A Comprehensive Game Theoretical Defense Strategy in Demand Side Management Against Price Tampering Attacks

Price tamping attacks may cause market turbulence, attack detection and defense strategy are needed to study. Firstly, demand response characteristics are analyzed in a User Energy System. A quantitative model is established to describe the load changes caused by price tampering attacks. Secondly, a space-based cumulative intrusion detection method is proposed to pick up the discrepancy under tampering attacks. To verify the practicability of the proposed method, intrusion detection experiments are tested in the Principal Information and Safety Laboratory. Then, comprehensively considering the purchase of electricity from the power grid, self-generation, and load shedding, a quantitative model of attack consequences is established based on the allocation coefficient. Thus, the intrusion detection algorithm is used as a defense resource, and a demand-side defense protection strategy is formed to find an optimal deployment method based on non-cooperative game theory. The defensive protection strategy takes the quantitative model of attack consequences as the solution target, and solves the Nash equilibrium solution under different attack modes. Finally, in the IEEE-33 node system simulations, the defense resource is deployed using intrusion detection strategy, and the defense decision is executed to show the effectiveness of the comprehensive protection strategies.


INTRODUCTION
The cyber-physical system integrates the computing system, the communication network, and the physical environment through computation, communication, and control (3C) technology. Thus, a multi-dimensional heterogeneous complex system that integrates real-time sensing, dynamic control, and information services is formed by Liu et al. (2015). In recent years, with the rapid development of smart grid construction, the interaction between traditional power networks and information networks has become increasingly complex. Zhao et al. (2010) indicates that The modern power system is no longer the traditional power equipment network. It develops into a power cyber-physical system (CPS) with various typical features.
As a private network of power industrial control systems, power communication network had the characteristic of "secure partition, network-specific, horizontal isolation, and vertical authentication". And it was considered to have strong security and reliability for a long time which was proposed by Miao et al. (2009). However, compared with the traditional primary power network, the research on security protection for power communication systems started late.
Recently, A. Ashok et al. (2017) 's research showed that traditional physical isolation can't guarantee the absolute security of power CPS. So the attack against the power system wasn't implemented on the physical side only. On the contrary, current attack was more likely to happen on the information side due to the low cost and the greater potential damage. Tang et al. (2016) revealed the ever-changing attack methods which may exist on the information side of the power CPS. The Ukrainian power outage event analyzed in the literature of Tong et al. (2016) was an example of a network attack in the power network.
Currently, false data injection attacks (FDIA) exist in all aspects of the power CPS according to Tang et al. (2016). Zhao et al. (2016) and Ni et al. (2016) indicated that the attacker attacked the sensing device by injecting false data to achieve the purpose of attacking the power grid. Wang. (2014) described the FDIA against large, complex SCADA systems. The relative active/passive defense methods need to be further studied (Hahn and Manimaran, 2011;Tian et al., 2018).
At the same time, renewable energy is developing fast. Prosumers in the smart grid have not only participated in the production, transmission, distribution, and use of electricity as consumers, but also have gradually participated in the distributed generation process as the role of power producers according to Jun et al. (2015) and Yang et al. (2018). The electricity consumed in an area consists of two parts-traditional power and local distributed new energy generation such as solar energy, wind energy, etc. In this case, the regional electricity price can no longer be fixed to a certain value. It should dynamically change with the production of two kinds of electric energy to pursue the maximization of their profits according to Telaretti et al. (2014) 's points.
This situation requires the introduction of a competitive mechanism in the field of power generation. The business model of the open power generation side has gradually formed. It means that each power generation unit needs to compete in the electricity market. In such case, Wang. (2001) revealed that the opening of electricity prices also brought many security risks. With the development of power CPS and new energy technologies, the power grid has become more distributed. The control center in the power grid gradually becomes more diversified. Regional power grids often use proxy methods to participate in electricity price decisions. In order to obtain more benefits or implement destructive actions, malicious bidding events occur from time to time. In the literature of Ma et al. (2016), real-time electricity price attacks had a serious impact on user load demand. Xia et al. (2017) conducted experiments and found that electricity price delay attacks caused great interference to the electricity market.
As can be seen from Jie et al. (2019), a Stackelberg game was used to model Man-In-The-Middle (MITM) attack mode. They compared the financial loss and the effect of cyber security. From the result, there were great differences in the losses and delays caused by MITM attacks before and after defensive measures. MITM attacks were studied in VANET by Ahmad et al. (2018). Results suggested that these attacks had a massive influence on the network in terms of low content delivery, high end-to-end delay, compromised messages, and packet losses. For example, for 50% distributed MITM attackers, the network experiences about 6.89% more loss as compared to the network containing fleet attackers. In the field of electricity, Chen et al. (2017) showed the man-in-themiddle attacks against smart meters DL/T 645-2007 Protocol. Wang et al. (2015) described a false data injection attack against multi-step electricity prices (MEP). It can be seen that the malicious bidding behavior realized by MITM attacks on electricity prices has gradually become a big problem. And it needs more attention and better solutions (Lin et al., 2013). This shows that man-in-the-middle attacks cannot be ignored. It is gradually affecting the security of systems that contain communications such as power CPS.
Generally, there have been two types of MITM attacks on electricity prices (23-25) (Bharti and Mala, 2019;Singh et al., 2019;Sun et al., 2019): 1) It attacks the information flow; 2) It attacks the information center (Song, 2018). The first type of MITM attacks can maliciously change the price data between the buyer and the seller, and the second type can send false price data. Because the first type is easy to operate, it becomes the main way of MITM attacks on electricity prices according to Liwei and Yang. (2019).
When MITM attacks on electricity prices occur, the load changes according to electricity prices. Further, the load may be mismatched with the source. When the load is larger than the source, the voltage level would decrease and the load shedding would occur in a large area sometimes. When the load is less than the source, the system voltage level would rise, which may lead to an electric accident.
In this case, Bao (2018) studied that the attacker and the defender are clearly opposed. The attack mode of the middleman attacker will not be static, and it will develop in the direction of maximizing the attack benefits. In order to cope with the changing attacks, grid defenders must also respond in a timely manner. The attacker wants to cause the biggest grid loss. The purpose of the defender is to reduce this loss. This process is consistent with the process of the game.
As a powerful solution tool, the game theory had been widely used to solve various problems in the power system. W. Lee et al. used game theory to solve the problem of new energy consumption (Lee et al., 2015). The game strategy was also used by Wei et al. (2018) to solve the coordinated cyberphysical attacks problem.
This article starts from the intrusion detection and protection of price tampering attacks by MITM attackers. A set of defense strategies is designed based on state estimation and game theory. The main content of this article has the following aspects: 1) A cumulative error detection strategy based on normal distribution is designed to detect the price tampering attack by MITM attackers; 2) Based on the minimum comprehensive cost, a quantitative model of attack consequences is established which considers three demand-side response methods of purchasing power from the external grid, self-generation, and load shedding comprehensively; 3) A demand-side defense protection strategy based on game theory is established. The model uses the intrusion detection method to deploy defend resources, and sets the demandresponsive attack consequence quantitative model as the game target.

Architecture of a User Energy System
On the demand side, prosumers such as residential, commercial, industrial consumers, have their dispatch centers to monitor their loads and generations in a User Energy System. These dispatch centers are managed by User Energy Management System (UEMS) (Ma L et al., 2016). Among them, residential and commercial electricity consumption affected by current electricity price is small and industrial electricity consumption is often relatively large, due to the difference in production costs elasticity. For example, residential prosumers have micro power generation units installed on the user side, such as photovoltaic and wind power, and can meet part of the power demand on the demand side through self-generation. The architecture of a User Energy System is shown in Figure 1.
In this architecture, prosumers can be divided into several areas for better control. Each area is controlled by a Distributed Control Unit (DCU), which is responsible for transferring distributed information. In UEMS, each DCU communicates with the demand-side control center to achieve measurement and control of the demand side. The center makes decisions based on the information uploaded by the DCUs. These DCUs control the energy transactions of prosumers in the area, generate electricity prices according to the power consumption and load type of the corresponding area, and upload them to the demand-side control center. The demand-side control center can communicate with the external distribution grid about its electricity information.
The Electricity price tampering attack scenario based on MITM attack is simulated in the experiment. MITM attack on electricity price provide false information to interfere with the power market. MITM attack secretly changed the communication mode between UEMS and demand side control center. It makes the initial connection becomes a new connection with the intervention of a MITM attacker. Therefore, the normal tariff transmitted in the original connection will be replaced by malicious electricity price required by the bidder. UEMS will no longer purchase and use power resources according to the normal electricity price. MITM attack mode is shown in Figure 2.

Electricity Changes Under Price Tampering Attacks
When a price tampering attack occurs on the demand side, it will cause demand changes to the corresponding area. Based on the price elasticity of electricity demand (PEED) model proposed by Hu et al. (2008), the electricity consumption change of an area after the attack can be expressed. 1) Large power consumers consume more variable electricity such as industrial users, and their electricity prices are higher Frontiers in Energy Research | www.frontiersin.org November 2021 | Volume 9 | Article 763260 than ordinary ones. When the price tampering attack occurs, due to the influence of production costs, large power consumers purchase electricity under certain restrictions. The electricity consumption D a after the price tampering attack is defined as: where p is the normal electricity price without attack, ¥/kW. D a0 is the electricity consumption before price tampering attack, kW. p′ is the false electricity price tampered by the attacker, ¥/kW. 2) Small power consumers usually consume load relatively constantly, such as residential and commercial users. They seldom change their own electricity demand when the electricity price changes. Suppose their electricity consumption in a certain area is D b0 , it can be considered that the price tampering attack has no intuitive effect on their electricity demands, the electricity consumption D b after the price tampering attack refers to: D b0 D b .
According to the power consumption changes of these two types of consumers, the PEED model is used to express the electricity consumption D of the region after the price tampering attack: where p is the benchmark electricity price from the external grid, the unit is ¥/kW. E is the self-elasticity coefficient of electricity demand price: E ((D a0 − D a /D a0 )/( p − p/p)). To sum up, if the price tampering attack is successful, the target area has an electricity change ΔD in the total demand:

INTRUSION DETECTION OF PRICE TAMPING ATTACKS
This section studies how to detect price tamping attacks based on statistical bias and state estimation. Intrusion detection is essential to determine whether an abnormal event occurs in the system. It comes down to the problem of distinguishing between "normal" and "abnormal" states. The existing anomaly detection methods can be divided into deviation-based detection and feature-based detection methods according to the identification basis.
In the actual application process, the detection relying on a single residual is likely to cause residual pollution and flooding. It can lead to missed or false detection of abnormal data. So when there is a lot of abnormal data in the detected data, the correlation between the data cannot be fully utilized. This detection method is also powerless to attack multiple nodes at the same time. The detection accuracy of detection methods based on state estimation will also be greatly affected.
Aiming at the shortcoming that the detection result is overly dependent on a single residual, this section studies a cumulative error detection strategy based on a normal distribution under tampering attacks. The strategy improves the detection success rate from the perspective of multi-point cumulative deviation.
The detection of price tampering attacks is essentially a state estimation process. Power system state estimation processing generally analyzes low-precision, incomplete, and occasionally bad data in power system measurement data, and outputs high-precision, complete, and reliable data after processing.

Basic Theory of Intrusion Detection
Here are general intrusion detection processes of the power system: November 2021 | Volume 9 | Article 763260 1) Establish state estimation functions. The state estimation equation is: z h(x) + e, where z (z 1 , z 2 , . . . , z m ) is the measured value vector of the measuring component; h(x) is nonlinear electricity balance functions; x (x 1 , x 2 , . . . , x n ) is a state vector; e (e 1 , e 2 , . . . , e m ) is the measurement error vector.
2) Simplify the state estimation functions. In order to facilitate calculation, assumptions are as follows: the bus voltage value is approximately equal to 1; the shunt component, bus, branch circuit, and reactive power flow can be ignored. Now, h(x) can be linearized to Hx, where H m×n is a constant Jacobian matrix.
3) Modify the state estimation functions. When the price tamping attack occurs, prosumers response to change the demand loads, and the measured value vector is modified as Z a z + a, where z is the true measured value, a (a 1 , a 2 , . . . , a m ) is a non-zero attack vector. This will cause the state vector to change:x bad x + c, wherex is the initial state value, c is the amount of impact of the attack. Now, the measurement error vector after the price tamping attack can be obtained:

Cumulative Error Detection Based on Normal Distribution
Assuming that small independent effects make an additive contribution to each observation, the measuring datum are random and have a multivariate normal distribution based on historical data analysis. So a Bayesian model is established to describe the true data z as z ∼ N(μ, σ 2 ). When there is a price tamping attack, some specific measures such as electricity price and load demands are bound to be changed. The combination of these measures will cause the state variables to move away from their true values.
When the attacker knows the defense information of the defender (layout H and error detection algorithm, etc.), the covert attack can make a − Hc zero, and the deviation |z i − Z i | generated by one measurement is not enough to be detected by the detection system.
When the deviation of all measured values in the vector is accumulated from the vector, the accumulated deviation will become prominent. The detection scheme studied in this section identifies attacks based on cumulative errors, such as the relationship between electricity changes and abnormal pricing measures.
Here, a space-based cumulative error detection method based on hypothesis testing is introduced. The cumulative deviation is as follows: Here we consider two assumptions: H 0 and H 1 . H 0 is a null hypothesis in which the measured load value is true; H 1 is an assumption that the cyber system has been attacked. These two assumptions can be described as: We assume that measurement vector z′ (z 1 ′ , z 2 ′ , . . . , z m ′ ) follows a multivariate Gaussian distribution and z i ′ are independent of each other. It can be expressed as . Based on the above, the hypothesis test is given by a threshold τ corresponding to the load changes. When J(z′) < τ, H 0 holds and the attack is undetected; when J(z′) ≥ τ, H 1 holds and the attack is detected.

Experiment Analysis
An intrusion detection test environment is built to check the strategy's effectiveness ( Figure 3A). Its equivalent topology is shown in Figure 3B. In the Test Verification Center of the Principal Information and Safety Laboratory, the avalanche application attack test tool, Hessman switches, and Wireshark packet capture tools are used to test price tamping attacks. The communication side port connection diagram for the test process is shown in the Figure 3C.
In the experimental environment, each DCU (using 4 DCUs for simulation test) is connected to the simulation dispatch center through a Hessman switch. Simulated packet sending tools are used to send GOOSE/SV messages to UEMS, which simulates the normal output and consumption of each area on the demand side. In each DCU, the price information is collected in the information link through the packet capture tool and sent to the demand side control center regularly. In the demand side control center, the intrusion detection strategy is tested to detect the attacks. Due to limited resources, 4 DCUs are simulated in a UEMS.
The experiment test steps are as follows: 1) The input and output ports of DCU, UEMS, avalanche application attack tester, switch, and other devices are connected according to the communication topology. The DCUs are connected at all levels to the demand side control center through the communication equipment switch. Through the Hessman switch, the analog demand side control center and the switch connection port are assigned to VLAN100. Configure the DCU and switch connection ports at all levels as TRUNK ports. 2) Connect the avalanche application attack tester to the switch, and connect the port to VLAN200. Perform corresponding price tampering attacks to the DCU through the switch using MITM attack mode. 3) DCU sends the compound information message with a digital signature to the demand side control center, and the analog side control center detection unit uses the proposed intrusion strategies to judge whether the price tampering attack occurs. 4) Repeat the test to obtain the detection success rate under different price tampering attacks. In order to reflect the superiority of the intrusion detection strategy, a horizontal comparison is carried out. The detection results of traditional single-point detection, non-parametric cumulative detection, and cumulative error detection strategies under the same attack scheme and threshold are analyzed.
The relevant parameters of the experiment 1 are set as follows:  1) Set the current market electricity price to 100 ¥/kW. 2) Set the attack method as follows: DCU1 price is tampered with 80% of the original electricity price, DCU2 price is tampered with 60% of the original electricity price, DCU3 price is tampered with the original electricity price of 100%, and DCU4 electricity price is tampered with the original electricity price of 100%. 3) Set the threshold as follows: τ 40; 4) Set the number of simulations from1 to 100, and the statistics node from 1 to 10.
The detection success rate obtained by simulation is shown in Figure 4A. The abscissa shows the number of detections. The ordinate is the detection success rate. 100 trials are conducted and the detection success rate is the ratio of successful intrusion detection number in the total number of tests. During the test, the detection success rate varies with the number of tests. This is due to errors (such as communication data packet loss and communication delay) that may occur during the test. From the overall trend, the cumulative error detection mentioned can achieve a detection success rate of more than 76%, the cumulative detection success rate (73% in 100 trials), and the single-point detection success rate (66% in 100 trials). It can be seen that the detection success rate is sorted according to size: cumulative error detection success rate > non-parametric cumulative detection success rate > single point detection success rate.
The relationship between detection success rate and the threshold τ is shown in Figure 4B. The abscissa shows the logarithmic function lg(τ/10) of the threshold τ. Different threshold values of 20, 40, 80, . . . 2,560 are chosen for tests. When τ ≤80, the detection success rate reaches the maximum and will not increase. When τ > 80, the detection success rate gradually decreases with the increment of the threshold value, the sensitivity of the algorithm becomes insufficient, and some price tampering attacks are missed from detection. When τ > 1,280, the detection success rate is less than 50%. To examine the detection success of the defense strategy against different attack methods, experiment 2 first analyzed the detection success of the strategy when attacking different regions with the same amount of price tampering attack, Table 1. The parameters for experiment 2 are set as follows.
1) Set the current market electricity price to 100 ¥/kW. 2) Based on the principle of random combination, set the following 14 attack methods when the electricity price tampering amount is 80% of the original price in an attack scenario containing four target areas. 3) Set the threshold values as follows: τ 40 4) Set the number of simulations to 100.
The detection success rate obtained from the simulation is shown in Figure 5.
The horizontal coordinates of Figure 6 represent the 14 attack methods and the vertical coordinates represent the detection success rate. From the experimental results, it can be concluded that the detection success rate is higher when the tariff tampering attack attacks more DCUs, indicating that the proposed strategy is more effective in detecting tariff tampering attacks when they occur in more areas.

Power Purchase Cost Model From the Power Grid
If the price tamping attack occurs, the demand-side prosumers respond to load shedding and power purchase from the power grid. For the regional control center, the purchasing power should satisfy the load demand in the current time period.
According to the demand-side response model, the demandside power demand has changed under the price tampering attack. At this time, the power demand side must take certain measures to repair or restore the energy balance on the demand side.
In the area k ,the power purchase cost C A,k spent by the power purchaser can be expressed as follows (Wu et al., 2002): where λ k represents the proportion of electricity provided by the electricity seller in total demand. p A,k represents the power purchase price in the electricity spot market. d buy,k is used to indicate the total power demand of prosumers in the area k. q A,k represents the spot stock of the electricity seller.

Self-Generation Cost Model
In addition to spot price trading with the power grid, there are also ways to purchase electricity by self-generated energy resources. The internal energy system belongs to the user side, and its power generation cost is the prosumer's electricity cost. In the area k, the power generation cost function of the internal energy system C B,k can be expressed using a quadratic function: where q B,k represents the amount of electricity generated by the internal energy system. a k , b k , c k is the cost factor for power generation. c k indicates the ratio of the internal energy system's electricity power in the total power generation. Refer to Wang and Li. (2010), the power supply of this type is affected by user investment, so the value c k is generally 5-20%. In this section, two types of power purchase methods are considered: spot transactions with the power grid, and power purchase in internal energy system power generation. Therefore, the following constraint exists:

Load Shedding Cost Model
If the price tampering attack consequences are serious, the purchase of electricity may not fully balance the power loss load. At this time, in order to meet the demand-side power supply balance, load shedding is required in an urgent state. Following principles need to be met during load shedding: cut off from the end to the source, give priority to protecting important loads, and ensure normal area power supply. According to the principle of load shedding, loads in different areas have different importance. α k is used to indicate the relative importance of load in the area k (Kucuk. 2018). The larger the value α k is, the load in the area is more important, and the load shedding loss is greater. In the process of load shedding, the area load with low α k is preferentially removed.
Load shedding cost is introduced to quantify the loss caused by load removal. It is related to many factors, such as user type, advance notice time, power outage duration, power outage occurrence time, and power shortage rate. The cost value affected by these factors is usually obtained by user survey, and its calculation method has been specifically analyzed by Ren et al. (2006). The load shedding cost C C,k is as follow: where u k is the load cost, the unit is ¥/kW, and its element represents the cost of the independent load of the corresponding area k, d load−of f ,k represents the load reduction amount in the area k, the unit is kW.

Integrated Defense Cost Model
In the power defense architecture, two types of power suppliers are considered: internal self-generation energy resource and  Frontiers in Energy Research | www.frontiersin.org November 2021 | Volume 9 | Article 763260 8 external power grid under the price tampering attack. This means that two different types of electricity sellers need to be considered comprehensively when purchasing electricity. In addition, considering serious attack consequences, some areas may not be able to restore power supply balance through the purchase of electricity. At this time, it is urgent to consider cutting off the loads. To avoid further losses and restore power supply balance as quickly as possible, the system administrator needs to make a trade-off among power purchase, internal energy supply, and load shedding operation.
Load shedding is a serious consequence of a tampering attack on electricity prices. If an area is not directly connected to the external power grid after the attack, it cannot purchase the power supply and restore the loss loads. Although the power purchase scheme could meet the short-term power supply balance promptly, purchasing electricity is a tampered electricity price. The electricity price paid is higher than the normal electricity price, the power purchase cost becomes higher than before. Thus the hidden loss may have an impact in a longer period. At this time, a load loss weight coefficient β k ∈ [0, 1] is introduced to represent the ratio of load shedding in operation methods.
For the area k(k 1, 2, . . . , K), the integrated regional defense cost C I,k under the price tampering attack is: To reduce the defense cost, the demand-side emergency defense cost minimization function after the price tampering attack is as follows: The Eq. 12 can be transformed as:

Game Elements Design
The interactive process between the cyber attacker and the grid defender is a game process. The grid defender often doesn't know the attacker's offensive strategy, and there is no partnership between the attacker and the defender. Therefore, it is a non-cooperative game process based on incomplete information, which can be represented by a four-tuple: Since it is a non-cooperative zero-sum game process, the sum of the gains of both attackers and defenders is zero. If the attacker's gain function W a min C is set to a positive value, the defender's gain function W d is a negative value: W d −min C.

Analysis of the Non-cooperative Game Process
During the non-cooperative zero-sum game process, the attacker and the defender revolve around the reward function and adjust their strategies to obtain the maximum benefit. When both side players are at an equilibrium point, neither can adjust the strategy to obtain higher returns, thus the players have reached the equilibrium point, which is called the Nash equilibrium point.
In the price tampering attack, due to the low cost of attack and the universality of the attack modes, the attacker often has enough attack resources and can choose different attack modes. On the contrary, on the defense side, since the potential attack is unknown and the cost of defense resources is high, it is impossible to defend every link in each area. The specific game process is listed as follows: Step 1: Determine the attacker's offensive strategy space A including the offensive mode a m and its resources. Determine the defender's defensive strategy space D including the defensive mode d n and its resources. According to the offensive strategy space A and the defensive strategy space D, the total number of game rounds R (1 ≤ R ≤ N A × N D ) is estimated, and the initial value of the round number r is set to 1.
Step 2: In the rth round, the attacker determines the current offensive strategy a m , finds the optimal attack target area to obtain high returns, and calculates current revenue W a ; Step 3: In the rth round, the defender determines a possible attacked area by the intrusion detection strategy. The defender finds the optimal defense target by minimizing the integrated emergency defense cost on the demand side. The defender's gain function W d is calculated under the attack mode.
Step 4: Determine whether the round number r reaches the preset total number of rounds R. If not, the Nash equilibrium point (A p , D p ) is solved according to the zero-sum game theory, the attack strategy is selected against the price tamping attack. Then, the algorithm updates r to r + 1, and returns to step 2. If it is reached, the game process ends. The offensive and defensive game flow chart is shown in Figure 6.
In the game process, the attacker and the defender adjust their strategiesn in order to obtain the maximum income. When the two sides are at an equilibrium point, neither of them can obtain higher returns by adjusting strategies. When two sides reach an equilibrium state, the Nash equilibrium point is (A p , D p ).
Frontiers in Energy Research | www.frontiersin.org November 2021 | Volume 9 | Article 763260 9 5 DEFENSE SIMULATION AND CASE STUDY

Simulation Case
In this section, an improved IEEE-33 node distribution system (Meng et al., 2015) is used to verify the effectiveness of the proposed game model. As shown in Figure 7, the IEEE-33 node distribution system is divided into 4 areas. Each area contains a DCU, which is deployed on nodes 1, 2, 5, 25. The load is divided into the industrial, residential, and commercial load. Detailed load demand before attacks is shown in Table 2.
Refer to Table 2, D a0 is the load before the price tampering attack of the industrial load; D b0 is the load before the price tampering attack of the residential/commercial load. According different load ratios in each area, the importance of 4 regions are f1 0.9690, f2 0.4953, f3 0.2476, and f4 0.6110. When the threshold is set as, the detection result is better than others. When τ 20, the detection success rate is 83.0% for areas where detection and defense resources are deployed.

The Load Change Analysis
In the scenario analysis, the attacker modifies the electricity price to 80% of the normal electricity price to discuss the optimal defense strategy pair. In 4 attack target areas, assuming that the number of attack target areas is not greater than 3, there are 14 selectable offensive strategy combinations.
The load changes ΔD under various price tampering attack modes are calculated as shown in Table 4. It shows the variation of load under various offensive strategies. The offensive strategy that causes the largest load change is a14, which is 534.5 kW, and the strategy that causes the smallest load change is a1, which is 27 kW. At the same time, it can be obtained that attacking more areas often causes more load changes than attacking a single area. Compared to the attack modes of single target areas, a1, a2, a3, and a4, it shows that attack on area 2 causes a greater change in load than the attack on other areas.

Optimal c k 、β k Value Calculation
According to different load changes ΔD in 14 attack modes, the defenders can calculate optimal c k 、β k to determine the ratio of   power purchase and load shedding. Based on the quantitative model, the optimal values of c k 、β k are calculated iteratively by particle swarm optimization algorithm as shown in Table 5.
In Table 5, c p 1 , c p 2 , c p 3 , c p 4 are the optimal proportion of electricity provided by the electricity seller; β p 1 , β p 2 , β p 3 , β p 4 are the optimal loss weight coefficient of 4 areas. For the attack target area k, c k tends to its maximum value when the cost function takes the minimum value. This is because, under current parameters, the cost of self-generated electricity is much smaller than the cost of purchasing electricity from the external grid. The prosumers tend to use self-generated electricity than purchase electricity outside. c k is chosen to its maximum value, which is consistent with the policy of preferential consumption of self-generated electricity. It also shows that although the attack target area k is changed, the optimal values c k 、 β k for the attacked area don't change under different attack modes.

Attack Loss Quantification
Under various attack modes, the electricity purchased from the external grid, self-generated power, and load-shedding capacity can be obtained, as shown in Figure 8A. The attack loss results can be further quantified as shown in Figure 8B.
In Figure 8B, the abscissa is the attack mode and the ordinate is the quantized loss value under attack. This illustration shows that attack method a14 causes the largest loss value of 898000¥; the attack mode a2 causes the smallest loss value of 86000¥.
In general, the loss value caused by the attack modes with more target areas is greater than that with fewer target areas. The overall loss value with three areas (attack modes a11-a14) as the attack target is greater than that of targeting two areas (attack modes a5-a10). The overall loss value of targeting two areas (attack modes a5-a10) is greater than that of targeting a single area (attack modes a1-a4).

Game Result Analysis
To reflect the defense deploy verification with limited defense resources, the deployment area of the intrusion detection strategy has been limited to less than or equal to 2, so there are currently 10 methods to deploy intrusion detecting equipment, as shown in Figure 9. In 4 attack target areas, 14 selectable offensive strategy Attack mode combinations have been mentioned before, so the total number of game rounds is R 14 * 10 140. According to the offensive strategy space and defense strategy space, the Nash equilibrium points under various attacks are obtained as shown in Table 6. The intersection of the offensive strategy and the defense strategy (green block) in Table 6 is the Nash equilibrium point under various attack modes.  Defense strategy It can be found that under the condition that the offensive resources and the defense resources have sufficient configuration, the Nash equilibrium point will appear in the place where the attack target and the defense target are consistent, namely (a1, d1), (a2, d2), (a3, d3), (a4, d4), (a5, d5), (a6, d6), (a7, d7), (a8, d8), (a9, d9), (a10, d10). It matches the actual deployment situation. In the case of insufficient defense resources, the Nash equilibrium points are (a11, d5), (a12, d9), (a13, d6), (a14, d10). The optimal defense strategy is not matched the actual deployment situation.
Considering 14 attack modes, the comparison of the loss value with optimal defense strategy and without defense strategy are shown in Figure 10A. For attack mode a1 to attack mode a14, the loss values decreased by 61.4, 37.6, 56.3, 46.5, 73.2, 56.0, 22.8, 36.2, 56.8, 31.5, 52.1, 45.2, 57.2, 31.7%. The results show that the optimal defense protection strategy can significantly reduce the losses caused by attacks.
Taking attack mode a13 as an example, the loss value of different defense strategies under 10 attack modes is shown in Figure 10B. The abscissa represents the defense strategy, and the ordinate represents the loss value under the current attack mode and defense strategy. It can be seen that the defense strategy d6 has the best defense result and the loss value is 345500¥. On the contrary, the defense strategy d2 has the worst defense result, even if it has no defense result. In summary, Nash equilibrium point (a13, d6) has the best deployment and defense strategy.

CONCLUSION
In this paper, a set of intrusion detection and defense strategies is designed. The conclusions are as follows:

1) A space-based cumulative intrusion detection method is
proposed under the price tampering attack. The cumulative deviation detection strategy can not only detect the measured value of one measurement point based on normal distribution, but also detect the shortcomings of the subtle tampering of the target area. The experiment tests verified the superiority of the strategy. The detection success rate has been increased by 14% compared with the traditional detection strategy and by 3% compared with the non-parametric cumulative detection strategy. 2) A quantitative model of attack consequences is established to minimize the integrated defense cost. The model quantifies the changes in electricity caused by price tampering attacks, comprehensively considering three demand-side response methods of purchasing external grid, self-generation, and load shedding. 3) A demand-side defense strategy is established based on noncooperative game theory. It deploys the defense resource using intrusion detection strategy, and takes the quantitative model of attack consequences as the game target. Taking into account the limited nature of defense resources, the Nash equilibrium point is solved to generate defense decisions. In the distribution system simulations, the Nash equilibrium point is solved under various attack strategies and a reference for defense matching is provided. The results show that the proposed defense protection strategy has certain effectiveness.

DATA AVAILABILITY STATEMENT
The original contributions presented in the study are included in the article/Supplementary Material, further inquiries can be directed to the corresponding author.