Detection of Anomalies in Electric Vehicle Charging Sessions

Dustin Kern Christoph Krauß Matthias Hollick

Darmstadt University of Applied Darmstadt University of Applied Technical University of Darmstadt
Sciences Sciences Darmstadt, Germany
Darmstadt, Germany Darmstadt, Germany mhollick@seemoo.tu-darmstadt.de
dustin.kern@h-da.de christoph.krauss@h-da.de

ABSTRACT 1 INTRODUCTION
Electric Vehicle (EV) charging involves a complex system with Electric Vehicles (EVs) play an important part in making the trans-
cyber-physical components, backend systems, and communication portation sector more environmentally friendly and the adoption
protocols. A potential security incident in this system can open up of EVs is steadily rising worldwide [18]. EV charging, however, in-
cyber-physical threats and, for instance, lead to EV battery fires volves major cyber-physical threats [49], for instance, the potential
or power grid blackouts. In this paper, we propose a hybrid Intru- of battery fires [16, 42]. Moreover, due to the close link between
sion Detection System (IDS) method consisting of regression-based e-mobility and the power grid, EV charging loads can have a signif-
charging session forecasting and anomaly detection. The method icant impact on grid stability [44, 46].
considers an EV’s detailed charging behavior throughout a session EV charging involves a number of complex and connected IT
and we discuss and evaluate different design choices. For anomaly systems, including Charge Points (CPs) and backend systems. This
detection, we consider both classification- and novelty-based mod- complexity amplifies the possibility of exploitable vulnerabilities,
els as well as an ensemble method to combine both models. We which is demonstrated by a number of successful cyber-attacks
perform evaluations based on real-world EV charging session data in the past (cf. [21] for examples of vulnerabilities in the CP con-
with simulated attacks. Our results show that regression-based fore- text or [45] for examples in the automotive context). A security
casting provides a significant increase in detection performance for vulnerability in a cyber-physical system also opens the possibility
attacks affecting individual reports during a charging session. Addi- of cyber-attacks being used to threaten physical functions [50].
tionally, the proposed ensemble method, which combines artificial For example, cyber-attacks on the IT systems of grid operators
neural network-based classification and local outlier factor-based have already been used to cause significant power grid blackouts
novelty detection, can maintain a low false alarm rate while of- in the past [5]. One aspect in addressing these security threats is
fering good detection performance w.r.t. known attacks as well as prevention, e.g., through secure system or software design. How-
generalization to previously unseen attacks. We thus argue that ever, since no preventive measure can possibly guarantee perfect
the proposed solution can provide a positive contribution to EV security, another important aspect in making cyber-physical sys-
charging security, resilience, and trustworthiness. tems more resilient towards security threats is attack detection
[41]. The output of attack detection can then be used to initiate
CCS CONCEPTS appropriate response measures in order to transition the system
back into a trustworthy operating state, e.g., through the isolation
• Security and privacy → Intrusion detection systems; Denial-
of affected/compromised components.
of-service attacks; Distributed systems security.
In this paper, we propose an Intrusion Detection System (IDS)
for the detection of anomalies in EV charging sessions. The IDS
KEYWORDS is operated by Charge Point Operators (CPOs) and considers the
E-Mobility, EV Charging, Power Grid, Intrusion Detection System, potential damage of compromised EVs and CPs. The IDS design is
Anomaly Detection based on a hybrid of detection- and regression models, whereby
different detection model designs are considered (using supervised
ACM Reference Format: classification, semi-supervised novelty detection, as well as an en-
Dustin Kern, Christoph Krauß, and Matthias Hollick. 2023. Detection of semble of both). Our focus is on detection and specific response
Anomalies in Electric Vehicle Charging Sessions. In Annual Computer Secu- measures are out-of-scope. The main contributions of this paper
rity Applications Conference (ACSAC ’23), December 04–08, 2023, Austin, TX, are as follows:
USA. ACM, New York, NY, USA, 12 pages. https://doi.org/10.1145/3627106.
(i) We examine the EV charging system model w.r.t. threats that
3627127
arise from an active adversary and security vulnerabilities
in EVs and CPs.
(ii) We propose a hybrid IDS concept for EV charging sessions,
which combines regression-based charging session forecast-
ing and anomaly detection models. The proposed concept
This work is licensed under a Creative Commons Attribution International
4.0 License. does not require a pre-existing data set with known anom-
alies and can identify complex attacks by analyzing the charg-
ACSAC ’23, December 04–08, 2023, Austin, TX, USA ing behavior throughout a session.
© 2023 Copyright held by the owner/author(s).
ACM ISBN 979-8-4007-0886-2/23/12. (iii) We consider two relevant kinds of anomaly detection models,
https://doi.org/10.1145/3627106.3627127 namely classification- and novelty detection-based models.

298
ACSAC ’23, December 04–08, 2023, Austin, TX, USA Dustin Kern, Christoph Krauß, and Matthias Hollick

Classification-based models are shown to provide a high on the internal CAN bus in EVs. In [1] a simple centralized detec-
detection rate for known attacks with a low degree of gen- tion approach of False Data Injections (FDIs) attacks from EVs to
eralization to previously unseen attacks. Novelty detection- the grid, based on the chi-square test and signal-based thresholding,
based models, however, are shown to offer a higher degree is proposed and evaluated based on simulated data. The authors
of generalization at the cost of a higher false alarm rate. of [8] propose a method for anomaly detection in a system of EV
(iv) To combine the strengths of classification- and novelty de- load, local building load, solar generation, and electricity prices,
tection-based models, we propose an ensemble method of based on correlations between the individual variables and using a
both kinds of models, which shows how the models can k-nearest neighbor classifier. In [9], a project report is presented
complement each other. that mentions an anomaly detection system for EV charging based
(v) We evaluate different design decisions of the detection sys- on a regression model and using simulated data. However, details
tem with multiple publicly available EV charging data sets regarding the approach, such as specifics of the IDS design or a com-
and different kinds of simulated attack behavior. Addition- prehensive evaluation, are missing. To improve EV charging safety,
ally, we evaluate detection performance for different magni- the authors of [48] investigate the use of a multivariate Gaussian
tudes of attacks to identify the thresholds at which anomalies distribution model for anomaly detection, i.e., unsupervised outlier
can reasonably be detected. detection. The authors of [10] propose a classifier-based collabora-
(vi) We publish the used data sets and code for reproducibility tive anomaly detection system for charging sessions, focusing on
and for the future use in related studies.1 the coordination between different IDSs instances and simulating
The remainder of this paper is structured as follows: we distin- attacks via random anomalies. However, details of the individual
guish our work from related work in Section 2. In Section 3, we IDS design, changes in charging behavior throughout a session,
present the EV charging system model. Afterwards, we motivate and detection performance for specific kinds of attacks patterns
the assumed adversary model in Section 4 and provide an analysis are not investigated. Finally, in [25] a distributed and cooperative
of the adversary’s potential attack vectors. We introduce our con- regression-based IDS for the detection of large-scale coordinated
cept of an IDS for EV charging sessions in Section 5 and describe attacks on the grid by a large number of compromised EVs/CPs is
the implementation and evaluation with different data sets and IDS proposed. However, the IDS operates on the combined load of si-
design decisions in Section 6. Finally, we conclude the paper in multaneous charging sessions and anomaly detection in individual
Section 7. sessions is not considered.
While current IDS solutions for the e-mobility sector usually
consider classifier models (or outlier detection models in case of
2 RELATED WORK
[48]) as the basis for anomaly detection, novelty detection models
Intrusion detection is commonly identified as an important com- have shown to be a viable alternative in different domains [38]. The
ponent in securing critical infrastructures such as the power grid, main advantage of novelty detection over classifier models is that
including its connected components like the Advanced Metering these methods do not require datasets with pre-labeled anomalies.
Infrastructures (AMIs) or e-mobility infrastructure [39]. In this con- That is, they operate semi-supervised and are trained on un-labeled
text, security incidents can have severe consequences, ranging from datasets without anomalies, which usually enables a greater degree
damage to physical devices (e.g., battery fires in EVs [16, 42]) to of generalization to previously unseen attacks. Compared to outlier
large-scale blackouts [44, 46]. Since security incidents can never be detection (which operate unsupervised, i.e., directly on data sets
completely ruled out, anomaly detection is an essential measure to with anomalies), we argue that semi-supervised novelty detection
ensure system resilience and trustworthiness under consideration is more appropriate for the considered use case, as the proposed IDS
of active adversaries. operators (i.e., CPOs) can be expected to already possess datasets
Several papers investigate the use of IDSs in the automotive without anomalies for training. While the use of novelty detection
context. For example, [29] propose and autoencoder-based IDS for has been investigated in the general smart grid context [4, 20], its
a vehicle’s internal Controller Area Network (CAN) bus. As another use for anomaly detection in the e-mobility sector is still an open
example, [40] consider the use of anomaly detection for Vehicle to issue.
Everything (V2X)-related interactions. In this work, we provide novelty over existing approaches by
Additionally, several papers investigate the use of IDSs in smart investigating the design of a charging session IDS that considers
grids under the consideration of relevant cyber-physical aspects. the detailed charging behavior throughout a session via regression-
For example, [27, 35] propose IDS solutions for the detection of based forecasting. Additionally, we consider both classification- and
malicious injected consumption/state estimate data. As another novelty detection-based IDS models as well as an ensemble method
example, [7, 31] consider IDS approaches for the detection of attacks that combines the strengths of both base models. Furthermore,
that directly manipulate a consumer’s demand. this paper provides novelty by evaluating the potential detection
Similarly, the use of IDS solutions in the e-mobility sector has performance for specific kinds of attacks patterns (random and
been investigated. For instance, [12] proposes a method for detec- targeted attacks with different anomaly magnitudes).
tion of cyber-attacks against EV batteries, such as denial-of-charge
attacks or overcharging of the battery, via an IDS in CPs. The au-
thors of [23] investigate the detection of message flooding attacks 3 SYSTEM MODEL
Fig. 1 shows the relevant actors and communications of the e-
1 https://code.fbi.h-da.de/seacop/ev-charging-ids-data-sets/ mobility system model for (semi-)public EV charging. EVs are

299
Detection of Anomalies in Electric Vehicle Charging Sessions ACSAC ’23, December 04–08, 2023, Austin, TX, USA

TLS Channel

TLS Channel Transaction Start

Charge
Electric Charge Authorization Charge Charge Authorization Point
Vehicle Point
Operator
(EV) Charge Parameter Exchange (CP) Charge Parameter Exchange (CPO)
Periodic Charge Status/Metering Periodic Transaction Updates

ISO 15118 Open Charge Point Protocol (OCPP)

Figure 1: e-Mobility System Model

recharged at CPs and both actors can communicate with each other a specific session (e.g., to incorporate the specific charging
using the international standard ISO 15118 [19]. CPs further com- needs of the current EV) or session independent. CPOs can
municate with their respective CPO using the de-facto standard use a variety of data during the generation of charging pro-
protocol Open Charge Point Protocol (OCPP) [36]. All communica- files, including capacity forecasts from power grid operators
tions channels are assumed to use Transport Layer Security (TLS) (not shown in Fig. 1).
in accordance to their specifications. The EV responds with its selected charging profile and op-
CPs in semi-public (e.g., workplace or customer parking) and tionally its planned energy consumption over time (e.g., if
public locations usually support charging speeds of 11 to 22 kW (on- the planned consumption is less than the allowed maximum).
board AC charging) or charging speeds of 50 to 350 kW (off-board Afterwards, the transfer of energy can start.
DC fast charging). These scenarios can result in a very high load on Charging Process. During a charging session, the session can be
power grids, which is why a grid-friendly way of scheduling charg- paused/continued and both parties can always start a re-
ing sessions is important. For this purpose, CPOs may distribute negotiation of the charging parameters/-profile. The CP’s
charging profiles to their CPs, which can implement load balancing energy meter periodically generates signed reports of the
by directly limiting the allowed energy consumption over time. consumed energy. The CP can optionally request an addi-
Alternatively, load balancing mechanisms are often based on price tional signature over these meter values from the EV. Signed
incentives to couple the goals of grid operators and customers (e.g., meter values are reported to the CPO for billing purposes.
cheaper prices during off-peak hours) [17, 32]. Besides charge sched- These meter values can be used for other purposes, e.g., by
uling, the e-mobility communication protocols support several use grid operators for state estimation or capacity forecasts. Ad-
cases as summarized in the following. ditionally, in the case of DC charging, the EV periodically
sends its target voltage/current to the CP with off-board
Charging Session Authorization. After an EV is connected to a charger.
CP, a TLS connection is established. Afterwards, the CP ver-
ifies the EV’s charging authorization status and registers the
start of a charging transaction with the CPO. The charging
authorization is based on an application layer challenge-
response protocol between CP and EV. The CP’s challenge is 4 ADVERSARY MODEL
a random nonce and the EV responds by creating a signature The EV charging system is a cyber-physical system and security
over this nonce using locally installed credentials (private vulnerabilities can cause severe physical and/or safety threats [49].
key and corresponding public key certificate). The CP can For instance, an adversary with control over an EV’s Battery Man-
verify the EV’s signature using the public key of the EV’s agement System (BMS) could cause physical damage to the EV’s
certificate. Charging authorization can optionally involve battery and potentially start a fire [16, 42] or an adversary with
additional validations by backend operators. control over a large amount of charging sessions could negatively
Charging Parameter Exchange. After an EV is authorized to affect grid stability and potentially cause major blackouts [44, 46].
charge at a CP, both actors exchange relevant charging pa- In this paper, we assume an adversary with control over several
rameters. The EV first sends its estimated required energy, CPs and/or EVs, motivated by the potentially large locally and re-
its supported current and voltage limits, and optionally its motely exploitable attack surfaces that these devices offer (cf., e.g.,
planned departure time. The CP responds with its current [6, 45] for EVs or [21, 51] for CPs). The assumption of adversary-
and voltage limits and with offered charging profiles. controlled CPs and/or EVs is further motivated by the existence of
A charging profile indicates the maximum allowed energy real-world exploits in the past, for example, the compromise of CPs
consumption over time along with associated tariffs. Charg- via an insecure local interface [11], the remote compromised of CPs
ing profiles are generated by CPO and are either defined for via their web interfaces [14], or the compromise of EV charging via

300
ACSAC ’23, December 04–08, 2023, Austin, TX, USA Dustin Kern, Christoph Krauß, and Matthias Hollick

an insecure charge control protocol [52]. However, since we inves- predictions for the training phase, the regression models are used
tigate the possibility of attack detection by CPOs, the respective in a k-fold method on the historic charging session data with simu-
backend systems are assumed to be secure. lated attacks. The output of the k-fold regression predictions is used
The adversary can use controlled CPs/EVs to conduct different as additional input for training of the detection model. To train the
attacks, which we differentiate into two groups based on whether classification-based detection model, anomalies (abnormal changes
they affect individual charging sessions (small-scale attacks with in charging behavior) are simulated in a subset of historic charging
one or more adversary-controlled CP and/or EV) or are coordinated session data using a randomization strategy. The novelty-based
over a large amount of charging sessions (large-scale attacks with detection model is directly trained on features from the historic
a large amount of adversary-controlled CPs and/or EVs): charging session data in combination with the k-fold regression pre-
Small-scale Attacks. The main concern of attacks on individual dictions. This IDS design enables the better detection of anomalies
charging sessions is physical damage to the local compo- during a session (based on the regression predictions) and allows
nents. Adversary-controlled CPs/EVs could ignore danger- us to compare the degree of generalization to previously unseen
ous operating conditions like battery overheating to poten- attacks between the random attack-based classification method and
tially cause a fire or manipulate charging behavior to shorten the novelty detection method (as evaluated in Section 6).
battery life and cause hazardous situations [16]. Further po- After offline training, the IDS can be used for anomaly detection
tential threats include financial damage via energy theft (e.g., during live operation. That is, the reported session information of
by reporting less than the actual charge) or a degradation CPs is used as an input to the fully trained regression models to
of service via an illegitimate denial/reduction of charging generate consumption predictions. Afterwards, the reported ses-
energy to EVs. sion information in combination with the consumption predictions
Large-scale Attacks. The main concern of large-scale coordinated are used as input to the trained detection model to generate a
attacks are threats to power grid stability. Several simulation- label (normal/anomalous) for the charging session. Additionally,
based studies investigate the potential negative effect of classification- and novelty-based detection models may be com-
adversary-controlled CPs/EVs to the grid [2, 24, 51], show- bined in an ensemble to combine the individual strengths of both
ing that power outages are possible if enough systems are approaches. In order to adjust for changes in the e-mobility sector
compromised. The adversary can affect power grid stability (e.g., new EVs with different charging behavior), the models are
by causing a significant imbalance in power demand and periodically re-trained with new charging session data.
generation. This can be achieved in two ways: (i) by ma-
nipulating any data that is reported to the backend for use 5.1 Offline Training
in power grid state estimation or capacity planning (e.g., Before the IDS is used during live operation, it is first trained offline,
reported meter values or planned future consumption), i.e., i.e., independent of current charging operations, based on historic
False Data Injection (FDI) attacks [28], or (ii) by directly al- charging session data. The charging session data is recorded by
tering the energy consumption of the controlled systems, CPOs as the transaction updates they receive from CPs via OCPP (cf.
i.e., Manipulation of demand (Mad) attacks [44]. Section 3). After initial training of the IDS, a CPO can further update
the set of historic session data with new sessions and periodically
5 IDS CONCEPT FOR EV CHARGING SESSION re-train the models to adapt to a changing e-mobility environment
ANOMALIES (e.g., the introduction of new/faster charging technologies).
Training a regression model based on this data requires appro-
Our concept of an IDS for EV charging sessions is shown in Fig. 2.
priate feature selection/engineering and further involves selection-
The IDS is operated by a CPO based on its CP’s charging sessions.
s/optimizations of the regression model itself. Similarly, training
The general idea is to use machine learning-based anomaly de-
a classification model also involves feature engineering as well as
tection methods for the identification of adversarial behavior in
model optimization and it further requires the design of an adequate
individual charging sessions. Anomaly detection is based on a hy-
attack simulation method. Details of the relevant design choices
brid approach, combining a detection model and semi-supervised
and processes of our proposed IDS are detailed in the following.
regression models. For the detection model, we consider two possi-
bilities: (i) a supervised classification model, or (ii) a semi-super- Regression-based Forecasting. The goal of the regression mod-
vised novelty detection model. Supervised classification requires a els is to predict the future charging behavior for a session
pre-labeled data set with normal and anomalous data for training based on past measurements. For this, the historic charg-
and is later used for predicting a label (normal/anomalous) for an ing data is converted to a training set which identifies, for
unlabeled charging session. In comparison, semi-supervised novelty each received meter value, the previous 𝑛 recorded charging
detection is trained on a data set with normal charging sessions and speeds of that session (filling with zeros for the start of a
later used to predict a label (normal/anomalous) for an unlabeled session). Besides the previous 𝑛 charging speeds, we consider
charging session. Similarly, semi-supervised regression is trained several other features with potential effect on the charging
with only data of normal charging sessions and later used to predict behavior, including: (i) the respective time in different reso-
the expected consumption over time for an unlabeled session. lutions (day, month, year, day of week, hour), (ii) whether
The regression models for anomaly detection during live opera- the respective day is a work day, (iii) if load balancing is
tion are directly trained based on features from historic charging applied, (iv) the relative time since the start of the charging
session data without attacks. Additionally, to generate consumption session, (v) the CP’s ID, and (vi) the potential capacity of the

301
Detection of Anomalies in Electric Vehicle Charging Sessions ACSAC ’23, December 04–08, 2023, Austin, TX, USA

(Periodic) Offline Training

Skipped for Novelty Detection

Historic Attack Labeled D. Feature Detector

Charge Data Simulation Session Data Extraction Training

R. Feature Regressor Consumption

Extraction Training Forecast

Anomaly Detection

R. Feature Regression Consumption

CPO
Extraction Models Forecast

Unlabeled D. Feature Detection

OCPP
Data

Session Data Extraction Model

Detection
Charging 1 to N Sessions
Output
CP EV with Potential
Sessions Adversaries

Figure 2: Concept of an IDS for EV Charging Sessions

CP. Different design choices are evaluated in Section 6. Several classification algorithms could be used for anomaly
As a regression algorithm, we consider random forest re- detection. Among the most popular are [34]: (i) support vec-
gression since it was shown in [30] to be a good choice for tor machines, (ii) neural networks, (iii) naïve bayes, (iv) deci-
the prediction of EV charging load. The prediction target sion trees, (v) ensemble methods, and (vi) k-nearest neighbor.
of the model are the next 𝑚 charging speeds, whereby for We consider and evaluate different implementations of these
each value of {1, ..., 𝑚} a unique regressor is used. Hence, the kinds of classification algorithms in Section 6. Additionally,
first output of the regressor training phase are 𝑚 regression we consider different features as shown in Table 1.
models, which can be used during anomaly detection. The Novelty Detection. The main difference between the training pro-
second output are consumption forecasts, which identify cess for the novelty detection-based design and that of the
the predicted charging speeds for historic charging session classification-based design is that no pre-labeled anomalous
data with simulated attacks. These consumption forecasts charging sessions are required. That is, the novelty detec-
are generated with a k-fold method. That is, the data is split tion method is only trained with normal charging sessions
into 𝑘 chunks and we successively use 𝑘 − 1 chunks to train and can then label a later charging session as normal or
regression models (on the data without attacks) and use these novel/anomalous. Popularly used novelty detection methods
models to predict charging speeds for the remaining chunk include [4, 20]: (i) one class support vector machines, (ii) lo-
(with attacks) until predictions are available for all 𝑘 chunks. cal outlier factor, (iii) elliptic envelope, and (iv) isolation
Classification-based Detection. The goal of the classification forest. For novelty detection, we consider and evaluate the
model is to label charging sessions as either normal or anoma- same features as for classification (cf. Table 1).
lous. A problem is that training a classifier requires a pre-
labeled data set of normal/anomalous charging session, how-
ever, no data sets exist that includes all (or any) of the con- 5.2 Anomaly Detection During Live Operation
sidered threats from Section 3. Hence, we propose the simu-
lation of an attack data set by inserting randomized generic During live operation a CPO can use their previously trained models
anomalies into the charging behavior of a part of the ex- for anomaly detection. That is, after the data of a charging session
isting historic charging session data. That is, we randomly has been received, the relevant regressor features are extracted
sample 𝑠% of sessions for attack simulation. Afterwards, we (same as during training) and the regression models are used to
randomly select {1, ..., 𝑟 } meter values per sampled session generate the consumption forecasts. Afterwards, the forecasts are
and change the selected value by a factor of {𝑥, ..., 𝑦}. In this used together with the session data to generate the relevant de-
process, the values of 𝑠, 𝑟, 𝑥, 𝑦 can be adjusted to optimize tection features (same as during training) and given to the trained
anomaly detection to the considered threats (cf. Section 6). detection model for anomaly prediction. The output of the anomaly
detection process is a classification of the session as either normal

302
ACSAC ’23, December 04–08, 2023, Austin, TX, USA Dustin Kern, Christoph Krauß, and Matthias Hollick

Table 1: Considered Detection Model Features and their Types/Resolutions

Feature Type/Resolution
– Total charge amount Absolute and in relation to the charging time
– Start and end timestamps Epoch, week, day, hour, day of week, etc.
– Work day True/False
High-Level
Features

– Load balancing True/False

– The CP’s ID Integer
– Potential capacity of the CP Floating Point Number
– EV State of Charge (SoC) Starting/end battery charge percentage
– Total length of the session Time in hour/seconds
– Amount of charging time during the session Absolute and in relation to the full session time
– Indicators of charging speed throughout the Max, min, mean, median, relation of mean to max
Charging
Behavior

session
– Amount of distinct charging speeds Absolute and in relation to amount of meter values
– Amount of changes in charging speed Absolute and in relation to amount of meter values
– Indicators of the 𝑚 predicted charging speeds Max, min, mean, median, relation of mean to max
Consumption
Predictions

throughout the session

– Indicators of the difference between the received Max, min, mean, median, relation of mean to max, mean
charging speed and the 𝑚 predicted charging speeds squared error
throughout the session

or anomalous together with a probability estimate, i.e., the detection IDS’s anomaly detection confidence output should be considered
model’s confidence in its prediction. during attack response, e.g., the automatic execution of more drastic
In order to take advantage of the strengths of both classification- response measures (with a relatively large impact on service quality
and novelty-based detection, the two methods can be combined in case of a false positive) should be limited to a high confidence
into one ensemble detector. Specifically, classification-based de- threshold. Detailed considerations of response measures, however,
tection usually provides a higher True Positive Rate (TPR) on are out-of-scope for this paper.
known/trained-on attacks and a lower TPR for previously unseen
attacks. However, novelty-based detection can usually generalize
better to previously unseen attacks, while incurring a higher False
6 IMPLEMENTATION AND EVALUATION
Positive Rate (FPR). To combine the two methods into an ensemble, To evaluate the proposed IDS, we use different public EV charging
we consider the use of a simple weighted voting method whereby data sets to represent a CPO’s historic charging sessions data. The
the weights are defined in relation to the respective detector’s con- used base sets are the three Adaptive Charging Network (ACN)
fidence in its prediction. That is, if a session is considered to be data sets [26] and the ElaadNL data set [13], which represent semi-
an anomaly if one detector has a high anomaly confidence or if public and public charging scenarios respectively. The ACN data
both detectors have a medium anomaly confidence. This ensemble sets are: (i) ACN Caltech, which contains data of 54 semi-public
method can, for instance, accommodate a novelty-based detection CPs in a university garage, (ii) ACN JPL, which contains data of 52
model’s potentially higher FPR by increasing the respective confi- workplace CPs from a national research lab, and (iii) ACN Office,
dence thresholds. The specific parameters for the ensemble method which contains data of 8 workplace CPs from an office building. The
depend on the used models/data sets and can be tuned towards: data sets contain detailed charging session metering data at mostly
(i) an optimal TPR/FPR trade-off based on training data with attacks 4 second intervals over a time period of roughly 2.5 to 3.5 years
(e.g., simulated) or (ii) an acceptable FPR level based on normal his- (depending on the data set). For our purposes, we only use one year
toric charging data without attacks (since FPR, i.e., the classification of each data set and transaction (i.e., the data received by CPOs)
of normal data as an anomaly, is independent of attacks). update intervals of 1 minute. The ElaadNL data set contains data
Depending on the anomaly detection output, the CPO can initiate from 850 public charging stations, which are operated by EVnetNL
appropriate containment/recovery measures in order to return the in the Netherlands, and contains detailed charging session metering
system to a secure state. For instance, compromised systems could data at 15-minute intervals over a time period of one year. All data
be taken out of service in order to isolate the attack [33] or systems sets are split into 11 months of training data (for hyperparameter
could be updated to fix existing vulnerabilities and return them optimizations/feature selection) and 1 month of testing data (for
to a secure software state [47]. Additionally, data/requests from final performance validations). Figure 3 shows one week of charging
compromised charging sessions could be discarded or delayed in sessions from the ACN JPL and ElaadNL data sets as an example
case of FDI attacks [22] and control over non-compromised systems (different line types/colors represent individual charge sessions).
could be used to counteract potential Mad attacks [43]. Notably, the Since no public data sets with real (or simulated) anomalies are
available, we insert simulated anomalies into the base data sets

303
Detection of Anomalies in Electric Vehicle Charging Sessions ACSAC ’23, December 04–08, 2023, Austin, TX, USA

16
amounts of time and either change existing charging session data
14 or create new data/sessions. In total, 3 random anomaly training
data sets, 30 random anomaly testing data sets, and 54 targeted
12
attack testing data sets are generated per base data set and provided
Charge Speed [kW]

10 in an online repository.1 Besides the data sets, the online repository

also includes the source code, which can be used to reproduce the
8
following evaluations.
6 For machine learning algorithms, we use the respective im-
plementations from the scikit-learn [37] framework. Specifi-
4
cally, for the regression models, we use RandomForestRegressor.
2 For the classification model, we use: LinearSVC, SGDClassifier,
and SVC (support vector machines); MLPClassifier (neural net-
0
14 15 16 17 18 19 20 work); BernoulliNB and GaussianNB (naïve bayes); Decision-
6− 06− 06− 06 − 06− 06− 06−
1 −0 1− 1− 1− 1− 1− 1− TreeClassifier (decision tree); AdaBoostClassifier, Random-
202 202 202 202 202 202 202
ForestClassifier, and ExtraTreesClassifier (ensemble meth-
(a) ACN JPL Data Set ods); and KNeighborsClassifier (k-nearest neighbor). For the
novelty detection model, we use: OneClassSVM and SGDOneClass-
SVM (one class support vector machines); EllipticEnvelope (el-
16
liptic envelope); IsolationForest (isolation forest); and Local-
14 OutlierFactor (local outlier factor).
To get a first evaluation of which detectors (classifiers or novelty
12
detection models) are appropriate for the data, we perform a 5-fold
Charge Speed [kW]

10 cross validation with each implementation on the training data. For

this, we only consider a basic parameter set of high-level features
8
(per session total charge amount/time, etc.; cf. Section 5.1). We
6 simulate anomalies by randomly selecting 20% of training sessions,
selecting a random number of features per session, and manipulat-
4
ing the selected values by a random factor of {0.0, ..., 0.8, 1.2, ..., 2.0}.
2 This setup is used for the hyperparameter tuning of all detec-
tors based on a grid-search over detector-specific parameter grids,
0
23 24 25 26 27 28 29 whereby we additionally consider the optional use of standardizing
7− 07− 07− 07− 07 − 07− 07−
9 −0 9− 9− 9− 9− 9− 9− the features using the scikit-learn StandardScaler (i.e., scaling
201 201 201 201 201 201 201
to unit variance) as some detectors perform better with standardized
(b) ElaadNL Data Set inputs (e.g., the MLPClassifier). The results of hyperparameter
tuning can be found in the online repository.1 The detection results
Figure 3: One Week of Charging Sessions over all data sets for the different classifiers are shown in Fig. 4 and
for the different novelty detection models in Fig. 5. Specifically, we
report the mean Receiver Operating Characteristic (ROC) curves,2
for later evaluations, as is standard practice in related research (cf. over the 5 folds, per optimized detector and per data set. The classi-
Section 2). To support reproducibility and to aid future research, fier results show that the MLPClassifier always provides the best
the used data sets with simulated anomalies are provided online.1 performance with the largest Area Under the Curve (AUC), usu-
We consider two types of anomalies, namely: (i) random anomalies, ally followed by the RandomForestClassifier and SVC (e.g., with
changing a random number of different values for randomly chosen AUCs of 0.92, 0.89, and 0.85 respectively for Fig. 4d). The novelty
sessions by a random factor, and (ii) targeted attacks based on [24], detection results show that the LocalOutlierFactor always pro-
which target power grid stability by means of synchronized changes vides the best performance with the largest AUC, usually followed
in charging behavior for different numbers of adversary-controlled by the EllipticEnvelope (e.g., with AUCs of 0.871 and 0.870 re-
EVs and/or CPs. The parameters for the generation of (i) random spectively for Fig. 5b, where the performance of both is the closest).
anomalies are described per evaluation, later in the text. The ran- Due to these results, all following evaluations are performed with
dom anomaly generation strategy may lead to inconsistent data, the MLPClassifier as classifier and the LocalOutlierFactor for
which may simplify detection. For (ii) targeted attacks, however, novelty detection.
we consider data consistency in order to model a more realistic To evaluate the usefulness of the different considered features
attack behavior. Additionally, we consider different attack patterns, (cf. Section 5.1), we perform a 5-fold cross validation with each im-
namely: (ii.1) synchronized increase or decrease in charging load plementation on the training data. For this, we simulate anomalies
of the affected systems at a specific time, (ii.2) a prepared demand
increase attack by means of a prior reduction in charging load to 2A ROC curve can represent a classifier’s trade-off between True Positive Rate (TPR)
increase the attack capacity, and (ii.3) slowly increasing alterations and False Positive Rate (FPR) based on its prediction probability estimates. A larger
in charging load over time. Additionally, attacks can last for varying Area Under the Curve (AUC) generally indicates better classification performance.

304
 0.8

True Positive Rate

OC curves 0.6

ACSAC ’23, December 04–08, 2023, Austin, TX, USA Dustin Kern, Christoph Krauß, and Matthias Hollick
0.4

random baseline (AUC = 0.5) random baseline (AUC = 0.5)

0.2
AdaBoostClassifier LocalOutlierFactor
BernoulliNB OneClassSVM
DecisionTreeClassifier SGDOneClassSVM
0.0
0.0
ExtraTreesClassifier 0.2 0.4 0.6 0.8 1.0 EllipticEnvelope
GaussianNB False Positive Rate IsolationForest
KNeighborsClassifier
LinearSVC
MLPClassifier
Mean ROC curves Mean ROC curves
RandomForestClassifier 1.0 1.0
0.6 0.8 1.0 SGDClassifier
itive Rate SVC 0.8 0.8

True Positive Rate

True Positive Rate

0.6 0.6

Mean ROC curves Mean ROC curves

1.0 1.0
0.4 0.4

0.8 0.8 random baseline (AUC = 0.5) ra

0.2 0.2 LocalOutlierFactor L
True Positive Rate

True Positive Rate

random baseline (AUC = 0.5) random baseline (AUC = 0.5)

OneClassSVM O
AdaBoostClassifier AdaBoostClassifier
0.6 0.6 SGDOneClassSVM S
BernoulliNB 0.0 BernoulliNB 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6
EllipticEnvelope 0.8 1.0 E
DecisionTreeClassifier DecisionTreeClassifier
False Positive Rate FalseIsolationForest
Positive Rate Is
0.4 0.4 ExtraTreesClassifier ExtraTreesClassifier
GaussianNB (a)GaussianNB
ACN Office Data Set (b) ACN Caltech Data Set
KNeighborsClassifier KNeighborsClassifier
0.2 0.2 LinearSVC LinearSVC
MLPClassifier MLPClassifier
0.0 0.0
RandomForestClassifier Mean ROC curves
RandomForestClassifier Mean ROC curves
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6
SGDClassifier 0.8 1.0 1.0 SGDClassifier 1.0
False Positive Rate FalseSVC
Positive Rate SVC
0.8 0.8
(a) ACN Office Data Set (b) ACN Caltech Data Set
True Positive Rate

True Positive Rate

0.6 0.6

Mean ROC curves Mean ROC curves

1.0 1.0
0.4 0.4

0.8 0.8 random baseline (AUC = 0.5) ra

0.2 0.2 LocalOutlierFactor L
True Positive Rate

True Positive Rate

random baseline (AUC = 0.5) random baseline (AUC = 0.5)

OneClassSVM O
AdaBoostClassifier AdaBoostClassifier
0.6 0.6 SGDOneClassSVM S
BernoulliNB 0.0 BernoulliNB 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6
EllipticEnvelope 0.8 1.0 E
DecisionTreeClassifier DecisionTreeClassifier
False Positive Rate FalseIsolationForest
Positive Rate Is
0.4 0.4 ExtraTreesClassifier ExtraTreesClassifier
GaussianNB (c)GaussianNB
ACN JPL Data Set (d) ElaadNL Data Set
KNeighborsClassifier KNeighborsClassifier
0.2 0.2 LinearSVC LinearSVC
MLPClassifier Figure 5: Evaluation of Novelty Detection
MLPClassifier
RandomForestClassifier RandomForestClassifier
0.0 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6
SGDClassifier 0.8 1.0 SGDClassifier
False Positive Rate FalseSVC
Positive Rate SVC

(c) ACN JPL Data Set (d) ElaadNL Data Set model predictions. The results clearly show the importance of the
consumption forecasts, resulting in a mean classification AUC of
Figure 4: Evaluation of Classifiers 0.88 with the ACN Caltech data set (cf. Fig. 6b).
We evaluate the performance of the optimized IDS on previously
unseen data using the testing data sets. Hereby, we consider random
exemplary as changes within a charging session by randomly se- changes in 20% of sessions, specifically, in 2–20% of meter values
lecting 20% of training sessions, randomly selecting 20% of reported per session by a random factor of {0.0, ..., 0.99, 1.01, ..., 2.0} as basic
charging speeds from those sessions and altering the selected values anomalies with varying magnitudes. Additionally, we consider at-
by a random factor of {0.0, ..., 0.8, 1.2, ..., 2.0}. These changes then tacks that specifically target grid stability based on [24], to evaluate
indirectly affect the corresponding features in the feature extraction detection performance w.r.t. previously unseen advanced attacks.
process. Additionally, we train 𝑚 = 5 regression models and gen- Specifically, these advanced attacks consist of coordinated increas-
erate the corresponding consumption forecasts for training of the ing and/or shifting the load of a random number of EVs to peak
detector. The results for classification and novelty detection, exem- grid load times. In total, we generate 140 attack data sets per base
plified on the ACN Caltech data set, are shown in Fig. 6. Specifically, data set. The results for classification and novelty detection over
we report the mean ROC curves, which consider different potential all data sets are shown in Fig. 7. Specifically, we show the TPRs in
feature sets: (i) basic parameter set of high-level features and charg- relation to the minimum considered anomaly magnitude, whereby
ing behavior details throughout the session (number of changes in we define the anomaly magnitude as the maximum load change
charging speed, etc.) and (ii) same as (i) with the all five regression during a session in relation to the respective CP potential capacity.

305
 1.0

0.8

e with variability
Detection of Anomalies in Electric Vehicle Charging Sessions ACSAC ’23, December 04–08, 2023, Austin, TX, USA

TPR/FPR
0.6

random baseline (AUC = 0.5)0.4 MLPClassifier TPR Basic Anomaly

MLPClassifier TPR Advanced Attack
ROC fold 0
MLPClassifier Mean FPR
ROC fold 1 LocalOutlierFactor TPR Basic Anomaly
0.2
ROC fold 2 LocalOutlierFactor TPR Advanced Attack
ROC fold 3 LocalOutlierFactor Mean FPR
ROC fold 4 0.0
0.05 0.10 0.15 0.20 0.25 0.30
Mean ROC Min. Anomaly Magnitude
± 1 std. dev. 1.0 1.0

0.8 0.8

Mean ROC curve with variability Mean ROC curve with variability

TPR/FPR

TPR/FPR
1.0 1.0 0.6 0.6
0.6 0.8 1.0
itive Rate random baseline (AUC = 0.5) random baseline (AUC = 0.5) MLPClassifier TPR Basic Anomaly MLPClassifier TP
0.8 0.8 0.4 0.4
ROC fold 0 (AUC = 0.55) ROC fold 0 (AUC = 0.92) MLPClassifier TPR Advanced Attack MLPClassifier TP
True Positive Rate

True Positive Rate

MLPClassifier Mean FPR MLPClassifier Me

ROC fold 1 (AUC = 0.63) ROC fold 1 (AUC = 0.85)
0.2 0.2 LocalOutlierFactor TPR Basic Anomaly LocalOutlierFacto
0.6 0.6 ROC fold 2 (AUC = 0.66) ROC fold 2 (AUC = 0.81) LocalOutlierFactor TPR Advanced Attack LocalOutlierFacto
ROC fold 3 (AUC = 0.61) ROC fold 3 (AUC = 0.91) LocalOutlierFactor Mean FPR LocalOutlierFacto
ROC fold 4 (AUC = 0.62) 0.0 ROC fold 0.15
4 (AUC0.20
= 0.89)0.25 0.0
0.4 0.4 0.05 0.10 0.30 0.05 0.10 0.15 0.20 0.25 0.30
Mean ROC Mean
Min. ROCAnomaly Magnitude Min. Anomaly Magnitude
± 1 std. dev. ± 1 std. dev.
0.2 0.2 (a) ACN Office Data Set (b) ACN Caltech Data Set

0.0 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0
1.0 1.0
False Positive Rate False Positive Rate

(a) Classifier w/o Forecasts (b) Classifier w/ Forecasts 0.8 0.8

MLPClassifier TP
TPR/FPR

TPR/FPR
0.6 0.6 MLPClassifier TP
MLPClassifier Me
Mean ROC curve with variability Mean ROC curve with variability LocalOutlierFacto
1.0 1.0 MLPClassifier TPR Basic Anomaly
0.4 0.4 LocalOutlierFacto
MLPClassifier TPR Advanced Attack
LocalOutlierFacto
random baseline (AUC = 0.5) random baseline (AUC = 0.5) MLPClassifier Mean FPR
0.8 0.8 0.2 0.2 LocalOutlierFactor TPR Basic Anomaly
ROC fold 0 (AUC = 0.56) ROC fold 0 (AUC = 0.90)
True Positive Rate

True Positive Rate

LocalOutlierFactor TPR Advanced Attack

ROC fold 1 (AUC = 0.57) ROC fold 1 (AUC = 0.84) LocalOutlierFactor Mean FPR
0.6 0.6 ROC fold 2 (AUC = 0.49) 0.0 ROC fold 2 (AUC = 0.88) 0.0
0.1 0.2 0.3 0.2 0.4 0.6 0.8
ROC fold 3 (AUC = 0.56) ROC foldAnomaly
Min. 3 (AUC =Magnitude
0.89) Min. Anomaly Magnitude
ROC fold 4 (AUC = 0.56) ROC fold 4 (AUC = 0.89)
0.4 0.4
Mean ROC (c) ACN
Mean ROCJPL Data Set (d) ElaadNL Data Set
± 1 std. dev. ± 1 std. dev.
0.2 0.2
Figure 7: Evaluation of Classification- and Novelty Detection-
0.0
0.0 0.2 0.4 0.6 0.8 1.0
0.0
0.0 0.2 0.4 0.6 0.8 1.0
based Detection Performance w.r.t. Anomaly Magnitude
False Positive Rate False Positive Rate

(c) Novelty Detect. w/o Forecasts (d) Novelty Detect. w/ Forecasts

levels of 0.03, 0.06, and 0.09 (optimized threshold values can be found
in online repository1 ). The results for all data sets are shown in
Figure 6: Evaluation of Feature Sets with ACN Caltech Fig. 8. The detection results of the ensemble method show how the
classification and novelty detection methods can complement each
other. That is, they show the possibility of tuning the IDS towards
Additionally, we show the mean FPR (independent of anomaly). The
a low FPR while maintaining a good detection rate for known
results with the classification model show overall good TPR and
attacks (i.e., the basic case with randomized generic anomalies)
low FPR, with the advanced attacks generally being more difficult
and generalization w.r.t. previously unseen attacks. Notably, one
to detect. The results with the novelty detection model show overall
a new kind of anomaly was identified by the novelty detection
a better TPR for the advanced attacks and usually comparable TPR
model, the characteristics of this anomaly may be included in attack
for the basic attacks (except for the ElaadNL data set). Addition-
simulations for the generation of training data for the classification
ally, the novelty detection FPR is always higher than that of the
model to further increase detection performance.
classification model.
Finally, we evaluate the detection performance of the IDS over
The previous evaluation (cf. Fig. 7) indicates that classification
time based on the ACN data sets (the ElaadNL data set does not
and novelty detection may complement each other in the form of a
cover a long enough time period). We consider random anomalies
detection ensemble for use in an IDS for EV charging sessions. For
in 20% of sessions, by a random factor of {0.0, ..., 0.8, 1.2, ..., 2.0} in
this, we implement an ensemble of the two methods as discussed
20% of meter values per session. The models are trained based on
in Section 5.2 based on the respective prediction confidence.3 The
one year of data and we report the 4-week averages of the daily
ensemble thresholds are optimized towards different maximum FPR
the LocalOutlierFactor, the prediction confidence is returned by the decision_-
3 For the MLPClassifier, the prediction confidence is returned by the predict_proba function method as a calculated signed distance metric of a charging session compared
method as probability estimates of a charging session being normal/anomalous. For to the trained normal model.

306
 ACSAC ’23, December 04–08, 2023, Austin, TX, USA Dustin Kern, Christoph Krauß, and Matthias Hollick

TPR Basic Anomaly (Max FPR 0.03) 1.0

TPR Advanced Attack (Max FPR 0.03)

Mean FPR ≤ 0.03 0.8
TPR Basic Anomaly (Max FPR 0.06) ACN Office TPR (mean=0.932)

TPR/FPR
TPR Advanced Attack (Max FPR 0.06) 0.6 ACN Office FPR (mean=0.004)
Mean FPR ≤ 0.06 ACN Caltech TPR (mean=0.696)
TPR Basic Anomaly (Max FPR 0.09) ACN Caltech FPR (mean=0.037)
0.4
TPR Advanced Attack (Max FPR 0.09) ACN JPL TPR (mean=0.866)
0.15 0.20 0.25 0.30 ACN JPL FPR (mean=0.019)
n. Anomaly Magnitude Mean FPR ≤ 0.09
0.2

1.0 1.0 0.0

0 10 20 30 40 50
Week
0.8 0.8
(a) Evaluation with Classifier-based Detection
TPR/FPR

TPR/FPR

0.6 0.6
TPR Basic Anomaly (Max FPR 0.03) TPR Basic
1.0 Anomaly (Max FPR 0.03)
TPR Advanced Attack (Max FPR 0.03) TPR Advanced Attack (Max FPR 0.03)
0.4 0.4 Mean FPR ≤ 0.03 Mean FPR ≤ 0.03
TPR Basic Anomaly (Max FPR 0.06) TPR Basic
0.8 Anomaly (Max FPR 0.06)
0.2 0.2 TPR Advanced Attack (Max FPR 0.06) TPR Advanced Attack (Max FPR 0.06)
Mean FPR ≤ 0.06 Mean FPR ≤ 0.06 ACN Office TPR (mean=0.918)

TPR/FPR
TPR Basic Anomaly (Max FPR 0.09) TPR Basic
0.6 Anomaly (Max FPR 0.09) ACN Office FPR (mean=0.156)
0.0 0.0 TPR Advanced Attack (Max FPR 0.09) TPR Advanced Attack (Max FPR 0.09) ACN Caltech TPR (mean=0.523)
0.05 0.10 0.15 0.20 0.25 0.30 0.05 0.10 0.15 0.20 0.25 0.30
Min. Anomaly Magnitude Mean FPR ≤ 0.09
Min. Anomaly Magnitude Mean FPR ≤ 0.09
ACN Caltech FPR (mean=0.038)
0.4
ACN JPL TPR (mean=0.693)
(a) ACN Office Data Set (b) ACN Caltech Data Set TPR Basic Anomaly (Max FPR 0.03)
ACN JPL FPR (mean=0.035)
TPR Advanced Attack (Max FPR 0.03)
0.2 ≤ 0.03
Mean FPR
TPR Basic Anomaly (Max FPR 0.06)
1.0 1.0 TPR Advanced Attack (Max FPR 0.06)
0.0
Mean FPR0≤ 0.06 10 20 30 40 50
TPR Basic Anomaly (Max FPR 0.09)
Week
0.8 0.8
TPR Advanced Attack (Max FPR 0.09)
Mean FPR ≤ 0.09
(b) Evaluation with Novelty Detection
TPR/FPR

TPR/FPR

0.6 0.6
TPR Basic Anomaly (Max FPR 0.03)
TPR Advanced Attack (Max FPR 0.03)
0.4 0.4 Mean FPR ≤ 0.03 1.0

TPR Basic Anomaly (Max FPR 0.06)

0.2 0.2 TPR Advanced Attack (Max FPR 0.06) 0.8
Mean FPR ≤ 0.06
TPR Basic Anomaly (Max FPR 0.09) ACN Office TPR (mean=0.946)
TPR/FPR

0.0 0.0 TPR Advanced Attack (Max FPR 0.09) ACN Office FPR (mean=0.004)
0.1 0.2 0.3 0.2 0.4 0.6 0.8 0.6
Min. Anomaly Magnitude Mean FPR ≤ 0.09
Min. Anomaly Magnitude ACN Caltech TPR (mean=0.712)
ACN Caltech FPR (mean=0.013)
(c) ACN JPL Data Set (d) ElaadNL Data Set 0.4
ACN JPL TPR (mean=0.862)
ACN JPL FPR (mean=0.02)
0.2
Figure 8: Evaluation of Ensemble Detection Performance
w.r.t. Anomaly Magnitude
0.0
0 10 20 30 40 50
Week
TPR and FPR over one following year in Fig. 9. As only random (c) Evaluation with Ensemble-based Detection
anomalies are considered, a steady FPR can be seen as the main
performance indicator for this evaluation as it indicates that normal Figure 9: Evaluation of Detection Performance over Time
changes in the e-mobility sector over time do not get wrongly
identified as anomalies. The results show overall a relatively steady
performance w.r.t. TPR and FPR for the classifier-based detection resilience, and trustworthiness by enabling the detection of related
method (cf. Fig. 9a) and indicate that a yearly re-training cycle cyber-physical attacks. Moreover, the proposed IDS can have an
is adequate. Similarly, the novelty detection approach (cf. Fig. 9b), important impact with regards to keeping up with regulations,
while it generally shows more variance in its performance, shows no as regulatory requirements for security concepts (including IDSs)
significant decrease over time. Most notably, the ensemble-based become more and more common (cf., e.g., the requirement for Ger-
detection approach (cf. Fig. 9c), optimized towards a maximum man critical infrastructure operators to implement attack detection
FPR of 0.02, shows very stable performance that is comparable or systems starting from 1 May 2023 [15]). Regarding the practical
better than the performance of the classifier-based method. This applicability of IDSs in general, a major hurdle can be high FPRs
observation shows the proposed ensemble method can even provide leading to alarm burnout [3]. Notably, our proposed concept tries
an advantage over a purely classifier-based approach when only to address this issue by including a method for tuning detection
considering known attacks (in this case, the randomized anomalies). performance towards an acceptable FPR threshold. This method
In summary, the evaluation shows that our IDS concept can showed good robustness in our tests and thus enhances the practical
overall provide a positive contribution on EV charging security, usability of the IDS.

307
Detection of Anomalies in Electric Vehicle Charging Sessions ACSAC ’23, December 04–08, 2023, Austin, TX, USA

7 CONCLUSION [5] Defense Use Case. 2016. Analysis of the cyber attack on the Ukrainian power
grid. Electricity Information Sharing and Analysis Center (E-ISAC) 388 (2016).
Adversarial manipulations of EV charging behavior can cause major [6] Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav
cyber-physical risks, e.g., physical damage to components or threats Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, Ta-
dayoshi Kohno, et al. 2011. Comprehensive experimental analyses of automotive
to the stability of the power grid. An important part in addressing attack surfaces.. In USENIX Security Symposium, Vol. 4. San Francisco, 2021.
this threat is automated attack detection. [7] Gong Chen, Yanfeng Qu, and Dong Jin. 2022. Cyber-Physical Simulation Testbed
To this end, we propose a hybrid IDS for EV charging sessions. for MadIoT Attack Detection and Mitigation. In Proceedings of the 2022 ACM
SIGSIM Conference on Principles of Advanced Discrete Simulation. 59–60.
The system incorporates regression-based charging behavior pre- [8] Yu-Wei Chung, Mervin Mathew, Cole Rodgers, Bin Wang, Behnam Khaki,
dictions with anomaly detection. The use of regression-based pre- Chicheng Chu, and Rajit Gadh. 2020. The framework of invariant electric vehicle
dictions allows the system to even detect stealthy/advanced attacks charging network for anomaly detection. In IEEE Transportation Electrification
Conference & Expo.
during a charging session that may not be detectable based on high- [9] David Coats, Harish Suryanarayana, Zhenyuan Wang, Alex Brissette, Yuzhi
level session summary features. We consider two types of anom- Zhang, VR Ramanan, Don Scoffield, Duncan Woodbury, Nick Haltmeyer, and
Austin Benzinger. 2021. Cybersecurity for Grid Connected eXtreme Fast Charging
aly detection methods, namely: (i) a classification-based method (XFC) Station (CyberX). Technical Report. ABB, Inc.
and (ii) a novelty detection-based method. The classification-based [10] Jesus Cumplido, Cristina Alcaraz, and Javier Lopez. 2022. Collaborative Anomaly
method provides a high detection rate for known attacks with a Detection System for Charging Stations. In European Symposium on Research in
Computer Security. Springer, 716–736.
low false alarm rate while offering low generalization to previously [11] Mathias Dalheimer. 2017. Chaos Computer Club hacks e-motor charging stations.
unseen attacks. The novelty detection method, however, provides https://www.ccc.de/en/updates/2017/e-motor
a high degree of generalization while incurring also a high false [12] Satadru Dey and Munmun Khanra. 2020. Cybersecurity of Plug-In Electric
Vehicles: Cyberattack Detection During Charging. IEEE Transactions on Industrial
alarm rate. To combine the strengths of both methods, we propose Electronics (2020).
the use of an ensemble of classification and novelty detection. [13] ElaadNL. 2019. ElaadNL Open EV Charging Transactions. platform.elaad.io/
download-data/
We implement and evaluate the system with real-world charg- [14] Hossam ElHussini, Chadi Assi, Bassam Moussa, Ribal Atallah, and Ali Ghrayeb.
ing data and simulated attacks. The evaluation of different design 2021. A tale of two entities: Contextualizing the security of electric vehicle
choices identified the combination of random forest-based regres- charging stations on the power grid. ACM Transactions on Internet of Things 2, 2
(2021), 1–21.
sion, artificial neural network-based classification, and local outlier [15] Federal Office for Information Security. 2023. FAQ on attack detection
factor-based novelty detection as suited for the use-case. Evalu- systems. https://www.bsi.bund.de/EN/Themen/KRITIS-und-regulierte-
ations with more complex/coordinated attacks show the ability Unternehmen/Kritische-Infrastrukturen/KRITIS-FAQ/FAQ-Systeme-
Angriffserkennung/faq-systeme-angriffserkennung_node.html
to generalize to previously unseen anomalies. Additionally, the [16] Andreas Fuchs, Dustin Kern, Christoph Krauß, and Maria Zhdanova. 2020. Secur-
possibility of optimizing the ensemble detection method towards ing electric vehicle charging systems through component binding. In International
Conference on Computer Safety, Reliability, and Security. Springer, 387–401.
a low false alarm rate is shown. Further evaluations of detection [17] Lingwen Gan, Ufuk Topcu, and Steven H Low. 2012. Optimal decentralized
performance over time indicate one year as a reasonable re-training protocol for electric vehicle charging. IEEE Transactions on Power Systems 28, 2
frequency for the IDS. (2012), 940–951.
[18] IEA. [n. d.]. Global EV Outlook 2022. www.iea.org/reports/global-ev-outlook-
Future work may further investigate the effects of the intercon- 2022
nection between e-mobility and power grid in the IDS context. For [19] ISO/IEC. 2014. Road vehicles – Vehicle-to-Grid Communication Interface – Part 2:
instance, the future use of Vehicle to Grid (V2G) power transfer may Network and application protocol requirements. ISO Standard 15118-2.
[20] MZH Jesmeen, J Hossen, and Azlan Bin Abd Aziz. 2021. Unsupervised anom-
open up new attack vectors as well as options regarding IDS design aly detection for energy consumption in time series using clustering approach.
and feature engineering, which should be considered. Additionally, Emerging Science Journal 5, 6 (2021), 840–854.
[21] Jay Johnson, Timothy Berg, Benjamin Anderson, and Brian Wright. 2022. Review
the combined use of data sources from the e-mobility and power of Electric Vehicle Charger Cybersecurity Vulnerabilities, Potential Impacts, and
grid domains in an IDS offers room for further research. Defenses. Energies 15, 11 (2022), 3931.
[22] Mohammad Ekramul Kabir, Mohsen Ghafouri, Bassam Moussa, and Chadi Assi.
2021. A two-stage protection method for detection and mitigation of coordinated
ACKNOWLEDGMENTS EVSE switching attacks. IEEE Transactions on Smart Grid 12, 5 (2021), 4377–4388.
This research work has been partly funded by the German Federal [23] Abdollah Kavousi-Fard, Tao Jin, Wencong Su, and Navid Parsa. 2020. An Effective
Anomaly Detection Model for Securing Communications in Electric Vehicles.
Ministry of Education and Research and the Hessian Ministry of IEEE Transactions on Industry Applications (2020).
Higher Education, Research, Science and the Arts within their joint [24] Dustin Kern and Christoph Krauß. 2021. Analysis of E-Mobility-based Threats
support of the National Research Center for Applied Cybersecurity to Power Grid Resilience. In Computer Science in Cars Symposium. 1–12.
[25] Dustin Kern and Christoph Krauß. 2023. Detection of e-Mobility-based Attacks
ATHENE and the Deutsche Forschungsgemeinschaft (DFG, German on the Power Grid. In 2023 53rd Annual IEEE/IFIP International Conference on
Research Foundation) – project number 503329135. Dependable Systems and Networks (DSN). IEEE, 352–365.
[26] Zachary J. Lee, Tongxin Li, and Steven H. Low. 2019. ACN-Data: Analysis
and Applications of an Open EV Charging Dataset. In Proceedings of the Tenth
REFERENCES International Conference on Future Energy Systems (Phoenix, Arizona) (e-Energy
[1] Sajjad Abedi, Ata Arvani, and Reza Jamalzadeh. 2015. Cyber security of plug-in ’19).
electric vehicles in smart grids: application of intrusion detection methods. In [27] Xiaoxue Liu, Peidong Zhu, Yan Zhang, and Kan Chen. 2015. A collaborative
Plug In Electric Vehicles in Smart Grids. Springer, 129–147. intrusion detection mechanism against false data injection attack in advanced
[2] Samrat Acharya, Yury Dvorkin, and Ramesh Karri. 2020. Public plug-in electric metering infrastructure. IEEE Transactions on Smart Grid 6, 5 (2015), 2435–2443.
vehicles+ grid data: Is a new cyberattack vector viable? IEEE Transactions on [28] Yao Liu, Peng Ning, and Michael Reiter. 2011. False data injection attacks against
Smart Grid (2020). state estimation in electric power grids. ACM Transactions on Information and
[3] Bushra A Alahmadi, Louise Axon, and Ivan Martinovic. 2022. 99% False Positives: System Security (2011).
A Qualitative Study of { SOC } Analysts’ Perspectives on Security Alarms. In 31st [29] Stefano Longari, Daniel Humberto Nova Valcarcel, Mattia Zago, Michele Carmi-
USENIX Security Symposium (USENIX Security 22). 2783–2800. nati, and Stefano Zanero. 2020. CANnolo: An anomaly detection system based on
[4] Mohammad Ashrafuzzaman, Saikat Das, Yacine Chakhchoukh, Sajjan Shiva, and LSTM autoencoders for controller area network. IEEE Transactions on Network
Frederick T Sheldon. 2020. Detecting stealthy false data injection attacks in the and Service Management 18, 2 (2020), 1913–1924.
smart grid using ensemble-based machine learning. Computers & Security 97 [30] Yiqi Lu, Yongpan Li, Da Xie, Enwei Wei, Xianlu Bao, Huafeng Chen, and Xi-
(2020), 101994. ancheng Zhong. 2018. The application of improved random forest algorithm on

308
ACSAC ’23, December 04–08, 2023, Austin, TX, USA Dustin Kern, Christoph Krauß, and Matthias Hollick

the prediction of electric vehicle charging load. Energies 11, 11 (2018), 3207. Poschmann, and Samarjit Chakraborty. 2013. Security challenges in automotive
[31] Srinidhi Madabhushi and Rinku Dewri. 2021. Detection of Demand Manipulation hardware/software architecture design. In 2013 Design, Automation & Test in
Attacks on a Power Grid. In International Conference on Privacy, Security and Europe Conference & Exhibition (DATE). IEEE, 458–463.
Trust. IEEE. [43] Mohammad Ali Sayed, Mohsen Ghafouri, Ribal Atallah, Mourad Debbabi, and
[32] Maigha and M. L. Crow. 2016. Cost-constrained dynamic optimal electric vehicle Chadi Assi. 2023. Protecting the Future Grid: An Electric Vehicle Robust Miti-
charging. IEEE Transactions on Sustainable Energy 8, 2 (2016), 716–724. gation Scheme Against Load Altering Attacks on Power Grids. arXiv preprint
[33] Seyedamirabbas Mousavian, Melike Erol-Kantarci, Lei Wu, and Thomas Ortmeyer. arXiv:2308.07526 (2023).
2017. A risk-based optimization model for electric vehicle infrastructure response [44] Saleh Soltan, Prateek Mittal, and H Vincent Poor. 2018. BlackIoT: IoT botnet
to cyber attacks. IEEE Transactions on Smart Grid 9, 6 (2017), 6160–6169. of high wattage devices can disrupt the power grid. In 27th USENIX Security
[34] Ali Bou Nassif, Manar Abu Talib, Qassim Nasir, and Fatima Mohamad Dakalbab. Symposium.
2021. Machine learning for anomaly detection: A systematic review. Ieee Access [45] Florian Sommer, Jürgen Dürrwang, and Reiner Kriesten. 2019. Survey and
9 (2021), 78658–78700. classification of automotive security attacks. Information 10, 4 (2019), 148.
[35] Xiangyu Niu, Jiangnan Li, Jinyuan Sun, and Kevin Tomsovic. 2019. Dynamic [46] Bo Wang, Payman Dehghanian, Shiyuan Wang, and Massimo Mitolo. 2019. Elec-
detection of false data injection attack in smart grid using deep learning. In 2019 trical safety considerations in large-scale electric vehicle charging stations. IEEE
IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT). Transactions on Industry Applications 55, 6 (2019), 6603–6612.
IEEE, 1–6. [47] Jacob Wurm, Yier Jin, Yang Liu, Shiyan Hu, Kenneth Heffner, Fahim Rahman,
[36] OCA. 2020. Open Charge Point Protocol 2.0.1. Open Standard. Open Charge and Mark Tehranipoor. 2016. Introduction to cyber-physical system security: A
Alliance, Netherlands. www.openchargealliance.org/protocols/ocpp-201/ cross-layer perspective. IEEE Transactions on Multi-Scale Computing Systems 3, 3
[37] F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. (2016), 215–227.
Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vanderplas, A. Passos, D. Cour- [48] Yue Yang and Jiarou Li. 2022. Electric Vehicle Charging Anomaly Detection
napeau, M. Brucher, M. Perrot, and E. Duchesnay. 2011. Scikit-learn: Machine Method Based on Multivariate Gaussian Distribution Model. In Proceedings of
Learning in Python. Journal of Machine Learning Research 12 (2011), 2825–2830. the Asia Conference on Electrical, Power and Computer Engineering. 1–6.
[38] Marco AF Pimentel, David A Clifton, Lei Clifton, and Lionel Tarassenko. 2014. A [49] Jin Ye, Lulu Guo, Bowen Yang, Fangyu Li, Liang Du, Le Guan, and Wenzhan
review of novelty detection. Signal processing 99 (2014), 215–249. Song. 2020. Cyber–physical security of powertrain systems in modern electric
[39] Panagiotis I Radoglou-Grammatikis and Panagiotis G Sarigiannidis. 2019. Se- vehicles: Vulnerabilities, challenges, and future visions. IEEE Journal of Emerging
curing the smart grid: A comprehensive compilation of intrusion detection and and Selected Topics in Power Electronics 9, 4 (2020), 4639–4657.
prevention systems. IEEE Access 7 (2019), 46595–46620. [50] Stefano Zanero. 2018. When cyber got real: Challenges in securing cyber-physical
[40] Thomas Rosenstatter, Tomas Olovsson, and Magnus Almgren. 2021. V2C: A Trust- systems. In 2018 IEEE SENSORS. IEEE, 1–4.
Based Vehicle to Cloud Anomaly Detection Framework for Automotive Systems. [51] Maria Zhdanova, Julian Urbansky, Anne Hagemeier, Daniel Zelle, Isabelle Her-
In Proceedings of the 16th International Conference on Availability, Reliability and rmann, and Dorian Höffner. 2022. Local Power Grids at Risk–An Experimental
Security. 1–10. and Simulation-based Analysis of Attacks on Vehicle-To-Grid Communication.
[41] Ron Ross, Victoria Pillitteri, Richard Graubart, Deborah Bodeau, and Rosalie In Annual Computer Security Applications Conference. 42–55.
McQuaid. 2019. Developing Cyber Resilient Systems: A Systems Security Engineering [52] Ce Zhou, Qiben Yan, Zhiyuan Yu, Eshan Dixit, Ning Zhang, Huacheng Zeng, and
Approach. NIST SP 800-160. Alireza Safdari Ghanhdari. 2023. ChargeX: Exploring State Switching Attack on
[42] Florian Sagstetter, Martin Lukasiewycz, Sebastian Steinhorst, Marko Wolf, Electric Vehicle Charging Systems. arXiv preprint arXiv:2305.08037 (2023).
Alexandre Bouard, William R Harris, Somesh Jha, Thomas Peyrin, Axel

309