Active Attack Detection and Control in Constrained Cyber-Physical Systems Under Prevented Actuation Attack
aa r X i v : . [ ee ss . S Y ] J a n Active Attack Detection and Control in Constrained Cyber-PhysicalSystems Under Prevented Actuation Attack
Mehdi Hosseinzadeh,
Member, IEEE , and Bruno Sinopoli,
Fellow, IEEE
Abstract — This paper proposes an active attack detectionscheme for constrained cyber-physical systems. Despite passiveapproaches where the detection is based on the analysis of theinput-output data, active approaches interact with the system bydesigning the control input so to improve detection. This paperfocuses on the prevented actuation attack, where the attackerprevents the exchange of information between the controllerand actuators. The proposed scheme consists of two units: 1)detection, and 2) control. The detection unit includes a set ofparallel detectors, which are designed based on the multiple-model adaptive estimation approach to detect the attack and toidentify the attacked actuator(s). For what regards the controlunit, a constrained optimization approach is developed todetermine the control input such that the control and detectionaims are achieved. In the formulation of the detection andcontrol objective functions, a probabilistic approach is usedto reap the benefits of the a priori information availability. Theeffectiveness of the proposed scheme is demonstrated througha simulation study on an irrigation channel.
I. I
NTRODUCTION
Cyber-Physical Systems (CPSs) often employ distributednetworks of embedded sensors and actuators that interactwith the physical environment. The availability of cheapcommunication technologies (e.g., internet) has certainlyimproved scalability and functionality features in severalapplications. However, they have made CPSs susceptible tocyber security threats. This makes the cyber security to beof primary importance in safe operation of CPSs.By assuming that sensors-to-controller and controller-to-actuators communication channels are the only ones in CPSsexecuted via internet and malicious agents can alter dataflows in these channels, in general two classes of cyberattacks can be considered: (i) False Data Injection (FDI), and(ii) Denials of Service (DoS). A FDI (a.k.a. deception attack)affects the data integrity of packets by modifying their pay-loads [1]–[3]. A DoS is the one that the attacker needs onlyto disrupt the system by preventing communication betweenthe components. In this paper, we focus on a specific type ofDoS attack, so-called Prevented Actuation Attack (PA2) [4],[5], where the attacker prevents the exchange of informationbetween the controller and the actuators. An attacker canlaunch such attacks on the physical layer or cyber layer.Examples of real-world PA2 are: sleep deprivation tortureattack [6] (a.k.a. battery exhaustion attack) that exhauststhe battery of a surveillance robot or a medical implant
This research has been supported by National Science Foundation underaward numbers ECCS-1932530.M. Hosseinzadeh and B. Sinopoli are with the Department of Elec-trical and Systems Engineering, Washington University in St. Louis,St. Louis, Missouri, USA (email: [email protected]; [email protected]). until it can no longer function; door lock attack [7] thatsuppresses the operation of a smart door by injecting ‘close’command every time an ‘open’ command is received; andfatigue bearing attack [8] that restrains the operation of thelubricant system in wind turbines to damage gearboxess.Regardless of the type of attack, attack detection ap-proaches presented in the literature can be classified as: (i)passive approaches, and (ii) active approaches. Note thatwe use the same terminology of the fault literature [9] toclassify attack detection approaches, as faults and attacksusually manifest themselves similarly in control systemsdespite their natural differences. In passive approaches, theinput-output data of the system are measured (remotely oron-site), analyzed for any possible stealthy behavior, and thena decision about an attack is made. The passive approachesare widely studied and commonly used in many today’sapplications, e.g., [10]–[14]. However, they might not be ableto recognize an attack when the input-output data are notinformative enough. Also, they do not address stability/safetyof the system during detection horizon , a time interval fromthe instant an attack occurs to the instant when it is detected.The active approaches interact with the system during thedetection horizon by means of a suitably designed inputsignal that is injected into the system to increase the qualityof detection, shorten the detection horizon, and enforcestability/safety during the detection horizon. Contrary to thepassive approaches, the active approaches are historicallyyounger and still under development. To the best of theauthors’ knowledge, the only existing active attack detectionapproach in the literature is the physical authentication(a.k.a. digital watermarking) [15]–[17]. The core idea of thismethod is to inject a known noisy input to the system andobserve its effect on the output of the system. Thus, if anattacker is unaware of this physical watermark, the systemcannot be adequately emulated, as the attacker is unable toconsistently generate the component of the output associatedwith this known noisy input. The physical authentication,which is mainly used in detection of replay attack (a.k.a.playback attack) [18], can be effective if the noise injectedat the system input is large enough to achieve good detectionperformance, which may degrade the control performance.Moreover, this method injects the noisy input irrespectiveof the probability of attack occurrence, which leads tounneeded loss in control performance. Furthermore, in thecase of constrained systems [19]–[21], as shown in [22],the extra uncertainty injected to the system due to the noisyinput should be taken into account in the design procedure,which leads to tighter constraints, and consequently moreonservative behavior.This paper answers the following question:
How to deter-mine the control input sequence for a constrained CPS suchas to improve the detection performance without degrad-ing the control performance?
Inspired by [23], this paperanswers this question in the case of PA2. The proposedstructure consists of two units: (i) detection unit, and (ii)control unit. The detection unit uses a priori information andinput-output data of the system over the detection horizonwith a certain length to generate a decision variable whichrepresents the situation of the system. More precisely, thedetection unit recognizes the existence/inexistence of PA2and distinguishes attacked actuators. The control unit gener-ates the control input which is optimal according to a costfunction and guarantees constraint satisfaction at all times.Both control and detection aims are defined in the form ofstochastic objective functions, i.e., they are uncertain dueto noises and initial condition. The open-loop informationprocessing strategy [24] is then used to express the stochasticobjective functions as deterministic functions. Finally, inorder to evaluate the quality of the control input sequence interms of detection and control aims, a compromise betweenthe two aims is defined in the form of a multi-objectiveoptimization problem whose solution can be computed bymeans of available optimization tools.II. P
ROBLEM S TATEMENT
Consider the following discrete-time LTI system: x k +1 = Ax k + Bu k + w k , (1) y k = Cx k + v k , (2)where x k ∈ R n is the state vector at time k , u k ∈ R p is the control input at time k , y k ∈ R m is the vector ofmeasurements from the sensors at time k , and the processnoise w k ∈ R n and the measurement noise v k ∈ R m are mutually independent white Gaussian noises with zeromean and covariance matrices H w ∈ R n × n and H v ∈ R m × m , respectively. We assume that the initial state x isindependent of w k and v k , and has a Gaussian distributionwith the known mean ¯ x and covariance matrix H x, (0 , .In mathematical terms, the PA2 on the i -th actuator isequivalent to zeroing the i -th column in the matrix B . Thus,the dynamics of attack-free and under attack systems can beexpressed using a single difference equation in the followingform: x k +1 | µ = Ax k | µ + B µ u k + w k , (3) y k | µ = Cx k | µ + v k , (4)where µ ∈ { µ , · · · , µ p } is the index of the mode of thesystem, each µ i having a known distribution P ( µ i ) , B µ is thecorresponding input matrix, x k | µ is the state of the systemoperating in mode µ with x | µ = x , and y k | µ is the outputof the system operating in mode µ .Suppose that the system is subject to the following expec-tational linear constraints:E (cid:2) G x x k | µ i + G u u k (cid:3) ≤ g, ∀ k ≥ , i ∈ { , · · · , p } (5) where E [ · ] is the expectation function, and G x ∈ R n c × n , G u ∈ R n c × p , and g ∈ R n c , with n c as the number ofconstraints. Problem 1:
Consider system (3)-(4) which is subject toconstraints (5). Suppose
N > as the detection horizon,chosen by the designer. Find a control sequence u k , k =0 , · · · , N − such that at time N the mode of the systemis identified with high probability of correctness, whileoptimal control performance and constraint satisfaction areguaranteed during the detection horizon.Before starting with the solution of Problem 1, let uscompute the conditional probability density functions of thestate and output. According to (3), for the control sequence u , · · · , u N − , the mean value of the state at time k is ¯ x k | µ = A k ¯ x | µ + A k − B µ u + · · · + B µ u k − , (6)and the covariance matrix of the state at times k and l ( k ≥ l )can be computed as H x, ( k,l ) | µ := E (cid:8) ( x k | µ − ¯ x k | µ )( x l | µ − ¯ x l | µ ) T (cid:9) = A k H x, (0 , (cid:0) A l (cid:1) T + A k − H w (cid:0) A l − (cid:1) T + A k − H w (cid:0) A l − (cid:1) T + · · · + A k − l H w , (7)where H x, ( k,l ) | µ = (cid:0) H x, ( l,k ) | µ (cid:1) T ∈ R n × n . Therefore, theconditional probability density function of the state for theinterval [0 , N ] can be expressed as: P (cid:0) x N (cid:12)(cid:12) µ, u N − (cid:1) ∼ N (cid:0) ¯ x N | µ , H x | µ (cid:1) , (8)where x N := [( x ) T , · · · , ( x N ) T ] T ∈ R n ( N +1) , u N − := [( u ) T , · · · , ( u N − ) T ] T ∈ R pN , ¯ x N | µ :=[(¯ x | µ ) T , · · · , (¯ x N | µ ) T ] T ∈ R n ( N +1) , and H x, ( i − ,j − | µ isthe element ( i.j ) of H x | µ ∈ R n ( N +1) × n ( N +1) .Similarly, the conditional probability density function ofthe output for the the interval [0 , N ] can be expressed as P (cid:0) y N (cid:12)(cid:12) µ, u N − (cid:1) ∼ N (cid:0) ¯ y N | µ , H y | µ (cid:1) , (9)where y N := [( y ) T , · · · , ( y N ) T ] T ∈ R m ( N +1) , and ¯ y N | µ := [(¯ y | µ ) T , · · · , (¯ y N | µ ) T ] T ∈ R m ( N +1) with ¯ y k | µ = C ¯ x k | µ , k = 0 , · · · , N as the mean value of the output attime k . Also, H y | µ ∈ R m ( N +1) × m ( N +1) is the covariancematrix of the output, where the ( i, j ) element is H y, ( i,j ) | µ = ( CH x, ( i − ,j − | µ C T , i > jCH x, ( i − ,j − | µ C T + H v i = j . (10)III. D ETECTION U NIT
The system (3)-(4) can be seen as a p -model system,where each model corresponds to one mode. Thus, in orderto detect existence/inexistence of PA2, and to identify whichactuator(s) is under attack, it is only needed to identify thetrue µ at the end of detection horizon. The fact that oneof the p models is the true one can be modeled by ahypothesis random variable that must belong to a discrete Without loss of generality and for the sake of simplicity we assume thedetection horizon starts from 0. et of hypothesis { µ , · · · , µ p } , where the event µ i meansthat the i -th model is the one that is generating the data.One Bayesian approach to hypothesis testing is to basedecisions on the posterior probabilities, i.e., the probabilityof the mode µ i conditioned by the input-output data. Inmathematical terms, the posterior probabilities at time k aredenoted as P (cid:0) µ i (cid:12)(cid:12) y k , u k − (cid:1) , where at time k = 0 theposterior probabilities are equal to the prior probabilities,i.e., P (cid:0) µ i (cid:12)(cid:12) u T (cid:1) = P ( µ i ) .The conditioned posterior probabilities can be computedusing the Multiple-Model Adaptive Estimator (MMAE)structure [25]–[27]. The MMAE (a.k.a. partitioned algo-rithm) involves the parallel operation of p Kalman filters(each matched to one of the postulated models), where theresiduals of the Kalman filters are used to compute theconditional posterior probabilities. The rationale is that thehighest posterior probability corresponds to the true modelof the system. It is shown that the correct model can beidentified “almost surely” [28], [29].It is easy to show that when the attack happens sometimewithin a detection horizon, it might remain undetected untilthe end of the following detection horizon. It can be alsoshown that in the case of a smart attack (i.e., the attackhappens sometime within a detection horizon and lasts for awisely selected period of time), a single detector might notbe adequate to detect the attack. Therefore, we propose todeploy N parallel detectors, where the d -th detector identifiesthe mode ˆ µ d via ˆ µ d = arg max i ∈{ , , ··· , p } P (cid:0) µ i (cid:12)(cid:12) y N , u N − (cid:1) . (11)We assume that every detector identifies the mode ofthe system only in N time steps. Note that N defines thethe trade-off between the detection quality and detectionperformance. Large values of N decreases the probabilityof making an incorrect decision during the transient of theposterior probabilities. However, when the attack duration istoo small compared to the length of the detection horizon,the attack might remain undetected.IV. C ONTROL U NIT
A. Control Objective Function
The control aim is to track the desired reference r k ∈ R m while penalizing the control effort. The control objectivefunction can be formulated as J c ( u N − ) = E " N X k =0 k y k − r k k Q + N − X k =0 k u k k R (12)where Q = Q T ∈ R m × m is a positive semi-definite matrixand R = R T ∈ R p × p is a positive definite matrix.The objective function (12) is a stochastic function, wherethe uncertainties are due to noises and the initial condition.In this paper, instead of using deterministic approaches (i.e.,assuming uncertainties as upper-bounded signals), we willfocus on probabilistic approaches, where available a priori information can be used in obtaining the optimal controlsequence. In particular, we will use the open loop approach. This approach is based on the information available at thebeginning of each detection horizon (i.e., ¯ x and H x, (0 , ),while the measurements during the detection horizon are notused. Theorem 1:
Consider system (3)-(4), and control objectivefunction (12). Suppose that the open loop approach is usedto determine the control sequence, i.e., the entire controlsequence u N − is determined at the beginning of theprediction horizon. Then, control objective function (12) canbe expressed as an explicit function of the control sequence. Proof:
When the open loop approach is used, theobjective function (12) can be expressed as J c ( · ) = Tr Q N X k =0 E h y k y Tk (cid:12)(cid:12)(cid:12) u N − i! + N X k =0 r Tk Qr k − N X k =0 r Tk Q E h y k (cid:12)(cid:12)(cid:12) u N − i + N − X k =0 u Tk Ru k , (13)where Tr ( · ) is the trace function. We know that E h y k y Tk (cid:12)(cid:12) u N − i = p X i =1 P ( µ i ) (cid:16) ¯ y k | µ i ¯ y Tk | µ i + H y, ( k,k ) | µ i (cid:17) , (14)where Cov ( · ) is the covariance function. Thus, the controlobjective function can be rewritten as J c ( · ) = Tr Q N X k =0 2 p X i =1 P ( µ i ) (cid:16) ¯ y k | µ i ¯ y Tk | µ i + H y, ( k,k ) | µ i (cid:17)! + N − X k =0 u Tk Ru k + N X k =0 r Tk Qr k − N X k =0 2 p X i =1 P ( µ i ) r Tk Q ¯ y k | µ i , (15)which due to the fact that ¯ y k | µ = C ¯ x k | µ , it implies that: J c ( · ) = N X k =0 2 p X i =1 P ( µ i )¯ x Tk | µ i C T QC ¯ x k | µ i + N − X k =0 u Tk Ru k − N X k =0 2 p X i =1 P ( µ i ) r Tk QC ¯ x k | µ i + N X k =0 r Tk Qr k + Tr Q N X k =0 2 p X i =1 P ( µ i ) H y, ( k,k ) | µ i ! . (16)Finally, according to (6), (16) can be rewritten as J c ( · ) = N X k =0 2 p X i =1 P ( µ i ) u T k − F u k − + N − X k =0 u Tk Ru k + N X k =0 2 p X i =1 P ( µ i ) F u k − + F , (17)where F , F , and F are given in (18)-(20), respectively.This completes the proof. Cov ( Y, Y ) = E { Y Y T } − E { Y } ( E { Y } ) T for the random vector Y . . Detection Objective Function Suppose that the detector given in (11) is used to identifythe mode of the system. In order to determine the controlsequence during the detection horizon such that the proba-bility of an incorrect identification is minimized, we can usethe following detection objective function J d ( u N ) , E (cid:2) σ (ˆ µ ) (cid:3) , (21)where σ (ˆ µ ) is zero when the identified mode is the actualmode of the system, and is non-zero (we set it to 1 forsimplicity) otherwise. Note that since the control sequence u N − is assumed to be applied at time k = 0 , only the firstdetection horizon is taken into account in the formulationof the detection objective function. In other words, thedetermined control signal is optimal only for Detector Theorem 2:
Consider system (3)-(4), and detection objec-tive function (21). Suppose that the open loop approach isused to determine the control sequence. Then, the detectionobjective function can be upper bounded with an explicitfunction of the control sequence.
Proof:
By using the open loop approach, the detectionobjective function (21) can be expressed as J d ( · ) = E (cid:2) σ (ˆ µ ) (cid:12)(cid:12) u N − (cid:3) = Z R m ( N +1) p X i =1 σ (ˆ µ ) P (cid:0) µ i (cid:12)(cid:12) y N , u N − (cid:1) · P ( y N (cid:12)(cid:12) u N − ) dy N , (22)which according to Bayes’ theorem, it implies that J d ( · ) = Z R m ( N +1) p X i =1 σ (ˆ µ ) P ( y N (cid:12)(cid:12) µ i , u N − ) P ( µ i ) dy N , (23)which is concluded due to the fact that the probability ofthe mode µ i conditioned by only input data is equal to theprobability of the mode µ i .The right side of (23) cannot be computed analytically andits numerical evaluation is computationally expensive. Due P ( µ i | u N − ) = P ( u N − | µ i ) P ( u N − ) P ( µ i ) = P ( µ i ) , since u N − isdeterministic, and consequently P ( u N − | µ i ) = P ( u N − ) = 1 . to this reason, in the following we will find an upper boundfor the detection objective function J d ( u , · · · , u N − ) .Since ≤ σ (ˆ µ ) ≤ , it implies that: J d ( · ) ≤ Z R m ( N +1) p X i =1 P ( y N (cid:12)(cid:12) µ i , u N − ) P ( µ i ) dy N . (24)Following the same arguments presented in [30], the rightside of (24) can be upper bounded as Z R m ( N +1) p X µ =1 P ( y N (cid:12)(cid:12) µ i , u N − ) P ( µ i ) dy N ≤ ˆ J d ( u N ) , (25)where ˆ J d ( u N ) = p X i =1 2 p X j = i +1 q P ( µ i ) P ( µ j ) e − φ ij , (26)with φ ij = 14 (cid:0) ¯ y N | µ j − ¯ y N | µ i (cid:1) T (cid:0) H y | µ i + H y | µ j (cid:1) − · (cid:0) ¯ y N | µ j − ¯ y N | µ i (cid:1) + 12 ln det (cid:16) H y | µi + H y | µj (cid:17)q det ( H y | µ i ) det ( H y | µ j ) (27)where det ( · ) is the determinant function. It is noteworthythat according to (6)-(7), (10), and since ¯ y k | µ i = C ¯ x k | µ i ,the upper bound ˆ J d ( · ) given in (26) is an explicit functionof the control sequence. This completes the proof. C. Constraints
By using the open loop approach, the expectational con-straints given in (5) take the following form:E (cid:2) G x x k | µ i + G u u k (cid:12)(cid:12) u k − (cid:3) ≤ g ⇒ G x ( A k ¯ x | µ i + A k − B µ i u + · · · + B µ i u k − )+ G u u k ≤ g, (28)which is an explicit function of the control sequence. F = B Tµ i ( A k − ) T C T QCA k − B µ i · · · B Tµ i ( A k − ) T C T QCB µ i ... . . . ... ( B µ i ) T C T QCA k − B µ i · · · ( B µ i ) T C T QCB µ i , (18) F =2(¯ x | µ i ) T ( A k ) T Q (cid:2) A k − B µ i A k − B µ i · · · B µ i (cid:3) − r Tk QC (cid:2) A k − B µ i A k − B µ i · · · B µ i (cid:3) , (19) F = N X k =0 2 p X i =0 P ( µ i )(¯ x | µ i ) T ( A k ) T C T QCA k ¯ x | µ i + Tr Q N X k =0 2 p X i =1 P ( µ i ) H y, ( k,k ) | µ i ! + N X k =0 r Tk Qr k + N X k =0 2 p X i =0 P ( µ i ) r T QCA k ¯ x | µ i . (20) . Proposed Solution One possible way to pursue both control and detectionaims is to let one of the objective functions to take arbitraryvalue up to a known upper limit value, and then to enforcethis as a constraint and minimize the other objective function.Therefore, the following two optimization problems can beconsidered u ∗ N − = arg min u N − J c ( · ) given in (17)s.t. (28) is satisfied ∀ i, ∀ k ≥ J d ( · ) given in (26) ≤ ¯ J d , (29)or u ∗ N − = arg min u N − ˆ J d ( · ) given in (26)s.t. (28) is satisfied ∀ i, ∀ k ≥ J c ( · ) given in (17) ≤ ¯ J c , (30)where ¯ J d and ¯ J c are maximum acceptable levels of thedetection and control objective functions, respectively.The objective function (17) and constraints given in (28)are convex in u N − . The objective function (26) is concave,as φ ij as in (27) is a quadratic function of u N − (with apositive definite matrix), and consequently convex in u N − .Thus, problems (29)-(30) are in general non-convex. We use bmibnb [31] to numerically compute their solutions.V. S IMULATION S TUDY – I
RRIGATION C HANNEL
In this section we will use the developed method to controlthe level of water in pools 9 and 10 of the Haughton mainchannel, as shown in Fig. 1. The water levels in the channelare controlled by overshot gates located along the channel.The stretch of a channel between two gates is referred to as areach or a pool. We assume that the communication betweenthe controller and the gates is through internet.The water level in the g -th pool ( g ∈ { , } ) of theirrigation channel can be modeled as [32] ˙ y g ( t ) = α g − ,in h / g − ( t − τ g − ) − α g,out h / g ( t ) + d g − ( t ) , (31)where y g ( t ) is the water level in the pool, h g ( t ) is the headover the gate (the height of water above the gate), τ g isthe time delay which accounts for the time it takes for thewater to travel from the upstream gate to the downstreamgate in the g -th pool, d g ( t ) represents offtakes to farms andside channels, and α g,in and α g,out are constants whichincorporates the effect of the discharge coefficients. Thereal value of the parameters is given in TABLE I. Forthe sake of simplicity we assume there is no offtake, i.e., d g = 0 , g = 8 , .The sampling time is 10 [min], and the control signal isthe head over the gate. We assume that initial water level inpool 9 and 10 is 6.60 [m] and 5.60 [m], respectively. Also,we assume that w k ∼ N ( , . I ) and v k ∼ N ( , . I ) ,where I is the × identity matrix and is the zero vectorwith appropriate size. The water level in pools should notexceed 15 [m]. The system is subject to actuator saturation[33], i.e., the control signals cannot be negative. Fig. 1. Side view of the Haughton main channel; pools 9 and 10.TABLE IP
ARAMETERS OF THE H AUGHTON M AIN C HANNEL [34].Parameter g = 8 g = 9 g = 10 α g,in [1/m ] 0.0208 0.0700 0.0142 α g,out [1/m ] 0.0278 0.0614 0.0156 τ g [min] 6 3 16 Since there are three actuators, eight different modes canbe defined. We assume that a priori probability of the i -thmode is P ( µ i ) = 0 . , ∀ i .Suppose that Q = I , R = I , the detection horizon is200 [min], and the level of detection and control objectivefunctions must not exceed and , respectively.We assume that for k ∈ [0 , , [200 , , [360 , , [580 , the mode of the system is 1, for k ∈ [80 , themode of the system is 8, for k ∈ [300 , the mode of thesystem is 2, and for k ∈ [480 , the mode of the systemis 7. Note that for comparison purposes, we also simulate apure control formulation, i.e., u ∗ N − = ( arg min u N − J c ( · ) given in (17)s.t. (28) is satisfied ∀ i, ∀ k ≥ . (33)The achieved normalized values of the control and detec-tion objection functions are shown in Fig. 2 and 3, wherecontrol and detection costs obtained by the formulation (33)are assumed as the base unit quantity for control and detec-tion costs, respectively. As expected, compromise betweencontrol and detection aims increases the control cost J c .However, it decreases the detection cost ˆ J d which meansthat probability of misidentification is minimized.VI. C ONCLUSION
This paper proposed an optimization approach for activeattack detection and control of constrained CPSs systemssubject to expectational linear constraints. This paper mainlyfocused on PA2 attack, where the attacker prevents theexchange of information between the controller and theactuators. A set of parallel detectors based on hypothesistesting approach was proposed. Using a probabilistic ap-proach to deal with uncertainties, the detection and controlaims were formulated as two separate stochastic objec-tive functions. The open loop approach was deployed totransfer the stochastic functions to deterministic ones. Twoalternative compromise between detection and control aimswere presented in the form of a constrained optimizationproblem. The effectiveness of the proposed active approachwas validated through simulation studies. ig. 2. Normalized control cost by formulations (33), (29), and (30).Fig. 3. Normalized detection cost by formulations (33), (29), and (30). R EFERENCES[1] Y. Mo, J. P. Hespanha, and B. Sinopoli, “Resilient detection in thepresence of integrity attacks,”
IEEE Trans. Signal Process. , vol. 62,no. 1, pp. 31–43, Jan. 2014.[2] Y. Mo, E. Garone, A. Casavola, and B. Sinopoli, “False data injectionattacks against state estimation in wireless sensor networks,” in
Proc.49th IEEE Conf. Decision and Control , Hilton Atlanta Hotel, Atlanta,GA, USA, Dec. 15-17, 2010, pp. 5967–5972.[3] C.-Z. Bai, F. Pasqualetti, and V. Gupta, “Data-injection attacks instochastic control systems: Detectability and performance tradeoffs,”
Automatica , vol. 82, pp. 251–260, Aug. 2017.[4] G. Loukas,
Cyber-Physical Attacks: A Growing Invisible Threat .Butterworth-Heinemann, 2015.[5] L. K. Carvalho, Y.-C. Wu, R. Kwong, and S. Lafortune, “Detectionand prevention of actuator enablement attacks in supervisory controlsystems,” in
Proc. 13th Int. Workshop Discrete Event Systems , Xi’an,China, May 30-Jun. 1, 2016, pp. 298–305.[6] F. Stajano and R. Anderson, “The resurrecting duckling: Security is-sues for ad-hoc wireless networks,” in
Proc. Cambridge Int. WorkshopSecurity Protocols , Cambridge, United Kingdom, Apr. 19-21, 1999,pp. 172–182.[7] Y. Ha, S.-H. Jang, K.-W. Kim, and J. W. Yoon, “Side channel attackon digital door lock with vibration signal analysis: Longer passworddoes not guarantee higher security level,” in
Proc. IEEE Int. Conf.Multisensor Fusion and Integration for Intelligent Systems , Daegu,South Korea, Nov. 16-18, 2017, pp. 103–110.[8] H. Wu, J. Liu, J. Liu, M. Cui, X. Liu, and H. Gao, “Power grid reli-ability evaluation considering wind farm cyber security and rampingevents,”
Appl. Sci. , vol. 9, no. 15, Jul. 2019.[9] M. Hosseinzadeh and F. R. Salmasi, “Determination of maximum solarpower under shading and converter faults- a prerequisite for failure-tolerant power management systems,”
Simul. Model Pract. Theory ,vol. 62, pp. 14–30, Mar. 2016.[10] Y. Mo, R. Chabukswar, and B. Sinopoli, “Detecting integrity attackson SCADA systems,”
IEEE Trans. Control Syst. Technol. , vol. 22,no. 4, pp. 1396–1407, Jul. 2014.[11] H. Zhang, P. Cheng, L. Shi, and J. Chen, “Optimal DoS attackscheduling in wireless networked control system,”
IEEE Trans. ControlSyst. Technol. , vol. 24, no. 3, pp. 843–852, May 2016.[12] Y. Li, D. E. Quevedo, S. Dey, and L. Shi, “SINR-based DoS attackon remote state estimation: A game-theoretic approach,”
IEEE Trans.Control Netw. Syst. , no. 3, pp. 632–642, Sep. 2017.[13] Y. Li, D. Shi, and T. Chen, “False data injection attacks on networkedcontrol systems: A stackelberg game analysis,”
IEEE Trans. Autom.Control , vol. 63, no. 10, pp. 3503–3509, Oct. 2018. [14] R. Zhang and P. Venkitasubramaniam, “False data injection anddetection in lqg systems: A game theoretic approach,”
IEEE Trans.Netw. Syst. , 2019.[15] Y. Mo, S. Weerakkody, and B. Sinopoli, “Physical authenticationof control systems: designing watermarked control inputs to detectcounterfeit sensor outputs,”
IEEE Control Syst. Mag. , vol. 35, no. 1,pp. 93–109, Feb. 2015.[16] T. Irita and T. Namerikawa, “Detection of replay attack on smartgrid with code signal and bargaining game,” in
Proc. 2017 AmericanControl Conf. , Seattle, WA, USA, May 24-26, 2017, pp. 2112–2117.[17] H. S. S´anchez, D. Rotondo, T. Escobet, V. Puig, J. Saludes, andJ. Quevedo, “Detection of replay attacks in cyber-physical systemsusing a frequency-based signature,”
J. Franklin Inst. , vol. 356, no. 5,pp. 2798–2824, Mar. 2019.[18] Y. Mo and B. Sinopoli, “Secure control against replay attacks,” in
Proc.47th Annu. Allerton Conf. Communication, Control, and Computing ,Allerton House, Illinois, USA, Sep. 30-Oct. 2, 2009, pp. 911–918.[19] M. Hosseinzadeh, A. Cotorruelo, D. Limon, and E. Garone, “Con-strained control of linear systems subject to combinations of inter-sections and unions of concave constraints,”
IEEE Control Syst. Lett ,vol. 3, no. 3, pp. 571–576, Jul. 2019.[20] M. Hosseinzadeh, B. Sinopoli, and A. F. Bobick, “An explicit referencegovernor for time-varying linear constraints,” in
Proc. 59th IEEE Conf.Decision and Control , Jeju Island, Korea (South), Dec. 14-18, 2020,pp. 3323–3328.[21] M. Hosseinzadeh and E. Garone, “An explicit reference governor forthe intersection of concave constraints,”
IEEE Trans. Autom. Control ,vol. 65, no. 1, pp. 1–11, Jan. 2020.[22] M. Hosseinzadeh, B. Sinopoli, and E. Garone, “Feasibility and detec-tion of replay attack in networked constrained cyber-physical systems,”in
Proc. 2019 57th Annual Allerton Conference on Communication,Control, and Computing , Allerton Park and Retreat Center,Monticello,IL, USA, Sep. 24-27, 2019, pp. 712–717.[23] I. Punˇcoch´aˇr, J. ˇSirok´y, and M. ˇSimandl, “Constrained active faultdetection and control,”
IEEE Trans. Autom. Control , vol. 60, no. 1,pp. 253–258, Jan. 2015.[24] M. ˇSimandl and I. Punˇcoch´aˇr, “Active fault detection and control:Unified formulation and optimal design,”
Automatica , vol. 45, no. 9,pp. 2052–2059, Sep. 2009.[25] S. Fekri, M. Athans, and A. Pascoal, “RMMAC: A novel robustadaptive control scheme– Part I: Architecture,” in
Proc. 43rd IEEEConf. Decision and Control , Atlantis, Paradise Island, Bahamas, Dec.14-17, 2004, pp. 1134–1139.[26] V. Hassani, A. P. Aguiar, M. Athans, and A. M. Pascoal, “Multiplemodel adaptive estimation and model identification using a minimumenergy criterion,” in
Proc. 2009 American Control Conf. , St. Louis,MO, USA, Jun. 10-12, 2009, pp. 518–523.[27] N. Sadati, M. Hosseinzadeh, and G. A. Dumont, “Multi-model robustcontrol of depth of hypnosis,”
Biomed. Signal Process. , vol. 40, pp.443–453, Feb. 2018.[28] S. Fekri, M. Athans, and A. Pascoal, “Issues, progress and new resultsin robust adaptive control,”
Int. J. Adapt. Control Signal Process. ,vol. 20, no. 10, pp. 519–579, Dec. 2006.[29] D. Rotondo, V. Hassani, and A. Cristofaro, “A multiple model adaptivearchitecture for the state estimation in discrete-time uncertain LPVsystems,” in
Proc. 2017 American Control Conf. , Sheraton SeattleHotel, May 24-26, 2017, pp. 2393–2398.[30] L. Blackmore and B. Williams, “Finite horizon control design foroptimal discrimination between several models,” in
Proc. 45th IEEEConf. Decision and Control , San Diego, CA, USA, Dec. 13-15, 2006,pp. 1147–1152.[31] J. Lofberg, “YALMIP: A toolbox for modeling and optimization inMATLAB,” in
Proc. IEEE Int. Symp. Computer Aided Control Syst.Design , Taipei, Taiwan, Sep. 2-4, 2004, pp. 284–289.[32] P. Zhang and E. Weyer, “A reference model approach to performancemonitoring of control loops with applications to irrigation channels,”
Int. J. Adapt. Control Signal Process. , vol. 19, no. 10, pp. 797–818,Dec. 2005.[33] M. Hosseinzadeh and M. J. Yazdanpanah, “Robust adaptive passivity-based control of open-loop unstable affine nonlinear systems subjectto actuator saturation,”
IET Control Theory A. , vol. 11, no. 16, pp.2731–2742, Nov. 2017.[34] E. Weyer, “System identification of an open water channel,”