Koopman Operator-based Detection-Isolation of Cyberattack: A Case Study on Electric Vehicle Charging
Abstract
One of the key challenges towards the reliable operation of cyber-physical systems (CPS) is the threat of cyberattacks on system actuation signals and measurements. In recent years, system theoretic research has focused on effectively detecting and isolating these cyberattacks to ensure proper restorative measures. Although both model-based and model-free approaches have been used in this context, the latter are becoming increasingly popular as complexities and model uncertainties in CPS increase. Thus, in this paper we propose a Koopman operator-based model-free cyberattack detection-isolation scheme for CPS. The algorithm uses limited system measurements for its training and generates real-time detection-isolation flags. Furthermore, we present a simulation case study to detect and isolate actuation and sensor attacks in a Lithium-ion battery system of a plug-in electric vehicle during charging.
1 INTRODUCTION
Cyber-physical systems (CPSs) have become an integral part of modern infrastructure owing to their contribution to improved control and computational efficiency [1]. However, the operational reliability of CPSs hinges on accurate sensor measurements and reliable actuation, both of which may be corrupted by cyberattacks [2]. Thus, much research has been focused on ensuring attack detection under both sensor and actuation attacks [3, 4, 5, 6]. Authors in [7, 8, 9] have proposed control-theoretic frameworks for various cyberattack policies and analyzed fundamental limitations in detecting them. In addition to detection, isolating the source of the attack is equally important to ensure mitigation and quick recovery after attack [10]. In the context of cyberattack isolation, multiple observers-based filters have been designed to isolate actuation attacks and sensor attacks in [11, 12]. Similarly, a model-based data-driven isolation approach has been exploited in [13] for mobile robots. In these works [11, 12, 13], complete model knowledge and considerable training data have been used for isolation. However, reliable system model knowledge and sufficient training data are not always available for nonlinear systems with complex dynamics. Hence, data-driven model-free approaches are often preferable for such systems [14].
Model-free data-driven approaches based on the Koopman Operator (KO) have thus received a considerable amount of attention in recent years [15, 16]. Unlike other model-free data-driven approaches such as machine learning, the Koopman analysis can identify the presence of anomalies in the case of unforeseen scenarios and insufficient training data [14, 17]. In [18] and [17], authors focused on clustering of the Koopman Modes to identify the presence of anomalies and cyberattacks in system measurement, respectively. Moreover, [17] utilized embedding of spatial information in the Koopman modes to distinguish between sensor attacks and natural changes in system behavior. However, these model-free methods have not addressed the issue of isolation between the occurrence of an actuation attack vs a sensor attack on the system.
To address these research gaps, our contributions in this work are as follows.
1. We propose a KO-based real-time detection-isolation scheme for actuation and sensor attacks in CPS.
2. The proposed scheme assumes no knowledge of the system model, requires only system measurements, and is trained online with limited data.
3. We also derive the analytical conditions under which actuation and sensor cyberattacks are indistinguishable, thereby formalizing the fundamental limitations of the proposed isolation scheme.
4. Finally, we present a case study on compromised charging of a Lithium-ion battery system for a plug-in electric vehicle to illustrate the efficacy of our scheme.
The rest of the paper is organized as follows: Section 2 presents the theoretical background for Koopman analysis. Section 3 explains the framework for this work and Section 4 introduces the proposed detection-isolation scheme. Next, we present our simulation case study on the plug-in electric vehicles under cyberattack during charging in Section 5. Finally, Section 6 concludes our work.
Notations: In this paper, denotes the time derivative of the vector ; denotes the Frobenius norm; denotes the Moore-Penrose (Pseudo) inverse of the matrix .
2 PRELIMINARIES ON KOOPMAN OPERATOR
In this section, we first present a brief overview of the KO analysis and then discuss a data-driven approach for the practical implementation of the operator.
2.1 Definition
Let us first consider a CPS such that the physical part exhibits nonlinear dynamics defined as
(1) |
where is the state vector, is the control input, is the output, and denotes the nonlinear output function. Here the system dynamics is a (continuously differentiable) nonlinear function and the flow map is a solution of the ODE (1) for the time between . Our primary objective in using KO theory is to obtain a linear, infinite-dimensional state dynamics that approximate the nonlinear, finite-dimensional state dynamics in (1) [19]. Additionally, data-driven approaches towards approximating the KO have enabled us to learn the dynamics of systems with uncertainty, nonlinearity, and complexity using computationally efficient algorithms and limited data (vide references in [15]).
To define the KO, let us consider an infinite-dimensional Hilbert space of observable functions . Furthermore, since the boundedness of the KO is not guaranteed, we assume that our KO has infinitely many discrete eigenvalues corresponding to infinitely many eigen-observables. Then the set of KO on this space of observables, is defined using the Koopman eigenfunctions (KEF), , and the corresponding Koopman eigenvalues (KEV), , as [20]:
(2) |
The primary significance of (2) lies in the fact that the KO evolves the KEFs linearly. Now, we can consider be any vector-valued observable function that lies on the space where the KEFs are the eigen-observables. Then can be expanded in terms of KEFs as Here the Koopman Modes (KM) are the coefficients of the projection of onto the span [21]. Furthermore, such expansion in terms of KEFs and KMs is referred to as Koopman Mode Decomposition (KMD).
Remark 1.
It should be noted from (2), that the KEFs and KEVs are solely dependent on the system dynamics and the function space . On the other hand, the KMs are specific to the observable .
Next, using assumptions in [15], if the observable function lies in the subspace spanned by the finite set of KEFs, a good approximation can be achieved by . Moreover, we can assume that the measurements of the system (1) are special observable functions [16]. This is mathematically expressed in the following assumption.
Assumption 1.
There exists a finite subset of KEFs for , such that the system (1) can be represented as In other words, we can estimate a finite subset of KEFs such that the lies in the subspace . Here are the KMs associated with the measurements.
2.2 Implementation
Delay Embedding is a data-driven approach where Takens' theorem is exploited to obtain a reliable approximation of system states from a consecutive measurement data sequence [22]. This also provides a means to learn a lower dimensional Koopman invariant space and the corresponding KMD [23]. We consider here that only the measurement and input data matrices are available and we arrange them as follows.
(3) | ||||
(4) | ||||
(5) |
Here ; and for the system (1) at the -th time instant; is the embedded delay. Next, we assume that for sufficiently embedded data matrices, we can obtain Koopman linear approximation for the system (1) from the optimization problem posed below.
(6) | ||||
(7) |
The analytical least-square solution of (7) can be found as . Notably, for our proposed scheme, the delay method is applied over a sliding window to first learn the model and subsequently predict it over a receding horizon. Hence, we define a moving window sequence of observations and for we split the window into two sub-sequences: and . We note here that the learning window is larger than the prediction window and the sliding window is moved ahead with amount after every prediction window. Moreover, is the from (3). With these preliminaries on KO theory and the methods of its numerical computation, we are now ready to discuss the framework of our problem.
3 PROBLEM FRAMEWORK
Let us consider the nonlinear system (1) under cyberattack such that this cyberattack can be either an actuation attack or a sensor attack . The attacked physical part of the CPS is then given by:
(8) |
Here we assume that the system model is unknown and only the system measurements and the control input signal are available to us. Our objective is to detect and isolate the presence of these attacks and .
Assumption 2.
In this framework, stealthy attacks such as zero dynamic attacks or covert attacks which simultaneously manipulate actuation and measurements are not considered because of their inherent undetectability using residual-based detection systems [2, 24]. Similarly, sensor attacks that can spoof the behavior of actuation attacks are also not considered for the isolation scheme.
To achieve our objective, we utilize (6)-(7) to obtain the measurement prediction . Furthermore, we assume there is a prediction window over which the predictions are based on the uncompromised system learning while the corresponding measurements are from the compromised system. Therefore, a residual-based detection filter can capture the presence of cyberattacks in the prediction window . In particular, following Assumption 1, we have
(9) |
Then, is sent to the detection-isolation scheme to detect and isolate the presence of cyberattacks and as shown in the block diagram of the proposed scheme for a nonlinear CPS in Fig. 1. From (9), it is evident that if either KEFs or the KMs of the system are changed, then the predicted will be different from the measured . At the same time, it is clear from (8) that the actuation attack explicitly affects the system dynamics while the sensor attack affects the system measurements or the observable functions. Consequently, referring to Remark 1, we can posit that the actuation attack affects the KEFs part and the sensor attack affects the KMs part of the system measurement. With this notion, we will present our proposed scheme.
![Refer to caption](x1.png)
4 DETECTION-ISOLATION SCHEME
The KO-based detection-isolation scheme consists of three main steps: generation of (i) an approximate linear model of the system, (ii) an attack detection flag, and (iii) an appropriate actuation or sensor attack isolation flag.
4.1 Detection scheme
Now, we can assert that there exists a prediction window during which the system (1) is under an actuation attack or a sensor attack. Consequently, during this prediction window , we can represent the corrupted system measurement using either the modified KEFs for actuation attacks or the modified KMs for sensor attacks. The corrupted measurement is then given by:
(10) |
Meanwhile, no attack is present in that learning window, and thus our prediction will solely be based on our learning of our nominal system model. This prediction is given by (9). Now, using the predicted and actual measurements (9)-(10), we define our detection residual as . For asynchronous actuation and sensor attacks satisfying Assumption 2, this residual is given by
(11) |
We note here that we dropped from the variable for brevity of notation. Now, it is evident from (11) that in the absence of any attack, the KEFs and KMs remain unchanged i.e. and . This implies that the residual (11) will remain close to zero under no attack.
Our detection scheme utilizes this to make a no-attack decision, and when the residual first crosses a predefined threshold, the attack flag is turned on. This threshold is set above the fluctuations of the residual signal under nominal system conditions [25]. Additionally, we note here that this residual does not continue to cross the threshold after the next learning window as the algorithm starts to assimilate the attack signature into the system model. However, the residual again crosses the threshold once the attack has been removed from the system. Thus, the threshold crossing is utilized to generate (turn on or off) an attack flag.
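The learn-predict-threshold loop of Sections 2.2, 3 and 4.1, as an added example that is not the authors' code. The forms of (3)-(7) did not survive on this page, so the delay stacking, the fit with the input appended as an extra row, the slide of one prediction window, the number of delays, the threshold value, the hold-off after a crossing and the toy first-order plant with constant input and additive sensor bias are all assumptions of this sketch; only the window lengths 15 and 8 come from Section 5.

```python
# Added example: sliding-window, delay-embedded Koopman residual detector
# run on constructed, noise-free data (not the battery model of Section 5).
import numpy as np

L_WIN, P_WIN = 15, 8   # learning / prediction window lengths (Section 5)
DELAYS = 3             # number of embedded delays (assumed)
THRESHOLD = 0.05       # detection threshold (constructed value)


def simulate(n=160, a=0.95, b=0.1, bias=0.0, k_on=0, k_off=0):
    """Constructed plant y[k+1] = a*y[k] + b*u[k] with constant input.
    The reported measurement carries an additive bias for k_on <= k < k_off."""
    u = np.ones(n)
    y = np.zeros(n)
    for k in range(n - 1):
        y[k + 1] = a * y[k] + b * u[k]
    y_meas = y.copy()
    y_meas[k_on:k_off] += bias
    return y_meas, u


def embed(y, d):
    """Delay-embed a scalar sequence; column j is [y[j+d-1], ..., y[j]]."""
    return np.array([y[j:j + d][::-1] for j in range(len(y) - d + 1)]).T


def fit_koopman(y_learn, u_learn, d):
    """Least-squares fit Z1 ~ K [Z0; U0], solved with the pseudo-inverse."""
    z = embed(y_learn, d)
    z0, z1 = z[:, :-1], z[:, 1:]
    u0 = u_learn[d - 1:-1][None, :]      # input aligned with each column of z0
    m = np.vstack([z0, u0])
    # rcond discards rounding-level singular values of rank-deficient data
    k_mat = z1 @ np.linalg.pinv(m, rcond=1e-8)
    return k_mat, z[:, -1]


def predict(k_mat, z_last, u_future):
    """Roll the learned linear model forward over the prediction window."""
    z, out = z_last.copy(), []
    for u_k in u_future:
        z = k_mat @ np.append(z, u_k)
        out.append(z[0])
    return np.array(out)


def detect(y, u):
    """Return (flag per window, windows that toggled the flag, residuals)."""
    # After a crossing, the next ceil(L/P) learning windows still overlap the
    # prediction window that crossed; their crossings are ignored (assumed).
    hold_off = -(-L_WIN // P_WIN)
    flag, skip = 0, 0
    flags, crossings, residuals = [], [], []
    for w, s in enumerate(range(0, len(y) - L_WIN - P_WIN + 1, P_WIN)):
        e = s + L_WIN
        k_mat, z_last = fit_koopman(y[s:e], u[s:e], DELAYS)
        y_hat = predict(k_mat, z_last, u[e - 1:e + P_WIN - 1])
        r = float(np.max(np.abs(y[e:e + P_WIN] - y_hat)))
        residuals.append(r)
        if skip > 0:
            skip -= 1
        elif r > THRESHOLD:
            flag ^= 1                    # threshold crossing toggles the flag
            crossings.append(w)
            skip = hold_off
        flags.append(flag)
    return flags, crossings, residuals


if __name__ == "__main__":
    # Constructed scenario: sensor bias of 0.3 injected for 58 <= k < 114.
    y_meas, u_cmd = simulate(bias=0.3, k_on=58, k_off=114)
    flags, crossings, residuals = detect(y_meas, u_cmd)
    print("flag per window:", flags)
    print("windows that toggled the flag:", crossings)
```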
4.2 Isolation scheme
Upon detection of a cyberattack, the proposed isolator is activated to ascertain if the attack is injected via actuation or measurement.
This isolation scheme is based on the behavior of the residual signal (11). In particular, we know that during actuation attack the generated detection residual , where . Alternatively, during sensor attack, the detection residual , where . This implies that is either a linear combination of with weights during an actuation attack or a linear combination of with weights during sensor attack.
However, we note here that the adversary can craft a sensor attack such that the output of the system is indistinguishable from a case of an actuation attack. Such actuation-attack-spoofing sensor attacks will satisfy:
(12) |
Thus, their signature on the detector residual will be identically equal to Hence, these actuation-attack-spoofing sensor attacks will remain undetected and (12) gives the analytical condition on the measurement which creates a fundamental limitation on this measurement-based isolation scheme. By Assumption 2, we do not consider such non-isolable attacks in this work.
Consequently, to isolate between actuation and sensor attacks satisfying Assumption 2, we check whether we can find a set of vectors whose linear combinations using the unchanged KMs match with the residual . If such basis vectors are found, then the is generated due to actuation attacks (since KMs are unchanged) and it is generated by sensor attack otherwise. Exploiting this idea, we define our isolation residual as the following optimization:
(13) |
Essentially, this optimization (13) tries to find the basis for the residual signal with the unchanged weights or KMs over the prediction window. This implies that for some small positive , we can define our isolation rule as: and
Next, we prove the above intuition mathematically for two cases of actuation and sensor attack.
Case 1 (Actuation attack): For this case, and replacing this in the definition of (13) we get
(14) |
Furthermore, rearranging the terms and noting that the minimization can be obtained for we can deduce
(15) |
Case 2 (Sensor attack): Conversely, in the case of a sensor attack: . Now, inserting this expression into the definition of (13) and rearranging the terms:
(16) |
Using reverse triangle inequality for (16) yields:
(17) |
We note here that the second term in (17) is . Since Assumption 2 is true, from (12) we claim that there exists no such that . This in turn implies that the optimization in (17) is not able to find a such that . Moreover, by Assumption 2, as this will imply a zero-dynamics attack. Thus, these two restrictions on (17) guarantee that . Consequently, this proves that for some the residual for the sensor attack case.
Choice of threshold for isolation residual: The choice of threshold for the isolation scheme relies on the choice of . This number can be determined by finding the isolation residual of the system under maximum actuation attack capacity i.e.
5 A CASE STUDY ON ELECTRIC VEHICLE CHARGING
In this section, we present the simulation case study on cyberattack scenarios on a plug-in electric vehicle (PEV) through the electric vehicle supply equipment (EVSE) at charging stations. A recent report from Sandia National Lab on the risk assessment of EVSE created a threat model and clearly indicated how the attacks on automotive charging will be exacerbated as more PEVs are equipped with extreme fast charging, DC fast charging, etc. [26].
For this case study, following [26] we will consider: (i) the corruption of communication between the electric vehicle communication controller (EVCC) and supply equipment communication controller (SECC), (ii) the corruption of the battery management system (BMS) and charger firmware, and (iii) corruption of communication between EVSE and charging station cloud-based control. Here, the terminal voltage measurement of the PEV battery is sent from the BMS to the EVCC and finally to the cloud controller. Corruption of this measurement along this communication is considered as a sensor attack. Similarly, charging current policies are sent from the cloud controller to the EVCC and finally to BMS. The corruption of this current command is our actuation attack. Figure 2 shows these potential cyberattack vectors between the cloud-based charging control, EVSE, and PEV.
![Refer to caption](x2.png)
For this study, we generated the terminal voltage measurements for the battery of the PEV using a nonlinear equivalent circuit model for a prismatic cell Li-ion battery [27]:
(18) | ||||
Here and denote the state of charge (SOC) and the nominal capacity of the battery, respectively. The states and are the voltages across the two resistance capacitance pair, representing the diffusion of lithium in the solid and electrolyte. The SOC dependent resistances and capacitances in (18) are defined as for .
The parameters are given in Table 1. We also note here that represents the ambient temperature. Finally, the measured terminal voltage of the battery is defined in terms of the system states as , where OCV denotes the open circuit voltage of the battery which has a strong dependence on the SOC instant of the battery and can be obtained from OCV-SOC plot [27]. Furthermore, specifies charging, and specifies discharging scenario. The PEV is charged with a constant current constant voltage (CCCV) policy and the charging cycle is generated by the cloud-based controller of the charging station. Additionally, the rated battery capacity is assumed to be and the internal series resistance is considered as .
We note here that our analysis is based on the model of a battery cell, instead of a battery pack. However, our work can be extended to the battery pack by cascading multiple battery cells [28]. This will be addressed in our future work.
The PEV is considered to start charging with SOC with a current under the CCCV policy. Furthermore, we consider a control protocol to charge the PEV up to SOC, since typically PEVs are not charged fully [28]. To implement our detection-isolation scheme for this PEV charging scenario, we adopted the delay embedding based data-driven approach for Koopman-operator approximation. We considered a moving window of snapshots in time with the embedded delay (3). This moving window consisted of a learning window of 15, followed by a prediction window of 8. Then, using the nominal terminal voltage measurement data, we define our detection threshold as [25]. To define the isolation threshold, we plotted the isolation residual with maximum actuation attack capacity for this battery, which we consider to be 5C rate charging current or . Considering the maximum isolation residual for an actuation attack for , we defined the isolation threshold as . Next, we will present the two case studies of actuation attack and sensor attack scenarios on this battery and demonstrate the efficacy of our scheme.
5.1 Case I: Actuation attack
![Refer to caption](x3.png)
In this scenario, we consider that the input signal is corrupted by the adversary to achieve overcharging. The battery model under attack can be obtained from (18) as
(19) |
To achieve overcharging, a high charging current is given to the battery, between and (shown in plot of Fig. 3). This causes the battery to overcharge, as is evident from (top plot) and SOC ( plot) of Fig. 3. Now, from the plot in Fig. 3, we observe that the detector residual crosses the threshold twice – once when the attack begins and once when the attack ends. Hence, the detection flag is set to 1 between the subsequent threshold crossings (shown in plot of Fig. 3). The detection occurs within of the attack, which shows the efficiency of our detection algorithm. Next, we analyze the performance of our isolation scheme. From the plot of Fig. 3, we observe that the isolation residual remains below the isolation threshold for actuation attack, and the isolation flag is set to 1 in the last plot of Fig. 3. Thus, the scheme correctly identifies that the detected attack is an actuation attack and achieves cyberattack isolation.
5.2 Case II: Sensor attack
In this scenario, the adversary alters the measured terminal voltage , without corrupting the charging current command generated by the cloud-based controller. Hence, the corresponding battery model can be defined as
(20) |
![Refer to caption](x4.png)
The adversary can force the battery to overcharge by corrupting the sensor data and communicating lower to the controller, since the battery charging protocol is based on . We simulated this particular scenario by injecting a false voltage data to the controller from to (shown in top plot of Fig. 4). Due to this terminal voltage corruption, the plot of Fig. 4 shows the SOC of the battery exhibiting eventual overcharging of the cell. Additionally, such a sensor attack delays the constant voltage charging of the battery as shown in the plot of Fig. 4. Under this sensor attack scenario, the detection residual crosses the threshold ( plot) at the beginning and the end of the attack injection. The detection flag is thus set to 1 between these two crossings to indicate the presence of a cyberattack. The generated detection flag is shown in the plot of Fig. 4. After detection, the isolation scheme is activated and the isolation residual is calculated. For this case, we observe that the isolation residual crosses the isolation threshold (as shown in the plot). Accordingly, the isolation flag is set to 2 to indicate the presence of a sensor attack in the system (as shown in the plot of Fig. 4). Thus, we validate the performance of the isolation scheme.
6 CONCLUSIONS
In this work, we have used a Koopman operator-based model-free approach for the detection and isolation of actuation and sensor attacks in CPS. We have utilized the delay embedding method to show that the signature of actuation and sensor attacks on the Koopman operator modes and eigenfunctions can be used to detect and isolate cyberattacks in CPS. Most importantly, this detection-isolation scheme uses only system measurements and learns the system model with limited data. This is important for faster and more efficient generation of attack flags in the presence of cyberthreats. Additionally, we have derived conditions where such an isolation scheme will fail owing to the presence of an actuation-attack-spoofing sensor attack. We also presented a case study of a cyberattack on a Lithium-ion battery powered PEV, charged by EVSE. The simulation results show that our proposed scheme can detect and isolate the presence of corrupted charging policies (actuation attack) and corrupted measurement (sensor attack).
References
- [1] M. Taheri, K. Khorasani, N. Meskin, and I. Shames, “Data-driven koopman operator based cyber-attacks for nonlinear control affine cyber-physical systems,” in 2022 IEEE 61st Conference on Decision and Control (CDC), pp. 6769–6775, IEEE, 2022.
- [2] F. Pasqualetti, F. Dörfler, and F. Bullo, “Attack detection and identification in cyber-physical systems,” IEEE transactions on automatic control, vol. 58, no. 11, pp. 2715–2729, 2013.
- [3] T. Roy and S. Dey, “Actuator anomaly detection in linear parabolic distributed parameter cyber-physical systems,” IEEE Transactions on Control Systems Technology, 2023.
- [4] A.-Y. Lu and G.-H. Yang, “Secure luenberger-like observers for cyber–physical systems under sparse actuator and sensor attacks,” Automatica, vol. 98, pp. 124–129, 2018.
- [5] T. Roy and S. Dey, “Actuator anomaly detection in linear parabolic distributed parameter cyber-physical systems,” IEEE Transactions on Control Systems Technology, pp. 1–12, 2023.
- [6] S. Ghosh and T. Roy, “Security of cyber-physical systems under compromised switching,” in 2023 IEEE Conference on Control Technology and Applications (CCTA), pp. 1034–1039, IEEE, 2023.
- [7] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “Revealing stealthy attacks in control systems,” in 2012 50th Annual Allerton Conference on Communication, Control, and Computing (Allerton), pp. 1806–1813, IEEE, 2012.
- [8] Y. Chen, S. Kar, and J. M. Moura, “Optimal attack strategies subject to detection constraints against cyber-physical systems,” IEEE Transactions on Control of Network Systems, vol. 5, no. 3, pp. 1157–1168, 2017.
- [9] K. Zhang, C. Keliris, T. Parisini, and M. M. Polycarpou, “Stealthy integrity attacks for a class of nonlinear cyber-physical systems,” IEEE Transactions on Automatic Control, vol. 67, no. 12, pp. 6723–6730, 2021.
- [10] A. Kanellopoulos and K. G. Vamvoudakis, “A moving target defense control framework for cyber-physical systems,” IEEE Transactions on Automatic Control, vol. 65, no. 3, pp. 1029–1043, 2019.
- [11] X. Zhang, F. Zhu, J. Zhang, and T. Liu, “Attack isolation and location for a complex network cyber-physical system via zonotope theory,” Neurocomputing, vol. 469, pp. 239–250, 2022.
- [12] S. Ghosh, N. Saha, and T. Roy, “A cyberattack detection-isolation scheme for cav under changing driving environment,” arXiv preprint arXiv:2305.11328, 2023.
- [13] P. Guo, H. Kim, N. Virani, J. Xu, M. Zhu, and P. Liu, “Exploiting physical dynamics to detect actuator and sensor attacks in mobile robots,” arXiv preprint arXiv:1708.01834, 2017.
- [14] M. Bakhtiaridoust, M. Yadegar, N. Meskin, and M. Noorizadeh, “Model-free geometric fault detection and isolation for nonlinear systems using koopman operator,” IEEE Access, vol. 10, pp. 14835–14845, 2022.
- [15] S. L. Brunton, “Notes on koopman operator theory,” University of Washington, Department of Mechanical Engineering, Accessed, vol. 30, 2019.
- [16] A. Surana and A. Banaszuk, “Linear observer synthesis for nonlinear systems using koopman operator framework,” IFAC-PapersOnLine, vol. 49, no. 18, pp. 716–723, 2016.
- [17] S. P. Nandanoori, S. Kundu, S. Pal, K. Agarwal, and S. Choudhury, “Model-agnostic algorithm for real-time attack identification in power grid using koopman modes,” in 2020 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), pp. 1–6, IEEE, 2020.
- [18] A. Gholami, A. Vosughi, and A. K. Srivastava, “Denoising and detection of bad data in distribution phasor measurements using filtering, clustering, and koopman mode analysis,” IEEE Transactions on Industry Applications, vol. 58, no. 2, pp. 1602–1610, 2022.
- [19] B. O. Koopman, “Hamiltonian systems and transformation in hilbert space,” Proceedings of the National Academy of Sciences, vol. 17, no. 5, pp. 315–318, 1931.
- [20] D. Bruder, X. Fu, and R. Vasudevan, “Advantages of bilinear koopman realizations for the modeling and control of systems with unknown dynamics,” IEEE Robotics and Automation Letters, vol. 6, no. 3, pp. 4369–4376, 2021.
- [21] I. Mezić, “Spectral properties of dynamical systems, model reduction and decompositions,” Nonlinear Dynamics, vol. 41, pp. 309–325, 2005.
- [22] M. Kamb, E. Kaiser, S. L. Brunton, and J. N. Kutz, “Time-delay observables for koopman: Theory and applications,” SIAM Journal on Applied Dynamical Systems, vol. 19, no. 2, pp. 886–917, 2020.
- [23] H. Arbabi and I. Mezic, “Ergodic theory, dynamic mode decomposition, and computation of spectral properties of the koopman operator,” SIAM Journal on Applied Dynamical Systems, vol. 16, no. 4, pp. 2096–2126, 2017.
- [24] T. Roy and S. Dey, “Secure traffic networks in smart cities: Analysis and design of cyber-attack detection algorithms,” in 2020 American Control Conference (ACC), pp. 4102–4107, IEEE, 2020.
- [25] S. X. Ding, Model-based fault diagnosis techniques: design schemes, algorithms, and tools. Springer Science & Business Media, 2008.
- [26] J. Johnson, B. Anderson, B. Wright, J. Quiroz, T. Berg, R. Graves, J. Daley, K. Phan, M. Kunz, R. Pratt, et al., “Cybersecurity for electric vehicle charging infrastructure,” tech. rep., Sandia National Lab. (SNL-NM), Albuquerque, NM (United States), 2022.
- [27] N. A. Samad, J. B. Siegel, and A. G. Stefanopoulou, “Parameterization and validation of a distributed coupled electro-thermal model for prismatic cells,” in Dynamic systems and control conference, vol. 46193, p. V002T23A006, American Society of Mechanical Engineers, 2014.
- [28] S. Dey and M. Khanra, “Cybersecurity of plug-in electric vehicles: Cyberattack detection during charging,” IEEE Transactions on Industrial Electronics, vol. 68, no. 1, pp. 478–487, 2020.