7th IFAC Workshop on Distributed Estimation and Control in Networked Systems
Chicago, IL, USA, September 16-17, 2019
Available online at www.sciencedirect.com
ScienceDirect
IFAC PapersOnLine 52-20 (2019) 375–380
Randomized Transmissions for Networked Control Under High-Frequency Jamming
Ahmet Cetinkaya ∗, Hideaki Ishii ∗∗, Tomohisa Hayakawa ∗∗∗

∗ National Institute of Informatics, Tokyo, 101-8430, Japan
∗∗ Department of Computer Science, Tokyo Institute of Technology, Yokohama, 226-8502, Japan
∗∗∗ Department of Systems and Control Engineering, Tokyo Institute of Technology, Tokyo 152-8552, Japan

Abstract: We explore the networked control problem of a linear continuous-time plant under jamming attacks. We introduce a state-feedback control framework where the sensor transmits state information packets to the controller at random time instants. We show that our randomized transmission approach can handle jamming attacks with high occurrence frequencies and closed-loop stability can be achieved as long as the average jamming duration is sufficiently small. We illustrate the efficacy of our approach with a numerical example.

Copyright © 2019. The Authors. Published by Elsevier Ltd. All rights reserved. Peer review under responsibility of International Federation of Automatic Control. ISSN 2405-8963. DOI 10.1016/j.ifacol.2019.12.184

Keywords: Networked Control, Malicious jamming attacks, Randomized transmissions

This work is supported by JST ERATO HASUO Metamathematics for Systems Design Project (No. JPMJER1603), by JST CREST Grant No. JPMJCR15K3, and by JSPS under Grant-in-Aid for Scientific Research Grant No. 18H01460.

1. INTRODUCTION

Developing secure control approaches has become a very important task, as many control architectures in cyber-physical systems use communication networks that are actively targeted by cyber attackers. As pointed out by Sandberg et al. (2015) and Lun et al. (2019), a vulnerable network may lead to a range of critical cyber-security issues in a control system. For instance, attackers who have knowledge on the properties of the network and the system can alter the data in measurement/control packets and even inject false information in the system without getting detected. Furthermore, attackers with limited information may still be able to disrupt the normal operation of a networked control system by preventing delivery of packets through denial-of-service (DoS) attacks. In particular, jamming attacks (Pelechrinis et al., 2011), which are DoS attacks on wireless channels, may cause significant problems in wireless networked control.

Recently, jamming and other DoS attacks have been studied in a number of works from the perspective of control theory (see Cetinkaya et al. (2019) for an overview). The transmission failure models utilized in those works take into account the uncertainty in the generation of attacks. As a result, attack models typically differ from the models used in the literature for describing nonmalicious packet drops (Hespanha et al., 2007). For instance, the model proposed by De Persis and Tesi (2015) allows the timing of the attacks to be arbitrary as long as the total duration and the frequency of the occurrences of attacks are bounded. This model has been utilized also in recent works by Feng and Tesi (2017), Senejohnny et al. (2017), and Kato et al. (2019) for exploring predictive output-feedback control, multi-agent consensus, and nonlinear control problems, respectively. These works utilize periodic and event-based transmission approaches with deterministic communication times. An attacker who is knowledgeable about such a transmission approach can block all communication attempts even by only utilizing small energy resources. In particular, the attacker may just emit jamming signals for very short durations around the communication attempt times. Thus, for such transmission approaches, it is necessary that the occurrences of attacks are less frequent than the occurrences of communication attempts.

Our goal in this paper is to utilize randomized transmissions to tackle the networked control problem under jamming attacks, where the attack frequency may not be restricted. Specifically, we consider the networked control of a continuous-time linear plant. In our framework, the sensor at the plant side sends the state measurements to the controller at random time instants that are unknown to the attacker. Furthermore, a timer is utilized at the plant side to manage the switching between the last input from the controller and the zero input. We obtain sufficient conditions of almost sure asymptotic stabilization and show that our randomized framework can achieve stabilization regardless of the frequency of jamming attacks as long as the average jamming duration is sufficiently small.

Randomization approaches have been utilized previously in communication networks in a few different ways. Random access schemes and random waiting times have been utilized for avoiding packet collisions in the carrier-sense multiple access (CSMA) method (Schwartz, 2004). A random access scheme has also been employed in wireless control systems by Calvo-Fullana et al. (2017) and Gatsis et al. (2018) to allow for decentralized channel access scheduling. In those works, multiple sensors and controllers attempt to transmit packets on a channel at random time instants. To increase resiliency against malicious nodes in
a multi-agent system, Dibaji et al. (2018) used randomness in quantization and scheduling of inter-agent communications. Moreover, Pöpper et al. (2010) used randomized frequency hopping methods to reduce the effect of jamming in wireless networks.
We note that our randomization approach is more closely related to that in our previous work on multi-agent consensus under jamming attacks (Kikuchi et al., 2017). There, we showed that by randomizing the transmission instants, the agents can successfully communicate with each other infinitely many times in the long run, and thus, consensus is achieved eventually. In the networked control problem of this paper, infinitely many successful transmissions do not guarantee stability. As a key step in our stability analysis, here we show that an upper bound on the long-run average number of failed transmission attempts can be obtained in terms of the upper bound of the average attack duration.

We organize the paper as follows. The networked control problem under jamming attacks and our control framework with the randomized transmission approach are discussed in Section 2. We then provide the closed-loop stability analysis in Section 3, and present an example in Section 4. Finally, we conclude the paper in Section 5.

Throughout the paper, we represent nonnegative and positive integers by $\mathbb{N}_0$ and $\mathbb{N}$, respectively. We use $\mathbb{E}[\cdot]$ and $\mathbb{P}[\cdot]$ to respectively denote the expectation and the probability measure on a probability space $(\Omega, \mathcal{F}, \mathbb{P})$, where $\mathcal{F}$ is the σ-algebra that includes the events concerning the random variables associated with our transmission protocol. The indicator of the event $E \in \mathcal{F}$ is denoted by $1[E] : \Omega \to \{0, 1\}$, where $1[E](\omega) = 1$, $\omega \in E$, and $1[E](\omega) = 0$, $\omega \notin E$. We use $\|\cdot\|$ to denote the Euclidean norm for vectors and the associated induced matrix norm for matrices. For a given positive-definite matrix $P \in \mathbb{R}^{n \times n}$, $\|M\|_P \triangleq \|P^{1/2} M P^{-1/2}\|$ denotes the $P$-weighted norm of matrix $M \in \mathbb{R}^{n \times n}$, where $P^{1/2} \in \mathbb{R}^{n \times n}$ is the unique square-root of $P$, and moreover, $\lambda_{\max}(P)$ represents the largest eigenvalue of $P$.

2. NETWORKED CONTROL UNDER JAMMING

Consider the networked control problem depicted in Fig. 1 of a continuous-time plant described by

$$\dot{x}(t) = Ax(t) + Bu(t), \quad x(0) = x_0, \quad t \in [0, \infty), \tag{1}$$

where $x(t) \in \mathbb{R}^n$ is the state, $u(t) \in \mathbb{R}^m$ is the control input applied to the plant, $A \in \mathbb{R}^{n \times n}$ is the unstable system matrix, and $B \in \mathbb{R}^{n \times m}$ is the input matrix. The pair $(A, B)$ is assumed to be stabilizable. The state $x(t)$ is measured, and its transmission to the controller over a network is attempted at time instants $t_0, t_1, t_2, \ldots \in [0, \infty)$ with $t_i < t_{i+1}$, $i \in \mathbb{N}_0$. We consider the case where the network is subject to jamming attacks. In particular, if the jamming attacker is active at a transmission attempt time $t_i$, then the transmission of the state information $x(t_i)$ fails. We use $l(i) \in \{0, 1\}$ to indicate whether a jamming attack is present at time $t_i$ or not. Specifically, $l(i) = 1$ indicates that there is a jamming attack at time $t_i$ and the transmission attempt at that time fails. Moreover, $l(i) = 0$ indicates that there is no attack and $x(t_i)$ is successfully transmitted to the controller.

Figure 1. Networked control system with randomized transmissions under jamming attacks. The sensor is equipped with a random number generator (RNG) to decide state packet transmission instants. A timer at the plant side decides the control input by switching between 0 and the last control packet kept with zero order hold (ZOH).

2.1 Jamming attacks

Before we explain our communication and control approaches, we first discuss possible jamming attack strategies that a networked control system may face. In this paper, we represent the timing of jamming attacks by connected sets (intervals) $\mathcal{A}_k \subset [0, \infty)$, $k \in \mathbb{N}_0$, that satisfy $\mathcal{A}_j \cap \mathcal{A}_k = \emptyset$ for $j \neq k$, and $a < b$ for every $a \in \mathcal{A}_k$, $b \in \mathcal{A}_{k+1}$, $k \in \mathbb{N}_0$. During each interval $\mathcal{A}_k$, the attacker jams the network and blocks any communication attempt that occurs inside that interval. For a given time frame $[\tau, t) \subset [0, \infty)$, we use $\mathcal{A}(\tau, t) \subseteq [\tau, t)$ to denote the set of times where the jamming attack is active, that is,

$$\mathcal{A}(\tau, t) \triangleq \bigcup_{k \in \mathbb{N}_0} \mathcal{A}_k \cap [\tau, t). \tag{2}$$

Furthermore, the total duration of the attacks in the same interval is given by $|\mathcal{A}(\tau, t)|$. Notice that

$$l(i) = 1[t_i \in \mathcal{A}(0, t_i)], \quad i \in \mathbb{N}_0, \tag{3}$$

that is, the $i$th communication attempt fails if the attempt time $t_i$ is inside one of the attack intervals. We denote the number of attack intervals in a given time frame $[\tau, t)$ by $n(\tau, t) \in \mathbb{N}_0$, which is given as

$$n(\tau, t) \triangleq \sum_{k=0}^{\infty} 1[\mathcal{A}_k \cap [\tau, t) \neq \emptyset].$$
In this paper, we consider jamming attacks that are restricted in their average duration as follows.

Assumption 1. There exist $\kappa_A \geq 0$ and $\rho_A \in [0, 1)$ such that for each $t \geq 0$,

$$|\mathcal{A}(0, t)| \leq \kappa_A + \rho_A t. \tag{4}$$

The scalar $\rho_A \in (0, 1)$ in Assumption 1 can be regarded as an upper bound on the average duration of attacks in long intervals, as (4) implies $\limsup_{t \to \infty} |\mathcal{A}(0, t)|/t \leq \rho_A$. The scalar $\kappa_A \geq 0$, on the other hand, describes the initial capabilities of the attacker. In particular, under Assumption 1, the attacker can initially jam the network for $\kappa_A/(1 - \rho_A)$ units of time. Attackers with large energy resources can be described with large values of $\kappa_A$. Assumption 1 allows us to model the capabilities of attackers through the duration of attacks that they launch without specifying their particular strategies. This modeling approach was proposed in De Persis and Tesi (2015) and utilized in recent works, e.g., Feng and Tesi (2017); Senejohnny et al. (2017); Kato et al. (2019).

Figure 2. Illustration of transmission attempt times under the randomized transmission protocol. The attempts at $t_0$ and $t_3$ fail due to jamming attacks (indicated with pink shaded regions), whereas those at $t_1$ and $t_2$ are successful.

Note that under Assumption 1, jamming attacks are allowed to stop and restart at arbitrary time instants as long as (4) holds. If the communication attempt times $t_i$, $i \in \mathbb{N}_0$, are known to the attacker, then the attacker can jam the network with attacks of very short durations around the communication attempt times $t_i$, $i \in \mathbb{N}_0$, and preserve energy to be used later. In particular, periodic and deterministic event-triggered communication approaches may be vulnerable to such attack strategies. As discussed in De Persis and Tesi (2015), if the attacker is allowed to attack at a frequency larger than the maximum frequency of communication attempts, then all communication may be blocked even if Assumption 1 is satisfied. To avoid such situations, the frequency of attacks is restricted in the above-mentioned works. In particular, these works consider scenarios where

$$n(0, t) \leq \nu_A + \sigma_A t, \quad t \geq 0, \tag{5}$$

holds with scalars $\nu_A \geq 0$ and $\sigma_A \in (0, 1/T)$, where $T$ is the minimum interval between consecutive communication attempts. Differently from those works, in this paper we do not restrict the number $n(\tau, t)$ of attacks in any interval $[\tau, t)$. More specifically, we allow the system to be subject to attacks with very high frequency.
2.2 Randomized Communication Approach

To mitigate attacks with very high frequency, we introduce an approach using a randomized communication strategy, where the transmission attempt times $t_i$, $i \in \mathbb{N}_0$, are random variables. In particular, the following definition provides a characterization of the transmission attempt times as uniformly distributed random variables.

Definition 2. (Randomized communication protocol). The transmissions on the network are attempted at random times $t_0, t_1, \ldots$, given by $t_k \triangleq k\Delta + \delta_k$, $k \in \mathbb{N}_0$, where $\Delta > 0$ is a fixed scalar, and $\delta_k$, $k \in \mathbb{N}_0$, are independent random variables that are distributed uniformly in the interval $[0, \Delta)$.

The key idea behind the randomization approach in Definition 2 is that a random transmission attempt time $t_i$ is not known to the attacker a priori. We used such a randomized communication protocol in our previous work Kikuchi et al. (2017). There, we showed that each agent of a multi-agent system can achieve infinitely many successful transmissions with its neighbors by following the randomized communication protocol. Moreover, the jamming attacks were assumed to be constrained in a way that is more restrictive compared to Assumption 1. In particular, it was assumed that
$$|A(\tau, t)| \leq \kappa_A + \rho_A (t - \tau), \quad \tau \geq 0, \quad t \in [\tau, \infty), \tag{6}$$
where $\kappa_A \geq 0$ and $\rho_A \in [0, 1)$. Notice that the set of jamming attack strategies satisfying Assumption 1 is strictly larger than the set of those that satisfy (6). In particular, the maximum length of a continuous jamming attack satisfying (6) is necessarily bounded by $\kappa_A (1 - \rho_A)^{-1}$. There is not a similar bound for Assumption 1. In particular, under Assumption 1, an attacker can launch arbitrarily long continuous jamming attacks after waiting for a sufficiently long duration without jamming.

In this paper, we will show that a result similar to that in Kikuchi et al. (2017) holds even under Assumption 1. Note that for achieving consensus in multi-agent systems, as discussed in Kikuchi et al. (2017), it is sufficient that agents make infinitely many successful communications with each other in the long run. On the other hand, for the networked control problem of this paper, infinitely many successful transmissions are not sufficient for achieving stability. In Section 3, we will show that if $\rho_A$ in Assumption 1 is sufficiently small, then the randomized communication protocol guarantees that the long-run average number of successful transmissions is sufficiently large, ensuring stability. An important advantage of our communication and control approaches is that they do not require jamming attacks to be restricted in their frequencies.

Our approach differs from randomization in TCP-like communication protocols with acknowledgements. In such protocols, when there is a packet collision, a retransmission can be scheduled to happen after a random waiting time to avoid a secondary collision. In our framework, randomization is introduced to mitigate jamming attacks, and moreover, acknowledgement messages and retransmissions are not needed. Thus, a UDP-like protocol can be utilized.

Remark 3. For secure operation, the random number generation mechanism at the plant side has to be secure so that the attacker does not obtain information about the generated random time sequence $t_0, t_1, \ldots$. If, for instance, the plant-side mechanism employs a pseudo random number generator that is known to the attacker, then the attacker may successfully predict communication attempt instants. With secure random number generators, the time instants $t_0, t_1, \ldots$ cannot be known by the attacker. If $t_0, t_1, \ldots$ are generated online, they cannot be known by the controller either. Therefore, the controller needs to be in listening-mode to successfully receive the state measurement packets. We note however that the random time $t_{k+1}$ can be generated and transmitted to the controller along with the state measurement $x(t_k)$ at time $t_k$. If the controller does not receive this information due to an attack, then it stays in listening-mode; however, if it successfully receives the information at time $t_k$, then it can sleep until $t_{k+1}$ to preserve energy.

2.3 Control Law

For stabilizing the linear system (1), we utilize a state feedback control law, which we illustrate in Fig. 1. Specifically, if there is a successful transmission attempt at time $t_i$, then the control input at the plant side is set to $Kx(t_i)$, where $K \in \mathbb{R}^{m \times n}$ is the feedback gain. If the next transmission attempt at time $t_{i+1}$ is successful, then the control input is changed to $Kx(t_{i+1})$. If, on the other hand, the attempt at time $t_{i+1}$ fails, then the input $Kx(t_i)$ is kept for a fixed duration, and then it is reset to zero.
To formulate the control law, first let $\bar{x}(t) \in \mathbb{R}^n$ be the most recent state information that is available to the controller at time $t$. Specifically, the vector $\bar{x}(t)$ is given by $\bar{x}(0) = 0$ and
$$\dot{\bar{x}}(t) \triangleq 0, \quad t \in [0, \infty) \setminus \{t_0, t_1, \ldots\}, \tag{7}$$
$$\bar{x}(t_i) \triangleq \begin{cases} x(t_i), & l(i) = 0, \\ \bar{x}(t_i^-), & \text{otherwise}, \end{cases} \quad t = t_i, \quad i \in \mathbb{N}_0. \tag{8}$$
The control input applied to the plant is then given by
$$u(t) = \mathbb{1}[\eta(t) > 0] K \bar{x}(t), \tag{9}$$
where $\eta(0) = 0$, and
$$\dot{\eta}(t) \triangleq -1, \quad t \in [0, \infty) \setminus \{t_0, t_1, \ldots\}, \tag{10}$$
$$\eta(t_i) \triangleq \begin{cases} (i + 2)\Delta - t_i, & l(i) = 0, \\ \eta(t_i^-), & \text{otherwise}, \end{cases} \quad t = t_i, \quad i \in \mathbb{N}_0. \tag{11}$$

Here, the scalar $\eta(t)$ acts as a timer. More specifically, when there is a successful transmission attempt at time $t_i$, $\eta(t)$ is set to a positive value $(i + 2)\Delta - t_i$. The scalar $\eta(t)$ then decreases continuously with the decrease rate 1. If the next transmission attempt at time $t_{i+1}$ fails, $\eta(t)$ eventually becomes zero at time $(i + 2)\Delta$, and at that time the control input is reset to zero as indicated in (9). If, on the other hand, the transmission attempt at time $t_{i+1}$ is successful, $\eta(t)$ is reset to $(i + 3)\Delta - t_{i+1}$, and therefore, the control input is directly changed from $Kx(t_i)$ to $Kx(t_{i+1})$, since $\bar{x}(t)$ becomes $x(t_{i+1})$ at time $t_{i+1}$.

Using the timer $\eta(\cdot)$ allows us to characterize the control input in a compact way. We note that impulsive characterizations with timers were utilized previously for deterministic self-triggered controllers in multi-agent systems in Senejohnny et al. (2017). Here in this paper, $\{\eta(t) \in \mathbb{R}\}_{t \in [0, \infty)}$ is a piecewise-continuous stochastic process due to randomness in the characterization of the transmission attempt times.

3. STABILITY ANALYSIS

In this section, we provide an analysis of the networked control system (1), (9) with the randomized transmission protocol and obtain sufficient conditions that guarantee asymptotic stabilization under jamming attacks.

For simplicity of presentation, we restrict our attention to “deterministic jamming attacks” discussed by Kikuchi et al. (2017). In such attacks, the attack intervals are given by $A_k(\omega) = A_k$, $\omega \in \Omega$, where $A_k$, $k \in \mathbb{N}_0$, are fixed sets. Under deterministic attacks, jamming indicators $l(0), l(1), \ldots$ are independent random variables with distributions that depend on the attacker’s strategies in the respective intervals $[0, \Delta), [\Delta, 2\Delta), \ldots$. We note that our analysis approach can also be extended to the case of “communication-aware attacks” of Kikuchi et al. (2017) as well as “state-dependent attacks” of Cetinkaya et al. (2018), where $l(0), l(1), \ldots$ are random variables that are conditionally independent given the attacker’s strategy.

In our analysis of the networked control system (1), (9), we utilize the almost sure asymptotic stability notion (see Section 6.1 in Xie (2011) and Definition 3.1 in Cetinkaya et al. (2017)). In particular, we show that under any attack strategy with a sufficiently small average attack duration bound $\rho_A$, our framework with randomized transmissions can guarantee $\mathbb{P}[\lim_{t \to \infty} x(t) = 0] = 1$.
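The control law (7)-(11) combined with the protocol of Definition 2, as an added simulation sketch that is not code from the paper. The plant data, $\Delta = 0.1$, $\rho_A = 0.166$, $x_0$ and the periodic attack intervals $[k/f_A, (k + \rho_A)/f_A]$ are those of the paper's numerical example; the 1 ms forward-Euler step, integer-nanosecond time and all function and variable names are assumptions of this example.

```python
import math
import secrets

NS = 1_000_000_000           # integer nanoseconds keep interval-edge tests exact
DELTA_NS = NS // 10          # Delta = 0.1 s (Section 4)
DT_NS = NS // 1000           # 1 ms forward-Euler step (assumption of this sketch)
STEPS = DELTA_NS // DT_NS    # Euler steps per slot [i*Delta, (i+1)*Delta)
RHO_PERMILLE = 166           # rho_A = 0.166 (Section 4)
A = ((0.0, 1.0), (0.1, 0.1))
B = (0.0, 1.0)
K = (-1.0, -1.0)


def jammed(t_ns, f_a):
    """True if t is inside a periodic attack interval [k/f_A, (k + rho_A)/f_A]."""
    period = NS // f_a
    return t_ns % period <= period * RHO_PERMILLE // 1000


def simulate(f_a, randomized, slots=100):
    """Run the closed loop for slots*Delta seconds.

    Returns (number of failed attempts, Euclidean norm of the final state).
    """
    dt = DT_NS / NS
    x = [-1.0, 1.0]          # x0 from Section 4
    x_held = [0.0, 0.0]      # latest state received by the controller, zero at t = 0
    eta = 0                  # timer eta(t) of (10)-(11), counted in Euler steps
    failures = 0
    for i in range(slots):
        # Definition 2: delta_i uniform on [0, Delta), drawn from the OS CSPRNG
        # (Remark 3). The periodic baseline always uses delta_i = 0.
        delta_ns = secrets.randbelow(DELTA_NS) if randomized else 0
        delivered = not jammed(i * DELTA_NS + delta_ns, f_a)   # l(i) = 0
        failures += not delivered
        fire = delta_ns // DT_NS      # Euler step of this slot that contains t_i
        for s in range(STEPS):
            if delivered and s == fire:
                x_held = list(x)      # (8): controller copy jumps to x(t_i)
                eta = 2 * STEPS - s   # (11): eta(t_i) = (i + 2)*Delta - t_i
            # (9): feedback while the timer is positive, zero input afterwards
            u = K[0] * x_held[0] + K[1] * x_held[1] if eta > 0 else 0.0
            dx0 = A[0][0] * x[0] + A[0][1] * x[1] + B[0] * u
            dx1 = A[1][0] * x[0] + A[1][1] * x[1] + B[1] * u
            x = [x[0] + dt * dx0, x[1] + dt * dx1]
            eta -= 1                  # (10): the timer decreases at rate 1
    return failures, math.hypot(x[0], x[1])


if __name__ == "__main__":
    for f_a in (2, 20, 200, 2000):
        for randomized in (True, False):
            failures, norm = simulate(f_a, randomized)
            label = "randomized" if randomized else "periodic  "
            print(f"f_A={f_a:5d} {label} failed={failures:3d}/100 |x(10)|={norm:.4f}")
```

With $f_A = 20$ every attempt of the periodic schedule $t_k = k\Delta$ falls inside an attack interval, so the plant runs open loop and the state norm grows, while the randomized schedule loses only a fraction of its attempts and the state decays.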
In our analysis, we use a Lyapunov-like function $V \colon \mathbb{R}^n \to [0, \infty)$ given by
$$V(x) \triangleq x^{\mathrm{T}} P x, \quad x \in \mathbb{R}^n,$$
where $P \in \mathbb{R}^{n \times n}$ is a positive-definite matrix satisfying
$$(A + BK)^{\mathrm{T}} P + P (A + BK) \leq -\gamma P, \tag{12}$$
$$A^{\mathrm{T}} P + P A \leq \varphi P \tag{13}$$
with scalars $\gamma > 0$ and $\varphi > 0$. Note that we can always find $P$, $K$, and $\gamma$ satisfying (12), since $(A, B)$ is stabilizable.

The scalar $\varphi$ in (13) is an upper bound on the increase rate of $V(x(t))$ during intervals when the system runs in the uncontrolled mode ($u(t) \equiv 0$). On the other hand, the scalar $\gamma$ is an upper bound on the decrease rate of the function $V(z(t))$ of the state $z(t)$ of a stable system
$$\dot{z}(t) = (A + BK) z(t), \quad z(0) = z_0, \quad t \geq 0, \tag{14}$$
since $V(z(t)) \leq e^{-\gamma t} V(z_0)$ holds by (12). We remark that (14) is not a direct representation of the controlled mode of the closed-loop system (1), (9), since our control law employs the sampled state data $x(t_i)$ and not the actual state $x(t)$. Nevertheless, as we show in the following result, if the scalar $\Delta$ in our randomized transmission protocol is selected to be small enough, then there exists a scalar $\beta \triangleq \beta(\Delta) \in (0, \gamma]$ that can be used as the decrease rate of $V(x(t))$ for the controlled mode of the closed-loop networked control system (1), (9).

Lemma 4. Consider the networked control system (1), (9) under the randomized transmission protocol. Let $P \in \mathbb{R}^{n \times n}$ be a positive-definite matrix and $\gamma$, $\varphi$ be positive scalars that satisfy (12) and (13). If the interval length $\Delta$ of the randomized communication protocol satisfies
$$\Delta < \frac{1}{\varphi} \ln\left(1 + \frac{\gamma \varphi}{2 \|A + BK\|_P \left(2 \|BK\|_P + \gamma\right)}\right), \tag{15}$$
then
$$\beta \triangleq \gamma - 2 \|BK\|_P \, \frac{2 \left(e^{\varphi \Delta} - 1\right) \|A + BK\|_P}{\varphi - 2 \left(e^{\varphi \Delta} - 1\right) \|A + BK\|_P} \tag{16}$$
satisfies $0 < \beta \leq \gamma$. Moreover, if the transmission at time $t_i$ is successful ($l(i) = 0$), then
$$\dot{V}(x(t)) \leq -\beta V(x(t)), \quad t \in [t_i, (i + 2)\Delta). \tag{17}$$
If, on the other hand, the transmission at time $t_i$ fails ($l(i) = 1$), then
$$\dot{V}(x(t)) \leq \varphi V(x(t)), \quad t \in [t_i, t_{i+1}). \tag{18}$$

Proof. The proof is omitted due to space limitations.
The inequality (17) in Lemma 4 provides the intervals for which the Lyapunov-like function $V(\cdot)$ is guaranteed to decay. In particular, (17) implies that if $l(i) = 0$, then
$$V(x((i + 2)\Delta)) \leq e^{-\beta \Delta} V(x((i + 1)\Delta)), \tag{19}$$
which indicates that a successful transmission attempt in the interval $[i\Delta, (i + 1)\Delta)$ (at time $t_i$) guarantees a decay of the Lyapunov-like function in the following interval $[(i + 1)\Delta, (i + 2)\Delta)$. On the other hand, (18) provides the intervals for which $V(\cdot)$ may grow. In particular, if $l(i) = 1$, then by (18), we have $V(x(t_{i+1})) \leq e^{\varphi (t_{i+1} - (i + 1)\Delta)} V(x((i + 1)\Delta))$. Using this inequality, we can also show that if $l(i) = 1$, then
$$V(x((i + 2)\Delta)) \leq e^{\varphi \Delta} V(x((i + 1)\Delta)), \tag{20}$$
since $\varphi > -\beta$ implies that $\dot{V}(x(t)) \leq \varphi V(x(t))$ holds for the time interval $[t_{i+1}, (i + 2)\Delta)$ (regardless of whether $l(i + 1) = 0$ or $l(i + 1) = 1$). As a consequence, it follows from (19) obtained for the case of $l(i) = 0$ and (20) obtained for the case of $l(i) = 1$ that
$$V(x((i + 2)\Delta)) \leq l(i) e^{\varphi \Delta} V(x((i + 1)\Delta)) + (1 - l(i)) e^{-\beta \Delta} V(x((i + 1)\Delta)). \tag{21}$$
This inequality is critical in our analysis. Specifically, by using this inequality, we will show that if the long-run average number of failed transmission attempts is sufficiently small, then stability can be guaranteed.

To establish a bound on the average number of transmission failures under our randomized transmission protocol, we provide the following key result.

Theorem 5. Consider deterministic jamming attacks that satisfy Assumption 1 with $\rho_A < 1$. The jamming indicator process $\{l(i) \in \{0, 1\}\}_{i \in \mathbb{N}_0}$ under the randomized transmission protocol satisfies
$$\sum_{k=1}^{\infty} \mathbb{P}\Big[\sum_{i=0}^{k-1} l(i) > \rho k\Big] < \infty, \tag{22}$$
for $\rho \in (\rho_A, 1]$, and moreover, it holds almost surely
$$\limsup_{k \to \infty} \frac{1}{k} \sum_{i=0}^{k-1} l(i) \leq \rho_A. \tag{23}$$
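Proof. First, let $\tau_i \triangleq |A(i\Delta, (i + 1)\Delta)|$ and $p_i \triangleq \tau_i/\Delta$ for $i \in \mathbb{N}_0$. Note that $\tau_i \in [0, \Delta]$ denotes the total length of all jamming intervals in the time window $[i\Delta, (i + 1)\Delta)$. Moreover, since $t_i$ is uniformly distributed in this interval, we have $\mathbb{E}[l(i)] = \mathbb{P}[t_i \in A(i\Delta, (i + 1)\Delta)] = \tau_i/\Delta = p_i$. Now, by Assumption 1,
$$\sum_{i=0}^{k-1} p_i = \frac{1}{\Delta} \sum_{i=0}^{k-1} \tau_i = \frac{1}{\Delta} \sum_{i=0}^{k-1} |A(i\Delta, (i + 1)\Delta)| = \frac{1}{\Delta} |A(0, k\Delta)| \leq \frac{1}{\Delta} (\kappa_A + \rho_A k \Delta) = \frac{\kappa_A}{\Delta} + \rho_A k. \tag{24}$$
Let $\varepsilon \triangleq \rho - \rho_A$ and $k^* \triangleq \inf\{k \in \{2, 3, \ldots\} : \kappa_A/\Delta \leq \varepsilon k/2\}$. By (24), $\sum_{i=0}^{k-1} p_i - \rho_A k \leq \frac{\varepsilon}{2} k$ for $k \geq k^*$. Hence,
$$\mathbb{P}\Big[\sum_{i=0}^{k-1} l(i) > \rho k\Big] = \mathbb{P}\Big[\sum_{i=0}^{k-1} (l(i) - p_i) + \sum_{i=0}^{k-1} p_i - \rho_A k > \varepsilon k\Big] = \mathbb{P}\Big[\sum_{i=0}^{k-1} (l(i) - p_i) > \frac{\varepsilon}{2} k\Big], \quad k \geq k^*. \tag{25}$$
As $l(0), l(1), \ldots$ are independent random variables under deterministic attacks and $\mathbb{E}[l(i)] = p_i$, we use Hoeffding’s inequality (Theorem 2.8 of Boucheron et al. (2013)) to get $\mathbb{P}[\sum_{i=0}^{k-1} (l(i) - p_i) > \frac{\varepsilon}{2} k] \leq e^{-\varepsilon^2 k/8}$, $k \in \mathbb{N}$. Thus, by (25),
$$\sum_{k=1}^{\infty} \mathbb{P}\Big[\sum_{i=0}^{k-1} l(i) > \rho k\Big] = \sum_{k=1}^{k^* - 1} \mathbb{P}\Big[\sum_{i=0}^{k-1} l(i) > \rho k\Big] + \sum_{k=k^*}^{\infty} \mathbb{P}\Big[\sum_{i=0}^{k-1} (l(i) - p_i) > \frac{\varepsilon}{2} k\Big] \leq k^* + \sum_{k=k^*}^{\infty} e^{-\varepsilon^2 k/8} = k^* + \frac{e^{-(k^* - 1)\varepsilon^2/8}}{e^{\varepsilon^2/8} - 1},$$
which implies (22). Now, Lemma 3.3 of Cetinkaya et al. (2017) together with (22) implies (23).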
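An added numerical check of Theorem 5, not code from the paper: it draws attempt times according to Definition 2 and measures the failure fraction $(1/k)\sum_{i=0}^{k-1} l(i)$ bounded in (23), next to a periodic schedule $t_k = k\Delta$. The periodic attack intervals $[k/f_A, (k + \rho_A)/f_A]$, $\rho_A = 0.166$ and $\Delta = 0.1$ are those of the paper's numerical example; integer-nanosecond time, the sample size and all function names are assumptions of this example.

```python
import secrets

NS = 1_000_000_000        # integer nanoseconds: no float rounding at interval edges
DELTA_NS = NS // 10       # Delta = 0.1 s (Section 4)
RHO_PERMILLE = 166        # rho_A = 0.166 (Section 4)


def jammed(t_ns, f_a):
    """True if t lies in a periodic attack interval A_k = [k/f_A, (k + rho_A)/f_A]."""
    period = NS // f_a
    return t_ns % period <= period * RHO_PERMILLE // 1000


def randomized_times(n):
    """Definition 2: t_k = k*Delta + delta_k with delta_k uniform on [0, Delta).

    secrets.randbelow draws from the operating system CSPRNG, so the offsets
    cannot be predicted from earlier ones (the requirement of Remark 3).
    """
    return [k * DELTA_NS + secrets.randbelow(DELTA_NS) for k in range(n)]


def periodic_times(n):
    """Deterministic baseline: attempts at k*Delta, known in advance."""
    return [k * DELTA_NS for k in range(n)]


def failure_fraction(times, f_a):
    """(1/k) * sum of l(i) over the given attempts, the quantity bounded in (23)."""
    return sum(jammed(t, f_a) for t in times) / len(times)


def sweep(n=20000, freqs=(2, 20, 200, 2000)):
    """Map f_A to (randomized failure fraction, periodic failure fraction)."""
    return {
        f_a: (failure_fraction(randomized_times(n), f_a),
              failure_fraction(periodic_times(n), f_a))
        for f_a in freqs
    }


if __name__ == "__main__":
    for f_a, (rand, per) in sweep().items():
        print(f"f_A={f_a:5d}  randomized={rand:.3f}  periodic={per:.3f}")
```

The randomized column stays near $\rho_A$ at every attack frequency, whereas the periodic schedule loses every attempt as soon as the attack period divides $\Delta$.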
Theorem 5 shows that regardless of the frequency of attacks, the long-run average number of failed transmission attempts is always bounded by $\rho_A$, which is the upper bound of average attack duration characterized in Assumption 1.

Now we present the main result of the paper, which provides a sufficient condition on $\rho_A$ to guarantee almost sure asymptotic stability.

Theorem 6. Consider the networked control system (1), (9) under the randomized transmission protocol with the interval length $\Delta$ satisfying (15), where $P \in \mathbb{R}^{n \times n}$ is a positive-definite matrix and $\gamma$, $\varphi$ are positive scalars that satisfy (12) and (13). If
$$\rho_A \varphi - (1 - \rho_A) \beta < 0 \tag{26}$$
holds with $\beta$ given by (16), then under any jamming attack strategy that satisfies Assumption 1, we have
$$\mathbb{P}[\lim_{t \to \infty} x(t) = 0] = 1. \tag{27}$$

Proof. By Lemma 4, we obtain (21), which implies
$$V(x((k + 1)\Delta)) \leq \xi(k) V(x(\Delta)), \quad k \in \mathbb{N},$$
where $\xi(k) \triangleq \prod_{i=0}^{k-1} \left(l(i) e^{\varphi \Delta} + (1 - l(i)) e^{-\beta \Delta}\right)$. Now, let $\mu(k) \triangleq \ln[\xi(k)]$ and note that $\mu(k) = \Delta \sum_{i=0}^{k-1} \left(l(i) \varphi - (1 - l(i)) \beta\right)$. By using (23) in Theorem 5 and (26),
$$\limsup_{k \to \infty} \frac{1}{k} \mu(k) = \Delta \Big((\varphi + \beta) \limsup_{k \to \infty} \frac{1}{k} \sum_{i=0}^{k-1} l(i) - \beta\Big) \leq \Delta \big(\rho_A \varphi - (1 - \rho_A) \beta\big) < 0, \tag{28}$$
almost surely. Therefore, we have $\lim_{k \to \infty} \mu(k) = -\infty$, and thus, $\lim_{k \to \infty} \xi(k) = 0$, almost surely. Noting that $V(x(\Delta))$ is bounded by $V(x(\Delta)) \leq e^{\varphi \Delta} V(x_0)$, we obtain $\mathbb{P}[\lim_{k \to \infty} V(x(k\Delta)) = 0] = 1$, which implies (27).

Theorem 6 indicates that if the average jamming attack duration bound $\rho_A$ is sufficiently small so that (26) holds, then the state converges to the origin with probability one. Notice that (26) does not depend on the frequency of jamming attacks, indicating that the randomized transmission protocol can be utilized under high frequency jamming attacks. This is further illustrated in the next section.

The scalar $\kappa_A$ in Assumption 1 does not appear in the stability condition (26). This is because asymptotic stability is affected by the long run average number of failures, and bounds on the average attack duration. Hence, the average number of failures in the long run depends only on $\rho_A$ and not $\kappa_A$. We note, however, that convergence can be made slower by attack strategies that satisfy Assumption 1 with larger $\kappa_A$ values.

4. NUMERICAL EXAMPLE

Consider the networked control system (1), (9) with
$$A = \begin{bmatrix} 0 & 1 \\ 0.1 & 0.1 \end{bmatrix}, \quad B = \begin{bmatrix} 0 \\ 1 \end{bmatrix}, \quad K = \begin{bmatrix} -1 & -1 \end{bmatrix}.$$
First, we use Theorem 6 to identify a bound on the tolerable average jamming duration. Note that for this system, (12) and (13) hold with
$$\gamma = 0.873, \quad \varphi = 1.31, \quad P = \begin{bmatrix} 1.88 & 0.936 \\ 0.936 & 2.077 \end{bmatrix},$$
and moreover, $\Delta = 0.1$ in the randomized transmission protocol satisfies (15). We set $\beta$ as in (16) and observe that the stability condition (26) holds for every $\rho_A \in [0, 0.166]$. It follows from Theorem 6 that the closed-loop system is stable under any attack strategy satisfying Assumption 1 with average jamming duration bound $\rho_A = 0.166$.

For illustration, we set $\rho_A = 0.166$ and consider periodic attacks with jamming intervals $A_k \triangleq [k/f_A, (k + \rho_A)/f_A]$, $k \in \mathbb{N}_0$, where $f_A > 0$ denotes the occurrence frequency of attacks. Top and bottom plots in Fig. 3 show 100 sample paths of the state norm obtained under different attack frequencies but with the same parameter choice for the randomized transmission protocol ($\Delta = 0.1$) and the same initial condition $x_0 = [-1, 1]^{\mathrm{T}}$. Notice that in the case with higher frequency (top plot) the trajectories show more variation.

Figure 3. Sample paths of state norm $\|x(t)\|$ under attacks with different frequencies $f_A$ (Top: $f_A = 20$, Bottom: $f_A = 2$)

To compare the convergence performance of our approach for different attack frequencies, we also calculate the average state norm $N(T) \triangleq (1/T) \int_0^T \|x(t)\| \, dt$ with $T = 10$ for 100 sample paths obtained under attack frequencies $f_A \in \{2, 20, 200, 2000\}$. Table 1 shows the mean $m_N$ and the standard deviation $s_N$ of $N(T)$. Notice that the convergence performance is similar in all cases, indicating the effectiveness of the randomized transmission protocol for both low and high frequency attacks.

Table 1. Mean $m_N$ and standard deviation $s_N$ of the average state norm $N(T)$ for different jamming attack frequencies $f_A \in \{2, 20, 200, 2000\}$

         f_A = 2    f_A = 20   f_A = 200   f_A = 2000
m_N      0.2853     0.2928     0.2895      0.2913
s_N      0.0088     0.0178     0.0159      0.019

5. CONCLUSION

We proposed a randomized transmission approach for networked control systems under jamming attacks and obtained sufficient stability conditions. Our results indicate that stability can be achieved through the randomized approach as long as the average duration of jamming attacks is bounded. An advantage of our approach is that it does not require jamming attacks to be constrained in their frequencies. Our future work includes systematic design of the feedback gain.

REFERENCES

Boucheron, S., Lugosi, C., and Massart, P. (2013). Concentration Inequalities: A Nonasymptotic Theory of Independence. Oxford University Press.
Calvo-Fullana, M., Antón-Haro, C., Matamoros, J., and Ribeiro, A. (2017). Random access policies for wireless networked control systems with energy harvesting sensors. In Proc. Amer. Control Conf., 3042–3047.
Cetinkaya, A., Ishii, H., and Hayakawa, T. (2017). Networked control under random and malicious packet losses. IEEE Trans. Autom. Control, 62(5), 2434–2449.
Cetinkaya, A., Ishii, H., and Hayakawa, T. (2018). State-dependent jamming interference in networked stabilization. In Proc. IEEE Conf. Dec. Control, 7249–7254.
Cetinkaya, A., Ishii, H., and Hayakawa, T. (2019). An overview on denial-of-service attacks in control systems: Attack models and security analyses. Entropy, 21(2). Article no. 210.
De Persis, C. and Tesi, P. (2015). Input-to-state stabilizing control under Denial-of-Service. IEEE Trans. Autom. Control, 60(11), 2930–2944.
Dibaji, S.M., Ishii, H., and Tempo, R. (2018). Resilient randomized quantized consensus. IEEE Trans. Autom. Control, 63(8), 2508–2522.
Feng, S. and Tesi, P. (2017). Resilient control under Denial-of-Service: Robust design. Automatica, 79, 42–51.
Gatsis, K., Ribeiro, A., and Pappas, G.J. (2018). Random access design for wireless control systems. Automatica, 91, 1–9.
Hespanha, J.P., Naghshtabrizi, P., and Xu, Y. (2007). A survey of recent results in networked control systems. Proc. IEEE, 95(1), 138–172.
Kato, R., Cetinkaya, A., and Ishii, H. (2019). Stabilization of nonlinear networked control systems under denial-of-service attacks: A linearization approach. In Proc. Amer. Control Conf., 1444–1449.
Kikuchi, K., Cetinkaya, A., Hayakawa, T., and Ishii, H. (2017). Stochastic communication protocols for multi-agent consensus under jamming attacks. In Proc. IEEE Conf. Dec. Control, 1657–1662.
Lun, Y.Z., D’Innocenzo, A., Smarra, F., Malavolta, I., and Di Benedetto, M.D. (2019). State of the art of cyber-physical systems security: An automatic control perspective. J. Syst. Software, 149, 174–216.
Pelechrinis, K., Iliofotou, M., and Krishnamurty, S.V. (2011). Denial of service attacks in wireless networks: The case of jammers. IEEE Commun. Surv. Tut., 13(2), 245–257.
Pöpper, C., Strasser, M., and Čapkun, S. (2010). Anti-jamming broadcast communication using uncoordinated spread spectrum techniques. IEEE J. Sel. Areas Com., 28(5), 703–715.
Sandberg, H., Amin, S., and Johansson, K.H. (2015). Special issue on cyberphysical security in networked control systems. IEEE Control Syst. Mag., 35(1).
Schwartz, M. (2004). Mobile Wireless Communications. Cambridge University Press.
Senejohnny, D., Tesi, P., and De Persis, C. (2017). A jamming-resilient algorithm for self-triggered network coordination. IEEE Trans. Control Netw. Syst., 5(3), 981–990.
Xie, W.C. (2011). Dynamic Stability of Structures. Cambridge University Press.