Robustness of attack-resilient state estimators

2014 IEEE/RSJ International Conference on Intelligent Robots and Systems, 2014

In this paper we present a methodology to control ground robots under malicious attack on sensors. Within the term attack we intend any malicious disturbance injection on sensors, actuators, and controller that would compromise the safety of a robot. In order to guarantee resilience against attacks, we use a control-level technique implemented within a recursive algorithm that takes advantage of redundancy in the information received by the controller. We use the case study of a vehicle cruise-control, however, the strategy we present in this work is general for several applications. Our methodology relays on redundancy in the sensor measurements: specifically we consider N velocity measurements and use a recursive filtering technique that estimates the state of the system while being resilient against sensor attacks by acting on the variance of the measurements noise. Finally, we move our focus on hardware validation demonstrating our algorithm through extensive outdoor experiments conducted on two unmanned ground robots.

IEEE Transactions on Control of Network Systems

Several recent incidents have clearly illustrated the susceptibility of cyber-physical systems (CPS) to attacks, raising attention to security challenges in these systems. The tight interaction between information technology and the physical world has introduced new vulnerabilities that cannot be addressed with the use of standard cryptographic security techniques. Accordingly, the problem of state estimation in the presence of sensor and actuator attacks has attracted significant attention in the past. Unlike the existing work, in this paper we consider the problem of attack-resilient state estimation in the presence of bounded-size noise. We focus on the most general model for sensor attacks where any signal can be injected via compromised sensors. Specifically, we present an l0-based state estimator that can be formulated as a mixed-integer linear program and its convex relaxation based on the l1 norm. For both attack-resilient state estimators, we derive rigorous analytic bounds on the stateestimation errors caused by the presence of noise. Our analysis shows that the worst-case error is linear with the size of the noise, and thus the attacker cannot exploit the noise to introduce unbounded state-estimation errors. Finally, we show how the l0 and l1-based attack-resilient state estimators can be used for sound attack detection and identification; we provide conditions on the size of attack vectors that ensure correct identification of compromised sensors.

European Journal of Control, 2019

In the present paper, a model-based fault/attack tolerant scheme is proposed to cope with cyberthreats on Cyber-Physicals Systems. A common scheme based on observers is designed and a state feedback control based on an aperiodic event-triggered framework is given with control synthesis and condition on the switching time. Classical fault tolerant control with Bi-linear Matrix Inequality (BMI) approaches are used to achieve novel and better security strategy based on an event-triggered control implementation. The purpose of using the event-based implementation would be to reduce (limit) the total number of transmissions to only instances when the networked control system (NCS) needs attention. Simulation results on a real-time laboratory three tank system are given to show the attack-tolerant control ability despite data deception attacks on both actuators and sensors. A detection/isolation scheme based on residual observers bank is also proposed.

IEEE Control Systems, 2017

R ecent years have witnessed a significant increase in the number of securityrelated incidents in control systems. These include high-profile attacks in a wide range of application domains, from attacks on critical infrastructure, as in the case of the Maroochy Water breach [1], and industrial systems (such as the StuxNet virus attack on an industrial supervisory control and data acquisition system [2], [3] and the German Steel Mill cyberattack [4], [5]), to attacks on modern vehicles [6]-[8]. Even high-assurance military systems were shown to be vulnerable to attacks, as illustrated in the highly publicized downing of the RQ-170 Sentinel U.S. drone [9]-[11]. These incidents have greatly raised awareness of the need for security in cyberphysical systems (CPSs), which feature tight coupling of computation and

HiCoNS'12 - Proceedings of the 1st ACM International Conference on High Confidence Networked Systems, 2012

Cyber-secure networked control is modeled, analyzed, and experimentally illustrated in this paper. An attack space defined by the adversary's system knowledge, disclosure, and disruption resources is introduced. Adversaries constrained by these resources are modeled for a networked control system architecture. It is shown that attack scenarios corresponding to replay, zero dynamics, and bias injection attacks can be analyzed using this framework. An experimental setup based on a quadruple-tank process controlled over a wireless network is used to illustrate the attack scenarios, their consequences, and potential counter-measures.

2015 54th IEEE Conference on Decision and Control (CDC), 2015

We consider the problem of attack-resilient state estimation in the presence of noise. We focus on the most general model for sensor attacks where any signal can be injected via the compromised sensors. An l0-based state estimator that can be formulated as a mixed-integer linear program and its convex relaxation based on the l1 norm are presented. For both l0 and l1-based state estimators, we derive rigorous analytic bounds on the state-estimation errors. We show that the worst-case error is linear with the size of the noise, meaning that the attacker cannot exploit noise and modeling errors to introduce unbounded state-estimation errors. Finally, we show how the presented attack-resilient state estimators can be used for sound attack detection and identification, and provide conditions on the size of attack vectors that will ensure correct identification of compromised sensors. This material is based on research sponsored by DARPA under agreement number FA8750-12-2-0247. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.

AIAA Scitech 2019 Forum

The goal of this thesis is to develop a defense methodology for a cyber-physical system (CPS) by which an attempted stealthy cyber-attack is detected in near real time. Improvements in networked communication have enabled vast and complex dynamic control systems to exploit networked control schemes to seamlessly integrate parts and processes. These cyber-physical systems exhibit a level of flexibility that was previously unavailable but also introduce communication channels that are vulnerable to outside interference and malicious intervention. This thesis considers the effects of a type of stealthy attack on a class of CPS that can be modeled as linear time-invariant systems. The effects of this attack are studied from both the perspective of the attacker as well as the defender. A previously developed method for conducting stealthy attacks is introduced and analyzed. This method consists of injecting malicious actuation signals into the control input of a CPS and then designing a sensor attack to conceal the effect of the actuator attack. The result is an attack that cannot be detected upon inspection of the Kalman filter residual. Successful implementation of this attack is shown to require the attacker to attain perfect model knowledge in order for the attack to be stealthy. Based on the execution of past attacks on CPS, this thesis proposes an attacker who starts their attack by "fishing" for critical and confidential system information such as the model parameters. A method is then proposed in which the defender attempts to feed the attacker a slightly falsified model, baiting the fishing attacker with data that will make an attack detectable. Because the attacker's model is no longer correct, their attack design will induce a mean-shift in the Kalman filter residual, breaking the stealthiness of the original attack formula. It is then shown that the defender can not only detect this faulty attack, but use observations of the Kalman filter residual to regain more accurate state estimates, mitigating the effect of the attack.

Automatica, 2021

Network-based attacks on control systems may alter sensor data delivered to the controller, effectively causing degradation in control performance. As a result, having access to accurate state estimates, even in the presence of attacks on sensor measurements, is of critical importance. In this paper, we analyze performance of resilient state estimators (RSEs) when any subset of sensors may be compromised by a stealthy attacker. Specifically, we consider systems with the well-known l0-based RSE and two commonly used sound intrusion detectors (IDs). For linear time-invariant plants with bounded noise, we define the notion of perfect attackability (PA) when attacks may result in unbounded estimation errors while remaining undetected by the employed ID (i.e., stealthy). We derive necessary and sufficient PA conditions, showing that a system can be perfectly attackable even if the plant is stable. While PA can be prevented with the use the standard cryptographic mechanisms (e.g., message authentication) that ensure data integrity under network-based attacks, their continuous use imposes significant communication and computational overhead. Consequently, we also study the impact that even intermittent use of data authentication has on RSE performance guarantees in the presence of stealthy attacks. We show that if messages from some of the sensors are even intermittently authenticated, stealthy attacks could not result in unbounded state estimation errors.

Lecture Notes in Computer Science, 2013

This paper presents design and simulation of a low cost and low false alarm rate method for improved cyber-state awareness of critical control systems-the Known Secure Sensor Measurements (KSSM) method. The KSSM concept relies on physical measurements to detect malicious falsification of the control systems state. The KSSM method can be incrementally integrated with already installed control systems for enhanced resilience. This paper reviews the previously developed theoretical KSSM concept and then describes a simulation of the KSSM system. A simulated control system network is integrated with the KSSM components. The effectiveness of detection of various intrusion scenarios is demonstrated on several control system network topologies.

ArXiv, 2018

Research evidence in Cyber-Physical Systems (CPS) shows that the introduced tight coupling of information technology with physical sensing and actuation leads to more vulnerability and security weaknesses. But, the traditional security protection mechanisms of CPS focus on data encryption while neglecting the sensors which are vulnerable to attacks in the physical domain. Accordingly, researchers attach utmost importance to the problem of state estimation in the presence of sensor attacks. In this work, we present SecSens, a novel approach for secure nonlinear state estimation in the presence of modeling and measurement noise. SecSens consists of two independent algorithms, namely, SecEKF and SecOPT, which are based on Extended Kalman Filter and Maximum Likelihood Estimation, respectively. We adopt a holistic approach to introduce security awareness among state estimation algorithms without requiring specialized hardware, or cryptographic techniques. We apply SecSens to securely loc...