Koopman Operator-based Detection-Isolation of
Cyberattack: A Case Study on Electric Vehicle Charging

Let us first consider a CPS such that the physical part exhibits nonlinear dynamics defined as

$\displaystyle\dot{x}=f(x(t),u(t));\quad y(t)=h(x(t)),$

(1)

where $x\in\mathbf{X}\subset\mathbb{R}^{d}$ is the state vector, $u\in\mathbf{U}\subset\mathbb{R}^{p}$ is the control input, $y\in\mathbb{R}^{q}$ is the output, and $h:\mathbf{X}\rightarrow\mathbb{R}^{q}$ denotes the nonlinear output function. Here the system dynamics $f:\mathbf{X}\times\mathbf{U}\rightarrow\mathbb{R}^{d}$ is a (continuously differentiable) nonlinear function and the flow map $\Phi^{t}(x,u)$ is a solution of the ODE (1) for the time between $[0,t]$. Our primary objective in using KO theory is to obtain an linear, infinite-dimensional state dynamics that approximate the nonlinear, finite-dimensional state dynamics in (1) [19]. Additionally, data-driven approaches towards approximating the KO have enabled us to learn the dynamics of systems with uncertainty, nonlinearity, and complexity using computationally efficient algorithms and limited data (vide references in [15]).

To define the KO, let us consider an infinite-dimensional Hilbert space of observable functions $\mathcal{F}$. Furthermore, since the boundedness of the KO is not guaranteed, we assume that our KO has infinitely many discreet eigenvalues corresponding to infinitely many eigen-observables. Then the set of KO on this space of observables, $\mathcal{K}^{t}:\mathcal{F}\rightarrow\mathcal{F}$ is defined using the Koopman eigenfunctions (KEF), $\phi\in\mathcal{F}$, and the corresponding Koopman eigenvalues (KEV), $\lambda\in\mathbb{C}$, as [20]:

$\displaystyle\left[\mathcal{K}^{t}\phi\right](x,u)=\phi\left(\Phi^{t}(x,u)\right)=e^{\lambda t}\phi(x,u);$

(2)

The primary significance of (2) lies in the fact that the KO evolves the KEFs linearly. Now, we can consider ${\hat{\psi}}(x)\in\mathbb{C}^{k}$ be any vector-valued observable function that lies on the space $\mathcal{F}=\text{span}\{\phi_{i}\}_{i=1}^{\infty}$ where the KEFs $\phi_{i}:\mathbf{X}\rightarrow\mathbb{C}$ are the eigen-observables. Then ${\hat{\psi}}(x)$ can be expanded in terms of KEFs as ${\hat{\psi}}(x)=\sum_{i=1}^{\infty}\phi_{i}v_{i}^{\hat{\psi}}.$ Here the Koopman Modes (KM) $v_{i}^{\hat{\psi}}\in\mathbb{C}^{k}$ are the coefficients of the projection of ${\hat{\psi}}(x)$ onto the span$\{\phi_{i}\}_{i=1}^{\infty}$ [21]. Furthermore, such expansion in terms of KEFs and KMs is referred to as Koopman Mode Decomposition (KMD).

Delay Embedding is a data-driven approach where Taken’s theorem is exploited to obtain a reliable approximation of system states from a consecutive measurement data sequence [22]. This also provides a means to learn a lower dimensional Koopman invariant space and the corresponding KMD [23]. We consider here that only the measurement and input data matrices are available and we arrange them as follows.

		$\displaystyle Y_{b}=\begin{bmatrix}D_{1}&D_{2}&\cdots&D_{m-\tau-1}\end{bmatrix},$		(3)
		$\displaystyle Y_{s}=\begin{bmatrix}D_{2}&D_{3}&\cdots&D_{m-\tau}\end{bmatrix},$		(4)
		$\displaystyle U_{b}=\begin{bmatrix}u_{1+\tau}&u_{2+\tau}&\cdots&u_{m-1}\end{bmatrix}.$		(5)

Here $D_{l}=\begin{bmatrix}y_{l}^{T}&u_{l}^{T}&y_{l+1}^{T}&u_{l+1}^{T}&\cdots&y_{l+\tau}^{T}\end{bmatrix}^{T}$; $y_{l}\in\mathbb{R}^{q}$ and $u_{l}\in\mathbb{R}^{p}$ for the system (1) at the $l$-th time instant; $\tau$ is the embedded delay. Next, we assume that for sufficiently embedded data matrices, we can obtain Koopman linear approximation for the system (1) from the optimization problem posed below.

	$\displaystyle Y_{s}\approx AY_{b}+BU_{b},$			(6)
	$\displaystyle\min\limits_{\Lambda}||Y_{s}-\,\Lambda\Upsilon||_{F},\,\,\,\Upsilon=\begin{bmatrix}Y_{b}&U_{b}\end{bmatrix}^{T},$	$\displaystyle\,\,\,\Lambda=\begin{bmatrix}A&B\end{bmatrix}.$		(7)

The analytical least-square solution of (7) can be found as $\Lambda=Y_{s}\Upsilon^{\dagger}$. Notably, for our proposed scheme, the delay method is applied over a sliding window to first learn the model and subsequently predict it over a receding horizon. Hence, we define a moving window sequence of $W$ observations and for $\tilde{W}<W$ we split the window into two sub-sequence: $\text{Learning window:}\,\,\quad\mathfrak{L}\in\{s-W,\cdots,s-\tilde{W}\},$ and $\text{Prediction window:}\quad\mathfrak{P}\in\{s-\tilde{W}+1,\cdots,s\}$. We note here that the learning window $\mathfrak{L}$ is larger than the prediction window $\mathfrak{P}$ and the sliding window is moved ahead with $\tilde{W}-1$ amount after every prediction window. Moreover, $W-\tilde{W}$ is the $m$ from (3). With these preliminaries on KO theory and the methods of its numerical computation, we are now ready to discuss the framework of our problem.

Now, we can assert that there exists a prediction window $\mathfrak{P}$ during which the system (1) is under an actuation attack or a sensor attack. Consequently, during this prediction window $\mathfrak{P}$, we can represent the corrupted system measurement using either the modified KEFs $\tilde{\phi}_{i}(x)$ for actuation attacks or the modified KMs $\tilde{v}_{i}^{h}$ for sensor attacks. The corrupted measurement is then given by:

$${y}=\begin{cases}\sum\limits_{i=1}^{n}\tilde{\phi}_{i}(x)v_{i}^{h},&\text{if actuation attack};\\ \sum\limits_{i=1}^{n}\phi_{i}(x)\tilde{v}_{i}^{h},&\text{if sensor attack}.\end{cases}$$

(10)

Meanwhile, no attack is present in that learning window, and thus our prediction will solely be based on our learning of our nominal system model. This prediction is given by (9). Now, using the actual and predicted measurement (10)-(9), we define our detection residual as $r_{D}=y-\hat{y}$. For asyncrnous actuation and sensor attacks satisfying Assumption 2, this residual is given by

$$r_{D}=\begin{cases}\sum\limits_{i=1}^{n}\left(\tilde{\phi}_{i}-{\phi_{i}}\right)v_{i}^{h},&\text{if actuation attack};\\ \sum\limits_{i=1}^{n}\phi_{i}\left(\tilde{v}_{i}^{h}-{v}_{i}^{h}\right),&\text{if sensor attack}.\end{cases}$$

(11)

We note here, we droped $x$ from the variable $\phi_{i}(x)$ for the brevity of notation. Now, it is evident from (11) that in the absence of any attack, the KEFs and KMs remain unchanged i.e. $\tilde{\phi}_{i}-{\phi}_{i}=0$ and $\tilde{v}_{i}^{h}-{v}_{i}^{h}=0$. This implies that the residual $r_{D}$ (11) will remain close to zero under no attack.

Our detection scheme utilizes this to make a no-attack decision, and when the residual $\|r_{D}\|$ first crosses a predefined threshold, the attack flag is turned on. This threshold is set above the fluctuations of the residual signal under nominal system conditions [25]. Additionally, we note here that this residual does not continue to cross the threshold after the next learning window as the algorithm starts to assimilate the attack signature into the system model. However, the residual again crosses the threshold once the attack has been removed from the system. Thus, the threshold crossing is utilized to generate (turn on or off) an attack flag.

Upon detection of a cyberattack, the proposed isolator is activated to ascertain if the attack is injected via actuation or measurement.

This isolation scheme is based on the behavior of the residual signal (11). In particular, we know that during actuation attack the generated detection residual $r_{D}=\sum\limits_{i=1}^{n}\Delta\phi_{i}v_{i}^{h}$, where $\Delta\phi_{i}=\left[\tilde{\phi}_{i}-{\phi}_{i}\right]$. Alternatively, during sensor attack, the detection residual $r_{D}=\sum\limits_{i=1}^{n}\phi_{i}\Delta v_{i}$, where $\Delta v_{i}=\left[\tilde{v}_{i}^{h}-{v}_{i}^{h}\right]$. This implies that $r_{D}$ is either a linear combination of $\{\Delta{\phi}_{i}\}$ with weights $v_{i}^{h}$ during an actuation attack or a linear combination of $\{{\phi}_{i}\}$ with weights $\Delta v_{i}^{h}$ during sensor attack.

However, we note here that the adversary can craft a sensor attack such that the output of the system is indistinguishable from a case of an actuation attack. Such actuation-attack-spoofing sensor attacks will satisfy:

$\displaystyle y=\sum\limits_{i=1}^{n}\tilde{\phi}_{i}(x)v_{i}^{h}=\sum\limits_{i=1}^{n}\phi_{i}(x)\tilde{v}_{i}^{h}.$

(12)

Thus, their signature on the detector residual will be identically equal to $r_{D}=\sum\limits_{i=1}^{n}\phi_{i}\Delta v_{i}=\sum\limits_{i=1}^{n}\Delta\phi_{i}v_{i}^{h}.$ Hence, these actuation-attack-spoofing sensor attacks will remain undetected and (12) gives the analytical condition on the measurement which creates fundamental limitation on this measurement-based isolation scheme. By Assumption 2, we do not consider such non-isolable attacks in this work.

Consequently, to isolate between actuation and sensor attacks satisfying Assumption 2, we check whether we can find a set of vectors ${\widehat{\Delta\phi}_{i}}$ whose linear combinations using the unchanged KMs $v_{i}^{h}$ match with the residual $r_{D}$. If such basis vectors are found, then the $r_{D}$ is generated due to actuation attacks (since KMs are unchanged) and it is generated by sensor attack otherwise. Exploiting this idea, we define our isolation residual $r_{I}(t)$ as the following optimization:

$\displaystyle r_{I}=\min_{\widehat{\Delta\phi}_{i}}\left\|\sum\limits_{i=1}^{n}\widehat{\Delta\phi}_{i}v_{i}^{h}-r_{D}\right\|.$

(13)

Essentially, this optimization (13) tries to find the basis for the residual signal $r_{D}$ with the unchanged weights or KMs $v_{i}^{h}$ over the prediction window. This implies that for some small positive $\epsilon\in\mathbb{R}$, we can define our isolation rule as: $0\leqslant r_{I}\leqslant\epsilon\quad\text{implies actuation attack},$ and $r_{I}>\epsilon>0\quad\text{implies sensor attack.}$

Next, we prove the above intuition mathematically for two cases of actuation and sensor attack.

Case 1 (Actuation attack): For this case, $r_{D}=\sum\limits_{i=1}^{n}\Delta\phi_{i}v_{i}^{h}$ and replacing this $r_{D}$ in the definition of $r_{I}$ (13) we get

$\displaystyle r_{I}$

$\displaystyle=\min_{\widehat{\Delta\phi}_{i}}\left\|\sum\limits_{i=1}^{n}\widehat{\Delta\phi}_{i}v_{i}^{h}-\sum\limits_{i=1}^{n}\Delta\phi_{i}v_{i}^{h}\right\|.$

(14)

Furthermore, rearranging the terms and noting that the minimization can be obtained for $\widehat{\Delta\phi}_{i}=\Delta\phi_{i}$ we can deduce

$\displaystyle r_{I}=\min_{\widehat{\Delta\phi}_{i}}\left\|\sum\limits_{i=1}^{n}\left[\widehat{\Delta\phi}_{i}-\Delta\phi_{i}\right]v_{i}^{h}\right\|\leqslant\epsilon.$

(15)

Case 2 (Sensor attack): Conversely, in the case of a sensor attack: $r_{D}=\sum\limits_{i=1}^{n}\phi_{i}(x)\Delta v_{i}$. Now, inserting this expression into the definition of $r_{I}$ (13) and rearranging the terms:

$\displaystyle r_{I}$

$\displaystyle=\min_{\widehat{\Delta\phi}_{i}}\left\|\sum\limits_{i=1}^{n}\left[\widehat{\Delta\phi}_{i}+\phi_{i}\right]{v}_{i}^{h}-\sum\limits_{i=1}^{n}\phi_{i}\tilde{v}_{i}^{h}\right\|.$

(16)

Using reverse triangle inequality for (16) yields:

$\displaystyle r_{I}$

$\displaystyle\geqslant\min_{\widehat{\Delta\phi}_{i}}\left|\,\left\|\sum\limits_{i=1}^{n}\left[\widehat{\Delta\phi}_{i}+\phi_{i}\right]{v}_{i}^{h}\right\|-\left\|\sum\limits_{i=1}^{n}\phi_{i}\tilde{v}_{i}^{h}\right\|\,\right|.$

(17)

We note here that the second term in (17) is $y(t)$. Since Assumption 2 is true, from (12) we claim that there exists no $\tilde{\phi}_{i}(x)$ such that $\sum\limits_{i=1}^{n}\tilde{\phi}_{i}(x)v_{i}^{h}=\sum\limits_{i=1}^{n}\phi_{i}(x)\tilde{v}_{i}^{h}$. This in turn implies that the optimization in (17) is not able to find a $\widehat{\Delta\phi}_{i}$ such that $\left\|\sum\limits_{i=1}^{n}\left[\widehat{\Delta\phi}_{i}+\phi_{i}(x)\right]{v}_{i}^{h}\right\|=\left\|\sum\limits_{i=1}^{n}\phi_{i}(x)\tilde{v}_{i}^{h}\right\|$. Moreover, by Assumption 2, $y(t)\not\equiv 0$ as this will imply a zero-dynamics attack. Thus, these two restrictions on (17) guarantee that $r_{I}\neq 0$. Consequently, this proves that for some $\epsilon>0,$ the residual $r_{I}>\epsilon$ for the sensor attack case.

Choice of threshold for isolation residual: The choice of threshold for the isolation scheme relies on the choice of $\epsilon$. This number can be determined by finding the isolation residual of the system under maximum actuation attack capacity i.e. $\|\delta_{u}\|_{max}\leqslant\|u_{max}\|.$

In this scenario, we consider that the input signal $I_{c}$ is corrupted by the adversary to achieve overcharging. The battery model under attack can be obtained from (18) as

$\displaystyle\dot{\tilde{X}}=A(\tilde{X})\tilde{X}+B(\tilde{X})\left(I_{c}+\delta_{u}\right),\quad\tilde{V}_{t}=OCV-\left(I_{c}+\delta_{u}\right)R_{s}-\tilde{V}_{1}-\tilde{V}_{2}.$

(19)

To achieve overcharging, a high charging current is given to the battery, between $700s$ and $1600s$ (shown in $3^{\text{rd}}$ plot of Fig. 3). This causes the battery to overcharge, as is evident from $V_{t}$ (top plot) and SOC ($2^{\text{nd}}$ plot) of Fig. 3. Now, from the $4^{\text{th}}$ plot in Fig. 3, we observe that the detector residual crosses the threshold twice – once when the attack begins and once when the attack ends. Hence, the detection flag is set to 1 between the subsequent threshold crossings (shown in $5^{\text{th}}$ plot of Fig. 3). The detection occurs within $1s$ of the attack, which shows the efficiency of our detection algorithm. Next, we analyze the performance of our isolation scheme. From the $6^{\text{th}}$ plot of Fig. 3, we observe that the isolation residual remains below the isolation threshold for actuation attack, and the isolation flag in set to 1 in the last plot of Fig. 3. Thus, the scheme correctly identifies the detected attack is an actuation attack, and achieves cyberattack isolation.

The adversary can force the battery to overcharge by corrupting the sensor data and communicating lower $V_{t}$ to the controller, since the battery charging protocol is based on $V_{t}$. We simulated this particular scenario by injecting a false voltage data to the controller from $700s$ to $1600s$ (shown in top plot of Fig. 4). Due to this terminal voltage corruption, the $2^{\text{nd}}$ plot of Fig. 4 shows the SOC of the battery exhibiting eventual overcharging of the cell. Additionally, such sensor attack delays the constant voltage charging of the battery as shown in the $3^{\text{rd}}$ plot of Fig. 4. Under this sensor attack scenario, the detection residual crosses the threshold ($4^{\text{th}}$ plot) in the beginning and the end of the attack injection. The detection flag is thus set to 1 between these two crossing to indicate the presence of a cyberattack. The generated detection flag is shown in the $5^{\text{th}}$ plot of Fig. 4. After detection, the isolation scheme is activated and the isolation residual $r_{I}$ is calculated. For this case, we observe that the isolation residual crosses the isolation threshold (as shown in the $6^{\text{th}}$ plot). Accordingly, the isolation flag is set to 2 to indicate the presence of sensor attack in the system (as shown in the $7^{\text{th}}$ plot of Fig. 4). Thus, we validate the performance of the isolation scheme.