-
On well-posedness of the leak localization problem in parallel pipe networks
Authors:
Victor Molnö,
Henrik Sandberg
Abstract:
With the advent of integrated sensor technology (smart flow meters and pressure sensors), various new numerical algorithms for leak localization (a core element of water distribution system operation) have been developed. However, there is a lack of theory regarding the limitations of leak localization. In this work, we contribute to the development of such a theory by introducing an example water network structure with parallel pipes that is tractable for analytical treatment. We define the leak localization problem for this structure and show how many sensors and what conditions are needed for the well-posedness of the problem. We present a formula for the leak position as a function of measurements from these sensors. However, we also highlight the risk of finding false but plausible leak positions in the multiple pipes. We try to answer the questions of how and when the leaking pipe can be isolated. In particular, we show that nonlinearities in the pipes' head loss functions are essential for the well-posedness of the isolation problem. We propose procedures to get around the pitfall of multiple plausible leak positions.
Submitted 15 March, 2024;
originally announced March 2024.
-
Electrical Fault Localisation Over a Distributed Parameter Transmission Line
Authors:
Daniel Selvaratnam,
Amritam Das,
Henrik Sandberg
Abstract:
Motivated by the need to localise faults along electrical power lines, this paper adopts a frequency-domain approach to parameter estimation for an infinite-dimensional linear dynamical system with one spatial variable. Since the time of the fault is unknown, and voltages and currents are measured at only one end of the line, distance information must be extracted from the post-fault transients. To properly account for high-frequency transient behaviour, the line dynamics is modelled directly by the Telegrapher's equation, rather than the more commonly used lumped-parameter approximations. First, the governing equations are non-dimensionalised to avoid ill-conditioning. A closed-form expression for the transfer function is then derived. Finally, nonlinear least-squares optimisation is employed to search for the fault location. Requirements on fault bandwidth, sensor bandwidth and simulation time-step are also presented. The result is a novel end-to-end algorithm for data generation and fault localisation, the effectiveness of which is demonstrated via simulation.
Submitted 20 October, 2023;
originally announced October 2023.
-
Resilient Scheduling of Control Software Updates in Radial Power Distribution Systems
Authors:
Kin Cheong Sou,
Henrik Sandberg
Abstract:
In response to newly found security vulnerabilities, or as part of a moving target defense, a fast and safe control software update scheme for networked control systems is highly desirable. We here develop such a scheme for intelligent electronic devices (IEDs) in power distribution systems, which is a solution to the so-called software update rollout problem. This problem seeks to minimize the makespan of the software rollout, while guaranteeing safety in voltage and current at all buses and lines despite possible worst-case update failure where malfunctioning IEDs may inject harmful amounts of power into the system. Based on the nonlinear DistFlow equations, we derive linear relations relating software update decisions to the worst-case voltages and currents, leading to a decision model both tractable and more accurate than previous models based on the popular linearized DistFlow equations. Under reasonable protection assumptions, the rollout problem can be formulated as a vector bin packing problem and instances can be built and solved using scalable computations. Using realistic benchmarks including one with 10,476 buses, we demonstrate that the proposed method can generate safe and effective rollout schedules in real-time.
Submitted 23 July, 2023;
originally announced July 2023.
-
Complexity reduction for resilient state estimation of uniformly observable nonlinear systems
Authors:
Junsoo Kim,
Jin Gyu Lee,
Henrik Sandberg,
Karl H. Johansson
Abstract:
A resilient state estimation scheme for uniformly observable nonlinear systems, based on a method for local identification of sensor attacks, is presented. The estimation problem is combinatorial in nature, and so many methods require substantial computational and storage resources as the number of sensors increases. To reduce the complexity, the proposed method performs the attack identification with local subsets of the measurements, not with the set of all measurements. A condition for nonlinear attack identification is introduced as a relaxed version of the existing redundant observability condition. It is shown that attack identification can be performed even when the state cannot be recovered from the measurements. As a result, although a portion of the measurements are compromised, they can be locally identified and excluded from the state estimation, and thus the true state can be recovered. Simulation results demonstrate the effectiveness of the proposed scheme.
Submitted 18 April, 2023;
originally announced April 2023.
-
The Fundamental Limitations of Learning Linear-Quadratic Regulators
Authors:
Bruce D. Lee,
Ingvar Ziemann,
Anastasios Tsiamis,
Henrik Sandberg,
Nikolai Matni
Abstract:
We present a local minimax lower bound on the excess cost of designing a linear-quadratic controller from offline data. The bound is valid for any offline exploration policy that consists of a stabilizing controller and an energy bounded exploratory input. The derivation leverages a relaxation of the minimax estimation problem to Bayesian estimation, and an application of Van Trees' inequality. We show that the bound aligns with system-theoretic intuition. In particular, we demonstrate that the lower bound increases when the optimal control objective value increases. We also show that the lower bound increases when the system is poorly excitable, as characterized by the spectrum of the controllability gramian of the system mapping the noise to the state and the $\mathcal{H}_\infty$ norm of the system mapping the input to the state. We further show that for some classes of systems, the lower bound may be exponential in the state dimension, demonstrating exponential sample complexity for learning the linear-quadratic regulator offline.
Submitted 27 March, 2023;
originally announced March 2023.
-
Attack Impact Evaluation for Stochastic Control Systems through Alarm Flag State Augmentation
Authors:
Hampei Sasahara,
Takashi Tanaka,
Henrik Sandberg
Abstract:
This note addresses the problem of evaluating the impact of an attack on discrete-time nonlinear stochastic control systems. The problem is formulated as an optimal control problem with a joint chance constraint that forces the adversary to avoid detection throughout a given time period. Due to the joint constraint, the optimal control policy depends not only on the current state, but also on the entire history, leading to an explosion of the search space and making the problem generally intractable. However, we discover that the current state and whether an alarm has been triggered, or not, is sufficient for specifying the optimal decision at each time step. This information, which we refer to as the alarm flag, can be added to the state space to create an equivalent optimal control problem that can be solved with existing numerical approaches using a Markov policy. Additionally, we note that the formulation results in a policy that does not avoid detection once an alarm has been triggered. We extend the formulation to handle multi-alarm avoidance policies for more reasonable attack impact evaluations, and show that the idea of augmenting the state space with an alarm flag is valid in this extended formulation as well.
Submitted 30 January, 2023;
originally announced January 2023.
-
Comparison of encrypted control approaches and tutorial on dynamic systems using LWE-based homomorphic encryption
Authors:
Junsoo Kim,
Dongwoo Kim,
Yongsoo Song,
Hyungbo Shim,
Henrik Sandberg,
Karl H. Johansson
Abstract:
Encrypted control has been introduced to protect controller data by encryption at the stage of computation and communication, by performing the computation directly on encrypted data. In this article, we first review and categorize recent relevant studies on encrypted control. Approaches based on homomorphic encryption, multi-party computation, and secret sharing are introduced, compared, and then discussed with respect to computational complexity, communication load, enabled operations, security, and research directions. We proceed to discuss a current challenge in the application of homomorphic encryption to dynamic systems, where arithmetic operations other than integer addition and multiplication are limited. We also introduce a homomorphic cryptosystem called "GSW-LWE" and discuss its benefits that allow for recursive multiplication of encrypted dynamic systems, without use of computationally expensive bootstrapping techniques.
Submitted 11 October, 2022;
originally announced October 2022.
-
Modeling and Analysis of a Coupled SIS Bi-Virus Model
Authors:
Sebin Gracy,
Philip E. Paré,
Ji Liu,
Henrik Sandberg,
Carolyn L. Beck,
Karl Henrik Johansson,
Tamer Başar
Abstract:
The paper deals with the setting where two viruses (say virus 1 and virus 2) coexist in a population, and they are not necessarily mutually exclusive, in the sense that infection due to one virus does not preclude the possibility of simultaneous infection due to the other. We develop a coupled bi-virus susceptible-infected-susceptible (SIS) model from a 4n-state Markov chain model, where n is the number of agents (i.e., individuals or subpopulation) in the population. We identify a sufficient condition for both viruses to eventually die out, and a sufficient condition for the existence, uniqueness and asymptotic stability of the endemic equilibrium of each virus. We establish a sufficient condition and multiple necessary conditions for local exponential convergence to the boundary equilibrium (i.e., one virus persists, the other one dies out) of each virus. Under mild assumptions on the healing rate, we show that there cannot exist a coexisting equilibrium where for each node there is a nonzero fraction infected only by virus 1; a nonzero fraction infected only by virus 2; but no fraction that is infected by both viruses 1 and 2. Likewise, assuming that healing rates are strictly positive, a coexisting equilibrium where for each node there is a nonzero fraction infected by both viruses 1 and 2, but no fraction is infected only by virus 1 (resp. virus 2) does not exist. Further, we provide a necessary condition for the existence of certain other kinds of coexisting equilibria. We show that, unlike the competitive bivirus model, the coupled bivirus model is not monotone. Finally, we illustrate our theoretical findings using an extensive set of in-depth simulations.
Submitted 29 June, 2024; v1 submitted 23 July, 2022;
originally announced July 2022.
-
Green Routing Game: Strategic Logistical Planning using Mixed Fleets of ICEVs and EVs
Authors:
Hampei Sasahara,
György Dán,
Saurabh Amin,
Henrik Sandberg
Abstract:
This paper introduces a "green" routing game between multiple logistic operators (players), each owning a mixed fleet of internal combustion engine vehicle (ICEV) and electric vehicle (EV) trucks. Each player faces the cost of delayed delivery (due to charging requirements of EVs) and a pollution cost levied on the ICEVs. This cost structure models: 1) limited battery capacity of EVs and their charging requirement; 2) shared nature of charging facilities; 3) pollution cost levied by a regulatory agency on the use of ICEVs. We characterize Nash equilibria of this game and derive a condition for its uniqueness. We also use the gradient projection method to compute this equilibrium in a distributed manner. Our equilibrium analysis is useful to analyze the trade-off faced by players in incurring higher delay due to congestion at charging locations when the share of EVs increases versus a higher pollution cost when the share of ICEVs increases. A numerical example suggests that increasing the marginal pollution cost can dramatically reduce the inefficiency of equilibria.
Submitted 1 April, 2022;
originally announced April 2022.
-
Leakage Localization in Water Distribution Networks: A Model-Based Approach
Authors:
Ludvig Lindstrom,
Sebin Gracy,
Sindri Magnusson,
Henrik Sandberg
Abstract:
The paper studies the problem of leakage localization in water distribution networks. For the case of a single pipe that suffers from a single leak, by taking recourse to pressure and flow measurements, and assuming those are noiseless, we provide a closed-form expression for the leak location, leak exponent and leak constant. For the aforementioned setting, but with noisy pressure and flow measurements, an expression for estimating the location of the leak is provided. Finally, assuming the existence of a single leak, for a network comprising more than one pipe and assuming that the network has a tree structure, we provide a systematic procedure for determining the leak location, the leak exponent, and the leak constant.
Submitted 31 March, 2022;
originally announced April 2022.
-
Attack Impact Evaluation by Exact Convexification through State Space Augmentation
Authors:
Hampei Sasahara,
Takashi Tanaka,
Henrik Sandberg
Abstract:
We address the attack impact evaluation problem for control system security. We formulate the problem as a Markov decision process with a temporally joint chance constraint that forces the adversary to avoid being detected throughout the considered time period. Owing to the joint constraint, the optimal control policy depends not only on the current state but also on the entire history, which leads to the explosion of the search space and makes the problem generally intractable. It is shown that whether an alarm has been triggered or not, in addition to the current state, is sufficient for specifying the optimal decision at each time step. Augmenting the state space with this information induces an equivalent convex optimization problem, which is tractable using standard solvers.
Submitted 31 March, 2022;
originally announced March 2022.
-
Scale Fragilities in Localized Consensus Dynamics
Authors:
Emma Tegling,
Bassam Bamieh,
Henrik Sandberg
Abstract:
We consider distributed consensus in networks where the agents have integrator dynamics of order two or higher ($n\ge 2$). We assume all feedback to be localized in the sense that each agent has a bounded number of neighbors and consider a scaling of the network through the addition of agents in a modular manner, i.e., without re-tuning controller gains upon addition. We show that standard consensus algorithms, which rely on relative state feedback, are subject to what we term scale fragilities, meaning that stability is lost as the network scales. For high-order agents ($n\ge 3$), we prove that no consensus algorithm with fixed gains can achieve consensus in networks of any size. That is, while a given algorithm may allow a small network to converge, it causes instability if the network grows beyond a certain finite size. This holds in families of network graphs whose algebraic connectivity, that is, the smallest non-zero Laplacian eigenvalue, is decreasing towards zero in network size (e.g. all planar graphs). For second-order consensus ($n = 2$) we prove that the same scale fragility applies to directed graphs that have a complex Laplacian eigenvalue approaching the origin (e.g. directed ring graphs). The proofs for both results rely on Routh-Hurwitz criteria for complex-valued polynomials and hold true for general directed network graphs. We survey classes of graphs subject to these scale fragilities, discuss their scaling constants, and finally prove that a sub-linear scaling of nodal neighborhoods can suffice to overcome the issue.
Submitted 26 January, 2023; v1 submitted 22 March, 2022;
originally announced March 2022.
-
Asymptotic Security using Bayesian Defense Mechanism with Application to Cyber Deception
Authors:
Hampei Sasahara,
Henrik Sandberg
Abstract:
This paper addresses the question of whether model knowledge can guide a defender to appropriate decisions when an attacker intrudes into control systems. The model-based defense scheme considered in this study, namely the Bayesian defense mechanism, chooses reasonable reactions through observation of the system's behavior using models of the system's stochastic dynamics, the vulnerability to be exploited, and the attacker's objective. On the other hand, rational attackers take deceptive strategies for misleading the defender into making inappropriate decisions. In this paper, their dynamic decision making is formulated as a stochastic signaling game. It is shown, based on martingale analysis, that the belief in the true scenario has a limit in a stochastic sense at an equilibrium. This fact implies that there are only two possible cases: the defender asymptotically detects the attack with a firm belief, or the attacker takes actions such that the system's behavior becomes nominal after a finite time step. Consequently, if different scenarios result in different stochastic behaviors, the Bayesian defense mechanism guarantees that the system is secure in an asymptotic manner, provided that effective countermeasures are implemented. As an application of the finding, a defensive deception utilizing asymmetric recognition of the vulnerabilities exploited by the attacker is analyzed. It is shown that the attacker possibly stops the attack even if the defender is unaware of the exploited vulnerabilities, as long as the defender's unawareness is concealed by the defensive deception.
Submitted 6 December, 2023; v1 submitted 7 January, 2022;
originally announced January 2022.
-
A Bayesian Nash equilibrium-based moving target defense against stealthy sensor attacks
Authors:
David Umsonst,
Serkan Sarıtaş,
György Dán,
Henrik Sandberg
Abstract:
We present a moving target defense strategy to reduce the impact of stealthy sensor attacks on feedback systems. The defender periodically and randomly switches between thresholds from a discrete set to increase the uncertainty for the attacker and make stealthy attacks detectable. However, the defender does not know the exact goal of the attacker but only the prior of the possible attacker goals. Here, we model one period with a constant threshold as a Bayesian game and use the Bayesian Nash equilibrium concept to find the distribution for the choice of the threshold in that period, which takes the defender's uncertainty about the attacker into account. To obtain the equilibrium distribution, the defender minimizes its cost consisting of the cost for false alarms and the cost induced by the attack. We present a necessary and sufficient condition for the existence of a moving target defense and formulate a linear program to determine the moving target defense. Furthermore, we present a closed-form solution for the special case when the defender knows the attacker's goals. The results are numerically evaluated on a four-tank process.
Submitted 31 May, 2022; v1 submitted 12 November, 2021;
originally announced November 2021.
-
Privacy Guarantees for Cloud-based State Estimation using Partially Homomorphic Encryption
Authors:
Sawsan Emad,
Amr Alanwar,
Yousra Alkabani,
M. Watheq El-Kharashi,
Henrik Sandberg,
Karl H. Johansson
Abstract:
The privacy aspect of state estimation algorithms has been drawing high research attention due to the necessity for a trustworthy private environment in cyber-physical systems. These systems usually engage cloud-computing platforms to aggregate essential information from spatially distributed nodes and produce desired estimates. The exchange of sensitive data among semi-honest parties raises privacy concerns, especially when there are coalitions between parties. We propose two privacy-preserving protocols using Kalman filter and partially homomorphic encryption of the measurements and estimates while exposing the covariances and other model parameters. We prove that the proposed protocols achieve satisfying computational privacy guarantees against various coalitions based on formal cryptographic definitions of indistinguishability. We evaluate the proposed protocols to demonstrate their efficiency using data from a real testbed.
Submitted 4 April, 2022; v1 submitted 8 November, 2021;
originally announced November 2021.
-
Experimental evaluation of sensor attacks and defense mechanisms in feedback systems
Authors:
David Umsonst,
Henrik Sandberg
Abstract:
In this work, we evaluate theoretical results on the feasibility of, the worst-case impact of, and defense mechanisms against a stealthy sensor attack in an experimental setup. We demonstrate that for a controller with stable dynamics the stealthy sensor attack is possible to conduct and the theoretical worst-case impact is close to the achieved practical one. However, although the attack should theoretically be possible when the controller has integral action, we show that the integral action slows the attacker down and the attacker is not able to remain stealthy if it does not have perfect knowledge of the controller state. In addition to that, we investigate the effect of different anomaly detectors on the attack impact and conclude that the impact under detectors with internal dynamics is smaller. Finally, we use noise injection into the controller dynamics to unveil the otherwise stealthy attacks.
Submitted 28 April, 2022; v1 submitted 5 November, 2021;
originally announced November 2021.
-
Multi-Layer SIS Model with an Infrastructure Network
Authors:
Philip E. Pare,
Axel Janson,
Sebin Gracy,
Ji Liu,
Henrik Sandberg,
Karl H. Johansson
Abstract:
This paper deals with the spread of diseases over both a population network and an infrastructure network. We develop a layered networked spread model for a susceptible-infected-susceptible (SIS) pathogen-borne disease spreading over a human contact network and an infrastructure network, and refer to it as a layered networked susceptible-infected-water-susceptible (SIWS) model. The SIWS network is in the healthy state (also referred to as the disease-free equilibrium) if none of the individuals in the population are infected nor is the infrastructure network contaminated; otherwise, we say that the network is in the endemic state (also referred to as the endemic equilibrium). First, we establish sufficient conditions for local exponential stability and global asymptotic stability (GAS) of the healthy state. Second, we provide sufficient conditions for existence, uniqueness, and GAS of the endemic state. Building off of these results, we provide a necessary, and sufficient, condition for the healthy state to be the unique equilibrium of our model. Third, we show that the endemic equilibrium of the SIWS model is worse than that of the networked SIS model without any infrastructure network, in the sense that at least one subpopulation has strictly larger infection proportion at the endemic equilibrium in the former model than that in the latter. Fourth, we study an observability problem, and, assuming that the measurements of the sickness-levels of the human contact network are available, provide a necessary and sufficient condition for estimation of the pathogen levels in the infrastructure network. Furthermore, we provide another sufficient, but not necessary, condition for estimation of pathogen levels in the infrastructure network.
Submitted 20 September, 2021;
originally announced September 2021.
-
Finite sample guarantees for quantile estimation: An application to detector threshold tuning
Authors:
David Umsonst,
Justin Ruths,
Henrik Sandberg
Abstract:
In threshold-based anomaly detection, we want to tune the threshold of a detector to achieve an acceptable false alarm rate. However, tuning the threshold is often a non-trivial task due to unknown detector output distributions. A detector threshold that provides an acceptable false alarm rate is equivalent to a specific quantile of the detector output distribution. Therefore, we use quantile estimators based on order statistics to estimate the detector threshold. The estimation of quantiles from sample data has a tradition of more than a century, and we provide three different distribution-free finite sample guarantees for a class of quantile estimators. The first is based on the Dworetzky-Kiefer-Wolfowitz inequality, the second utilizes the Vysochanskij-Petunin inequality, and the third is based on exact confidence intervals for a beta distribution. These guarantees are then compared and used in the detector threshold tuning problem. We use both simulated data as well as data obtained from an experimental setup with the Temperature Control Lab to validate the guarantees provided.
Submitted 28 April, 2022; v1 submitted 25 May, 2021;
originally announced May 2021.
-
A Model Randomization Approach to Statistical Parameter Privacy
Authors:
Ehsan Nekouei,
Henrik Sandberg,
Mikael Skoglund,
Karl H. Johansson
Abstract:
In this paper, we study a privacy filter design problem for a sequence of sensor measurements whose joint probability density function (p.d.f.) depends on a private parameter. To ensure parameter privacy, we propose a filter design framework which consists of two components: a randomizer and a nonlinear transformation. The randomizer takes the private parameter as input and randomly generates a pseudo parameter. The nonlinear mapping transforms the measurements such that the joint p.d.f. of the filter's output depends on the pseudo parameter rather than the private parameter. It also ensures that the joint p.d.f. of the filter's output belongs to the same family of distributions as that of the measurements. The nonlinear transformation has a feedforward-feedback structure that allows real-time and causal generation of the disguised measurements with low complexity using a recursive structure. The design of the randomizer is formulated as an optimization problem subject to a privacy constraint, in terms of mutual information, and it is shown that the optimal randomizer is the solution of a convex optimization problem. Using information-theoretic inequalities, we show that the performance of any estimator of the private parameter, based on the output of the privacy filter, is limited by the privacy constraint. The structure of the nonlinear transformation is studied in the special cases of independent and identically distributed, Markovian, and Gauss-Markov measurements. Our results show that the privacy filter in the Gauss-Markov case can be implemented as two one-step ahead Kalman predictors and a set of minimum mean square error predictors. The Kalman predictors significantly reduce the complexity of computing the disguised measurements. A numerical example on occupancy privacy in a building automation system illustrates the approach.
Submitted 22 May, 2021;
originally announced May 2021.
-
Geometrical Characterization of Sensor Placement for Cone-Invariant and Multi-Agent Systems against Undetectable Zero-Dynamics Attacks
Authors:
Jianqi Chen,
Jieqiang Wei,
Wei Chen,
Henrik Sandberg,
Karl H. Johansson,
Jie Chen
Abstract:
Undetectable attacks are an important class of malicious attacks threatening the security of cyber-physical systems, which can modify a system's state but leave the system output measurements unaffected, and hence cannot be detected from the output. This paper studies undetectable attacks on cone-invariant systems and multi-agent systems. We first provide a general characterization of zero-dynamics attacks, which characterizes fully undetectable attacks targeting the non-minimum phase zeros of a system. This geometrical characterization makes it possible to develop a defense strategy seeking to place a minimal number of sensors to detect and counter the zero-dynamics attacks on the system's actuators. The detect and defense scheme amounts to computing a set containing potentially vulnerable actuator locations and nodes, and a defense union for feasible placement of sensors based on the geometrical properties of the cones under consideration.
Submitted 10 May, 2021;
originally announced May 2021.
-
Asymptotic Security by Model-based Incident Handlers for Markov Decision Processes
Authors:
Hampei Sasahara,
Henrik Sandberg
Abstract:
This study investigates general model-based incident handler's asymptotic behaviors in time against cyber attacks to control systems. The attacker's and the defender's dynamic decision making is modeled as an equilibrium of a dynamic signaling game. It is shown that the defender's belief on existence of an attacker converges over time for any attacker's strategy provided that the stochastic dynamics of the control system is known to the defender. This fact implies that the rational behavior of the attacker converges to a harmless action as long as the defender possesses an effective counteraction. The obtained result supports the powerful protection capability achieved by model-based defense mechanisms.
Submitted 24 March, 2021;
originally announced March 2021.
-
Epistemic Signaling Games for Cyber Deception with Asymmetric Recognition
Authors:
Hampei Sasahara,
Henrik Sandberg
Abstract:
This study provides a model of cyber deception with asymmetric recognition represented by private beliefs. Signaling games, which are often used in existing works, are built on the implicit premise that the receiver's belief is public information. However, this assumption, which leads to symmetric recognition, is unrealistic in adversarial decision making. For a precise evaluation of risks arising from cognitive gaps, this paper proposes epistemic signaling games based on the Mertens-Zamir model, which explicitly quantifies players' asymmetric recognition. Equilibria of the games are analytically characterized with an interpretation.
Submitted 11 May, 2021; v1 submitted 4 March, 2021;
originally announced March 2021.
-
Data-Driven Set-Based Estimation using Matrix Zonotopes with Set Containment Guarantees
Authors:
Amr Alanwar,
Alexander Berndt,
Karl Henrik Johansson,
Henrik Sandberg
Abstract:
We propose a method to perform set-based state estimation of an unknown dynamical linear system using a data-driven set propagation function. Our method comes with set-containment guarantees, making it applicable to safety-critical systems. The method consists of two phases: (1) an offline learning phase where we collect noisy input-output data to determine a function to propagate the state-set ahead in time; and (2) an online estimation phase consisting of a time update and a measurement update. It is assumed that known finite sets bound measurement noise and disturbances, but we assume no knowledge of their statistical properties. These sets are described using zonotopes, allowing efficient propagation and intersection operations. We propose a new approach to compute a set of models consistent with the data and noise-bound, given input-output data in the offline phase. The set of models is utilized in replacing the unknown dynamics in the data-driven set propagation function in the online phase. Then, we propose two approaches to perform the measurement update. Simulations show that the proposed estimator yields state sets comparable in volume to the 3σ confidence bounds obtained by a Kalman filter approach, but with the addition of state set-containment guarantees. We observe that using constrained zonotopes yields smaller sets but with higher computational costs than unconstrained ones.
Submitted 27 March, 2022; v1 submitted 26 January, 2021;
originally announced January 2021.
-
Networked Multi-Virus Spread with a Shared Resource: Analysis and Mitigation Strategies
Authors:
Axel Janson,
Sebin Gracy,
Philip E. Paré,
Henrik Sandberg,
Karl H. Johansson
Abstract:
The paper studies multi-competitive continuous-time epidemic processes in the presence of a shared resource. We consider the setting where multiple viruses are simultaneously prevalent in the population, and the spread occurs due to not only individual-to-individual interaction but also due to individual-to-resource interaction. In such a setting, an individual is either not affected by any of the viruses, or infected by one and exactly one of the multiple viruses. We classify the equilibria into three classes: a) the healthy state (all viruses are eradicated), b) single-virus endemic equilibria (all but one viruses are eradicated), and c) coexisting equilibria (multiple viruses simultaneously infect separate fractions of the population). We provide i) a sufficient condition for exponential (resp. asymptotic) eradication of a virus; ii) a sufficient condition for the existence, uniqueness and asymptotic stability of a single-virus endemic equilibrium; iii) a necessary and sufficient condition for the healthy state to be the unique equilibrium; and iv) for the bi-virus setting (i.e., two competing viruses), a sufficient condition and a necessary condition for the existence of a coexisting equilibrium. Building on these analytical results, we provide two mitigation strategies: a technique that guarantees convergence to the healthy state; and, in a bi-virus setup, a scheme that employs one virus to ensure that the other virus is eradicated. The results are illustrated in a numerical study of a spread scenario in Stockholm city.
Submitted 15 November, 2020;
originally announced November 2020.
-
Power Injection Attacks in Smart Distribution Grids with Photovoltaics
Authors:
Martin Lindström,
Hampei Sasahara,
Xingkang He,
Henrik Sandberg,
Karl Henrik Johansson
Abstract:
In order to protect smart distribution grids from intrusions, it is important to understand possible risks and impacts of attacks. We study the worst-case attack strategy of a power injection attack against the physical layer of a smart distribution grid with a high penetration of photovoltaic resources. We derive both the worst attack signal and worst attack location: The worst attack signal is a step function which switches its sign at the final stage, and the worst attack location is the node with the largest impedance to the grid substation. Numerical examples on a European benchmark model verify the developed results. Finally, both theoretical and numerical results are used to discuss feasible defense strategies against power injection attacks.
Submitted 6 April, 2021; v1 submitted 11 November, 2020;
originally announced November 2020.
-
Distributed Design of Glocal Controllers via Hierarchical Model Decomposition
Authors:
Hampei Sasahara,
Takayuki Ishizaki,
Jun-ichi Imura,
Henrik Sandberg,
Karl Henrik Johansson
Abstract:
This paper proposes a distributed design method of controllers having a glocal (global/local) information structure for large-scale network systems. Distributed design, independent design of all subcontrollers that constitute a structured controller, facilitates scalable controller synthesis. While existing distributed design methods confine attention to the decentralized or distributed information structures, this study addresses distributed design of glocal-structured controllers. Glocal control exploits the nature that network system's behavior can typically be represented as a superposition of spatially local fluctuations and global interarea oscillations by incorporating a global coordinating subcontroller with local decentralized subcontrollers. The key idea to distributed design of glocal controllers is to represent the original network system as a hierarchical cascaded system composed of reduced-order models representing the global and local dynamics, referred to as hierarchical model decomposition. Distributed design is achieved by independently designing and implementing subcontrollers for the reduced-order models while preserving the cascade structure. This paper provides a condition for existence of the hierarchical model decomposition, a specific representation of the hierarchical system, a clustering method appropriate for the proposed approach, and a robust extension. Numerical examples of a power grid evidence the practical relevance of the proposed method.
Submitted 9 November, 2020;
originally announced November 2020.
-
Disconnection-aware Attack Detection and Isolation with Separation-based Detector Reconfiguration
Authors:
Hampei Sasahara,
Takayuki Ishizaki,
Jun-ichi Imura,
Henrik Sandberg
Abstract:
This study addresses incident handling during an adverse event for dynamical networked control systems. Incident handling can be divided into five steps: detection, analysis, containment, eradication, and recovery. For networked control systems, the containment step can be conducted through physical disconnection of an attacked subsystem. In accordance with the disconnection, the equipped attack detection unit should be reconfigured to maintain its detection capability. In particular, separating the detection subunit associated with the disconnected subsystem is considered as a specific reconfiguration scheme in this study. This paper poses the problem of disconnection-aware attack detection and isolation with the separation-based detector reconfiguration. The objective is to find an attack detection unit that preserves its detection and isolation capability even under any possible disconnection and separation. The difficulty arises from network topology variation caused by disconnection that can possibly lead to stability loss of the distributed observer inside the attack detection unit. A solution is proposed based on an existing controller design technique referred to as retrofit control. Furthermore, an application to low-voltage power distribution networks with distributed generation is exhibited. Numerical examples evidence the practical use of the proposed method through a benchmark distribution network.
Submitted 4 October, 2021; v1 submitted 23 September, 2020;
originally announced September 2020.
-
Maximizing Privacy in MIMO Cyber-Physical Systems Using the Chapman-Robbins Bound
Authors:
Rijad Alisic,
Marco Molinari,
Philip E. Paré,
Henrik Sandberg
Abstract:
Privacy breaches of cyber-physical systems could expose vulnerabilities to an adversary. Here, privacy leaks of step inputs to linear-time-invariant systems are mitigated through additive Gaussian noise. Fundamental lower bounds on the privacy are derived, which are based on the variance of any estimator that seeks to recreate the input. Fully private inputs are investigated and related to transmission zeros. Thereafter, a method to increase the privacy of optimal step inputs is presented and a privacy-utility trade-off bound is derived. Finally, these results are verified on data from the KTH Live-In Lab Testbed, showing good correspondence with theoretical results.
Submitted 8 September, 2020;
originally announced September 2020.
-
Data-Driven Distributed Mitigation Strategies and Analysis of Mutating Epidemic Processes
Authors:
Philip E Pare,
Sebin Gracy,
Henrik Sandberg,
Karl Henrik Johansson
Abstract:
In this paper we study a discrete-time SIS (susceptible-infected-susceptible) model, where the infection and healing parameters and the underlying network may change over time. We provide conditions for the model to be well-defined and study its stability. For systems with homogeneous infection rates over symmetric graphs, we provide a sufficient condition for global exponential stability (GES) of the healthy state, that is, where the virus is eradicated. For systems with heterogeneous virus spread over directed graphs, provided that the variation is not too fast, a sufficient condition for GES of the healthy state is established.
Submitted 22 October, 2020; v1 submitted 17 August, 2020;
originally announced August 2020.
-
How to Secure Distributed Filters Under Sensor Attacks
Authors:
Xingkang He,
Xiaoqiang Ren,
Henrik Sandberg,
Karl H. Johansson
Abstract:
We study how to secure distributed filters for linear time-invariant systems with bounded noise under false-data injection attacks. A malicious attacker is able to arbitrarily manipulate the observations for a time-varying and unknown subset of the sensors. We first propose a recursive distributed filter consisting of two steps at each update. The first step employs a saturation-like scheme, which gives a small gain if the innovation is large corresponding to a potential attack. The second step is a consensus operation of state estimates among neighboring sensors. We prove the estimation error is upper bounded if the filter parameters satisfy a condition. We further analyze the feasibility of the condition and connect it to sparse observability in the centralized case. When the attacked sensor set is known to be time-invariant, the secured filter is modified by adding an online local attack detector. The detector is able to identify the attacked sensors whose observation innovations are larger than the detection thresholds. Also, with more attacked sensors being detected, the thresholds will adaptively adjust to reduce the space of the stealthy attack signals. The resilience of the secured filter with detection is verified by an explicit relationship between the upper bound of the estimation error and the number of detected attacked sensors. Moreover, for the noise-free case, we prove that the state estimate of each sensor asymptotically converges to the system state under certain conditions. Numerical simulations are provided to illustrate the developed results.
Submitted 22 June, 2021; v1 submitted 11 April, 2020;
originally announced April 2020.
-
Bounding Privacy Leakage in Smart Buildings
Authors:
Rijad Alisic,
Marco Molinari,
Philip E. Paré,
Henrik Sandberg
Abstract:
Smart building management systems rely on sensors to optimize the operation of buildings. If an unauthorized user gains access to these sensors, a privacy leak may occur. This paper considers such a potential leak of privacy in a smart residential building, and how it may be mitigated through corrupting the measurements with additive Gaussian noise. This corruption is done in order to hide the occupancy change in an apartment. A lower bound on the variance of any estimator that estimates the change time is derived. The bound is then used to analyze how different model parameters affect the variance. It is shown that the signal to noise ratio and the system dynamics are the main factors that affect the bound. These results are then verified on a simulator of the KTH Live-In Lab Testbed, showing good correspondence with theoretical results.
Submitted 29 March, 2020;
originally announced March 2020.
-
Asymptotic Security of Control Systems by Covert Reaction: Repeated Signaling Game with Undisclosed Belief
Authors:
Hampei Sasahara,
Serkan Saritas,
Henrik Sandberg
Abstract:
This study investigates the relationship between resilience of control systems to attacks and the information available to malicious attackers. Specifically, it is shown that control systems are guaranteed to be secure in an asymptotic manner by rendering reactions against potentially harmful actions covert. The behaviors of the attacker and the defender are analyzed through a repeated signaling game with an undisclosed belief under covert reactions. In the typical setting of signaling games, reactions conducted by the defender are supposed to be public information and the measurability enables the attacker to accurately trace transitions of the defender's belief on existence of a malicious attacker. In contrast, the belief in the game considered in this paper is undisclosed and hence common equilibrium concepts can no longer be employed for the analysis. To surmount this difficulty, a novel framework for decision of reasonable strategies of the players in the game is introduced. Based on the presented framework, it is revealed that any reasonable strategy chosen by a rational malicious attacker converges to the benign behavior as long as the reactions performed by the defender are unobservable to the attacker. The result provides an explicit relationship between resilience and information, which indicates the importance of covertness of reactions for designing secure control systems.
Submitted 25 March, 2020;
originally announced March 2020.
-
Actuator Security Index for Structured Systems
Authors:
Sebin Gracy,
Jezdimir Milosevic,
Henrik Sandberg
Abstract:
Given a network with the set of vulnerable actuators (and sensors), the security index of an actuator equals the minimum number of sensors and actuators that needs to be compromised so as to conduct a perfectly undetectable attack using the said actuator. This paper deals with the problem of computing actuator security indices for discrete-time LTI network systems. Firstly, we show that, under a structured systems framework, the actuator security index is generic. Thereafter, we provide graph-theoretic conditions for computing the structural actuator security index. The said conditions are in terms of existence of linkings on appropriately-defined directed (sub)graphs. Based on these conditions, we present an algorithm for computing the structural index.
Submitted 12 March, 2020;
originally announced March 2020.
-
Analysis, Online Estimation, and Validation of a Competing Virus Model
Authors:
Philip E. Pare,
Damir Vrabac,
Henrik Sandberg,
Karl H. Johansson
Abstract:
In this paper we introduce a discrete time competing virus model and the assumptions necessary for the model to be well posed. We analyze the system exploring its different equilibria. We provide necessary and sufficient conditions for the estimation of the model parameters from time series data and introduce an online estimation algorithm. We employ a dataset of two competing subsidy programs from the US Department of Agriculture to validate the model by employing the identification techniques. To the best of our knowledge, this work is the first to study competing virus models in discrete-time, online identification of spread parameters from time series data, and validation of said models using real data. These new contributions are important for applications since real data is naturally sampled.
Submitted 28 January, 2020;
originally announced January 2020.
-
On the confidentiality of controller states under sensor attacks
Authors:
David Umsonst,
Henrik Sandberg
Abstract:
With the emergence of cyber-attacks on control systems it has become clear that improving the security of control systems is an important task in today's society. We investigate how an attacker that has access to the measurements transmitted from the plant to the controller can perfectly estimate the internal state of the controller. This attack on sensitive information of the control loop is, on the one hand, a violation of the privacy, and, on the other hand, a violation of the security of the closed-loop system if the obtained estimate is used in a larger attack scheme. Current literature on sensor attacks often assumes that the attacker already has access to the controller's state. However, this is not always possible. We derive conditions for when the attacker is able to perfectly estimate the controller's state. These conditions show that if the controller has unstable poles a perfect estimate of the controller state is not possible. Moreover, we propose a defence mechanism to render the attack infeasible. This defence is based on adding uncertainty to the controller dynamics. We also discuss why an unstable controller is only a good defence for certain plants. Finally, simulations with a three-tank system verify our results.
Submitted 5 November, 2021; v1 submitted 8 January, 2020;
originally announced January 2020.
-
Analysis and distributed control of periodic epidemic processes
Authors:
Sebin Gracy,
Philip E. Pare,
Henrik Sandberg,
Karl Henrik Johansson
Abstract:
This paper studies epidemic processes over discrete-time periodic time-varying networks. We focus on the susceptible-infected-susceptible (SIS) model that accounts for a (possibly) mutating virus. We say that an agent is in the disease-free state if it is not infected by the virus. Our objective is to devise a control strategy which ensures that all agents in a network exponentially (resp. asymptotically) converge to the disease-free equilibrium (DFE). Towards this end, we first provide a) sufficient conditions for exponential (resp. asymptotic) convergence to the DFE; and b) a necessary and sufficient condition for asymptotic convergence to the DFE. The sufficient condition for global exponential stability (GES) (resp. global asymptotic stability (GAS)) of the DFE is in terms of the joint spectral radius of a set of suitably-defined matrices, whereas the necessary and sufficient condition for GAS of the DFE involves the spectral radius of an appropriately-defined product of matrices. Subsequently, we leverage the stability results in order to design a distributed control strategy for eradicating the epidemic.
Submitted 17 November, 2020; v1 submitted 20 November, 2019;
originally announced November 2019.
-
Disconnection-aware Attack Detection in Networked Control Systems
Authors:
Hampei Sasahara,
Takayuki Ishizaki,
Jun-ichi Imura,
Henrik Sandberg
Abstract:
This study deals with security issues in dynamical networked control systems. The goal is to establish a unified framework of the attack detection stage, which includes the four processes of monitoring the system state, making a decision based on the monitored signal, disconnecting the corrupted subsystem, and operating the remaining system during restoration. This paper, in particular, considers a disconnection-aware attack detector design problem. Traditionally, observer-based attack detectors are designed based on the system model with a fixed network topology and cannot cope with a change of the topology caused by disconnection. The disconnection-aware design problem is mathematically formulated and a solution is proposed in this paper. A numerical example demonstrates the effectiveness of the proposed detector through an inverter-based voltage control system in a benchmark model.
Submitted 27 February, 2020; v1 submitted 12 November, 2019;
originally announced November 2019.
-
Two-Way Coding and Attack Decoupling in Control Systems Under Injection Attacks
Authors:
Song Fang,
Karl Henrik Johansson,
Mikael Skoglund,
Henrik Sandberg,
Hideaki Ishii
Abstract:
In this paper, we introduce the concept of two-way coding, which originates in communication theory characterizing coding schemes for two-way channels, into control theory, particularly to facilitate the analysis and design of feedback control systems under injection attacks. Moreover, we propose the notion of attack decoupling, and show how the controller and the two-way coding can be co-designed to nullify the transfer function from attack to plant, rendering the attack effect zero both in transient phase and in steady state.
Submitted 4 September, 2019;
originally announced September 2019.
-
Secure distributed filtering for unstable dynamics under compromised observations
Authors:
Xingkang He,
Xiaoqiang Ren,
Henrik Sandberg,
Karl Henrik Johansson
Abstract:
In this paper, we consider a secure distributed filtering problem for linear time-invariant systems with bounded noises and unstable dynamics under compromised observations. A malicious attacker is able to compromise a subset of the agents and manipulate the observations arbitrarily. We first propose a recursive distributed filter consisting of two parts at each time. The first part employs a saturation-like scheme, which gives a small gain if the innovation is too large. The second part is a consensus operation of state estimates among neighboring agents. A sufficient condition is then established for the boundedness of the estimation error, in terms of the network topology, the system structure, and the maximal compromised agent subset. We further provide an equivalent statement, which connects to 2s-sparse observability in the centralized framework in certain scenarios, such that the sufficient condition is feasible. Numerical simulations are finally provided to illustrate the developed results.
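As an added illustration of the two-part filter structure the abstract describes (this is not the filter from the paper; the plant, gain, graph and threshold below are all assumed), the Python code simulates a scalar unstable plant x_{k+1} = a x_k with a = 1.2 observed by four agents on a ring, one of which reports an arbitrary value. Each agent predicts, applies a unit gain to its innovation clipped to [-τ, τ] (the saturation-like part), and then averages the local updates over its neighbourhood (the consensus part). Process and measurement noise are omitted so that the attacker's contribution is the only error source.

```python
# Added example, not the paper's filter.  Scalar plant x_{k+1} = a x_k (|a| > 1),
# n agents each measuring x directly; one agent's observation is controlled by
# the attacker.  Assumed: gain 1 on the innovation, equal consensus weights,
# no process or measurement noise.

def saturate(v, tau):
    """Clip the innovation to [-tau, tau]; tau=None disables saturation."""
    if tau is None:
        return v
    return max(-tau, min(tau, v))


def run_filter(a, neighbours, compromised, attack_offset, tau, steps, x0=1.0):
    """Return the per-agent estimation errors after `steps` iterations.

    neighbours[i] lists the agents whose local updates agent i averages
    (itself included).  A compromised agent observes x + attack_offset; the
    attacker may pick any offset, saturation bounds what it can do per step."""
    n = len(neighbours)
    x = x0
    est = [x0] * n                       # every agent starts on the true state
    for _ in range(steps):
        x = a * x                        # unstable plant
        local = []
        for i in range(n):
            pred = a * est[i]            # time update (prediction)
            y = x + (attack_offset if i in compromised else 0.0)
            innov = saturate(y - pred, tau)
            local.append(pred + innov)   # measurement update, gain 1
        # consensus step: average the local updates over each neighbourhood
        est = [sum(local[j] for j in neighbours[i]) / len(neighbours[i])
               for i in range(n)]
    return [e - x for e in est]


# Constructed 4-cycle 0-1-2-3-0; agent 3 is compromised.
RING = {0: [3, 0, 1], 1: [0, 1, 2], 2: [1, 2, 3], 3: [2, 3, 0]}


def worst_error(tau, steps=30):
    """Largest absolute estimation error over all agents at the final step."""
    errs = run_filter(a=1.2, neighbours=RING, compromised={3},
                      attack_offset=1e6, tau=tau, steps=steps)
    return max(abs(e) for e in errs)


if __name__ == "__main__":
    print("no saturation :", worst_error(None))  # attacker dominates the estimate
    print("tau = 1.0     :", worst_error(1.0))   # error stays below 5/9
```

With this graph the compromised agent's error ε obeys ε(k+1) = (a ε(k) + s)/3 with |s| ≤ τ, so it converges to 5τ/9 for a = 1.2; its two neighbours inherit the same bound and the agent two hops away is unaffected. Without saturation the same attacker moves the neighbouring estimates to x + 10^6/3 in a single step. The bound only holds while the honest agents' innovations stay inside [-τ, τ], i.e. a·5τ/9 ≤ τ here, which is the kind of joint condition on topology, dynamics and compromised set that the abstract's sufficient condition formalizes.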
Submitted 18 March, 2019;
originally announced March 2019.
-
Two-Way Coding in Control Systems Under Injection Attacks: From Attack Detection to Attack Correction
Authors:
Song Fang,
Karl Henrik Johansson,
Mikael Skoglund,
Henrik Sandberg,
Hideaki Ishii
Abstract:
In this paper, we introduce the method of two-way coding, a concept originating in communication theory characterizing coding schemes for two-way channels, into (networked) feedback control systems under injection attacks. We first show that the presence of two-way coding can distort the perspective of the attacker on the control system. In general, the distorted viewpoint on the attacker side as a consequence of two-way coding will facilitate detecting the attacks, or restricting what the attacker can do, or even correcting the attack effect. In the particular case of zero-dynamics attacks, if the attacks are to be designed according to the original plant, then they will be easily detected; while if the attacks are designed with respect to the equivalent plant as viewed by the attacker, then under the additional assumption that the plant is stabilizable by static output feedback, the attack effect may be corrected in steady state.
Submitted 17 January, 2019; v1 submitted 16 January, 2019;
originally announced January 2019.
-
Estimating the Impact of Cyber-Attack Strategies for Stochastic Control Systems
Authors:
Jezdimir Milosevic,
Henrik Sandberg,
Karl Henrik Johansson
Abstract:
Risk assessment is an inevitable step in the implementation of a cyber-defense strategy. An important part of this assessment is to reason about the impact of possible attacks. In this paper, we propose a framework for estimating the impact of cyber-attacks in stochastic linear control systems. The framework can be used to estimate the impact of denial of service, rerouting, sign alternation, replay, false data injection, and bias injection attacks. For the stealthiness constraint, we adopt the Kullback-Leibler divergence between residual sequences during the attack. Two impact metrics are considered: (1) The probability that some of the critical states leave a safety region; and (2) The expected value of the infinity norm of the critical states. For the first metric, we prove that the impact estimation problem can be reduced to a set of convex optimization problems. Thus, the exact solution can be found efficiently. For the second metric, we derive an efficiently computable lower bound. Finally, we demonstrate how the framework can be used for risk assessment on an example.
Submitted 13 November, 2018;
originally announced November 2018.
-
Synchronization of Kuramoto oscillators in a bidirectional frequency-dependent tree network
Authors:
Matin Jafarian,
Xinlei Yi,
Mohammad Pirani,
Henrik Sandberg,
Karl Henrik Johansson
Abstract:
This paper studies the synchronization of a finite number of Kuramoto oscillators in a frequency-dependent bidirectional tree network. We assume that the coupling strength of each link in each direction is equal to the product of a common coefficient and the exogenous frequency of its corresponding head oscillator. We derive a sufficient condition for the common coupling strength in order to guarantee frequency synchronization in tree networks. Moreover, we discuss the dependency of the obtained bound on both the graph structure and the way that exogenous frequencies are distributed. Further, we present an application of the obtained result by means of an event-triggered algorithm for achieving frequency synchronization in a star network assuming that the common coupling coefficient is given.
Submitted 9 December, 2018; v1 submitted 17 September, 2018;
originally announced September 2018.
-
Ensuring Privacy with Constrained Additive Noise by Minimizing Fisher Information
Authors:
Farhad Farokhi,
Henrik Sandberg
Abstract:
The problem of preserving the privacy of individual entries of a database when responding to linear or nonlinear queries with constrained additive noise is considered. For privacy protection, the response to the query is systematically corrupted with an additive random noise whose support is a subset of (or equal to) a pre-defined constraint set. A measure of privacy using the inverse of the trace of the Fisher information matrix is developed. The Cramér-Rao bound relates the variance of any estimator of the database entries to the introduced privacy measure. The probability density that minimizes the trace of the Fisher information (as a proxy for maximizing the measure of privacy) is computed. An extension to dynamic problems is also presented. Finally, the results are compared to the differential privacy methodology.
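As an added worked example (not the paper's code), the Python below evaluates the privacy measure the abstract defines, the inverse of the Fisher information of the noise density, for noise densities supported on a constraint set [-a, a]. It assumes a scalar query, so the Fisher information matrix and its trace are the same number, and it uses the classical fact that the Fisher-information minimizer on a bounded interval is the cos² density, whose Fisher information is π²/a². Two polynomial densities that also vanish at the boundary are included for comparison; the constant `a` and the choice of comparison densities are assumptions of the example.

```python
import math

# Added example.  Query response y = x + noise, noise density p supported on
# the assumed constraint set [-a, a].  Fisher information of the location
# family q(y | x) = p(y - x) is I = integral_{-a}^{a} p'(u)^2 / p(u) du.


def fisher_information(pdf, dpdf, a, n=100_000):
    """Midpoint-rule evaluation of I for a density with derivative dpdf.
    Points where p vanishes contribute nothing (the limit is 0 for the
    densities below, which go to zero at +-a)."""
    h = 2.0 * a / n
    total = 0.0
    for i in range(n):
        u = -a + (i + 0.5) * h
        p = pdf(u)
        if p > 0.0:
            total += dpdf(u) ** 2 / p
    return total * h


def cos2_density(a):
    """p(u) = cos^2(pi u / (2a)) / a: the minimizer on [-a, a], I = pi^2 / a^2."""
    pdf = lambda u: math.cos(math.pi * u / (2.0 * a)) ** 2 / a
    dpdf = lambda u: -math.pi / (2.0 * a * a) * math.sin(math.pi * u / a)
    return pdf, dpdf


def polynomial_density(a, k):
    """p(u) = c (1 - u^2/a^2)^k on [-a, a], k >= 2 (k = 2 is the biweight).
    The normalising constant c comes from the Beta function."""
    c = math.gamma(k + 1.5) / (math.sqrt(math.pi) * math.gamma(k + 1) * a)
    pdf = lambda u: c * (1.0 - (u / a) ** 2) ** k
    dpdf = lambda u: -2.0 * c * k * u / (a * a) * (1.0 - (u / a) ** 2) ** (k - 1)
    return pdf, dpdf


def privacy_measure(I):
    """The abstract's measure for a scalar entry: inverse of the Fisher information."""
    return 1.0 / I


def cramer_rao_bound(I, n):
    """Variance of any unbiased estimate of the entry from n independent
    responses to the same query is at least 1 / (n I)."""
    return 1.0 / (n * I)


if __name__ == "__main__":
    a = 1.0
    candidates = {
        "cos^2": cos2_density(a),
        "(1-u^2)^2": polynomial_density(a, 2),
        "(1-u^2)^3": polynomial_density(a, 3),
    }
    for name, (pdf, dpdf) in candidates.items():
        I = fisher_information(pdf, dpdf, a)
        print(f"{name:10s} I = {I:7.4f}  privacy = {privacy_measure(I):.4f}"
              f"  CR bound (n=10) = {cramer_rao_bound(I, 10):.5f}")
```

For a = 1 the three densities give I ≈ 9.87 (π²), 10 and 10.5, so the cos² noise yields the largest privacy measure and the largest Cramér-Rao floor on any unbiased estimator's variance. A density that does not vanish at ±a, such as uniform or truncated Gaussian noise, breaks the regularity assumptions behind the Cramér-Rao bound at the support edges, and estimators such as the midrange then beat the 1/√n rate, so the measure no longer certifies anything; that is why the boundary behaviour of the noise matters when the support is constrained.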
Submitted 28 August, 2018;
originally announced August 2018.
-
Actuator Security Indices Based on Perfect Undetectability: Computation, Robustness, and Sensor Placement
Authors:
Jezdimir Milosevic,
Andre Teixeira,
Henrik Sandberg,
Karl Henrik Johansson
Abstract:
This paper proposes an actuator security index based on the definition of perfect undetectability. This index can help a control system operator to localize the most vulnerable actuators in the networked control system, which can then be secured. Particularly, the security index of an actuator equals the minimum number of sensors and actuators that need to be compromised such that a perfectly undetectable attack against that actuator can be conducted. A method for computing the index for small scale networked control systems is derived, and it is shown that the index can potentially be increased by placing additional sensors. The difficulties that appear once the system is of a large scale are then outlined: the problem of calculating the index is NP-hard, the index is vulnerable to system variations, and it is based on the assumption that the attacker knows the entire model of the system. To overcome these difficulties, a robust security index is introduced. The robust index can be calculated in polynomial time, it is unaffected by system variations, and it can be related to both limited and full model knowledge attackers. Additionally, we analyze two sensor placement problems with the objective of increasing the robust indices. We show that both of these problems have submodular structures, so their suboptimal solutions with performance guarantees can be obtained in polynomial time. Finally, the theoretical developments are illustrated through numerical examples.
Submitted 15 February, 2019; v1 submitted 11 July, 2018;
originally announced July 2018.
-
The interconnection of quadratic droop voltage controllers is a Lotka-Volterra system: implications for stability analysis
Authors:
Matin Jafarian,
Henrik Sandberg,
Karl H. Johansson
Abstract:
This paper studies the stability of voltage dynamics for a power network in which nodal voltages are controlled by means of quadratic droop controllers with nonlinear AC reactive power as inputs. We show that the voltage dynamics is a Lotka-Volterra system, which is a class of nonlinear positive systems. We study the stability of the closed-loop system by proving a uniform ultimate boundedness result and investigating conditions under which the network is cooperative. We then restrict attention to the stability of the voltage dynamics under a decoupling assumption (i.e., zero relative angles). We analyze the existence and uniqueness of the equilibrium in the interior of the positive orthant for the system and prove an asymptotic stability result.
Submitted 30 January, 2018; v1 submitted 26 October, 2017;
originally announced October 2017.
-
Secure Estimation and Zero-Error Secrecy Capacity
Authors:
Moritz Wiese,
Tobias J. Oechtering,
Karl Henrik Johansson,
Panos Papadimitratos,
Henrik Sandberg,
Mikael Skoglund
Abstract:
We study the problem of securely estimating the states of an unstable dynamical system subject to nonstochastic disturbances. The estimator obtains all its information through an uncertain channel which is subject to nonstochastic disturbances as well, and an eavesdropper obtains a disturbed version of the channel inputs through a second uncertain channel. An encoder observes and block-encodes the states in such a way that, upon sending the generated codeword, the estimator's error is bounded and such that a security criterion is satisfied ensuring that the eavesdropper obtains as little state information as possible. Two security criteria are considered and discussed with the help of a numerical example. A sufficient condition on the uncertain wiretap channel, i.e., the pair formed by the uncertain channel from encoder to estimator and the uncertain channel from encoder to eavesdropper, is derived which ensures that a bounded estimation error and security are achieved. This condition is also shown to be necessary for a subclass of uncertain wiretap channels. To formulate the condition, the zero-error secrecy capacity of uncertain wiretap channels is introduced, i.e., the maximal rate at which data can be transmitted from the encoder to the estimator in such a way that the eavesdropper is unable to reconstruct the transmitted data. Lastly, the zero-error secrecy capacity of uncertain wiretap channels is studied.
Submitted 14 July, 2017; v1 submitted 16 December, 2016;
originally announced December 2016.
-
Retrofit Control: Localization of Controller Design and Implementation
Authors:
Takayuki Ishizaki,
Tomonori Sadamoto,
Jun-ichi Imura,
Henrik Sandberg,
Karl Henrik Johansson
Abstract:
In this paper, we propose a retrofit control method for stable network systems. The proposed approach is a control method that, rather than an entire system model, requires a model of the subsystem of interest for controller design. To design the retrofit controller, we use a novel approach based on hierarchical state-space expansion that generates a higher-dimensional cascade realization of a given network system. The upstream dynamics of the cascade realization corresponds to an isolated model of the subsystem of interest, which is stabilized by a local controller. The downstream dynamics can be seen as a dynamical model representing the propagation of interference signals among subsystems, the stability of which is equivalent to that of the original system. This cascade structure enables a systematic analysis of both the stability and control performance of the resultant closed-loop system. The resultant retrofit controller is formed as a cascade interconnection of the local controller and an output rectifier that rectifies an output signal of the subsystem of interest so as to conform to an output signal of the isolated subsystem model while acquiring complementary signals neglected in the local controller design, such as interconnection signals from neighboring subsystems. Finally, the efficiency of the retrofit control method is demonstrated through numerical examples of power systems control and vehicle platoon control.
Submitted 12 March, 2018; v1 submitted 8 November, 2016;
originally announced November 2016.
-
Optimal State Estimation with Measurements Corrupted by Laplace Noise
Authors:
Farhad Farokhi,
Jezdimir Milosevic,
Henrik Sandberg
Abstract:
Optimal state estimation for linear discrete-time systems is considered. Motivated by the literature on differential privacy, the measurements are assumed to be corrupted by Laplace noise. The optimal least mean square error estimate of the state is approximated using a randomized method. The method relies on the fact that Laplace noise can be rewritten as Gaussian noise scaled by a Rayleigh random variable. The probability of the event that the distance between the approximation and the best estimate is smaller than a constant is determined as a function of the number of parallel Kalman filters that are used in the randomized method. This estimator is then compared with the optimal linear estimator, the maximum a posteriori (MAP) estimate of the state, and the particle filter.
Submitted 1 September, 2016;
originally announced September 2016.
-
Uncertain Wiretap Channels and Secure Estimation
Authors:
Moritz Wiese,
Karl Henrik Johansson,
Tobias J. Oechtering,
Panos Papadimitratos,
Henrik Sandberg,
Mikael Skoglund
Abstract:
Uncertain wiretap channels are introduced. Their zero-error secrecy capacity is defined. If the sensor-estimator channel is perfect, it is also calculated. Further properties are discussed. The problem of estimating a dynamical system with nonstochastic disturbances is studied where the sensor is connected to the estimator and an eavesdropper via an uncertain wiretap channel. The estimator should obtain a uniformly bounded estimation error whereas the eavesdropper's error should tend to infinity. It is proved that the system can be estimated securely if the zero-error capacity of the sensor-estimator channel is strictly larger than the logarithm of the system's unstable pole and the zero-error secrecy capacity of the uncertain wiretap channel is positive.
Submitted 1 May, 2016;
originally announced May 2016.
-
From Control System Security Indices to Attack Identifiability
Authors:
Henrik Sandberg,
André M. H. Teixeira
Abstract:
In this paper, we investigate detectability and identifiability of attacks on linear dynamical systems that are subjected to external disturbances. We generalize a concept for a security index, which was previously introduced for static systems. The generalized index exactly quantifies the resources necessary for targeted attacks to be undetectable and unidentifiable in the presence of disturbances. This information is useful for both risk assessment and for the design of anomaly detectors. Finally, we show how techniques from the fault detection literature can be used to decouple disturbances and to identify attacks, under certain sparsity constraints.
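The static security index that this abstract generalizes, and on which the actuator index in "Actuator Security Indices Based on Perfect Undetectability" above builds, is defined for a linear measurement model z = Hx as the smallest number of measurements an attacker must corrupt to alter state k without producing a residual: α_k = min ||HΔx||_0 subject to Δx_k = 1. The Python below is an added example, not code from either paper: it computes α_k by brute force for a small constructed measurement matrix (a DC-power-flow-style H with unit line susceptances, assumed for illustration) and shows that adding one sensor row raises every index, the sensor-placement effect the actuator-index abstract describes.

```python
from fractions import Fraction
from itertools import combinations

# Added example.  Static security index alpha_k = min ||H dx||_0 s.t. dx_k = 1,
# computed exactly over the rationals by enumerating which measurement rows
# can be kept at zero.


def rank(rows):
    """Rank of a rational matrix given as a list of rows (Gauss-Jordan)."""
    m = [[Fraction(v) for v in r] for r in rows]
    r = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((i for i in range(r, len(m)) if m[i][col] != 0), None)
        if pivot is None:
            continue
        m[r], m[pivot] = m[pivot], m[r]
        pv = m[r][col]
        m[r] = [v / pv for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][col] != 0:
                f = m[i][col]
                m[i] = [x - f * y for x, y in zip(m[i], m[r])]
        r += 1
    return r


def solvable(A, b):
    """A x = b has a solution iff rank(A) == rank([A | b])."""
    return rank(A) == rank([row + [bi] for row, bi in zip(A, b)])


def security_index(H, k):
    """Fewest measurements the attacker must corrupt to change state k while
    every other measurement stays consistent (zero residual).  Brute force:
    find the largest row set S with H_S dx = 0, dx_k = 1 feasible."""
    m, n = len(H), len(H[0])
    e_k = [1 if j == k else 0 for j in range(n)]
    for size in range(m, -1, -1):
        for S in combinations(range(m), size):
            A = [H[i] for i in S] + [e_k]
            b = [0] * size + [1]
            if solvable(A, b):
                return m - size
    return m  # not reached: S = () is always feasible


def all_indices(H):
    """Security index of every state."""
    return [security_index(H, k) for k in range(len(H[0]))]


# Constructed example: 4-bus path 0-1-2-3, bus 0 as angle reference, states
# (theta_1, theta_2, theta_3), unit susceptances.  Rows: line flows on 0-1,
# 1-2, 2-3, then net injections at buses 1, 2, 3.
H_FLOW = [
    [-1, 0, 0],
    [1, -1, 0],
    [0, 1, -1],
    [2, -1, 0],
    [-1, 2, -1],
    [0, -1, 1],
]
# Placing a direct angle measurement (e.g. a PMU) at bus 3 adds one row.
H_PMU = H_FLOW + [[0, 0, 1]]

if __name__ == "__main__":
    print("indices without PMU:", all_indices(H_FLOW))  # [2, 2, 2]
    print("indices with PMU   :", all_indices(H_PMU))   # [3, 3, 3]
```

Every state in the constructed network has index 2, for instance Δx = (1, 1, 1) only disturbs the reference-line flow and the injection at bus 1, and the extra angle measurement raises each index to 3. The enumeration is exponential in the number of measurements, which is the scaling problem the actuator-index abstract flags as NP-hardness; for large systems the abstracts point to the robust index, computable in polynomial time, rather than this exact search.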
Submitted 19 April, 2016;
originally announced April 2016.