- Published in: The Society of Instrument and Control Engineers (SICE) 2019
- DOI: 10.23919/SICE.2019.8859930
- Authors: Jihan Kim and Hyungbo Shim
- Abstract: The zero-dynamics attack is well-known for its lethality and stealthiness.
This infamous attack has usually been studied as a type of actuator attack. In this paper, however, we focus on the zero-dynamics attack having a form of a sensor attack. In particular, when the system monitors abnormal behavior of the plant using the anomaly detector, an undetectable sensor attack can be generated, which deceives the anomaly detector. It is noticed that this sensor attack is not so effective when the plant is stable even if the attack is still undetectable. In view of this point, we propose to reexamine the so-called “generalized hold” as a countermeasure against the undetectable sensor attack. Specifically, using the fact that the output feedback composed of the “generalized hold” can stabilize the unstable systems by selecting an appropriate hold function, we show that the plant can be safe from the undetectable sensor attack.
This post only
What is a zero-dynamics sensor attack?
A classical method to reveal (or detect) malicious sensor attacks is to equip the control system with an anomaly detector, which assesses whether an attack exists by checking a residual signal, defined as the difference between the measured output and the estimated output.
When the size of the residual becomes larger than a predefined threshold (usually, the threshold is set to be a reasonable value so that it does not respond to the sensor noise), it raises the alarm.
These anomaly detectors can easily detect simple sensor faults or attacks. Unfortunately, however, there exists a sensor attack that is stealthy to the anomaly detector. This is the case when attackers have full model knowledge and full access to the sensor network, so that it is possible to inject the zero-dynamics attack through the sensor network. We call this the zero-dynamics sensor attack. In what follows, we show how the zero-dynamics sensor attack can be constructed in the sampled-data system framework.
Consider a sampled-data system controlled by a digital controller consisting of state feedback, a state estimator, and an anomaly detector. These are given by the following:
where is the sampling period of the digital devices, and is continuous-time system, and .
where the gains are assumed to guarantee the stability of , respectively.
From now on, we construct a zero-dynamics sensor attack on the above system. The first thing to do is to find the target system whose input and output are the attack signal and the residual signal , respectively. With an error variable , the target system is given by
By simply designing the zero-dynamics attack to the target system, the attacker can construct an undetectable sensor attack, which can be written as
where is the zero-dynamics of the target system.
Note from the attacker’s dynamics that the attack signal is effective only when the system matrix is unstable.
How can the zero-dynamics sensor attack be defended?
The zero-dynamics sensor attack is powerful because it is impossible to detect, and it drives the system states into the unsafe region when the sampled-data system is unstable. Indeed, since a lot of physical plants include unstable modes, many sampled-data systems are vulnerable to such a sensor attack.
In this work, noting that whether the attack is effective or not depends on the stability of the sampled-data system, we focus on incapacitating the attack itself by stabilizing the sampled-data system rather than detecting the attack directly. To realize this idea, we propose to add the generalized hold feedback loop as in the following block diagram.
Actually, it is well-known that by choosing the generalized hold function appropriately, the poles of the sampled-data system can be moved into arbitrary locations. Hence, adopting this fact, we would like to move the poles of the sampled-data system inside the unit circle to neutralize the zero-dynamics sensor attack.
The generalized hold is a signal holding device that converts a discrete-time signal into a continuous one by multiplying it by a predetermined function defined on .
i.e., $$v(t) = f_g(t-kT_s)v_k, kT_s\le t < (k+1)T_s.$$
Then, with the generalized hold function , the continuous-time input becomes $$u(kT_s +t) = u_k +f_g(t)y_k, 0\le t < T_s,$$
and then, the overall sampled-data system is altered as
where . It is noted that the poles of can be assigned to desired locations with appropriate since is observable.
When the desired is given, there are two ways to find the generalized hold function .
- Find a continuous :
$$f_g(t) = B^\top e^{A^\top(T_s-t)}W_c^{-1}F_g,$$
where is the controllability Gramian.
- Find a piecewise constant :
Consider a piecewise constant with subintervals, i.e.,
$$f_g(t)=f_i, \frac{(i-1)T_s}{N}\le t < \frac{iT_s}{N}, i=1,\dots,N.$$
Then, it follows that
$$F_g = \sum_{l=1}^{N}f_l\int_{\frac{(l-1)T_s}{N}}^{\frac{lT_s}{N}}e^{A(T_s-\tau)}Bd\tau,$$
which can be rewritten as
$$F_g=\begin{bmatrix}A_{\mathsf d,N}^{N-1}B_{\mathsf d,N}&\cdots&A_{\mathsf d,N}B_{\mathsf d,N}&B_{\mathsf d,N} \end{bmatrix}f,$$
where .
Hence, $$f= \begin{bmatrix}A_{\mathsf d,N}^{N-1}B_{\mathsf d,N}&\cdots&A_{\mathsf d,N}B_{\mathsf d,N}&B_{\mathsf d,N} \end{bmatrix}^\dagger F_g.$$
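The piecewise-constant design above, carried through numerically as an added example (not code from the paper or its authors). The plant, $T_s = 0.5$, $N = 4$ and the target poles are constructed for illustration, and the closed-loop matrix is taken to be $A_{\mathsf d} + F_g C$, which is what sampling the input $u_k + f_g(t)y_k$ gives for $y_k = Cx_k$.

```python
import math

# Constructed example plant (not from the paper): x' = A x + B u, y = C x with
# A = [[0, 1], [1, 0]], B = [0, 1]^T, C = [1, 0]; continuous poles at +1 and -1.
# For this A, e^{At} = [[cosh t, sinh t], [sinh t, cosh t]] in closed form.
TS, N = 0.5, 4          # sampling period T_s and number of hold subintervals
POLES = (0.5, 0.6)      # desired discrete-time poles of A_d + F_g C (assumed form)

def design_hold(ts=TS, n=N, poles=POLES):
    """Return the target F_g, the hold values f_1..f_N and the columns of M."""
    ch, sh = math.cosh(ts), math.sinh(ts)
    # Pole placement for A_d + F_g C with F_g = [g1, g2]^T: match trace and determinant.
    g1 = poles[0] + poles[1] - 2 * ch
    g2 = (1 + g1 * ch - poles[0] * poles[1]) / sh
    # Column l of M is A_{d,N}^{N-l} B_{d,N}, written in closed form for this plant.
    h = ts / n
    cols = []
    for l in range(1, n + 1):
        s = (n - l) * h
        cols.append((math.cosh(s + h) - math.cosh(s),
                     math.sinh(s + h) - math.sinh(s)))
    # Minimum-norm solution f = M^T (M M^T)^{-1} F_g, i.e. the pseudo-inverse
    # of a full-row-rank M applied to F_g.
    a = sum(c[0] * c[0] for c in cols)
    b = sum(c[0] * c[1] for c in cols)
    d = sum(c[1] * c[1] for c in cols)
    det = a * d - b * b
    w1 = (d * g1 - b * g2) / det
    w2 = (a * g2 - b * g1) / det
    f = [c[0] * w1 + c[1] * w2 for c in cols]
    return (g1, g2), f, cols

def closed_loop_poles(ts=TS, n=N, poles=POLES):
    """Rebuild F_g from the hold values alone and return eig(A_d + F_g C)."""
    _, f, cols = design_hold(ts, n, poles)
    g1 = sum(c[0] * fl for c, fl in zip(cols, f))
    g2 = sum(c[1] * fl for c, fl in zip(cols, f))
    ch, sh = math.cosh(ts), math.sinh(ts)
    tr = 2 * ch + g1                           # trace of A_d + F_g C
    dt = (ch + g1) * ch - sh * (sh + g2)       # determinant of A_d + F_g C
    disc = math.sqrt(tr * tr - 4 * dt)
    return sorted(((tr - disc) / 2, (tr + disc) / 2))

if __name__ == "__main__":
    print("open-loop discrete poles:", math.exp(-TS), math.exp(TS))
    print("hold values f_1..f_N:", design_hold()[1])
    print("closed-loop poles:", closed_loop_poles())
```

The open-loop sampled plant has a pole at $e^{T_s} > 1$; the poles recomputed from the hold values alone lie inside the unit circle, which is the condition the text relies on to make the attack a vanishing perturbation.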
Suppose we have moved the discrete-time poles of the sampled-data system into the stable region by using one of the above methods. Then, there may be two different attackers. The first attacker does not notice the supplemented generalized hold loop, so he/she may inject the same attack as the original one. In that case, since the zero dynamics of the target system is shifted from to , the injected attack is not stealthy anymore. On the other hand, the second attacker is clever enough to know of the existence of the added generalized hold, so he/she can reconstruct the attack signal using the altered zero-dynamics (i.e., ). But even if he/she does that, is stable, so the attack signal is nothing but a vanishing perturbation, which is not very harmful to the system.
Further Discussions
Shifting the discrete-time poles of the system by employing the generalized hold function may cause an undesirable distortion in the inter-sample behavior of the sampled-data system. This is because for changing poles of the system, a large hold gain may be required. Hence, in order to attenuate such a drawback, we are going to design the generalized hold gain in an optimal way to minimize the fluctuation of the inter-sample behavior.