE 4 Comparison Between the Performance of the Different Architectures of DRL-Based DDQN Detectors

C. Experiment #2

In this experiment, we conducted training for DRL-based DDQN and FGSM-based attack models to generate adversarial evasion attack samples, as explained in detail in Section V-A. During this experiment, we simulated a realistic black-box attack scenario, in which the attackers had no knowledge of the utility’s detector. Furthermore, there could be variations in the neural network architectures employed by the attack model and the electricity theft detector, as well as differences in the training datasets used. Additionally, the attacker lacked direct access to the utility’s detector. Therefore, the attacker attempted to create a substitute model to evaluate whether the generated evasion samples could successfully evade detection. The attacker’s assumption was that if the evasion samples were capable of deceiving the substitute model, they would likely also be able to bypass the actual electricity theft detector implemented by the utility. The parameter configurations of the substitute and attack models are provided in TABLE 2 and TABLE 3.

Once the attack models were trained, we utilized the test malicious samples from the second subset, as outlined in Section IV-B, to generate the evasion attack samples. These generated samples were subsequently employed to target the detectors developed in Experiment #1. The outcomes of this experiment, evaluated based on $EVR$ , $ASR$ , $TR$ , and $ACC$ , are presented in TABLE 5. These outcomes demonstrate the superior performance of the proposed DRL-based DDQN attack model compared to the FGSM-based attack model in terms of $EVR$ , $ASR$ , and $ACC$ . The DRL-based DDQN attack model achieves outstanding success, with $EVR$ ranging from 97.921% to 99.982%, $ASR$ ranging from 92.929% to 99.965%, and $ACC$ ranging from 41.210% to 46.563%. This indicates a significant reduction of 41.611% to 46.795% within 95% confidence interval ($CI$ ) of (44.66 ± 1.14)% compared to the corresponding values in TABLE 4. In the same context, the FGSM-based attack model exhibits $EVR$ values between 72.911% and 94.214%, $ASR$ values ranging from 48.479% to 95.484%, and $ACC$ ranging from 44.898% to 65.585%. This indicates a significant reduction of 26.768% to 42.768% within 95%$CI$ of (35.022 ± 3.27)% compared to the corresponding values in TABLE 4. These outcomes highlight the severity of the evasion attacks and the effectiveness of our proposed DRL-DDQN based attack model in computing effective evasion samples that can deceive and bypass the electricity theft detector, particularly in the challenging context of a black box attack scenario and variations in neural network architectures employed by the attack model and the electricity theft detector.

TABLE 5 Comparison Between the Performance of DRL-Based DDQN and FGSM-Based Attack Models Against the Detector

D. Experiment #3

The previous experiment has revealed the detrimental impact of evasion attacks on the performance of electricity theft detectors. Our goal in this experiment, which represents the second stage of defense, is to propose a robust and hardened detector capable of maintaining a consistent detection performance against evasion attacks. To accomplish this, we employ an adversarial training process for the electricity theft detector obtained in experiment #1, leveraging the captured evasion samples from the first defense stage. The procedures of this experiment are visually illustrated through annotated steps 11 and 12 in FIGURE 4 and detailed in Algorithm 3. The results of this experiment, evaluated based on $ASR$ , $ACC$ , $ACC_{adv}$ , and $ACC_{all}$ are presented in TABLE 6.

TABLE 6 Comparison Between the Defense Performance of the Hardened Detector against DRL-Based DDQN and FGSM-Based Evasion Samples

These results validate the effectiveness of our proposed defense mechanism, achieved through the process of adversarial training. This training enables us to enhance the resilience and robustness of the electricity theft detection model against evasion attacks. Specifically, when considering DRL-based evasion samples and comparing to the corresponding values in TABLE 5, which represent the detector’s performance without adversarial training, we observe a substantial decrease in $ASR$ , ranging from 1.80% to 9.20%, indicating a significant reduction of 83.72% to 98.16% within 95%$CI$ of (94.09 ± 3.05)%. Additionally, there is a significant increase in $ACC$ , ranging from 85.05% to 93.26%, representing an improvement of 39.81% to 46.75% within 95%$CI$ of (34.85 ± 1.6)%.

Furthermore, notable enhancements are observed in $ACC_{adv}$ and $ACC_{all}$ , with values ranging from 92.31% to 97% and 88.85% to 95.18%, respectively. Similarly, for FGSM-based evasion samples, comparing the results to the corresponding values in TABLE 5, we find a decrease in $ASR$ in the range of 0.67% to 14.4%. This showcases a reduction trend of 46.34% to 76.49% within 95%$CI$ of (63.05 ± 7.58)%. Moreover, there is a significant increase in $ACC$ , ranging from 84.03% to 92.76%, indicating an improvement of 25.06% to 42.29% within 95%$CI$ of (33.50 ± 3.31)%. Additionally, significant improvements are observed in $ACC_{adv}$ and $ACC_{all}$ , with values ranging from 79.98% to 96.5% and 81.99% to 93.59%, respectively. The basis for these improvements in the detector’s effectiveness lies in the adversarial training, which drives the RL agent to investigate and update its policy to accommodate unexpected shifts in consumption behaviors or attack methods. This empowers the agent to become proficient at making optimal decisions and broadens its capability to handle diverse scenarios and actions, enabling informed choices even when confronting adversarial perturbations or attacks.

E. Experiment #4

Following the promising results of the previous experiment, the focus of this study shifts to investigating whether the DRL evasion samples-based defense model can defend against FGSM-based adversarial evasion samples, and vice versa. Our objective is to examine the model’s ability to defend against evasion attacks originating from different attack methods. In the first phase of the experiment, we subject the adversarially trained hardened detector, which was initially trained exclusively on DRL-based evasion samples, to attacks using FGSM-based evasion samples. The outcomes, as presented in TABLE 7, reveal the detector’s vulnerability, with an $ASR$ ranging from 62.008% to 91.568%. To strengthen the defense mechanism, we proceed to apply adversarial training to the detector using both DRL-based and FGSM-based evasion samples. This comprehensive training approach yields remarkable performance, significantly reducing the $ASR$ to a range of 0.604% to 10.715%. Additionally, notable improvements are observed in key evaluation metrics: $ACC$ , $ACC_{adv}$ , and $ACC_{all}$ , with values ranging from 84.774% to 93.883%, 84.801% to 96.328%, and 84.751% to 95.161%, respectively.

TABLE 7 The Defense Performance of the Adversarially Trained Hardened Detector Using DRL-Based Evasion Samples Against FGSM-Based Evasion Samples

Furthermore, in the second phase of the experiment, we examine the impact of using an adversarially trained hardened detector, initially trained exclusively on FGSM-based evasion samples, to defend against DRL-based evasion samples. The outcomes, presented in TABLE 8, also reveal the detector’s vulnerability to the evasion attack, with an $ASR$ ranging from 97.462% to 97.750%. However, when the hardened detector is adversarially trained on both DRL-based and FGSM-based evasion samples, a reduction in $ASR$ is achieved, ranging from 2.197% to 3.832%. Moreover, significant improvements are observed in $ACC$ , $ACC_{adv}$ , and $ACC_{all}$ , with values ranging from 86.005% to 93.007%, 93.947% to 95.526%, and 90.167% to 94.308%, respectively.

TABLE 8 The Defense Performance of the Adversarially Trained Hardened Detector Using FGSM-Based Evasion Samples Against DRL-Based Evasion Samples