Heng Zhang,Peng Cheng,Ling Shi,Jiming Chen

2015-01-01

Abstract:Security of Cyber-Physical Systems (CPS) has gained increasing attention in recent years. Most existing works mainly investigate the system performance given some attacking patterns. In this paper, we investigate how an attacker should schedule its Denial-of-Service (DoS) attacks to degrade the system performance. Specifically, we consider the scenario where a sensor sends its data to a remote estimator through a wireless channel, while an energy-constrained attacker decides whether to jam the channel at each sampling time. We construct optimal attack schedules to maximize the expected average estimation error at the remote estimator. We also provide the optimal attack schedules when a special intrusion detection system (IDS) at the estimator is given. We further discuss the optimal attack schedules when the sensor has energy constraint. Numerical examples are presented to demonstrate the effectiveness of the proposed optimal attack schedules. Index Terms State estimation, DoS attack, energy constraint.

Heng Zhang,Peng Cheng,Ling Shi,Jiming Chen

DOI: https://doi.org/10.1109/tac.2015.2409905

IF: 6.549

2015-01-01

IEEE Transactions on Automatic Control

Abstract:Security of Cyber-Physical Systems (CPS) has gained increasing attention in recent years. Most existing works mainly investigate the system performance given some attacking patterns. In this technical note, we investigate how an attacker should schedule its Denial-of-Service (DoS) attacks to degrade the system performance. Specifically, we consider the scenario where a sensor sends its data to a remote estimator through a wireless channel, while an energy-constrained attacker decides whether to jam the channel at each sampling time. We construct optimal attack schedules to maximize the expected average estimation error at the remote estimator. We also provide the optimal attack schedules when a special intrusion detection system (IDS) at the estimator is given. We further discuss the optimal attack schedules when the sensor has energy constraint. Numerical examples are presented to demonstrate the effectiveness of the proposed optimal attack schedules.

Zhuping Wang,Sheng Gao,Hao Zhang,Huaicheng Yan,Tenghui Li

DOI: https://doi.org/10.1109/tcns.2024.3372134

IF: 4.347

2024-01-01

IEEE Transactions on Control of Network Systems

Abstract:The energy allocation problem of malicious denial-of-service (DoS) attacks for state estimation in cyber-physical systems (CPSs) is investigated in this paper. An optimal energy allocation strategy for DoS attacks in CPSs under multi-sensor network fusion estimation is proposed. To describe the channel packet loss characteristic, a signal-to-interference-plus-noise ratio (SINR) model is introduced. Compared with the existing DoS attack strategies, the increase of the channel packet loss rate with the increase in energy injected by the attacker is considered. Meanwhile, the behavioral tendency of the attacker concerning the sensors with different parameters is taken into account, leveraging the additional sensing accuracy matrix. Moreover, the quantified relationship between the attacker and the remote estimator error covariance is derived and the optimal energy allocation strategy problem is transformed into a convex optimization problem to be solved. Finally, a simulation example is presented to verify the effectiveness of the proposed mechanism.

computer science, information systems,automation & control systems

Lianghong Peng,Ling Shi,Xianghui Cao,Changyin Sun

DOI: https://doi.org/10.1109/TAC.2017.2775344

IF: 6.549

2018-01-01

IEEE Transactions on Automatic Control

Abstract:Recently, the security issue of wireless cyber-physical systems (CPS) has attracted much attention from different communities. In this paper, we consider energy-efficient optimal attack power schedule against remote state estimation of wireless CPS under constrained denial-of-service attacks based on channels' signal-to-interference-plus-noise ratio (SINR). We propose a wireless communication mode...

Xiao-Hui Liu,Jiuxiang Dong,Guang-Hong Yang

DOI: https://doi.org/10.1109/tsmc.2023.3305287

2024-01-01

Abstract:In this article, the optimal denial-of-service (DoS) attack scheduling problem for multichannel cyber–physical systems (CPSs) from the attackers’ perspective is investigated, where state sensors deliver data to a remote estimator over multiple channels. It is essential to find an optimal attack scheduling strategy to disrupt the remote state estimator thanks to attacker’s energy limitations. In our work, an interesting conclusion is proven that the mathematical expectation of attack number is a constant under different attack strategies when the attacker uses up all his energy to attack the system with a given number of channels. Second, a novel index for evaluating the effectiveness of attack strategies is proposed. Then, a scheduling strategy for optimal DoS attacks during multichannel communication is given based on the above. Eventually, the effectiveness of the proposed strategy is analyzed numerically.

Menglin Li,Jiahu Qin,Ling Shi,Xinghuo Yu,Huijun Gao

DOI: https://doi.org/10.1109/ccdc.2017.7978649

2017-01-01

Abstract:This paper considers a Denial-of-Service (DoS) attack scheduling problem. Specifically, a sensor employs the wireless link to send the data packet to the remote estimator at each time step, while an energy-constrained attacker launches DoS attacks against the remote state estimation, and designs an optimal attack strategy to maximize damage to the remote estimation quality. The packet will drop if the channel is jammed. In most of the existing works on DoS attacks, it is assumed that the wireless channel is perfect, i.e., the packet dropout never occurs in the absence of attack. However, this is far from the practical situation. To encompass the lossy nature of wireless networks, we study the scenario of lossy networks in which the packet may drop even without attack, and construct the optimal attack strategy that maximizes the average expected estimation error at the remote estimator over lossy networks. Numerical simulations are provided to demonstrate the effectiveness of the theoretical results.

Xianghui Cao,Changyin Sun

DOI: https://doi.org/10.1109/ascc.2017.8287298

2017-01-01

Abstract:Remote state estimation in which wireless sensors transmit data to a remote device for estimating the state of a physical process is an important issue in cyber-physical systems (CPS). Since the wireless channel is open-access, adversaries can easily launch denial-of-service (DoS) attacks and cause significant estimation performance deterioration, regardless of the use of cryptographic techniques for sensor data security. Most existing studies on DoS attacks in CPS often assume perfect channels. In this paper, we study the impact and strategies of DoS attacks in a more practical scenario where the wireless channel suffer from stochastic background traffics. We propose a probabilistic attack scheme in which the attacker senses the channel state and only executes DoS when the sensing result indicates an idle channel. Specifically, with the proposed probabilistic attack scheme, the attacker launches DoS with a certain probability once the channel is sensed idle. We theoretically analyze the stability of the estimation process and investigate the problem of optimal attack strategy under attackers energy constraint.

Junhui Zhang,Jitao Sun,Hai Lin

DOI: https://doi.org/10.1016/j.automatica.2021.109517

IF: 6.4

2021-01-01

Automatica

Abstract:In this paper, we focus on the design of optimal schedules for denial-of-service (DoS) attacks to degrade the performance of a remote state estimator of a networked system, where measurements of un-computational sensors are transmitted through a band-limited wireless channel under the round-robin protocol. Since attacker only has limited energy to jam the network, the attacker has to determine whether to jam the channel or not at each time step. In this paper, we propose a general error cost function in which average error and terminal error only become its particular cases. Then we analyze the properties of evolution of estimation error covariance under different schedules and further determine optimal attack schedules with respect to our proposed error cost. Examples are provided to illustrate the design of the optimal attack schedules.

Xinxin Yang,Yuqing Ni,Zhe Wu,Wen Yang,Fei Liu

DOI: https://doi.org/10.1002/rnc.7172

IF: 3.8973

2024-01-01

International Journal of Robust and Nonlinear Control

Abstract:This article examines resource scheduling optimization for cyber-physical systems that include a smart sensor, a remote estimator, and an attacker. The attacker's objective is to use denial-of-service (DoS) attack to jam the wireless channel, causing packet loss and reducing system performance. We consider a more realistic scenario where other interfering sources exist and conduct research based on the signal-to-interference-plus-noise ratio (SINR) model. Through this model, we investigate two cases: constant high or low interference power and time-varying interference power. Different levels of attack power lead to varying packet loss rates, and the same attack power may result in different packet loss rates in different interference environments. Therefore, the attacker needs to consider the impact of other interferences to find the optimal attack strategy that increases the estimation error of the information-physical system while reducing energy consumption. We describe this optimization problem in a Markov decision process (MDP) framework and demonstrate the existence of an optimal deterministic Markovian strategy. We also establish the monotonicity of the optimal strategy in two different cases and investigate the extreme case. Simulation results support our theoretical results.

Lianghong Peng,Xianghui Cao,Changyin Sun,Yu Cheng

DOI: https://doi.org/10.1007/978-3-319-42836-9_29

IF: 6

2018-01-01

Neurocomputing

Abstract:Recently, the security issues of Cyber-Physical Systems (CPS) have gained a growing amount of research attention. As a typical application of CPS, remote state estimation systems over wireless channels are vulnerable to various cyber attacks, such as channel jamming attacks. Standing on the point of the jamming attacker, this paper investigates the problem of optimal attack schedule under energy constraints against a wireless state estimation system, where two sensors transmit data to a remote estimator over two independent wireless channels. Due to its radio constraint, the attacker is assumed to only launch jamming attack on one of the two channels at a time. We formulate the problem of optimal attack schedule as a nonlinear program which aims to maximize the remote estimation error covariance subjecting to the attacker's energy constraint. We then theoretically derive the optimal schedule and shows that it depends on the attacker's energy budget, the physical system dynamics and the channel properties. Finally, the theoretical results are validated and evaluated through numerical simulations.

Jiahu Qin,Menglin Li,Ling Shi,Xinghuo Yu

DOI: https://doi.org/10.1109/tac.2017.2756259

IF: 6.549

2017-01-01

IEEE Transactions on Automatic Control

Abstract:The recent years have seen a surge of security issues of cyber-physical systems (CPS). In this paper, denial-of-service (DoS) attack scheduling is investigated in depth. Specifically, we consider a system where a remote estimator receives the data packet sent by a sensor over a wireless network at each time instant, and an energy-constrained attacker that cannot launch DoS attacks all the time designs the optimal DoS attack scheduling to maximize the attacking effect on the remote estimation performance. Most of the existing works concerning DoS attacks focus on the ideal scenario in which data packets can be received successfully if there is no DoS attack. To capture the unreliability nature of practical networks, we study the packet-dropping network in which packet dropouts may occur even in the absence of attack. We derive the optimal attack scheduling scheme that maximizes the average expected estimation error, and the one which maximizes the expected terminal estimation error over packet-dropping networks. We also present some countermeasures against DoS attacks, and discuss the optimal defense strategy, and how the optimal attack schedule can serve for more effective and resource-saving countermeasures. We further investigate the optimal attack schedule with multiple sensors. The optimality of the theoretical results is demonstrated by numerical simulations.

Lianghong Peng,Xianghui Cao,Hongbao Shi,Changyin Sun

DOI: https://doi.org/10.1016/j.jfranklin.2018.06.016

IF: 4.246

2018-01-01

Journal of the Franklin Institute

Abstract:In cyber-physical systems (CPS), cyber threats emerge in many ways which can cause significant destruction to the system operation. In wireless CPS, adversaries can block the communications of useful information by channel jamming, incurring the so-called denial of service (DoS) attacks. In this paper, we investigate the problem of optimal jamming attack scheduling against remote state estimation wireless network. Specifically, we consider that two wireless sensors report data to a remote estimator through two wireless communication channels lying in two unoverlapping frequency bands, respectively. Meanwhile, an adversary can select one and only one channel at a time to execute jamming attack. We prove that the optimal attack schedule is continuously launching attack on one channel determined based on the system dynamics matrix. The theoretical results are validated by numerical simulations.

Ruimeng Gan,Yangyang Wang,Zhe Xiao,Heng Zhang,Xin Wang,Ming Yang

DOI: https://doi.org/10.1002/itl2.370

2022-01-01

Internet Technology Letters

Abstract:In this paper, the security issue in cyber-physical system (CPS) is investigated. In order to maximize the attack effect and save the limited energy, the energy efficiency problem is investigated from the perspective of the jammer. This problem is established as a mixed-integer programming problem firstly, and then a necessary condition is presented to explore the optimal energy for a given attack number. Moreover, an energy efficiency optimization (EEO) algorithm is proposed to derive the optimal attack schedule. Lastly, some numerical results are shown to validate the effectiveness of the proposed algorithm.

Junhui Zhang,Jitao Sun

DOI: https://doi.org/10.1016/j.sysconle.2020.104771

IF: 2.742

2020-01-01

Systems & Control Letters

Abstract:In this paper, we consider multiple-attackers schedule problem against remote state estimation in cyber-physical systems (CPSs). Compared with the existing results in which only one type of attacker is considered, we aim to address the case that Denial-of-Service (DoS) attacker and linear deception attacker exist in CPSs simultaneously. With limited resource, the two attackers have to, cooperatively, decide whether to launch or not and which type of attack to inject at each time and further determine optimal schedule over a finite time horizon to degrade the performance of system at the largest. First of all, the evolutions of remotely estimated state and error covariance under an attack schedule are derived. Next, we regard average error and terminal error as performance indexes of systems, respectively, and analyze their intrinsic properties to find out the corresponding optimal attack scheduling schemes. Finally, an example is given to show the effectiveness of our theoretical results.

Dan Ye,Mengyao Mei,Jiang Wei

DOI: https://doi.org/10.1109/tcsii.2021.3122431

2021-01-01

IEEE Transactions on Circuits & Systems II Express Briefs

Abstract:We consider the security problem of remote state estimation in cyber-physical systems. The sensor sends data under round-robin protocol to the remote side while denial-of-service (DoS) attacker could interfere this process. Due to the energy-constrained DoS attack, it needs to decide whether to launch attacks to the wireless channel. In this work, two different cases for multi-sensor running Kalman filter are studied, i.e., sensors have limited or sufficient computational abilities. Furthermore, to capture the unreliability of the communication network, the occurrence of packet loss in the absence of attack is considered. Based on the evolution process of estimation error covariance, we first propose the sufficient condition to guarantee the optimality of the attack allocation strategy which maximally degrades the system performance. Then, the optimal attack sequence is given in a closed-form and shown to be monotonic with respect to time. Finally, a simulation example is given to illustrate the effectiveness of our proposed attack strategy.

Yanan Du,Sai Xu,Shuai Han

DOI: https://doi.org/10.1109/ICC45855.2022.9839018

2022-01-01

Abstract:To have a good understanding of attackers' behaviour and seek effective defensive measures, an optimal strategy of false data injection (FDI) and denial-of-service (DoS) attacks is proposed to intrude sensors and transmission channels of cyber-physical systems (CPSs) from the perspective of an attacker. Specifically, all sensors of CPSs make measurements of the state and send them to a fusion center for state estimation. Intruders attempt to modify the measurements and block innovations' transmission by respectively launching FDI and DoS attacks to maliciously degrade the system estimation performance. A cost function is introduced to quantify the estimation performance. In order to maximize the cost function, it is important for the attacker to decide which sensors and transmission channels to intrude due to energy constraint. A convex optimization problem is formed, by solving which the optimal attack strategy is obtained. Simulations demonstrate the optimality of our proposed attack strategy.

Huanhuan Yuan,Yuanqing Xia,Hongjiu Yang

DOI: https://doi.org/10.1109/tsmc.2020.2964586

2021-01-01

IEEE Transactions on Systems Man and Cybernetics Systems

Abstract:This article considers a cyber-physical system with multiple remote state estimation subsystems under denial-of-service (DoS) attack. Suppose that there are multiple distributed estimation systems, in each of which, a sensor monitors the system and sends its local estimation to a remote estimator over one of multiple wireless channels. A DoS attacker emits noise power to jam the wireless channels. A scheduler is installed to dispatch each sensor to transmit information through the specific channel to minimize the total estimation error covariance on account of energy-saving. Whereas, the DoS attacker attempts to jam a channel to realize an opposite objective. With considering interference from other individuals, a multisensor multichannel remote state estimation model is constructed. A myopic policy and a long-term online interaction strategy under varying network environment are investigated and compared by solving a two-player zero-sum game and a Markov game, respectively. Simulations are provided to demonstrate our results.

Cong Zhang,Jie Wang,Qingchen Liu,Weiming Fu,Wei Xing Zheng

DOI: https://doi.org/10.1016/j.jfranklin.2023.07.012

IF: 4.246

2023-01-01

Journal of the Franklin Institute

Abstract:In this paper, we focus on the optimal power control for the sensors and attackers in a remote state estimation process, which guarantees the achievement of the estimation task under the denial-of-service (DoS) attack. In the remote estimation process under the DoS attack, each sensor observes the target state and transmits its local estimates to the remote estimator via a wireless network, communications in which are disrupted by jamming signals. For the wireless network, while most of the existing works on the resilient remote state estimation consider time-invariant channel state information (CSI) model, we pay attention to the fading channel network, in which the channel state is fixed and the channel model can be characterized by a generalized finite-state Markov chain. We model the conflicting nature among the sensor and the attacker as a general-sum stochastic game, proposing a Nash Q-learning algorithm to find the optimal power control strategies for the two players. Moreover, the monotone structure of these strategies is constructed with a sufficient condition. Taking into account the practical applications, we also consider the case where the sensor and the attacker only know partial information of each other and employ the Bayesian game to model it. Based on the channel information of each player and its believes of the channel distribution of the opponent, the type-contingent energy strategies are obtained. Finally, simulation results are given to verify our results.

Kemi Ding,Yuzhe Li,Daniel E. Quevedo,Subhrakanti Dey,Ling Shi

DOI: https://doi.org/10.1016/j.automatica.2016.12.020

IF: 6.4

2017-04-01

Automatica

Abstract:This paper considers a cyber-physical system (CPS) under denial-of-service (DoS) attacks. The measurements of a sensor are transmitted to a remote estimator over a multi-channel network, which may be congested by a malicious attacker. Among these multiple communication paths with different characteristics and properties at each time step, the sensor needs to choose a single channel for sending data packets while reducing the probability of being attacked. In the meanwhile, the attacker needs to decide the target channel to jam under an energy budget constraint. To model this interactive decision-making process between the two sides, we formulate a two-player zero-sum stochastic game framework. A Nash Q-learning algorithm is proposed to tackle the computation complexity when solving the optimal strategies for both players. Numerical examples are provided to illustrate the obtained results.

Jiahu Qin,Menglin Li,Jie Wang,Ling Shi,Yu Kang,Wei Xing Zheng

DOI: https://doi.org/10.1016/j.automatica.2020.109090

IF: 6.4

2020-01-01

Automatica

Abstract:We consider a scenario in which a DoS attacker with the limited power resource and the purpose of degrading the system performance, jams a wireless network through which the packet from a sensor is sent to a remote estimator. To degrade the estimation quality most effectively with a given energy budget, the attacker aims to solve the problem of how much power to obstruct the channel each time, which is the recently proposed optimal attack energy management problem. The existing works are built on an ideal network model in which the packet dropout never occurs when the attack is absent. To encompass wireless transmission losses, we introduce the signal-to-interference-plus-noise ratio-based network. First we focus on the case when the attacker employs the constant power level. To maximize the expected terminal estimation error at the remote estimator, we provide some more relaxed sufficient conditions compared with the existing work for the existence of an explicit solution to the optimal static attack energy management problem and the solution is constructed. For the other important index of system performance, the average expected estimation error, the associated sufficient conditions are also derived based on a different analysis approach with the existing work. And a feasible method is presented for both indexes to seek the optimal constant attack power level when the system fails to meet the proposed sufficient conditions. Then when the real-time ACK information can be acquired, a Markov decision process (MDP) based algorithm is designed to solve the optimal dynamic attack energy management problem. We further study the optimal tradeoff between attack energy and system degradation. Specifically, by moving the energy constraint into the objective function to maximize the system index and minimize the energy consumption simultaneously, the other MDP based algorithm is proposed to find the optimal dynamic attack power policy which is further shown to have a monotone structure. The theoretical results are illustrated by simulations.