Cyber-Physical Power System: History

With the rapid development of power grid informatization, the power system has evolved into a multi-dimensional heterogeneous complex system with high cyber-physical integration, known as the Cyber-Physical Power System (CPPS). Network attacks, in addition to faults, have become an important factor restricting the stable operation of the power system.

  • CPPS
  • network attack detection

1. Background

The power system is a strategic system for national economic development, and its stable operation ensures the energy supply required for economic development. As the amount of electricity consumed by citizens rises, the scale of the power system is growing, the network structure is becoming more complicated, and the requirements for preventive control of power system stability are increasing [1,2,3]. With the gradual progress of smart grid construction, the rapid development of power measurement technology and power communication technology, large amounts of data such as wide-area measurement and external information (environment, meteorology, society, etc.) are connected to the grid. The power system has developed into a CPPS, which has the characteristics of multi-source information interaction and high-dimensional time-varying nonlinearity [4,5]. The dependence of physical devices on communication channels makes network security more difficult, and it raises the potential of network attacks on power systems in particular. Following transient factors, network attacks have become another key factor affecting the stable operation of the power system [6]. Unlike network attacks on the Internet, network attacks on CPPSs are designed to cause large-scale chain failures, causing widespread power supply interruptions and irreversible damage to the power system. Therefore, detecting network attacks and defects on the power system quickly and accurately, as well as providing a foundation for developing appropriate defense measures, is a crucial part of ensuring the power system’s safe and stable functioning [7,8].
The smart grid detects abnormal data and abnormal events through state estimation, but traditional state estimation methods cannot meet the fast calculation requirements of multidimensional heterogeneous data, and their level of intelligence is relatively low [9]. As machine learning theory develops, its application to CPPS network attack detection is becoming increasingly common [10,11,12]. Ensemble learning algorithms, as a branch of machine learning algorithms, combine detection efficiency and accuracy without the need for complex time–frequency domain modeling calculations. The deployment of a wide-area measurement system provides large sample data support for ensemble learning algorithms. Therefore, the ensemble learning algorithm has certain advantages for network attack detection [13,14]. However, in a dataset sampled from a closed system, the lack of network attack samples poses a serious challenge to the training precision of the machine learning model. The lack of network attack samples causes serious data imbalance, which further lowers the precision of network attack and fault detection. In the physically measured data, the network attack samples and the fault samples show a high degree of similarity. Classic machine learning algorithms suffer from an insufficient detection rate and a high false detection rate [15].
To address the above problems, this paper proposes a network attack and fault detection method with an ensemble classifier; the method has been verified to apply to the following attack types: false data injection attack, control signal tampering attack, and fragile device attack. A pseudo sample generation strategy is used to overcome the low detection precision caused by failures and insufficient network attack samples. At the same time, we constructed and improved the LightGBM ensemble classifier to further improve the detection precision of network attacks. The paper also proposes a reliability evaluation method for the network attack detection model. The main contributions to the quantitative analysis of power system security under the action of the network attack detection model are as follows:
(1) Imbalanced datasets where the majority of samples are benign may lead to high rates of false alarms. To overcome the problem, a centralized SMOTE oversampling approach is presented to obtain sufficient network attack pseudo data and implement data balancing processing. The MRMR feature selection method is used to reduce the dimension of the data, reduce the training time of the network attack detection model, and improve the efficiency of network attack detection.
(2) Based on the focal loss, a LightGBM-integrated learning classifier is built to correct errors during model iterations and increase the attention weights for misclassified samples. During the iterative process, the classification accuracy of such samples improves, increasing the efficiency of network attack and fault detection in general. The final attack detection rate is improved by 16.73%, and the precision is improved by 15.67%.
(3) In the process of data flow transmission, the vulnerability index of each cyber-physical node is abstracted. Under the influence of network attacks, the vulnerability of the whole cyber-physical system is comprehensively quantified.
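
An added example, not code from the paper or from LightGBM: the per-sample gradient and Hessian of a binary focal loss, in the form a gradient-boosting custom objective returns, showing how contribution (2) shifts weight onto misclassified samples. The `gamma` and `alpha` values, the Hessian floor, and the sample scores are assumptions chosen for illustration.

```python
import math

EPS = 1e-12  # keeps log() and the true-class probability away from 0 and 1

def _pt_at(z, y, alpha):
    """Probability and class weight of the true class (y: 1 = attack, 0 = normal)."""
    p = 1.0 / (1.0 + math.exp(-max(min(z, 30.0), -30.0)))
    pt = p if y == 1 else 1.0 - p
    return min(max(pt, EPS), 1.0 - EPS), (alpha if y == 1 else 1.0 - alpha)

def focal_loss(z, y, gamma=2.0, alpha=0.75):
    """FL = -alpha_t * (1 - p_t)^gamma * log(p_t) for one sample with raw score z."""
    pt, at = _pt_at(z, y, alpha)
    return -at * (1.0 - pt) ** gamma * math.log(pt)

def focal_grad_hess(z, y, gamma=2.0, alpha=0.75, hess_floor=1e-6):
    """First and second derivative of the focal loss w.r.t. the raw score z."""
    pt, at = _pt_at(z, y, alpha)
    sign = 1.0 if y == 1 else -1.0           # d(pt)/dz = sign * pt * (1 - pt)
    v = gamma * pt * math.log(pt) + pt - 1.0
    grad = sign * at * (1.0 - pt) ** gamma * v
    hess = at * pt * (1.0 - pt) ** gamma * (
        -gamma * v + (1.0 - pt) * (gamma * math.log(pt) + gamma + 1.0))
    # Focal loss is not convex in z: the Hessian turns negative for badly
    # misclassified samples, so it is floored before a booster divides by it.
    return grad, max(hess, hess_floor)

def focal_objective(scores, labels, gamma=2.0, alpha=0.75):
    """Per-sample (grads, hessians) lists, the shape a custom boosting objective returns."""
    pairs = [focal_grad_hess(z, y, gamma, alpha) for z, y in zip(scores, labels)]
    return [g for g, _ in pairs], [h for _, h in pairs]

# Constructed scores: a missed attack, a confidently correct normal sample,
# and a confidently correct attack.
SCORES, LABELS = [-2.0, -3.0, 4.0], [1, 0, 1]

if __name__ == "__main__":
    for g in (0.0, 2.0):
        grads, _ = focal_objective(SCORES, LABELS, gamma=g, alpha=0.5)
        print(f"gamma={g}: missed-attack / easy-normal gradient ratio =",
              round(abs(grads[0]) / abs(grads[1]), 1))
```

With `gamma=0` the loss reduces to weighted cross-entropy and the missed attack pulls about 18.6 times harder than the easy normal sample; with `gamma=2` the ratio is above 3,000.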

2. Cyber-Physical Power System Based on Ensemble Learning

Ganjkhani et al. [15] propose a network attack detection method based on a nonlinear autoregressive neural network. The method reduces the complexity of the algorithm to a certain extent and effectively improves the real-time performance of network attack detection. Xu et al. [16] propose a two-stage state prediction method to predict the measurement vector of the vulnerable node. Based on the threshold residual of the predicted value and the true value, the network attack is detected to realize the protection of the vulnerable node. Zhao et al. [17] propose a short-term prediction method to analyze the real-time condition and the consistency of the measured data of the power system. Based on l 2 norm and norm detect network attacks, the shortcomings of traditional detectors in dealing with decision boundary problems are solved.
Hu et al. [18] propose a bad data detection and correction method based on kernel density estimation, which increases the ability to restore error data and improves the elastic error control ability of the system. Chaojun et al. [19] propose a feature extraction method based on a genetic algorithm to obtain the key features of the data to be detected, combined with the Euclidean detector, to detect the outliers in the state estimation data. The Euclidean distance-optimized Kalman filter was used to detect network attacks [20]. The traditional state estimation method based on the least squares method could not identify network attacks; this model solves that problem and has a significant effect on reducing the false alarm rate caused by noise.
Ahmed et al. [21] propose an improved genetic algorithm for the feature selection of state estimation data. It filters out redundant and irrelevant features and selects the optimal low-dimensional feature combination to represent the raw data. It then uses a support vector machine (SVM) as a classifier to identify network attacks, which improves the efficiency of network attack detection. Mohammadpourfard et al. [22] propose a new physical model to resist the false data injection attack. The model uses the GAN algorithm to capture the deviation between actual and ideal measured values and maintain the integrity of state estimation in real-time. Xue et al. [23] propose a One-Class-One-Network (OCON) framework based on extreme learning machine (ELM) to identify network attacks and data recovery based on spatial correlation analysis of power data. The method ensures the normal state estimation of the power system. James et al. [24] propose an online identification mechanism for AC system network attacks based on deep learning. To identify potential network attacks in real-time, the spatial characteristics of historical data were extracted by wavelet transform, and the recurrent neural network was constructed. The design of the machine learning algorithm avoids solving complex time–frequency domain problems of the power system, and the efficiency is relatively high.
The work conducted by Hink et al. [25] had an accuracy of approximately 90% and 75% over the multi-class dataset for JRipper–Adaboost and random forest, respectively. Wu et al. [26] propose a sequential pattern mining approach to extract patterns of power system disturbances and network attacks accurately. The mining common path algorithm had an accuracy of 93% on the multi-class datasets. Mohsenian-Rad et al. [27] propose a privacy preservation intrusion detection technique based on the correlation coefficient and expectation–maximization clustering mechanisms, which select important portions of data and recognize intrusive events. The model had a recall rate of 88.9% over the multi-class datasets with 75% of features. However, this work did not consider network attack detection from the perspective of the interaction between the cyber layer and the physical layer. Li J et al. [28] study the potential vulnerabilities of machine learning applied in CPSs by proposing a general threat model for Constrained Adversarial Machine Learning (ConAML). Li B et al. [29] propose a novel federated deep learning scheme named DeepFed.
The current CPPS network attack detection methods are divided into the time state prediction method, the state estimation method, and the machine learning detection method. The time state prediction method improves the dynamic state estimation ability of the power system [15,16,17]. However, these methods are prone to low detection precision when a transient process occurs in the power grid due to non-attack factors. The state estimation method represented by [18,19,20] is simple in principle, is more in line with the characteristics of the power system, and has a high detection speed. However, the setting of the detection threshold introduces a degree of experience-based error and low precision. The traditional machine learning algorithms represented by [21,22,23,24] are very dependent on data quality, and the imbalance of sample numbers has a great influence on the training precision of the model. The deep learning algorithm is extremely dependent on large-sample training data; the model complexity is high and the training speed is low. This model still needs to be improved in dealing with data imbalances, and it did not conduct a cyber-physical security assessment of the test results. Due to its ensemble voting and parallel characteristics, the ensemble learning algorithm can better balance training precision and training speed and has greater advantages for network attack and fault detection.
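
An added example, not code from the paper: plain SMOTE oversampling, the kind of pseudo-sample generation that contribution (1) uses against the sample imbalance discussed above. The page does not describe its "centralized" variant, so this is the basic algorithm; the feature names and measurement values are constructed.

```python
import random

def smote(minority, n_new, k=3, seed=0):
    """Plain SMOTE: synthesize n_new points on segments between a minority
    sample and one of its k nearest minority-class neighbours."""
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    rng = random.Random(seed)
    k = min(k, len(minority) - 1)
    synthetic = []
    for _ in range(n_new):
        i = rng.randrange(len(minority))
        base = minority[i]
        # Rank the other minority samples by squared Euclidean distance.
        others = [m for j, m in enumerate(minority) if j != i]
        others.sort(key=lambda m: sum((a - b) ** 2 for a, b in zip(base, m)))
        neighbour = rng.choice(others[:k])
        lam = rng.random()                      # position along the segment
        synthetic.append([a + lam * (b - a) for a, b in zip(base, neighbour)])
    return synthetic

def balance(normal, attack, k=3, seed=0):
    """Oversample the attack class up to the size of the normal class.
    Apply to the training split only, so no synthetic point derived from a
    test sample leaks into evaluation."""
    return attack + smote(attack, max(0, len(normal) - len(attack)), k, seed)

# Constructed training split: [voltage magnitude (p.u.), line current (p.u.)]
NORMAL = [[1.00 + 0.002 * i, 0.50 + 0.01 * i] for i in range(12)]
ATTACK = [[0.93, 0.81], [0.95, 0.78], [0.92, 0.84], [0.94, 0.80]]

if __name__ == "__main__":
    balanced = balance(NORMAL, ATTACK)
    print(len(NORMAL), "normal vs", len(balanced), "attack after oversampling")
    for row in balanced[len(ATTACK):len(ATTACK) + 3]:
        print([round(x, 4) for x in row])
```

Every synthetic point lies between two real attack samples, so the method adds density inside the observed attack region but cannot produce attack patterns the training data never contained.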

This entry is adapted from the peer-reviewed paper 10.3390/app12136498
