Taylor T. Johnson

Detection of False-Data Injection Attacks in Cyber-Physical DC Microgrids

Power electronics-intensive dc microgrids use increasingly complex software-based controllers and communication networks. They are evolving into cyber-physical systems (CPS) with sophisticated interactions between physical and computational processes, making them vulnerable to cyber attacks. This paper presents a framework to detect possible false-data injection attacks (FDIAs) in cyber-physical dc microgrids. The detection problem is formalized as identifying a change in sets of inferred candidate invariants. Invariants are microgrids properties that do not change over time. Both the physical plant and the software controller of CPS can be described as Simulink/Stateflow (SLSF) diagrams. The dynamic analysis infers the candidate invariants over the input/output variables of SLSF components. The reachability analysis generates the sets of reachable states (reach sets) for the CPS modeled as hybrid automata. The candidate invariants that contain the reach sets are called the actual invariants. The candidate invariants are then compared with the actual invariants, and any mismatch indicates the presence of FDIA. To evaluate the proposed methodology, the hybrid automaton of a dc microgrid, with a distributed cooperative control scheme, is presented. The reachability analysis is performed to obtain the reach sets and, hence, the actual invariants. Moreover, a prototype tool, HYbrid iNvariant GEneratoR, is extended to instrument SLSF models, obtain candidate invariants, and identify FDIA.

Order-reduction abstractions for safety verification of high-dimensional linear systems

Order-reduction is a standard automated approximation technique for computer-aided design, analysis, and simulation of many classes of systems, from circuits to buildings. To be used as a sound abstraction for formal verification, a measure of the similarity of behavior must be formalized and computed, which we develop in a computational way for a class of asymptotic stable linear systems as the main contributions of this paper. We have implemented the order-reduction as a sound abstraction process through a source-to-source model transformation in the HyST tool and use SpaceEx to compute sets of reachable states to verify properties of the full-order system through analysis of the reduced-order system. Our experimental results suggest systems with thousand of state variables can be reduced to systems with tens of state variables such that the order-reduction overapproximation error is small enough to prove or disprove safety properties of interest using current reachability analysis tools. Our results illustrate this approach is effective in tackling the state-space explosion problem for verification of high-dimensional linear systems.

Automatically finding bugs in a commercial cyber-physical system development tool chain with SLforge

Cyber-physical system (CPS) development tool chains are widely used in the design, simulation, and verification of CPS data-flow models. Commercial CPS tool chains such as MathWorks Simulink generate artifacts such as code binaries that are widely deployed in embedded systems. Hardening such tool chains by testing is crucial since formally verifying them is currently infeasible. Existing differential testing frameworks such as CyFuzz can not generate models rich in language features, partly because these tool chains do not leverage the available informal Simulink specifications. Furthermore, no study of existing Simulink models is available, which could guide CyFuzz to generate realistic models. To address these shortcomings, we created the first large collection of public Simulink models and used the collected models properties to guide random model generation. To further guide model generation we systematically collected semi-formal Simulink specifications. In our experiments on several hundred models, the resulting SLforge generator was more effective and efficient than the state-of-the-art tool CyFuzz. SLforge also found 8 new confirmed bugs in Simulink.

On reachable set estimation for discrete-time switched linear systems under arbitrary switching

This paper addresses the problem of reachable set estimation for discrete-time switched systems under arbitrary switching. By introducing a novel conception called M-step sequence which is capable of characterizing all possible subsystem activation orders during M discrete-time steps, a Lyapunov function based approach is proposed to derive a set of bounding ellipsoids to estimate the reachable set. The proposed approach can cover the previous switched Lyapunov function approach and yields less conservativeness. Moreover, it can be shown that the M-step sequence method can also reduce the conservativeness in stability analysis for discrete-time switched systems under arbitrary switching in contrast to switched Lyapunov function method. Several numerical examples are provided to illustrate our approach.

Cyber-Physical Specification Mismatches

Embedded systems use increasingly complex software and are evolving into cyber-physical systems (CPS) with sophisticated interaction and coupling between physical and computational processes. Many CPS operate in safety-critical environments and have stringent certification, reliability, and correctness requirements. These systems undergo changes throughout their lifetimes, where either the software or physical hardware is updated in subsequent design iterations. One source of failure in safety-critical CPS is when there are unstated assumptions in either the physical or cyber parts of the system, and new components do not match those assumptions. In this work, we present an automated method toward identifying unstated assumptions in CPS. Dynamic specifications in the form of candidate invariants of both the software and physical components are identified using dynamic analysis (executing and/or simulating the system implementation or model thereof). A prototype tool called Hynger (for HYbrid iNvariant GEneratoR) was developed that instruments Simulink/Stateflow (SLSF) model diagrams to generate traces in the input format compatible with the Daikon invariant inference tool, which has been extensively applied to software systems. Hynger, in conjunction with Daikon, is able to detect candidate invariants of several CPS case studies. We use the running example of a DC-to-DC power converter and demonstrate that Hynger can detect a specification mismatch where a tolerance assumed by the software is violated due to a plant change. Another case study of an automotive control system is also introduced to illustrate the power of Hynger and Daikon in automatically identifying cyber-physical specification mismatches.

Model Validation of PWM DC–DC Converters

This paper presents hybrid automaton modeling, comparative model validation, and formal verification of stability through reachability analysis of pulse width modulation (PWM) dc–dc converters. Conformance degree provides a measure of closeness between the proposed hybrid automata models and experimental data. Nondeterminism due to variations in circuit parameters is modeled using interval matrices. In direct contrast to the unsound and computationally-intensive Monte Carlo simulation, reachability analysis is introduced to overapproximate the set of reachable states and ensure stable operation of PWM dc–dc converters. Using a 200xa0W experimental prototype of a buck converter, hybrid automata models of open-loop, and hysteresis-controlled converters are first validated against experimental data using their conformance degrees. Next, converter stability is formally verified through reachability analysis and informally validated using Monte Carlo simulations and experimental results.

Improving Asthma Management in the Elementary School Setting: An Education and Self-management Pilot Project

Purpose: To increase daily asthma symptom self‐assessments of elementary school students using Green Means Go, an asthma education and self‐assessment program, via a partnership between an elementary school and a school of nursing. Methods: Over four months, accelerated MSN nursing students provided small group education sessions to teach students and teachers to identify asthma symptoms by Asthma Action Plan (AAP) zones and actions for each zone. To promote continuity of care between school and home, a teacher‐parent communication log during yellow zone days was encouraged. Results: Students with asthma (n = 90), teachers (n = 12) and parents (n = 1) participated. Previously no students performed daily self‐assessments and at program end, all students accurately identified symptoms, AAP zones, and action steps. A total of 789 symptom self‐assessments were recorded. Teachers reported increased asthma knowledge. One parent attended an education session and one home visit was completed. No communication logs were returned. Conclusions: Partnerships between elementary and nursing schools may be an effective strategy for delivery of health programs to high‐risk children with chronic diseases. Self‐assessment of symptoms and taking appropriate actions at school are critical components of early asthma intervention, particularly when a school nurse is not always available. Training teachers to follow a childs AAP within school policies is a critical second step. Home visits showed potential as a strategy for engaging parents. Practice implications: In the current climate of school nurse shortages, management of asthma‐related episodes in school can be improved with similar partnerships and programs that promote health education and self‐management. Highlights:Improvement needed to identify children in school with an asthma diagnosisChildren are frequently unprepared to self‐assess or manage asthma in school settings.Schools depend on nurses to recognize asthma symptoms and provide asthma interventions when needed.Decreasing number of school nurses leads to gaps in asthma care.Self‐assessment may help children receive asthma care in the absence of a school nurse.

Reachability Analysis for One Dimensional Linear Parabolic Equations

Abstract Partial differential equations (PDEs) mathematically describe a wide range of phenomena such as fluid dynamics, or quantum mechanics. Although great achievements have been accomplished in the field of numerical methods for solving PDEs, from a safety verification (or falsification) perspective, methods are still needed to verify (or falsify) a system whose dynamics is specified as a PDE that may depend not only on space, but also on time. As many cyber-physical systems (CPS) involve sensing and control of physical phenomena modeled as PDEs, reachability analysis of PDEs provides novel methods for safety verification and falsification. As a first step to address this challenging problem, we propose a reachability analysis approach leveraging the well-known Galerkin Finite Element Method (FEM) for a class of one-dimensional linear parabolic PDEs with fixed but uncertain inputs and initial conditions, which is a subclass of PDEs that is useful for modeling, for instance, heat flows. In particular, a continuous approximate reachable set of the parabolic PDE is computed using linear interpolation. Since a complete conservativeness is hardly achieved by using the approximate reachable set, to enhance the conservativeness, we investigate the error bound between the numerical solution and the exact analytically unsolvable solution to bloat the continuous approximate reachable set. This bloated reachable set is then used for safety verification and falsification. In the case that the safety specification is violated, our approach produces a numerical trace to prove that there exists an initial condition and input that lead the system to an unsafe state.

A curated corpus of simulink models for model-based empirical studies

Recent years have seen many empirical studies of model-based cyber-physical systems and commercial CPS development tool chains such as Matlab/Simulink. To benefit such research, this paper presents the by-far largest corpus of freely available Simulink models to date, containing over 1,000 models. Surprising findings based on this corpus include that (a) tool support for metric collection is not adequate and (b) users do not reuse model components as they would in object-oriented programs. The paper both confirms and contradicts earlier findings that are based on significantly fewer models, suggesting the utility of the corpus for future research. While others have not yet leveraged this model corpus, we hope that our freely available corpus and infrastructure will benefit future model-based empirical research and tool development efforts, by reducing the model-collection overhead and thus easing evaluation.