Wireless Control Under Jamming Attacks with Bounded Average Interference Power*

Proceedings of the 20th World Congress Proceedings of 20th The International Federation of Congress Automatic Control Proceedings of the the 20th World World Congress Proceedings of the 20th World Congress The International Federation of Automatic Control Available online at www.sciencedirect.com Toulouse, France, July 9-14, 2017 The International Federation of The International Federation of Automatic Automatic Control Control Toulouse, France, July 9-14, 2017 Toulouse, France, July 9-14, 2017 Toulouse, France, July 9-14, 2017

ScienceDirect

IFAC PapersOnLine 50-1 (2017) 8405–8410

Wireless Control Under Jamming Attacks Wireless Control Under Jamming Wireless Control Under Jamming Attacks ⋆⋆ Wireless Control Under Jamming Attacks Attacks with Bounded Average Interference Power ⋆ with Bounded Average Interference Power with with Bounded Bounded Average Average Interference Interference Power Power ⋆ Ahmet Cetinkaya ∗∗ Hideaki Ishii ∗∗ Tomohisa Hayakawa ∗∗ ∗∗ Ahmet Cetinkaya ∗∗ Hideaki Hideaki Ishii ∗∗ Tomohisa Hayakawa ∗∗ Ahmet Ahmet Cetinkaya Cetinkaya Hideaki Ishii Ishii Tomohisa Tomohisa Hayakawa Hayakawa ∗∗ ∗ ∗ Department of Computer Science ∗ Department of Computer Science ∗ Department of Science Tokyo Insitute of Technology, Yokohama, 226-8502, Japan Department of Computer Computer Science Tokyo Insitute Technology, Yokohama, 226-8502, Japan ∗∗ Insitute of Tokyo of Technology, Yokohama, 226-8502, Japan Department of Systems and Control Engineering Tokyo Japan ∗∗ Insitute of Technology, Yokohama, 226-8502, ∗∗ Department of Systems and Control Engineering ∗∗ Department of Systems and Control Engineering Tokyo Institute of Technology, Tokyo 152-8552, Japan Department of Systems and Control Engineering Tokyo Institute of Technology, Tokyo 152-8552, Japan Tokyo 152-8552, (e-mails:[email protected], [email protected], Tokyo Institute Institute of of Technology, Technology, Tokyo Tokyo 152-8552, Japan Japan (e-mails:[email protected], [email protected], (e-mails:[email protected], [email protected], [email protected]) (e-mails:[email protected], [email protected], [email protected]) [email protected]) [email protected]) Abstract: The effect of jamming attacks on the stability of a networked control system is Abstract: The of jamming the stability aa networked system Abstract: The effect of attacks on the stability of control system is explored. this effect networked system, attacks control on input areof to be control transmitted on is a Abstract:In The effect of jamming jamming attacks on thepackets stability ofassumed a networked networked control system is explored. In this networked system, control input packets are assumed to be transmitted on aa explored. In this networked system, control input packets are assumed to be transmitted on wireless channel that faces jamming attacks by a malicious agent. Probability of transmission explored. In this networked system, control input packets are assumed to be transmitted on a wireless channel that faces jamming attacks by a malicious agent. Probability of transmission wireless channel that faces jamming aa malicious agent. Probability of transmission failures on this channel depends on theattacks power by of the interference signals emitted by the jamming wireless channel that faces jamming attacks by malicious agent. Probability of transmission failures this channel on the the signals emitted by failures on onWe thisinvestigate channel depends depends on where the power power of the interference interference signals emitted by the the jamming jamming attacker. the case the of attacker’s interference power is time-varying but failures on this channel depends on the power of the interference signals emitted by the jamming attacker. We investigate the case where the attacker’s interference power is time-varying but attacker. We investigate the case where the attacker’s interference power is time-varying but bounded in average. We obtain almost sure asymptotic stability conditions for the closed-loop attacker. We investigate the case where the attacker’s interference power is time-varying but bounded in average. We obtain almost sure asymptotic stability conditions for the closed-loop bounded in average. We obtain almost sure asymptotic stability conditions for the closed-loop system. For obtaining these stability conditions, we utilize nondecreasing and concave functions bounded in average. We obtain almost sure asymptotic stability conditions for the closed-loop system. For obtaining these stability conditions, we utilize and concave functions system. For these conditions, we nondecreasing and functions of the attacker’s interference power that upper-bound the nondecreasing transmission failure probability. We system. For obtaining obtaining these stability stability conditions, we utilize utilize nondecreasing and concave concave functions of the attacker’s interference power that upper-bound the transmission failure probability. We of the attacker’s interference power that upper-bound the transmission failure probability. present a numerical example to demonstrate the efficacy oftransmission our results. failure probability. We of the attacker’s interference power that upper-bound the We present a numerical example to demonstrate the efficacy of our results. present a numerical example to demonstrate the efficacy of our results. present a numerical example to demonstrate the efficacy of our results. © 2017, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Keywords: Networked control, cyber-security, wireless networks Keywords: Networked control, Keywords: control, cyber-security, cyber-security, wireless wireless networks networks Keywords: Networked Networked control, cyber-security, wireless networks 1. INTRODUCTION networked state estimation problem where the probability 1. INTRODUCTION networked state estimation where the probability networked state problem where the 1. INTRODUCTION of transmission failures on problem the network on the 1. INTRODUCTION networked state estimation estimation problem wheredepends the probability probability of transmission failures on the network depends on the of transmission failures on the network depends the transmission power, power ofthe the network channel noise, andon power Wireless communication channels have recently been uti- of transmission failures on depends on the transmission power, power of the channel noise, and power Wireless communication channels have recently been utitransmission power, power of the channel noise, and power Wireless communication channels have recently been utiof the interference signal emitted by an attacker. The lized for transmission of measurement and control data in transmission power, power of the channel noise, and power Wireless communication channels have recently been utithe interference signal emitted by an lized of and control data in of the signal emitted by attacker. The lized for for transmission transmission of measurement measurement and are control data in of network models in those capture theattacker. effect of The the networked control systems. These channels easier to set of the interference interference signalworks emitted by an an attacker. The lized for transmission of measurement and control data in network models in those works capture the effect of the networked control systems. These channels are easier to set network models in those works capture the effect of networked control systems. These channels are easier to set jamming signals’ interference power on the occurrence of up than dedicated wired communication lines, but they network models ininterference those works capture theoccurrence effect of the the networked control systems. These channels are easier tothey set jamming signals’ power on the of up than dedicated wired communication lines, but jamming signals’ interference power on the occurrence of up than dedicated wired communication lines, but they transmission failures. are pronededicated to jamming attacks. In particular, Pelechrinis jamming signals’ interference power on the occurrence of up than wired communication lines, but they transmission failures. are prone to jamming attacks. In particular, Pelechrinis transmission failures. are prone to jamming attacks. In particular, Pelechrinis et al. (2011) points out that a jamming attacker can transmission failures. are prone to jamming attacks. In particular, Pelechrinis In this paper we consider a discrete-time linear networked et (2011) points out jamming attacker et al. al. disrupt (2011) the points out that that a jamming attacker can easily communication a wireless channelcan by In this paper we consider aa discrete-time linear networked et al. (2011) points out that aa on jamming attacker can In this we linear networked control system, where the control actions sent over a easily disrupt the communication on a wireless channel by In this paper paper we consider consider a discrete-time discrete-time linear networked easily disrupt the communication on a wireless channel by emitting electromagnetic waves to the wireless medium. It control system, where the control actions sent a easily disrupt the communication on a wireless channel by control system, where the control actions sent over a wireless channel may fail to be transmitted to theover plant. emitting electromagnetic waves to the wireless medium. It control system, where the control actions sent over a emitting electromagnetic waves to the wireless medium. It is therefore important towaves address jamming attacks from wireless channel may fail to be transmitted to the plant. emitting electromagnetic to the wireless medium. It wireless channel may fail to be transmitted to the plant. Transmission failures may happen due to channel noise or is therefore important to address jamming attacks from wireless channel may fail to be transmitted to the plant. is therefore important to address jamming attacks from the viewpoint of the cyber-security of control systems failures to noise is therefore important to address jamming attacks from Transmission Transmissioncaused failures may happen due to channel channel noise or or interference bymay the happen jammingdue signal of an attacker. the the control failures may happen due to channel noise or the viewpoint viewpoint of2008; the cyber-security cyber-security of2015). control systems systems Transmission (Cárdenas et al.,of Sandberg et al.,of interference caused by the jamming signal of an attacker. the viewpoint of the cyber-security of control systems interference caused by the jamming signal of an attacker. We employ a model similar to those in Li et al. (2016) and (Cárdenas et al., 2008; Sandberg et al., 2015). interference caused by the jamming signal of an attacker. (Cárdenas et et al., al., 2008; Sandberg Sandberg et al., al., 2015). 2015). employ model similar to those in Li et al. (2016) and (Cárdenas We employ model to in al. (2016) Zhang et al.aaa(2016), where the probability transmission Networked control2008; problems underetmalicious jamming at- We We employ model similar similar to those those in Li Li et etof al. (2016) and and Zhang et al. (2016), where the probability of transmission Networked control problems under malicious jamming atZhang et (2016), where the probability of transmission Networked control problems under under malicious jamming at- failures onal. the wireless channel depends on the power of tacks have been investigated in a few recent works (Amin Zhang et al. (2016), where the probability of transmission Networked control problems malicious jamming aton channel depends on power tacks been investigated aa few recent failures on the the wireless wireless channel by depends on the the attacker. power of of tacks have been investigatedetin in al., few recent works (Amin the interference signals emitted the jamming et al.,have 2009; Bhattacharya 2013; Li works et al.,(Amin 2015; failures failures on the wireless channel depends on the power of tacks have been investigated in a few recent works (Amin the interference signals emitted by the jamming attacker. et al., 2009; Bhattacharya et al., 2013; Li et al., 2015; the interference signals emitted by the jamming attacker. et al., 2009; Bhattacharya et al., 2013; Li et al., 2015; De Persis andBhattacharya Tesi, 2015, 2016) by2013; usingLimethods from the interference signals emitted by the jamming attacker. et al., 2009; et al., et al., 2015; We analyze almost sure asymptotic stability of the closedDe Tesi, 2015, 2016) methods from De Persis Persis and Tesi, 2015,Furthermore, 2016) by by using using methods et from control andand game theory. in Cetinkaya al. We We analyze almost sure system asymptotic stability of the the closedDe Persis and Tesi, 2015, 2016) by using methods from almost sure asymptotic of loopanalyze networked control understability the assumption that control and game theory. Furthermore, in Cetinkaya et al. We analyze almost sure system asymptotic stability of the closedclosedcontrol 2016a), and game game theory. Furthermore, Cetinkaya et al. (2015, wetheory. explored networkedin control problem loop networked control under the assumption that control and Furthermore, in Cetinkaya et al. loop networked control system under the assumption that the attacker’s time-varying interference power is bounded (2015, 2016a), we explored networked control problem loop networked control system under the assumption that (2015, the 2016a), we explored explored networked control problem problem under combined effects ofnetworked malicious jamming attacks the attacker’s time-varying interference power is bounded (2015, 2016a), we control the attacker’s time-varying interference power is bounded in average. This assumption aligns with the observation under the combined effects of malicious jamming attacks the attacker’s time-varying interference power is bounded under the combined effects of malicious jamming attacks and random packet losses happen due to congestion This assumption aligns with the observation under the combined effectsthat of malicious jamming attacks in in average. average. This aligns with the that an adversary with limited energy cannot and random packet that due average. This assumption assumption aligns withresources the observation observation andchannel randomnoise. packet losses thatahappen happen due to to congestion congestion or Welosses utilized binary-valued process to in that an adversary with limited energy resources cannot and random packet losses that happen due to congestion that an adversary with limited energy resources cannot attack a wireless channel with arbitrarily large interference or channel noise. We utilized a binary-valued process to that an adversary with limited energy resources cannot or channel channel noise.caused We utilized utilized a binary-valued binary-valued process to attack a wireless channel with arbitrarily large interference indicate failures by jamming attacks andprocess employed or noise. We a to attack a wireless channel with arbitrarily large interference powers at all time instants. This is because generating and indicate failures caused by jamming attacks and employed attack a wireless channel with arbitrarily large interference indicate failuresmodel caused by jamming attacks and of employed aindicate probabilistic to by describe the attacks occurrence failures powers at all time instants. This is because generating and failures caused jamming and employed powers at all time instants. This is because generating and emitting interference signals in jamming attacks consume a probabilistic model to describe the occurrence of failures atinterference all time instants. This is becauseattacks generating and a probabilistic probabilistic model to describe describe the occurrence occurrence of failures failures in transmissionmodel of state and control input packets. How- powers emitting signals in jamming consume a to the of emitting interference signals in jamming attacks consume energy (Xu et al., 2005; Pelechrinis et al., 2011). in transmission of state and control input packets. Howemitting interference signals in jamming attacks consume in transmission of state and control input packets. However, the effect of the jamming signals’ interference power energy (Xu (Xu et et al., al., 2005; 2005; Pelechrinis Pelechrinis et et al., al., 2011). 2011). in transmission of state and control input packets. power How- energy ever, effect jamming interference (Xu etanalysis al., 2005; al., 2011). ever, the effect of of the thefailures jamming signals’ interference power energy on thethe transmission wassignals’ not specifically modeled The stability inPelechrinis this paper et differs from the analever, the effect of the jamming signals’ interference power on the failures stability analysis in this paper differs from transmisthe analon those the transmission transmission failures was was not not specifically specifically modeled modeled The The stability analysis in this paper differs the in studies. ysis in other works that consider probabilistic on the transmission failures was not specifically modeled The in stability analysis in this paperprobabilistic differs from from transmisthe analanalin those studies. ysis other works that consider in those studies. ysis in other works that consider probabilistic transmission in failures attacks (e.g.,probabilistic Kellett et al. (2005); in those studies. other without works that consider transmisRecently, Li et al. (2016) and Zhang et al. (2016) inves- ysis sion failures without attacks (e.g., Kellett et al. (2005); sion failures (e.g., Kellett et (2005); Ishii (2009); without Lemmonattacks and Hu (2011); Okano Ishii Recently, Li (2016) Zhang et (2016) failures without attacks (e.g., Kellett et al. al.and (2005); Recently,optimal Li et et al. al. (2016) and and and Zhang et al. al.strategies (2016) invesinvestigated transmission attack in a sion Ishii (2009); Lemmon and Hu (2011); Okano and Ishii Recently, Li et al. (2016) and Zhang et al. (2016) invesIshii (2009); Lemmon and Hu (2011); Okano and Ishii (2014)). In those works, transmission failures are modeled tigated optimal transmission and attack strategies in a (2009); Lemmon and Hu (2011); Okano and Ishii tigated optimal optimal transmission transmission and and attack attack strategies strategies in in aa Ishii (2014)). In those works, transmission failures are modeled ⋆ tigated This work was supported in part by the JST CREST Grant (2014)). In those those processes works, transmission transmission failures are modeled modeled using stochastic with known statistical proper⋆ (2014)). In works, failures are This work was supported in part by the JST CREST Grant ⋆ using stochastic processes with known statistical properNo. JPMJCR15K3 and by JSPS underby Grant-in-Aid for Scientific This work in the Grant ⋆ using stochastic known statistical ties. However, in processes this paper,with failures depend on theproperadverThis work was was supported supported in part part the JST JST CREST CREST Grant using stochastic processes with known statistical properNo. JPMJCR15K3 and by JSPS JSPS underbyGrant-in-Aid Grant-in-Aid for Scientific Scientific ties. However, in this paper, failures depend on the adverResearch Grant No. and 15H04020. No. JPMJCR15K3 by under for ties. However, in this paper, failures depend on the adverNo. JPMJCR15K3 and by JSPS under Grant-in-Aid for Scientific ties. However, in this paper, failures depend on the adverResearch Grant No. 15H04020. Research Grant No. 15H04020.

Research Grant No. 15H04020. Copyright 8739Hosting by Elsevier Ltd. All rights reserved. 2405-8963 © © 2017 2017, IFAC IFAC (International Federation of Automatic Control) Copyright © 2017 IFAC 8739 Copyright © 2017 8739 Peer review responsibility of International Federation of Automatic Copyright © under 2017 IFAC IFAC 8739Control. 10.1016/j.ifacol.2017.08.1568

Proceedings of the 20th IFAC World Congress 8406 Ahmet Cetinkaya et al. / IFAC PapersOnLine 50-1 (2017) 8405–8410 Toulouse, France, July 9-14, 2017

sary’s attack strategy which is not known by the system operator with certainty. As a result, we cannot use exact transmission failure probabilities in the stability analysis. Our analysis and results are also different from those in Li et al. (2016) and Zhang et al. (2016), despite the similarity of our network model. In particular, Li et al. (2016) and Zhang et al. (2016) explore optimal power assignment in a state estimation problem from the viewpoints of the sensor and the attacker. The main contribution of our paper is that we obtain stability conditions by using the upper bound for the average interference power of the attacker. In assessing stability, we also employ a nondecreasing and concave upper bound on the function that determines the transmission failure probability for a given interference power. The paper is organized as follows. In Section 2, we explain the networked control problem and describe the wireless communication channel as well as the jamming attacks. In Section 3, we derive stability conditions for the networked control system. We present a numerical example to demonstrate our results in Section 4. Finally, we provide concluding remarks in Section 5. We use a fairly standard notation in the paper. Specifically, N and N0 respectively denote the set of positive and nonnegative integers. Moreover, �·� denotes the Euclidean norm. The notations P[·] and E[·] respectively denote the probability and the expectation on a probability space (Ω, F, P). Furthermore, we utilize 1[E] : Ω → {0, 1} for the indicator of the event E ∈ F, that is, 1[E](ω) = 1, ω ∈ E, and 1[E](ω) = 0, ω ∈ / E, where E ∈ F. 2. NETWORKED CONTROL SYSTEM Consider the networked control system in Fig. 1. Here the plant is the discrete-time linear system given by x(t + 1) = Ax(t) + Bu(t), x(0) = x0 ∈ Rn , t ∈ N0 , (1) where A ∈ Rn×n is the system matrix and B n×m is the input matrix; furthermore, x(t) ∈ Rn and u(t) ∈ Rm respectively denote the state and the control input vectors. In this paper, we explore the case where the uncontrolled (u(t) ≡ 0) system (1) is unstable. We utilize a network control framework where the plant and the controller exchange state measurement and control input packets to achieve stability of the closed-loop system. In particular, we consider the situation where an unreliable wireless communication channel is used for transmission of the control input packets. Transmissions on this wireless channel may fail at times due to channel noise or interference caused by the jamming signal of an attacker. We note that by using an approach similar to the one in Cetinkaya et al. (2016b), the results presented in this paper can be extended to the case where both the state and the control input channels face attacks. For simplicity of presentation, we assume that packet exchanges between the plant and the controller are attempted at each time instant. However, the results in this paper can be adapted to incorporate the event-triggered packet exchange scheme of Cetinkaya et al. (2015). We use a binary-valued process {l(t) ∈ {0, 1}}t∈N0 to indicate success or failure of control input packet transmis-

Fig. 1. Operation of networked control system under jamming attacks sions over the wireless communication channel as depicted in Fig. 1. When a transmission is successful (l(t) = 0), the transmitted control input is applied at the plant side. On the other hand, when there is a transmission failure (l(t) = 1), the control input at the plant side is set to 0. Thus, in this characterization, the control input u(t) applied at the plant side is given by u(t)  (1 − l(t)) Kx(t), t ∈ N0 , (2) m×n where K ∈ R represents the feedback gain. In the next subsection, we characterize the communication channel and the transmission failure indicator {l(t) ∈ {0, 1}}t∈N0 under jamming attacks. 2.1 Wireless Communication Channel Characterization Wireless communication channels face transmission failures due to issues such as fading and interference. Stochastic models have been used in the literature to describe these issues and their effect on the occurrence of communication errors (see Goldsmith (2005); Proakis and Salehi (2007) and the references therein). Recently, Li et al. (2016) explored a stochastic model that also takes into account the effect of interference coming from an attacker. There, the probability of error-free transmission of a packet is a function of Signal to Interference plus Noise Ratio (SINR), which is the ratio of the transmission power of the signal to the sum of the interference power of the attacker and the power of the channel noise. A similar model was also used by Zhang et al. (2016). In this paper, we utilize a model that accounts for the channel noise as well as the power of the attacker’s interference signal. In particular, we consider the case where the transmission power of the control input packets and the power of the channel noise do not change over time, whereas the interference power of the attacker is allowed to be time-varying. We use the process {v(t) ∈ [0, ∞)}t∈N0 to represent the attacker’s interference power. In this paper, we consider characterizations that allow both deterministic and stochastic rules in the generation of v(·). To identify the probability of failures in the transmission of control inputs, we employ the Borel-measurable, nondecreasing function p : [0, ∞) → [0, 1]. In particular, the failure probability at time t given that the jamming attacker sets the interference power to v ∗ ∈ [0, ∞) is represented by (3) P[l(t) = 1|v(t) = v ∗ ] = p(v ∗ ), where v(t) ∈ [0, ∞) is the interference power at time t. The case where v(t) = 0 corresponds to the situation where

8740

Proceedings of the 20th IFAC World Congress Ahmet Cetinkaya et al. / IFAC PapersOnLine 50-1 (2017) 8405–8410 Toulouse, France, July 9-14, 2017

there is no attack at time t. In that case, there may still be a transmission failure due to channel noise, if p(0) > 0. In other words, p(0) represents the probability of failure due to channel noise when there is no attack. We further assume that if the process v(·) is given and deterministic, then l(t1 ) and l(t2 ) are independent of each other for t1 �= t2 , t1 , t2 ∈ N0 . This means if v(·) is constant, then l(·) is a Bernoulli process. For precise characterization, we define l(t) by l(t)  1[r(t) ≤ p(v(t))],

(4)

where, for each t ∈ N0 , r(t) is a random variable distributed uniformly in [0, 1]. We assume that r(0), r(1), . . ., are mutually independent. Furthermore, {r(t) ∈ [0, 1]}t∈N0 and {v(t) ∈ [0, ∞)}t∈N0 are assumed to be mutually independent. Notice that (4) implies (3). Intuitively, when v(t) is large so that p(v(t)) is close to 1, it is likely that r(t) ≤ p(v(t)), and therefore by (4), a transmission failure is likely to occur. A special case of the characterization in (4) is that if the interference power v(t) is equal to a fixed constant v˜ at each t, then l(·) becomes a Bernoulli process with failure probability P[l(t) = 1] = p(˜ v ). In this paper, in comparison to this constant power case, we are more interested in scenarios where the attacker manipulates the interference power v(t) at each time so as to destabilize the networked control system. We note that the assumption on the mutual independence of {r(t) ∈ [0, 1]}t∈N0 and {v(t) ∈ [0, ∞)}t∈N0 restricts the class of attacks that we deal with, but it is not overly so. With this assumption, the attacker is not allowed to have access to the state and the control input information for generating attack strategies, since both the state and the control input depend on r(·). However, the attacker may still be knowledgeable of the system model and generate damaging attacks. Furthermore, the attacker’s interference power at different times are allowed to depend on each other for the stochastic case. Remark 1. The work by Li et al. (2016) considers communication on an additive white Gaussian noise channel with quadrature amplitude modulation scheme (see also Goldsmith (2005)). In that work, an error detection mechanism is also employed to detect bit errors in transmitted packets caused by the channel noise and the attacker’s interference signal. The transmission of a packet is considered to be successful, if the packet arrives at the destination without error. Li et al. (2016) investigates the general situation that both the transmission power and the attacker’s interference power may change over time. A special case of that setup overlaps with the scenario that we consider in this paper. In this scenario, the transmission power is constant, and the transmission failures can be characterized as (4) with  π  p(v) = 2Q , (5) c v + σ2  ∞ s2 where Q(y)  √12π y e− 2 ds, c ∈ (0, ∞) is a constant associated with the parameters of the communication protocol, π ∈ (0, ∞) is the transmission power, and σ 2 ∈ (0, ∞) is the power of the channel noise.

8407

Establishing the following lemma is a key step for obtaining the main results of this paper. Specifically, it provides a way to express the expectation of a product of affine functions that involve the transmission failure indicator l(·) (given by (4)) with an expectation term that involves the attacker’s interference power v(·). Lemma 2. For all α0 , α1 ∈ R, and t1 , t2 ∈ N0 such that t1 < t2 , we have t2 −1 t2 −1 (α1 l(i) + α0 )] = E[ (α1 p(v(i)) + α0 )]. (6) E[ i=t1

i=t1

The proof of this result is given in Cetinkaya et al. (2016c). In the proof, we utilize a set construction method similar to the one used in Section 1.4 of Durrett (2010) for obtaining inequalities that involve integrals with respect to measures. We remark that the assumption on the mutual independence of {r(t)}t∈N0 and {v(t)}t∈N0 is also essential for obtaining the result in Lemma 2. Without this assumption, (6) cannot be established and in some cases t2 −1 t2 −1 we have E[ i=t (α1 l(i) + α0 )] < E[ i=t (α1 p(v(i)) + 1 1 t2 −1 (α1 l(i) + α0 )], and moreover, in some other cases E[ i=t 1 t2 −1 α0 )] > E[ i=t1 (α1 p(v(i)) + α0 )]. 2.2 Jamming Attacks with Bounded Average Power

Generating and emitting interference signals in jamming attacks consume energy (Xu et al., 2005; Pelechrinis et al., 2011). Therefore, a malicious agent with limited energy resources cannot attack a wireless channel with arbitrarily large interference powers at all time instants. We take this observation into account and consider an attack model where the interference power of the attacker is bounded in average. Specifically, we assume that interference power process {v(t) ∈ [0, ∞)}t∈N0 satisfies the following. Assumption 3. There exist scalars κ ≥ 0 and v ≥ 0 such that  t−1   P (7) v(i) ≤ κ + vt = 1, t ∈ N. i=0

t−1 By this characterization, 1t i=0 v(i), the average interference power for the first t time steps, is upper-bounded by κ t +v, almost surely. Here, the scalar v is the key parameter characterizing this upper bound. We remark that (7) allows high interference powers at certain times as long as the average power stays bounded. In particular, the attacker can preserve energy by not attacking for a sufficiently long duration and then generate an interference with large power v(t) so that p(v(t)) is close to 1, which makes a failure very likely at time t. Note that when κ = 0, (7) implies v(t) ≤ (t + 1)v. Scenarios where v(t) > (t + 1)v for some t ∈ N0 can be modeled by setting κ > 0. In the literature of cyber-security of networked control systems, there are other characterizations for describing malicious attacks. For instance, in Shisheh Foroush and Martínez (2013), the attacker periodically repeats cycles of jamming and sleeping. Furthermore, the characterization in De Persis and Tesi (2015, 2016) allows modeling various attack scenarios as long as the length of attack durations is bounded by a certain ratio of total time. In Cetinkaya et al. (2015, 2016a), we followed the approach in De Persis and

8741

Proceedings of the 20th IFAC World Congress 8408 Ahmet Cetinkaya et al. / IFAC PapersOnLine 50-1 (2017) 8405–8410 Toulouse, France, July 9-14, 2017

Our analysis on p indicates that in the case where cπ−3σ 2 ≤ 0, p is a concave function and pˆ given by (9) 3 is identical to p. Fig. 2 shows an example for the other 2 case where cπ−3σ > 0. Notice that in this case p is not a 3 concave function, but pˆ is.

0.6 0.4 pˆ(v)

0.2

p(v)

0.0 0

2

4

6

8

10

v

Fig. 2. Comparison of p(·) and pˆ(·) given respectively by (5) and (9) with c = 1, π = 3, σ 2 = 0.4 Tesi (2015) and considered a discrete-time characterization where the packet exchange attempts that fail due to malicious attacks are upper bounded almost surely by a certain ratio of the total time. The characterization with Assumption 3 is similar to those in Cetinkaya et al. (2015, 2016a) in the sense that it allows us to describe an upper bound on the average strength of the attacker without knowing the attacker’s specific actions at each time. The difference is that here we consider the power of the interference signals for determining the strength of the attacker. On the other hand, in Cetinkaya et al. (2015, 2016a), the interference power was not considered; the strength of an attack strategy was determined based directly on how many packet failures it causes. 2.3 Upper-Bounding Function for Failure Probabilities Assumption 3 allows the jamming attacker to use different interference powers at different times. For instance, the attacker can periodically change the power level between two scalars vmin > 0 and vmax > vmin . In this case min Assumption 3 holds with v = vmax +v . Furthermore, 2 the average transmission failure probability is given by p(vmax )+p(vmin ) . Notice that when the transmission failure 2 probability function p is convex in the interval [vmin , vmax ], min ) ≥ p(v). Hence, when p is not a concave then p(vmax )+p(v 2 function, p(v) cannot be used in stability analysis to indicate an upper bound on average transmission failure probability. To overcome this issue, we utilize a concave function that upper-bounds p. Specifically, let pˆ: [0, ∞) → [0, 1] denote a continuous, nondecreasing, and concave function such that pˆ(v) ≥ p(v), v ∈ [0, ∞). (8) Note that a concave function is necessarily continuous in the interior of its domain. Hence, the function pˆ defined on the interval [0, ∞) is continuous on the open interval (0, ∞). Here, we also require pˆ to be continuous at 0, i.e., limv→0+ pˆ(v) = pˆ(0). Note that for a given p, there always exists a continuous, nondecreasing, and concave upper-bounding function pˆ. For instance the following result presents an upperbounding function pˆ for p given in (5) in Remark 1. Proposition 4. Consider the function p(·) given by (5). 2 Let ψ  max{0, cπ−3σ }. The function pˆ: [0, ∞) → [0, 1] 3 defined by pˆ(v)  p(v + ψ), v ∈ [0, ∞), (9) is continuous, nondecreasing, and concave; furthermore, it satisfies (8). Proof. See Cetinkaya et al. (2016c).



In the next section, we utilize the scalar v ≥ 0 from Assumption 3 together with the upper-bounding function pˆ to obtain sufficient conditions for the stability of the networked control system (1), (2). 3. STABILITY ANALYSIS In this section, we investigate almost sure asymptotic stability of the networked control system (1), (2). The following is the discrete-time version of the almost sure asymptotic stability definition in Xie (2011). Definition 5. The zero solution x(t) ≡ 0 of the system (1), (2), is almost surely stable if, for each ǫ > 0 and p¯ > 0, there exists δ = δ(ǫ, p¯) > 0 such that if �x(0)� < δ, then P[ sup �x(t)� > ǫ] < p¯. (10) t∈N0

Moreover, the zero solution x(t) ≡ 0 is asymptotically stable almost surely if it is almost surely stable and P[ lim �x(t)� = 0] = 1. (11) t→∞

The main challenge in the stability analysis of the system (1), (2) is that we do not know the exact stochastic (or deterministic) rule that governs the evolution of v(·). For almost sure asymptotic stability analysis, we utilize an upper bound on the expectation of a function of the jamming attacker’s interference power v(·). Specifically, the t−1 next result provides an upper bound for E[ i=0 f (v(i))], where f (·) is a nondecreasing and concave function. Lemma 6. Let f : [0, ∞) → (0, ∞) be a nondecreasing and concave function. Suppose that the attacker’s interference power process {v(t) ∈ [0, ∞)}t∈N0 satisfies Assumption 3. Then for all t ∈ N, we have t−1   κ E f (v(i)) ≤ f t ( + v). (12) t i=0 t−1 The term E[ i=0 f (v(i))] in (12) is used in the stability analysis in the following part to represent the effect of the jamming attack. Note that as indicated t−1by Lemma 6, the attack scenario that maximizes E[ i=0 f (v(i))] is given by v(i) = κt + v for each i ∈ {1, . . . , t}. We remark that the attack scenario with equal interference powers for each time is not necessarily the worst-case scenario from the perspective of stabilization. Furthermore, there may be other scenarios that achieve larger number of packet losses in average. The advantage of Lemma t−1 6 is that it allows us to obtain an upper bound for E[φ i=0 l(i) ] (with φ > 1), which is an indicator of the expected number of packet losses in the first t time steps. In particular, we use Lemma 6 with f (v)  (φ − 1)ˆ p(v) + 1, v ∈ [0, ∞), where pˆ(v) is a nondecreasing and concave function (8). We then employ the inequality t−1 satisfying t−1 l(i) E[φ i=0 ] ≤ E[ i=0 f (v(i))] together with (12).

Next, by utilizing Lemma 6, we explore almost sure asymptotic stability of the networked control system (1),

8742

Proceedings of the 20th IFAC World Congress Ahmet Cetinkaya et al. / IFAC PapersOnLine 50-1 (2017) 8405–8410 Toulouse, France, July 9-14, 2017

(2). For obtaining stability conditions, we will use some of the results from our previous work (Cetinkaya et al., 2016a), where we also considered the stability problem for a networked control system. In that work, the failure indicator process {l(t) ∈ {0, 1}}t∈N0 for the networked control system was assumed to satisfy the inequality t−1 ∞ � � P[ l(i) > ρt] < ∞, (13) t=1

i=0

with a scalar ρ ∈ [0, 1]. This assumption was shown to be general enough to capture some random and malicious packet loss models, but the model in Section 2.1 was not considered in that work.

In Proposition 7 below, we extend the results in Cetinkaya et al. (2016a) and show that under Assumption 3, transmission failure indicator process l(·) defined in Section 2.1 also satisfies (13). Proposition 7. Suppose that the attacker’s interference power process {v(t) ∈ [0, ∞)}t∈N0 satisfies Assumption 3 with v ≥ 0 such that pˆ(v) < 1. Then the transmission failure indicator process {l(t) ∈ {0, 1}}t∈N0 given by (4) satisfies (13) for all ρ ∈ (ˆ p(v), 1). Due to space limitations, the proof of this result is given in Cetinkaya et al. (2016c). In the proof, we follow an approach based on using Markov’s inequality for obtaining Chernoff-type tail distribution inequalities (see Lemma A.1 of Cetinkaya et al. (2016a), Section 1.9 of Billingsley (2012)). Furthermore, Lemmas 2 and 6 are also essential in the proof. In the next result, we use Proposition 7 to establish the stability of the networked control system. Theorem 8. Consider the closed-loop networked control system (1), (2). Suppose that the attacker’s interference power process {v(t) ∈ [0, ∞)}t∈N0 satisfies Assumption 3. If there exist a positive-definite matrix P ∈ Rn×n , and scalars β ∈ (0, 1), ϕ ∈ [1, ∞) such that T

βP − (A + BK) P (A + BK) ≥ 0,

(14)

T

ϕP − A P A ≥ 0, (15) (16) (1 − pˆ(v)) ln β + pˆ(v) ln ϕ < 0, then the zero solution x(t) ≡ 0 of the closed-loop system is asymptotically stable almost surely. Proof. By (16), we have pˆ(v) < 1. It then follows from Proposition 7 of this paper together with Lemma 3.3 of Cetinkaya et al. (2016a) that � 1 t−1 lim sup l(i) ≤ pˆ(v), t t→∞ i=0 almost surely. The result then follows from Theorem 3.5 of Cetinkaya et al. (2016a) with ρ = pˆ(v).  Theorem 8 provides a method to assess the stability of the system (1), (2) under jamming attacks that satisfy Assumption 3. The scalar β in condition (14) characterizes the stability of the closed-loop dynamics when the control input transmissions are successful. On the other hand the instability of the open-loop dynamics when transmissions fail is represented by ϕ in (15). The condition (16) involves both β and ϕ as well as pˆ(v), which represents an upper bound on the effect of the jamming attacks. If the average interference power of the attacker and hence the scalar v in

8409

Assumption 3 is sufficiently small, then pˆ(v) satisfies (16). In such cases we have almost sure asymptotic stability under any attack scenario that satisfies Assumption 3. We remark that there may be many ways to select pˆ, since there are infinitely many concave functions upperbounding the function p. If pˆ is selected as a very loose bound on p, then pˆ(v) may be unnecessarily large and the left-hand side of (16) may be positive. To prevent conservativeness of the results, it is ideal if pˆ can be selected so that pˆ(v) is sufficiently close to p(v). Note that if p is a concave function, then pˆ can be selected so that pˆ(v) = p(v), v ≥ 0. In that case, we have pˆ(v) = p(v) in (16). Notice that if p is not a concave function, in certain cases we have pˆ(v) > p(v) for all concave upper-bounding functions pˆ, and as a result we cannot replace pˆ(v) with p(v) in (16) for stability analysis. Note that conditions (14)–(16) can be checked using a numerical method similar to the one provided in Section 3.B of Cetinkaya et al. (2016a). This method is based on iterating over a set of values of β and ϕ that satisfy (16). In each iteration, we assess the feasibility of matrix inequalities (14) and (15), which are linear in P when β, ϕ, and K are fixed. Furthermore, the method provided in Corollary 3.8 in Cetinkaya et al. (2016a) can be used in designing a feedback gain K that guarantees stability. We remark that Theorem 8 takes into account all attack scenarios achievable under Assumption 3 including the worst-case scenarios which may take different forms for each system and are difficult to identify by the system operator. We demonstrate the efficacy of Theorem 8 in the following section. 4. NUMERICAL EXAMPLE Consider the networked control system (1), (2) with � � � � 0 0.1 −1 , K = [ −0.9277 −1.2615 ]. ,B = A= 1 1.1 1.8 We explore the wireless channel characterized in Remark 1. Specifically, the transmission probability function p : [0, ∞) → [0, 1] is assumed to be given by (5) with c = 1, π = 3, σ 2 = 0.4. By Proposition 4, the function pˆ given in (9) is a continuous, nondecreasing and concave upper bound for the function p. For this wireless channel, we consider an attack strategy that satisfies Assumption 3 with κ = 0 and v = 3.5. Specifically, the attacker’s interference power process v(·) is assumed to be given by v(0) = 0 and  t−1 �  y(t), if y(t) + v(i) ≤ v(t + 1), v(t) = t ∈ N, (17) i=0  0, otherwise,

where y(t), for each t ∈ N, is a random variable that is distributed uniformly in the interval [5, 15], and y(0), y(1), . . ., are mutually independent. In this strategy, the interference power of the attacker is either 0 or a power level between 5 and 15. Specifically, it follows from (17) and 5 > v that the attacker needs to preserve energy by not attacking for a duration before emitting an interference signal with power between 5 and 15.

8743

ln �x(t)�

Proceedings of the 20th IFAC World Congress 8410 Ahmet Cetinkaya et al. / IFAC PapersOnLine 50-1 (2017) 8405–8410 Toulouse, France, July 9-14, 2017

0 −5 −10 −15

0

5

10 Time[t]

15

20

Fig. 3. Sample paths of ln x(t) when the jamming attacker uses the strategy (17)

In this example pˆ(v) = 0.41422. To assess stability, we check conditions (14)–(16) of Theorem 8, by using a numerical method similar to the one in Section 3.B of Cetinkaya et al. (2016a). We note that (14)–(16) hold with   0.7728 0.8554 , β = 0.3, ϕ = 5.4884. (18) P = 0.8554 3.2649 Hence it follows from Theorem 8 that the closed-loop system is almost surely asymptotically stable under the attack scenario given by (17). We obtain 250 sample trajectories of ln �x(·)� by using the same initial condition x0 = [1, 1]T with different sample paths for v(·) and l(·). As seen in Fig. 3, all trajectories of ln �x(·)� approach −∞, indicating convergence of the state to 0. 5. CONCLUSION We explored the control problem of a linear plant over a wireless communication channel that faces attacks. The probability of transmission failures on this channel depends on the power of the interference signal coming from an attacker. We investigated closed-loop stability for the scenarios where the power of the attacker’s interference signal is time-varying but bounded in average. We obtained sufficient conditions for almost sure asymptotic stability of the closed-loop system. In future research, we will investigate the case where the closed-loop system dynamics involve disturbance that represent process noise, quantization errors, and data injection attacks by an attacker. REFERENCES Amin, S., Cárdenas, A.A., and Sastry, S.S. (2009). Safe and secure networked control systems under denial-ofservice attacks. In Proc. 12th HSCC, 31–45. Bhattacharya, S., Gupta, A., and Başar, T. (2013). Jamming in mobile networks: A game-theoretic approach. J. Num. Algeb. Control Optim., 3(1), 1–30. Billingsley, P. (2012). Probability and Measure. Wiley. Cárdenas, A.A., Amin, S., and Sastry, S. (2008). Research challenges for the security of control systems. In Proc. Conf. Hot Topics in Security. Cetinkaya, A., Ishii, H., and Hayakawa, T. (2015). Eventtriggered control over unreliable networks subject to jamming attacks. In Proc. IEEE Conf. Dec. Contr., 4818–4823. Cetinkaya, A., Ishii, H., and Hayakawa, T. (2016a). Networked control under random and malicious packet losses. IEEE Trans. Autom. Control, to appear. http://dx.doi.org/10.1109/TAC.2016.2612818.

Cetinkaya, A., Ishii, H., and Hayakawa, T. (2016b). Random and malicious packet transmission failures on multi-hop channels in networked control systems. In Proc. IFAC NecSys, 49–54. Cetinkaya, A., Ishii, H., and Hayakawa, T. (2016c). Wireless control under jamming attacks with bounded average interference power. Technical Report. De Persis, C. and Tesi, P. (2016). Networked control of nonlinear systems under denial-of-service. Syst. Control Lett., 96, 124–131. De Persis, C. and Tesi, P. (2015). Input-to-state stabilizing control under denial-of-service. IEEE Trans. Autom. Control, 60(11), 2930–2944. Durrett, R. (2010). Probability: Theory and Examples. Cambridge University Press. Goldsmith, A. (2005). Wireless Communications. Cambridge University Press. Ishii, H. (2009). Limitations in remote stabilization over unreliable channels without acknowledgements. Automatica, 45(10), 2278–2285. Kellett, C.M., Mareels, I.M.Y., and Nešic, D. (2005). Stability results for networked control systems subject to packet dropouts. Proc. 16th IFAC W. Congress. Lemmon, M. and Hu, X.S. (2011). Almost sure stability of networked control systems under exponentially bounded bursts of dropouts. In Proc. 14th HSCC, 301–310. Li, Y., Quevedo, D.E., Dey, S., and Shi, L. (2016). SINR-based DoS attack on remote state estimation: A game-theoretic approach. IEEE Trans. Control Netw. Syst., to appear. http://dx.doi.org/10.1109/TCNS.2016.2549640. Li, Y., Shi, L., Cheng, P., Chen, J., and Quevedo, D.E. (2015). Jamming attacks on remote state estimation in cyber-physical systems: A game-theoretic approach. IEEE Trans. Autom. Control, 60(10), 2831–2836. Okano, K. and Ishii, H. (2014). Stabilization of uncertain systems with finite data rates and Markovian packet losses. IEEE Trans. Control Netw. Syst., 1(4), 298–307. Pelechrinis, K., Iliofotou, M., and Krishnamurty, S.V. (2011). Denial of service attacks in wireless networks: The case of jammers. IEEE Commun. Surveys Tuts., 13(2), 245–257. Proakis, J.G. and Salehi, M. (2007). Digital Communications. McGraw-Hill. Sandberg, H., Amin, S., and Johansson, K.H. (2015). Special issue on cyberphysical security in networked control systems. IEEE Control Syst. Mag., 35(1). Shisheh Foroush, H. and Martínez, S. (2013). On singleinput controllable linear systems under periodic DoS jamming attacks. In Proc. SIAM Conf. Contr. Appl. Xie, W.C. (2011). Dynamic stability of structures. Cambridge University Press. Xu, W., Trappe, W., Zhang, Y., and Wood, T. (2005). The feasibility of launching and detecting jamming attacks in wireless networks. In Proc. 6th ACM Int. Symp. Mobile Ad Hoc Network. Comput., 46–57. Zhang, H., Qi, Y., Wu, J., Fu, L., and He, L. (2016). DoS attack energy management against remote state estimation. IEEE Trans. Control Netw. Syst., to appear. http://dx.doi.org/10.1109/TCNS.2016.2614099.

8744