scan.json (29576B)
1 { 2 "paper": { 3 "title": "LESSON: Multi-Label Adversarial False Data Injection Attack for Deep Learning Locational Detection", 4 "authors": [ 5 "Jiwei Tian", 6 "Chao Shen", 7 "Buhong Wang", 8 "Xiaofang Xia", 9 "Meng Zhang", 10 "Chenhao Lin", 11 "Qian Li" 12 ], 13 "year": 2024, 14 "venue": "IEEE Transactions on Dependable and Secure Computing", 15 "arxiv_id": "2401.16001", 16 "doi": "10.1109/TDSC.2024.3353302" 17 }, 18 "checklist": { 19 "artifacts": { 20 "code_released": { 21 "applies": true, 22 "answer": false, 23 "justification": "No source code repository or URL is mentioned anywhere in the paper." 24 }, 25 "data_released": { 26 "applies": true, 27 "answer": true, 28 "justification": "The paper uses standard IEEE test systems (14-bus, 30-bus, 118-bus) available via Matpower [55], a publicly available toolbox. Data generation procedures are fully specified so datasets can be recreated." 29 }, 30 "environment_specified": { 31 "applies": true, 32 "answer": false, 33 "justification": "The paper mentions 'Pytorch is used to train the corresponding NAL models' but provides no version, dependency list, or environment specification." 34 }, 35 "reproduction_instructions": { 36 "applies": true, 37 "answer": false, 38 "justification": "No reproduction instructions, README, or scripts are provided. The mathematical formulation is given but no step-by-step implementation guide." 39 } 40 }, 41 "statistical_methodology": { 42 "confidence_intervals_or_error_bars": { 43 "applies": true, 44 "answer": false, 45 "justification": "All results (success rates Psuc, perturbation magnitudes ρc and ρa) are reported as point estimates without confidence intervals or error bars." 46 }, 47 "significance_tests": { 48 "applies": true, 49 "answer": false, 50 "justification": "The paper makes comparative claims (e.g., LESSON-1 easier than LESSON-4, larger systems more vulnerable) based solely on comparing raw success rate numbers without any statistical significance tests." 
51 }, 52 "effect_sizes_reported": { 53 "applies": true, 54 "answer": false, 55 "justification": "Raw success rates and perturbation magnitudes are reported, but no formal effect sizes comparing against baselines or across conditions. Differences between conditions are described qualitatively without standardized effect size measures." 56 }, 57 "sample_size_justified": { 58 "applies": true, 59 "answer": false, 60 "justification": "500 correctly-predicted samples are selected per scenario with no justification for this number. No power analysis is discussed." 61 }, 62 "variance_reported": { 63 "applies": true, 64 "answer": false, 65 "justification": "No variance, standard deviation, or spread measures are reported for any results. All metrics appear to be single-run aggregates." 66 } 67 }, 68 "evaluation_design": { 69 "baselines_included": { 70 "applies": true, 71 "answer": false, 72 "justification": "No prior multi-label adversarial attack methods are compared against. The paper claims to be the first in this area but does not compare against single-label AFDIA methods adapted to the multi-label setting or other potential baselines." 73 }, 74 "baselines_contemporary": { 75 "applies": true, 76 "answer": false, 77 "justification": "No baselines are included, so contemporariness cannot be assessed." 78 }, 79 "ablation_study": { 80 "applies": true, 81 "answer": true, 82 "justification": "The four LESSON variants (LESSON-1 through LESSON-4) systematically vary two objective dimensions, effectively serving as an ablation of objective constraints. Additional analyses vary learning rate (Figs. 5-7), FDIA scale (Fig. 3), and perturbation range (Fig. 8)." 83 }, 84 "multiple_metrics": { 85 "applies": true, 86 "answer": true, 87 "justification": "Three evaluation metrics are used: attack success rate (Psuc), average state variable perturbation magnitude (ρc, Eq. 19), and average measurement perturbation magnitude (ρa, Eq. 20)." 
88 }, 89 "human_evaluation": { 90 "applies": false, 91 "answer": false, 92 "justification": "Human evaluation is irrelevant for evaluating adversarial attack success rates against automated detection systems." 93 }, 94 "held_out_test_set": { 95 "applies": true, 96 "answer": true, 97 "justification": "Section IV-A: 'The entire dataset was then randomly divided at a 2:1 ratio, with 20,000 samples for training and 10,000 samples for testing.' The LESSON attacks are evaluated on correctly-predicted test samples." 98 }, 99 "per_category_breakdown": { 100 "applies": true, 101 "answer": true, 102 "justification": "Results are broken down by power system size (14-bus, 30-bus, 118-bus), FDIA attack scale (small, medium, large), LESSON attack type (1-4), and learning rate values. Figures 2-8 provide detailed breakdowns." 103 }, 104 "failure_cases_discussed": { 105 "applies": true, 106 "answer": true, 107 "justification": "Section IV-C discusses declining success rates with large FDIA scales (e.g., LESSON-2 on 14-bus dropping from 98.73% to 24.37%). Section IV-D discusses learning rates causing success rates to 'quickly decrease to 0.' The paper explicitly analyzes when and why attacks fail." 108 }, 109 "negative_results_reported": { 110 "applies": true, 111 "answer": true, 112 "justification": "Significant negative results are reported: large-scale FDIA attacks have much lower success rates (Fig. 3), excessive learning rates cause failure (Figs. 5-7), and reduced perturbation ranges lower success rates (Fig. 8)." 113 } 114 }, 115 "claims_and_evidence": { 116 "abstract_claims_supported": { 117 "applies": true, 118 "answer": true, 119 "justification": "The abstract claims 'effectiveness of the proposed attack framework, posing serious and pressing security concerns in smart grids,' which is supported by the experimental results showing high success rates, especially for the 118-bus system (100% for all four types at small scale)." 
120 }, 121 "causal_claims_justified": { 122 "applies": true, 123 "answer": true, 124 "justification": "Causal claims about factors affecting success rate (FDIA scale, learning rate, perturbation range, system size) are supported by controlled single-variable experiments. For example, Section IV-C systematically varies only the FDIA scale while holding other parameters constant." 125 }, 126 "generalization_bounded": { 127 "applies": true, 128 "answer": false, 129 "justification": "The paper claims 'serious and pressing security concerns in smart grids' but tests only on DC state estimation with synthetic data on three IEEE test systems. Footnote 1 acknowledges DC limitation ('we think that AC state estimation models are also likely to have similar flaws') but this is speculation. The title and abstract imply broader applicability than what is demonstrated." 130 }, 131 "alternative_explanations_discussed": { 132 "applies": true, 133 "answer": false, 134 "justification": "The paper does not consider alternative explanations for why attacks succeed. For example, the high success rate on 118-bus could be due to overfitting of the NAL model rather than inherent vulnerability. No robustness checks against different NAL architectures or training procedures are discussed." 135 }, 136 "proxy_outcome_distinction": { 137 "applies": true, 138 "answer": true, 139 "justification": "The paper directly measures attack success rate (whether adversarial perturbations bypass both BDD and NAL detection), which is exactly what it claims to measure. There is no proxy gap between the measurement and the claim." 140 } 141 }, 142 "setup_transparency": { 143 "model_versions_specified": { 144 "applies": true, 145 "answer": true, 146 "justification": "Table II provides complete CNN architectures for all three NAL models (14-bus, 30-bus, 118-bus), specifying every layer (convolution kernel sizes, BatchNorm, LeakyReLU, Flatten, FullyConnect, Sigmoid). 
The models are trained from scratch, not pre-trained." 147 }, 148 "prompts_provided": { 149 "applies": false, 150 "answer": false, 151 "justification": "No prompting is used. The paper works with CNN models for attack detection, not language models." 152 }, 153 "hyperparameters_reported": { 154 "applies": true, 155 "answer": true, 156 "justification": "Key hyperparameters are reported: Adam initial learning rates (0.0005-0.2), maximum iterations (500), state perturbation range µ (0.5 and 1 rad), noise standard deviation (2% of mean measurements), FDIA scale variances (ν²=0.02, 0.1, 0.5), train/test split ratio (2:1)." 157 }, 158 "scaffolding_described": { 159 "applies": false, 160 "answer": false, 161 "justification": "No agentic scaffolding is used. The approach is an optimization-based adversarial attack framework." 162 }, 163 "data_preprocessing_documented": { 164 "applies": true, 165 "answer": true, 166 "justification": "Section IV-A 'Dataset Generation' details: load generation from Uniform distribution (80%-120% of baseload), noise distribution (zero-mean Gaussian, 2% std dev), FDIA vector generation (random target variables, three variance scales), and sample composition (15,000 normal + 15,000 attacked)." 167 } 168 }, 169 "limitations_and_scope": { 170 "limitations_section_present": { 171 "applies": true, 172 "answer": true, 173 "justification": "Section V (Conclusion) contains three substantive paragraphs discussing specific limitations: white-box assumption, attack cost idealization, scalability uncertainty, and lack of defense methods." 
174 }, 175 "threats_to_validity_specific": { 176 "applies": true, 177 "answer": true, 178 "justification": "The paper discusses specific threats: 'the premise of the white-box LESSON attack may not always be accurate,' 'the assumption of attack cost in the attack model is ideal,' 'we do not have conclusive experimental evidence to prove the relationship between attack success rate and the size of the power grid,' and 'effective defense methods against multi-label adversarial examples have not been studied yet.'" 179 }, 180 "scope_boundaries_stated": { 181 "applies": true, 182 "answer": true, 183 "justification": "The paper explicitly states what was NOT tested: black-box attacks ('we will investigate black-box multi-label adversarial false data injection attacks' as future work), AC state estimation (footnote 1), limited attack resources ('we need to explore and analyze this problem in the follow-up work'), and defense methods." 184 } 185 }, 186 "data_integrity": { 187 "raw_data_available": { 188 "applies": true, 189 "answer": false, 190 "justification": "No raw data (generated measurement samples, trained models, or attack results) is released. Only aggregated results in figures are shown." 191 }, 192 "data_collection_described": { 193 "applies": true, 194 "answer": true, 195 "justification": "Section IV-A provides detailed synthetic data generation: Matpower test systems, load distributions U(80%*baseload, 120%*baseload), noise characteristics, FDIA vector generation with three variance scales, and dataset composition (30,000 total samples)." 196 }, 197 "recruitment_methods_described": { 198 "applies": false, 199 "answer": false, 200 "justification": "No human participants. Data is synthetically generated from standard IEEE power system test cases." 
201 }, 202 "data_pipeline_documented": { 203 "applies": true, 204 "answer": true, 205 "justification": "The full pipeline is documented: Matpower systems → load generation → measurement simulation with noise → FDIA vector injection (3 scales × 5000 each) → 2:1 train/test split → NAL model training → selection of 500 correctly-predicted samples → LESSON attack evaluation." 206 } 207 }, 208 "conflicts_of_interest": { 209 "funding_disclosed": { 210 "applies": true, 211 "answer": true, 212 "justification": "Extensive funding is disclosed in the footnote: National Key R&D Program of China, NSFC grants, Shaanxi Province programs, China Postdoctoral Science Foundation, and Fundamental Research Funds for Central Universities." 213 }, 214 "affiliations_disclosed": { 215 "applies": true, 216 "answer": true, 217 "justification": "All author affiliations are clearly listed: Xi'an Jiaotong University, Air Force Engineering University, and Xidian University." 218 }, 219 "funder_independent_of_outcome": { 220 "applies": true, 221 "answer": true, 222 "justification": "Funding sources are Chinese government research agencies and foundations with no financial stake in whether the LESSON attack framework succeeds or fails." 223 }, 224 "financial_interests_declared": { 225 "applies": true, 226 "answer": false, 227 "justification": "No competing interests or financial interests statement is included in the paper." 228 } 229 }, 230 "contamination": { 231 "training_cutoff_stated": { 232 "applies": false, 233 "answer": false, 234 "justification": "The paper trains its own CNN models from scratch on synthetic data. It does not evaluate a pre-trained model's capability on any benchmark." 235 }, 236 "train_test_overlap_discussed": { 237 "applies": false, 238 "answer": false, 239 "justification": "Same as above — no pre-trained model with opaque training data is evaluated." 
240 }, 241 "benchmark_contamination_addressed": { 242 "applies": false, 243 "answer": false, 244 "justification": "Same as above — the CNN models are trained from scratch on data the authors generate, so benchmark contamination in the pre-training sense does not apply." 245 } 246 }, 247 "human_studies": { 248 "pre_registered": { 249 "applies": false, 250 "answer": false, 251 "justification": "No human participants. The study uses synthetic power system simulation data." 252 }, 253 "irb_or_ethics_approval": { 254 "applies": false, 255 "answer": false, 256 "justification": "No human participants." 257 }, 258 "demographics_reported": { 259 "applies": false, 260 "answer": false, 261 "justification": "No human participants." 262 }, 263 "inclusion_exclusion_criteria": { 264 "applies": false, 265 "answer": false, 266 "justification": "No human participants." 267 }, 268 "randomization_described": { 269 "applies": false, 270 "answer": false, 271 "justification": "No human participants." 272 }, 273 "blinding_described": { 274 "applies": false, 275 "answer": false, 276 "justification": "No human participants." 277 }, 278 "attrition_reported": { 279 "applies": false, 280 "answer": false, 281 "justification": "No human participants." 282 } 283 }, 284 "cost_and_practicality": { 285 "inference_cost_reported": { 286 "applies": true, 287 "answer": false, 288 "justification": "No computation time, wall-clock time, or cost per attack is reported for the adversarial perturbation generation process. The maximum iteration count (500) is stated but not the actual time required." 289 }, 290 "compute_budget_stated": { 291 "applies": true, 292 "answer": false, 293 "justification": "No GPU hours, hardware specifications, or total computational budget is stated for either model training or attack generation." 
294 } 295 }, 296 "experimental_rigor": { 297 "seed_sensitivity_reported": { 298 "applies": true, 299 "answer": false, 300 "justification": "No mention of random seeds or sensitivity analysis across seeds. Data generation and model training involve randomness but seed handling is not discussed." 301 }, 302 "number_of_runs_stated": { 303 "applies": true, 304 "answer": false, 305 "justification": "The paper states 500 samples are selected per scenario but does not state whether experiments were repeated across multiple runs with different random initializations." 306 }, 307 "hyperparameter_search_budget": { 308 "applies": true, 309 "answer": false, 310 "justification": "Multiple learning rates are tested (0.0005-0.2) but no hyperparameter search budget or methodology is reported. It is unclear how the default learning rate of 0.001 was selected." 311 }, 312 "best_config_selection_justified": { 313 "applies": true, 314 "answer": true, 315 "justification": "The paper systematically reports results across all tested configurations (Figs. 5-7) rather than cherry-picking the best one, and provides analysis of when each learning rate is appropriate." 316 }, 317 "multiple_comparison_correction": { 318 "applies": false, 319 "answer": false, 320 "justification": "No statistical significance tests are performed, so multiple comparison correction is not applicable." 321 }, 322 "self_comparison_bias_addressed": { 323 "applies": true, 324 "answer": false, 325 "justification": "The authors evaluate their own LESSON attack framework without acknowledging self-comparison bias. No independent evaluation or comparison against independently implemented baselines is provided." 326 }, 327 "compute_budget_vs_performance": { 328 "applies": true, 329 "answer": false, 330 "justification": "No compute budget is reported at all. The relationship between computation and attack success is not analyzed, though iteration count (500 max) is fixed." 
331 }, 332 "benchmark_construct_validity": { 333 "applies": true, 334 "answer": false, 335 "justification": "The paper uses IEEE test systems (14, 30, 118 bus) without discussing whether these synthetic benchmarks represent real-world power grid conditions. Footnote 1 acknowledges the DC vs AC limitation but does not address the broader question of whether simulated results transfer to real grids." 336 }, 337 "scaffold_confound_addressed": { 338 "applies": false, 339 "answer": false, 340 "justification": "No scaffolding is involved. The approach is a direct optimization-based attack." 341 } 342 }, 343 "data_leakage": { 344 "temporal_leakage_addressed": { 345 "applies": true, 346 "answer": false, 347 "justification": "No discussion of temporal leakage. The train/test split is random rather than temporal, and there is no analysis of whether this matters for the synthetic data generation process." 348 }, 349 "feature_leakage_addressed": { 350 "applies": true, 351 "answer": false, 352 "justification": "No discussion of whether the attack generation process (which has access to the NAL model parameters in the white-box setting) constitutes a form of feature leakage relative to realistic attack scenarios." 353 }, 354 "non_independence_addressed": { 355 "applies": true, 356 "answer": false, 357 "justification": "Training and test samples are generated from the same distribution (same Matpower systems, same load distributions) with a random split. The structural similarity between train and test is not discussed." 358 }, 359 "leakage_detection_method": { 360 "applies": true, 361 "answer": false, 362 "justification": "No leakage detection or prevention method is used or discussed." 363 } 364 } 365 }, 366 "scan_version": 3, 367 "active_modules": [ 368 "experimental_rigor", 369 "data_leakage" 370 ], 371 "claims": [ 372 { 373 "claim": "All four LESSON attack types achieve 100% success rate on the IEEE 118-bus system at small FDIA scale.", 374 "evidence": "Fig. 
2(a) shows Psuc = 100% for all four LESSON types on the 118-bus system with learning rate 0.001 and small-scale FDIA.", 375 "supported": "strong" 376 }, 377 { 378 "claim": "The most difficult attack (LESSON-4) still achieves >60% success rate on 14-bus and 30-bus systems at small scale.", 379 "evidence": "Fig. 2(a) shows LESSON-4 success rates above 60% for both the 14-bus and 30-bus systems.", 380 "supported": "moderate" 381 }, 382 { 383 "claim": "FDIA attack scale significantly impacts attack success rate, with larger scales reducing success.", 384 "evidence": "Fig. 3 and Section IV-C show systematic decline: LESSON-2 on 14-bus drops from 98.73% (small) to 74.42% (medium) to 24.37% (large scale).", 385 "supported": "strong" 386 }, 387 { 388 "claim": "Larger power systems are more vulnerable to LESSON attacks than smaller ones.", 389 "evidence": "Fig. 3 shows 118-bus has consistently higher success rates than 14-bus and 30-bus, especially for difficult attack types and large FDIA scales. For large-scale LESSON-4: 118-bus achieves 42.21% vs much lower rates for smaller systems.", 390 "supported": "moderate" 391 }, 392 { 393 "claim": "Adam's initial learning rate has attack-type-dependent effects: LESSON-2 and LESSON-4 require smaller learning rates.", 394 "evidence": "Figs. 5-7 and Section IV-D show that for LESSON-2 and LESSON-4 (Objective Two₂), learning rates above 0.001 cause rapid success rate decline to 0, while LESSON-1 and LESSON-3 tolerate rates up to 0.01-0.1.", 395 "supported": "strong" 396 }, 397 { 398 "claim": "Objective One (maintaining original estimation error) has greater impact on attack difficulty than Objective Two (hiding all labels).", 399 "evidence": "Section IV-B: 'Objective One has a greater impact on the attack success rate. Specifically, keeping the original induced estimation error unchanged (targeted LESSON) obviously increases the difficulty of attack. 
On the contrary, the impact of Objective Two is relatively small.'", 400 "supported": "moderate" 401 } 402 ], 403 "methodology_tags": [ 404 "benchmark-eval" 405 ], 406 "key_findings": "The LESSON framework demonstrates that multi-label FDIA locational detectors based on deep learning are vulnerable to adversarial attacks, achieving 100% success on the 118-bus system across all four attack variants at small scale in the white-box, DC state-estimation setting the paper evaluates. Attack success decreases with larger FDIA scales due to physical constraints limiting perturbation space, and the larger test systems showed higher attack success rates, although the paper itself notes it has no conclusive experimental evidence relating attack success rate to grid size. The paper identifies that maintaining the original estimation error (targeted attacks) is a harder constraint than hiding all meter labels, and that Adam's learning rate must be carefully tuned per attack type.", 407 "red_flags": [ 408 { 409 "flag": "No baselines", 410 "detail": "Despite claiming to be 'the first work to explore multi-label adversarial example attacks in power systems,' the paper provides no comparison against adapted single-label AFDIA methods or other potential attack baselines. The absolute success rates are unanchored." 411 }, 412 { 413 "flag": "No error bars or variance", 414 "detail": "All results (success rates, perturbation magnitudes) are reported as single point estimates. With 500 samples per scenario and random data generation, variance across different random draws is unknown." 415 }, 416 { 417 "flag": "Synthetic data only", 418 "detail": "All experiments use synthetically generated data on simulated IEEE test systems with DC state estimation. No validation on real power system data or AC models is provided, despite claims about threats to 'practical large-scale power systems.'" 419 }, 420 { 421 "flag": "Strong white-box assumption", 422 "detail": "The attacker is assumed to have full knowledge of both the power grid and NAL model parameters. 
While acknowledged in limitations, all experimental results depend on this assumption, limiting practical applicability claims." 423 }, 424 { 425 "flag": "Overclaiming generalization", 426 "detail": "The paper claims results pose 'serious and imperative security breach and risk for practical large-scale power systems' but tests only DC state estimation on 3 synthetic IEEE bus systems. The gap between tested conditions and claimed applicability is large." 427 } 428 ], 429 "cited_papers": [ 430 { 431 "title": "ConAML: Constrained adversarial machine learning for cyber-physical systems", 432 "authors": ["J. Li", "Y. Yang", "J. S. Sun", "K. Tomsovic", "H. Qi"], 433 "year": 2021, 434 "relevance": "Proposes constrained adversarial ML methods for cyber-physical systems, directly relevant to adversarial attacks against AI-based security in critical infrastructure." 435 }, 436 { 437 "title": "Joint adversarial example and false data injection attacks for state estimation in power systems", 438 "authors": ["J. Tian", "B. Wang", "Z. Wang", "K. Cao", "J. Li", "M. Ozay"], 439 "year": 2022, 440 "relevance": "Prior work by some of the same authors introducing AFDIA concept for single-label detectors, directly extended in this paper to multi-label settings." 441 }, 442 { 443 "title": "Towards deep learning models resistant to adversarial attacks", 444 "authors": ["A. Madry", "A. Makelov", "L. Schmidt", "D. Tsipras", "A. Vladu"], 445 "year": 2018, 446 "relevance": "Foundational work on PGD-based adversarial attacks and robust training, whose projected gradient descent technique is used in the LESSON framework extensions." 447 }, 448 { 449 "title": "Explaining and harnessing adversarial examples", 450 "authors": ["I. J. Goodfellow", "J. Shlens", "C. Szegedy"], 451 "year": 2014, 452 "arxiv_id": "1412.6572", 453 "relevance": "Seminal work on adversarial examples (FGSM) that underpins the adversarial ML techniques applied in this paper." 
454 }, 455 { 456 "title": "Multi-label adversarial perturbations", 457 "authors": ["Q. Song", "H. Jin", "X. Huang", "X. Hu"], 458 "year": 2018, 459 "relevance": "First universal adversarial attack framework for multi-label classifiers, which LESSON adapts to the power systems domain with physical constraints." 460 }, 461 { 462 "title": "Multiguard: Provably robust multi-label classification against adversarial examples", 463 "authors": ["J. Jia", "W. Qu", "N. Gong"], 464 "year": 2022, 465 "relevance": "Proposes provable defenses for multi-label classifiers against adversarial examples, directly relevant as a potential countermeasure to LESSON attacks." 466 }, 467 { 468 "title": "Domain knowledge alleviates adversarial attacks in multi-label classifiers", 469 "authors": ["S. Melacci", "G. Ciravegna", "A. Sotgiu", "A. Demontis", "B. Biggio", "M. Gori", "F. Roli"], 470 "year": 2022, 471 "relevance": "Shows domain knowledge can defend multi-label classifiers against adversarial attacks, relevant as a defense strategy against the attacks proposed in this paper." 472 }, 473 { 474 "title": "Practical black-box attacks against machine learning", 475 "authors": ["N. Papernot", "P. McDaniel", "I. Goodfellow", "S. Jha", "Z. B. Celik", "A. Swami"], 476 "year": 2017, 477 "relevance": "Foundational black-box adversarial attack methodology that the authors identify as future work direction for extending LESSON." 478 }, 479 { 480 "title": "On credibility of adversarial examples against learning-based grid voltage stability assessment", 481 "authors": ["Q. Song", "R. Tan", "C. Ren", "Y. Xu", "Y. Lou", "J. Wang", "H. B. Gooi"], 482 "year": 2022, 483 "relevance": "Evaluates adversarial attacks against ML-based power grid stability assessment, directly relevant to adversarial ML in power system security." 484 }, 485 { 486 "title": "Towards adversarial-resilient deep neural networks for false data injection attack detection in power grids", 487 "authors": ["J. Li", "Y. Yang", "J. S. 
Sun", "K. Tomsovic", "H. Qi"], 488 "year": 2023, 489 "relevance": "Investigates defenses (random input padding) against AFDIA, relevant as a potential countermeasure to LESSON attacks." 490 }, 491 { 492 "title": "Exploring targeted and stealthy false data injection attacks via adversarial machine learning", 493 "authors": ["J. Tian", "B. Wang", "J. Li", "Z. Wang", "B. Ma", "M. Ozay"], 494 "year": 2022, 495 "relevance": "Extends AFDIA to targeted attacks with parallel optimization, directly building toward the LESSON framework proposed here." 496 } 497 ], 498 "engagement_factors": { 499 "practical_relevance": { 500 "score": 1, 501 "justification": "Domain-specific attack framework for power grid security researchers; not immediately usable by general practitioners." 502 }, 503 "surprise_contrarian": { 504 "score": 1, 505 "justification": "Extends known adversarial ML vulnerabilities to multi-label classifiers in power systems; challenges trust in these detectors but follows expected adversarial ML patterns." 506 }, 507 "fear_safety": { 508 "score": 2, 509 "justification": "Demonstrates attacks that could evade power grid security systems, raising concerns about critical infrastructure vulnerability to adversarial ML." 510 }, 511 "drama_conflict": { 512 "score": 0, 513 "justification": "No controversy or conflict; standard academic adversarial attack research." 514 }, 515 "demo_ability": { 516 "score": 0, 517 "justification": "No code, demo, or tool released." 518 }, 519 "brand_recognition": { 520 "score": 0, 521 "justification": "From Chinese academic institutions (Xi'an Jiaotong University, Air Force Engineering University); not widely recognized labs in the AI/ML community." 522 } 523 } 524 }