Portal de Periódicos da CAPES

Sensor attack detection for cyber‐physical systems based on frequency domain partition

2020; Institution of Engineering and Technology; Volume: 14; Issue: 11 Linguagem: Inglês

10.1049/iet-cta.2019.1140

1751-8652

Caoyuan Gu, Jun‐Wei Zhu, Wen‐An Zhang, Li Yu,

Physical Unclonable Functions (PUFs) and Hardware Security

IET Control Theory & ApplicationsVolume 14, Issue 11 p. 1452-1466 Research ArticleFree Access Sensor attack detection for cyber-physical systems based on frequency domain partition Cao-Yuan Gu, College of Information Engineering, Zhejiang University of Technology, 310023 Hangzhou, People's Republic of China Zhejiang Joint Key Laboratory of Embedded System, 310023 Hangzhou, People's Republic of ChinaSearch for more papers by this authorJun-Wei Zhu, Corresponding Author junweizhu1001@zjut.edu.cn College of Information Engineering, Zhejiang University of Technology, 310023 Hangzhou, People's Republic of China Zhejiang Joint Key Laboratory of Embedded System, 310023 Hangzhou, People's Republic of ChinaSearch for more papers by this authorWen-An Zhang, College of Information Engineering, Zhejiang University of Technology, 310023 Hangzhou, People's Republic of China Zhejiang Joint Key Laboratory of Embedded System, 310023 Hangzhou, People's Republic of ChinaSearch for more papers by this authorLi Yu, College of Information Engineering, Zhejiang University of Technology, 310023 Hangzhou, People's Republic of China Zhejiang Joint Key Laboratory of Embedded System, 310023 Hangzhou, People's Republic of ChinaSearch for more papers by this author Cao-Yuan Gu, College of Information Engineering, Zhejiang University of Technology, 310023 Hangzhou, People's Republic of China Zhejiang Joint Key Laboratory of Embedded System, 310023 Hangzhou, People's Republic of ChinaSearch for more papers by this authorJun-Wei Zhu, Corresponding Author junweizhu1001@zjut.edu.cn College of Information Engineering, Zhejiang University of Technology, 310023 Hangzhou, People's Republic of China Zhejiang Joint Key Laboratory of Embedded System, 310023 Hangzhou, People's Republic of ChinaSearch for more papers by this authorWen-An Zhang, College of Information Engineering, Zhejiang University of Technology, 310023 Hangzhou, People's Republic of China Zhejiang Joint Key Laboratory of Embedded System, 310023 Hangzhou, People's Republic of ChinaSearch for more papers by this authorLi Yu, College of Information Engineering, Zhejiang University of Technology, 310023 Hangzhou, People's Republic of China Zhejiang Joint Key Laboratory of Embedded System, 310023 Hangzhou, People's Republic of ChinaSearch for more papers by this author First published: 16 June 2020 https://doi.org/10.1049/iet-cta.2019.1140Citations: 5AboutSectionsPDF ToolsRequest permissionExport citationAdd to favoritesTrack citation ShareShare Give accessShare full text accessShare full-text accessPlease review our Terms and Conditions of Use and check box below to share full-text version of article.I have read and accept the Wiley Online Library Terms and Conditions of UseShareable LinkUse the link below to share a full-text version of this article with your friends and colleagues. Learn more.Copy URL Share a linkShare onEmailFacebookTwitterLinked InRedditWechat Abstract This study is concerned with the attack detection (AD) problems in finite frequency domain for cyber-physical systems with sensor attack. The frequency domain is divided into three frequency domains of low, medium and high, multiple AD filters are designed to work simultaneously. The attack detectionAD problem is transformed into a multi-objective optimisation schemes for each finite frequency domain. Finally, the experimental results of networked motion control system are given to verify the effectiveness and superiority of proposed method. 1 Introduction Due to the rapid development of modern industry and network communication technology, cyber-physical systems (CPSs) integrated by computing, network and physical processes are playing an increasingly important role in key infrastructure, government and daily life. Their application fields include but are not limited to transportation networks, smart grids, industrial production and other key areas. CPSs are a large-scale, geographically dispersed system in which embedded devices (such as sensors and actuators) are networked to sense, monitor and control the physical world [1, 2]. Due to physical or technological limitations, data between sensors, actuators and other network components may be transmitted through the network without proper security protection. External attackers can invade the system by network protocols, tamper with internal data or inject false data, thus causing a series of economic losses. Therefore, CPSs attack detection (AD) has become an important research field [3–8]. Because attack is a kind of man-made signals, it has a certain attack strategy, which can change with the attacker's will at any time, including but not limited to frequency, amplitude, attack time and so on, which brings challenges to AD. In view of AD of CPSs, some scholars have considered model-free methods. The detection problem of model-free fake data injection attack is studied in [9–11]. Another scholars adopt a model-based approach. In [12], different network attack models are constructed into a unified model with uncertainty, and the necessary conditions for ensuring network security of the system are given. A CPSs AD method based on discrete event system is proposed in [13]. The security state estimation problem of CPSs under sparse sensor attack is studied in [14]. Based on a new switching gradient descent algorithm, an observer-based state estimation update algorithm is proposed. In [15], state feedback and observer-based controller are used, the distributed and uniform control of multi-agent systems under DoS attacks is studied. A resilient ADobserver is proposed in [16] to study the problem of AD and security estimation under the condition that the system is simultaneously attacked by fake data injection attack from the physical layer and jamming attack from the network layer. A distributed estimator is constructed in [17], and the design problem of a finite horizon distributed estimator is transformed into a minimisation problem of a uncertain quadratic form. In [18], the unique properties of undetectable and indistinguishable attacks on CPSs is studied, a finite-time detector is proposed to solve the problem of AD, and another limited-time alarm event-driven supervisory estimator to solve the safety state estimation problem. In [19, 20], the attack strategies and defense methods of fake data injection attacks are studied separately. Dos attacks, replay attacks and deceptive attacks in CPSs were studied in [21–26]. The above model-free methods mainly use historical data for offline analysis, or needs to know the system structure or some prior knowledge. It cannot consider overly complex disturbance. However, the AD problems emphasise real-time because attacks are more destructive than faults and are not suitable for detection after an attack occurs. Most model-based AD methods also mainly design observers or filters in the full frequency domain to detect attacks [14–17, 23, 27–29], but this cannot fully meet the actual needs. For example, in the trajectory tracking control of some motion control systems, the tracking accuracy must be ensured. When the system is attacked by low amplitude and high frequency stealthy attack signals, it is difficult to distinguish whether the system is under attack by human eyes, but burrs will appear in the tracking trajectory, making the precision of the processed product unqualified, which will cause certain economic losses. In order to solve the above problems, it is necessary to distinguish the frequency characteristics of attacks and define performance indicators in different frequency domains. In order to solve the above problems, Iwasaki et al. [30] proposed the generalised Kalman–Yakubovich–Popov (GKYP) lemma. By applying GKYP lemma, various properties of dynamic systems in a finite frequency domain can be transformed into LMI conditions, and performances in different frequency domains can be optimised. The GKYP lemma is first applied to fault detection. For example, the GKYP lemma is used to study the finite frequency domain fault detection problem of a class of Takagi–Sugeno fuzzy models, see [31–38]. In [39], for the network control system with the missing amount, the considered neural network is modelled as a Markov jump system using the stop time, and the concept of the finite frequency domain random exponent is introduced to measure the sensitivity of the residual. In [40], the fault detection of switch system with servo input and sensor stuck fault is studied. The robust control problems with finite frequency domain constraints is studied in [41, 42]. In [43], a two-dimensional non-linear system fault detection observer is designed, and two performance indexes are used to optimise the system. The design of fault detection filters for finite frequency-domain uncertain linear discrete time systems with regional pole assignment is studied in [44]. In the above fault detection articles based on the finite frequency domain, most of the faults considered are distributed in the low frequency band or high frequency band, and the medium frequency band is not considered. However, in the aspect of AD, this is not in line with the actual situation, because the attack is man-made and may exist in low, medium and high frequency bands, which makes the traditional fault detection methods in the finite frequency domain unable to be directly applied in the AD problems. In summary, this study is concerned with the AD problem in finite frequency domain for CPSs with sensor attacks. The experimental results verify the effectiveness and superiority of the methods. The main contributions of this study are as follows: (i) Consider the frequency domain characteristics of the attack signal. The frequency domain is divided into multiple subdomains, and introduce the finite frequency performance indexes. Compared with the traditional full frequency domain method (including the fault detection filter and observer-based fault detection methods), this method has better detection performance; (ii) The proposed method can effectively detect a class of low amplitude high frequency stealthy attack signals, which are difficult to be detected by traditional full frequency domain methods [10–13]. (iii) Existing finite frequency domain fault/AD methods mainly consider zero frequency or low frequency signals [37, 45], and less consider signals in the medium and high frequency domains. We considered both low, medium, and high frequency signals, and the results are more general. The rest of the study is structured as follows: Section 2 outlines the specific issues studied; Section 3 discusses the design of the AD filters in detail; Section 4 conducts experiments on the networked motion control system and gives experimental results; finally the main conclusions are given in Section 5. The following notations are used throughout this study. A symmetric matrix, and denote positive definiteness and negative definiteness. The symmetric terms in a symmetric matrix are denoted by *. For a matrix A, its transpose and complex conjugate transpose are denoted by and , . 2 Preliminaries and problem statement 2.1 System description Consider the following networked control system model (1)where is the state space vector, is the system output, and represent external disturbance and sensor attack respectively, and belong to , which is the space of square-integrable vector functions. A, , C, , are known matrices with appropriate dimensions. Remark 1.In the existing literature, most think that the sensor end of the system is attacked, so the problems considered are general. The fault signals considered in most fault detection problems are mainly at zero or low frequency, and their frequency bands are relatively stable, and often use full frequency domain methods. However, the attack signal is added by the attacker from the outside, which can be changed according to the attacker's wishes. Therefore, we divide the entire frequency domain into multiple subdomains and perform multi-objective optimisation for each subdomain to obtain better detection performance. Meanwhile, it also has a good detection performance for a class of low amplitude high frequency stealthy attack signals that are difficult to be detected by the traditional full frequency domain methods. Remark 2.The stealthy attack mentioned in this study refers to a class of low amplitude and high frequency attack signals similar to noise signals [19, 46]. Such attack signals are difficult to be detected effectively by using traditional full detection methods. The damages of stealthy attacks to the CPS system are mainly as follows: (i) The control performance of the physical process for CPS can be undermined by stealthy attacks. In the experiment, the measurement information is used in the control law. The steady performances of the states deteriorate under stealthy attacks. This means the requirement of high-precision cannot be met for some motor driven devices, such as sewing machine and cutting machine. (ii) Since chattering phenomena for the control signal will occur under stealthy attacks, the control actions of actuators will oscillate heavily. As a consequence, the service lives of the actuators and some other components will be reduced significantly [47]. For this type of signal, we consider its frequency characteristics and perform multi-objective optimisation to achieve detection of this type of signal. 2.2 AD filter In order to detect sensor attacks, AD filter is designed as follows: (2)where is the filter states, denotes the residual signal which carries information on the time of the occurrence of attack, , , , are filter parameters to be determined. Let , the global augmented dynamic AD system can described by (1) and (2) (3)where 2.3 Finite frequency performance index In this section, for the purpose of AD, we define some finite frequency domain performance indices. In practice, the impact of the attack may occupy different frequency domains. Therefore, we consider the following finite frequency interval for frequency in attack : (4)where , , are given real scalars. Remark 3.As the frequency of the attack signal changes with time, different frequencies will have different effects on the residual. Therefore, we divide the full frequency domain into multiple subdomains.When and , denote the low frequency range: (5)where , are assumed to be known positive real scalars. where and , or and , denotes the high frequency range or medium frequency range. In the sequel, we give the following two definitions on finite frequency and performance indexes for the system (3). Definition 1.The system (3) has a finite frequency index bound , if under zero initial condition, the following inequality holds for all solution of (3) (6)where is a given real positive scalar, it denotes the worst case criterion for the effect of external disturbance on the residual . Definition 2.The system (3) has a finite frequency index bound , if under zero initial condition, the following inequality holds for all solution of (3): (7)where is a given real positive scalar, it is a measurement of the sensor attack sensitivity in the worst case from to residual . Remark 4.By Definitions 1 and 2, we can perform multi-objective optimisation for each subdomain. For Definition 1, the smaller is, the smaller the effect of external disturbance on residual output is, and the system (3) has better robustness against external disturbance. For Definition 2, the larger is, the greater the effect of sensor attack on residual output is, and the system (3) is more sensitive to sensor attack. Next, according to Definitions 1 and 2, design the performance indexes of AD filter for each subdomain. 2.4 AD scheme 2.4.1 Low frequency AD filter design The low frequency AD problem can be solved if system (3) satisfies the following conditions (i) For the cases of attack free and attack, in order to minimise the effect of the disturbance on the residual output , it needs to be satisfied: (8) (ii) For the low frequency attack, in order to maximise the effect of the sensor attack on the residual output , it needs to be satisfied (9) (iii) For the medium frequency attack, in order to minimise the effect of the sensor attack on the residual output , it needs to be satisfied (10) (iv) For the high frequency attack, in order to minimise the effect of the sensor attack on the residual output , it needs to be satisfied (11) 2.4.2 Medium frequency AD filter design The medium frequency AD problem can be solved if system (3) satisfies the following conditions (i) For the cases of attack free and attack, in order to minimise the effect of the disturbance on the residual output , it needs to be satisfied: (12) (ii) For the low frequency attack, in order to minimise the effect of the sensor attack on the residual output , it needs to be satisfied (13) (iii) For the medium frequency attack, in order to maximise the effect of the sensor attack on the residual output , it needs to be satisfied (14) (iv) For the high frequency attack, in order to minimise the effect of the sensor attack on the residual output , it needs to be satisfied (15) 2.4.3 High frequency AD filter design The high frequency AD problem can be solved if AD filter (2) satisfies the following conditions (i) For the cases of attack free and attack, in order to minimise the effect of the disturbance on the residual output , it needs to be satisfied: (16) (ii) For the low frequency attack, in order to minimise the effect of the sensor attack on the residual output , it needs to be satisfied (17) (iii) For the medium frequency attack, in order to maximise the effect of the sensor attack on the residual output , it needs to be satisfied (18) (iv) For the high frequency attack, in order to maximise the effect of the sensor attack on the residual output , it needs to be satisfied (19) Remark 5.Disturbances and attacks have different transfer functions to residual. The performance index is used to attenuate the effect of the disturbance on the residual, and the performance index is used to make the residual sensitive to attacks in the specific frequency domain. Therefore, the disturbance will not trigger the AD filter alarm. Remark 6.The specific performance indexes of the AD filter of each subdomains are given above. Through these performance indexes, better AD results can be obtained. 2.4.4 Detection threshold design In this section, the threshold for detecting faults is designed and the AD logic unit is based on the results proposed by [48]. Use the following residual evaluation function: (20) This residual evaluation function represents the average energy in a time window , where is the window length, is the initial moment and is the length of time. The threshold is defined as (21) Define the following logical relationships to detect whether an attack has occurred: (22) The CPSs under sensor attack is shown in Fig. 1, where , , represent external disturbance, sensor attacks and system output, respectively. , , represent the residual outputs of the low, medium, and high frequency AD filters, respectively. Fig. 1Open in figure viewerPowerPoint CPSs under sensor attack 3 Main results Before continuing with the main results, some lemmas need to be introduced. Lemma 1.GKYP lemma [19]Given a system (A,B,C,D) and a symmetric matrix with appropriate dimensions, the following two conclusions are equivalent: (i) Finite frequency domain inequality (23) (ii) There are Hermitian conjugate matrices P and Q, which satisfy , and (24) Where is shown in the following Table 1, LF, MF, HF represent low frequency, medium frequency, high frequency, respectively. Lemma 2.Projection lemma [49]Let U, V, be given. There exists a matrix F satisfying: (25)if and only if the following two conditions hold (26) (27)where and are arbitrary matrices whose columns form a basis of the nullspace of U and V, respectively. Lemma 3.Finsler's Lemma [45]Let , , . Let be any matrix such that . The following statement are equivalent (i) (ii) (iii) (iv) Lemma 4.[50] Given a positive scalar , the system (3) satisfies the performance (8) in full frequency domain, if there exist matrices such that the following inequality holds : (28)here Table 1. Different finite frequency ranges LF MF HF Next, based on Lemmas 1–4, the design of each AD filter is described in detail. 3.1 Low frequency AD filter design According to the performance indexes of low frequency AD filter in Section 2.4, the design is as follow. Theorem 1.The low frequency AD filter satisfies the performance indexes in Section 2.4, if there exist matrices variables such that the following inequalities holds: (29) (30) (31) (32)where is shown in (28), and (33)where and (34)where and (35)where The parameter matrices of the low frequency AD filter are given by where represents spectral decomposition of N. Proof.Inequalities (29)–(32) are discussed in detail here. (1) Inequality (29) has been described in Lemma 4 and the proof is omitted here. (2) For inequality (30), if there exist matrices , such that the following inequality holds (36)where , . Let with . Then (36) can be reformulated as: (37)which has the same form of the inequality (26) with On the other hand has the same form of inequality (27). The following null space bases calculations yields , From Lemma 2, the following inequality will be equivalent to (37) (38)where F is an additional matrix variable which is introduced via Lemma 2, F has the following form . where X is a non-singular matrix. and v should be chosen beforehand. It can be seen that (39) provides a sufficient condition for (38). (39)where . Assume that X has the following form with and being non-singular. Defining and using the congruence transformation for the inequality (39), and suppose has the following form Then (39) can be reformulated as (40)where In the following, (40) will be converted into an LMI condition by using Finsler's Lemma. (41)where and , . Via the definition of negative-definite matrix, (41) can be described as follows: (42)where is a non-zero vector. It is easily seen that is full rank of column and if G is defined as (43) Applying Finsler's Lemma, we can conclude that (42) holds if and only if the following inequality holds for some L with appropriate dimensions: (44) In order to facilitate subsequent processing, we restrict the matrix L to be where , should be chosen beforehand. Therefore, (44) can be expressed as (45)where Considering the form of X, define the following variables: Finally, (44) and (29) are equivalent. This completes the proof for (29). (3) For inequality (30), if there exist matrices , such that the following inequality holds (46)where Let where Then (46) can be reformulated as: (47)which has the same form of the inequality (26) with On the other hand has the same form of inequality (27). The following null space bases calculations yields , From Lemma 2, the following inequality will be equivalent to (47) (48)where X is an additional non-singular matrix variable which is introduced via Lemma 2. It can be seen that (49) provides a sufficient condition for (48). (49)where . Assume that X has the following form with and being non-singular. Defining and using the congruence transformation for the inequality (49), and suppose has the following form Then (49) can be reformulated as: (50)where By applying the Schur complement lemma, the following inequality will be equivalent to (50) (51) Considering the form of X, define the following variables: By converting the complex linear matrix inequality into a real linear matrix inequality, (51) and (31) are equivalent. This completes the proof for (31). (4) For inequality (32), if there exist matrices , such that the following inequality holds (52)where Let where Then (52) can be reformulated as: (53)which has the same form of the inequality (26) with On the other hand has the same form of inequality (27). The following null space bases calculations yields , From Lemma 2, the following inequality will be equivalent to (53) (54)where X is an additional non-singular matrix variable which is introduced via Lemma 2. It can be seen that (55) provides a sufficient condition for (54). (55)where .Assume that X has the following form with and being non-singular.Defining and using the congruence transformation for the inequality (55), and suppose has the following form Then (55) can be reformulated as (56)where By applying the Schur complement lemma, the following inequality will be equivalent to (56) (57)Considering the form of X, define the following variables: Finally, (56) and (32) are equivalent. This completes the proof for (32). □ Remark 7.In the fault detection articles such as [20–25, 27–30], most of them only consider the existence of external disturbances and single frequency domain faults in the system. However, the attack signals can be switched as the attacker's wishes, so more performance indexes are needed to optimise each subdomain. The above proofs illustrate the specific deduction of each performance indexes of low frequency AD filter in detail. By dividing the frequency domain into three frequency domains: low, medium and high, and the performance indexes of different frequency domains are optimised. The low frequency AD filter can attenuate disturbance in the full frequency domain, and is insensitive to attack in the medium and high frequency domains, but sensitive to attack in the low frequency domain, so as to realise effective detection of low frequency attacks. Compared with the traditional full frequency domain methods, this method has better detection performance. Remark 8.In [20–25, 27], the fault considered is concentrated in the low and high frequency domains, the medium frequency domain is ignored, which is in line with the logic of fault detection, because in practice, the fault mainly occurs at low frequency or high frequency. However, this does not apply to AD problems, because the attack can change with the attacker's wishes. Therefore, it is necessary to consider the performance indexes of the medium frequency domain. Because there are complex numbers in GKYP lemma in medium frequency domain, it can not be solved directly.To solve the feasibility problem for complex LMIs, the following equivalent statements are used where M is the complex Hermitian matrix, and are the real part and the imaginary part, respectively. The above transformation solves the feasibility problem for complex LMIs. 3.2 Medium frequency AD filter design According to the performance indexes of medium frequency AD filter in Section 2.