Secure Luenberger-like observers for cyber–physical systems under sparse actuator and sensor attacks


Automatica 98 (2018) 124–129


Brief paper

An-Yang Lu a, Guang-Hong Yang a,b,*

a College of Information Science and Engineering, Northeastern University, Shenyang 110819, PR China
b State Key Laboratory of Synthetical Automation for Process Industries, Northeastern University, Shenyang 110819, PR China

Article history: Received 17 January 2017. Received in revised form 6 August 2018. Accepted 20 August 2018.

Keywords: Cyber–physical systems; Sparse actuator and sensor attacks; Secure state estimation; Secure Luenberger-like observer; Linear matrix inequality

Abstract

This paper investigates the secure state estimation problem for cyber–physical systems (CPSs) under sparse actuator and sensor attacks. By introducing the notion of orthogonal complement matrix, a necessary and sufficient condition for the state observability is provided. Then, based on the least square technique, a new projection operator is proposed to reconstruct the state from a set of successive measurements. Besides, by constructing an augmented system where the attacks are seen as part of the augmented state vector, a novel secure Luenberger-like observer is proposed, and sufficient conditions for the existence of the desired observer are proposed in terms of linear matrix inequalities (LMIs). It is shown that the proposed observability condition can be reduced to the sparse observability. A distinguishing point is that the attacks may be still unavailable even if the state is observable, and besides estimating the state, the attacks are also reconstructed by the proposed algorithm and observer according to their observability automatically.

© 2018 Elsevier Ltd. All rights reserved.

✩ This work was supported in part by the Funds of National Science of China (Grant Nos. 61621004, 61420106016 and 61773097), and the Research Fund of State Key Laboratory of Synthetical Automation for Process Industries, PR China (Grant No. 2018ZCX03). The material in this paper was not presented at any conference. This paper was recommended for publication in revised form by Associate Editor Shreyas Sundaram under the direction of Editor Christos G. Cassandras.
* Corresponding author at: College of Information Science and Engineering, Northeastern University, Shenyang 110819, PR China.
https://doi.org/10.1016/j.automatica.2018.09.003
0005-1098/© 2018 Elsevier Ltd. All rights reserved.

1. Introduction

Recently, cyber–physical systems (CPSs) have attracted much attention from the scientific community. Tight coupling of computation and communication substrates of CPSs has introduced significant changes in the standard design methods. Meanwhile, the integration between computation and physical processes means the deep interaction of all the physical and cyber components, e.g., power grids, water and gas distribution and deep sea exploiting systems (Yan et al., 2016). Thus, various problems have been studied, such as stability analysis (De Persis & Tesi, 2015; Farraj, Hammad, & Kundur, 2018), fault detection (Gu & Li, 2018; Manandhar, Cao, Hu, & Liu, 2014) and security problems (Amin, Cardenas, & Sastry, 2009; Sridhar, Hahn, & Govindarasu, 2012; Zheng, Deng, Anguluri, Zhu, & Pasqualetti, 2016). Especially, the increasing set of functionalities, network interoperability, and system design complexity may introduce security vulnerabilities, and the interaction between information technology and the physical world has made CPSs vulnerable to malicious attacks beyond the standard cyber attacks (Pajic et al., 2014). Thus, the need for novel methods to enhance the security of CPSs has motivated several research directions recently (Teixeira, Sou, Sandberg, & Johansson, 2015), such as false-data injection attack analysis (Sandberg, Teixeira, & Johansson, 2010), performance degradation under stealthy deception attacks (Mo & Sinopoli, 2016), secure control framework for resource-limited adversaries (Teixeira, Shames, Sandberg, & Johansson, 2015), observer-based attack detection and identification (Pasqualetti, Dörfler, & Bullo, 2013), and secure state estimation (Fawzi, Tabuada, & Diggavi, 2014).

Secure state estimation, which is to estimate the state from the corrupted measurements, has attracted considerable attention from the control community. While secure state estimation under sparse attacks is intrinsically a combinatorial problem, the strategies for such a problem can be categorized into (i) brute force search: such as observer-based methods in Chong, Wakaiki, and Hespanha (2015), Lu and Yang (2017a) and Xie and Yang (2018), the filter-based method in Mishra, Shoukry, Karamchandani, Diggavi, and Tabuada (2015), and the L0 decoder in Pajic et al. (2014); (ii) convex relaxations: such as the L1/Lr decoder in Fawzi et al. (2014) and Pajic, Lee, and Pappas (2017), and gradient descent algorithms in Shoukry and Tabuada (2016). On the one hand, estimating the state from the corrupted measurements by brute force search suffers from scalability issues. On the other hand, the convex relaxations ensure that the state is reconstructed in polynomial time with correctness guarantees for a reduced set of systems.

Since the actuators, sensors and controllers need to communicate with each other, in addition to the sensor (sensor to controller communication link), the actuator (controller to actuator communication link) may also be attacked. However, most previous results only consider the sensor attacks. Although some discussions on sparse actuator attacks have been given in Fawzi et al. (2014), sufficient and necessary conditions for the state observability under actuator attacks have not been studied. This is the main motivation of this paper. Besides, since the stability of CPSs may be destroyed by the actuator attacks even if the state is reconstructed accurately, estimating the attacks from the corrupted measurements, in addition to estimating the state, is also meaningful. In Shoukry and Tabuada (2016), the sparse sensor attack estimations are provided by a convex projection operator, based on which Lu and Yang (2017b) provides a non-convex one. Moreover, a Luenberger-like observer is also provided in Shoukry and Tabuada (2016) to estimate the state and attacks for its higher promise of scalability for new measurements. Since these methods may not apply to CPSs under sparse actuator attacks, how to provide the attack estimations also motivates this study.

This paper investigates the secure state estimation problem under sparse actuator and sensor attacks. The main contributions can be summarized as follows: (i) By extending the works in Fawzi et al. (2014) and Shoukry and Tabuada (2016) with both actuator and sensor attacks taken into account, a necessary and sufficient condition for the observability under sparse actuator and sensor attacks is constructed by introducing the notion of orthogonal complement matrix.
It is shown that for the existence of actuator attacks, the state and attacks are not always available simultaneously. (ii) For the systems under sparse actuator and sensor attacks, novel projection operator and secure Luenberger-like observer are proposed to estimate the state and attacks from the corrupted measurements. Especially, the proposed observer, obtained by solving a class of linear matrix inequalities (LMIs), can provide the state estimation with smaller time-delay than that in Shoukry and Tabuada (2016).

This paper is organized as follows. In Section 2, the system description and problem statement are presented. The main results are expressed in Sections 3 and 4. In Section 5, an example is given. Finally, Section 6 concludes this paper.

Notation. For a matrix $M \in \mathbb{R}^{p \times q}$, $M^T$ denotes its transpose, $M > 0$ ($M < 0$) denotes positive (negative) definiteness, $\lambda_m(M)$ denotes its smallest eigenvalue, and $\mathrm{span}(M) \subseteq \mathbb{R}^p$ is spanned by its columns. Given a vector $v \in \mathbb{R}^n$, $\|v\|$ is its Euclidean norm, $\mathrm{supp}(v)$ is the support of $v$. For a set of vectors $v_i$, $(v_1, \ldots, v_n)$ denotes $[v_1^T \cdots v_n^T]^T$. $\mathbb{R}$ denotes the set of reals. $\hat{\star}$ denotes the estimation of $\star$. $0$ and $I$ are zero and unit matrices with appropriate dimensions, respectively. Besides, Table 1 provides some other frequently used symbols.

Table 1. Table of notations.
  $I_u$ / $I_y$: $\{1, 2, \ldots, n_u\}$ / $\{1, 2, \ldots, n_y\}$.
  $I_{\hat\Gamma}$: Matrix consisting of rows indexed by $\hat\Gamma$ of $I$.
  $I_{\hat\Gamma}$: $\mathrm{diag}\{I_{\hat\Gamma}, \ldots, I_{\hat\Gamma}\}$ with $\tau$ blocks.
  $\bar I_{\Gamma_u,\Gamma_y}$: $\mathrm{diag}\{I, I_{\Gamma_u}, I_{\Gamma_y}\}$.

2. Preliminaries

2.1. System description

Consider the following linear discrete-time system:

$$\begin{aligned} x(t+1) &= A x(t) + B(u(t) + a_u(t)) + B_d d(t) \\ y(t) &= C x(t) + a_y(t) + D d(t) \end{aligned} \tag{1}$$

where $x(t) \in \mathbb{R}^{n_x}$ is the state vector, $u(t) \in \mathbb{R}^{n_u}$ is the control input, $y(t) \in \mathbb{R}^{n_y}$ is the output, and $d(t) \in \mathbb{R}^{n_d}$ is the bounded disturbance. Matrices $A$, $B$, $B_d$, $C$ and $D$ represent the system matrices with appropriate dimensions, and $(A, C)$ is observable. $a_u(t)$ and $a_y(t)$, satisfying $|\mathrm{supp}(a_u(t))| \le s_u$ and $|\mathrm{supp}(a_y(t))| \le s_y$, are the actuator and sensor attacks, respectively. The set of attacked channels is unknown but fixed.

By collecting $\tau$ successive observations (from $t - \tau + 1$ to $t$, $t \ge \tau$), the output can be rewritten as follows:

$$Y(t) = O x(t-\tau+1) + F A_u(t) + A_y(t) + D_d D(t) = Q z(t) + D_d D(t) \tag{2}$$

where $z(t) = (x(t-\tau+1), A_u(t), A_y(t))$, $Q = [O \;\; F \;\; I]$, $D_d = F_d + \mathrm{diag}\{D, \ldots, D\}$, $F = [0; [H \;\; 0]]$,

$$O = \begin{bmatrix} C \\ CA \\ \vdots \\ CA^{\tau-1} \end{bmatrix}, \quad H = \begin{bmatrix} CB & 0 & \cdots & 0 \\ CAB & CB & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ CA^{\tau-2}B & CA^{\tau-3}B & \cdots & CB \end{bmatrix}.$$

$F_d$ is defined as $F$ with $B$ replaced by $B_d$, $Y(t) = \tilde Y(t) - F U(t)$, $U(t) = (u(t-\tau+1), \ldots, u(t))$. $\tilde Y(t)$, $A_u(t)$, $A_y(t)$ and $D(t)$ are defined as $U(t)$ with $u$ replaced by $y$, $a_u$, $a_y$ and $d$, respectively. It is assumed that $\|D(t)\| \le d_M$.

Definition 2.1 (Shoukry & Tabuada, 2016). If block vector $A = (A_1, \ldots, A_\tau) \in S_s$, then $|\cup_{i \in \{1,\ldots,\tau\}} \mathrm{supp}(A_i)| \le s$.

Definition 2.2 (Orthogonal Complement Matrix). For a matrix $M$, $M^{\perp}$ is an orthogonal complement matrix of $M$, and the following statements are available:
(i) $M M^{\perp} = 0$, and $\{v \mid M v = 0\} = \mathrm{span}(M^{\perp})$,
(ii) setting $M^{\perp_2} = ((M^{\perp})^T)^{\perp}$, $[M^{\perp} \;\; M^{\perp_2}]$ is an orthogonal matrix and $M M^{\perp_2}$ is of full column rank.

2.2. Problem statement

In this paper, our objective is to estimate the state from the measurements in the presence of sparse actuator and sensor attacks. In the following, two problems are provided. The first one is borrowed from Shoukry and Tabuada (2016) to analyze the observability. The second one is designing a secure Luenberger-like observer to estimate the state and attacks from the corrupted measurements under disturbance.

Problem 1 (Static Batch Optimization). Design a decoder to construct the state estimation $\hat x(t-\tau+1)$ from a batch of measurements in the noiseless case.

Similar to Shoukry and Tabuada (2016), Problem 1 will be solved by solving the following optimization problem:

$$\arg \min_{\hat z \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}} \|Y(t) - Q \hat z(t)\|^2 \tag{3}$$

where $\hat z = (\hat x(t-\tau+1), \hat A_u(t), \hat A_y(t))$.

Problem 2 (Secure Luenberger-like Observer). Construct a Luenberger-like observer such that

$$\lim_{t \to \infty} \|x(t) - \hat x(t)\|^2 \le \varphi(d_M) \tag{4}$$

where $\varphi(d_M)$ ($\varphi(0) = 0$) is a bounded function of $d_M$.

Remark 1. While the state observability under s-sparse sensor attacks has been characterized by 2s-sparse observability in Mishra et al. (2015), Pajic et al. (2017) and Shoukry and Tabuada (2016), this paper extends the works in Fawzi et al. (2014) and Shoukry and Tabuada (2016) by taking both sparse actuator and sensor attacks into account. In the following sections, the observability of the systems under sparse actuator and sensor attacks will be systematically analyzed with the help of Definition 2.2. Besides, for the systems under both actuator and sensor attacks, novel projection operator and secure Luenberger-like observer will be designed to estimate the state and attacks.

3. Static batch optimization

When Problem 1 asks for $\hat x$ by solving the optimization problem (3), there may be many $\hat z$ that minimize $\|Y - Q\hat z\|^2$ (since $Q$ has a nontrivial kernel), which is the major difficulty. Therefore, this section is divided into two subsections: the first one discusses the solvability, and the second one provides a projection operator to solve Problem 1. For clarity, in the following, $x$, $A_u$, $A_y$, $z$, $Y$ and $D$ denote $x(t-\tau+1)$, $A_u(t)$, $A_y(t)$, $z(t)$, $Y(t)$ and $D(t)$, respectively.

3.1. Solvability

In this subsection, a necessary and sufficient condition for the solvability of Problem 1 is provided.

Theorem 3.1 (Existence and Uniqueness of $\hat x$ of Problem 1). The following statements are equivalent:
(i) $\|Y - Q\hat z\| = 0$, where $\hat z \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$, yields $\|x - \hat x\| = 0$.
(ii) for all $\Gamma_u \subseteq I_u$ and $\Gamma_y \subset I_y$ satisfying $|\Gamma_u| = 2s_u$ and $|\Gamma_y| = 2s_y$, $\bar Q^x_{\Gamma_u,\Gamma_y} = 0 \in \mathbb{R}^{n_x \times *}$, where

$$\begin{bmatrix} \bar Q^x_{\Gamma_u,\Gamma_y} \\ \bar Q^u_{\Gamma_u,\Gamma_y} \\ \bar Q^y_{\Gamma_u,\Gamma_y} \end{bmatrix} = Q^{\perp}_{\Gamma_u,\Gamma_y}, \quad Q_{\Gamma_u,\Gamma_y} = [O \;\; F I^T_{\Gamma_u} \;\; I^T_{\Gamma_y}] = Q \bar I^T_{\Gamma_u,\Gamma_y}.$$

Proof. (i) ⟹ (ii): Suppose for the sake of contradiction that there exist $\Gamma_u$ and $\Gamma_y$ satisfying $|\Gamma_u| = 2s_u$ and $|\Gamma_y| = 2s_y$ such that $\bar Q^x_{\Gamma_u,\Gamma_y} \ne 0$ while (i) holds. Then, there exists $e_x \ne 0 \in \mathbb{R}^{n_x}$ such that $e = (e_x, e_u, e_y) \in \mathrm{span}(Q^{\perp}_{\Gamma_u,\Gamma_y})$, which implies $Q_{\Gamma_u,\Gamma_y} e = 0$ (ref. Definition 2.2-(i)). Then, splitting $\Gamma_u = \Gamma_{u1} \cup \Gamma_{u2}$ and $\Gamma_y = \Gamma_{y1} \cup \Gamma_{y2}$ satisfying $|\Gamma_{u1}| = |\Gamma_{u2}| = s_u$ and $|\Gamma_{y1}| = |\Gamma_{y2}| = s_y$, and setting $\hat x = x - e_x$,

$$A_u = I^T_{\Gamma_{u1}} I_{\Gamma_{u1}} I^T_{\Gamma_u} e_u, \quad \hat A_u = -I^T_{\Gamma_{u2}} I_{\Gamma_{u2}} I^T_{\Gamma_u} e_u,$$
$$A_y = I^T_{\Gamma_{y1}} I_{\Gamma_{y1}} I^T_{\Gamma_y} e_y, \quad \hat A_y = -I^T_{\Gamma_{y2}} I_{\Gamma_{y2}} I^T_{\Gamma_y} e_y,$$

it follows from $Q_{\Gamma_u,\Gamma_y} e = 0$ that

$$Q(e_x, I^T_{\Gamma_u} e_u, I^T_{\Gamma_y} e_y) = Q(x - \hat x, A_u - \hat A_u, A_y - \hat A_y) = Qz - Q\hat z = 0 \tag{5}$$

where $z, \hat z \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$ are defined in (2) and (3), respectively. Considering that $x - \hat x = e_x \ne 0$, (5) implies that (i) does not hold.

(ii) ⟹ (i): This is still proved by contradiction. While (ii) holds, suppose that there exist $z, \hat z \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$ with $\hat x \ne x$ such that $\|Qz - Q\hat z\| = 0$. Then, there exist $\Gamma_u$ and $\Gamma_y$ satisfying $|\Gamma_u| = 2s_u$ and $|\Gamma_y| = 2s_y$ such that (5) holds, which means that $e \in \mathrm{span}(Q^{\perp}_{\Gamma_u,\Gamma_y})$ (ref. Definition 2.2-(i)) where $e = (e_x, e_u, e_y)$, $e_x = x - \hat x \ne 0$, $e_u = A_u - \hat A_u$ and $e_y = A_y - \hat A_y$. Thus, $e$ is a linear combination of the columns of $Q^{\perp}_{\Gamma_u,\Gamma_y}$, and $e_x \ne 0$ implies $\bar Q^x_{\Gamma_u,\Gamma_y} \ne 0$, which contradicts (ii).

Remark 2. Theorem 3.1 analyzes the state observability of the systems under sparse actuator and sensor attacks. Besides, if $a_u(t) = 0$, Theorem 3.1 is reduced to Theorem 3.2 in Shoukry and Tabuada (2016) (since $[O \;\; I^T_{\Gamma_y}]^{\perp} = []$ implies that $(A, C)$ is $2s_y$-observable). Thus, the proposed conditions characterized by orthogonal complement matrix are more general. Moreover, different from Shoukry and Tabuada (2016) where $a_y(t)$ can be obtained from $x$ and $Y$ directly, in Theorem 3.1, only $\|x - \hat x\| = 0$ is guaranteed. Besides, although $s_y < n_y/2$ is necessary, there is no such constraint on $s_u$, and $2s_u$ should be regarded as $n_u$ while $2s_u \ge n_u$.

As discussed in Remark 2, only $\|x - \hat x\| = 0$ is guaranteed by Theorem 3.1-(ii). The following corollary helps to discuss the existence and uniqueness of $Ba_u$ and $a_y$ of (3) (the proof is similar to that of Theorem 3.1).

Corollary 3.2. The following statements are equivalent:
(i) $\|Y - Q\hat z\| = 0$, where $\hat z \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$, yields $\|z_i - \hat z_i\| = 0$ where $z_i$ ($\hat z_i$) is the $i$th element of $z$ ($\hat z$).
(ii) for all $\Gamma_u \subseteq I_u$ and $\Gamma_y \subset I_y$ satisfying $|\Gamma_u| = 2s_u$ and $|\Gamma_y| = 2s_y$, the $i$th row of $\bar I^T_{\Gamma_u,\Gamma_y} Q^{\perp}_{\Gamma_u,\Gamma_y}$ is a zero vector.

Remark 3. Based on Corollary 3.2, whether $a_u(t)$ and $a_y(t)$ can be reconstructed from $Y$ can be determined by verifying whether partial or all rows of $\bar Q^u_{\Gamma_u,\Gamma_y}$ and $\bar Q^y_{\Gamma_u,\Gamma_y}$ (defined in Theorem 3.1) are zero vectors, e.g., $\bar Q^x_{\Gamma_u,\Gamma_y} = 0$ and $\bar Q^u_{\Gamma_u,\Gamma_y} \ne 0$ imply that $x$ can be reconstructed but $A_u$ cannot. However, such fact has not been pointed out in Fawzi et al. (2014).

3.2. Projection operator

While Section 3.1 provides a necessary and sufficient condition for the solvability of Problem 1, this subsection focuses on reconstructing the state from the corrupted measurements by the following projection operator.

Algorithm 1 (Projection Operator): $\Pi(V, P)$

Step 1: For each $\Gamma_u \subseteq I_u$ and $\Gamma_y \subset I_y$ satisfying $|\Gamma_u| = s_u$ and $|\Gamma_y| = s_y$, set

$$\hat z^{\Gamma_u}_{\Gamma_y} = \bar I^T_{\Gamma_u,\Gamma_y} R_{\Gamma_u,\Gamma_y} \bar z^{\Gamma_u}_{\Gamma_y} \tag{6}$$

where $\bar z^{\Gamma_u}_{\Gamma_y} = (\bar P^{lr}_{\Gamma_u,\Gamma_y})^{-1} R^T_{\Gamma_u,\Gamma_y} \bar I_{\Gamma_u,\Gamma_y} P^T V$, $\bar R_{\Gamma_u,\Gamma_y} = [R_{\Gamma_u,\Gamma_y} \;\; (P^{lr}_{\Gamma_u,\Gamma_y})^{\perp}]$, $R_{\Gamma_u,\Gamma_y} = (P^{lr}_{\Gamma_u,\Gamma_y})^{\perp_2}$, $P^{lr}_{\Gamma_u,\Gamma_y} = \bar I_{\Gamma_u,\Gamma_y} P^T P \bar I^T_{\Gamma_u,\Gamma_y}$, and $\bar P^{lr}_{\Gamma_u,\Gamma_y} = R^T_{\Gamma_u,\Gamma_y} P^{lr}_{\Gamma_u,\Gamma_y} R_{\Gamma_u,\Gamma_y}$.

Step 2: $\Pi(V, P) = \arg\min_{\hat z^{\Gamma_u}_{\Gamma_y}} \|P \hat z^{\Gamma_u}_{\Gamma_y} - V\|$.

Proposition 3.3. For a vector $V \in \mathbb{R}^{n_v}$, the projection operator $\Pi(V, P) : \mathbb{R}^{n_v} \to \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$, where $P \in \mathbb{R}^{n_v \times (n_x + n_u\tau + n_y\tau)}$, provides a $\hat z \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$ such that for any $z' \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$

$$\|P\hat z - V\| \le \|Pz' - V\|. \tag{7}$$

Proof. (7) implies that $\Pi(V, P)$ is used to find the $z' \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$ that minimizes $\|Pz' - V\|$. Considering that $z' \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$, there exist $\Gamma_u \subseteq I_u$ and $\Gamma_y \subset I_y$ satisfying $|\Gamma_u| = s_u$ and $|\Gamma_y| = s_y$ such that

$$Pz' = P \bar I^T_{\Gamma_u,\Gamma_y} z^{\Gamma_u}_{\Gamma_y} \overset{(a)}{=} P \bar I^T_{\Gamma_u,\Gamma_y} \bar R_{\Gamma_u,\Gamma_y} \bar R^T_{\Gamma_u,\Gamma_y} z^{\Gamma_u}_{\Gamma_y} \overset{(b)}{=} P \bar I^T_{\Gamma_u,\Gamma_y} R_{\Gamma_u,\Gamma_y} \bar z^{\Gamma_u}_{\Gamma_y} \tag{8}$$

where $z^{\Gamma_u}_{\Gamma_y} = \bar I_{\Gamma_u,\Gamma_y} z'$, $\bar z^{\Gamma_u}_{\Gamma_y} = R^T_{\Gamma_u,\Gamma_y} z^{\Gamma_u}_{\Gamma_y}$; (a) holds for that $\bar R^{-1}_{\Gamma_u,\Gamma_y} = \bar R^T_{\Gamma_u,\Gamma_y}$ (ref. Definition 2.2-(ii)), (b) holds for that $P \bar I^T_{\Gamma_u,\Gamma_y} (P^{lr}_{\Gamma_u,\Gamma_y})^{\perp} = 0$. Besides, it follows from Definition 2.2-(ii) that $P \bar I^T_{\Gamma_u,\Gamma_y} R_{\Gamma_u,\Gamma_y}$ is of full column rank, which means that $\bar P^{lr}_{\Gamma_u,\Gamma_y}$ in Algorithm 1 is invertible. Then, for certain $\Gamma_u$ and $\Gamma_y$, minimizing $\|Pz' - V\|$ is transformed into solving the following least square problem: find the $\bar z^{\Gamma_u}_{\Gamma_y}$ minimizing $\|P \bar I^T_{\Gamma_u,\Gamma_y} R_{\Gamma_u,\Gamma_y} \bar z^{\Gamma_u}_{\Gamma_y} - V\|$. While $\bar z^{\Gamma_u}_{\Gamma_y}$ defined in Algorithm 1 is the solution, (6) ensures that $\|P \hat z^{\Gamma_u}_{\Gamma_y} - V\|$ reaches the minimum. Finally, Step 2 of Algorithm 1 provides a $z' = \Pi(V, P)$ which minimizes the right side of (7) through searching the optimal $\Gamma_u$ and $\Gamma_y$. The proof is completed.

Based on Proposition 3.3, Problem 1 is solved in the following theorem.

Theorem 3.4. For given vector $Y = Qz$ where matrix $Q$ is known and $z \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$ is the vector to be reconstructed, if Theorem 3.1-(ii) holds, $\hat z = (\hat x, \hat A_u, \hat A_y) = \Pi(Y, Q)$ provides the state estimation $\hat x = x$.

Proof. It follows from (7) that $\|Y - Q\hat z\| \le \|Y - Qz\| = 0$, and then, $\hat x = x$ is obtained from Theorem 3.1.

Remark 4. Based on Theorem 3.1 and Proposition 3.3, Algorithm 1 solves Problem 1 well, and $\hat A_u$ and $\hat A_y$ also provide the available information of attacks (ref. Corollary 3.2). However, $\tau$ should be large enough such that Theorem 3.1-(ii) holds, and only the time-delay state $x(t-\tau+1)$ is obtained at time $t$.

Remark 5. While the projection operator in Shoukry and Tabuada (2016) avoids brute-force search at the cost of introducing a restrictive convergence condition, the soundness and correctness are guaranteed by $\Pi(Y, Q)$ at the cost of brute-force search. Moreover, since $Q^{lr}_{\Gamma_u,\Gamma_y}$ (defined in Algorithm 1 with $P$ replaced by $Q$) may be not invertible, Definition 2.2 is utilized in Algorithm 1.

4. Secure Luenberger-like observer design

In this section, Problem 2 provided in Section 2.2 is taken into account. Motivated by Remark 4, the objective is to estimate the state with smaller time-delay under sparse attacks and disturbance. In the following, the system (1) is reconstructed in Section 4.1, then, a novel secure Luenberger-like observer is proposed in Section 4.2.

4.1. Model reconstruction

Combining (1) and (2), the following augmented system is obtained:

$$\begin{aligned} E z(t+1) &= \bar A z(t) + \bar B \bar u(t) + \bar B_d \bar d(t) \\ Y(t) &= Q z(t) + D_d D(t) \end{aligned} \tag{9}$$

where $\bar u(t) = (U(t), Y(t+1))$, $\bar d(t) = (D(t), D(t+1))$,

$$E = \begin{bmatrix} I & 0 & 0 \\ 0 & F & I \end{bmatrix}, \quad \bar A = \begin{bmatrix} A & B_1 & 0 \\ -OA & -OB_1 & 0 \end{bmatrix}, \quad \bar B = \begin{bmatrix} B_1 & 0 \\ -OB_1 & I \end{bmatrix},$$

$B_1 = [B \;\; 0]$, and $\bar B_d$ is defined as $\bar B$ with $B$ and $I$ replaced by $B_d$ and $-D_d$, respectively.

4.2. Secure Luenberger-like observer design

In this subsection, based on the augmented system (9), the following Luenberger-like observer is proposed:

$$\begin{aligned} E \tilde z(t+1) &= \bar A \hat z(t) + \bar B \bar u(t) + L(Y(t) - Q\hat z(t)) \\ \hat z(t+1) &= \Pi(P \tilde z(t+1), P) \end{aligned} \tag{10}$$

where $\tilde z(t) \in \mathbb{R}^{n_x + n_u\tau + n_y\tau}$, $\hat z(t) \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$, $P = \bar P^{1/2} E$, and $\bar P > 0$ will be defined in Theorem 4.1.

Remark 6. Since $\Pi(P\tilde z(t), P)$ is operated by brute force search, the proposed secure observer is still a brute force method. However, different from Theorem 3.4 where $\tau$ should be large enough such that Theorem 3.1-(ii) holds, (10) provides $\hat x(t-\tau+1)$ with smaller time-delay $\tau - 1$.

Before designing the observer (10), for all $\Gamma_u \subseteq I_u$ and $\Gamma_y \subset I_y$ satisfying $|\Gamma_u| = 2s_u$ and $|\Gamma_y| = 2s_y$,

(i) it is assumed that there exists a matrix $S_{\Gamma_u,\Gamma_y}$ such that

$$S_{\Gamma_u,\Gamma_y} [F I^T_{\Gamma_u} \;\; I^T_{\Gamma_y}] = [B_1 I^T_{\Gamma_u} \;\; 0]. \tag{11}$$

Then, there exist matrices $\bar A^S_{\Gamma_u,\Gamma_y}$ and $Q^S_{\Gamma_u,\Gamma_y}$ such that

$$\bar A_{\Gamma_u,\Gamma_y} = \bar A^S_{\Gamma_u,\Gamma_y} E_{\Gamma_u,\Gamma_y}, \quad Q_{\Gamma_u,\Gamma_y} = Q^S_{\Gamma_u,\Gamma_y} E_{\Gamma_u,\Gamma_y} \tag{12}$$

where $\xi_{\Gamma_u,\Gamma_y} = \xi \bar I^T_{\Gamma_u,\Gamma_y}$, $\xi \in \{E, \bar A, Q\}$; (11) yields (12).

(ii) set $E^R_{\Gamma_u,\Gamma_y} = E_{\Gamma_u,\Gamma_y} R_{\Gamma_u,\Gamma_y}$ where $R_{\Gamma_u,\Gamma_y} = E^{\perp_2}_{\Gamma_u,\Gamma_y}$, and $\bar R_{\Gamma_u,\Gamma_y} = [R_{\Gamma_u,\Gamma_y} \;\; E^{\perp}_{\Gamma_u,\Gamma_y}]$ (ref. Definition 2.2-(ii), $E^R_{\Gamma_u,\Gamma_y}$ is of full column rank and $\bar R_{\Gamma_u,\Gamma_y}$ is invertible). Then, it is easy to obtain that

$$E_{\Gamma_u,\Gamma_y} = E^R_{\Gamma_u,\Gamma_y} [I \;\; 0] \bar R^{-1}_{\Gamma_u,\Gamma_y}. \tag{13}$$

Theorem 4.1. For given scalars $\alpha, \beta > 0$, if there exist a matrix $S \in \mathbb{R}^{(n_x + n_u\tau + n_y\tau) \times n_y\tau}$ and a symmetric positive definite matrix $\bar P \in \mathbb{R}^{(n_x + n_y\tau) \times (n_x + n_y\tau)}$ such that

$$\begin{bmatrix} -\Phi^{11}_{\Gamma_u,\Gamma_y} & \Phi^{12}_{\Gamma_u,\Gamma_y} \\ * & -4\bar P \end{bmatrix} < 0 \tag{14}$$

where $\Phi^{11}_{\Gamma_u,\Gamma_y} = \mathrm{diag}\{(1-\alpha)(E^R_{\Gamma_u,\Gamma_y})^T \bar P E^R_{\Gamma_u,\Gamma_y}, \beta I\}$, $\Phi^{12}_{\Gamma_u,\Gamma_y} = 4[(\bar P \bar A_{\Gamma_u,\Gamma_y} - S Q_{\Gamma_u,\Gamma_y}) R_{\Gamma_u,\Gamma_y} \;\; \bar P \bar B_d - [S D_d \;\; 0]]^T$, $\Gamma_u \subseteq I_u$, $\Gamma_y \subset I_y$, $|\Gamma_u| = 2s_u$ and $|\Gamma_y| = 2s_y$, then the observer (10) with $L = \bar P^{-1} S$ provides the estimation $\hat x$ satisfying (4) with $\varphi(d_M) = 2\beta d_M^2/(\alpha \lambda_m(\bar P))$.

Proof. Combining (9) and (10), the error system is

$$E \tilde e(t+1) = \bar A_L \hat e(t) + \bar B_{dL} \bar d(t) \tag{15}$$

where $\tilde e(t) = z(t) - \tilde z(t)$, $\hat e(t) = z(t) - \hat z(t)$, $\bar A_L = \bar A - LQ$, $\bar B_{dL} = \bar B_d - [L D_d \;\; 0]$. The proof is divided into three steps.

Step 1: Consider the following Lyapunov function candidate

$$V(t) = \hat e^T(t) P \hat e(t) \tag{16}$$

where $P$ is defined after (10). Based on (16), one has

$$V(t+1) = (\tilde e(t+1) + e_z(t+1))^T P \hat e(t+1) \overset{(a)}{\le} 4 \tilde e^T(t+1) E^T \bar P E \tilde e(t+1) \tag{17}$$

where $e_z(t) = \tilde z(t) - \hat z(t)$, and (a) is obtained from (7). Then, combining (15), (16) and (17) yields

$$V(t+1) - (1-\alpha)V(t) - \beta \bar d^T(t) \bar d(t) \le (\hat e(t), \bar d(t))^T \bar\Phi (\hat e(t), \bar d(t)) \tag{18}$$

where $\bar\Phi = 4[\bar A_L \;\; \bar B_{dL}]^T \bar P [\bar A_L \;\; \bar B_{dL}] - \mathrm{diag}\{(1-\alpha)P, \beta I\}$.

Step 2: Considering that $z(t), \hat z(t) \in \mathbb{R}^{n_x} \times S_{s_u} \times S_{s_y}$, there exist $\Gamma_u$, $\Gamma_y$ satisfying $|\Gamma_u| = 2s_u$ and $|\Gamma_y| = 2s_y$ such that $\hat e(t) = \bar I^T_{\Gamma_u,\Gamma_y} \bar I_{\Gamma_u,\Gamma_y} \hat e(t)$, which implies that

$$E \hat e(t) = E_{\Gamma_u,\Gamma_y} \bar I_{\Gamma_u,\Gamma_y} \hat e(t) \overset{(a)}{=} E^R_{\Gamma_u,\Gamma_y} \hat e^R_{\Gamma_u,\Gamma_y}(t) \tag{19}$$

where $\hat e^R_{\Gamma_u,\Gamma_y}(t) = [I \;\; 0] \bar R^{-1}_{\Gamma_u,\Gamma_y} \bar I_{\Gamma_u,\Gamma_y} \hat e(t)$, (a) is obtained from (13). Meanwhile, combining (19) with (12) yields

$$\bar A_{\Gamma_u,\Gamma_y} \bar I_{\Gamma_u,\Gamma_y} \hat e(t) = \bar A_{\Gamma_u,\Gamma_y} R_{\Gamma_u,\Gamma_y} \hat e^R_{\Gamma_u,\Gamma_y}(t) \tag{20}$$

$$Q_{\Gamma_u,\Gamma_y} \bar I_{\Gamma_u,\Gamma_y} \hat e(t) = Q_{\Gamma_u,\Gamma_y} R_{\Gamma_u,\Gamma_y} \hat e^R_{\Gamma_u,\Gamma_y}(t). \tag{21}$$

Then, from (18), one can deduce that

$$V(t+1) - (1-\alpha)V(t) - \beta \bar d^T(t) \bar d(t) \overset{(a)}{\le} (\hat e^R_{d,\Gamma_u,\Gamma_y}(t))^T \tilde\Phi_{\Gamma_u,\Gamma_y} \hat e^R_{d,\Gamma_u,\Gamma_y}(t) \overset{(b)}{\le} 0 \tag{22}$$

where $\hat e^R_{d,\Gamma_u,\Gamma_y}(t) = (\hat e^R_{\Gamma_u,\Gamma_y}(t), \bar d(t))$, (a) is obtained by substituting (19)–(21) into (18), and (b) holds for that

$$\tilde\Phi_{\Gamma_u,\Gamma_y} = 4[(\bar A_{\Gamma_u,\Gamma_y} - L Q_{\Gamma_u,\Gamma_y}) R_{\Gamma_u,\Gamma_y} \;\; \bar B_{dL}]^T \bar P [(\bar A_{\Gamma_u,\Gamma_y} - L Q_{\Gamma_u,\Gamma_y}) R_{\Gamma_u,\Gamma_y} \;\; \bar B_{dL}] - \mathrm{diag}\{(1-\alpha)(E^R_{\Gamma_u,\Gamma_y})^T \bar P E^R_{\Gamma_u,\Gamma_y}, \beta I\} < 0$$

which is obtained from (14) by Schur complement.

Step 3: Based on the description above, one has

$$V(t) \overset{(a)}{<} (1-\alpha)^m V(t-m) + \sum_{i=1}^{m} 2(1-\alpha)^{i-1} \beta d_M^2 \overset{(b)}{<} (1-\alpha)^t V(0) + 2\beta d_M^2/\alpha \tag{23}$$

where (a) is obtained by using (22) recursively ($d_M$ is defined after (2)), (b) is obtained from the fact that $\sum_{i=1}^{t+1} (1-\alpha)^{i-1} \le 1/\alpha$. Finally, (16) and (23) yield

$$\|x(t) - \hat x(t)\|^2 \le \|E\hat e(t)\|^2 \le V(t)/\lambda_m(\bar P) \le (1-\alpha)^t V(0)/\lambda_m(\bar P) + \varphi(d_M) \tag{24}$$

which completes the proof.

Remark 7. In Theorem 4.1, the main difficulty is that $E_{\Gamma_u,\Gamma_y}$ may be not of full column rank. Thus, the assumption (11) (which yields (12)) is introduced such that $\Phi^{11}_{\Gamma_u,\Gamma_y} > 0$, which ensures that (14) is solvable. Although Sridhar et al. (2012) already presents a Luenberger observer requiring that $\tau$ should be large enough such that Theorem 3.1-(ii) holds, such requirement is unnecessary for the proposed observer. As discussed in Remark 6, the estimation $\hat x(t-\tau+1)$ is provided with smaller time-delay.

Remark 8. Since $P = E^T \bar P E$, where $\bar P > 0$, is not invertible, only the convergence of $\|E\hat e(t)\|$ is obtained from (23). As shown in (24), $\|x(t) - \hat x(t)\|$ is proved convergent. Meanwhile, (12) implies that $B(a_u(t-\tau+1) - \hat a_u(t-\tau+1))$ is also convergent.

5. Example

Considering a two-link planar robot with revolute joints and actuation at the shoulder (Lee & Dullerud, 2006) with a sampling period $h = 0.005$ s, the system (1) is obtained with

$$A = \begin{bmatrix} 0.9992 & 0.0050 & 0.0003 & 0 \\ -0.3369 & 0.9992 & 0.1240 & 0.0003 \\ 0.0008 & 0 & 1.0007 & 0.0050 \\ 0.3263 & 0.0008 & 0.2786 & 1.0007 \end{bmatrix}, \quad B = \begin{bmatrix} 0 \\ 0.2239 \\ 0 \\ -0.0232 \end{bmatrix},$$

$B_d = B$, $C = [C_1^T \; C_2^T \; C_3^T \; C_4^T]^T$, $C_1 = [1 \; 1 \; 0 \; 1]$, $C_2 = [1 \; 1 \; 2 \; 1]$, $C_3 = [2 \; 0 \; 1 \; 1]$, $C_4 = [0 \; 0 \; 1 \; 1]$, and $D = 0.1[1 \; 1 \; 1 \; 1]^T$. Assume that $x(0) = [5 \; 0 \; -5 \; 0]^T$, $s_u = 1$ and $s_y = 1$. Besides, such system is operated with the control input $u(t) = Kx(t)$ where $K = [-57.6271 \; -6.4497 \; -62.1460 \; -8.2758]$ (only $u(t)$ is known for the observer). In the following, $t_p = ht$, and unless otherwise noted, $a_u(t) = 5\sin(0.5 t_p)$ and $a_y(t) = [0 \;\; 10\cos(t_p) \;\; 0 \;\; 0]^T$.

Case I: $d(t) = 0$.
(i) Problem 1 (static batch optimization): While Theorem 3.1-(ii) holds for $\tau \ge 3$, based on Theorem 3.4, Problem 1 is solved by Algorithm 1: $\hat z(t) = \Pi(Y(t), Q)$ where $Y$ contains three successive observations.
(ii) Problem 2 (secure Luenberger-like observer): Setting $\tau = 2$ ((11) holds), $\alpha = 0.01$, and $\beta = 0.1$, the observer (10) is obtained by solving (14), and (4) with $d_M = 0$ implies that $\lim_{t\to\infty} \hat x(t) = x(t)$.
Fig. 1 shows that both the proposed projection operator and observer reconstruct the state and attacks well.

Fig. 1. (a) The state $x_3$ and its estimations. (b) The actuator attack $a_u$ and its estimations (Case I).

Case II: $d(t) = \cos(\pi t_p)$. The L0 decoder in Fawzi et al. (2014), the projection operator (Algorithm 1) and the observer (10) obtained in Case I-(ii) are utilized to estimate the state, respectively. As shown in Fig. 2, compared with the existing L0 decoder and the proposed projection operator, the proposed observer achieves better disturbance rejection performance. Besides, it is worth noting that while $\tau \ge 3$ is necessary for the proposed projection operator and the existing L0 decoder (Fawzi et al., 2014), the proposed observer (10), which works for $\tau = 2$ here, provides the time-delay state estimation $\hat x(t-1)$. This fact verifies Remark 6.

Fig. 2. The state $x_4$ and its estimations (Case II).

Case III: $d(t) = 0$. Reset the last column of $C$ as 0. Setting $\tau = 3$, while Theorem 3.1-(ii) still holds ($\bar Q^x_{\Gamma_u,\Gamma_y} = 0$), $\bar Q^u_{\Gamma_u,\Gamma_y}$ and $\bar Q^y_{\Gamma_u,\Gamma_y}$ (defined in Theorem 3.1) are not zero matrices for $\Gamma_u = \{1\}$ and $\Gamma_y = \{1, 2\}$, which implies that $A_u$ and $A_y$ may not be reconstructed (ref. Corollary 3.2 and Remark 3): Setting $A_u(3) = \bar Q^u_{\{1\},\{1,2\}} \nu = (0, -0.61, -1.26)$ and $A_y(3) = I^T_{\{2\}} \bar Q^y_{\{1\},\{1,2\}} \nu = (0, \ldots, 0, -0.133, 0, 0)$ ($\nu$ can be any vector with appropriate dimension, $\nu = [1 \; 1]^T$ here), then adopting Algorithm 1, $\hat z = \Pi(Y(3), Q)$ provides $\hat x = x(0)$, $\hat A_u(3) = (0, -1.2, 0) \ne A_u(3)$ and $\hat A_y(3) = (0, \ldots, 0, 0.133, 0, 0, 0) \ne A_y(3)$.

Case IV: Random $d(t)$, $a_u(t)$ and $a_y(t)$. Referring to Pajic et al. (2017), we evaluate the state-estimation error $\epsilon = \|x(0) - \hat x(0)\|$ in 10 000 experiments for various attack and noise realizations. The sensor attack set is chosen uniformly at random from $\{\{1\}, \{2\}, \{3\}, \{4\}\}$, and the values of $a_u(t)$, $a_y(t)$ and $d(t)$ are generated randomly according to Gaussian distributions with zero mean (the covariance for $d(t)$ is 1, the covariance for $a_u(t)$ is 10 000 (actually, it can be any positive scalar) and so is that for $a_y(t)$). Using the proposed projection operator (Algorithm 1), the average, maximum and minimum value of $\epsilon$ are 0.5277, 2.5916 and 0.0085, respectively. Thus, the proposed method has strong guarantees on correctness under different attacks satisfying the sparsity assumption.

Based on the description above, Problems 1 and 2 are solved well by using the proposed projection operator (Algorithm 1) and secure Luenberger-like observer (10), respectively.

6. Conclusions

In this paper, the secure state estimation problem for CPSs under sparse actuator and sensor attacks has been investigated. First, a necessary and sufficient condition for the observability has been provided by introducing the notion of orthogonal complement matrix, which also can describe sparse observability. Second, for the existence of actuator attacks, a new projection operator has been proposed to reconstruct the state. Third, a novel secure Luenberger-like observer has been proposed to estimate the state and attacks with the help of the proposed projection operator. Sufficient conditions for the existence of the desired observer have been provided in terms of LMIs. It is shown that the proposed observer estimates the state well despite the sparse actuator and sensor attacks and the disturbance. Finally, a two-link planar robot example has been given to illustrate the effectiveness of the proposed methods. For future works, the proposed method can be extended for attack tolerant control. Besides, studying the worst-case attacks (designed with the knowledge of disturbance) is also interesting and challenging.
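The kernel test of Theorem 3.1-(ii) and Corollary 3.2, which Cases I and III rely on, can be run mechanically for a given plant. The Python code below is an added example, not code from the paper: it builds O and F of (2), computes the kernel of every Q restricted to (Γu, Γy) exactly with rational arithmetic, and lists the components of z that some kernel vector leaves undetermined. The two plants (a double integrator with three identical position sensors, actuated through velocity or through position) and all function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def nullspace(M):
    """Exact basis of {v : M v = 0}, computed by Gauss-Jordan elimination."""
    M = [[Fraction(v) for v in row] for row in M]
    ncols, pivots, r = len(M[0]), [], 0
    for c in range(ncols):
        p = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if p is None:
            continue                      # no pivot: column c is a free variable
        M[r], M[p] = M[p], M[r]
        M[r] = [v / M[r][c] for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c] != 0:
                M[i] = [a - M[i][c] * b for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        v = [Fraction(0)] * ncols
        v[free] = Fraction(1)
        for row, pc in zip(M, pivots):
            v[pc] = -row[free]
        basis.append(v)
    return basis

def batch_matrices(A, B, C, tau):
    """O and F of eq. (2): Y = O x + F A_u + A_y in the noise-free case."""
    nu, ny = len(B[0]), len(C)
    CAk = [C]                             # C A^k for k = 0 .. tau-1
    for _ in range(tau - 1):
        CAk.append(matmul(CAk[-1], A))
    O = [row for blk in CAk for row in blk]
    F = [[0] * (nu * tau) for _ in range(ny * tau)]
    for i in range(1, tau):               # block (i, j), j < i, is C A^(i-1-j) B
        for j in range(i):
            blk = matmul(CAk[i - 1 - j], B)
            for r in range(ny):
                for c in range(nu):
                    F[i * ny + r][j * nu + c] = blk[r][c]
    return O, F

def kernel_support(A, B, C, tau, su, sy):
    """Sorted indices of z = (x, A_u, A_y) that are nonzero in some kernel
    vector of Q restricted to (Gu, Gy), over all |Gu| = 2su, |Gy| = 2sy."""
    nx, nu, ny = len(A), len(B[0]), len(C)
    if not 0 <= 2 * sy < ny:
        raise ValueError("s_y < n_y / 2 is necessary (Remark 2)")
    O, F = batch_matrices(A, B, C, tau)
    Q = [O[r] + F[r] + [int(r == c) for c in range(ny * tau)] for r in range(ny * tau)]
    hit = set()
    # Remark 2: 2*su is regarded as nu when 2*su >= nu
    for Gu in combinations(range(nu), min(2 * su, nu)):
        for Gy in combinations(range(ny), 2 * sy):
            cols = list(range(nx))        # columns of Q kept in [O, F I_Gu^T, I_Gy^T]
            cols += [nx + k * nu + j for k in range(tau) for j in Gu]
            cols += [nx + nu * tau + k * ny + j for k in range(tau) for j in Gy]
            QG = [[row[c] for c in cols] for row in Q]
            for v in nullspace(QG):
                hit |= {cols[i] for i, x in enumerate(v) if x != 0}
    return sorted(hit)

def state_observable(A, B, C, tau, su, sy):
    """Theorem 3.1-(ii): no kernel vector touches the first nx components."""
    return all(i >= len(A) for i in kernel_support(A, B, C, tau, su, sy))

# Constructed plants: x = (position, velocity), three identical position sensors.
A_DI = [[1, 1], [0, 1]]
C_POS = [[1, 0], [1, 0], [1, 0]]
B_VEL = [[0], [1]]    # actuator drives the velocity
B_POS = [[1], [0]]    # actuator drives the position directly

if __name__ == "__main__":
    for name, B in (("B_VEL", B_VEL), ("B_POS", B_POS)):
        print(name, state_observable(A_DI, B, C_POS, 3, 1, 1),
              kernel_support(A_DI, B, C_POS, 3, 1, 1))
```

With index 0–1 for x, 2–4 for the stacked actuator attack and 5–13 for the stacked sensor attack, the velocity-actuated plant keeps the state and the oldest actuator attack sample identifiable, while the position-actuated plant loses the velocity state as soon as one actuator attack is allowed, although it passes the sensor-only test.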

129


An-Yang Lu received the B.S. and M.S. degrees in mathematics from Northeastern University, China, in 2014 and 2016, respectively. He is now pursuing the Ph.D. degree in Control Theory and Control Engineering at Northeastern University, China. His current research interests focus on fault detection, switched systems, and cyber–physical systems.


Guang-Hong Yang (SM'04) received the B.S. and M.S. degrees in mathematics and the Ph.D. degree in control theory and control engineering from Northeast University, Shenyang, China, in 1983, 1986, and 1994, respectively. From 2001 to 2005, he was a Research Scientist/Senior Research Scientist with the National University of Singapore, Singapore. He is currently a Professor and the Dean of the College of Information Science and Engineering, Northeastern University. His current research interests include fault-tolerant control, fault detection and isolation, cyber–physical systems, and robust control. He is a Deputy Editor-in-Chief for the Journal of Control and Decision, an Editor for the International Journal of Control, Automation and Systems, and an Associate Editor for the International Journal of Systems Science, the IET Control Theory and Applications, and the IEEE Transactions on Fuzzy Systems.