False Data Injection Attack Detection based on Hilbert-Huang Transform in AC Smart Islands

In Smart Island (SI) systems, operators of power distribution system usually utilize actual-time measurement information as the Advanced Metering Infrastructure (AMI) to have an accurate, efficient, advanced control and monitor of whole their system. SI system can be vulnerable to complicated information integrity attacks such as False Data Injection Attack (FDIA) on some equipment including sensors and controllers, which can generate misleading operational decision in the system. Hence, lack of detailed research in the evaluation of power system that links the FDIAs with system stability is felt, and it will be important for both assessment of the effect of cyber-attack and taking preventive protection measures. In this regards, time–frequency-based differential approach is proposed for SI cyber-attack detection according to non-stationary signal assessment. In this paper, non-stationary signal processing approach of Hilbert–Huang Transform (HHT) is performed for the FDIA detection in several case studies. Since various critical case studies with a small FDIA in data where accurate and efficient detection can be a challenge, the simulation results confirm the efficiency of HHT approach and the proposed detection frame is compared with shallow model. In this research, the configuration of the SI test case is developed in the MATLAB software with several Distributed Generations (DGs). As a result, it is found that the HHT approach is completely efficient and reliable for FDIA detection target in AC-SI. The simulation results verify that the proposed model is able to achieve accuracy rate of 93.17% and can detect FDIAs less than 50 ms from cyber-attack starting in different kind of scenarios.


I. INTRODUCTION
Cyber Physical Systems (CPSs) usually concentrate on connecting the physical globe to the cyber and digital world; also they are greatly utilized in the control of various industrial systems until several individuals can be able to grasp numerous kinds of required information in the real time [1]- [3]. The usage of CPS has a prominent potential of using in some fields including power distribution systems and sewage treatment plants. However, CPS safety subjects include integrity, confidentiality and availability, which are different from traditional cyber-security problems. The SI is responsible for monitoring, operation and control of transmission and distribution of electrical systems that can remarkably develop the reliability and efficiency of the power and energy systems.
The associate editor coordinating the review of this manuscript and approving it for publication was Eklas Hossain .
If such systems fail, they might have several negative and harmful effects on other systems, and can lead to short-term or long-term collapse in important infrastructures [4], [5]. Nowadays, numerous countries in the world regard the power network system as a pivotal infrastructure and have formed and stablished security and safety measures and related policies for this important issue [6]. Additionally, modern power systems, these days, are becoming more and more complex in the design and architecture; the phasor measurement units (PMUs) were accepted to develop the reliability of system. One of the advantages of this structure is the ability of making fast decisions by utilizing the collected information and data. Nevertheless, hackers are able to exploit vulnerabilities to intentionally causes of overloaded tripping of branches which might trigger a cascading fault and therefore impose considerable harms to the SIs [7], [8]. Consequently, the operators should take full account of the possibility of grid attack in controlling, operation and monitoring to deal with the power network protection that requires the expertise of the grid and remarkable energy. As a main component of the proposed approach, Hilbert-Huang Transform (HHT) can be employed. References [9], [10] presented HHT for reduction and decomposition in the dimensionality of a signal. Generally, HHT includes two steps: first, performing a data-adaptive decomposition approach named Empirical Mode Decomposition (EMD), and second, applying Hilbert spectral assessment to the decomposed signals which named Intrinsic Mode Functions (IMF's). Additionally, EMD can have several advantages and benefits over the Fourier assessment in which firstly, the oscillations embedded in every signal would be extracted adaptively and automatically from the signals; secondly, it would be relatively simple to perform; and thirdly, it would be specifically robust for every non-stationary and non-linear signal. In addition to this, EMD efficiently can capture non-linear specifications with regards to the frequency and amplitude modulations by local time scale. While IMF's are taken, Hilbert spectral assessment gives frequency data changing over period of time which is a major component of assessment for every non-stationary signal including cyber-attack signals.

Concepts such as Microgrid (MG), Smart Grid (SG) and
Smart Island (SI) in AC and DC power systems with advances in digital communication technologies have received more attention in the past few years. Recently, several researchers and studies have highlighted the vulnerability of traditional AC and DC state estimators to the FDIAs in that an adversary is able to present manipulated measurements to the mislead operation systems [11]. Some kind of attacks are able to bypass common Bad Data Detection (BDD) in the State Estimation (SE) as the measurement remnants with FDIAs are the same as the measurement residuals with no FDIAs. In the FDIAs, the attacker can have aims to mislead the SE of the system mechanism using sending corrupted measurements which in turn will successfully and effectively pass the BDD module and can bring mistake estimation in one or more of the state variables.
One important point is that choosing the suitable set of measurements to exploit between the accessible meters can be more complicated. AC state estimators have been safe against FDIA as long as the authors of the paper [12] showed that even though attacks aiming DC state estimators might not pass BDD in every AC-SE; nonetheless, an adversary still was able to inject false data attack into the AC-SE, thus, we observed that both AC and DC SE approaches were vulnerable and fragile to the FDIA. In reference [13], nonlinear FDI attacks with inaccurate and wrong data were introduced. Authors in the reference [14] displayed that an attacker was able to do FDI attack on the sub-grid without having full data about the whole power grid.
Another crucial point is that as an attacker, the issue of finding the attack vector could be in general NP-hard [15]. For this purpose, professionals and experts have suggested some attack vector construction approaches taking into account centralized and decentralized models. In reference [15] authors have presented a greedy approach to seek for a subsystem of measurement to be preserved by PMUs. Authors in paper [16] proposed a connection between grid observability and attack detectability by a graph-theoretic design. Machine learning approaches have also been presented in reference [17] to find stealth attacks (SA) in SE. Cyber-attacks, also, in systems like Supervisory Control And Data Acquisition (SCADA) can be very perilous, therefore, for such systems this should be used in a particular path [18]- [20]. There is a prominent amount of publications on CPS in recent years which a survey of this can be found in the paper [21]. Furthermore, authors of the paper [22] utilized noise fingerprint processing and sensors in order to address stealthy cyber-attack problems in CPS, and validated an approach in a data set from an actual-globe water treatment plant, which in this study the results displayed that the precision was about 98.1 percent. In reference [23] authors presented a Multi-Modal Luenberger observer that could be able to isolate the attacked sensors and SE of the basic dynamics of the remaining sensors and their methods could be able to be performed to large-scale CPSs. Reference [24] proposed a semantic system grid-based orientation detection to find attacks on control processing with utilizing grid traffic from water and sewage plants. Such kinds of studies display the emphasis on research in CPS safety; particularly, in the SGs that include CPSs. The PMU or synchro-phasor was built upon the cyber layer to serve real-time information [25] which can act as a bridge among physical and cyber amplitudes [26]. Besides, machine learning approaches have also been performed to intrusion detection related issues; following studies can be found in references [27]- [30]. Authors of the paper [27] presented a machine learning behavior-based method for the intrusion detection, and the data set that they utilized was Secure Water Treatment (SWaT)-generated information from eighteen attacks with ten type models. In paper [28] authors utilized a rapid one-class category method that overcomes the disadvantages of high sensitivity to the outliers; also, the presented approach was examined on an actual data set from distribution systems of drink water in France. In paper [29] authors utilized a method named One Class SVM (OCSVM) technology to discover SCADA grid intrusion.

B. MOTIVATION AND PRINCIPAL CONTRIBUTIONS OF THIS PAPER
In this study, we propose an HHT-based approach to draw out the dominant ingredients of a signal according to those ingredients. The suggested approach can be categorized into two parts: first, a signal will be decomposed using EMD; and second, meaningful IMF's ingredients will be opted using Hilbert spectrum. In this regards, the suggested approach will bring about development of FDI detection accuracy in AC-SI.
In the system, HHT is going to extract the state features of system, and define a threshold to detect AC-FDIA from VOLUME 8, 2020 usual operation occurrences. The principal contributions of this study are mentioned as follows: • This paper is located between the pioneering research of the use of HHT in the FDIA detection studies to diagnose an attack that is new and effective.
• The suggested method is going to identify FDIA in the AC-SI, specifically new attack templates with imperfect power grid data.
• In this work, the presented mechanism will be evaluated with the recently introduced FDIA template in SI case studies. The obtained results of the simulation confirm the accuracy and satisfactory of attack detection and the rate of false alarm.
• The test of parameter sensitivity is performed to assess the efficiency and accuracy of the suggested method.

C. PAPER STRUCTURE
The article will be organized as follows. In Section II, we will introduce the HHT approach and main concepts of FDI. In Section III, we will evaluate the SI information utilizing HHT, and also, their ability for FDI attack detection in different case studies will be presented. In Section IV, we will discuss obtained results of the simulation, and finally in Section V, we will present the conclusions of the study.

II. BASIC CONCEPTS A. HILBERT-HUANG TRANSFORM (HHT)
The growth of HHT is basically caused by the requiring and describing nonlinear waves with changes in these signals in non-constant processes [31]. HHT consists of 2 different operations, Hilbert Transform (HT) and EMD, and these two operations have to be performed sequentially.
A) Experimental mode analysis: The basic part of the HHT is EMD. This is a sieving process that breaks down the signal into a number of internal states. The main signal S(t) can be given in the equation (1).
It is noted that the first IMF (IMF1) c 1 (t) consists of the highest signal processing frequency and is often utilized as the input for subsequent processing with HT [31]. B) Hilbert transform (Conversion): by considering IMFs which is derived using the EMD approach, HT can be used for any component of the IMF which is defined in equation (2).
Considering this equation, ci(t) and H [c i (t)] are able to figure a complicated conjugate pair, that generates the analytic signal z i (t).
Meanwhile, z i (t) can be given as the equation (4) Combined with instantaneous amplitude a i (t) and phase θ i (t) gives equation (5); and The instantaneous frequency ω i (t) can be given by As a result, the original data can be given in the form of equation (8): where, the remnant r n (t) is remained and Re0 represents the real part of a complicated quantity. Also, the signal spectral energy can be given in equation (9).

B. FDIAS THREATS
Owing to the complication and fragility of the data transfer procedure in power CPS, many hackers might attempt to manipulate sensor measurements, inject incorrect into controlling commands and topological parameters, replay or postpone sensor observations, and also carry out many other destructive measures. As can be seen from the Figure 1, the operations of achieving, transmitting, and integrating measurement are threatened using stealthy FDIAs, which are now recognized as one of the most dangerous threats to CPS of power network. Depending on the different ways of attack, FDIA attack scenarios can be identified as follows: A) Tune using readings of some sensors including different intelligent user meters, PMU and Remote Terminal Units (RTUs). B) Directly attacks to communication grids. C) Infiltrate the SCADA system and the Main Domain Controller (MDC).
The final aim is to divide the accuracy and integrity of the measurements to provide accurate and sufficient observations and operational limitations are used for SE to deduce the operating modes of the system in smaller quantities and then it helps the control center decide. Owing to the risk of the predetermined subset, hackers can infect SE results to mislead operators which lead to wrong decisions, and even touch additional problems and power outages [32].
Therefore, it is important to figure out the AC-FDIA attack mode, which can provide an opportunity for CPS of power systems to increase reliability and performance economics by developing appropriate interactions

C. MAIN CONSTRUCTION OF AC-FDIAs
Hackers launched the FDIA by injecting false data into the attacker's vector z = [z 1 , z 2 , . . . , z m ] T in order to disrupt the AC-SE which is given in the equation (10), where, z generally consists of magnitudes of voltage and phase angles, complicated load injections at branches, complicated load flows on branches which included of forward and backward directions); x = [x 1 , x 2 , . . . , x n ] T defines the state vector (SV) that included of phase angles and voltage magnitudes; h(·) defines the nonlinear measurement function among SV x and measurement vector (MV) z, that belongs the physical parameters and features and also grid topology of the system. Hence, measurement error vector e = [e 1 , e 2 , . . . , e m ] T will be the matter for the Gaussian white noise (WN) division by covariance R. In experiment, weighted least square (WLS) approach is a common method to solve static ACSE [12].
Due to the failure of communications or electromagnetic interference, bad data is often present in the measurement, which can bring about remarkable errors and faults in estimating system modes. Therefore, the BDD module of EMS is used to identify them that are based on the Largest Normal Residual (LNR) approach. By assuming that the change vector of the SV x is determined as c, the residuals of the system measurement before and after the attack would be r and r a . In general, natural measurements z can cross the LNR-based BDD module, by calculating the l 2 − norm of the residual measurement in order to detect bad measurements, we can define equation (11): where in the equation (11), γ represents the detection threshold of LNR-based BDD module. Whenever the z-measurement vector is injected into the false data, the effect of FDIAs on the BDD module can be as follows: where in the equation (12), z a defines the compromised measurement vector. In time of circumvent the BDD module to remain stealthy, whenever hackers become familiar with the topology of system and can have access to measurements, the attack vector have to be constructed which is given in equation (13).
It should be noted that, in this case, the LNR value would be unvaried after attack which means r a = r ≤ γ . Unlike ideal conditions, it is highly unlikely for a hacker to gain full knowledge of the system in practice. To address this limitation, based on the attack model introduced in [14], we obtain a sufficient number of practical AC attack samples that they just need low prerequisites measurements in the attacking area along with the border buses.

D. SMART ISLAND
Defining an island as intelligent and smart is related to its ability to implement integrated solutions for managing infrastructure and natural sources, called energy, mobility and transportation, water and waste; all whenever promoting using new and comprehensive social programs, governance and funding plans. Introducing outstanding technologies along with proper environmental management consists of landscape protection and logical using of coastal and marine sources, is an important part to fostering sustainable economic and development activities on the islands. In addition, using information and communication technology (ICT) ensures the availability of reliable data to improve efficiency, VOLUME 8, 2020 can decrease costs and increase the quality of local communities' life, is of paramount importance features the SI concept. With the growing trend towards a new type of energy market, in that energy supply has been increasingly decentralized, new forms of commercial models are emerging; consumers are controlling their energy generation and consumption, and technologies innovatively penetrate the market like smart meters and electric vehicles (EVs) with priority of demand management, so, islands appear as the ideal lands for testing new technologies and scalable processes with the participation of all relevant actors, such as government officials, water and electricity, market players, network operators, and citizens.
However, because of these common trends, the inactivity of politics and technology, along with the ongoing economic crisis, prevent the islands from completely exploiting their potential to host sustainable and innovative plans. This is because of a wide range of factors. Such tests and scales of innovative applications are considered as risky endeavor, thus, new technological solutions can have challenges in systems and economies of the island, and finally, technologies and their consequences are not often fully understood in different areas. In contrast with this drawback, the islands have to build the groundwork for better understanding of their potential and assessing priorities. This allows them to take a holistic approach when developing and performing new projects, including economic, social and environmental considerations. Therefore, before an island is able transform itself into a SI; it should be better first to find out precisely where it is in relation to other regions by setting appropriate indicators to measure, monitor, and evaluate effects. It allows sustainable islands to ensure that their ecosystems are exploited while taking advantage of their comparisons. Environmental CPSs are often utilized to monitor for understanding behaviors, and controlling the physical globe [33].
Because the representative CPS program is emerging, the expansion of SIs has been seen. SI is a relatively new form of power distribution system which connects power lines such as traditional power grids as well as ICT infrastructure to smart meters, which might be in the form of specialized tools including telephones, mobile, laptops or other gadgets in the island in oceans. Many of these SI devices allow data systems to accomplish predictive assessment, which can balance the generation and consumption of electricity in the network system. Real-time pricing, for instance, gives consumers and suppliers' worthwhile clues to aid manage their demand and energy resources. As a result, energy distribution that is able to control the processes of energy production, consumption and transmission can be carried out in a more efficient and dynamic way.
Nonetheless, the incongruity, variety, and intricacy of SIs provide fundamental challenges to ensuring the overall integrity of the system [34]. This matter is because in the SIs, network inference and decision-making might be carried out on local smart components than on preserved control centers. Thus, unlike common power networks where most attacks and failures are transferred from physical access to important facilities [35], the widespread use of SI components invites most of these anomalies from cyber substructures. A common SI attack is a FDI that can be utilized to distort real power demand and supply resources. Therefore, energy distribution might be incorrect, leading to further costs or even more destructive risks. It is necessary to trust such systems and achieve security because national security and not only cyber security can be compromised. Nonetheless, new countermeasures against the FDI have concentrated on the traditional state of the power systems [34], in that FDI attacks on physical meters are performed rather than intelligent and smart components [35]. Regardless of cyber-attacks and the distributed design of SI substructure, these methods might not dedicate any positive result with the full protection that need to quickly make a decision for any local smart device or component according to the status information. Considering all the above mentioned issues, in this paper, a method which can be easily performed on every smart island to detect FDI in real time is presented.

E. PROPOSED FDIAS DETECTION SCHEME
Because the false attack vector satisfies Kirchhoff's basic underlying rules, it can escape the remaining BDD and bring the system modes to deviate from normal events. Nevertheless, we are going to make it clear that there is time interdependence among dynamic system states, which allows hackers to monitor the system for a long time and continuously manipulate all relevant measurements to produce non-FDIA detection given a temporary correlation. This complicated form of attack would be infeasible to create in the actual power utilities [28].
Considering this issue, instead of out-of-line training and the scattering of recognizing attack behaviors in previous   works, in this part, a real-time FDIAs detection mechanism to identify possible attacks by recording changes in temporal correlation properties between states of the systems is introduces. Figure 2 displays the main structure of the presented FDIA identification mechanism in real time. The signals are retrieved and then the signal is processed by HHT to detect the cyber-attack in AC SI.  [36], [37]. Some units in this MG are in the voltage frequency mode. They are responsible for stabilizing the voltage of MG. Figure 4 illustrates the power circuit of a typical three-phase inverter which connected to MG. For simplicity, in this study, the single-phase system is examined first; the equations are then generalized to these types of three-phase inverters that the topology of all three phases being the same as the single-phase system.

III. CASE STUDIES A. SMART ISLAND MODEL
The block diagram of used single-phase inverter is displayed in Figure 5 [36,37]. The LC output filter was used to reduce the harmonic components of the output VOLUME 8, 2020 The state equations in the single-phase inverter depicted in the Figure 5 are given in formulas (14) and (15).
where, V INV = uV dc is the output voltage of inverter; u represents the input signal of controller. By combining formulas (14) and (15) gives equation (16) d dt where in this equation, both capacitor voltage (V o ) and inductive current (I L ) are chosen as the state variables. V dc also represents the DC link voltage or Uninterruptable Power Supply (UPS). I o and I c define the filter output current and the capacitor current, respectively. Based on sliding mode controller, the index of cyberattack detection for FDIA in voltage and current parameters is defined in equation (17) and (18) [36], [37]. (17) S I = z − z base (18) where S V and S I (switching surface of voltage and current) is the voltage index and current index for cyber-attack detection, respectively, which are applied as a input of Huilbert-Huang transform. λ is a positive number, x and z are the SI voltage and current, respectively. x base and z base are the base voltage and current of SI, respectively. x base has a constant amplitude and frequency. z base is measurable for each agent. In this paper, the considered autonomous AC-MG is displayed in Figure 6.
DC sources are connected to each other by DC-AC inverters via tie lines, thus forming the physical layer of the MG. Every DC-AC inverter works to maintain the output voltage according to the values of reference generated by the main and secondary local controllers. In this article, the unexplained cyber chart from the communication grid has been considered to send and receive data from its neighbors. In addition, they are repeatedly connected at the output of the converter of each unit.
The suggested attack detection scheme is performed on a cyber-physical AC-MG as displayed in Figure 6(b) with V ref = 110sin(2 * pi * 60). V includes three factors of equal capacity connected to each other through resistance lines. It is important to mention that every agent includes a battery factor with DC / AC inverters are shown in Figure 6 (a). In order to test the performance and feasibility of the presented attack      detection strategy for the AC-MG cooperative, several attacks including the FDIAs have been tested on multiple sensors, which are not usually detected by distributed observers an is necessary to confirm security. The control system and parameters were presented in our previous work in the reference [37]. Another important point is that every event in the above scenarios is divided by a certain time interval for a better understanding.
Case Study I: Instability arising from injecting an attack by changing the amplitude of voltage signals.
In this part, an example of a FDI cyber-attack on the voltage range is stated. An attack can be on a voltage measuring sensor, the amount sent via wireless or fiber optic, or the reference value given in the controller or changing the values of the controller. To better understanding the issue, the attack started and ended in a period of time. The attack started at 0.2 seconds and ended at 0.4 seconds. Sample simulation results are shown in Figure 7. Figure 7(a) is the intelligent island network voltage to which the FDI attack has been reported in time. Figure 7(b) shows the Hilbert-Huang conversion under different IMFs along with the residual value. Figure 7(c) Hilbert-Huang spectral energy shows the S v index signal, which is able to detect a cyber-attack by determining the threshold at 1000. This value (1000) is obtained according to experimental results. The detection time is less than 5 ms from the FDIA occurred.
Case Study II: Instability arising from injecting an attack by changing the frequency of voltage signals.
In this part, an example of an FDI cyber-attack on the voltage signal frequency is described. The attack can be on a voltage measuring sensor, or the amount sent via wireless, or fiber optic, or the reference value given in the controller, or changes the values of the controller. To better understanding the issue, the attack began and ended over a period of time. The attack started at 0.2 seconds and ended at 0.4 seconds. The simulation results of the sample are shown in Figure 8. Figure 8(a) is the intelligent island network voltage to which the FDI attack has been reported in time. Figure 8(b) shows the Hilbert-Huang conversion under different IMFs with residual value. Figure 8(c) Hilbert-Huang spectral energy shows the S v index signal, which can detect a cyber-attack by determining the threshold at 1000. The detection time is less than 5 ms from the FDIA occurred.
Case Study III: Instability arising from injecting an attack by adding a white noise to the voltage signals.
In this section, an example of a FDI cyber-attack on a voltage signal is expressed by adding white noise to the voltage signal. The attack can be on a voltage measuring sensor, the amount sent via wireless or fiber optic. To better understanding the issue, the attack began and ended over a period of time. The attack started at 0.2 seconds and ended at 0.4 seconds. Sample simulation results are shown in Figure 9. Figure 9(a) is the intelligent island network voltage to which the FDI attack has been reported in time. Figure 9(b) shows the Hilbert-Huang conversion under different IMFs along with the residual value. Figure 9(c) Hilbert-Huang spectral energy shows the S v index signal, which is able to detect a cyber-attack by determining the threshold at 1000. The detection time is less than 50 ms from the FDIA occurred.
Case Study IV: Instability arising from injecting an attack by changing the current signal on agent II.
In this part, an example of a FDI cyberattack on signal flow of units II is described. An attack can be on a current measuring sensor, the amount sent via wireless or fiber optic, or the reference value given in the controller, or changing the values of the controller. In order to better understanding the issue, the attack began and ended over a period of time. The attack started at 0.2 seconds and ended at 0.4 seconds. Sample simulation results are shown in Figure 10. Figure 10(a) is the intelligent island network voltage. Figure 10(b) shows the flow of the production unit II that was attacked by the FDI, which was declared the FDI attack. Figure 10(c) shows the  Figure 10(d) Hilbert-Huang spectral energy shows the signal of the S_I index, which is able to detect cyber-attack by determining the threshold of 1000. The detection time is less than 5 ms from the FDIA occurred.
Case Study V: Load changing. In this part, the behavior of the system under load changes is examined; the Hilbert-Huang spectral energy index of the S v voltage index and the S I current, which is used as the FDI detection index, has been investigated during load changes. Sample simulation results are shown in Figure 11. Figure 11(a) is the SI network voltage. Figure 11(b) shows the unit load current. As can be seen, the resistive and ohmic loads are connected to the network at 0.2 and 0.4, respectively, and are disconnected both times at 0.5. It is also connected to the system nonlinearly 0.5 times. Figures 11(c) and 8d show Hilbert-Huang spectral energy signals S v and S I , respectively. As can be seen, it is less than the threshold value for detecting a cyber-attack, and in this method, the FDI attack is distinguished from load changes.

IV. DISCUSSION ABOUT SIMULATION RESULTS
Generally, it is said that when an issue is considered as a cyber activity, it can be a positive decision. In contrast, it is a negative decision when the model of anomaly detection recognizes as a normal behavior. The true decision is made whenever the pattern of abnormal detection is correct. As a result, it is obvious that a wrong decision indicates a wrong reaction from the cyber-attack detection model. Based on this, it can be concluded that a suitable model for detection anomalies is a model with a low false rate. According to these definitions, we can define 4 different type named: False Alarm Rate (FAR), Hit Rate (HR), Correct Reject Rate  (CRR), and Miss Rate (MR). In order to better understanding of these issues, Table 1 gives the confusion matrix.
To verify the efficiency and validation of suggested Hilbert-Huang transform in FDI attack detection, different sample test is applied. The performance of the proposed detection scheme is assessed through applying the FDIA layout and the evaluation results are displayed. The efficiency of suggested detection scheme is analyzed through applying the FDI attack model and the evaluation results are in Table 2. In addition, to show the efficiency of proposed cyber-attack detection frame, it has been compared with Shallow model.

V. CONCLUSION
The positive point of using HHT in cyber-attack detection is that the signals in the SI are unstable, meaning that their frequency changes with time. Hence, in this paper, HHT has been presented to compute spectral energy for FDI attack detection applications in AC Smart Islands. The presented technique successfully identified the true time of the cyber-attack by displaying a dramatic deviation in the time frequency spectrum at the time of the FDIA occurrence in AC-SI. The suggested scheme is able to detect FDIAs such as cyber-attacks in current and voltage signals of sensor or transmission data from wireless or fiber optic from common system operating status variations like load variation. The simulation results on a test SI demonstrated and proved the high performance and effectiveness of the proposed scheme, especially in the FDI attack detection, where the presented model was able to gain accuracy rate of 93.17% (3% more than detection based on shallow model). Additionally, the suggested protection scheme is able to detect FDI less than 50 ms after cyber-attack is started in different scenarios and it would be simple and easy to perform.