Chongrong Fang,Yifei Qi,Jiming Chen,Rui Tan,Wei Xing Zheng

DOI: https://doi.org/10.1109/tac.2019.2950072

IF: 6.549

2019-01-01

IEEE Transactions on Automatic Control

Abstract:In this technical note, the tradeoff between the attack detectability and the performance degradation in stochastic cyber-physical systems is investigated. We consider a linear time-invariant system in which the attack detector performs a hypothesis test on the innovation of the Kalman filter to detect malicious tampering with the actuator signals. We adopt a notion of attack stealthiness to quantify the degree of stealth by limiting the maximum achievable exponents of both false alarm probability and detection probability below certain thresholds. And the conditions for any actuator attack to have a specific level of stealthiness are derived. Additionally, we characterize the upper bound of the performance degradation induced by attacks with a given extent of stealthiness that produces independent and identically distributed Gaussian innovations, and design the attack, which achieves the stated upper bound for right-invertible systems. Finally, our results are illustrated via numerical examples.

Yi Gao,Yunji Li,Ziyan Hua,Junjie Chen,Yajun Wu

DOI: https://doi.org/10.3390/info15100649

2024-01-01

Information

Abstract:In modern industrial applications, production quality, system performance, process reliability, and safety have received considerable attention. This article proposes a dynamic event-triggered attack estimator for Markovian jump stochastic systems susceptible to actuator deception attacks. Utilizing the developed estimator, the presented attack-tolerant control strategy can tolerate the effects of such attacks and ensure the mean-square convergence of the overall closed-loop system. A dynamic event-triggered mechanism is implemented on the sensor side to optimize communication efficiency. To address the potential threat of deception attacks, a plug-and-play (PnP) secure monitoring and control architecture is introduced. This architecture facilitates the seamless integration of the designed attack-tolerant controller with the nominal feedback controller, thereby enhancing system security without requiring significant modifications to the existing control structure. The practicality and effectiveness of the proposed approaches are demonstrated through experimental results on a switched boost converter circuit.

Kosuke Kimura,Hideaki Ishii

2023-03-22

Abstract:For networked control systems, cyber-security issues have gained much attention in recent years. In this paper, we consider the so-called zero dynamics attacks, which form an important class of false data injection attacks, with a special focus on the effects of quantization in a sampled-data control setting. When the attack signals must be quantized, some error will be necessarily introduced, potentially increasing the chance of detection through the output of the system. In this paper, we show however that the attacker may reduce such errors by avoiding to directly quantize the attack signal. We look at two approaches for generating quantized attacks which can keep the error in the output smaller than a specified level by using the knowledge of the system dynamics. The methods are based on a dynamic quantization technique and a modified version of zero dynamics attacks. Numerical examples are provided to verify the effectiveness of the proposed methods.

Systems and Control

Amir Khazraei,Miroslav Pajic

2023-10-07

Abstract:In this work, we focus on analyzing vulnerability of nonlinear dynamical control systems to stealthy false data injection attacks on sensors. We start by defining the stealthiness notion in the most general form where an attack is considered stealthy if it would be undetected by any intrusion detector, i.e., any intrusion detector could not do better than a random guess. Depending on the level of attacker's knowledge about the plant model, controller, and the system states, two different attack models are considered. For each attack model, we derive the conditions for which the system will be vulnerable to stealthy impactful attacks, in addition to finding a methodology for designing such sequence of false data injection attacks. When the attacker has complete knowledge about the system, we show that if the closed loop system is incrementally exponentially stable while the open loop plant is incrementally unstable, then the system is vulnerable to stealthy yet impactful attacks on sensors. However, in the second attack model, with less knowledge about the system, additional conditions need to be satisfied and the level of stealthiness depends on the accuracy of attacker's knowledge about the system. We also consider the impact of stealthy attacks on state estimation, and show that if the closed loop control system including the estimator is incrementally stable, then the state estimation in the presence of attack converges to the attack free estimates. Finally, we illustrate our results on numerical case studies.

Systems and Control

Peng Yu,Jingliang Wei,Ruizhe Jia,Jimin Wang,Jin Guo

DOI: https://doi.org/10.1002/acs.3674

IF: 3.369

2023-08-21

International Journal of Adaptive Control and Signal Processing

Abstract:Summary In this paper, we discuss the security control problem of cyber physical systems based on identifying false data injection attacks. First, the unknown adversary randomly attacks the measurement output, a mechanism is set in the sensor to update the measurement output to the constant, called the one‐valued quantized mechanism. Then, the Bienayme–Chebyshev inequality and the one‐valued quantized mechanism are utilized to design an identification algorithm, the estimated value of the false data injection attack and the minimum identification time can be obtained. Furthermore, based on the LMI theory, sampled‐data control gains with and without attacks are obtained to ensure the system mean‐square exponential stable, respectively. And the corresponding maximum sampling period of the controller is obtained. Finally, numerical examples verify the correctness and effectiveness of the theory.

automation & control systems,engineering, electrical & electronic

Wenmin He,Shi Li,Choon Ki Ahn,Jian Guo,Zhengrong Xiang

DOI: https://doi.org/10.1109/jsyst.2021.3111978

IF: 4.802

2021-01-01

IEEE Systems Journal

Abstract:Cyber-physical systems (CPSs) can be accessed and controlled remotely, which increases their application prospects; however, these characteristics also make them more vulnerable to cyberattacks. In addition, an increasing number of resource-saving sampled-data control methods have attracted attention in the field of research. How to ensure the stability of the system that is attacked by cyberattacks and to reduce further the communication resources is a challenge. In this article, we study the security control problem of stochastic interconnected CPSs under two-channel denial-of-service attacks based on sampled-data output-feedback. First, the state observer and controller are designed with only the system output of the sampling points in the nonattack intervals. Next, the time intervals related to stable and unstable dynamics are distinguished. By analyzing the Lyapunov function in the intervals classified as previously mentioned respectively, the relationship between the sampling period and attack characteristics is derived to ensure that the system is globally mean-square uniformly ultimately bounded. The simulation results are presented to substantiate the analysis.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Yilin Mo,Bruno Sinopoli

DOI: https://doi.org/10.1145/2185505.2185514

2012-01-01

Abstract:In this paper we consider the integrity attack on Cyber-Physical System(CPS), which is modeled as a discrete linear time-invariant system equipped with a Kalman filter, LQG controller and chi(2) failure detector. An attacker wishes to disturb the system by injecting external control inputs and fake sensor measurements. In order to perform the attack without being detected, the adversary will need to carefully design its actions to fool the failure detector as abnormal sensor measurements will result in an alarm. The adversary's strategy is formulated as a constrained control problem. In this paper, we characterize the reachable set of the system state and estimation error under the attack, which provides a quantitative measure of the resilience of the system. To this end, we will provide an ellipsoidal algorithm to compute the outer approximation of the reachable set. We also prove a necessary condition under which the reachable set is unbounded, indicating that the attacker can successfully destabilize the system.

Steven X. Ding,Linlin Li,Dong Zhao,Chris Louen,Tianyu Liu

DOI: https://doi.org/10.48550/arXiv.2103.00210

2021-06-05

Abstract:This draft addresses issues of detecting stealthy integrity cyber-attacks on automatic control systems in the unified control and detection framework. A general form of integrity cyber-attacks that cannot be detected using the well-established observer-based technique is first introduced as kernel attacks. The well-known replay, zero dynamics and covert attacks are special forms of the kernel attacks. Existence conditions for the kernel attacks are presented. It is demonstrated, in the unified framework of control and detection, that all kernel attacks can be structurally detected when not only the observer-based residual, but also the control signal based residual signals are generated and used for the detection purpose. Based on the analytical results, two schemes for detecting the kernel attacks are then proposed, which allow reliable attack detection without loss of control performance. While the first scheme is similar to the well-established moving target method and auxiliary system aided detection scheme, the second detector is realised with encrypted transmissions of control and monitoring signals in the feedback control system that prevents adversary to gain system knowledge by means of eavesdropping attacks. Both schemes are illustrated by examples of detecting replay, zero dynamics and covert attacks and an experimental study on a three-tank control system.

Systems and Control

Yilin Mo,Bruno Sinopoli

DOI: https://doi.org/10.1109/tac.2015.2498708

IF: 6.549

2015-01-01

IEEE Transactions on Automatic Control

Abstract:This technical note analyzes the effect of stealthy integrity attacks on Cyber-Physical Systems, which is modeled as a Stochastic Linear Time-Invariant (LTI) system equipped with a linear filter, a linear feedback controller and chi(2) failure detector. An attacker wishes to induce perturbation in the control loop by compromising a subset of the sensors and injecting an exogenous control input, without incurring detection from an anomaly detector. We show how the problem can be modeled, from the attacker's standpoint, as a constrained control problem and that the characterization of the maximum perturbation can be posed as reachable set computation, which we solve using ellipsoidal calculus.

Zhiyu Duan,Airong Wei,Xianfu Zhang,Bo Sun

DOI: https://doi.org/10.1002/rnc.7646

IF: 3.8973

2024-10-09

International Journal of Robust and Nonlinear Control

Abstract:In this paper, the sampled‐data‐driven event‐triggered secure control is discussed for a class of uncertain nonlinear cyber‐physical systems under multiple attacks containing deception attacks and replay attacks. Compared with exisiting research, the studied systems take into account the uncertainty and coupling that may occur in practical situations. Notably, deception attacks impede the application of a gain design approach in control design. To address this issue, an artful state transformation is presented to convert the considered system into an auxiliary system. Based on this, a novel sampled‐data‐driven attack compensation scheme is devised via the gain design approach, and an event‐triggered mechanism is further introduced into the scheme to cancel needless control updates, which successfully ensures state convergence meanwhile resisting the impact of multiple attacks. Particularly, the designed control scheme not only utilizes data efficiently but also avoids Zeno behaviour automatically by judging triggering conditions in sampled points. Finally, the validity of the results is verified through two simulation examples.

automation & control systems,engineering, electrical & electronic,mathematics, applied

Jiancun Wu,Chen Peng,Jin Zhang,Engang Tian

DOI: https://doi.org/10.1109/TCYB.2024.3350331

Abstract:This article aims to analyze H∞ stability of a class of networked control systems (NCSs) under random denial of service (DoS) attacks and design a sampled-data-based state feedback security controller to mitigate the influence of attacks. Different from the existing random attacks, the information about the maximum duration time of DoS attacks can be captured by introducing a predesigned logical processor. Then, based on the periodic sampling technique, the probability of attack occurrence and the resultant number of maximum allowable consecutive packet dropouts can be calculated, which is quite significant to investigating the security problem of NCSs. A DoS-dependent security controller which makes full use of the attack probability information and the number of attack-induced packet dropouts is designed. A novel networked sampled-data system model is first established that enables us to deal with the random DoS attacks phenomena and the time-varying delay induced by attacks under a uniform framework. By structuring a suitable Lyapunov-Krasovskii functional, the relationship between mean square asymptotic stability and attack characteristics is obtained. Finally, the reliability and applicability of the presented control strategy in eliminating the influence of DoS attacks are validated by two practical engineering applications.

Xiaohua Liu,Feiqi Deng,Pengyu Zeng,Xiaobin Gao,Xueyan Zhao

DOI: https://doi.org/10.1109/access.2021.3069379

IF: 3.9

2021-01-01

IEEE Access

Abstract:This paper concerns the sampled-data resilient control for hybrid nonlinear stochastic systems under periodic denial of service (P-DoS) attacks. First of all, considering that the system is attacked by P-DoS and using the zero-order holder (ZOH) technique to further analyze the impact of such attacks on the control input. Secondly, via using the time-delay transform method, the attacked sampled-data resilient control system is modeled as a switched stochastic nonlinear time-delay closed-loop system. Thirdly, by using the piecewise Lyapunov functional method, the sufficient conditions to guarantee the mean square exponential stability of the attacked system are given. Then, according to these sufficient conditions, the controller parameters are solved when specific Lyapunov functional and controller design are given. Finally, an example is given to illustrate the efficiency of our results.

Sheng Gao,Hao Zhang,Zhuping Wang,Chao Huang,Huaicheng Yan

DOI: https://doi.org/10.1109/tnse.2023.3292403

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:The system security of linear cyber-physical systems (CPSs) with repetitive movement characteristics under injection attacks is investigated in this article. The optimal data-driven injection attack strategies through iterative learning are proposed without utilizing the knowledge of the system model. A switching attack strategy with high concealment, flexibility, and low energy consumption is established. Finding the optimal attack strategy that maximizes the quadratic cost function of the system is the main objective of this article. Different from the existing attack strategies, the proposed one applies the attack input data from the previous iteration at the same sampling time to update the current attack input, thereby improving the attack effect. Furthermore, in order to overcome the difficulty that the attacker is unaware of the attacked system model, a system identification method based on input and output (I/O) data is used to construct a virtual model. An improved projection estimation approach is developed to estimate the parameters of the virtual model with the assistance of the matrix inverse lemma. Finally, a networked direct current (DC) motor simulation is applied to verify the effectiveness of the presented schemes.

Chengwei Wu,Weiran Yao,Wei Pan,Guanghui Sun,Jianxing Liu,Ligang Wu

DOI: https://doi.org/10.1109/tcns.2021.3094782

IF: 4.347

2021-01-01

IEEE Transactions on Control of Network Systems

Abstract:This article investigates the secure control problem for cyber-physical systems when the malicious data are injected into the cyber realm, which directly connects to the actuators. Based on moving target defense (MTD) and reinforcement learning, we propose a novel proactive and reactive defense control scheme. First, the system $(A,B)$ is modeled as a switching system consisting of several controllable pairs $(A,\mathcal {B}_{l})$ to facilitate the construction of the MTD control scheme. The controllable pairs $(A,\mathcal {B}_{l})$ can be altered to update system dynamics under certain unpredictable switching probabilities for each subsystem, which can prevent the adversaries from effective attacks. Second, both attack detection and isolation schemes are designed to accurately locate and exclude the compromised actuators from a switching sequence. Third, a reinforcement learning algorithm based on the zero-sum game theory is proposed to design the defense control scheme when there exist no controllable subsystems to switch. To demonstrate the effectiveness of the defense control scheme, a three-tank system under unknown cyber attacks is illustrated.

Rongkuan Ma,Peng Cheng,Zhenyong Zhang,Wenwen Liu,Qingxian Wang,Qiang Wei

DOI: https://doi.org/10.1109/jiot.2019.2931349

IF: 10.6

2019-01-01

IEEE Internet of Things Journal

Abstract:In an industrial cyber-physical system (iCPS), the controller plays a critical role in guaranteeing reliability and stability. Therefore, redundant controller architecture is a well-adopted approach by distributed control systems (DCS), supervisory control and data acquisition (SCADA), and other typical iCPSs. They monitor and control the critical industrial process, such as power generation, chemical industry, water treatment plant, etc. Redundant controller architecture has been designed and largely implemented in response to unpredictable mechanical failures. However, this structure initially proposed for guaranteeing reliability and safety may expand the cyber-attack surface, posing the risk that an attacker may take advantage of this architecture for stealthy attacks. In this article, we analyze the vulnerability arising from the redundant controller architecture and propose a combined attack methodology against these redundant controller architecture systems in a stealthy manner. We find several 0-day vulnerabilities of the real-world devices from three manufacturers and further implement the combined attack over these devices. Our experimental results over various types of real-world devices show that the redundant controller architecture can be exploited to compromise all tested systems stealthily. We also present guidelines for mitigating this risk.

Paul Griffioen,Sean Weerakkody,Bruno Sinopoli

DOI: https://doi.org/10.1109/tac.2020.3005686

IF: 6.549

2021-05-01

IEEE Transactions on Automatic Control

Abstract:This article considers the design and analysis of multiple moving target defenses for recognizing and isolating attacks on cyber-physical systems. We consider attackers who perform integrity attacks on some set of sensors and actuators in a control system. In such cases, it has been shown that a model aware adversary can carefully design attack vectors to bypass bad data detection and identification filters while causing damage to the control system. To counter such an attacker, we propose the moving target defense which introduces stochastic, time-varying parameters in the control system. The underlying random dynamics of the system limit an attacker's knowledge of the model and inhibit his or her ability to construct stealthy attack sequences. Moreover, the time-varying nature of the dynamics thwarts adaptive adversaries. We explore three main designs. First, we consider a hybrid system where parameters within the existing plant are switched among multiple modes. We demonstrate how such an approach can enable both the detection and identification of malicious nodes. Next, we investigate the addition of an extended system with dynamics that are coupled to the original plant but do not affect the system performance. Here, an attack on the original system will affect the authenticating subsystem and in turn be revealed by a set of sensors measuring the extended plant. Finally, we propose the use of sensor nonlinearities to enhance the effectiveness of the moving target defense. The nonlinear dynamics act to conceal normal operational behavior from an attacker who has tampered with the system state, further hindering an attacker's ability to glean information about the time-varying dynamics. In all cases mechanisms for analysis and design are proposed. Finally, we analyze attack detectability for each moving target defense by investigating expected lower bounds on the detection statistic. Our contributions are also tested via simulation.

automation & control systems,engineering, electrical & electronic

Xiaohua Liu,Feiqi Deng,Pengyu Zeng,Xiaobin Gao,Xueyan Zhao

DOI: https://doi.org/10.1080/00207721.2022.2158445

IF: 2.648

2022-01-01

International Journal of Systems Science

Abstract:This paper studies the sampled-data resilient control for stochastic nonlinear cyber-physical systems (CPSs) under denial-of-service (DoS) attacks. First, under the sampled-data control scheme, DoS attacks are described and under-considered in the stochastic nonlinear CPSs. Secondly, according to the influence of DoS attack, a new switching stochastic nonlinear closed-loop system is established under a full-state feedback controller. Then, by using the piecewise Lyapunov functional method, sufficient conditions are provided to ensure the mean square exponential stability of the obtained closed-loop system. In addition, some criterions are given to design controller parameters. Finally, an example is given to illustrate the effectiveness of our results.

Kai-Yu Wang,Dan Ye,Tian-Yu Zhang

DOI: https://doi.org/10.1109/tsmc.2024.3356028

2024-01-01

IEEE Transactions on Systems, Man, and Cybernetics: Systems

Abstract:This article investigates a data-driven design strategy of undetectable attacks against distributed control systems. The objective of the attacker is to worsen the estimation performance and maintain undetectability through compromising partial communication links. First, the existence condition of undetectable attacks is proposed based on the null space of system matrices. Then, the subspace identification method is applied to generate the null space and construct the undetectable attack sequence utilizing the gathered system input–output data. Besides, the impact of the undetectable attack is evaluated by solving an optimization problem involving attack undetectability and energy constraints. To launch the undetectable attack at any time during the system operation, an auxiliary attack sequence is designed. Finally, the simulation results verify the effectiveness of data-driven undetectable attacks.

automation & control systems,computer science, cybernetics

Yilin Mo,B. Sinopoli

2010-01-01

Abstract:This paper analyzes the effects of false data injection attacks on Control System. We assume that the system, equipped with a Kalman filter and LQG controller, is used to monitor and control a discrete linear time invariant Gaussian system. We further assume that the system is equipped with a failure detector. An attacker wishes to destabilize the system by compromising a subset of sensors and sending corrupted readings to the state estimator. In order to inject fake sensor measurements without being detected the attacker needs to carefully design its inputs to fool the failure detector, since abnormal sensor measurements usually trigger an alarm from the failure detector. We will provide a necessary and sufficient condition under which the attacker could destabilize the system while successfully bypassing the failure detector. A design method for the defender to improve the resilience of the CPS against such kind of false data injection attacks is also provided.

Xiao Tan,Pio Ong,Paulo Tabuada,Aaron D. Ames

2024-09-13

Abstract:Cyber-physical systems can be subject to sensor attacks, e.g., sensor spoofing, leading to unsafe behaviors. This paper addresses this problem in the context of linear systems when an omniscient attacker can spoof several system sensors at will. In this adversarial environment, existing results have derived necessary and sufficient conditions under which the state estimation problem has a unique solution. In this work, we consider a severe attacking scenario when such conditions do not hold. To deal with potential state estimation uncertainty, we derive an exact characterization of the set of all possible state estimates. Using the framework of control barrier functions, we propose design principles for system safety in offline and online phases. For the offline phase, we derive conditions on safe sets for all possible sensor attacks that may be encountered during system deployment. For the online phase, with past system measurements collected, a quadratic program-based safety filter is proposed to enforce system safety. A 2D-vehicle example is used to illustrate the theoretical results.

Systems and Control