Active GLR detector for resilient LQG controller in networked control systems
T. Rhouma**, J.Y. Keller*, D. Sauter*, K. Chabir**, M.N. Abdelkrim**
**Gabès University, ENIG, Tunisia
*Lorraine University, France
Presented by
Jean-Yves Keller
Outline
Safety of Cyber Physical System (CPS)
Description of malicious actions in CPS
Linear Quadratic Gaussian (LQG) controller subject to zero dynamic attack
Resilient LQG controller from active Fault Detection and Isolation (FDI) scheme
Perspectives
Safety of Cyber Physical System (CPS)
[Diagram: a CPS made of a physical system, a network and a cyber system, exposed to natural actions (disturbances, faults) and malicious actions (cyber attacks, malware).]
A CPS may be subject to natural or malicious actions.
[Diagram: the same CPS, with Intrusion Detection Systems (IDS) and the control law added.]
Control law goals (control theory): stability, robustness, tolerance.
Goals (computer science): confidentiality, integrity, availability.
Security of CPS: the safety of a CPS must be studied from the control theory viewpoint, for the safety of the physical system, and from the computer science viewpoint, for the security of information.
Goals (computer science), extended: confidentiality, integrity, availability, resilience.
Resilience is the ability of the IDS to quickly recover the normal situation after the occurrence of malicious actions.
Control law goals (control theory), extended: stability, robustness, tolerance, resilience.
Goal of this paper: design a resilient control law able to quickly recover the normal situation after the occurrence of malicious actions.
Description of malicious actions in CPS
Malicious actions in NCS (Networked Control Systems) can be summarized as follows.
[Diagram, repeated for each case: the plant and the controller exchange the control signal $u_k$ and the measurement $y_k$ over an unreliable network; the label of each attack marks where it acts in the loop.]
A2: Denial of Service (DoS) attacks on measurements
A4: Denial of Service (DoS) attacks on control signal
A1: Deception attacks on measurements (false data injection)
A3: Deception attacks on control signal (false data injection)
A5: Physical attacks on the plant (close to traditional actuator or sensor faults)
A. Cardenas, S. Amin, S. Sastry, “Secure control: Towards survivable cyber-physical systems”, First International Workshop on Cyber-Physical System, Beijing, China, pp. 495-500, 2008
Covert attack (two coordinated false data injections, A1 and A3)
R. Smith, “A decoupled feedback structure for covertly appropriating network control system”, IFAC World Congress, Milan, 2011
Replay attack (false data injection A3 coordinated with a delay on the output, $y_{k-\tau}$)
Y. Mo, B. Sinopoli, “Secure control against replay attacks”, Allerton Conf. on Communication, Control, and Computation, 2012
A6: Malware infecting the executable program of controllers (Stuxnet). Stuxnet can be viewed as a replay attack.
Standard LQG controller subject to zero dynamic attack
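Networked Control System (NCS)
[Diagram: the plant (state $x_k$) receives $u_k$ from the LQG controller and returns $y_k$ through the network.]
The plant: linear discrete-time stochastic system
$$x_{k+1} = A x_k + B u_k + w_k, \qquad y_k = C x_k + v_k$$
affected by zero-mean white Gaussian state and measurement noises of covariance
$$E\left\{ \begin{bmatrix} w_k \\ v_k \end{bmatrix} \begin{bmatrix} w_j \\ v_j \end{bmatrix}^T \right\} = \begin{bmatrix} W & 0 \\ 0 & V \end{bmatrix} \delta_{k,j}, \qquad W \geq 0, \quad V > 0$$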
Without data loss induced by the network, the optimal LQG controller includes:
NCS with optimal Linear Quadratic Controller (LQG)
[Diagram: the loop with $y_k = x_k$ and $u_k = -L x_k$.]
The LQ controller $u_k = -L x_k$
$$S = A^T S A + Q - A^T S B (B^T S B + R)^{-1} B^T S A$$
$$L = (B^T S B + R)^{-1} B^T S A$$
$$J = \min \lim_{T \to \infty} E\left\{ \frac{1}{T} \left[ \sum_{k=0}^{T-1} x_k^T Q x_k + u_k^T R u_k \right] \right\}, \qquad Q \geq 0, \quad R > 0$$
NCS with optimal Linear Quadratic Controller (LQG)
[Diagram: the LQG controller contains a Kalman filter producing $\hat{x}_{k/k}$ and the innovation $\gamma_k$, and applies $u_k = -L \hat{x}_{k/k}$.]
The Kalman filter
$$\hat{x}_{k+1/k} = A \hat{x}_{k/k-1} + B u_k + K_k (y_k - C \hat{x}_{k/k-1})$$
$$P_{k+1/k} = (A - K_k C) P_{k/k-1} (A - K_k C)^T + K_k V K_k^T + W$$
$$K_k = A P_{k/k-1} C^T (C P_{k/k-1} C^T + V)^{-1}$$
where $\gamma_k = y_k - C \hat{x}_{k/k-1}$ is the innovation sequence, of covariance $Q_k = C P_{k/k-1} C^T + V$.
Monitoring of the NCS
[Diagram: the innovation $\gamma_k$ of the Kalman filter feeds a decision test with threshold level $\lambda$.]
Passive Chi-squared decision test
$$T_k = \gamma_k^T Q_k^{-1} \gamma_k$$
with $T_k \geq \lambda$ deciding $H_1$ and $T_k < \lambda$ deciding $H_0$, where $H_1$ is the fault hypothesis, $H_0$ is the no-fault hypothesis and $\lambda$ is a threshold level fixing the rate of false alarms.
NCS with optimal LQG controller
Assumptions: $(A, C)$ detectable, $(A, B)$ stabilisable, $(A, W^{1/2})$ stabilisable, $(A, Q^{1/2})$ detectable
$\Rightarrow$ The two Riccati equations are stable
$\Rightarrow$ The nominal NCS is stable: $\lim_{k \to \infty} x_k \to 0$
NCS subject to covert attack (two coordinated deception attacks)
[Diagram: the attacker adds $d_k \neq 0 \ \forall k \geq t$ to the control signal $u_k$ sent to the plant and subtracts $\nu_k \neq 0 \ \forall k \geq t$ from the measurement $y_k$ sent to the Kalman filter of the LQG controller.]
Assumption: the attacker knows the state model of the plant.
Goal of the attacker: destabilize the NCS while remaining undetectable from the passive decision test.
NCS subject to covert attack
[Diagram: the attack adds the consequences $\Delta x_k^a$ and $\Delta y_k^a$ to the state and output of the plant.]
How to reach this goal: freely choose $d_k \neq 0 \ \forall k \geq t$ and compute $\nu_k \ \forall k \geq t$ from the additive consequence $(\Delta x_k^a, \Delta y_k^a)$ of $d_k \neq 0$ on $(x_k, y_k)$, described by
$$\Delta x_{k+1}^a = A \Delta x_k^a + B d_k, \qquad \nu_k = \Delta y_k^a = C \Delta x_k^a$$
with $\Delta x_t^a = 0$ at the intrusion time.
Model of the plant viewed by the controller under covert attack
[Diagram: the plant, the attacker and the network are grouped in a block labelled "Plant viewed by the controller", with output $\bar{y}_k$.]
Point of view of the defender: under $\Delta x_t^a = 0$, the model of the plant under attack viewed by the controller
$$x_{k+1} = A x_k + B(u_k + d_k) + w_k, \qquad \bar{y}_k = C x_k + \Delta y_k^a - \nu_k + v_k$$
coincides with the model of the nominal plant
$$x_{k+1} = A x_k + B u_k + w_k, \qquad y_k = C x_k + v_k$$
NCS subject to covert attack
[Diagram: the attacker now only adds $d_k \neq 0 \ \forall k \geq t$ to the control signal.]
Simultaneous attack on inputs and outputs is not very realistic.
Question: with a deception attack applied only to control signals, is it possible for an attacker to destabilize the NCS while remaining undetectable?
NCS subject to zero dynamic attack
Answer: yes, with a zero dynamic attack, if the plant has at least one unstable invariant zero, that is, when there exists $\lambda > 1$ so that the system matrix
$$\begin{bmatrix} I\lambda - A & -B \\ C & 0 \end{bmatrix}$$
loses its normal rank (structural vulnerability of the plant).
A. Teixeira, I. Shames, H. Sandberg, K.H. Johansson, “Revealing stealthy attacks in control systems”, 50th Annual Allerton Conference on Communication, Control, and Computation, 2012
NCS subject to zero dynamic attack
[Diagram: the attacker adds $d_k = \alpha g \lambda^{k-t} \ \forall k \geq t$ to the control signal $u_k$ on the network.]
How to reach this goal: with a closed-loop deception attack described by
$$\Delta\bar{x}_{k+1}^a = (A - BG)\,\Delta\bar{x}_k^a, \qquad d_k = -G\,\Delta\bar{x}_k^a$$
where the state feedback gain $G = g(\xi)^+$ and the initial condition $\Delta\bar{x}_t^a = \alpha\xi$ are obtained from
$$\begin{bmatrix} I\lambda - A & -B \\ C & 0 \end{bmatrix} \begin{bmatrix} \xi \\ g \end{bmatrix} = 0$$
so that $\Delta\bar{x}_k^a = \alpha\xi\lambda^{k-t}$ with $d_k = \alpha g \lambda^{k-t}$, where $\alpha$ is a scaling factor, satisfies the destabilizing goal $\lim_{k\to\infty} \Delta\bar{x}_k^a \to \infty$ and the stealthy goal $\Delta\bar{y}_k^a = C\,\Delta\bar{x}_k^a = 0 \ \forall k \geq t$.
NCS subject to zero dynamic attack
Point of view of the defender: the solution $\Delta\bar{x}_k^a = \alpha\xi\lambda^{k-t}$ to the autonomous system $\Delta\bar{x}_{k+1}^a = (A - BG)\,\Delta\bar{x}_k^a$ does not correspond to the additive consequence $\Delta x_k^a$ of the attack on the state variables of the plant. A zero dynamic attack can be expressed from the additive consequence of the attack as follows:
$$\Delta x_{k+1}^a = (A - BG)\,\Delta x_k^a + \xi\alpha\delta_{t+1}, \qquad d_k = -G\,\Delta\bar{x}_k^a$$
where $\alpha\delta_{t+1}$ is a one step advanced pulse of unknown size $\alpha$ and occurrence time, and $\delta_{t+1}$ the Kronecker symbol.
NCS subject to zero dynamic attack
Point of view of the defender: augmented state model of the plant viewed by the controller
$$\begin{bmatrix} x_{k+1} \\ \Delta x_{k+1}^a \end{bmatrix} = \begin{bmatrix} A & -BG \\ 0 & A - BG \end{bmatrix} \begin{bmatrix} x_k \\ \Delta x_k^a \end{bmatrix} + \begin{bmatrix} B \\ 0 \end{bmatrix} u_k + \begin{bmatrix} 0 \\ \xi \end{bmatrix} \alpha\delta_{t+1} + \begin{bmatrix} I \\ 0 \end{bmatrix} w_k$$
$$y_k = \begin{bmatrix} C & 0 \end{bmatrix} \begin{bmatrix} x_k \\ \Delta x_k^a \end{bmatrix} + v_k$$
From the state transformation
$$\begin{bmatrix} \bar{x}_k \\ \Delta x_k^a \end{bmatrix} = \begin{bmatrix} I & -I \\ 0 & I \end{bmatrix} \begin{bmatrix} x_k \\ \Delta x_k^a \end{bmatrix}$$
we obtain the transformed augmented state model of the plant
$$\begin{bmatrix} \bar{x}_{k+1} \\ \Delta x_{k+1}^a \end{bmatrix} = \begin{bmatrix} A & 0 \\ 0 & A - BG \end{bmatrix} \begin{bmatrix} \bar{x}_k \\ \Delta x_k^a \end{bmatrix} + \begin{bmatrix} B \\ 0 \end{bmatrix} u_k + \begin{bmatrix} -\xi \\ \xi \end{bmatrix} \alpha\delta_{t+1} + \begin{bmatrix} I \\ 0 \end{bmatrix} w_k$$
$$y_k = \begin{bmatrix} C & C \end{bmatrix} \begin{bmatrix} \bar{x}_k \\ \Delta x_k^a \end{bmatrix} + v_k$$
NCS subject to zero dynamic attack
Point of view of the defender: from $C \Delta x_k^a = 0 \ \forall k \geq t$, signifying that $\Delta x_k^a$ is unobservable, we can derive the n-order model of the plant
$$\bar{x}_{k+1} = A \bar{x}_k + B u_k - \xi\alpha\delta_{t+1} + w_k, \qquad y_k = C \bar{x}_k + v_k$$
showing that
$$\Delta y_k^a = -C A^{k-t} \xi \alpha \quad \forall k \geq t$$
From $\Delta y_k^a = -C A^{k-t} \xi \alpha \ \forall k \geq t$ we conclude that a zero dynamic attack may be quasi undetectable with $\alpha$ near to zero and $\xi$ orthogonal to the left eigenvector of $A$ associated to unstable eigenvalues.
A. Teixeira, I. Shames, H. Sandberg, K.H. Johansson, “Revealing stealthy attacks in control systems”, 50th Annual Allerton Conference on Communication, Control, and Computation, 2012
Illustrative example with Matlab
Standard LQG controller subject to zero dynamic attack
[Diagram: standard LQG controller under the zero dynamic attack $d_k = \alpha g \lambda^{k-t} \ \forall k \geq t$.]
The plant
$$A = \begin{bmatrix} 0.6 & 0 & 0.34 & 0.35 \\ 0 & 0.8 & 0 & 0.37 \\ 0 & 0 & 0.5 & 0 \\ 0 & 0 & 0 & 0.9 \end{bmatrix}, \quad B = \begin{bmatrix} 1 & 0 & 0 \\ 1 & 0 & 1 \\ 0 & 0 & 2 \\ 0 & 1 & 1 \end{bmatrix}, \quad C = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix}$$
has a real unstable invariant zero $\lambda = 1.18$. The matrix $A$ is stable and $\dim(\ker(C)) = 1$.
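Added example (not part of the slides): a structural vulnerability check of this plant from the defender's side. Because dim(ker(C)) = 1 fixes ξ, the rank condition on the system matrix becomes a linear system in (λ, g); the code solves it, then iterates the additive-consequence recursion Δx(k+1) = AΔx(k) + Bd(k) to confirm that the sensors only see −CA^(k−t)ξα while the unmeasured state grows. The function names and the value α = 1e-3 are assumptions of this example; the matrices are read from the slide.

```python
# Added example (not from the slides): plant matrices as given on the page.
A = [[0.6, 0.0, 0.34, 0.35], [0.0, 0.8, 0.0, 0.37],
     [0.0, 0.0, 0.5, 0.0], [0.0, 0.0, 0.0, 0.9]]
B = [[1.0, 0.0, 0.0], [1.0, 0.0, 1.0], [0.0, 0.0, 2.0], [0.0, 1.0, 1.0]]
C = [[1.0, 0.0, 0.0, 0.0], [0.0, 1.0, 0.0, 0.0], [0.0, 0.0, 0.0, 1.0]]
XI = [0.0, 0.0, 1.0, 0.0]  # basis of ker(C): x3 is the only unmeasured state


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def solve(M, b):
    """Gauss-Jordan elimination with partial pivoting (small square system)."""
    n = len(b)
    aug = [list(row) + [rhs] for row, rhs in zip(M, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("singular system: (lambda, g) not uniquely determined")
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [a - f * p for a, p in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def invariant_zero(A, B, xi):
    """Solve (lambda*I - A) xi = B g, rewritten as [xi, -B] [lambda; g] = A xi.

    Valid when ker(C) is one-dimensional (C xi = 0 fixes xi up to scale) and
    the plant has len(xi) - 1 inputs, as for the slide's plant.
    """
    M = [[xi[i]] + [-b for b in B[i]] for i in range(len(xi))]
    sol = solve(M, matvec(A, xi))
    return sol[0], sol[1:]


def additive_consequence(alpha, steps):
    """Iterate Dx_{k+1} = A Dx_k + B d_k from Dx_t = 0, d_k = alpha*g*lam^(k-t).

    Returns rows (k - t, Dx3, Dy, predicted) where Dy = C Dx is what the
    sensors see and predicted = -C A^(k-t) xi alpha is the slide's formula.
    """
    lam, g = invariant_zero(A, B, XI)
    dx, a_pow_xi, rows = [0.0] * len(XI), list(XI), []
    for j in range(steps):
        dy = matvec(C, dx)
        predicted = [-alpha * c for c in matvec(C, a_pow_xi)]
        rows.append((j, dx[2], dy, predicted))
        d = [alpha * gi * lam ** j for gi in g]
        dx = [p + q for p, q in zip(matvec(A, dx), matvec(B, d))]
        a_pow_xi = matvec(A, a_pow_xi)
    return rows


if __name__ == "__main__":
    lam, g = invariant_zero(A, B, XI)
    print("invariant zero:", round(lam, 4), "g:", [round(x, 4) for x in g])
    for j, dx3, dy, _ in additive_consequence(alpha=1e-3, steps=61)[::20]:
        print(j, "hidden Dx3 = %.4g" % dx3, "max |Dy| = %.2e" % max(map(abs, dy)))
```

The measured deviation stays bounded by a fraction of α and decays with the stable matrix A, which is why a chi-squared test on the innovation alone does not separate it from noise.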
Standard LQG controller under zero dynamic attack
[Plot: zero dynamic attack $d_k = \alpha g \lambda^{k-t}$ with $\alpha$ very close to zero, versus time.]
[Plot: the state $x_k = [x_k^1 \; x_k^2 \; x_k^3 \; x_k^4]^T$ of the plant versus time, with the unmeasured state $x_k^3$ marked.]
[Plot: detection variable of the passive defender $T_k = \gamma_k^T Q_k^{-1} \gamma_k$ versus time, tested against the threshold level $\mu$ ($H_1$ if $T_k \geq \mu$, $H_0$ if $T_k < \mu$).]
Resilient LQG controller from active FDI scheme
Active FDI scheme for covert attack detection
[Diagram: NCS under replay attack, where the Kalman filter receives the delayed output $y_{k-\tau}$; a data injection $e_k$ is added to the control signal and the decision test on $\gamma_k$ uses the threshold level $\lambda_k$.]
Active FDI scheme: active FDI schemes consist in adding a non-destabilizing signal $e_k$ at the input of the plant, for example to reveal the presence of a replay attack as in
Y. Mo, B. Sinopoli, “Secure control against replay attacks”, Allerton Conf. on Communication, Control, and Computation, 2012
Active FDI scheme for zero dynamic attack
[Diagram: an IDS is placed on the control channel, where the attacker injects $d_k = \alpha g \lambda^{k-t} \ \forall k \geq t$.]
Distributed active FDI scheme: this paper proposes a dual version from the Intrusion Detection System (IDS) able to cancel the destabilizing signal $d_k$ before the occurrence of catastrophic damage on the plant (resilience of the cyber system).
Assumption: the decision test cannot receive information from the IDS in real time.
Active FDI scheme for zero dynamic attack
[Diagram: the plant, the attacker, the IDS and the network are grouped in a block labelled "Plant viewed by the controller".]
Design of the active FDI scheme: when the IDS stops the attack at time $r$, the model of the plant viewed by the controller switches from
$$\bar{x}_{k+1} = A \bar{x}_k + B u_k - \xi\alpha\delta_{t+1} + w_k, \qquad y_k = C \bar{x}_k + v_k$$
to
$$x_{k+1} = A x_k + B u_k - \xi\alpha\delta_{t+1} + \xi\nu\delta_{r+1} + w_k, \qquad y_k = C x_k + v_k$$
where the pulse $\nu = \alpha\lambda^{r-t}$ is greater than $\alpha$ since $\lambda > 1$,
or from the nominal state model of the plant
$$x_{k+1} = A x_k + B u_k + w_k, \qquad y_k = C x_k + v_k$$
to
$$x_{k+1} = A x_k + B u_k + \xi\nu\delta_{r+1} + w_k, \qquad y_k = C x_k + v_k$$
when the attack is stealthy with $\alpha$ near to zero.
Resilient LQG controller from active FDI scheme
[Diagram: the decision test is replaced by a GLR detector with threshold level $\lambda$, whose output updates the Kalman filter; together they form the resilient LQG controller.]
Active FDI scheme from the GLR detector: from the model of the plant viewed by the controller
$$x_{k+1} = A x_k + B u_k + \xi\nu\delta_{r+1} + w_k, \qquad y_k = C x_k + v_k$$
the GLR test consists in detecting the pulse $\nu\delta_{r+1}$, estimating its size and occurrence time, and updating the Kalman filter to improve its tracking ability.
Resilient LQG controller from active FDI scheme
Event-based AKF: the resilient LQG controller, quickly recovering the nominal behaviour of the LQG controller, leads to the following event-based adaptive Kalman filter.
Nominal Kalman filter: from $u_k$ and $y_k$, produces the innovation $\gamma_k$.
Pulse detection: $T(k) > \lambda$ decides $H_1$, $T(k) \leq \lambda$ decides $H_0$.
Pulse estimation:
$$\hat{r} = \arg\max_{r \in [k-M,\, k]} \frac{b(k, r)^2}{a(k, r)}, \qquad \hat{\nu}(k, \hat{r}) = a(k, \hat{r})^{-1} b(k, \hat{r}), \qquad P_\nu(k, \hat{r}) = a(k, \hat{r})^{-1}$$
Reinitialization of the Kalman filter (tracking ability), Kalman filter's updating strategy:
$$\hat{x}_{k/k-1}^{new} = \hat{x}_{k/k-1}^{old} + f(k, \hat{r})\,\hat{\nu}(k, \hat{r})$$
$$P_{k/k-1}^{new} = P_{k/k-1}^{old} + f(k, \hat{r})\,P_\nu(k, \hat{r})\,f(k, \hat{r})^T$$
Resilient LQG controller from active FDI scheme
[Diagram: the same scheme with the threshold level fixed at $\lambda = 0$.]
Unstable UIKF: when the threshold level is fixed at zero, the event-based adaptive Kalman filter recovers the Unknown Input Kalman Filter (UIKF) designed on
$$x_{k+1} = A x_k + B u_k + B g d_k + w_k, \qquad y_k = C x_k + v_k$$
but the UIKF is unstable for non-minimum-phase systems. The minimum value of $\lambda$ so that the event-based Kalman filter remains stochastically stable is an open question for future work.
Illustrative example
Resilient LQG controller under zero dynamic attack
[Diagram: NCS with IDS, GLR test and Kalman filter reinitialization; the threshold level $\lambda$ fixes a low rate of false alarms.]
[Plot: input attack sequence, the zero dynamic attack signal $d_k$ with $\alpha$ very close to zero, versus time. Occurrence time of the zero dynamic attack: t = 40]
First step of the active FDI
[Plot: input attack sequence versus time. Stopped time of the attack: r = 70]
Resilient LQG controller under zero dynamic attack
[Plot: detection variable of the active defender (GLR detector, scale ×10^4) versus time, with the threshold level; annotations: "Stealthy attack", then "Abruptly detectable consequence of the attack".]
[Plot: resilient LQG control law versus time; annotations: "Adaptivity", "Resilience".]
[Plot: states of the plant versus time; annotations: "Adaptivity", "Resilience".]
Perspectives
Transform stealthy attacks to virtual detectable faults by coding the control signal and sensor outputs.
[Diagram: the controller output $u_k$ is encoded by the matrix $S$ before the network and decoded by $S^{-1}$ at the plant; the plant output $y_k$ is encoded by the matrix $Q$ and decoded by $Q^{-1}$ at the controller; the attacker acts on the network.]
F. Miao, Q. Zhu, M. Pajic, G.J. Pappas, “Coding sensor outputs for injection attacks detection”, CDC, pp. 15-17, 2014