Abstract: In order to reduce the false alarm rate and improve the scalability of practical application, a real-time advanced metering infrastructure attack detection method with two layers based on attack reconstruction is proposed. The first layer used the ratio of harmonic mean to arithmetic mean of total power consumption data to identify differences in time series behavior. The second layer used the sum of residuals under the ratio curve measurement to confirm whether the difference in the first layer was related to the attack. The attack reconstruction scheme used the observed changes of the direction, symbol and size of the proposed measurement to associate the signature with different attack types, so as to guide the site security officer or require the control mechanism to make an appropriate response. The experimental results of two real AMI (Advanced Metering Infrastructure) datasets show the effectiveness of the proposed method.