6th IFAC Workshop on Distributed Estimation and Control in Networked Systems
September 8-9, 2016. Tokyo, Japan
Available online at www.sciencedirect.com
ScienceDirect
IFAC-PapersOnLine 49-22 (2016) 169–174

Deception-based Sensor Scheduling for Remote Estimation under DoS Attacks

Kemi Ding, Xiaoqiang Ren, Ling Shi

Department of Electronic and Computer Engineering, Hong Kong University of Science and Technology, Clear Water Bay, Kowloon, Hong Kong (e-mail: {kdingaa, xren, eesling}@ust.hk).

Abstract: This paper addresses security issues of a cyber-physical system (CPS) under denial-of-service (DoS) attacks. The measurements of a sensor are transmitted to a remote estimator over a vulnerable communication channel, which may be congested by an intelligent attacker. Aiming at improving the estimation accuracy under a limited energy budget, we propose a novel acknowledgement-based (ACK-based) cheating scheme for the sensor to confuse the attacker, from which we prove an optimal deception-based transmission schedule within the whole transmission/deception schedule sets. The schedule has a very simple structure. Numerical comparisons are provided to illustrate the developed results.

© 2016, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.

The work by K. Ding and L. Shi is supported by an HKUST internal research fund IEG15EG01.

Copyright © 2016 IFAC. 2405-8963 © 2016, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Peer review under responsibility of International Federation of Automatic Control. 10.1016/j.ifacol.2016.10.391

1. INTRODUCTION

In recent years, cyber-physical systems (CPSs) have been a topic of great interest in a wide range of scientific and industrial fields. Typically, a CPS encompasses three independently interacting components: computational elements, communication networks and control systems (the 3C). The tight integration is beneficial to the stability, performance, robustness and efficiency of physical systems. Because of this, CPSs are commonly referred to as the next generation of engineered systems, and their various applications include smart grids, aerospace engineering, transportation systems, ubiquitous health care systems, etc.

However, the security issue of CPSs is much more critical than that of traditional control/network systems and it requires more attention. To be specific, the vulnerability of the communication layer, which is caused by its broadcast nature and easy-to-access medium, exposes control systems to many potential threats and malicious cyber attacks. Since many safety-critical infrastructures, such as natural gas pipeline systems, power utilities, and water systems, depend greatly upon CPSs, any attack may lead to significant losses to national economies or even of human lives. For example, in a recent incident on the Ukrainian power grid, Ics.sans.org (2016), cyber attackers blocked the information flow from the physical plant and caused a power failure to hundreds of thousands of homes in Ukraine. Previous studies of CPS security have mainly dealt with two typical classes of attacks, as discussed in Cardenas et al. (2008): deception (integrity) attacks and denial-of-service (DoS) attacks. The latter are common and easy to implement in practical systems. In the following, we consider the scenario where a sensor transmits its local estimate of an underlying physical process to a remote estimator via a vulnerable communication channel in the presence of DoS attacks.

Another fundamental factor receiving considerable attention in the design of CPSs is the energy consumption. Since most sensor nodes use on-board batteries, which are difficult to replace or recharge, the energy for sensing, computation and especially transmission is limited. Motivated by this, several recent studies investigating the tradeoff between the constrained energy and the estimation performance have been carried out: Shi et al. (2011); Mo et al. (2012); Ren et al. (2014). In Shi et al. (2011), the authors proposed an optimal periodic sensor transmission power schedule for remote state estimation under a constrained energy budget. Mo et al. (2012) studied the problem of infinite-horizon sensor scheduling under two classes of protocols, in which the online packet-loss information is sent back to the sensor through acknowledgements (ACKs). This ACK-based sensor scheduling can improve the system performance compared to the traditional offline schemes, as demonstrated in Han et al. (2014). Also, based on this protocol, Ren et al. (2014) considered two transmission power levels and proposed an optimal stationary schedule within the whole schedule set. Such research, however, has failed to address the security issues. From this point of view, Zhang et al. (2015) investigated the energy-constrained attack policy taken by a DoS attacker based on inferred online information. Considering the simple structure of the ACK packet, the attacker may also have access to the ACK and deteriorate the estimation quality more efficiently, as investigated by Li et al. (2015b,a). So far, very little attention has been paid to countermeasures that can be taken by the sensor to reduce the disclosure of ACKs, which motivates us to investigate a potential class of DoS-attack-remedy schemes via some ACK-based "tricks". Aiming at improving the estimation performance, the sensor is required to take some easy-to-use "fake" actions to manipulate the ACKs, which can not only protect the ACK packets but also confuse the attacker (leading to even fewer attacks). Coupled with this deception scheme, we also investigate the optimal sensor transmission scheduling with limited energy overhead. Compared with previous
Fig. 1. System model

works, the main contributions of this work are summarized as follows:

• No single study exists which addresses the CPS security issues via manipulating the ACK packets. This work sheds new light on deception-based sensor transmission scheduling to mitigate the effects of DoS attacks;
• Within the entire coupled energy-constrained strategy space (which contains the transmission and deception scheme pair), we prove an optimal strategy with a very simple structure based on majorization theory;
• We also develop an analytical expression of the optimal infinite-horizon estimation error covariance and provide necessary and sufficient conditions for the stability of the optimal schedule.

The remainder of the paper is organized as follows. Section 2 illustrates the mathematical models of the remote estimation system. Section 3 demonstrates the optimal schedule, while a closed-form averaged error covariance under this framework is also provided. Some examples and concluding remarks are presented in Section 4 and Section 5, respectively.

Notations: $\mathbb{S}^n_+$ (or $\mathbb{S}^n_{++}$) is the set of $n \times n$ positive semidefinite (or positive definite) matrices. When $X \in \mathbb{S}^n_+$ (or $X \in \mathbb{S}^n_{++}$), we write $X \ge 0$ (or $X > 0$). For functions $h, g$, $h \circ g$ is defined as the function composition $h(g(\cdot))$. The subscripts $s$ and $a$ denote the sensor and the attacker, respectively. The function $\delta_{kj} = 0$ if $k \ne j$ and $\delta_{kj} = 1$ if $k = j$, and $Y_1^k$ stands for the sequence $\{y_1, y_2, \ldots, y_k\}$.

2. PROBLEM FORMULATION

In this section, we will introduce the mathematical model of the system structure depicted in Fig. 1 and indicate the problem of concern.

2.1 Kalman Filter Preliminaries

Consider the following linear time-invariant (LTI) system:
$$x_{k+1} = A x_k + w_k, \qquad y_k = C x_k + v_k, \tag{1}$$
where the state vector of the system at time $k$ is denoted by $x_k \in \mathbb{R}^n$, the noisy measurement obtained by the sensor is $y_k \in \mathbb{R}^m$, and $w_k \in \mathbb{R}^n$, $v_k \in \mathbb{R}^m$ represent zero-mean i.i.d. Gaussian random noises with $\mathbb{E}[w_k w_j^\top] = \delta_{kj} Q$ ($Q \ge 0$), $\mathbb{E}[v_k v_j^\top] = \delta_{kj} R$ ($R > 0$), and $\mathbb{E}[w_k v_j^\top] = 0$ $\forall j, k$. The initial state $x_0$ is a zero-mean Gaussian random vector with covariance $\Sigma_0 \ge 0$, which is uncorrelated with $w_k$ and $v_k$. The time-invariant pair $(A, C)$ is assumed to be detectable and $(A, \sqrt{Q})$ is stabilizable.
With the advanced smart sensors from Hovareshti et al. (2007), the estimation/control performance of the current system can be highly improved. With storage and computing abilities, the smart sensor in Fig. 1 is able to process the collected measurements $Y_1^k$ by running a Kalman filter, instead of transmitting them directly, and then estimate the process state $x_k$ locally, denoted by $\hat{x}_k^s$. This minimum mean-squared error (MMSE) estimate of the process state is given by $\hat{x}_k^s = \mathbb{E}[x_k \mid Y_1^k]$, with its corresponding estimation error covariance $P_k^s \triangleq \mathbb{E}[(x_k - \hat{x}_k^s)(x_k - \hat{x}_k^s)^\top \mid Y_1^k]$. These terms are computed via the Kalman filter as follows:
$$\hat{x}_{k|k-1}^s = A \hat{x}_{k-1}^s, \qquad P_{k|k-1}^s = A P_{k-1}^s A^\top + Q,$$
$$K_k = P_{k|k-1}^s C^\top \left[ C P_{k|k-1}^s C^\top + R \right]^{-1},$$
$$\hat{x}_k^s = A \hat{x}_{k-1}^s + K_k \left( y_k - C A \hat{x}_{k-1}^s \right),$$
$$P_k^s = (I - K_k C) P_{k|k-1}^s,$$
where the iteration starts from $\hat{x}_0^s = 0$ and $P_0^s = \Sigma_0$. To simplify notations, we define the Lyapunov and Riccati operators $h$ and $\tilde{g} : \mathbb{S}^n_+ \to \mathbb{S}^n_+$ as
$$h(X) \triangleq A X A^\top + Q, \qquad \tilde{g}(X) \triangleq X - X C^\top \left[ C X C^\top + R \right]^{-1} C X.$$
Because of the stabilizability and detectability assumptions, the estimation error covariance $P_k^s$ converges exponentially to the unique fixed point $\bar{P}$ of $\tilde{g} \circ h$ (the recursion above reads $P_k^s = \tilde{g}(h(P_{k-1}^s))$, so $\bar{P} = \tilde{g}(h(\bar{P}))$), as discussed in Anderson and Moore (2012). For simplicity, we ignore the transient periods and assume that the Kalman filter at the sensor has entered steady state; i.e.,
$$P_k^s = \bar{P}, \quad k \ge 1. \tag{2}$$
According to Shi et al. (2011), the steady-state error covariance $\bar{P}$ has the following property.

Proposition 1. For $0 \le t_1 < t_2$, the following inequality holds
$$\mathrm{Tr}[\bar{P}] \le \mathrm{Tr}[h^{t_1}(\bar{P})] < \mathrm{Tr}[h^{t_2}(\bar{P})]. \tag{3}$$

2.2 Communication Under DoS Attacks

As depicted in Fig. 1, the sensor, with the consideration of limited transmission energy, is required to decide whether or not to send the obtained estimate $\hat{x}_k^s$ to the remote estimator. Let the binary variable $\gamma_k$ define the selection of the sensor; that is, $\gamma_k = 1$ indicates that the sensor transmits $\hat{x}_k^s$ as a packet to the estimator and $\gamma_k = 0$ otherwise. We assume the channel between the sensor and the estimator is memoryless and has independent additive white Gaussian noise (AWGN). To measure the non-ideal packet losses, we introduce the packet-error-rate (PER), which is monotonically decreasing in the signal-to-noise-ratio (SNR) for any modulation scheme. In practice, by launching DoS attacks, the aggressive attacker may interfere with the transmission and disturb the arrival of the data packet. Therefore, the signal-to-interference-plus-noise-ratio (SINR) in Tse and Viswanath (2005), rather than the SNR, is adopted in a general form
2016 IFAC NECSYS September 8-9, 2016. Tokyo, Japan
Kemi Ding et al. / IFAC-PapersOnLine 49-22 (2016) 169–174
of PER in order to quantify the packet loss under DoS attacks; i.e., Es SIN R = , P ER = f (SIN R), (4) Ea + n0 in which n0 is the power of the additive white channel noise, and Es > 0 and Ea ≥ 0 1 correspond to the transmission power of the sensor and the interference power of the attacker, respectively. Under this scenario (i.e., the erasure channel), the arrival of the packet can be characterized by a binary random process (Bernoulli process), denoted by ηk , in which ηk = 0 represents the occurrence of packet loss. Assuming independence between the choice made by the sensor γk and the packet transmission, we have Pr(ηk = 1) = θks · (1 − P ERk ),
(5)
Pr(γk = 1) ∈ [0, 1] represents that in which the sensor transmits the data packet w.p. θks at time k. Hence, the transmission schedule of the sensor over the infinite-horizon is denoted by Θs = {θ1s , θ2s , θ3s , . . .}. Similarly, the attacker would also make a choice among its possible energy levels to launch DoS attacks, with the purpose to effectively interfere with the transmission. Let Θa = {θ1a , θ2a , θ3a , . . .} be the offensive strategy and θka ≥ 0 denotes the jamming energy released by the attacker at time k. θks
In this work, we consider a communication-feedback mechanism between the estimator and the sensor shown in Fig. 1: the remote estimator informs the sensor of the packet-loss information (i.e., $\eta_k$) by immediately sending back a short acknowledgement (ACK) frame. This mechanism is an essential block of media access control (MAC) protocols (e.g., the TCP/IP protocol). Since the sensor has a comprehensive understanding of the communication dynamics based on the collected ACKs, it can develop an effective transmission schedule to improve the system performance; i.e., $\theta^s_k$ depends on the previous ACK sequence $\eta_1^{k-1}$. Here, the ACK is assumed to be reliably received by the sensor. Analogously, the attacker can also obtain the ACKs through channel eavesdropping and launch targeted DoS attacks with devastating effect. To avoid the disclosure of the feedback information and confuse the attacker at the same time, a private/secret agreement about the ACK transmission mechanism is reached between the sensor and the estimator during the communication. As for the general MAC protocol, the event ACK = 0 represents the packet loss, which is common knowledge shared by the three agents, especially the attacker. Even in this seemingly adverse situation, the sensor can gain some benefit by taking advantage of the "inertial thinking" of the attacker. To be precise, an additional bit containing an ACK-reverse instruction, denoted by $\phi_k$, is inserted in the preamble and sent to the estimator before packet transmission; then, according to the received instruction $\phi_k$, the estimator modifies the current ACK information. For example, if $\phi_k = 1$ and the packet is lost, ACK = 1 instead of ACK = 0 is sent back to the sensor; without private knowledge of $\phi_k$, the attacker is convinced that the packet has arrived successfully by overhearing the spurious ACK, which is denoted by $\tilde{\eta}_k$:
$$\tilde{\eta}_k \triangleq \eta_k \oplus \phi_k, \tag{6}$$
in which the operator $\oplus$ represents binary addition. However, the real occurrence of packet loss $\eta_k$ can be recovered by the sensor with the known $\Phi = \{\phi_1, \phi_2, \ldots\}$. These deception tricks played by the sensor are similar to encryption technologies, but with a different purpose: the sensor expects that the attacker obtains fake information instead of nothing.

¹ Without loss of generality, the channel gain is taken to be unity, and therefore the received SINR can be defined based on the transmission powers instead of the actual received power.

2.3 Remote Estimation

Based on the received data packets, the remote estimator generates the MMSE estimate of the process $x_k$, denoted by $\hat{x}_k$, with corresponding error covariance $P_k$. Precisely, after receiving $\hat{x}^s_k$ successfully, the estimator synchronizes its estimate $\hat{x}_k$ with it; otherwise, the estimator simply predicts the estimate from its previous estimate using the system model (1). As a result, a simple recursion of $\hat{x}_k$, obtained in Shi et al. (2011), is
$$\hat{x}_k = \begin{cases} \hat{x}^s_k, & \eta_k = 1, \\ A\hat{x}_{k-1}, & \text{otherwise.} \end{cases} \tag{7}$$
Consequently, the error covariance $P_k$ at time $k$ is
$$P_k \triangleq \mathbb{E}\left[(x_k - \hat{x}_k)(x_k - \hat{x}_k)'\right] = \begin{cases} \bar{P}, & \eta_k = 1, \\ h(P_{k-1}), & \text{otherwise,} \end{cases} \tag{8}$$
where $\bar{P}$ stands for the steady-state error covariance shown in (2). Without loss of generality, we assume that the initial packet $\hat{x}^s_0$ is known by the estimator and hence $P_0 = \bar{P}$. From (8), we obtain that at a given time $k$, $P_k$ can only take values in the finite set $\{\bar{P}, h(\bar{P}), h^2(\bar{P}), \ldots, h^k(\bar{P})\}$. For notational brevity, we define a random variable $\tau_k \in \mathbb{Z}$ as the holding time²:
$$\tau_k \triangleq k - \max_{0 \le l \le k}\{l : \eta_l = 1\}, \tag{9}$$
which represents the interval between the present moment $k$ and the most recent time at which a data packet was successfully received by the estimator. Based on (8), it is easy to obtain the relationship between the holding time and the estimation error covariance $P_k$ at the remote estimator,
$$P_k = h^{\tau_k}(\bar{P}), \tag{10}$$
and the iteration of the holding time,
$$\tau_k = \begin{cases} 0, & \text{if } \eta_k = 1, \\ \tau_{k-1} + 1, & \text{otherwise.} \end{cases} \tag{11}$$

² In the rest of this paper, we will omit the subscript of $\tau_k$ when the underlying time index $k$ is obvious from the context; when it is ambiguous, the subscript will be indicated.

2.4 Problem of Interest

As mentioned previously, the sensor attempts to improve the estimation quality through the deception-based strategy $\{\Theta_s, \Phi\}$. (Recall that $\Theta_s$ represents the sensor transmission schedule and $\Phi$ stands for the cheating mechanism.) To quantify the estimation quality, we consider an infinite-horizon formula, defined as the average expected estimation error covariance:
$$J_s(\Theta_s, \Theta_a, \Phi) = \limsup_{n \to +\infty} \frac{1}{n} \sum_{k=1}^{n} \mathrm{Tr}[P_k]. \tag{12}$$
Correspondingly, the average energy cost is denoted by
$$\bar{E}_s(\Theta_s) = \limsup_{n \to +\infty} \frac{1}{n} \sum_{k=1}^{n} \gamma_k E_s. \tag{13}$$

In summary, we are interested in answering this question: supposing the underlying attack strategy $\Theta_a$ is monotonically increasing in $\tau$ and a limited energy budget, denoted $\mathcal{E}_s > 0$, is given, what is the optimal coupled strategy $\{\Theta_s, \Phi\}$ for the sensor within the whole possible strategy set? In short, we wish to solve the following optimization problem.

Problem 2.
$$\min_{\Theta_s, \Phi} \; J_s(\Theta_s, \Theta_a, \Phi) \quad \text{s.t.} \quad \bar{E}_s(\Theta_s) \le \mathcal{E}_s. \tag{14}$$
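The ACK-reversal rule (6) and the holding-time recursion (11), run side by side from the sensor's view (true ACKs) and the attacker's view (overheard ACKs); this is an added illustration, not code from the paper, and the arrival sequence $\eta_k$ is constructed from seeded Bernoulli draws. It also compares the real remote covariance $h^{\tau_k}(\bar{P})$ with the attacker's belief $h^{\tilde{\tau}_k}(\bar{P})$ for the scalar system of Section 4.

```python
"""ACK deception of Section 2.2: what the sensor knows versus what the
attacker overhears. Added example; the loss pattern is constructed."""
import random


def spurious_ack(eta: int, phi: int) -> int:
    """Eq. (6): the ACK the attacker overhears is eta_k XOR phi_k."""
    return eta ^ phi


def holding_times(eta_seq, phi_seq):
    """Run the recursion (11) on the true ACKs (sensor's view) and on the
    overheard ACKs (attacker's view). Returns (tau_k, tau~_k) for k = 1..n,
    both started from tau_0 = tau~_0 = 0."""
    tau, tau_tilde = 0, 0
    out_true, out_attacker = [], []
    for eta, phi in zip(eta_seq, phi_seq):
        tau = 0 if eta == 1 else tau + 1
        tau_tilde = 0 if spurious_ack(eta, phi) == 1 else tau_tilde + 1
        out_true.append(tau)
        out_attacker.append(tau_tilde)
    return out_true, out_attacker


def h_power(P_bar, A, Q, i):
    """h^i(P_bar) for the scalar system: error covariance after i losses."""
    P = P_bar
    for _ in range(i):
        P = A * P * A + Q
    return P


def belief_gap(eta_seq, phi_seq, P_bar, A, Q):
    """Real remote covariance P_k = h^{tau_k}(P_bar), eq. (10), minus the
    attacker's misinformed belief h^{tau~_k}(P_bar); a positive entry means
    the attacker underestimates P_k at that step."""
    taus, taus_tilde = holding_times(eta_seq, phi_seq)
    return [h_power(P_bar, A, Q, t) - h_power(P_bar, A, Q, tt)
            for t, tt in zip(taus, taus_tilde)]


def consistent_cheating_claim_holds(eta_seq):
    """Check the statement after (28): under Phi* (phi_k = 1 for all k),
    tau~_k = 0 whenever tau_k >= 1, so a real loss never raises the
    attacker's believed holding time (and hence its jamming energy, (29))."""
    taus, taus_tilde = holding_times(eta_seq, [1] * len(eta_seq))
    return all(tt == 0 for t, tt in zip(taus, taus_tilde) if t >= 1)


def constructed_arrivals(n, p_success, seed=7):
    """Constructed Bernoulli arrival sequence eta_k, Pr(eta_k = 1) = p_success."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_success else 0 for _ in range(n)]


if __name__ == "__main__":
    eta = constructed_arrivals(20, 0.6)
    no_cheat, always_cheat = [0] * len(eta), [1] * len(eta)
    print("eta       ", eta)
    print("tau (real) ", holding_times(eta, no_cheat)[0])
    print("tau~ Phi=0 ", holding_times(eta, no_cheat)[1])
    print("tau~ Phi*  ", holding_times(eta, always_cheat)[1])
    print("claim after (28) holds:", consistent_cheating_claim_holds(eta))
```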
3. ONLINE SCHEDULE UNDER DOS ATTACK

In this section, we describe the intrinsic evolution of the error covariance using Markov chain theory and provide an explicit optimal solution for the aforementioned optimization problem.

3.1 Markov Decision Process

Because of the communication feedback, the sensor obtains the online information $\eta_0^k$ ($\tilde{\eta}_0^k$ is also known by the sensor) at the end of the $k$-th time interval and infers $P_k$ from (10) before deciding whether or not to send the latest packet $\hat{x}^s_{k+1}$ at time $k+1$. Different from the sensor, the attacker only has access to the manipulated online information $\tilde{\eta}_k$. By processing its collected information $\tilde{\eta}_k$ following (9), the attacker obtains the manipulated holding time, denoted by $\tilde{\tau}_k$, and builds a misinformed belief that the remote error covariance is $\tilde{P}_k = h^{\tilde{\tau}_k}(\bar{P})$. Based on the obtained online information, the attacker tends to deliberate over its attack strategy in order to disrupt the communication without expending more effort than required. We assume the jamming energy $\theta^a_k$ is an increasing function of the holding time; i.e., $E_a \triangleq E_a(\tilde{\tau})$ is monotonically increasing. This scenario is reasonable since the attacker aims at degrading the estimation accuracy and the error covariance $P_k$ has a monotonic characteristic, as shown in Prop. 1.
Next, we define the state of the Markov chain as the holding time $\tau_k$. Apparently, at time $k$, the possible values of $\tau_k$ are contained in the countable state set
$$\mathcal{Z}_k = \{\tau_k : 0, 1, 2, \ldots, k\}, \tag{15}$$
and note that $\tilde{\tau}_k \in \mathcal{Z}_k$. It is obvious that the current state $\tau_k$ only depends on the last state $\tau_{k-1}$ and the r.v. $\eta_k$ from (11). Hence, the sequence of random states $\tau_k$ forms a Markov chain, and the transition process is depicted in Fig. 2. Moreover, $\tilde{\tau}_k$ also follows the Markov property, however with different transition probabilities.

Fig. 2. Markov chain transition process

Since the infinite-horizon cost (see (12), (13)) is considered, without loss of generality we focus on stationary schedules, in which the probabilities of packet transmission only depend on the state; i.e., $\theta^s_k = \theta^s(\tau_k)$. Finding an optimal schedule within the stationary ones is easier than doing so among the whole schedule set, and we will show in the next section that an optimal schedule can be a stationary one. Suppose that the information set of the attacker is identical to that of the sensor (i.e., $\phi_k = 0$ and $\tilde{\eta}_k = \eta_k$ for all $k$). Under the stationary framework, the process is a time-homogeneous Markov chain, described by a time-invariant transition probability matrix:
$$\mathbf{T}(\Theta_s, \Theta_a) = \begin{pmatrix} p_0 & 1 - p_0 & & \\ p_1 & & 1 - p_1 & \\ \vdots & & & \ddots \end{pmatrix}, \tag{16}$$
where the entry $\mathbf{T}_{i,j}$ represents the transition probability from the state $\tau_k = i$ to $\tau_{k+1} = j$, and all other entries are 0. Note that the probability $p_i = \theta^s(\tau_k = i) \cdot q(E_s, \tau_k)$ with $q = 1 - \mathrm{PER}(E_s, E_a(\tau_k = i))$ according to (5). Let $\Pi = (\pi_0, \pi_1, \pi_2, \ldots)$ be the stationary state distribution of the time-homogeneous Markov process for any initial state; it satisfies
$$\Pi = \Pi \cdot \mathbf{T}, \qquad \sum_{i=0}^{+\infty} \pi_i = 1, \tag{17}$$
in which the probability $\pi_i \in [0, 1]$, $\forall i \ge 0$.

By employing the vector $\Pi$, the average error covariance defined in (12) is given as (if converged)
$$J_s(\Theta_s, \Theta_a, \Phi) = \sum_{i=0}^{+\infty} \pi_i \, \mathrm{Tr}[h^i(\bar{P})], \tag{18}$$
and the average energy cost defined in (13) is
$$\bar{E}_s(\Theta_s, \Theta_a, \Phi) = \sum_{i=0}^{+\infty} \pi_i \, \theta^s(i) \, E_s. \tag{19}$$

3.2 Optimal Sensor Schedule

Any stationary transmission schedule $\Theta_s$, as discussed in the previous section, leads to a steady-state distribution $\Pi$, and we include its properties in the following lemma.

Lemma 3. Suppose that the attacker launches DoS attacks with a time-invariant jamming energy $a_0$. For any stationary transmission schedule $\Theta_s$ s.t. $\bar{E}_s \le \mathcal{E}_s$, its limiting distribution $\Pi$ has the following properties:
$$\pi_{n+1} = (1 - p_n)\,\pi_n \le \pi_n, \qquad \pi_0 \le \frac{q\,\mathcal{E}_s}{E_s}, \tag{20}$$
in which $p_n = \theta^s(\tau = n) \cdot q$ and $q = 1 - \mathrm{PER}(E_s, a_0)$.

The proof is straightforward from (17) and (19). Based on this lemma, we obtain the main theorem.

Theorem 4. Given the energy budget $\mathcal{E}_s$ and the attack strategy $E_a(\tilde{\tau})$, we have the following results:
• An optimal scheme pair $\{\Theta^\star_s, \Phi^\star\}$ for Problem 2 is
$$\theta^\star_s(\tau) = \begin{cases} 0, & \text{if } \tau < \tau_0, \\[4pt] \dfrac{(\tau_0 + 1)\,\mathcal{E}_s\, q + \mathcal{E}_s - E_s}{\mathcal{E}_s\, q}, & \text{if } \tau = \tau_0, \\[4pt] 1, & \text{otherwise,} \end{cases} \tag{21}$$
where $\tau_0$ is the largest integer satisfying the inequality
$$\tau \le \frac{E_s - \mathcal{E}_s}{q\,\mathcal{E}_s}, \tag{22}$$
and the coupled cheating mechanism is
$$\Phi^\star = \{\phi_k : \phi_k = 1, \; k \ge 1\}. \tag{23}$$
• Under the optimal schedule pair $\{\Theta^\star_s, \Phi^\star\}$, the stationary distribution is given by
$$\pi^\star(\tau) = \begin{cases} \dfrac{\mathcal{E}_s\, q}{E_s}, & \text{if } \tau \le \tau_0, \\[4pt] \left(q - \dfrac{\mathcal{E}_s\, q^2 (\tau_0 + 1)}{E_s}\right)(1 - q)^{\tau - \tau_0 - 1}, & \text{otherwise.} \end{cases}$$
Proof. First, for any given time-invariant interference energy $a_0$, we propose a structure for the stationary transmission schedule and find its optimal parameters by solving the optimization problem (14). The proposed stationary structure is
$$\Theta_s(\tau) = (\mathbf{0}, \theta, 1, \ldots), \tag{24}$$
in which $\mathbf{0} \in \mathbb{R}^{1 \times \tau_0}$. Under this schedule, we obtain the stationary distribution from (17):
$$\Pi = \big(\underbrace{\pi_0, \ldots, \pi_0}_{\tau_0 + 1 \text{ times}}, \; \pi_0 (1 - \theta q)(1 - q)^{\tau - \tau_0 - 1}, \ldots\big),$$
where $q = 1 - \mathrm{PER}(E_s, a_0)$. Since $\mathrm{Tr}[h^\tau(\bar{P})]$ is monotonically increasing in $\tau$, the minimum averaged error covariance $J_s$ defined in (18) is obtained with the largest $\pi_0$, $\tau_0$ and $\theta$. According to Lemma 3, we suppose that $\pi_0 = \frac{q\,\mathcal{E}_s}{E_s}$. To find the optimal $\tau_0$ and $\theta$, we have
$$(\tau_0 + 1)\pi_0 + \pi_0 \sum_{j=1}^{+\infty} (1 - q)^j \;\le\; (\tau_0 + 1)\pi_0 + (1 - \theta q)\,\pi_0 \sum_{j=0}^{+\infty} (1 - q)^j = 1. \tag{25}$$
Hence, the largest $\tau_0$ can be easily obtained from the aforementioned inequality. Moreover, we have
$$\bar{E}_s = E_s \cdot \Big[\theta \pi_0 + (1 - \theta q)\,\pi_0 \sum_{j=0}^{+\infty} (1 - q)^j\Big] \le \mathcal{E}_s, \tag{26}$$
and obtain the optimal $\theta^\star(\tau_0) = \dfrac{(\tau_0 + 1)\,\mathcal{E}_s\, q + \mathcal{E}_s - E_s}{\mathcal{E}_s\, q}$ such that the equality holds.
Second, under the fixed jamming energy $a_0$, we prove that the proposed strategy is an optimal solution to Problem 2 among the stationary schedule set. Consider an arbitrary stationary schedule $\Theta_s$; from Lemma 3 we obtain that $\pi^\star_0 = \pi^\star_1 = \cdots = \pi^\star_{\tau_0} \ge \pi_0 \ge \pi_{\tau_0}$, where $\Pi = (\pi_0, \pi_1, \ldots)$ represents the stationary distribution of $\Theta_s$. Define $\tau_1 = \min\{\tau : \pi_\tau \ge \pi^\star_\tau\}$; then for all $\tau \le \tau_1$,
$$\sum_{k=1}^{\tau} \pi^\star_k \ge \sum_{k=1}^{\tau} \pi_k. \tag{27}$$
Moreover, we have
$$\pi_\tau = \pi_{\tau_1} \prod_{k=\tau_1}^{\tau - 1} (1 - \theta^s_k q) \;\ge\; \pi^\star_{\tau_1} (1 - q)^{\tau - \tau_1} = \pi^\star_\tau, \qquad \tau \ge \tau_1.$$
Hence, for all $\tau > \tau_1$,
$$\sum_{k=1}^{\tau} \pi^\star_k = 1 - \sum_{k=\tau+1}^{\infty} \pi^\star_k \;\ge\; 1 - \sum_{k=\tau+1}^{\infty} \pi_k = \sum_{k=1}^{\tau} \pi_k.$$
Consequently, we conclude that the steady-state distribution of the arbitrary stationary scheme is weakly majorized by that of the optimal one, denoted by $\Pi \prec \Pi^\star$. (Note that the elements in the probability sequence are sorted in decreasing order.) Based on the monotonically increasing property of $\mathrm{Tr}[h^\tau(\bar{P})]$, we obtain that $J_s(\Theta^\star_s, a_0) \le J_s(\Theta_s, a_0)$ according to the Hardy-Littlewood inequality in Hardy et al. (1952).

Next, we obtain the relationship between $\tau$ and $\tilde{\tau}$ under the coupled cheating mechanism $\Phi^\star$. Based on the iterations of $\tau_k$ and $\tilde{\tau}_k$, if $(\tau_{k-1}, \tilde{\tau}_{k-1}) = (\tau, \tilde{\tau})$, then
$$(\tau_k, \tilde{\tau}_k) = \begin{cases} (\tau + 1, \; 0), & \text{if } \eta_k = 0, \\ (0, \; \tilde{\tau} + 1), & \text{otherwise.} \end{cases} \tag{28}$$
Equivalently, $\tilde{\tau}_k = 0$ if $\t𝑎u_k \ge 1$. Therefore, based on the spurious information, the jamming energy adopted by the attacker is given as follows:
$$\tilde{E}_a(\Phi^\star) \triangleq E_a(\tilde{\tau}_k) = E_a(0), \qquad \text{if } \tau_k \ge 1. \tag{29}$$
Last, we show the optimality of the proposed scheme pair among all possible such pairs. Consider a scheme pair with an arbitrary transmission scheme and an arbitrary cheating mechanism, denoted by $\{\Theta_s, \Phi\}$. Let $\hat{\Phi}$ be a cheating mechanism s.t. $\tilde{\tau}_k = 0$ for all $\tau_k \ge 0$. Since $E_a(0) \le E_a(\tau)$ for all $\tau$, the transition probability from $\tau_k$ to $\tau_k + 1$ of the Markov process under the latter scheme $\hat{\Phi}$ (i.e., with $\Pr(\eta_k = 1) = q \cdot \theta^s(\tau_k)$ and $q = 1 - \mathrm{PER}(E_s, E_a(0))$) is less than that under the former one. Based on $\frac{\partial J_s}{\partial \Pr(\eta_k = 1)} < 0$, we conclude that
$$J_s(\Theta_s, \tilde{E}_a(\Phi), \Phi) \;\ge\; J_s(\Theta_s, E_a(0), \hat{\Phi}) = J_s(\Theta_s, \tilde{E}_a(\hat{\Phi}), \hat{\Phi}).$$
From Lemma 3, there exists a stationary schedule $\hat{\Theta}_s$ s.t. $J_s(\hat{\Theta}_s, E_a(0), \hat{\Phi}) \le J_s(\Theta_s, E_a(0), \hat{\Phi})$. According to the previous discussion, the proposed stationary transmission schedule $\Theta^\star_s$ is an optimal solution for the minimization problem $\min J_s(\hat{\Theta}_s, E_a(0), \hat{\Phi})$ with the respective constraint. Moreover, we can prove that
$$J_s(\Theta^\star_s, E_a(0), \hat{\Phi}) = J_s(\Theta^\star_s, \tilde{E}_a, \Phi^\star),$$
since $\theta^\star_s(\tau = 0) = 0$ under the optimal schedule $\Theta^\star_s$, and $p_0 = \Pr(\eta_k = 1) = 0$ regardless of the value of $\tilde{E}_a$ when $\tau_k = 0$ (see (29) for the other cases).

Remark 5. The cheating scheme $\Phi^\star$ is of common sense and is easy to accomplish. Since $\phi_k = 1$ for all $k$, an agreement that if the packet is dropped then ACK = 0 should be reached in advance between the sensor and the estimator. For the optimal transmission schedule $\Theta^\star_s$, a result similar to those in Ren et al. (2014) and Mo et al. (2012) can be obtained, but our proof is different from theirs and is derived from majorization theory.
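Theorem 4 worked through for the scalar system of Section 4 (Table 1 parameters, state set truncated to $\tau_k \in [0, 11]$); this is an added example, not the authors' code. `budget` stands for the average energy budget $\mathcal{E}_s$ of Problem 2, and the schedule compared against is the stationary state-independent schedule $\theta = \mathcal{E}_s / E_s$ (same mean as the Bernoulli scheme $\Theta_1$ of Example 2), which is an assumption of this example rather than the paper's non-stationary $\Theta_1$.

```python
"""Optimal deception-based schedule (Theorem 4) for the Table 1 system.
Added worked example; 'budget' is the average energy budget of Problem 2."""
from math import floor


def steady_state_covariance(A, C, Q, R, tol=1e-12, max_iter=10_000):
    """Fixed point P_bar of h∘g~ (eq. (2)) for the scalar Kalman filter."""
    P = Q
    for _ in range(max_iter):
        P_pred = A * P * A + Q                                           # h(P)
        P_new = P_pred - P_pred * C * C * P_pred / (C * P_pred * C + R)  # g~(h(P))
        if abs(P_new - P) < tol:
            return P_new
        P = P_new
    return P


def h_power(P_bar, A, Q, i):
    """h^i(P_bar): remote error covariance after i consecutive losses, eq. (10)."""
    P = P_bar
    for _ in range(i):
        P = A * P * A + Q
    return P


def optimal_schedule(E_s, budget, q, tau_max):
    """Eqs. (21)-(22): tau_0 and theta*(tau) for tau = 0..tau_max (tau_0 < tau_max).
    If the budget covers a transmission at every step, theta* is identically 1."""
    tau0 = max(floor((E_s - budget) / (q * budget)), 0)
    theta_tau0 = min(((tau0 + 1) * q * budget + budget - E_s) / (q * budget), 1.0)
    return tau0, [0.0] * tau0 + [theta_tau0] + [1.0] * (tau_max - tau0)


def stationary_from_schedule(theta, q):
    """Lemma 3, eq. (20): pi_{n+1} = (1 - theta(n) q) pi_n, normalised over {0..tau_max}."""
    pi = [1.0]
    for n in range(len(theta) - 1):
        pi.append((1.0 - theta[n] * q) * pi[-1])
    total = sum(pi)
    return [p / total for p in pi]


def stationary_closed_form(E_s, budget, q, tau0, tau_max):
    """The stationary distribution pi*(tau) stated in Theorem 4."""
    pi0 = q * budget / E_s
    tail = q - budget * q * q * (tau0 + 1) / E_s
    return [pi0 if t <= tau0 else tail * (1 - q) ** (t - tau0 - 1)
            for t in range(tau_max + 1)]


def average_costs(pi, theta, P_bar, A, Q, E_s):
    """Eqs. (18) and (19): (J_s, E_bar_s) of a stationary schedule."""
    J = sum(p * h_power(P_bar, A, Q, i) for i, p in enumerate(pi))
    energy = sum(p * th * E_s for p, th in zip(pi, theta))
    return J, energy


def compare_with_uniform(E_s, budget, q, tau_max, A, C, Q, R):
    """Theta*_s against the state-independent schedule theta = budget / E_s (same mean energy)."""
    P_bar = steady_state_covariance(A, C, Q, R)
    _, theta_opt = optimal_schedule(E_s, budget, q, tau_max)
    theta_uni = [budget / E_s] * (tau_max + 1)
    J_opt, _ = average_costs(stationary_from_schedule(theta_opt, q), theta_opt, P_bar, A, Q, E_s)
    J_uni, _ = average_costs(stationary_from_schedule(theta_uni, q), theta_uni, P_bar, A, Q, E_s)
    return J_opt, J_uni


if __name__ == "__main__":  # Table 1 parameters; budgets of Examples 1 and 2
    for budget in (1.2, 2.0):
        print(budget, optimal_schedule(4.0, budget, 0.75, 11), compare_with_uniform(4.0, budget, 0.75, 11, 1.2, 0.7, 0.8, 0.8))
```

With the Table 1 values the schedule returned is $[0, 0, 0, 0.89, 1, \ldots]$ for the budget 1.2 and $[0, 0.67, 1, \ldots]$ for the budget 2, matching Examples 1 and 2.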
4. SIMULATION AND EXAMPLES

In this section, we illustrate the proposed optimal scheme pair via some comparisons. For simplicity, we consider a scalar dynamic system with the parameters listed in Tab. 1. In addition, we adopt a general form of PER for an AWGN (wireless) channel, as in Tse and Viswanath (2005), that is, $\mathrm{PER}(\mathrm{SINR}) = 1 - c \cdot (\mathrm{SINR})^{-L}$, and the channel parameters are also shown in Tab. 1. To reduce the computational burden, we restrict the state set $\mathcal{Z}_k$ to be finite; i.e., $\tau_k \in [0, 11]$ for all $k$. The results are summarized as follows.

Example 1: Let $\mathcal{E}_s = 1.2$; we obtain the optimal transmission schedule $\Theta^\star_s = [0, 0, 0, 0.89, 1, \ldots]$. With $\Theta^\star_s$, we compare the averaged error covariance in the absence of cheating with that of the "consistently" cheating case (i.e., $\Phi^\star$). The comparison result is shown in Fig. 3, and it can be observed that the cheating mechanism $\Phi^\star$ greatly improves the estimation quality under DoS attacks, and its corresponding averaged error covariance converges rapidly.

Example 2: Let $\mathcal{E}_s = 2$; the optimal transmission schedule is $\Theta^\star_s = [0, 0.67, 1, \ldots]$. Assume that the sensor adopts the "consistently" cheating mechanism $\Phi^\star$. We consider the non-stationary transmission scheme following a Bernoulli distribution, i.e., $\Theta_1 = \{\theta^s_k \sim \mathcal{B}(1, \mathcal{E}_s / E_s)\}$, and note that it also satisfies the energy constraint $\bar{E}_s \le \mathcal{E}_s$. The simulation result is depicted in Fig. 4, which shows that the optimal schedule $\Theta^\star_s$ outperforms the non-stationary schedule $\Theta_1$.

Table 1. Summary of parameters

Parameters for dynamic system: $A = 1.2$, $C = 0.7$, $Q = 0.8$, $R = 0.8$, $\bar{P} = 0.9245$
Channel and energy: $c = 1$, $L = 1$, $n_0 = 0.2$, $E_s = 4$, $q = 0.75$

Fig. 3. Comparison under transmission schedule $\Theta^\star_s$: averaged error covariance $\frac{1}{k}\sum_{i=0}^{k} P_i$ versus time $k$ (0 to 5000), for the consistently cheating mechanism $\Phi^\star$ and for no cheating ($\Phi = 0$).

Fig. 4. Comparison under cheating mechanism $\Phi^\star$: averaged error covariance $\frac{1}{k}\sum_{i=0}^{k} P_i$ versus time $k$ (0 to 5000), for the uniform transmission schedule $\Theta_1$ and the optimal transmission schedule $\Theta^\star_s$.

5. CONCLUSION

The purpose of the current study was to investigate CPS security issues between a sensor and a remote estimator under DoS-attack threats, and an optimal transmission schedule coupled with a cheating mechanism was proposed. This is the first time that an ACK-based deception mechanism for the sensor has been used to explore the remote state estimation problem. This research will serve as a basis for future studies into DoS-attack countermeasures in CPS design.

REFERENCES
Anderson, B.D. and Moore, J.B. (2012). Optimal Filtering. Courier Corporation.
Cardenas, A.A., Amin, S., and Sastry, S. (2008). Secure control: Towards survivable cyber-physical systems. In Proc. IEEE 28th Int. Conf. Distributed Computing Systems Workshops, 495–500.
Han, D., Cheng, P., Chen, J., and Shi, L. (2014). An online sensor power schedule for remote state estimation with communication energy constraint. IEEE Trans. on Automatic Control, 59(7), 1942–1947.
Hardy, G., Littlewood, J., and Pólya, G. (1952). Inequalities. Cambridge University Press.
Hovareshti, P., Gupta, V., and Baras, J.S. (2007). Sensor scheduling using smart sensors. In Proc. IEEE 46th Annu. Conf. Decision and Control, 494–499.
Ics.sans.org (2016). SANS Industrial Control Systems Security Blog: Current reporting on the cyber attack in Ukraine resulting in power outage. SANS Institute. URL https://ics.sans.org/blog/2016/01/09.
Li, Y., Quevedo, D.E., Dey, S., and Shi, L. (2015a). Fake-acknowledgment attack on ACK-based sensor power schedule for remote state estimation. In Proc. IEEE 54th Annu. Conf. Decision and Control, 5795–5800.
Li, Y., Shi, L., Cheng, P., Chen, J., and Quevedo, D. (2015b). Jamming attacks on remote state estimation in cyber-physical systems: A game-theoretic approach. IEEE Trans. on Automatic Control, 60(10), 2831–2836.
Mo, Y., Sinopoli, B., Shi, L., and Garone, E. (2012). Infinite-horizon sensor scheduling for estimation over lossy networks. In Proc. IEEE 51st Annu. Conf. Decision and Control, 3317–3322.
Ren, Z., Cheng, P., Chen, J., Shi, L., and Zhang, H. (2014). Dynamic sensor transmission power scheduling for remote state estimation. Automatica, 50(4), 1235–1242.
Shi, L., Cheng, P., and Chen, J. (2011). Sensor data scheduling for optimal state estimation with communication energy constraint. Automatica, 47(8), 1693–1698.
Tse, D. and Viswanath, P. (2005). Fundamentals of Wireless Communication. Cambridge University Press.
Zhang, H., Cheng, P., Shi, L., and Chen, J. (2015). Optimal denial-of-service attack scheduling with energy constraint. IEEE Trans. on Automatic Control, 60(11), 3023–3028.