Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Power Interpretable Causal ODE Networks: A Unified Model for Explainable Anomaly Detection and Root Cause Analysis in Power Systems

Yue Sun, Likai Wang, Rick S. Blum, Parv Venkitasubramaniam

TL;DR

PICODE Networks is proposed, a unified, causality-informed architecture that jointly performs anomaly detection along with the explanation why it is detected as an anomaly, including root cause localization, anomaly type classification, and anomaly shape characterization.

Abstract

Anomaly detection and root cause analysis (RCA) are critical for ensuring the safety and resilience of cyber-physical systems such as power grids. However, existing machine learning models for time series anomaly detection often operate as black boxes, offering only binary outputs without any explanation, such as identifying anomaly type and origin. To address this challenge, we propose Power Interpretable Causality Ordinary Differential Equation (PICODE) Networks, a unified, causality-informed architecture that jointly performs anomaly detection along with the explanation why it is detected as an anomaly, including root cause localization, anomaly type classification, and anomaly shape characterization. Experimental results in power systems demonstrate that PICODE achieves competitive detection performance while offering improved interpretability and reduced reliance on labeled data or external causal graphs. We provide theoretical results demonstrating the alignment between the shape of anomaly functions and the changes in the weights of the extracted causal graphs.

Power Interpretable Causal ODE Networks: A Unified Model for Explainable Anomaly Detection and Root Cause Analysis in Power Systems

TL;DR

PICODE Networks is proposed, a unified, causality-informed architecture that jointly performs anomaly detection along with the explanation why it is detected as an anomaly, including root cause localization, anomaly type classification, and anomaly shape characterization.

Abstract

Anomaly detection and root cause analysis (RCA) are critical for ensuring the safety and resilience of cyber-physical systems such as power grids. However, existing machine learning models for time series anomaly detection often operate as black boxes, offering only binary outputs without any explanation, such as identifying anomaly type and origin. To address this challenge, we propose Power Interpretable Causality Ordinary Differential Equation (PICODE) Networks, a unified, causality-informed architecture that jointly performs anomaly detection along with the explanation why it is detected as an anomaly, including root cause localization, anomaly type classification, and anomaly shape characterization. Experimental results in power systems demonstrate that PICODE achieves competitive detection performance while offering improved interpretability and reduced reliance on labeled data or external causal graphs. We provide theoretical results demonstrating the alignment between the shape of anomaly functions and the changes in the weights of the extracted causal graphs.
Paper Structure (19 sections, 4 theorems, 31 equations, 6 figures, 3 tables)

This paper contains 19 sections, 4 theorems, 31 equations, 6 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Notations and Problem definition
  4. Methodology
  5. Anomaly Detection
  6. Root Cause Localization
  7. Anomaly Type Classification
  8. Anomaly Shape Characterization
  9. Theoretical Analysis
  10. Experiments
  11. Experiment Settings
  12. Anomaly Simulation
  13. Baselines
  14. Results and Analysis
  15. Anomaly Detection
  16. ...and 4 more sections

Key Result

Theorem 1

Let $f(z) = \|\tilde{\beta}_j(z) - \beta_j\|^2$ represent the squared error in the $j$-th coefficient when the target vector is perturbed as $\tilde{\mathbf{Y}} = \mathbf{Y} + z\mathbf{v}$. If the original estimator produces a perfect estimate for $\beta_j$ (i.e., $\hat{\beta}_j = \beta_j$), then: where $d_j$ is the $j$-th component of $\mathbf{d} = (\mathbf{X}^T\mathbf{X} + \lambda \mathbf{I})^{

Figures (6)

  • Figure 1: (a) Traditional models perform either anomaly detection or root cause localization. (b) We encode time series using domain knowledge (e.g., phase-angle differences) for explainability. (c) Our model unifies detection, localization, type classification, and shape characterization by leveraging a learned causal dependency graph.
  • Figure 2: Comparison of Measurement and Cyber Anomalies in a Two-variable System (a) Normal state. (b) Measurement anomaly affects the measurement of a variable without altering underlying ODEs. (c) Measurement anomaly does not propagate to dependent variables. (d) Cyber anomaly alters the underlying ODE and lead to an anomaly. (e) Cyber anomaly propagates anomaly to dependent variables.
  • Figure 3: Illustration of PICODE framework on a 3-variable dynamical system. Voltage magnitude and angle measurements are encoded into domain-informed Cartesian components to form the input state $S(t)$. PICODE is trained on data from the normal period to learn the baseline causality matrix $C$ via an ODE-based model. When an anomaly is detected in new data, the model is retrained using this anomalous segment to obtain an updated causality matrix $C'$. Differences between $C$ and $C'$ are analyzed to identify patterns indicative of measurement or cyber anomaly. Based on the structural change in the causal graph, the anomaly type is classified using Eq. (\ref{['eq:anomaly-type']}). Root cause localization is then performed using Eq. (\ref{['eq:get-root-cause']}). Finally, the anomaly’s progression is assessed by evaluating changes in the causal influence of the root variable over time.
  • Figure 4: Single line diagram of the IEEE 68-bus test system.
  • Figure 5: (a) Graph representation $\mathcal{G}$ of causality relationship in the IEEE 68-bus system. (b) Adjacency matrix of the physical connection graph $\mathcal{G}$.
  • ...and 1 more figures

Theorems & Definitions (10)

  • Definition 1
  • Definition 2
  • Theorem 1: Monotonicity in Measurement Anomaly
  • proof
  • Theorem 2: Monotonicity of Cyber Anomaly
  • proof
  • Theorem 1: Monotonicity in Measurement Anomaly
  • proof
  • Theorem 2: Monotonicity of Cyber Anomaly
  • proof