Embed Size (px)
Citation preview
IN , SECONDDEGREE PROJECT WIRELESS SYSTEMS 120 CREDITSCYCLE
, STOCKHOLM SWEDEN 2016
Design of Optimal Energy FlowControl with Privacy-CostTrade-Off in Smart Grids
HUI ZHU
KTH ROYAL INSTITUTE OF TECHNOLOGY
SCHOOL OF ELECTRICAL ENGINEERING
Abstract
As a promising field, the development of smart grid has drawn more and moreattention from many countries. A smart meter plays a significant role in asmart grid. It replaces the traditional electricity meter with the ability to fre-quently transmit instantaneous energy consumptions of the consumer to theenergy provider of the smart grid. From the view of electricity suppliers, it isbeneficial for planning, controlling and billing. However, from consumers’ per-spective, the high-resolution energy record may lead to privacy problem, whichmeans the consumers’ behaviour can be revealed by analysing the smart meterreadings.
In this thesis project, we will focus on the privacy leakage problem of the smartmeter. We study the problem of optimal privacy-cost trade-o� in a smart gridequipped with an energy provider, an alternative energy source, a smart meter,and an energy control unit. The privacy leakage is modelled as unauthorizeddetections of the consumer’s behaviours based on the smart meter readings ofenergy supplies from the energy provider. The control strategy is designed tomanage the energy inflows to satisfy the instantaneous energy demands of theconsumer and also to optimally trade o� the privacy risk and energy cost. Toevaluate the privacy risk, we use a Bayesian detection-operational privacy met-ric. Di�erent scenarios are considered for which we show that their optimizationproblems can be reduced to linear programmings. Therefore, based on this ob-servation, we propose optimal control strategy design algorithms to solve theoptimization problems e�ciently.
Sammanfattning
Inom ett potentiellt område, har utvecklingen av smarta elnät dragit mer ochmer uppmärksamhet från många länder. En smart elmätare spelar en signifikantroll i ett smart elnät. Den ersätter den traditionella elmätaren med förmågan attofta överföra den momentana energiförbrukning som konsumenten mottar av en-ergileverantören av smarta elnät. Från elleverantörens sida, är det fördelaktigtför planering, styrning och fakturering. Men från konsumenternas perspektivkan den högupplösta energiförbrukningen leda till integritetsproblem, vilket in-nebär att konsumenternas beteende kan avslöjas genom att analysera de smartamätaravläsningarna.
I detta projekt kommer vi fokusera på integritetsproblemen som dessa mätareger upphov till. Vi studerar problemet med att balansera integritetsproblemeti ett smart elnät bestående av en energileverantör, en alternativ energikälla, ensmart mätare, och en energistyrenhet. Den personliga integriteten äventyras dåen obehörig kan få tillgång till konsumentens beteende baserat på de smartamätvärdena av energiförbrukningen från energileverantören. Kontrollstrateginär utformad för att hantera energiinflödet för att tillfredsställa de momentanaenergibehov konsumenten har, och även för att optimalt avväga privatlivs riskoch energikostnader. För att utvärdera den personliga integriteten risk, an-vänder vi en Bayesiansk upptäckt dvs. operativ integritets uträkning. Olikascenarier beaktas och deras optimeringsproblem kan reduceras till linjära pro-grammeringar. Baserat på observationen är motsvarande kontrollstrategi meddesignade algoritmer att föredra.
Acknowledgment
I would like to express my deep gratitude to Assoc. Prof. Tobias Oechteringat the department of Communication Theory of Royal Institute of Technology(KTH), for providing me the opportunity to work on the master thesis projectand supervising it. I would like to express my special gratitude and thanks tomy supervisor Mr. Zuxing Li, PhD student at KTH, for his constant super-vision and careful proofreading as well as for his support and encouragementin completing the project. Also my thanks to all my dear friends with whomI have a meaningful two-year master life in Stockholm. Finally, my dedicatedgratitude goes to my parents for their constant support during my studies.
Contents
1 Introduction 11.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Literature Review . . . . . . . . . . . . . . . . . . . . . . . . . . 31.3 Project Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . 41.4 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Background 52.1 Bayesian Detection Theory . . . . . . . . . . . . . . . . . . . . . 52.2 Convex Optimization . . . . . . . . . . . . . . . . . . . . . . . . . 6
3 Smart Grid Model 93.1 General Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 93.2 Mathematical Definitions . . . . . . . . . . . . . . . . . . . . . . 103.3 Privacy Leakage Problem . . . . . . . . . . . . . . . . . . . . . . 11
4 Optimal Energy Flow Control 134.1 Bayesian Hypothesis Detection Model of Privacy Leakage . . . . 134.2 Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164.3 Optimal Energy Flow Control with Privacy-Cost Trade-O� . . . 17
4.3.1 Problem Formulation . . . . . . . . . . . . . . . . . . . . 174.3.2 Person-by-Person Optimality . . . . . . . . . . . . . . . . 184.3.3 Linear Programming . . . . . . . . . . . . . . . . . . . . . 194.3.4 Person-by-Person Optimization Algorithm . . . . . . . . . 22
4.4 Optimal Flow Control Based on Accumulated Information . . . . 234.4.1 Bayesian Hypothesis Detection Model for Privacy Leakage 234.4.2 Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244.4.3 Problem Formulation and Algorithm Design . . . . . . . . 25
5 Simple Case Study 285.1 Simple Case Settings . . . . . . . . . . . . . . . . . . . . . . . . . 285.2 Control Based on Instantaneous Information . . . . . . . . . . . 29
5.2.1 Energy Flow Control Matrix . . . . . . . . . . . . . . . . 295.2.2 Implementation of Person-by-Person Optimization Algo-
rithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305.3 Control Based on Accumulated Information . . . . . . . . . . . . 34
5.3.1 Energy Flow Control Matrix . . . . . . . . . . . . . . . . 345.3.2 Implementation of Person-by-Person Optimization Algo-
rithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
i
5.4 Model Without Privacy-Preserving Scheme . . . . . . . . . . . . 365.5 Numerical Results . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.5.1 Privacy-Cost Trade-O� . . . . . . . . . . . . . . . . . . . 375.5.2 Privacy Enhancement . . . . . . . . . . . . . . . . . . . . 39
6 Conclusions and Future Work 416.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
ii
List of Figures
1.1 A minute-level load profile of a typical day for a home.[17] . . . . 2
2.1 Graph of a convex function. [4] . . . . . . . . . . . . . . . . . . . 62.2 A simple convex set and non-convex set. The set on the right is
non-convex since the line segment between two points has somepart which is not contained in the set. [4] . . . . . . . . . . . . . 8
3.1 Smart grid model. . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1 Smart grid model without privacy-preserving schemes. . . . . . . 365.2 Privacy-cost trade-o�s for the optimal energy control designs
{púYt|Xt,Zt
}tœT and {púYt|Xt,Zt,Y t≠1}tœT . . . . . . . . . . . . . . . . 38
5.3 Enhancement of privacy-preserving performance of model withcontrol based on instantaneous information with ⁄ = 0.15. . . . . 39
5.4 Enhancement of privacy-preserving performance of model withcontrol based on accumulated information with ⁄ = 0.6. . . . . . 40
iii
List of Tables
5.1 Settings of conditional p.m.f.s {pXt,Zt|H}tœ{1,2} . . . . . . . . . . 295.2 Energy flow control matrix �t based on the instantaneous infor-
mation in time slot t œ {1, 2} . . . . . . . . . . . . . . . . . . . . 305.3 Implementation of person-by-person optimization algorithm for
control based on instantaneous information (to be continued inTable 5.4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5.4 Implementation of person-by-person optimization algorithm forcontrol based on instantaneous information (continued from Ta-ble 5.3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.5 Energy flow control matrix �2
based on the accumulated infor-mation in time slot 2 . . . . . . . . . . . . . . . . . . . . . . . . . 35
iv
Chapter 1
Introduction
1.1 MotivationBetter management of energy consumption plays a significant role in achievingsustainable development of energy use. In the traditional electrical grid, util-ity provider usually cannot predict energy demand, which prevents the energyproviders perfectly matching the energy supplies with the demands. Sometimes,the provided energy is far more than the actual demands, which results in a greatwaste of energy and might also lead to additional Green-house Gas emissions.
Therefore, in order to realize e�cient management of energy generation anddistribution, more and more traditional power grids are upgraded to smart gridsin recent years. The smart grid is an energy network which operates followingthe real-time consumer’s energy demand through control and communicationtechnologies [5]. Electronic power conditioning as well as the control of theproduction and distribution of electricity are important aspects of the smartgrid [16].
From the perspective of the suppliers, intelligent communications assist toflatten the peak demand. For example, during peak-demand time periods, somesmart appliances will be turned o� and energy storage will supply part of theenergy demand, which reduces the energy provided for the peak demand. Infor-mation systems of the smart grid could implement predictive analysis on energydata collected by the smart meters, which enables utilities to predict demand sothat energy generation can be better matched with demand. Meanwhile, newenergy sources and storage technologies can be appropriately jointly managedwith traditional energy generator by means of the demand prediction. From theperspective of the consumers, they can manage their usage of energy accordingto time-of-use (TOU) energy price, which results in a reduction of the electric-ity bill [14]. Consumer will also benefit from the new energy storage source onenergy cost-savings.
However, along with these advantages come the new privacy/security chal-lenges. Since the smart meter performs high-frequency energy data collectionand reporting, consumers’ behavior can be revealed from smart meter readingswhich are full of information about the residential appliance usage [10]. Fig-ure 1.1 shows a minute-level load profile of a typical day for a home. It isobvious to see from the figure that the residents’ behavior can be detected from
1
the changes in energy consumptions due to appliance switch-on/o� events[22].For example, the residents’ presence at home can be revealed from the sev-eral peaks during 7:00 AM - 9:00 AM and 16:30 PM - 23:00 PM. Meanwhile,on observing the peaks belonging to the consumption of water heater during7:00 AM - 9:00 AM, one can infer that the resident may take a shower in themorning. Since Figure 1.1 is a load profile in a minute level, according to ourintuition, there should be more leakage of consumer’s privacy than a day-levelload profile. And it is proved in [15] that di�erent monitoring granularity willidentify di�erent consumption patterns. With low granularity of data, one canonly identify consumers’ presence. With high granularity of data, one can evenidentify the activities of appliances with burst power such as kettles or co�eemachines. If the high-resolution smart meter readings are taken illegal use ofby an adversary, many privacy/security risks will be exposed. As the author in[8] said, one can even identify the TV channels being watched by the resident.So privacy leakage problem has become an urgent issue to solve with the moreand more deployment of smart meters.
Figure 1.1: A minute-level load profile of a typical day for a home.[17]
However, since reporting fine-granular consumption measurements is veryessential for control and communication systems in a smart grid, we cannotavoid revealing privacy-sensitive energy consumption data of the consumer ifwe want to realize the e�cient management of energy generation and distri-bution [7]. So necessary privacy-preserving schemes should be proposed whenhandling privacy-sensitive data. The smart grid is expected to completely re-place the traditional electricity grid. Therefore, the solution to the privacyleakage problem has become a crucial research topic.
2
1.2 Literature ReviewPrivacy leakage problem has become a potential privacy threat along with thewide deployment of smart meters. Therefore, privacy issues in smart grid are amain focus of current research.
Di�erent privacy-preserving schemes have been developed regarding the smartmeter privacy problem. Generally, they can be classified into these categories:anonymization[6], aggregation[3], encryption[12], obfuscation[11], negotiation[18]and energy management[9]. In [6], the authors anonymized the identity of high-frequency metering data. A secure third party escrow mechanism was proposedfor this authenticated anonymous metering data. In [3], a trusted third party(TTP) was designed as an aggregation proxy. The TTP sumed up all smart me-ters’ readings during one period and sent the aggregation data to the electricitysupplier (ES) in order to prevent ES detecting consumers’ behavior from indi-vidual energy consumption. And the authors showed that the proposed solutionwith TTP performs perfectly under certain conditions. In [12], an encryptionmethod was proposed to protect the privacy of a consumer through the dataaggregation of smart meters readings of the consumer and his neighbours. Ob-fuscation scheme was exploited in [11]. It obfuscated the privacy-prone datawhile guaranteeing the performance of state estimation. In the regional trans-mission organizations (RTOs), a new competitive-privacy problem was intro-duced in [18], which deals with conflicting desires of sharing data to guaranteenetwork reliability and hiding data for secure and privacy reasons. To solve thisproblem, a lossy source coding problem formulation was used and a trade-o�between utility and privacy was approached.
There have been some literatures putting forward solutions to the privacypreserving smart metering system based on di�erent reporting time granularitiesof the smart meter. In [13], the proposed system guaranteed the secure storageof smart meter readings and supported multiple time granularities. In thissystem, the consumer granted a service provider an access right over smartmeter readings at a specific time granularity. The granted service provider wasonly allowed to get the power consumption at a time unit of this specified timegranularity in order to prevent the consumer’s privacy being exposed to anunauthorized provider.
Our area of interest is the implementation of energy management technol-ogy in solving privacy problem of smart meter. We will analyse the e�ect ofthe distortion of reported measurements to enhance the consumer’s privacy.The distortion can be realized by the rechargeable battery or alternative en-ergy source. There have been some relevent research works in this area. In[9], the authors introduced an energy management scheme using a rechargeablebattery and implementing a power mixing algorithm. And they also proposedthree di�erent privacy metrics to evaluate the privacy leakage degree. In [8], theauthors showed that privacy preservation can be achieved by using alternativeenergy source. They characterized the privacy-power function from an informa-tion theoretic perspective. Energy harvesting and storage devices can be jointlyutilized to residences to mitigate the privacy leakage. In [16], energy harvesting(EH) mechanisam enabled the integration of renewable resources such as solarenergy and wind energy. It showed that EH enhanced the privacy-preservingperformance and a rechargeable battery improved both the privacy preservationand energy e�ciency, since they all reduced the consumers’ dependence on the
3
energy supplier. In [22], the authors proposed an on-line control algorithm ofthe battery operations, which can solve the privacy problem and also cut downthe electricity bill.
Some previous works on smart meter privacy analyse the privacy leakageproblem from a perspective of information theory, e.g., privacy leakage is mea-sured by the relative entropy (Kullback Leibler distance) [9] and mutual in-formation rate [8]. In [19], a new framework abstracting both the privacy andutility was presented by jointly using the tools of information theory and hiddenMarkov model.
1.3 Project ObjectivesIn this project, we study the privacy leakage problem from a Bayesian detection-operational perspective. First, a simple smart grid model needs to be set upand detection-operational privacy metric should be proposed. Based on the es-tablished model, its detection-operational privacy risk should be characterized.Meanwhile, the energy cost-saving should be taken into account. Finally, theoptimal energy flow control design with privacy-cost trade-o� should be identi-fied.
1.4 OutlineThe rest of the thesis is organized as follow: Chapter 2 introduces the studiedsmart grid model. A general description of the smart grid model is given.We also explain the mathematical definitions of the smart grid settings andparameters which will be used in the following studies.
Then a brief introduction of the background about the methods we use inthis thesis will be given in Chapter 3, including the Bayesian detection theoryand convex optimization.
An optimal energy control strategy is studied in Chapter 3. First, we focuson the control strategy based on instantaneous information. Detailed evalua-tions of the minimal Bayesian risk of the adversary and the expected energy-costsaving of the consumer are given. A privacy-cost trade-o� problem formulationis proposed. Next, a person-by-person optimization algorithm is proposed tosolve the privacy-trade-o� problem. After studying the design of control strat-egy based on instantaneous information, we further study the control strategydepending on the accumulated information in a similar way.
In Chapter 4, the privacy-cost trade-o� problem is studied for a simplecase. A detailed explanation for the implementation of the person-by-personoptimization algorithm is given. The numerical results of the simulation areshown along with a comprehensive analysis.
In Chapter 5, a summary of the obtained results is given along with futureworks.
4
Chapter 2
Background
In this chapter, we briefly introduce the background of the methods we use inthis thesis. Since we formulate the problem as a Bayesian hypothesis detectionproblem, first the Bayesian detection theory will be introduced. Then therewill be a brief description of convex optimization and linear programming. Thelatter is the optimization tool used to obtain the optimal control strategy inorder to achieve a privacy-cost trade-o�.
2.1 Bayesian Detection TheoryThe book [21] gives a comprehensive introduction to Bayesian detection theory.When a detector uses Bayesian detection as the decision rule, minimizing theBayesian risk or average cost will be the objective to make a decision.
Now, let us consider a simple binary hypothesis testing problem with thetwo hypotheses denoted by H
0
and H1
. Based on the observation y defined onthe domain Y, the detector makes a decision H
0
or H1
to infer on the hypoth-esis realization. Let r(Hi, Hj)i,jœ{0,1} denote the cost of making a decision Hi
when hypothesis Hj is true. The prior probabilities of the two hypotheses aredenoted by P (H
0
) and P (H1
) respectively. Suppose that the observation y isgenerated following the two conditional densities p(y|H
0
) and p(y|H1
). We havethe Bayesian risk R as:
R =1ÿ
i=0
1ÿ
j=0
r(Hi, Hj)P (Hi, Hj) (2.1)
which can be further expanded as
R = r(H0
, H1
)P (H1
) + r(H1
, H0
)P (H0
)
≠ÿ
yœYP (H
0
|y)1!
r(H1
, H0
) ≠ r(H0
, H0
)"P (y|H
0
)P (H0
)2
≠ÿ
yœYP (H
1
|y)1!
r(H0
, H1
) ≠ r(H1
, H1
)"P (y|H
1
)P (H1
)2
(2.2)
where P (H0
|y) and P (H1
|y) are probabilities of deciding hypothesis H0
and H1
by the detector based on the observation y. Assuming r(H1
, H0
) > r(H0
, H0
),
5
Figure 2.1: Graph of a convex function. [4]
r(H0
, H1
) > r(H1
, H1
), the minimization of the Bayesian risk results in a like-lihood ratio test (LRT):
P (y|H1
)P (y|H
0
)H1?H0
!r(H
1
, H0
) ≠ r(H0
, H0
)"P (H
0
)!r(H
0
, H1
) ≠ r(H1
, H1
)"P (H
1
)(2.3)
If specific choices of cost r(Hi, Hj)i,jœ{0,1} and prior probabilities P (H0
),P (H
1
) are assigned, the LRT will be reduced to the following special cases:
• r(H1
, H1
) = r(H0
, H0
) = 0, r(H1
, H0
) = r(H0
, H1
) = 1.
P (y|H1
)P (y|H
0
)H1?H0
P (H0
)P (H
1
) (2.4)
Minimal probability of error (min PE).
• r(H1
, H1
) = r(H0
, H0
) = 0, r(H1
, H0
) = r(H0
, H1
) = 1and P (H
0
) = P (H1
)
P (y|H1
)P (y|H
0
)H1?H0
1 (2.5)
Maximum likelihood (ML).
2.2 Convex OptimizationIn [4], a comprehensive discussion of convex optimization is given. Here, we willgive a brief explanation of the relevant knowledge about convex optimizationused in this thesis.
• Convex Functions
Geometrically, if a function f is convex, any line segment between (x, f(x))and (y, f(y)), which is the so-called chord from x to y, lies on or abovethe graph of f (Figure 2.1)
6
Algebraically, if a function f is convex, for any x and y, and ◊ with0 Æ ◊ Æ 1, we have
f(◊x + (1 ≠ ◊)y) Æ ◊f(x) + (1 ≠ ◊)f(y) (2.6)
We say f is concave if ≠f is convex, i.e., the chord from x to y lies on orbelow the graph of f .Therefore it is easy to find that linear functions are both convex andconcave.
• Convex Optimization Problem
An optimization problem can be solved by convex optimization, if all con-straints of the problem are convex functions and the objective is a convexfunction if minimizing, or a concave function if maximizing. A convexoptimization problem is one of the form
minimize f0
(x)subject to fi(x) Æ bi, i = 1, ..., m
(2.7)
where the functions f0
, ... ,fm: IRn æ IR are convex, i.e., satisfy
fi(–x + —y) Æ –fi(x) + —fi(y)
for all x, y œ IRn and all –, — œ IR with – + — = 1, – Ø 0, — Ø 0
• Convex Set
In a convex optimization problem, a set C is convex if the line segmentbetween any two points in C lies in C, i.e., for any x
1
, x2
œ C and any ◊with 0 Æ ◊ Æ 1, we have
◊x1
+ (1 ≠ ◊)x2
œ C
Figure 2.2 shows a convex set on the left-hand side and a non-convex seton the right-hand side.With a convex objective and a feasible convex set, there exists only oneoptimal solution, which is also the global optimal.Hyperplanes and halfspaces are important examples of convex sets whichwe will encounter in the following studies. A hyperplane is a set of theform
{x|aT x = b},
where a œ IRn, a ”= 0 and b œ IR. A hyperplane divides IRn into twohalfspaces. A halfspace is a set of the form
{x|aT x Æ b},
where a ”= 0
7
Figure 2.2: A simple convex set and non-convex set. The set on the right isnon-convex since the line segment between two points has some part which isnot contained in the set. [4]
• Convex vs. Non-convex
For non-convex optimization problems, it will take exponential time to getan optimal solution and determine that the optimal solution is a globaloptimal. However, convex problems can be solved e�ciently and reliablyeven for large sizes. A variety of methods can be implemented to solve theconvex optimization problem. This is the reason why we should try to re-duce non-convex problems into convex problems if possible. In this thesis,we use CVX [1], a MATLAB software for disciplined convex programming,to solve the optimization problem.
• Linear Programming Problems
According to (2.7), a linear programming problem is a special case of aconvex optimization problem. The methods for convex optimization prob-lems can also be used to solve linear programming problems. Generally, alinear programming problem is defined as
minimize cT x
subject to aTi (x) Æ bi, i = 1, ..., m
(2.8)
where the objective and constraint functions are all linear. Here the vec-tors c, a
1
, ..., am œ IRn and scalars b1
, ..., bm œ IR are problem parametersthat specify the objective and constraint functions.
8
Chapter 3
Smart Grid Model
In this chapter, the studied smart grid model is described in detail. We considerthe smart grid model shown in Figure 3.1.
3.1 General DefinitionsThe considered smart grid model consists of the following parts:
• Consumer (C)having di�erent demand profiles corresponding to di�erent behaviours,such as heating water, using co�ee machine, etc. Some behaviours maystay unchanged in a time period, such as watching TV, taking a shower,etc.
• Alternative Energy Source (AE)an energy source installed in consumer’s residence, independently provid-ing random amount of energy to a consumer. It should be noted that thispart of energy will not be recorded by smart meter and is free of charge.
• Control Unit (CU)a control center in the consumer’s residence, requesting an energy supplyfrom energy provider according to an optimal control strategy by observingconsumer’s energy demand and the energy provided by AE. The optimalcontrol strategy of CU should always guarantee the instantaneous energydemand of the consumer and optimally trade o� the privacy-preservingand cost-saving objectives.
• Smart Meter (SM)an electronic device that records consumer’s energy consumption frequentlyand communicates the information back to the energy provider for moni-toring and billing.
• Energy Provider (EP)the utility provider for providing energy to consumer, also taking chargeof billing and monitoring.
9
C(H)
EPAE
CU SM ^
ZT
YT AD
(H)YT
YT
XT
Figure 3.1: Smart grid model.
• Adversary (AD)an informed and greedy adversary, who has access to the smart meterreadings and infer on the privacy behaviours of consumer. In practice, anAD can be a compromised authorized manager of AE.
3.2 Mathematical DefinitionsIn the following, we will denote a random variable by a capital letter, its realiza-tion by the lower-case letter, and its definition domain by the calligraphic letter.Let XT stand for a random vector [X
1
, . . . , XT ] and xT stand for a realizationvector [x
1
, . . . , xT ].In the smart grid model shown in Figure 3.1, we represent an energy flow
by a solid arrow and an information flow by a dashed arrow. We quantize theenergy demands and supplies to convert an infinite number of possibilities toa finite number of conditions. In this way, we discretize the continuous energyflows in real life in order to decrease the complexity of the proposed smart gridmodel. We set proper quantization levels so that avoid the loss of precisioncaused by discretizing the energy flows as much as possible. Therefore, each ofthe energy supplies and demands are defined on a finite domain. With a T -slottime period T = {1, . . . , T}, the accumulated energy demands and supplies arediscretized and reported at discrete times.
• Consumer (C)As mentioned in Section 3.1, the consumer might have di�erent privacybehaviours which may stay unchanged during this T -slot time period.Therefore, the random private behaviour of C during the T -slot time pe-riod T is modelled as an n-ary hypothesis H. Conditioned on the be-haviour realisation h, an m-ary instantaneous energy demand Xt, t œ T ,is independently generated.
• Alternative Energy Source (AE)A k-ary random energy supply Zt, t œ T , is independently generated byAE.
• Control Unit (CU)On observing Xt and Zt, CU requests an s-ary energy supply Yt, t œ T
10
from EP according to the optimal control strategy, which satisfies theinstantaneous energy demand Xt jointly with energy supply Zt from AEand reduce energy cost as much as possible.
• Smart Meter (SM)The smart meter (SM) records the energy supplies Y T during the T -slottime period T from EP.
• Adversary (AD)The smart meter readings Y T are assumed to be intercepted by an ADto infer on the private behaviour of the consumer by making a guess H,which leads to a privacy leakage problem.
For the consumer, the n-ary behaviour hypothesis H is defined on the domainH = {h
1
, . . . , hn} during the time period T and is generated following the priordistribution pH(·). Given each hypothesis realization h œ H, we assume thatthe energy demand Xt of the consumer in a time slot t œ T is conditionallyindependently generated according to the p.m.f. pXt|H(·|h) and is defined onthe domain X = {x
1
, . . . , xm}. In the same time slot t, we also assume that theenergy supply Zt from the alternative energy source is independently generatedaccording to the p.m.f. pZt
(·) and is defined on the domain Z = {z1
, . . . , zk}.Based on (xt, zt) œ X ◊ Z only, the control unit requests a random energysupply Yt defined on the domain Y = {y
1
, . . . , ys} from the energy provider intime slot t according to the strategy
Yt = �t(xt, zt)
which is characterized by the p.m.f. pYt|Xt,Zt(·|xt, zt). Here, it is assumed that
max(Y) + min(Z) Ø max(X ) such that there exist energy control strategieswhich can always meet the instantaneous energy demand of the consumer bythe energy supplies. Note that we assume all energy demands and supplies aredefined on finite sets
3.3 Privacy Leakage ProblemThe privacy leakage problem considered here is that the smart meter readings ofenergy supplies from the energy provider Y T are utilized by the adversary, whichmight be the energy provider itself, to infer on the behaviour of the consumer,i.e., to make a guess H defined on the domain H. Given the observations of theadversary yT œ YT , denote the decision strategy of the adversary by
H = �(yT )
which can be characterized by the p.m.f. as pˆH|Y T (·|yT ). Here, it is assumed
that the adversary is informed and greedy:
• Informed
– Has the information of observation yT .
– Has full knowledge of smart grid settings: (conditional) p.m.f.s pH ,{pXt|H}tœT , {pZt
}tœT and {pYt|Xt,Zt}tœT .
11
• Greedy
– Infers on the private behaviour of the consumer by making an optimaldecision.
To solve the privacy leakage problem, a privacy risk metric needs to bedefined first. Then using the proposed metric, we design the energy flow controlstrategy to suppress the privacy leakage to the informed and greedy adversary.
In this thesis, privacy leakage is modelled as an unauthorized Bayesian de-tection of the adversary on the behaviour hypothesis. We assume {pXt|H}tœT ,and {pZt
}tœT are all fixed and we focus on studying the property of the energyflow control strategy {pYt|Xt,Zt
}tœT .
12
Chapter 4
Optimal Energy FlowControl
In this chapter, we will give a comprehensive explanation of the privacy leak-age problem from the perspective of Bayesian hypothesis detection. First, theachievable minimal Bayesian risk of the adversary will be selected as the metricfor privacy. The expected energy cost-savings constraints will be taken intoaccount along with privacy-preserving objective. Next, the privacy-cost trade-o� problem will be formulated, which will lead to the design principle for theoptimal energy control strategy. It will be shown that the complex problem canbe reduced to a set of linear programming problems in the proposed person-by-person optimization algorithm. In the end, we extend the study on a morepowerful control unit based on the accumulated information.
4.1 Bayesian Hypothesis Detection Model of Pri-vacy Leakage
For an adversary in a smart grid, the smart meter privacy leakage is gener-ally interpreted as the uncertainty of the adversary about consumer’s privatebehaviour based on his observations. In other words, more uncertainty of theadversary means less privacy leakage of the consumer. To model the privacyleakage problem from a more operational perspective, the Bayesian hypothesisdetection model is implemented in this thesis project.
According to the Bayesian detection theory, to represent the Bayesian risk,the detection costs of the adversary need to be known. They are assigned follow-ing our privacy-preserving design interest. Let r(h, h) with (h, h) œ H2 denotethe detection cost of the adversary to make a decision h when the behaviourhypothesis realization is h. As mentioned before, H denotes the n-ary behaviourhypothesis defined on the domain H = {h
1
, ..., hn} during the T -slot time periodT = {1, . . . , T}. Based on these parameters, the Bayesian risk of the adversary“ could be expanded as
13
“ =ÿ
(
ˆh,h)œH2
r(h, h)pˆH,H(h, h)
=ÿ
(
ˆh,h)œH2
ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
r(h, h)pˆH,H,XT ,Y T ,ZT (h, h, xT , yT , zT )
=ÿ
(
ˆh,h)œH2
ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
r(h, h)pˆH|H,XT ,Y T ,ZT (h|h, xT , yT , zT )pH,XT ,Y T ,ZT (h, xT , yT , zT )
=ÿ
(
ˆh,h)œH2
ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
r(h, h)pˆH|Y T (h|yT )pY T |H,XT ,ZT (yT |h, xT , zT )pH,XT ,ZT (h, xT , zT )
=ÿ
(
ˆh,h)œH2
ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
r(h, h)pˆH|Y T (h|yT )pY T |XT ,ZT (yT |xT , zT )
pXT |H,ZT (xT |h, zT )pH,ZT (h, zT )
=ÿ
(
ˆh,h)œH2
ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
r(h, h)pˆH|Y T (h|yT )pY T |XT ,ZT (yT |xT , zT )
pXT |H(xT |h)pZT |H(zT |h)pH(h)
=ÿ
(
ˆh,h)œH2
ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
r(h, h)pˆH|Y T (h|yT )pY T |XT ,ZT (yT |xT , zT )
pXT |H(xT |h)pZT (zT )pH(h)
=ÿ
(
ˆh,h)œH2
ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
r(h, h)pˆH|Y T (h|yT )pH(h)
Ÿ
tœTpYt|Xt,Zt
(yt|xt, zt)pXt|H(xt|h)pZt(zt)
(4.1)Now the Bayesian risk of the adversary “ is obtained. Since the prior dis-
tribution of the behaviour hypothesis pH , the smart grid settings {pXt|H}tœT ,{pZt
}tœT , {pYt|Xt,Zt}tœT , and the detection costs {r(h, h)}
(
ˆh,h)œH are given, itis obvious to see that “ is a function of the decision strategy of the adversaryp
ˆH|Y T and the energy flow control strategy {pYt|Xt,Zt}tœT . Since the adversary
is greedy, the optimal decision strategy �ú or púˆH|Y T
will always be used toachieve the minimal Bayesian risk “ú as shown in (4.2).
“ú({pYt|Xt,Zt}tœT ) = min
pH|Y T
“(pˆH|Y T , {pYt|Xt,Zt
}tœT ) (4.2)
14
The problem is a centralized detection problem. Substituting (4.1) in (4.2)leads to the optimal decision strategy for the adversary as shown in (4.3). Theoptimal decision strategy �ú is a deterministic likelihood test depending on{pYt|Xt,Zt
}tœT .
�ú(yT , {pYt|Xt,Zt}tœT )
= arg minˆhœH
Y______]
______[
ÿ
hœHr(h, h)pH(h)
ÿ
xT œX T
ÿ
zT œZT
Ÿ
tœTpYt|Xt,Zt
(yt|xt, zt)pXt|H(xt|h)pZt(zt)
¸ ˚˙ ˝likelihood: pY T |H (yT |h)
Z______
______\
(4.3)
Thus, the achievable minimal Bayesian risk is
“ú({pYt|Xt,Zt}tœT )
=ÿ
yT œYT
minˆhœH
Iÿ
hœHr(h, h)pH(h)
ÿ
xT œX T
ÿ
zT œZT
Ÿ
tœTpYt|Xt,Zt
(yt|xt, zt)pXt|H(xt|h)pZt(zt)
J
(4.4)
In this study, we use the minimal Bayesian risk of the adversary “ú as theprivacy metric for the considered smart meter privacy leakage problem. From(4.4), “ú is found to be a function with respect to energy flow control strat-egy {pYt|Xt,Zt
}tœT . Our privacy-preserving objective is to decrease the privacyleakage as low as possible, which means to increase the minimal Bayesian riskof the adversary as high as possible. According to this principle, we maximizethe minimal Bayesian risk of the adversary “ú by designing the optimal energyflow control strategy {pYt|Xt,Zt
}tœT .
There is an upper bound on “ú independent of {pYt|Xt,Zt}tœT as
“ú Æ minˆhœH
Iÿ
hœHr(h, h)pH(h)
J
(4.5)
where the constant term on the right-hand side is the Bayesian risk when theadversary always makes the decision h œ H regardless of any observation yT œYT .
15
4.2 UtilitiesDue to the implementation of the alternative energy source in consumer’s resi-dence, which supplies the energy to consumer free of charge, consumer can getq
tœT (xt ≠ yt) amount of free energy. In practice, the cost per unit energy sup-ply from the energy provider is generally time-variant. Let ct denote the costper unit energy supply in a time slot t œ T . So the energy cost-saving for theconsumer in the time slot t is (xt ≠ yt)ct. The expected energy cost-saving ◊during time period T given the smart grid design is evaluated as follows:
◊ =ÿ
xT œX T
ÿ
yT œYT
pXT ,Y T (xT , yT )ÿ
tœTct(xt ≠ yt)
=ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
ÿ
hœHpXT ,Y T ,ZT ,H(xT , yT , zT , h)
ÿ
tœTct(xt ≠ yt)
=ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
ÿ
hœHpY T |XT ,ZT ,H(yT |xT , zT , h)pXT ,ZT ,H(xT , zT , h)
ÿ
tœTct(xt ≠ yt)
=ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
ÿ
hœHpY T |XT ,ZT (yT |xT , zT )pXT |ZT ,H(xT |zT , h)pZT ,H(zT , h)
ÿ
tœTct(xt ≠ yt)
=ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
ÿ
hœHpY T |XT ,ZT (yT |xT , zT )pXT |H(xT |h)pZT |H(zT |h)pH(h)
ÿ
tœTct(xt ≠ yt)
=ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
ÿ
hœHpY T |XT ,ZT (yT |xT , zT )pXT |H(xT |h)pZT (zT )pH(h)
ÿ
tœTct(xt ≠ yt)
=ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
ÿ
hœHpH(h)
Y]
[Ÿ
jœTpYj |Xj ,Zj
(yj |xj , zj)pXj |H(xj |h)pZj(zj)
Z^
\ÿ
tœTct(xt ≠ yt)
(4.6)
From (4.6), we discover that the expected energy cost-saving ◊ during timeperiod T is also a function of {pYt|Xt,Zt
}tœT , which could be written as ◊({pYt|Xt,Zt}tœT )
as well.Besides the utility of cost-saving, the energy control strategy should always
meet the instantaneous energy demand of the consumer as well, i.e., we have aconstraint of pYt|Xt,Zt
(yt|xt, zt) = 0, if xt > yt + zt.
16
4.3 Optimal Energy Flow Control with Privacy-Cost Trade-O�
4.3.1 Problem Formulation
According to (4.4) and (4.6), the energy control strategy {pYt|Xt,Zt}tœT can be
designed to suppress the privacy risk or to reduce the energy cost. However,the two objectives do not necessarily lead to the same design of energy controlstrategy. Here, we take both objectives into account to design an optimal en-ergy control strategy which can achieve a trade-o� between the two objectives.Given the smart grid settings pH , {pXt|H}tœT , {pZt}tœT , the detection costs{r(h, h)}
(
ˆh,h)œH2 , and the cost per unit energy supply {ct}tœT , the privacy-costtrade-o� problem can be formulated as
{púYt|Xt,Zt
}tœT = argmaxpYt|Xt,Zt
œPt,’tœT“ú({pYt|Xt,Zt
}tœT )
s.t. ◊({pYt|Xt,Zt}tœT ) Ø ⁄
(4.7)
where ⁄ is the lower bound constraint on the expected cost-saving which canbe decided by us. Note that there exist a feasible range for ⁄. The expectedenergy cost-saving constraint should be set within this feasible range, otherwisethere is no feasible control strategies.
A Pt is a set of {pYt|Xt,Zt}tœT defined as
Pt =
Y___]
___[pYt|Xt,Zt
:
pYt|Xt,Zt(yt|xt, zt) Ø 0, ’(xt, yt, zt)
pYt|Xt,Zt(yt|xt, zt) = 0, if xt > yt + zt
ÿ
ytœYpYt|Xt,Zt
(yt|xt, zt) = 1, ’(xt, zt)
Z___
___\. (4.8)
Note that the definition of Pt guarantees that the instantaneous energy de-mand of the consumer can be always satisfied at time t. In the formulatedproblem (4.7), the main objective to suppress the privacy risk to the lowest isconstrained by a guaranteed amount of expected cost-saving ⁄.
17
4.3.2 Person-by-Person Optimality
In the following, we will show an approach to the proposed trade-o� problem in(4.7). Note that (4.7) is not a convex optimization problem. So it is di�cult toderive the global optimal energy flow control strategy {pú
Yt|Xt,Zt}tœT by solving
(4.7) directly. Here, the person-by-person optimality argument is adopted todecompose (4.7) into simpler problems.
Remark 1. For any t œ T , the global optimal strategy púYt|Xt,Zt
is also a person-by-person optimal strategy given {pú
Yj |Xj ,Zj}jœ(T \{t})
.
The person-by-person optimality argument is self-evident. If it is violated,we can always find a person-by-person optimal strategy p�
Yt|Xt,Ztsuch that
“ú(p�
Yt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
) > “ú(púYt|Xt,Zt
, {púYj |Xj ,Zj
}jœ(T \{t})
), i.e., theassumption that pú
Yt|Xt,Ztis the global optimal strategy is violated.
In our problem formulation, there should be an optimal strategy for everytime slot. Remark 1 enlightens us to solve (4.7) in an alternative way. Given thesmart grid settings pH , {pXt|H}tœT , {pZt
}tœT , detection costs {r(h, h)}(
ˆh,h)œH2 ,the cost per unit energy supply {ct}tœT , and the optimal control strategies{pú
Yj |Xj ,Zj}jœ(T \{t})
, the problem (4.7) reduces to
púYt|Xt,Zt
= argmaxpYt|Xt,Zt
œPt
“ú(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
)
s.t. ◊(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
) Ø ⁄(4.9)
The explanation for (4.9) is, in a T -slot time period, if we know the optimalcontrol strategies for all the other slots except for the t-th slot, we can use theseinformation to derive the person-by-person optimal control strategy in time slott, which is the global optimal for time slot t.
However, the formulation of objective function (4.9) depends on the optimaldecision strategy of the adversary. To determine the objective formulation andfinally solve the trade-o� problem, we still need to further study the propertiesof (4.9).
18
4.3.3 Linear Programming
Now, we will further derive the properties of (4.9). It will be proved that (4.9)can be solved by a set of linear programmings.
The objective “ú(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
) of (4.9) can be expanded inthe following way.
“ú(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
)
=ÿ
yT œYT
minˆhœH
Iÿ
hœHr(h, h)pH(h)
ÿ
xT œX T
ÿ
zT œZT
pYt|Xt,Zt(yt|xt, zt)
pXt|H(xt|h)pZt(zt)
Ÿ
jœT ,j ”=t
púYj |Xj ,Zj
(yj |xj , zj)pXj |H(xj |h)pZj(zj)
Z^
\
(4.10)
(4.10) has di�erent formulations depending on the optimal decision strategy ofthe adversary �ú, which further depends on the energy control strategy pYt|Xt,Zt
.It has been shown that �ú is a deterministic strategy. However, it does not nec-essarily indicates that the adversary will use this deterministic strategy only tomake a decision. Actually, other random strategies may also be utilized by theadversary. In our case, we only consider these deterministic strategies for theadversary for simplicity. Since Y T and H are defined on finite sets with q = sT
and n elements respectively, there are l = nq deterministic decision strategiesfor the adversary. Denote a deterministic decision strategy of the adversary by�i and 1 Æ i Æ l. We can decompose (4.10) into l optimization problems eachof which has a unique objective formulation corresponding to a deterministicdecision strategy as the optimal strategy for the adversary. So the feasible con-trol strategy domain Pt is also decomposed into l corresponding subsets each ofwhich consists of control strategies leading to the same deterministic strategyas the optimal strategy for the adversary.
A feasible control strategy subset Pút (�i) is defined in (4.11). It character-
izes the optimality of �i in terms of pYt|Xt,Zt. Given h and yT , a constraint in
(4.11) could be represented as a linear function ft of pYt|Xt,Ztshown in (4.12).
(4.11) satisfies the greedy detection setting for the adversary, which means theadversary makes decisions according to decision strategy �i if the energy flowcontrol strategy pYt|Xt,Zt
is in the subset Pút (�i).
19
Pút (�i) =
Y________]
________[
pYt|Xt,Ztœ Pt :
’yT œ YT and ’h œ H,
ÿ
hœH(r(h, h) ≠ r(�i(yT ), h))pH(h)
Iÿ
xT œX T
ÿ
zT œZT
pYt|Xt,Zt(yt|xt, zt)
pXt|H(xt|h)pZt(zt)
Ÿ
jœT ,j ”=t
púYj |Xj ,Zj
(yj |xj , zj)pXj |H(xj |h)pZj(zj)
Z^
\ Ø 0
Z________
________\
(4.11)
ft(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
, h, �i(yT ), yT )
=ÿ
hœH(r(h, h) ≠ r(�i(yT ), h))pH(h)
Iÿ
xT œX T
ÿ
zT œZT
pYt|Xt,Zt(yt|xt, zt)
pXt|H(xt|h)pZt(zt)Ÿ
jœT ,j ”=t
púYj |Xj ,Zj
(yj |xj , zj)pXj |H(xj |h)pZj (zj)
Z^
\ Ø 0
(4.12)
Therefore, the subset Pút (�i) is defined by a set of linear constraints of
pYt|Xt,Zt. When pYt|Xt,Zt
œ Pút (�i), �ú = �i and the objective “ú(pYt|Xt,Zt
, {púYj |Xj ,Zj
}jœ(T \{t})
)reduces to the linear objective “ú(pYt|Xt,Zt
, {púYj |Xj ,Zj
}jœ(T \{t})
, �i) of pYt|Xt,Zt
as
“ú(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
, �i)
=ÿ
yT œYT
ÿ
hœHr(�i(yT ), h)pH(h)
Iÿ
xT œX T
ÿ
zT œZT
pYt|Xt,Zt(yt|xt, zt)
pXt|H(xt|h)pZt(zt)
Ÿ
jœT ,j ”=t
púYj |Xj ,Zj
(yj |xj , zj)pXj |H(xj |h)pZj(zj)
Z^
\
(4.13)
Now, we have decomposed the objective in (4.9) to a set of linear objec-tives. Given the linear objective function and the linear constraint, it will bemuch easier to do the optimization by linear programming. The optimal controlstrategy can be obtained as follows:
púYt|Xt,Zt
= max1ÆiÆl
Y]
[
argmaxpYt|Xt,Zt
œPút (�i)
“ú(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
, �i)
s.t. ◊(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
) Ø ⁄
Z^
\ .(4.14)
20
The optimization problem (4.14) means that the candidates for púYt|Xt,Zt
canbe restricted to {pú
Yt|Xt,Zt(�i)}1ÆiÆl where pú
Yt|Xt,Zt(�i) denotes an optimal so-
lution of an inner optimization problem. Any inner optimization in (4.14) is alinear programming problem since the objective and constraints are both linearfunctions of pYt|Xt,Zt
. Therefore, an optimal candidate púYt|Xt,Zt
(�i) is su�cientto be in the linear constraints intersection set of the inner optimization prob-lem which consists of the intersections of di�erent linear inequality constraintboundary hyperplanes with all linear equality constraint hyperplanes. More de-tails about the linear constraints are provided in Appendix A.
21
4.3.4 Person-by-Person Optimization Algorithm
Following the previous analysis, we propose a person-by-person optimization al-gorithm to design the optimal energy flow control strategy {pú
Yt|Xt,Zt}tœT . De-
note a person-by-person optimal control strategy in the time slot t by p�
Yt|Xt,Zt.
Given {p�
Yj |Xj ,Zj}jœ(T \{t})
, define Pt({p�
Yj |Xj ,Zj}jœ(T \{t})
, �i) and “ú(pYt|Xt,Zt, {p�
Yj |Xj ,Zj}jœ(T \{t})
, �i)similarly as (4.11) and (4.13) respectively. For each step in the person-by-personoptimization, fix {p�
Yj |Xj ,Zj}jœ(T \{t})
and update p�
Yt|Xt,Ztby solving the linear
programmings as follows:
p�
Yt|Xt,Zt= max
1ÆiÆlY_]
_[
argmaxpYt|Xt,Zt
œPt({p�Yj |Xj ,Zj
}jœ(T \{t}),�i)
“ú(pYt|Xt,Zt, {p�
Yj |Xj ,Zj}jœ(T \{t})
, �i)
s.t. ◊(pYt|Xt,Zt, {p�
Yj |Xj ,Zj}jœ(T \{t})
) Ø ⁄
Z_
_\.
(4.15)
The proposed person-by-person optimization always converges since thereexists an upper bound on the privacy metric “ú as shown in (4.5) and “ú is notdecreased in each step. So we can set a convergence condition for ending the sim-ulation. The convergence condition is that the di�erence between the optimalvalues obtained from two successive rounds of simulation is not larger than 0.01.
Note that the person-by-person optimization only leads to the local optimalcontrol strategy depending on the initial settings. In the proposed Algorithm 1,the person-by-person optimization is operated under a large number of initialsettings to approach the global optimal control strategy.
Algorithm 1 Person-by-Person Optimization Algorithm
Input: initial settings {{p�,vYt|Xt,Zt
}tœT }vœ{1,...,e} where e is a large number1: set a convergence condition2: v Ω 13: while v Æ e do4: while convergence condition is not satisfied do5: for t œ T do6: update p�,v
Yt|Xt,Ztfollowing (4.15)
7: end for8: end while9: v Ω v + 1
10: end whileOutput: {pú
Yt|Xt,Zt}tœT Ω {p�,v
Yt|Xt,Zt}tœT which maximizes the privacy metric
“ú
22
4.4 Optimal Flow Control Based on Accumu-lated Information
In the formulated problem in Section 4.3, the control unit is assumed to alwaysdetermine a random energy supply Yt based on the instantaneous energy de-mand and supply xt and zt only. Here, we consider a more powerful controlunit to determine the random energy supply from the energy provider basedon the accumulated available information, i.e., the control strategy at t œ T ischaracterized by the conditional p.m.f. pYt|Xt,Zt,Y t≠1 .
4.4.1 Bayesian Hypothesis Detection Model for PrivacyLeakage
We use the same metrics “ú, ◊, and solve the same structure (4.7) for the opti-mal energy control strategy {pú
Yt|Xt,Zt,Y t≠1}tœT .
The Bayesian hypothesis detection model is still used for this problem. Fol-lowing the previous studies, The Bayesian risk of the adversary is evaluatedas:
“ =ÿ
(
ˆh,h)œH2
r(h, h)pˆH,H(h, h)
=ÿ
(
ˆh,h)œH2
ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
r(h, h)pˆH,H,XT ,Y T ,ZT (h, h, xT , yT , zT )
=ÿ
(
ˆh,h)œH2
ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
r(h, h)pˆH|Y T (h|yT )pY T |XT ,ZT (yT |xT , zT )
pXT |H(xT |h)pZT (zT )pH(h)
=ÿ
(
ˆh,h)œH2
ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
r(h, h)pˆH|Y T (h|yT )pH(h)
Ÿ
tœTpYt|Xt,Zt,Y t≠1(yt|xt, zt, yt≠1)pXt|H(xt|h)pZt|H(zt|h)
(4.16)
Compared with (4.1), we can find that the setting of control based on theaccumulated information only leads to a di�erent energy control strategy. In thiscase, the Bayesian risk of the adversary “ is a function of the decision strategyof the adversary p
ˆH|Y T and the energy control strategy {pYt|Xt,Zt,Y t≠1}tœT . So
23
according to the previous studies, we can get the optimal decision strategy andthe achievable minimal Bayesian risk of the adversary as follows:
�ú(yT , {pYt|Xt,Y t≠1,Zt}tœT )
= arg minˆhœH
Y______]
______[
ÿ
hœHr(h, h)pH(h)
ÿ
xT œX T
ÿ
zT œZT
Ÿ
tœTpYt|Xt,Y t≠1,Zt(yt|xt, yt≠1, zt)pXt|H(xt|h)pZt
(zt)
¸ ˚˙ ˝likelihood: pY T |H (yT |h)
Z______
______\
(4.17)
“ú({pYt|Xt,Y t≠1,Zt}tœT )
=ÿ
yT œYT
minˆhœH
Iÿ
hœHr(h, h)pH(h)
ÿ
xT œX T
ÿ
zT œZT
Ÿ
tœTpYt|Xt,Y t≠1,Zt(yt|xt, yt≠1, zt)pXt|H(xt|h)pZt(zt)
J
(4.18)
Note that the upper bound shown in (4.5) also holds for the metric “ú here.
4.4.2 UtilitiesUsing the same method and same smart grid settings, we still assume ct denotesthe cost per unit energy supply in a time slot t œ T . The expected energy cost-saving for control based on accumulated information is evaluated as follow:
◊ =ÿ
xT œX T
ÿ
yT œYT
pXT ,Y T (xT , yT )ÿ
tœTct(xt ≠ yt)
=ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
ÿ
hœHpXT ,Y T ,ZT ,H(xT , yT , zT , h)
ÿ
tœTct(xt ≠ yt)
=ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
ÿ
hœHpY T |XT ,ZT (yT |xT , zT )pXT |H(xT |h)pZT (zT )pH(h)
ÿ
tœTct(xt ≠ yt)
=ÿ
xT œX T
ÿ
yT œYT
ÿ
zT œZT
ÿ
hœHpH(h)
Y]
[Ÿ
jœTpYj |Xj ,Zj ,Y j≠1(yj |xj , zj , yj≠1)pXj |H(xj |h)pZj
(zj)
Z^
\ÿ
tœTct(xt ≠ yt)
(4.19)
Here, it is discovered that ◊ now is a function of {pYt|Xt,Y t≠1,Zt}tœT as ◊({pYt|Xt,Y t≠1,Zt}tœT ).
24
4.4.3 Problem Formulation and Algorithm DesignWe have obtained the privacy metric “ú and expected energy cost-saving ◊. Theyare functions regarding to control strategy {pYt|Xt,Y t≠1,Zt}tœT . Obviously, wecan use the results of previous studies directly. The problem of optimizingcontrol strategy based on accumulated information is formulated as:
{púYt|Xt,Y t≠1,Zt}tœT = argmax
pYt|Xt,Y t≠1,Zt œPt,’tœT“ú({pYt|Xt,Y t≠1,Zt}tœT )
s.t. ◊({pYt|Xt,Y t≠1,Zt}tœT ) Ø ⁄
(4.20)
where ⁄ is the lower bound constraint on the expected cost-saving and a Pt isa set of {pYt|Xt,Y t≠1,Zt}tœT defined as
Pt =
Y___]
___[pYt|Xt,Y t≠1,Zt :
pYt|Xt,Y t≠1,Zt(yt|xt, yt≠1, zt) Ø 0, ’(xt, yt, zt)pYt|Xt,Y t≠1,Zt(yt|xt, yt≠1, zt) = 0, if xt > yt + ztÿ
ytœYpYt|Xt,Y t≠1,Zt(yt|xt, yt≠1, zt) = 1, ’(xt, yt≠1, zt)
Z___
___\.
(4.21)
Similarly, using the person-by-person optimality introduced in Section 3, theobjective “ú({pYt|Xt,Y t≠1,Zt}tœT ) of (4.20) can be further expanded as:
“ú(pYt|Xt,Y t≠1,Zt , {púYj |Xj ,Y j≠1,Zj }jœ(T \{t})
)
=ÿ
yT œYT
minˆhœH
Iÿ
hœHr(h, h)pH(h)
ÿ
xT œX T
ÿ
zT œZT
pYt|Xt,Y t≠1,Zt(yt|xt, yt≠1, zt)
pXt|H(xt|h)pZt(zt)
Ÿ
jœT ,j ”=t
púYj |Xj ,Y j≠1,Zj (yj |xj , yj≠1, zj)pXj |H(xj |h)pZj
(zj)
Z^
\
(4.22)
There exists di�erent formulations for (4.22) depending on the optimal deci-sion strategy �ú of the adversary, which further depends on the energy controlstrategy pYt|Xt,Y t≠1,Zt . Similarly, �ú is still a deterministic strategy as shown in(4.17). Therefore, a feasible control strategy subset Pú
t (�i) is defined in (4.23):
25
Pút (�i) =
Y___________]
___________[
pYt|Xt,Y t≠1,Zt œ Pt :’yT œ YT and ’h œ H,
ÿ
hœH(r(h, h) ≠ r(�i(yT ), h))pH(h)
Iÿ
xT œX T
ÿ
zT œZT
pYt|Xt,Y t≠1,Zt(yt|xt, yt≠1, zt)
pXt|H(xt|h)pZt(zt)
Ÿ
jœT ,j ”=t
púYj |Xj ,Y j≠1,Zj (yj |xj , yj≠1, zj)pXj |H(xj |h)pZj
(zj)
Z^
\ Ø 0
Z___________
___________\
(4.23)
The subset Pút (�i) is defined by a set of linear constraints of pYt|Xt,Y t≠1,Zt .
Therefore, when pYt|Xt,Y t≠1,Zt œ Pút (�i), �ú = �i, the objective “ú(pYt|Xt,Y t≠1,Zt , {pú
Yj |Xj ,Y j≠1,Zj }jœ(T \{t})
)reduces to the linear objective “ú(pYt|Xt,Y t≠1,Zt , {pú
Yj |Xj ,Y j≠1,Zj }jœ(T \{t})
, �i).In this case, we reduce the complex optimization problem in (4.22) to a set oflinear programmings as:
“ú(pYt|Xt,Y t≠1,Zt , {púYj |Xj ,Y j≠1,Zj }jœ(T \{t})
, �i)
=ÿ
yT œYT
ÿ
hœHr(�i(yT ), h))pH(h)
Iÿ
xT œX T
ÿ
zT œZT
pYt|Xt,Y t≠1,Zt(yt|xt, yt≠1, zt)
pXt|H(xt|h)pZt(zt)
Ÿ
jœT ,j ”=t
púYj |Xj ,Y j≠1,Zj (yj |xj , yj≠1, zj)pXj |H(xj |h)pZj
(zj)
Z^
\
(4.24)
Finally, similar with (4.14), the optimal control strategy based on accumulatedinformation can be obtained as follows:
púYt|Xt,Y t≠1,Zt = max
1ÆiÆlY]
[
argmaxpYt|Xt,Y t≠1,Zt œPú
t (�i)
“ú(pYt|Xt,Y t≠1,Zt , {púYj |Xj ,Y j≠1,Zj }jœ(T \{t})
, �i)
s.t. ◊(pYt|Xt,Y t≠1,Zt , {púYj |Xj ,Y j≠1,Zj }jœ(T \{t})
) Ø ⁄
Z^
\ .
(4.25)
A similar person-by-person optimization algorithm to design the optimal en-ergy flow control strategy {pú
Yt|Xt,Y t≠1,Zt}tœT is proposed in Algorithm 2. Basedon (4.25), denote a person-by-person optimal control strategy in the time slot tby p�
Yt|Xt,Y t≠1,Zt . Given {p�
Yj |Xj ,Y j≠1,Zj }jœ(T \{t})
, define Pt({p�
Yj |Xj ,Y j≠1,Zj }jœ(T \{t})
, �i)and “ú(pYt|Xt,Y t≠1,Zt , {p�
Yj |Xj ,Y j≠1,Zj }jœ(T \{t})
, �i) according to (4.23) and (4.24)respectively. For each step in the person-by-person optimization, fix {p�
Yj |Xj ,Y j≠1,Zj }jœ(T \{t})
and update p�
Yt|Xt,Y t≠1,Zt by solving the linear programmings as follows:
26
p�
Yt|Xt,Y t≠1,Zt = max1ÆiÆl
Y_]
_[
argmaxpYt|Xt,Y t≠1,Zt œPt({p�
Yj |Xj ,Y j≠1,Zj}jœ(T \{t}),�i)
“ú(pYt|Xt,Y t≠1,Zt , {p�
Yj |Xj ,Y j≠1,Zj }jœ(T \{t})
, �i)
s.t. ◊(pYt|Xt,Y t≠1,Zt , {p�
Yj |Xj ,Y j≠1,Zj }jœ(T \{t})
) Ø ⁄
Z_
_\.
(4.26)
Note for each time slot, the accumulated information is di�erent. Therefore,di�erent from the control based on instantaneous information, control strategybased on accumulated information will have di�erent formulations for di�erenttime slots, which should be noticed in the simulation. More details about it willbe given in Chapter 5.
Algorithm 2 Person-by-Person Optimization Algorithm
Input: initial settings {{p�,vYt|Xt,Y t≠1,Zt}tœT }vœ{1,...,e} where e is a large number
1: set a convergence condition2: v Ω 13: while v Æ e do4: while convergence condition is not satisfied do5: for t œ T do6: update p�,v
Yt|Xt,Y t≠1,Zt following (4.26)7: end for8: end while9: v Ω v + 1
10: end whileOutput: {pú
Yt|Xt,Y t≠1,Zt}tœT Ω {p�,vYt|Xt,Y t≠1,Zt}tœT which maximizes the pri-
vacy metric “ú
27
Chapter 5
Simple Case Study
In this chapter, the optimal energy flow control designs with privacy-cost trade-o� will be shown for a simple case. First, di�erent energy flow control matricesbased on instantaneous information and accumulated information will be dis-cussed. Then, a detailed explanation for the implementation of the person-by-person optimization algorithm for these two designs will be given. In the nu-merical result section, the privacy-cost trade-o� for both design is shown. Theprivacy enhancement by introducing the proposed privacy-preserving mecha-nism is also testified.
5.1 Simple Case SettingsWe consider the system model shown in Figure 3.1 with a binary behaviourhypothesis H of the consumer and a binary decision H made by the adversaryduring a 2-slot time period T = {1, 2}. H and H are both defined on the do-main H = {h
1
, h2
}. Here, we are interested in suppressing the privacy risk bymaximizing the probability of error of the adversary. Out of our own privacy-preserving design interests, the detection costs of the adversary are assigned as
r(h1
, h1
) = r(h2
, h2
) = 0
r(h1
, h2
) = r(h2
, h1
) = 1
such that the minimal Bayesian risk “ú reduces to the minimal probability oferror of the informed and greedy adversary.
The energy demand and energy supplies Xt, Zt and Yt are assumed to havetwo states as X = {3.5, 4} (kWh), Z = {2, 2.5} (kWh) and Y = {1.5, 4} (kWh).It is obvious that there exist energy flow control strategies which can alwaysmeet the instantaneous energy demand. We use randomly generated condi-tional p.m.f.s {pXt,Zt|H}tœT shown in Table 5.1. Considering the practical case,we use time of use (TOU) pricing in simulation. For the cost per unit energysupply in di�erent time slots, they are set as c
1
= 0.274e, c2
= 0.155e, follow-ing the study in [20].
28
Table 5.1: Settings of conditional p.m.f.s {pXt,Zt|H}tœ{1,2}
t=1 hx
1
,z1 (3.5,2) (4,2) (3.5,2.5) (4,2.5)
h1 0.02 0.48 0.025 0.475h2 0.29 0.21 0.27 0.23
t=2 hx
2
,z2 (3.5,2) (4,2) (3.5,2.5) (4,2.5)
h1 0.015 0.36 0.025 0.6h2 0.22 0.15 0.36 0.27
Based on Table 5.1, for simplicity of the following evaluations, denote {At}tœ{1,2}as the matrix of the conditional p.m.f.s {pXt,Zt|H}tœ{1,2} with h = h
1
. De-note {Bt}tœ{1,2} as the matrix of the conditional p.m.f.s {pXt,Zt|H}tœ{1,2} withh = h
2
. So we have {At}tœ{1,2} and {Bt}tœ{1,2} regarding to time slot 1 and 2as follows
A1
=#0.02 0.48 0.025 0.475
$
B1
=#0.29 0.21 0.27 0.23
$
A2
=#0.015 0.36 0.025 0.6
$
B2
=#0.22 0.15 0.36 0.27
$
In the following, we will denote a matrix by upper-case Latin or Greek letters.Let A
(i1,ik)(j1,jl)
stand for the sub-matrix of a given matrix A formed from rowsi1
, ..., ik and columns j1
, ..., jl from A. Let A(i1,ik)(ú)
or A(ú)(j1,jl)
stand for thesub-matrix of a given matrix A formed from rows i
1
, ..., ik and all columns orelse all rows and columns j
1
, ..., jl from A.
5.2 Control Based on Instantaneous Information5.2.1 Energy Flow Control MatrixWhen the control strategy is made based on instantaneous information, theenergy flow control strategy can be represented by an (m ◊ k) ◊ s matrix{�t}tœ{1,2}, i.e., {pYt|Xt,Zt
}tœ{1,2} = {�t}tœ{1,2} According to the simple casesettings, m = k = s = 2. So, the (2 ◊ 2) ◊ 2 energy flow control matrix{�t}tœ{1,2} based on instantaneous information is shown in Table 5.2. Notethat {�t}tœ{1,2} has the same formulation for each time slot.
Here, for simplicity, let {�t(ú)(1)
}tœ{1,2} represent the probabilities for theenergy control unit requesting yt = 1.5 (kWh) energy supply from the energyprovider on observing xt and zt. Similarly, let {�t(ú)(2)
}tœ{1,2} represent theprobabilities for the energy control unit requesting yt = 4 (kWh) energy supplyfrom the energy provider while observing xt and zt.
�t(ú)(1)
=
S
WWU
p(yt = 1.5|xt = 3.5, zt = 2)p(yt = 1.5|xt = 4, zt = 2)
p(yt = 1.5|xt = 3.5, zt = 2.5)p(yt = 1.5|xt = 4, zt = 2.5)
T
XXV
29
Table 5.2: Energy flow control matrix �t based on the instantaneous informationin time slot t œ {1, 2}
xt,zt
yt 1.5 4
(3.5,2) �t(ú)(1)
(1) �t(ú)(2)
(1)(4,2) �t(ú)(1)
(2) �t(ú)(2)
(2)(3.5,2.5) �t(ú)(1)
(3) �t(ú)(2)
(3)(4,2.5) �t(ú)(1)
(4) �t(ú)(2)
(4)
�t(ú)(2)
=
S
WWU
p(yt = 4|xt = 3.5, zt = 2)p(yt = 4|xt = 4, zt = 2)
p(yt = 4|xt = 3.5, zt = 2.5)p(yt = 4|xt = 4, zt = 2.5)
T
XXV
5.2.2 Implementation of Person-by-Person OptimizationAlgorithm
Here, assume we want to get the person-by-person optimal control strategyp�
Y1|X1,Z1(or ��
1
) for time slot 1. Given p�
Y2|X2,Z2(or ��
2
), denote the 4 combi-nations of observation y2 = [y
1
, y2
] as: a = [1.5, 1.5], b = [1.5, 4], c = [4, 1.5] andd = [4, 4], the objective in the person-by-person optimization problem (4.15)can be expanded as shown in (5.1). Note that {fl}l={a,b,c,d}, {gl}l={a,b,c,d} islinear functions with respect to �
1(ú)(1)
or �1(ú)(2)
. We simplify these terms tosimplify further analysis.
30
“ú(pY1|X1,Z1 , p�
Y2|X2,Z2 , �i)
=ÿ
y2œY2
ÿ
hœHr(�i(y2), h)pH(h)
Iÿ
x2œX 2
ÿ
z2œZ2
pY1|X1,Z1(y1
|x1
, z1
)
pX1,Z1|H(x1
, z1
|h)p�
Y2|X2,Z2(y2
|x2
, z2
)pX2,Z2|H(x2
, z2
|h)Ô
=r(�i(a), h1
) pH(h1
)A1
�1(ú)(1)
A2
��
2(ú)(1)¸ ˚˙ ˝fa
+r(�i(a), h2
) pH(h2
)B1
�1(ú)(1)
B2
��
2(ú)(1)¸ ˚˙ ˝ga
+ r(�i(b), h1
) pH(h1
)A1
�1(ú)(1)
A2
��
2(ú)(2)¸ ˚˙ ˝fb
+r(�i(b), h2
) pH(h2
)B1
�1(ú)(1)
B2
��
2(ú)(2)¸ ˚˙ ˝gb
+ r(�i(c), h1
) pH(h1
)A1
�1(ú)(2)
A2
��
2(ú)(1)¸ ˚˙ ˝fc
+r(�i(c), h2
) pH(h2
)B1
�1(ú)(2)
B2
��
2(ú)(1)¸ ˚˙ ˝gc
+ r(�i(d), h1
) pH(h1
)A1
�1(ú)(2)
A2
��
2(ú)(2)¸ ˚˙ ˝fd
+r(�i(d), h2
) pH(h2
)B1
�1(ú)(2)
B2
��
2(ú)(2)¸ ˚˙ ˝gd
(5.1)
According to the assigned detection costs of the adversary,when �i(y2) = h
1
:
r(�i(y2), h1
) = 0 and r(�i(y2), h2
) = 1
when �i(y2) = h2
:
r(�i(y2), h1
) = 1 and r(�i(y2), h2
) = 0
Therefore, the objective “ú shown in (5.1) is decomposed into 16 optimizationproblems each of which has a unique objective corresponding to a deterministicdecision strategy as the optimal strategy for the adversary. The feasible controlstrategy domain Pt is also decomposed into 16 corresponding subsets. Based onthe definition of a feasible control strategy subset shown in (4.11), Pú
t (�i)1ÆiÆ16
can be characterized for its corresponding objective formulation of (5.1).Based on above evaluations, the detailed implementation of one round person-
by-person optimization algorithm for obtaining the person-by-person optimalcontrol strategy p�
Y1|X1,Z1(or ��
1
) in time slot 1 according to optimization prob-lem (4.15) is given in Table 5.3 and Table 5.4. After ��
1
is obtained, it will befixed to get person-by-person optimal energy flow control matrix ��
2
for timeslot 2 in the same way.
31
Table 5.3: Implementation of person-by-person optimization algorithm for con-trol based on instantaneous information (to be continued in Table 5.4)
Commonconstraintboundary
i Objectiveformulation Pú
t (�i)Optimalvalue “�
{i}
Optimalmatrix ��
1{i}Person-by-personoptimal
◊ Ø ⁄
�1
œ Pt
1 fa + fb + fc + fd
fa Æ ga
fb Æ gb
fc Æ gc
fd Æ gd
“�
{1} ��
1{1}“� = max
1ÆiÆ16
“�
{i}
��
1
= ��
1{arg max
1ÆiÆ16“�
{i}}2 fa + fb + fc + gd
fa Æ ga
fb Æ gb
fc Æ gc
fd Ø gd
“�
{2} ��
1{2}
3 fa + fb + gc + fd
fa Æ ga
fb Æ gb
fc Ø gc
fd Æ gd
“�
{3} ��
1{3}
4 fa + gb + fc + fd
fa Æ ga
fb Ø gb
fc Æ gc
fd Æ gd
“�
{4} ��
1{4}
5 ga + fb + fc + fd
fa Ø ga
fb Æ gb
fc Æ gc
fd Æ gd
“�
{5} ��
1{5}
6 fa + fb + gc + gd
fa Æ ga
fb Æ gb
fc Ø gc
fd Ø gd
“�
{6} ��
1{6}
7 fa + gb + fc + gd
fa Æ ga
fb Ø gb
fc Æ gc
fd Ø gd
“�
{7} ��
1{7}
8 ga + fb + fc + gd
fa Ø ga
fb Æ gb
fc Æ gc
fd Ø gd
“�
{8} ��
1{8}
“
�{i}: the optimal value “ for i
thobjective formulation
�
�1{i}: the optimal energy flow control matrix �1 for i
thobjective formulation
32
Table 5.4: Implementation of person-by-person optimization algorithm for con-trol based on instantaneous information (continued from Table 5.3)
Commonconstraintboundary
i Objectiveformulation Pú
t (�i)Optimalvalue “�
{i}
Optimalmatrix ��
1{i}Person-by-personoptimal
◊ Ø ⁄
�1
œ Pt
9 fa + gb + gc + fd
fa Æ ga
fb Ø gb
fc Ø gc
fd Æ gd
“�
{9} ��
1{9}“� = max
1ÆiÆ16
“�
{i}
��
1
= ��
1{arg max
1ÆiÆ16“�
{i}}10 ga + fb + gc + fd
fa Ø ga
fb Æ gb
fc Ø gc
fd Æ gd
“�
{10} ��
1{10}
11 ga + gb + fc + fd
fa Ø ga
fb Ø gb
fc Æ gc
fd Æ gd
“�
{11} ��
1{11}
12 fa + gb + gc + gd
fa Æ ga
fb Ø gb
fc Ø gc
fd Ø gd
“�
{12} ��
1{12}
13 ga + fb + gc + gd
fa Ø ga
fb Æ gb
fc Ø gc
fd Ø gd
“�
{13} ��
1{13}
14 ga + gb + gc + fd
fa Ø ga
fb Ø gb
fc Ø gc
fd Æ gd
“�
{14} ��
1{14}
15 ga + gb + fc + gd
fa Ø ga
fb Ø gb
fc Æ gc
fd Ø gd
“�
{15} ��
1{15}
16 ga + gb + gc + gd
fa Ø ga
fb Ø gb
fc Ø gc
fd Ø gd
“�
{16} ��
1{16}
“
�{i}: the optimal value “ for i
thobjective formulation
�
�1{i}: the optimal energy flow control matrix �1 for i
thobjective formulation
33
5.3 Control Based on Accumulated Information5.3.1 Energy Flow Control MatrixWhen the control strategy is made based on accumulated information, the en-ergy flow control strategy in time slot 1 can still be represented as an (m◊k)◊smatrix �
1
, i.e., pY1|X1,Z1 = �1
. Since there is no other available accumulatedinformation except for the instantaneous information in time slot 1. �
1
basedon accumulated information has the same formulation as shown in Table 5.2.However, in time slot 2, the control unit can use the accumulated informationin time slot 1 together with the instantaneous information in time slot 2 todetermine the instantaneous energy supply. So the energy flow control strategyin time slot 2 is represented as an (m ◊ k) ◊ (m ◊ k ◊ s ◊ s) matrix �
2
, i.e.,pY2|X2,Z2,Y 1 = �
2
. �T2
is shown in Table 5.5.It is clear to see from Table 5.5 that the control unit utilizes energy demands
x1
, x2
and energy supplies from alternative energy source z1
, z2
in both timeslot 1 and time slot 2. The energy supply from the energy provider y
1
in timeslot 1 is also taken into account by the control unit while determining energysupply y
2
in time slot 2.
5.3.2 Implementation of Person-by-Person OptimizationAlgorithm
Based on the evaluations for control based on instantaneous information, sim-ilarly, the person-by-person optimization problem shown in (4.26) also has 16di�erent objective formulations, each of them corresponding to a deterministicdecision strategy as the optimal strategy for the adversary. So the same imple-mentation of person-by-person optimization algorithm given in Table 5.3 andTable 5.4 is also available for optimizing the control strategy based on accu-mulated information. The only di�erence concerned here is that the changedformation of energy flow control matrix �
2
in time slot 2.
34
Table 5.5: Energy flow control matrix �2
based on the accumulated informationin time slot 2
y2 x
1
, z1
y1
x2
z2 xa,za xb,za xa,zb xb,zb
ya
xa, za
yap(ya|[xa, xa], [za, za], ya) p(ya|[xa, xb], [za, za], ya) p(ya|[xa, xa], [za, zb], ya) p(ya|[xa, xb], [za, zb], ya)
xb, za
yap(ya|[xb, xa], [za, za], ya) p(ya|[xb, xb], [za, za], ya) p(ya|[xb, xa], [za, zb], ya) p(ya|[xb, xb], [za, zb], ya)
xa, zb
yap(ya|[xa, xa], [zb, za], ya) p(ya|[xa, xb], [zb, za], ya) p(ya|[xa, xa], [zb, zb], ya) p(ya|[xa, xb], [zb, zb], ya)
xb, zb
yap(ya|[xb, xa], [zb, za], ya) p(ya|[xb, xb], [zb, za], ya) p(ya|[xb, xa], [zb, zb], ya) p(ya|[xb, xb], [zb, zb], ya)
xa, za
ybp(ya|[xa, xa], [za, za], yb) p(ya|[xa, xb], [za, za], yb) p(ya|[xa, xa], [za, zb], yb) p(ya|[xa, xb], [za, zb], yb)
xb, za
ybp(ya|[xb, xa], [za, za], yb) p(ya|[xb, xb], [za, za], yb) p(ya|[xb, xa], [za, zb], yb) p(ya|[xb, xb], [za, zb], yb)
xa, zb
ybp(ya|[xa, xa], [zb, za], yb) p(ya|[xa, xb], [zb, za], yb) p(ya|[xa, xa], [zb, zb], yb) p(ya|[xa, xb], [zb, zb], yb)
xb, zb
ybp(ya|[xb, xa], [zb, za], yb) p(ya|[xb, xb], [zb, za], yb) p(ya|[xb, xa], [zb, zb], yb) p(ya|[xb, xb], [zb, zb], yb)
yb
xa, za
yap(yb|[xa, xa], [za, za], ya) p(yb|[xa, xb], [za, za], ya) p(yb|[xa, xa], [za, zb], ya) p(yb|[xa, xb], [za, zb], ya)
xb, za
yap(yb|[xb, xa], [za, za], ya) p(yb|[xb, xb], [za, za], ya) p(yb|[xb, xa], [za, zb], ya) p(yb|[xb, xb], [za, zb], ya)
xa, zb
yap(yb|[xa, xa], [zb, za], ya) p(yb|[xa, xb], [zb, za], ya) p(yb|[xa, xa], [zb, zb], ya) p(yb|[xa, xb], [zb, zb], ya)
xb, zb
yap(yb|[xb, xa], [zb, za], ya) p(yb|[xb, xb], [zb, za], ya) p(yb|[xb, xa], [zb, zb], ya) p(yb|[xb, xb], [zb, zb], ya)
xa, za
ybp(yb|[xa, xa], [za, za], yb) p(yb|[xa, xb], [za, za], yb) p(yb|[xa, xa], [za, zb], yb) p(yb|[xa, xb], [za, zb], yb)
xb, za
ybp(yb|[xb, xa], [za, za], yb) p(yb|[xb, xb], [za, za], yb) p(yb|[xb, xa], [za, zb], yb) p(yb|[xb, xb], [za, zb], yb)
xa, zb
ybp(yb|[xa, xa], [zb, za], yb) p(yb|[xa, xb], [zb, za], yb) p(yb|[xa, xa], [zb, zb], yb) p(yb|[xa, xb], [zb, zb], yb)
xb, zb
ybp(yb|[xb, xa], [zb, za], yb) p(yb|[xb, xb], [zb, za], yb) p(yb|[xb, xa], [zb, zb], yb) p(yb|[xb, xb], [zb, zb], yb)
({ya = 1.5, yb = 4, xa = 3.5, xb = 4, za = 2, zb = 2.5}(kWh))
35
Figure 5.1: Smart grid model without privacy-preserving schemes.
5.4 Model Without Privacy-Preserving SchemeTo testify the privacy enhancement introduced by the studied privacy-preservingscheme (control unit and alternative energy source), we consider a simple smartgrid model shown in Figure 5.1.
In this model, there is no control unit and alternative energy source. Theadversary can access to the exact energy consumption data of consumer throughthe smart meter readings, i.e., Y T = XT . The complete consumer’s energydemand profile is exposed to the adversary. Based on previous studies, we havethe Bayesian risk of the adversary in this model as
“ =(r(h1
, h1
) ≠ r(h2
, h1
))pH(h1
)ÿ
xT œX T
pH|XT (h1
|xT )Ÿ
tœTpXt|H(xt|h1
)
+(r(h2
, h2
) ≠ r(h1
, h2
))pH(h2
)ÿ
xT œX T
pH|XT (h2
|xT )Ÿ
tœTpXt|H(xt|h2
)
+r(h1
, h2
)pH(h2
) + r(h2
, h1
)pH(h1
)
(5.2)
The achievable minimal Bayesian risk of the adversary in this model is
“ú =ÿ
xT œX T
minˆhœH
Y_____]
_____[
ÿ
hœHr(h, h)pH(h)
ÿ
xT œX T
Ÿ
tœTpXt|H(xt|h)
¸ ˚˙ ˝likelihood: pXT |H (xT |h)
Z_____
_____\
=ÿ
xT œX T
;min
Ó(r(h
1
, h1
) ≠ r(h2
, h1
))pH(h1
)Ÿ
tœTpXt|H(xt|h1
);
(r(h2
, h2
) ≠ r(h1
, h2
))pH(h2
)Ÿ
tœTpXt|H(xt|h2
)Ô<
+ r(h1
, h2
)pH(h2
) + r(h2
, h1
)pH(h1
)
(5.3)
36
5.5 Numerical Results
5.5.1 Privacy-Cost Trade-O�In this subsection, we show the optimal energy flow control designs with privacy-cost trade-o� for the proposed simple case. Equal prior probabilities of hypoth-esis realizations are set as pH(h
1
)=pH(h2
)=0.5. Note the introduced upperbound on “ú in Chapter 4, Section 4.1. Following the settings here, the privacymetric satisfies “ú Æ min(pH(h
1
), pH(h2
)) = 0.5.
Two kinds of optimal energy flow control strategies: Design 1. {púYt|Xt,Zt
}tœTand Design 2. {pú
Yt|Xt,Zt,Y t≠1}tœT are obtained by using person-by-person op-timization algorithm. The simulation result is shown in Figure 5.2.
Each dashed line shows how the privacy risk changes against increasing ex-pected energy cost-saving constraints. Blue dashed line corresponds to the op-timal design 1. {pú
Yt|Xt,Zt}tœT . Red dashed line corresponds to the optimal
design 2. {púYt|Xt,Zt,Y t≠1}tœT . There is a common characteristic for each of
the dashed line: three segments can be identified depending on di�erent rangesof cost-saving threshold ⁄. In the flat segment, when ⁄ is below a threshold,“ú = 0.5. It implies that the consumer can achieve some cost-savings while thesmart meter readings are completely useless for the adversary. Since the privacymetric achieves the maximum, the privacy-preserving performance is the bestin this range. In the trade-o� segment, the minimal probability of error “ú getssmaller with the increase of the expected energy cost-saving constraint ⁄. Itindicates that more savings on energy cost will lead to a worse performance onpreserving the privacy of the consumer. When ⁄ is larger than another specificthreshold, there is no feasible energy control strategy which can satisfy the ex-pected cost-saving constraints.
Comparing blue dashed line corresponding to the optimal design 1{púYt|Xt,Zt
}tœTwith red dashed line corresponding to the optimal design 2 {pú
Yt|Xt,Zt,Y t≠1}tœT ,it is obvious to find that the flat segment of red dashed line is longer than bluedashed line. And the red dashed line is always above or equal to the blue dashedline. It implies that optimal design 2 has a larger feasible range of ⁄. The con-sumer can save more money on energy cost without increased risk of privacyleakage. The better performance is achieved due to more information availableto the control unit since accumulated information is used for determining anoptimal energy flow control strategy.
37
0 0.1 0.2 0.3 0.4 0.5 0.60.3
0.35
0.4
0.45
0.5
0.55
λ
γ*
optimal design 1optimal design 2
0.7
Figure 5.2: Privacy-cost trade-o�s for the optimal energy control designs{pú
Yt|Xt,Zt}tœT and {pú
Yt|Xt,Zt,Y t≠1}tœT .
38
0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5
pH(h
1)
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0.45
0.5
γ*
Case 1
Case 3
Figure 5.3: Enhancement of privacy-preserving performance of model with con-trol based on instantaneous information with ⁄ = 0.15.
5.5.2 Privacy EnhancementHere, based on the simple case settings, we show the enhancement of the privacy-preserving performance by comparing the achievable minimal Bayesian riskof the adversary considering the model with and without privacy-preservingschemes.
Note that we denote the model with control based on instantaneous infor-mation as Case1, the model with control based on accumulated information asCase2, and the model without privacy-preserving schemes as Case3.
For the smart grid model with privacy-preserving schemes, we fix the cost-saving threshold ⁄ for Case1 and Case2, respectively. According to Algorithm1 and Algorithm 2, the achievable minimal Bayesian risk of the adversary isobtained with respect to di�erent prior probabilities: pH(h
1
).
For Case3, according to (5.3), the minimal Bayesian risk of the adversary isalso calculated regarding to di�erent prior probabilities: pH(h
1
).
Figure 5.3 shows the privacy-preserving performances for Case1 and Case3.Here, we fix the cost-saving threshold ⁄ in Case1 to 0.15. It is obvious to findthat “ú of Case 1 is always larger than “ú of Case 3 and can be maximized tothe upper bound, i.e., “ú = min(pH(h
1
), pH(h2
)). It indicates that with theimplementation of optimal energy flow control strategy based on instantaneousinformation in the smart grid, the privacy-preserving performance is greatly im-proved.
39
0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5
pH(h
1)
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
γ*
Case 2
Case 3
Figure 5.4: Enhancement of privacy-preserving performance of model with con-trol based on accumulated information with ⁄ = 0.6.
Figure 5.4 shows the privacy-preserving performances for Case2 and Case3.Since it has been validated in Figure 5.2 that with the optimal energy controlstrategy based on accumulated information, the consumer can save more moneyon energy cost without increased risk of privacy leakage. Here, we increase ⁄ inCase2 to 0.6 and fix it to see how much the privacy-preserving performance canbe enhanced with more required savings on energy cost. From Figure 5.4, wefind that the minimal Bayesian risk “ú of Case2 cannot always be maximizedto the upper bound due to the privacy-cost trade-o�. However, it is still higherthan “ú of Case3. It indicates that even with more energy cost-savings, ourprivacy-preserving scheme can still obtain an acceptable privacy enhancement.
Based on these results, we can conclude that with the proposed energy flowcontrol strategies, we can greatly decrease the risk of privacy leakage of theconsumer introduced by the detection of smart meter readings in a smart grid.The privacy-preserving performance can be improved with less energy cost-saving. If more energy cost-saving are requested, less privacy enhancement willbe obtained.
40
Chapter 6
Conclusions and FutureWork
6.1 SummaryIn this thesis project, we focus on the smart meter privacy problem which ismodelled as an unauthorized detection on the privacy hypothesis and design anenergy flow control strategy to achieve a trade-o� between privacy leakage andexpected energy cost-saving.
This preliminary study of privacy leakage problem is based on a simplesmart grid model. In this model, the accumulated energy demands and suppliesduring time period T are discretized and reported for discrete time slots. Themodel consists of a consumer, an alternative energy source, an energy controlunit, a smart meter and an energy provider. The alternative energy source in-dependently generates random energy supplies to the consumer, which are freeof charge and enhance the privacy. The energy control unit adopts an energyflow control strategy {pYt|Xt,Zt
}tœT to request an energy supply from the en-ergy provider according to the optimal energy flow control strategy based onthe observations of the energy demand of the consumer and the energy sup-ply from the alternative energy source. The energy flow control strategy shouldguarantee that the instantaneous energy demand of the consumer can be alwayssatisfied. The smart meter records the energy supplies from the energy providerin each time slot. The privacy leakage is assumed to come from an unauthorizedutilization of the smart meter readings by a greedy and informed adversary toinfer on the private behaviour of the consumer.
To decrease the privacy leakage risk, we utilize the randomly generated al-ternative energy and design an optimal energy flow control strategy for thecontrol unit. In addition, we take into account the expected energy cost-savingintroduced by the free alternative energy source. It means the optimal energycontrol strategy is expected to achieve a privacy-cost trade-o� on the premiseof satisfying the instantaneous energy demands of the customer.
We formulate a Bayesian detection operational smart meter privacy model
41
and propose a privacy metric measuring the minimal Bayesian risk of a greedyand informed adversary. The designed optimal energy flow control strategyshould maximize the achievable minimal Bayesian risk of the adversary in orderto preserve the privacy of the consumer. At the same time, it should save theenergy cost above an acceptable constraint and also ensures the instantaneousenergy demand of the consumer. We identify that the di�cult problem to opti-mize the energy control strategy can be reduced to a set of linear programmingproblems. Based on the observations, a person-by-person optimization algo-rithm is proposed. With operating under a large number of initial settings, theoptimal control strategy which is most close to a global optimal control strategyis approached.
This problem is then extended to include a more powerful control unit basedon accumulated information. The setting of control based on accumulated in-formation leads to a di�erent energy flow control strategy {pYt|Xt,Zt,Y t≠1}tœT .With the same privacy leakage metric and cost-saving constraint, using a simi-lar person-by-person optimization algorithm. The optimization problem for thesetting of control based on accumulated information can be also reduced to aset of linear programming problems in each step.
Then, the privacy-cost trade-o� problem is evaluated for a simple case. Inthis simple case, we assume a simple smart grid model with a binary consumerbehaviour hypothesis during a 2-slot time period. Each of the energy demandand energy supplies is assumed to have two states. With these smart gridsettings, di�erent energy flow control matrices based on instantaneous informa-tion and accumulated information are discussed. A detailed explanation for theimplementation of the person-by-person optimization algorithm for these twodesigns is given. In the numerical results, we show the privacy-preserving per-formance of these two optimal energy control strategies with respect to di�erentcost-saving constraints. The privacy-cost trade-o� for both designs is shown.The results show that it is possible to realize the energy cost-savings and thebest privacy-preserving performance at the same time. The results also showthat the control unit based on accumulated information performs better. Theprivacy leakage regarding to di�erent prior probabilities for models with andwithout privacy-preserving schemes are also shown. There is an obvious pri-vacy enhancement introduced by the proposed privacy-preserving mechanism.
Most of the optimization problems are not convex. The complexity and costto solve this kind of problem is high. The person-by-person optimality proposedin this thesis o�ers a general approach for decreasing the complexity of solvingmany non-convex optimization problems. When modelling the smart grid, wedo quantization of the energy demands and supplies. It also o�ers an alternativeway for simplifying the energy flows in order to decrease the complexity of thesmart grid model.
Smart meter security has been a challenge in recent years. In order to carryout their functionality, smart meters should be networked to the energy suppli-ers. It indicates that anyone else connected to the same network can observeothers’ energy usage readings to infer on a consumer’s behaviour [2]. The privacybehaviours of the consumer will be exposed, such as certain religious customs or
42
the absence for holidays or an evening out. It violates human rights and leadsto several ethical problems. Considering the negative ethical impacts, thereis extensive opposition against the roll-out of smart meters. The Netherlandshad even stopped the compulsory roll-out of smart meters. The privacy-leakageproblem of the smart meter hinders the development of the smart grid alongwith many economical and environmental benefits such as energy and cost sav-ings. To protect consumer’s privacy, e�cient protection mechanism for privacy-sensitive energy consumption data should be proposed by our government inthe form of legislation. At the same time, privacy-preserving schemes are neces-sary to solve the privacy-leakage problem of the smart meter in order to ensurethe healthy development of smart grid. Only in this way, people can enjoy theeconomic benefits, social benefits and environmental benefits of the smart gridas much as possible.
6.2 Future WorkIn this thesis work, the optimal privacy-cost trade-o� in a smart grid is studied.It is validated by a simple smart grid model with randomly generated smartgrid settings, energy demands and supplies. In the future, we will validate itwith a more complex smart grid model and using real data collected from apractical smart grid for the smart grid settings, energy demands and supplies.In this complex model, the adversary can be uninformed. The smart meter canhave di�erent reporting periods. Besides the privacy-cost trade-o�, we will alsoconsider other trade-o� formulations, e.g., optimizing a weighted-sum objectiveof the two parameters.
43
AppendixA
Linear constraintsHere, the detailed explanation of the linear constraints for the optimizationproblem (4.14) is provided.
The union of linear constraint intersection sets of all inner linear program-ming problems in (4.14) results in the constraint intersection set Iú
t which con-sists of the following constraints boundary hyperplanes:
For the linear inequality constraints boundary hyperplanes, we have:
• Expected cost-saving constraint boundary hyperplane
◊(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
) Ø ⁄
• Non-negative energy control strategy p.m.f constraint boundary hyper-plane
pYt|Xt,Zt(yt|xt, zt) Ø 0
• Greedy detection constraint boundary hyperplane
r(�i(yT ), h))pH(h)I
ÿ
xT œX T
ÿ
zT œZT
pYt|Xt,Zt(yt|xt, zt)
pXt|H(xt|h)pZt(zt)
Ÿ
jœT ,j ”=t
púYj |Xj ,Zj
(yj |xj , zj)pXj |H(xj |h)pZj(zj)
Z^
\ Ø 0
For the linear equality constraints boundary hyperplanes, we have:
pYt|Xt,Zt(yt|xt, zt) = 0, if xt > yt + zt
ÿ
ytœYpYt|Xt,Zt
(yt|xt, zt) = 1, ’(xt, zt)
Combine all of the linear inequality and equality constraints boundary hyper-planes together, Iú
t is defined as (1) and púYt|Xt,Zt
œ Iút .
44
Iút =
Y___]
___[pYt|Xt,Zt
:
◊(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
) Ø ⁄
pYt|Xt,Zt(yt|xt, zt) = 0, if xt > yt + zt
ÿ
ytœYpYt|Xt,Zt
(yt|xt, zt) = 1, ’(xt, zt)
Z___
___\
€
xœX ,yœY,zœZ
Y___]
___[pYt|Xt,Zt
:
pYt|Xt,Zt(yt|xt, zt) Ø 0, ’(xt, yt, zt)
pYt|Xt,Zt(yt|xt, zt) = 0, if xt > yt + zt
ÿ
ytœYpYt|Xt,Zt
(yt|xt, zt) = 1, ’(xt, zt)
Z___
___\
€
yT œYT ,(ˆh,�i(yT))œH
Y____]
____[
pYt|Xt,Zt:
ft(pYt|Xt,Zt, {pú
Yj |Xj ,Zj}jœ(T \{t})
, h, �i(yT ), yT ) Ø 0pYt|Xt,Zt
(yt|xt, zt) = 0, if xt > yt + ztÿ
ytœYpYt|Xt,Zt
(yt|xt, zt) = 1, ’(xt, zt)
Z____
____\
(1)
45
Bibliography
[1] Cvx: Matlab software for disciplined convex programming. http://cvxr.
com/cvx/, 2015.
[2] Todd Baumeister. Literature review on smart grid cyber security. Col-laborative Software Development Laboratory at the University of Hawaii,2010.
[3] Jens-Matthias Bohli, Christoph Sorge, and Osman Ugus. A privacy modelfor smart metering. In Proceedings of Communications Workshops (ICC),2010 IEEE International Conference on, pages 1–5, 2010.
[4] Stephen Boyd and Lieven Vandenberghe. Convex Optimization. CambridgeUniversity Press, 2004.
[5] United States Federal Energy Regulatory Commission. Federal energy reg-ulatory commission assessment of demand response & advanced metering.
[6] Costas Efthymiou and Georgios Kalogridis. Smart grid privacy viaanonymization of smart metering data. In Proceedings of Smart Grid Com-munications (SmartGridComm) 2010, pages 238–243, October 2010.
[7] Z. Erkin, J. R. Troncoso-Pastoriza, R. L. Lagendijk, and F. Perez-Gonzalez.An overview of privacy-preserving data aggregation in smart metering sys-tems. Signal Processing Magazine, IEEE, 3, February 2013.
[8] Jesus Gomez-Vilardebo and Deniz Gunduz. Smart meter privacy for multi-ple users in the presence of an alternative energy source. Information Foren-sics and Security, IEEE Transactions on, 10(1):132–141, August 2014.
[9] Georgios Kalogridis, Costas Efthymiou, Stojan Z. Denic, Tim A. Lewis,and Rafael Cepeda. Privacy for smart meters: Towards undetectable ap-pliance load signatures. In Proceedings of Smart Grid Communications(SmartGridComm) 2010, pages 232–237, 2010.
[10] Georgios Kalogridis, Zhong Fan, and Sagar Basutkar. A�ordable privacyfor home smart meters. pages 77–84. Parallel and Distributed Processingwith Applications Workshops (ISPAW), 2011 Ninth IEEE InternationalSymposium on, May 2011.
[11] Younghun Kim, Edith C.-H. Ngai, and Mani B. Srivastava. Cooperativestate estimation for preserving privacy of user behaviors in smart grid.In Proceedings of Smart Grid Communications (SmartGridComm) 2011,pages 220–225, 2011.
46
[12] Fenjun Li, Bo Luo, and Peng Liu. Secure information aggregation for smartgrids using homomorphic encryption. In Proceedings of SmartGridComm2010, pages 327–332, 2010.
[13] Hsiao-Ying Lin, Shiuan-Tzuo Shen, and Bao-Shuh P. Lin. A privacy pre-serving smart metering system supporting multiple time granularities. InSoftware Security and Reliability Companion (SERE-C), 2012 IEEE SixthInternational Conference on, pages 119–126, 2012.
[14] Yilin Mo, Ti�any Hyun-Jin Kim, Kenneth Brancik, Dona Dickinson, HeejoLee, Adrian Perrig, and Bruno Sinopoli. Cyber-physical security of a smartgrid infrastructure. Proceedings of the IEEE, 100(1):195–209, January 2012.
[15] Andres Molina-Markham, Prashant Shenoy, Kevin Fu, Emmanuel Cecchet,and David Irwin. Private memoirs of a smart meter. In Proceedings of the2nd ACM Workshop on Embedded Sensing Systems for Energy-E�ciencyin Building, pages 61–66, 2010.
[16] D. G O. Tan and H. V. Poor. Increasing smart meter privacy throughenergy harvesting and storage devices. IEEE Journal on Selected Areas inCommunications, 31(7):1331–1341, 2013.
[17] I. Richardson, A. Thomson, D. Infield, and C. Cli�ord. Domestic electric-ity use: A high-resolution energy demand model. Energy and Buildings,42:1878–1887, 2010.
[18] L. Sankar, S. Kar, R. Tandon, and H.V. Poor. Competitive privacy in thesmart grid: An information-theoretic approach. In Proceedings of SmartGrid Communications (SmartGridComm) 2011, pages 220–225, 2011.
[19] Lalitha Sankar, S. Raj Rajagopalan, Soheil Mohajer, and H. Vincent Poor.Smart meter privacy: A theoretical framework. Smart Grid, IEEE Trans-actions on, 4:837–846, 2013.
[20] J. Schleich and M. Klobasa. How much shift in demand? findings from afield experiment in germany. In in Proceedings of ECEEE 2013 SummerStudy, pages 1919–1925, 2013.
[21] Pramod K. Varshney. Distributed Detection and Data Fusion. Springer,1996.
[22] Lei Yang, Xu Chen, Junshan Zhang, and H. Vincent Poor. Optimal privacy-preserving energy management for smart meters. In INFOCOM, 2014 Pro-ceedings IEEE, pages 513–521, 2014.
47
TRITA TRITA-EE 2016:025ISSN 1653-5146
www.kth.se
![THESIS TITLE A THESIS SUBMITTED TO THE MIDDLE EAST ...ii.metu.edu.tr/system/files/documents/thesis... · [SAMPLE 1] Approval of the thesis: THESIS TITLE Submitted by STUDENT NAME](https://img.pdfslide.net/doc/110x75/6019035f39977162fc4f0b03/thesis-title-a-thesis-submitted-to-the-middle-east-iimetuedutrsystemfilesdocumentsthesis.jpg)
![[ TYPE THESIS TITLE ]](https://img.pdfslide.net/doc/110x75/589ae8541a28abcd468bbadf/-type-thesis-title-.jpg)
