• Published in: NecSys 2018
• Authors: Jiyeon Nam, Gyunghoon Park*, Taekyoo Kim, and Hyungbo Shim
• Abstract: In this paper, we address the problem of finding the moment at which an attack to a cyber-physical system initiates, which we call the “moment of attack.” The proposed algorithm is not a real-time method, but the search is performed a posteriori. Nevertheless, the problem becomes of particular interest for forensic evidence, or for high-cost manufacturing processes. In fact, when a production system is attacked, the manufactured output before the attack does not have to be discarded if exact time of the attack is found. To tackle the problem for “temporarily stealthy” sensor attack of polynomial types (with which the conventional real-time anomaly detectors hardly estimate the moment of attack), we propose a batch-type detection algorithm for the moment of attack via the back-and-forth observer approach.

Our work is about the detection of the moment of attack on cyber-physical systems.

In some cases, the detection time is delayed from the moment of attack.

When we recognize an attack, we want to save the clean product made before the attack instead of throwing all of it away, especially in the case of an expensive process like the production of gold bars. Therefore, we want to know the moment of attack.

We consider a stable and observable LTI SISO system under sensor attack. The system below is in observable canonical form.

$$\dot{x}(\tau) = Ax(\tau) + b u(\tau)$$

$$y(\tau) = Cx(\tau) + a(\tau)$$

The sensor attack has a polynomial-in-time form and is initiated at $$\tau^a,$$ the moment of attack, as follows.

If $$\tau \geq \tau^a$$,

$$a(\tau) = a_0 + a_1 (\tau-\tau^a) + \cdots + \frac{a_m}{m!} (\tau-\tau^a)^m,$$

else,

$$a(\tau) = 0.$$

Our goal is to detect the moment of attack a posteriori.

The conventional approach to attack detection is an anomaly detector based on the Luenberger observer. When a ramp attack initiated at 10 sec is injected into the sensor, the conventional anomaly detector can hardly detect the moment of attack.
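The delay described above can be reproduced with a small simulation, given here as an added example that is not code from the paper. The second-order plant, observer gain, ramp slope, constant input and alarm threshold are all assumed values; only the ramp form and the 10 sec start come from the text.

```python
# Added example: conventional Luenberger residual detector under a ramp sensor attack.
# Plant, gain, slope, input and threshold are assumed values for illustration.

A = [[-3.0, 1.0], [-2.0, 0.0]]   # observable canonical form, poles at -1 and -2
B = [0.0, 1.0]
L_GAIN = [6.0, 18.0]             # places the observer poles at -4 and -5
TAU_A = 10.0                     # moment of attack (s), as in the ramp example
SLOPE = 0.05                     # ramp coefficient a_1 (assumed)
THRESHOLD = 0.1                  # alarm level, assumed to sit above sensor noise
DT, HORIZON = 1e-3, 40.0         # Euler step and simulated time span (s)


def attack(tau):
    """Ramp attack: zero before TAU_A, a_1 * (tau - TAU_A) afterwards."""
    return SLOPE * (tau - TAU_A) if tau >= TAU_A else 0.0


def step(x, u, inj=(0.0, 0.0)):
    """One forward-Euler step of x' = A x + b u + inj."""
    dx0 = A[0][0] * x[0] + A[0][1] * x[1] + B[0] * u + inj[0]
    dx1 = A[1][0] * x[0] + A[1][1] * x[1] + B[1] * u + inj[1]
    return [x[0] + DT * dx0, x[1] + DT * dx1]


def first_alarm_time():
    """Return the first time |y - C x_hat| exceeds THRESHOLD, or None."""
    x, xh = [0.0, 0.0], [0.0, 0.0]      # plant state and observer state
    for k in range(int(HORIZON / DT)):
        tau = k * DT
        u = 1.0                          # constant input (assumed)
        y = x[0] + attack(tau)           # C = [1, 0]; corrupted measurement
        r = y - xh[0]                    # residual of the Luenberger observer
        if abs(r) > THRESHOLD:
            return tau
        x = step(x, u)
        xh = step(xh, u, (L_GAIN[0] * r, L_GAIN[1] * r))
    return None


if __name__ == "__main__":
    t = first_alarm_time()
    print(f"attack starts at {TAU_A:.2f} s, alarm raised at {t:.2f} s")
```

The ramp starts from zero, so the residual is continuous at $$\tau^a$$ and the observer partly absorbs the slow drift; the alarm time marks when the residual finally crosses the threshold, not when the attack began.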

So, this is our idea for improvement. First, we use virtual corrupted state information rather than just the output. Second, we utilize the non-smoothness in the attacked output signal.

We introduce a new variable $$\xi$$ in which this non-smoothness is clearly observed. The variable $$\xi$$ undergoes a jump of size $$\Delta(\tau^a)$$ at $$\tau^a$$. In addition, the $$\xi$$ dynamics change from $$\tau^a$$ on: a disturbance term appears.

The black line is the $$\xi$$ state trajectory and the pink line is the estimate of $$\xi$$. The variable $$\xi$$ jumps at $$\tau^a$$, so we want to estimate $$\xi(\tau)$$ to find $$\tau^a.$$ However, the pink continuous estimator cannot follow the jump immediately, as in the figure below.

So we introduce the back-and-forth observer. The back-and-forth observer is an iterative observer that uses the stored information $$u(\tau)$$ and $$y(\tau)$$ from $$0$$ to $$\Omega.$$ Starting from an arbitrary initial condition, the pink line $$\hat{\xi}$$ estimates $$\xi.$$ Its final condition becomes the initial condition of the green line, the backward estimation. This procedure is repeated.

As in the left figure above, the forward estimation and the backward estimation differ around $$\tau^a.$$ So if we estimate the difference well, we can find $$\tau^a.$$ After some iterations, before $$\tau^a$$ in the right figure above, the transient estimation error has diminished, so the estimation error without attack has converged well, as the red and blue lines show. However, after $$\tau^a,$$ because of the presence of the attack, the red $$\hat{\xi}_f$$ and the blue $$\hat{\xi}_b$$ cannot estimate $$\xi$$ well.

For more accurate estimation after $$\tau^a$$, we introduce the high-gain observer to suppress the disturbance in the $$\xi$$ dynamics. Because of the high-gain approach, the dark red forward estimation and the dark blue backward estimation in the figure below become much closer to the $$\xi$$ trajectory after $$\tau^a.$$

Therefore, we propose a temporal residual.

$$r(t;k) := \| \Lambda_\epsilon (\hat{\xi}_f - \hat{\xi}_b) \|$$

$$\Lambda_\epsilon := {\rm diag} \{1/\epsilon^{n-1}, \cdots, 1/\epsilon^0\}$$

With the back-and-forth observer and the high-gain observer in place, this residual is the scaled difference between the forward estimation and the backward estimation. At $$\tau^a$$, the difference between the forward and backward estimations is big because of the jump of $$\xi.$$ It is also scaled by $$\Lambda_\epsilon,$$ so it becomes even bigger.

This is our main result. With a sufficiently large iteration $$k$$ and a sufficiently small high-gain parameter $$\epsilon,$$ the proposed algorithm detects the moment of attack with a given accuracy. Moreover, as the iteration $$k$$ goes to infinity and the high-gain parameter $$\epsilon$$ goes to zero, more accurate information about $$\tau^a$$ is obtained.

Now we turn to the simulation result under noise. The conventional anomaly detector cannot detect $$\tau^a$$ because its small peak is covered by noise. However, our residual shows a loud and clear peak at $$\tau^a$$ even though there is noise.