Published in: The Society of Instrument and Control Engineers (SICE) 2019
DOI: 10.23919/SICE.2019.8859930
Authors: Jihan Kim and Hyungbo Shim
Abstract: The zero-dynamics attack is well-known for its lethality and stealthiness.
This infamous attack has usually been studied as a type of actuator attack. In this paper, however, we focus on the zero-dynamics attack having a form of a sensor attack. In particular, when the system monitors abnormal behavior of the plant using the anomaly detector, an undetectable sensor attack can be generated, which deceives the anomaly detector. It is noticed that this sensor attack is not so effective when the plant is stable even if the attack is still undetectable. In view of this point, we propose to reexamine the so-called “generalized hold” as a countermeasure against the undetectable sensor attack. Specifically, using the fact that the output feedback composed of the “generalized hold” can stabilize the unstable systems by selecting an appropriate hold function, we show that the plant can be safe from the undetectable sensor attack.

This post only sketches the main ideas of the paper. For more technical details, refer to the paper.

What is Zero-dynamics sensor attack?

A classical method to reveal (or detect) malicious sensor attacks is to equip the control system with the anomaly detector, which assesses whether the attack exists or not by checking a residual signal that is defined as the difference of the measured output and the estimated output.
When the size of the residual becomes larger than a predefined threshold (usually, the threshold is set to be a reasonable value so that it does not respond to the sensor noise), it raises the alarm.
These anomaly detectors can easily detect simple sensor faults or attacks. Unfortunately, however, there exists a sensor attack that is stealthy to the anomaly detector. This is the case when attackers have full model knowledge and they have full accessibility to the sensor network so that it is possible to inject the zero-dynamics attack through the sensor network. We call this zero-dynamics sensor attack. In what follows, we show how the zero-dynamics sensor attack can be constructed in the sampled-data system framework.

Overall sampled-data system under consideration

Consider a sampled-data system controlled by a digital controller consisting of state feedback, state estimator, and anomaly detector. Those are given by the followings:

Sampled-data system compromised by the sensor attack

where $T_s$ is the sampling period of the digital devices, and $(A, B, C)$ is continuous-time system, and $A_{\mathsf d}:=e^{A T_s}, B_{\mathsf d}: = \int_{0}^{T_s}e^{A(T_s-\tau)}Bd\tau, C_{\mathsf d}:=C$ .

Digital controller with the observer, state feedback, and anomaly detector

where the gains $L, K$ are assumed to guarantee the stability of $A_{\mathsf d}+B_{\mathsf d}K, A_{\mathsf d}-LC_{\mathsf d}$ , respectively.

From now on, we construct a zero-dynamics sensor attack on the above system. The first thing to do is to find the target system whose input and output are the attack signal $a_k$ and the residual signal $r_k$ , respectively. With an error variable $e:=\hat x- x$ , the target system is given by

By simply designing the zero-dynamics attack to the target system, the attacker can construct an undetectable sensor attack, which can be written as

where $A_{\mathsf d}$ is the zero-dynamics of the target system.

Note from the attacker’s dynamics that the attack signal $a_k$ is effective only when the system matrix $A_{\mathsf d}$ is unstable.

How can the zero-dynamics sensor attack be defended?

The zero-dynamics sensor attack is powerful, because it is impossible to detect, and it makes the system states go to the unsafe region when the sampled-data system is unstable. Indeed, since a lot of physical plants include unstable mode, many of the sampled-data systems are vulnerable to such sensor attack.

In this work, noting the fact that whether the attack is effective or not depends on the stability of the sampled-data system, we focus on to incapacitate the attack itself by stabilizing the sampled-data system rather than detecting the attack directly. To realize this idea, we propose to add the generalized hold feedback loop as the following block diagram.

Sampled-data control system with the generalized hold feedback loop

Actually, it is well-known that by choosing the generalized hold function appropriately, the poles of the sampled-data system can be moved into arbitrary locations. Hence, adopting this fact, we would like to move the poles of the sampled-data system inside the unit circle to neutralize the zero-dynamics sensor attack.

The generalized hold is a signal holding device that converts a discrete-time signal $v_k$ into a continuous one $v(t)$ by multiplying a predetermined function $f_g(t)$ defined on $[0,T_s)$ .
i.e., $$v(t) = f_g(t-kT_s)v_k, kT_s\le t < (k+1)T_s.$$

Then, with the generalized hold function $f_g(t)$ , the continuous-time input becomes $$u(kT_s +t) = u_k +f_g(t)y_k, 0\le t < T_s,$$
and then, the overall sampled-data system is altered as

where $F_g=\int_{0}^{T_s}e^{A(T_s-\tau)}Bf_g(\tau)d\tau$ . It is noted that the poles of $A_{\mathsf d}+F_gC_{\mathsf d}$ can be assigned to desired locations with appropriate $F_g$ since $(A_{\mathsf d}, C_{\mathsf d})$ is observable.

When the desired $F_g$ is given, there are two ways to find generalized hold function $f_g(t)$ .

Find a continuous $f_g(t)$ :
$$f_g(t) = B^\top e^{A^\top(T_s-t)}W_c^{-1}F_g,$$
where $W_c$ is the controllability Gramian
Find a piecewise constant $f_g(t)$ :
Consider a piecewise constant $f_g(t)$ with $N$ subintervals, i.e.,
$$f_g(t)=f_i, \frac{(i-1)T_s}{N}\le t < \frac{iT_s}{N}, i=1,\dots,N.$$
Then, it follows that
$$F_g = \sum_{l=0}^{N}f_l\int_{\frac{(l-1)T_s)}{N}}^{\frac{lT_s}{N}}e^{A(T_s-\tau)}Bd\tau,$$
which can be rewritten as
$$F_g=\begin{bmatrix}A_{\mathsf d,N}^{N-1}B_{\mathsf d,N}&\cdots&A_{\mathsf d,N}B_{\mathsf d,N}&B_{\mathsf d,N} \end{bmatrix}f,$$
where $f:=[f_1,\cdots,f_N]^\top, A_{\mathsf d,N}:=e^{AT_s/N}, B_{\mathsf d,N}:=\int_{0}^{T_s/N}e^{A(T_s/N-\tau)}Bd\tau$ .
Hence, $$f= \begin{bmatrix}A_{\mathsf d,N}^{N-1}B_{\mathsf d,N}&\cdots&A_{\mathsf d,N}B_{\mathsf d,N}&B_{\mathsf d,N} \end{bmatrix}^\dagger F_g.$$

Suppose we have moved the discrete-time poles of the sampled-data system into the stable region by using one of the above methods. Then, there may be two different attackers. The first attacker does not notice the supplemented generalized hold loop so that he/she may inject the same attack that of the original one. In that case, since the zero dynamics of the target system is shifted from $A_{\mathsf d}$ to $A_{\mathsf d}+F_gC_{\mathsf d}$ , the injected attack is not stealthy anymore. On the other hand, the second attacker clever enough to knows the existence of the added generalized hold so that he/she can reconstruct the attack signal using the altered zero-dynamics (i.e., $A_{\mathsf d}+F_gC_{\mathsf d}$ ). But even if he/she does that, $A_{\mathsf d}+F_gC_{\mathsf d}$ is stable so the attack signal is nothing but the vanishing perturbation, which is not very harmful to the system.

Further Discussions

Shifting the discrete-time poles of the system by employing the generalized hold function may cause an undesirable distortion in the inter-sample behavior of the sampled-data system. This is because for changing poles of the system, a large hold gain may be required. Hence, in order to attenuate such a drawback, we are going to design the generalized hold gain in an optimal way to minimize the fluctuation of the inter-sample behavior.

A Countermeasure against Zero-dynamics sensor attack via Generalized hold feedback

What is Zero-dynamics sensor attack?

How can the zero-dynamics sensor attack be defended?

Further Discussions