Open Access
Issue
Security and Safety
Volume 1, 2022
Article Number 2022005
Number of page(s) 16
Section Industrial Control
DOI https://doi.org/10.1051/sands/2022005
Published online 22 July 2022

© The Author(s) 2022. Published by EDP Sciences and China Science Publishing & Media Ltd.

Licence: Creative Commons. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction

With the development of computer and communication technology, the network has been rapidly applied to most aspects of society in recent decades. Although the network has brought convenience to people's lives, it is vulnerable to hackers because of its high degree of openness. To name just a few examples: Bushehr, the only nuclear power plant in Iran, was hacked in 2010, causing all centrifuges to shut down; Colonial Pipeline, the major oil and gas pipeline company in the USA, was hacked in 2021 and forced to shut down all of its pipeline operating systems. Therefore, cyber security is an important part of ensuring national security and social stability. The above systems are classified as cyber-physical systems [1–3], which integrate computing, networking, and physical processes, and whose cyber security has received more and more attention from researchers.

Cyber security, which is one of the main issues of informatization, mainly includes cyberattack, attack detection, and security defense. Cyberattack refers to any type of offensive action on computer equipment, a network, or infrastructure from the network layer. There are two commonly used methods of cyberattack, namely, cracking the system password to steal the information of the attacked system [4–7] and implementing elaborately designed attack strategies to destroy the attacked system [8–15]. Unlike cyberattack, which is carried out from the offensive side, attack detection means the timely discovery of vulnerabilities in the system and the raising of alarms from the perspective of the defender. The detection mechanisms for the corresponding attacks have been extensively studied, such as denial-of-service (DoS) attack detection [16], replay attack detection [17], and false data injection (FDI) attack detection [18, 19]. Security defense denotes the security protection of the system from the perspective of the defender. Many researchers have implemented secure control or resilient control strategies under attack to reduce or avoid the damage caused by attackers [20–26]. All of the aforementioned works on cyber security focus on existing classic attack strategies. Unfortunately, the continuous update of attack strategies makes the existing detection mechanisms and defense strategies ineffective. Therefore, this paper mainly designs an attack strategy on the attacker's side. One of the research motivations was to enable defenders to understand the behavior of unknown attackers more deeply, and then design corresponding defense strategies to better protect the system.

To date, two main categories of cyberattacks exist, namely denial-of-service (DoS) attacks [12, 13, 27] and deception attacks, among which deception attacks include replay attacks and injection attacks [10, 28]. A DoS attack destroys the target object, making it unable to serve normal users and resulting in information packet loss, delay, etc. Massive research results have been reported on DoS attack strategy design and secure control; see [20–22] and the references therein. The replay attack refers to injecting external inputs without being detected; the attacker hijacks the sensor, observes and records its readings for a period of time, and then repeats these readings when executing the attack [28]. Since the data of a replay attack come from a normal system, the attack is difficult to detect. Therefore, some detection mechanisms for replay attacks are proposed in [17, 29, 30]. In a false data injection attack, the attacker injects meticulously designed false information to disturb the normal operation of the system. More recently, Chen et al. [31] have studied the attack strategy of attackers against CPSs from the vantage point of optimal control. Wu and Jian [32] have also designed a switching data injection attack scheme from the attacker's side. After that, they further considered the optimal feedback attack problem and the optimal location switching attack problem, respectively [10, 11]. The design of the above attack strategies is based on the assumption that the information of the attacked system is completely known. The case in which a part of the information of the attacked system is inaccessible is a natural extension of attack strategy design with all information accessible. Up to now, when the information of the attacked system is completely unknown, that is, the attacked system is model free for the attacker, there is a neural network learning method to design the attack strategy [33].
However, in most cases, it is a natural fact that the attacker is not completely unaware of the attacked system after long-term information eavesdropping. If the attacked system is regarded as a black box and the attack strategy is directly designed by the learning method, the useful information obtained by eavesdropping will be wasted and the adaptability of the obtained attack strategy will be insufficient. Making good use of this information in the design of the attack strategy is the main motivation that prompts us to study the problems proposed in this paper.

In this paper, a new attack strategy is proposed for cyber-physical systems whose system states and external input are inaccessible to the attacker. The main contributions of this paper are summarized as follows:

  • (1) A new data injection attack method is proposed from the perspective of attackers, in which attackers use the system output to construct the attack strategy in the form of dynamic feedback. The objective function of the attacker is defined as a linear quadratic function, and the corresponding algebraic Riccati equation is derived by solving the defined objective function.

  • (2) Since the attacker cannot access the system states and external input information of the attacked system, it is difficult for the attacker to maximize the output error of the attacked system with the least energy consumption. In this paper, a modified Luenberger observer-based method is introduced to solve the aforementioned attack optimization problem.

  • (3) During the design of the attack strategy, the value of the designed observer is adopted as the dynamic auxiliary virtual state to deal with the difficulty that the unknown parameter matrices of the attack strategy cannot be solved directly.

The rest of this paper is organized as follows. The problem formulation for a class of linear time-invariant systems is given in Section 2. The schemes of the dynamic observer and of the false data injection attack based on dynamic observation and output feedback are described in Section 3. In Section 4, the efficiency of the proposed scheme is illustrated by a networked magnetic levitation steel ball movement system example. Finally, this paper is concluded in Section 5.

Notations: $\mathbb{R}^{n}$ denotes the n-dimensional Euclidean space. Let $M\in\mathbb{R}^{p\times m}$ and $N\in\mathbb{R}^{p\times n}$; then $[M,N]\in\mathbb{R}^{p\times (m+n)}$. Let $M\in\mathbb{R}^{m\times p}$ and $N\in\mathbb{R}^{n\times p}$; then $[M;N]\in\mathbb{R}^{(m+n)\times p}$. $M^{T}$ indicates the transpose of matrix $M$. $M^{-1}$ denotes the inverse of matrix $M$. diag(N, M) represents the diagonal matrix with diagonal entries N and M. eig(M) refers to the eigenvalues of matrix M. Re(M) is defined as the real part of the elements of matrix M. $\frac{\partial f}{\partial M}$ stands for the first-order partial derivative of f with respect to matrix M. Matrices and vectors are assumed to have appropriate dimensions if they are not explicitly stated.

2. Problem formulation

Consider a class of linear time-invariant systems described by

$$ \begin{aligned} \dot{x}(t)&=Ax(t)+Bu(t)+Ed(t),\\ y(t)&=Cx(t)+Du(t)+Fd(t), \end{aligned} \tag{1} $$

where $x\in\mathbb{R}^{n}$ is the state, $u\in\mathbb{R}^{l}$ is the control input, $y\in\mathbb{R}^{m}$ is the measured output, $d(t)\in\mathbb{R}^{p}$ is the external disturbance, and A, B, C, D, E, and F are known constant matrices with compatible dimensions. The external disturbance d(t) is generated by the linear autonomous differential equation

$$ \dot{d}(t)=\tilde{A}_dd(t),\ d(0)=d_0, \tag{2} $$

where $d_0$ is an arbitrary initial value.

The tracking error of system (1) can be expressed as

$$ e(t)=y(t)-y_{r}(t), \tag{3} $$

where $y_{r}(t)$ is the desired output, given by

$$ \dot{y}_{r}(t)=\tilde{A}_{yr}y_{r}(t),\ y_{r}(0)=y_{r_0}, \tag{4} $$

where $y_{r_0}$ is an arbitrary initial value.

Combining the system state of system (1) and the tracking error (3), the trajectory tracking system can be written as

$$ \begin{aligned} \dot{x}(t)&=Ax(t)+Bu(t)+E_{\zeta}\zeta(t),\\ y(t)&=Cx(t)+Du(t)+\bar{F}\zeta(t),\\ e(t)&=Cx(t)+Du(t)+F_{\zeta}\zeta(t), \end{aligned} \tag{5} $$

where

$$ \zeta(t)=\begin{bmatrix} y_{r}(t)\\ d(t) \end{bmatrix},\quad \begin{bmatrix} E_{\zeta}\\ \bar{F}\\ F_{\zeta} \end{bmatrix}=\begin{bmatrix} 0&E\\ 0&F\\ -I&F \end{bmatrix}, $$

and $\zeta(t)$ satisfies

$$ \dot{\zeta}(t)=\tilde{A}_{\zeta}\zeta(t)=\begin{bmatrix} \tilde{A}_{yr}&0\\ 0&\tilde{A}_{d} \end{bmatrix}\zeta(t),\ \zeta(0)=\zeta_0, $$

where 0 and I are the zero and identity matrices of appropriate dimensions, respectively.

Through the linear quadratic tracker (LQT), the control input is designed as

$$ u(t)=K_{1}x(t)+K_{2}\zeta(t), \tag{6} $$

where $K_1$ and $K_2$ are known constant matrices with compatible dimensions.

For system (5), the following assumption is needed.

Assumption 1 The pair (A, B) is stabilizable, and

$$ \left([C,\bar{F}],\begin{bmatrix} A&E_{\zeta}\\ 0&\tilde{A}_{\zeta} \end{bmatrix}\right) $$

is detectable.

Remark 1 The first part of Assumption 1 is quite standard in the literature on attack strategy design because it is meaningful for the attackers to destroy stable systems. The latter part of Assumption 1 is necessary for the design of the attack strategy in this paper: when the pair is undetectable, an attack strategy that achieves the maximum deviation of the system output from the desired output cannot be designed, due to the lack of information related to the desired output.

3. Design of optimal data injection attack strategy

3.1. Attack structure

Since the controller transmits the control signal to the actuator through the wireless transmission channel, the attacker achieves the purpose by intercepting the control signal transmitted through that channel and tampering with it. The false data injection attack is expressed as

$$ \tilde{u}(t)=K_{1}x(t)+K_{2}\zeta(t)+\Gamma_a u_{a}(t), \tag{7} $$

where $\tilde{u}(t)$ is the attacked control input, $\Gamma_a$ is the attack weight matrix with compatible dimension, and $u_{a}(t)\in\mathbb{R}^{q}$ is the attack input.

Combining trajectory tracking system (5) and (7), the attacked system is

$$ \begin{aligned} \dot{\tilde{x}}(t)&=(A+BK_{1})\tilde{x}(t)+(E_{\zeta}+BK_{2})\zeta(t)+B\Gamma_a u_{a}(t),\\ \tilde{y}(t)&=(C+DK_{1})\tilde{x}(t)+(\bar{F}+DK_{2})\zeta(t)+D\Gamma_a u_{a}(t),\\ \tilde{e}(t)&=(C+DK_{1})\tilde{x}(t)+(F_{\zeta}+DK_{2})\zeta(t)+D\Gamma_a u_{a}(t), \end{aligned} \tag{8} $$

where $\tilde{x}(t)$ and $\tilde{e}(t)$ are the attacked state and unmeasured tracking error, respectively.

The key design of the data injection attack structure is described as

$$ \begin{aligned} u_{a}(t)&=C_{a}\eta(t),\\ \dot{\eta}(t)&=A_{a}\eta(t)+B_{a}\tilde{y}(t), \end{aligned} \tag{9} $$

where $A_a$, $B_a$, and $C_a$ are the designed attack matrices with compatible dimensions, $u_a(0)$ is an arbitrarily small initial value, and $\eta(t)$ is the designed auxiliary virtual state of the attack input.

The following assumptions are needed to design an attack strategy for the attacker.

Assumption 2 The attacker has complete knowledge of system (5) matrices through eavesdropping the system information for sufficient time.

Assumption 3 In the FDI attack, the attacker has the ability to inject the calculated false data vector $u_a(t)$ into the actuators synchronously with the system input signals.

The purpose of the attacker in this subsection is to use as little energy as possible to make the system tracking error deviate maximally from 0. The objective function can be described as

$$ J_{1}\left(\tilde{e}(t),u_{a}(t)\right)=\frac{1}{2}\int_{t_{0}}^{t_{f}} \left(-\tilde{e}^{T}(t)Q\tilde{e}(t)+u_{a}^{T}(t)Ru_{a}(t)\right)\mathrm{d}t, \tag{10} $$

where $t_0$ and $t_f$ are the start time and end time of the injection attack, respectively. It is worth mentioning that $u_{a}^{T}(t)Ru_{a}(t)$ represents the energy consumption of the attacker. Then, the problem of data injection attack can be expressed as the following optimization problem.

Problem 1

$$ \begin{aligned}&\min\limits_{u_{a}(t)}\quad J_{1}(\tilde{e}(t),u_{a}(t))\\&\quad \text{s.t.}\quad \left\{ \begin{array}{l} \dot{\tilde{x}}(t)=(A+BK_{1})\tilde{x}(t)+(E_{\zeta}+BK_{2})\zeta(t)+B\Gamma_a u_{a}(t),\\ \tilde{e}(t)=(C+DK_{1})\tilde{x}(t)+(F_{\zeta}+DK_{2})\zeta(t)+D\Gamma_a u_{a}(t),\\ \dot{\zeta}(t)=\tilde{A}_{\zeta}\zeta(t),\\ u_{a}(t)=C_{a}\eta(t),\\ \dot{\eta}(t)=A_{a}\eta(t)+B_{a}\tilde{y}(t),\\ Q\ge 0,\ R>0. \end{array}\right. \end{aligned} $$

Because the system states and external input data are inaccessible from the perspective of the attacker, Problem 1 cannot be solved. Therefore, the dynamic observer is applied in the design of the attack strategy.

3.2. Design of dynamic observer

Note that system state $\tilde{x}(t)$, external disturbance d(t), and desired output $y_r(t)$ are unknown to the attacker. Thus, the attacker can use the modified Luenberger observer to observe state x(t) and external input ζ(t). The observer is designed as

$$ \dot{\xi}(t)=\bar{A}\xi(t)+\bar{B}\hat{\tilde{u}}(t)+L\left(\tilde{y}(t)-\bar{C}\xi(t)-D\hat{\tilde{u}}(t)\right), \tag{11} $$

where $\xi(t)$ is the estimation of $[x(t),\zeta(t)]^{T}$, $\hat{\tilde{u}}(t)$ is the estimated control input based on the observation of $[x(t),\zeta(t)]^{T}$, which satisfies $\hat{\tilde{u}}(t)=[K_{1}, K_{2}]\xi(t)+\Gamma_a u_{a}(t)$, L is the observation matrix, and

$$ \bar{A}=\begin{bmatrix} A&E_{\zeta}\\ 0&\tilde{A}_{\zeta} \end{bmatrix},\quad \bar{B}=\begin{bmatrix} B\\ 0 \end{bmatrix}, $$

and $\bar{C}=[C, \bar{F}]$.

Lemma 1 Under Assumption 1, for the attacked system (8) and the observer (11), if L satisfies the condition $\mathrm{Re}(\mathrm{eig}(\bar{A}-L\bar{C}+(\bar{B}-LD)[K_{1}, K_{2}])) < 0$, then $\lim_{t\to\infty}e_{x\xi}(t)=0$, where $e_{x\xi}(t)=[x(t),\zeta(t)]^{T}-\xi(t)$ denotes the observation error.

Proof. Combining $\tilde{u}(t)$, $\hat{\tilde{u}}(t)$, the attacked system (8) and the observer (11), the derivative of the observation error $e_{x\xi}(t)$ can be expressed as

$$ \begin{aligned}
\dot{e}_{x\xi}(t)&=\begin{bmatrix} \dot{\tilde{x}}(t)\\ \dot{\zeta}(t) \end{bmatrix}-\dot{\xi}(t)\\
&=\bar{A}\begin{bmatrix} \tilde{x}(t)\\ \zeta(t) \end{bmatrix}+\bar{B}\tilde{u}(t)-\left[\bar{A}\xi(t)+\bar{B}\hat{\tilde{u}}(t)+L\left(\tilde{y}(t)-\bar{C}\xi(t)-D\hat{\tilde{u}}(t)\right)\right],\\
&=\bar{A}\begin{bmatrix} \tilde{x}(t)\\ \zeta(t) \end{bmatrix}+\bar{B}\left([K_{1}, K_{2}]\begin{bmatrix} \tilde{x}(t)\\ \zeta(t) \end{bmatrix}+\Gamma_{a}u_a(t)\right)-\bigg[\bar{A}\xi(t)+\bar{B}\left(\left[K_{1}, K_{2}\right]\xi(t)+\Gamma_{a}u_a(t)\right)\\
&\quad+L\bigg(\left[\left(C+DK_{1}\right),(\bar{F}+DK_{2})\right]\begin{bmatrix} \tilde{x}(t)\\ \zeta(t) \end{bmatrix}+D\Gamma_a u_{a}(t)-\bar{C}\xi(t)-D\left([K_{1}, K_{2}]\xi(t)+\Gamma_{a}u_a(t)\right)\bigg)\bigg],\\
&=\left(\bar{A}-L\bar{C}+(\bar{B}-LD)[K_{1}, K_{2}]\right)\left(\begin{bmatrix} \tilde{x}(t)\\ \zeta(t) \end{bmatrix}-\xi(t)\right),\\
&=\left(\bar{A}-L\bar{C}+(\bar{B}-LD)[K_{1}, K_{2}]\right)e_{x\xi}(t),
\end{aligned} \tag{12} $$

thus, through the theory of observer design, when $\mathrm{Re}\left(\mathrm{eig}\left(\bar{A}-L\bar{C}+(\bar{B}-LD)[K_{1}, K_{2}]\right)\right) < 0$ is satisfied, $\lim_{t\to\infty}e_{x\xi}(t)=0$, which indicates that when $t\to\infty$, the estimation $\xi(t)$ is equal to $[x(t),\zeta(t)]^{T}$.

This completes the proof.
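The following is an added numerical check, not code from the paper, written from the defender's side: it applies the PBH rank test to the pair in Assumption 1 and to the closed-loop pair behind the Lemma 1 eigenvalue condition, then integrates the plant and observer (11) to confirm that the observation error (12) does not depend on the injected term $\Gamma_a u_a(t)$. The scalar plant, the gains, the observer gain L, the test signal and all helper names are assumed values constructed for illustration.

```python
import numpy as np

def augmented(A, B, C, E, F, A_yr, A_d):
    """A_bar, B_bar and C_bar = [C, F_bar] for the stacked state [x; y_r; d]."""
    n, m, p = A.shape[0], C.shape[0], A_d.shape[0]
    E_zeta = np.hstack([np.zeros((n, m)), E])            # E_zeta = [0, E]
    F_bar = np.hstack([np.zeros((m, m)), F])             # F_bar  = [0, F]
    A_zeta = np.block([[A_yr, np.zeros((m, p))],
                       [np.zeros((p, m)), A_d]])
    A_bar = np.block([[A, E_zeta],
                      [np.zeros((m + p, n)), A_zeta]])
    B_bar = np.vstack([B, np.zeros((m + p, B.shape[1]))])
    return A_bar, B_bar, np.hstack([C, F_bar])

def pbh_undetectable_modes(A, C, tol=1e-8):
    """Eigenvalues of A with Re >= 0 at which rank [lam*I - A; C] < n (PBH test)."""
    n = A.shape[0]
    bad = []
    for lam in np.linalg.eigvals(A):
        if lam.real >= -tol:
            pencil = np.vstack([lam * np.eye(n) - A, C])
            if np.linalg.matrix_rank(pencil, tol=tol) < n:
                bad.append(complex(lam))
    return bad

def error_matrix(A_bar, B_bar, C_bar, D, K_bar, L):
    """Matrix of (12); algebraically (A_bar + B_bar K_bar) - L (C_bar + D K_bar)."""
    return A_bar - L @ C_bar + (B_bar - L @ D) @ K_bar

def simulate_error(A_bar, B_bar, C_bar, D, K_bar, L, Gamma, inject, z0,
                   T=20.0, dt=2e-3):
    """Forward-Euler run of the plant and observer (11); returns |z - xi| per step."""
    z, xi = z0.copy(), np.zeros_like(z0)
    errs = []
    for k in range(int(round(T / dt))):
        ua = inject(k * dt)                       # additive actuator signal
        u_true = K_bar @ z + Gamma @ ua           # what the actuator receives, (7)
        u_hat = K_bar @ xi + Gamma @ ua           # estimate used inside (11)
        y = C_bar @ z + D @ u_true                # eavesdropped output
        dz = A_bar @ z + B_bar @ u_true
        dxi = A_bar @ xi + B_bar @ u_hat + L @ (y - C_bar @ xi - D @ u_hat)
        z, xi = z + dt * dz, xi + dt * dxi
        errs.append(np.linalg.norm(z - xi))
    return np.array(errs)

def constructed_system(k_d):
    """Constructed example: unstable scalar plant, decaying reference, constant d.
    k_d is the assumed feedforward gain on d (k_d = -1 cancels d exactly)."""
    A, B, C = np.array([[1.0]]), np.array([[1.0]]), np.array([[1.0]])
    D, E, F = np.array([[0.0]]), np.array([[1.0]]), np.array([[0.0]])
    A_yr, A_d = np.array([[-0.2]]), np.array([[0.0]])
    A_bar, B_bar, C_bar = augmented(A, B, C, E, F, A_yr, A_d)
    K_bar = np.array([[-3.0, 2.0, k_d]])           # [K1, K2], assumed
    # Assumed L: places eig of the error matrix at -1, -2, -3 when k_d = -0.5.
    L = np.array([[3.8], [-10.08], [60.0]])
    Gamma = np.array([[1.0]])
    return A_bar, B_bar, C_bar, D, K_bar, L, Gamma

if __name__ == "__main__":
    for k_d in (-0.5, -1.0):
        A_bar, B_bar, C_bar, D, K_bar, L, Gamma = constructed_system(k_d)
        print("k_d =", k_d)
        print("  Assumption 1 pair, failing modes:",
              pbh_undetectable_modes(A_bar, C_bar))
        print("  closed-loop pair, failing modes:",
              pbh_undetectable_modes(A_bar + B_bar @ K_bar, C_bar + D @ K_bar))
    A_bar, B_bar, C_bar, D, K_bar, L, Gamma = constructed_system(-0.5)
    M = error_matrix(A_bar, B_bar, C_bar, D, K_bar, L)
    print("max Re eig of (12):", max(np.linalg.eigvals(M).real))
    z0 = np.array([0.5, 1.0, 0.3])
    quiet = simulate_error(A_bar, B_bar, C_bar, D, K_bar, L, Gamma,
                           lambda t: np.zeros(1), z0)
    driven = simulate_error(A_bar, B_bar, C_bar, D, K_bar, L, Gamma,
                            lambda t: np.array([np.sin(t)]), z0)
    print("final error:", quiet[-1], " max difference:", abs(quiet - driven).max())
```

In this constructed system the pair of Assumption 1 passes the test for both gains, but with k_d = -1 the closed-loop pair fails at eigenvalue 0, so no L can meet the Lemma 1 condition for that controller: a disturbance that is cancelled exactly leaves no trace in the output.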

It is worth pointing out that the designed auxiliary virtual state $\eta(t)$ is determined by the attacker. When observation $\xi(t)$ is selected by the attacker as the designed auxiliary virtual state $\eta(t)$, Problem 1 can be transformed into Problem 2.

Problem 2

$$ \begin{aligned}&\min\limits_{u_{a}(t)}\quad J_{1}(\hat{\tilde{e}}(t),u_{a}(t))\\&\quad \mathrm{s.t.}\quad \left\{ \begin{array}{l} \dot{\xi}(t)=\bar{A}\xi(t)+\bar{B}\hat{\tilde{u}}(t)+L(\tilde{y}(t)-\bar{C}\xi(t)-D\hat{\tilde{u}}(t)),\\ \hat{\tilde{e}}(t)=[(C+DK_{1}), (F_{\zeta}+DK_{2})]\xi(t)+D\Gamma_a u_{a}(t),\\ \hat{\tilde{u}}(t)=[K_{1}, K_{2}]\xi(t)+\Gamma_a u_{a}(t),\\ u_{a}(t)=C_{a}\eta(t),\\ \dot{\eta}(t)=A_{a}\eta(t)+B_{a}\tilde{y}(t),\\ \eta(t)=\xi(t),\\ Q\ge 0,\ R>0. \end{array}\right. \end{aligned} $$

The block diagram of the attacked system is shown in Figure 1. As can be seen from Figure 1, the attacker first obtains the system output $\tilde{y}(t)$ by eavesdropping, which is transmitted from the plant to the controller using the sensor. Then, system output $\tilde{y}(t)$ and the estimated value of the designed observer are applied to construct (9). Next, the optimal attack input $u_a(t)$ can be obtained by solving Problem 2. Finally, the optimal attack input $u_a(t)$ is injected into the control input u(t) wirelessly transmitted from the controller to the actuator, so that the control input received by the actuator is the tampered signal $\tilde{u}(t)$, which completes the attack.

Figure 1. Block diagram of the attacked system

3.3. Main results

Before presenting the main result, the key lemma is first introduced.

Lemma 2 ([34, 35]) The optimal problem is expressed as

$$ \begin{aligned}&\min\limits_{u(t)} \quad J_{2}(x(t),u(t))= \frac{1}{2}\int_{t_{0}}^{t_{f}} \left(x^{T}(t)Qx(t)+u^{T}(t)Ru(t)\right)\mathrm{d}t\\&\mathrm{s.t.}\quad \left\{ \begin{array}{l} \dot{x}(t)=Ax(t)+Bu(t),\\ Q \ge 0,\ R>0. \end{array}\right. \end{aligned} $$

If requirement Q ≥ 0 is not satisfied, a necessary and sufficient condition to provide a unique solution to the affine-quadratic continuous-time optimal problem is

$$ R+B^{T}PB>0, $$

where P is the solution of the following Algebraic Riccati Equation

$$ PA+A^{T}P-P\left(R+B^{T}PB\right)^{-1}P+Q=0. $$

Theorem 1 Under Assumptions 1–3, if $\left(R-\Gamma^{T}_{a}D^{T}QD\Gamma_a\right)>0$ holds and the observation $\xi(t)$ is selected by the attacker as the designed auxiliary virtual state $\eta(t)$, the matrices of the optimal attack strategy designed as (9) can be obtained by solving Problem 2, which are expressed as

$$ \begin{aligned}
A_a&=\bar{A}+\bar{B}\bar{K}-L\bar{C}-LD\bar{K}+(\bar{B}-LD)\Gamma_{a}\left(R-\Gamma^{T}_aD^{T}QD\Gamma_a\right)^{-1}\left(\Gamma^{T}_aD^{T}Q\bar{C}_e-\Gamma^{T}_aD^{T}B_{a}^{T}P\right),\\
B_a&=L,\\
C_a&=\left(R-\Gamma^{T}_aD^{T}QD\Gamma_a\right)^{-1}\left(\Gamma^{T}_aD^{T}Q\bar{C}_e-\Gamma^{T}_aD^{T}B_{a}^{T}P\right)
\end{aligned} \tag{13} $$

where P satisfies the following equation

$$ P\Xi+\Xi^{T}P-P\Psi P-\Theta=0, \tag{14} $$

and

$$ \begin{aligned}
&\Xi=\bar{A}+\bar{B}\bar{K}-L(\bar{C}-\tilde{C})+\bar{B}\Gamma_{a}\left(R-\Gamma^{T}_aD^{T}QD\Gamma_a\right)^{-1}\Gamma^{T}_aD^{T}Q\bar{C}_e,\\
&\Psi=\bar{B}\Gamma_{a}\left(R-\Gamma^{T}_aD^{T}QD\Gamma_a\right)^{-1}\Gamma^{T}_aD^{T}B^{T}_a-B_{a}D\Gamma_{a}\left(R-\Gamma^{T}_{a}D^{T}QD\Gamma_a\right)^{-1}\Gamma^{T}_{a}D^{T}B^{T}_{a}+B_aD\Gamma_{a}\\
&\qquad \ \times \left(R-\Gamma^{T}_aD^{T}QD\Gamma_a\right)^{-1}\Gamma^{T}_a\bar{B}^{T},\\
&\Theta=\bar{C}^{T}_eQ\bar{C}_e+\bar{C}_eQD\Gamma_a\left(R-\Gamma^{T}_aD^{T}QD\Gamma_a\right)^{-1}\Gamma^{T}_aD^{T}Q\bar{C}_e,\\
&\bar{C}_e=\tilde{C}+D\bar{K},\ \tilde{C}=[C, F_{\zeta}],\ \bar{K}=[K_{1}, K_{2}].
\end{aligned} $$

Proof. If the attacker utilizes observation $\xi(t)$ as the designed auxiliary virtual state $\eta(t)$, then the attacked control input (7) based on the observation of $[x(t),\zeta(t)]^{T}$ can be rewritten as

$$ \begin{aligned} \hat{\tilde{u}}(t)&=[K_{1}, K_{2}]\eta(t)+\Gamma_a u_{a}(t),\\&\triangleq \bar{K}\eta(t)+\Gamma_a u_{a}(t), \end{aligned} \tag{15} $$

where $\bar{K}$ is described in Theorem 1.

Combining (9), (11) and (15), one has

$$ \begin{aligned}
\dot{\eta}(t)&=\bar{A}\eta(t)+\bar{B}\bar{K}\eta(t)+\bar{B}\Gamma_a u_{a}(t)+L\left(\tilde{y}(t)-\bar{C}\eta(t)-D\bar{K}\eta(t)-D\Gamma_a u_{a}(t)\right),\\
&=\left(\bar{A}+\bar{B}\bar{K}-L\bar{C}-LD\bar{K}+(\bar{B}-LD)\Gamma_{a}C_{a}\right)\eta(t)+L\tilde{y}(t),
\end{aligned} \tag{16} $$

thus, $A_a=\bar{A}+\bar{B}\bar{K}-L\bar{C}-LD\bar{K}+(\bar{B}-LD)\Gamma_{a}C_{a}$ and $B_a=L$.

Inserting (15) into the attacked tracking error $\tilde{e}(t)$ based on the observation of $[x(t),\zeta(t)]^{T}$, one has

$$ \hat{\tilde{e}}(t)=[(C+DK_{1}),(F_{\zeta}+DK_{2})]\eta(t)+D\Gamma_a u_{a}(t)=\bar{C}_{e}\eta(t)+D\Gamma_a u_{a}(t), \tag{17} $$

therefore, the integrand of the objective function (10) can be reorganized as

$$ \begin{aligned}
&-\hat{\tilde{e}}^{T}(t)Q\hat{\tilde{e}}(t)+u_{a}^{T}(t)Ru_{a}(t),\\
&=-\left(\bar{C}_{e}\eta(t)+D\Gamma_a u_{a}(t)\right)^{T}Q\left(\bar{C}_{e}\eta(t)+D\Gamma_a u_{a}(t)\right)+u_{a}^{T}(t)Ru_{a}(t),\\
&=-\eta^{T}(t)\bar{C}^{T}_{e}Q\bar{C}_{e}\eta(t)-\eta^{T}(t)\bar{C}^{T}_{e}QD\Gamma_a u_{a}(t)-u^{T}_{a}(t)\Gamma^{T}_{a}D^{T}Q\bar{C}_{e}\eta(t)+u_{a}^{T}(t)\left(R-\Gamma^{T}_{a}D^{T}QD\Gamma_a\right)u_{a}(t),
\end{aligned} \tag{18} $$

then, the Hamilton function is defined as

$$ \begin{aligned}
\mathrm{H}\left(\eta(t),u_{a}(t),\lambda(t),t\right)=&\frac{1}{2}\left(-\eta^{T}(t)\bar{C}^{T}_{e}Q\bar{C}_{e}\eta(t)-\eta^{T}(t)\bar{C}^{T}_{e}QD\Gamma_a u_{a}(t)-u^{T}_{a}(t)\Gamma^{T}_{a}D^{T}Q\bar{C}_{e}\eta(t)\right.\\
&\left. {+}u_{a}^{T}(t)\left(R-\Gamma^{T}_{a}D^{T}QD\Gamma_a\right)u_{a}(t)\right)+\lambda^{T}(t)\left(A_a\eta(t)+B_a\bar{C}_{e}\eta(t)+B_aD\Gamma_{a}u_a(t)\right),
\end{aligned} \tag{19} $$

where $\lambda(t)$ is the co-state vector.

Through the optimal theory [35], $\frac{\partial \mathrm{H}}{\partial u_{a}(t)}=0$ is applied,

$$ \frac{\partial \mathrm{H}}{\partial u_{a}(t)}=-\Gamma^{T}_{a}D^{T}Q\bar{C}_{e}\eta(t)+\left(R-\Gamma^{T}_{a}D^{T}QD\Gamma_a\right)u_{a}(t)+\Gamma^{T}_{a}D^{T}B^{T}_{a}\lambda(t)=0, \tag{20} $$

the optimal attack input is obtained as

$$ u_{a}^{*}(t)=\left(R-\Gamma^{T}_{a}D^{T}QD\Gamma_a\right)^{-1}\left(\Gamma^{T}_{a}D^{T}Q\bar{C}_{e}\eta(t)-\Gamma^{T}_{a}D^{T}B^{T}_{a}\lambda(t)\right), \tag{21} $$

combined with the co-state equation,

$$ \begin{aligned}
\dot{\lambda}(t)=-\frac{\partial \mathrm{H}}{\partial \eta(t)}&=\bar{C}^{T}_{e}Q\bar{C}_{e}\eta(t)+\bar{C}^{T}_{e}QD\Gamma_a u_{a}(t)-(A_a+B_a\bar{C}_{e})^{T}\lambda(t),\\
&=\bar{C}^{T}_{e}Q\bar{C}_{e}\eta(t)+\bar{C}^{T}_{e}QD\Gamma_a\left(R-\Gamma^{T}_{a}D^{T}QD\Gamma_a\right)^{-1}\left(\Gamma^{T}_{a}D^{T}Q\bar{C}_{e}\eta(t)-\Gamma^{T}_{a}D^{T}B^{T}_{a}\lambda(t)\right)\\
&\quad -\left(A_a+B_a\bar{C}_{e}\right)^{T}\lambda(t),\\
&=\left[\bar{C}^{T}_eQ\bar{C}_e+\bar{C}_eQD\Gamma_a\left(R-\Gamma^{T}_aD^{T}QD\Gamma_a\right)^{-1}\Gamma^{T}_aD^{T}Q\bar{C}_e\right]\eta(t)-\left[\left(A_a+B_a\bar{C}_{e}\right)^{T}\right.\\
&\left.\quad \ +\,\,\bar{C}^{T}_{e}QD\Gamma_a\left(R-\Gamma^{T}_{a}D^{T}QD\Gamma_a\right)^{-1}\Gamma^{T}_{a}D^{T}B^{T}_{a}\right]\lambda(t),
\end{aligned} \tag{22} $$

letting λ(t)=P η(t), (21) and (22) can be rewritten as

u a ( t ) = ( R Γ a T D T Q D Γ a ) 1 ( Γ a T D T Q C ¯ e Γ a T D T B a T P ) η ( t ) = C a η ( t ) , $$ \begin{aligned} \begin{aligned} u_{a}^{*}(t)=\left(R-\mathrm{\Gamma }^{T}_{a}D^{T}QD\mathrm{\Gamma }_a\right)^{-1}\left(\mathrm{\Gamma }^{T}_{a}D^{T}Q\bar{C}_{e}-\mathrm{\Gamma }^{T}_{a}D^{T}B^{T}_{a}P\right)\eta (t)=C_a\eta (t), \end{aligned} \end{aligned} $$(23)

thus, C a is obtained, and

λ ˙ ( t ) = P η ˙ ( t ) = P ( ( A a + B a C ¯ e ) η ( t ) + B a D Γ a ( R Γ a T D T Q D Γ a ) 1 ( Γ a T D T Q C ¯ e Γ a T D T B a T P ) η ( t ) ) , $$ \begin{aligned} \begin{aligned} \dot{\lambda }(t)&=P\dot{\eta }(t)\\&=P\left(\left(A_a+B_a\bar{C}_{e}\right)\eta (t)+B_aD\mathrm{\Gamma }_{a}\left(R-\mathrm{\Gamma }^{T}_{a}D^{T}QD\mathrm{\Gamma }_a\right)^{-1}\left(\mathrm{\Gamma }^{T}_{a}D^{T}Q\bar{C}_{e}-\mathrm{\Gamma }^{T}_{a}D^{T}B^{T}_{a}P\right)\eta (t)\right), \end{aligned} \end{aligned} $$(24)

Since (22) and (24) are equal, the preliminary algebraic Riccati equation can be described as

$$ \begin{aligned}&P\left(\left(A_a+B_a\bar{C}_{e}\right)+B_aD\mathrm{\Gamma }_{a}\left(R-\mathrm{\Gamma }^{T}_{a}D^{T}QD\mathrm{\Gamma }_a\right)^{-1}\left(\mathrm{\Gamma }^{T}_{a}D^{T}Q\bar{C}_{e}-\mathrm{\Gamma }^{T}_{a}D^{T}B^{T}_{a}P\right)\right)=\bigg [\bar{C}^{T}_eQ\bar{C}_e+\bar{C}_eQD\\
&\times \mathrm{\Gamma }_a\left(R-\mathrm{\Gamma }^{T}_aD^{T}QD\mathrm{\Gamma }_a\right)^{-1}\mathrm{\Gamma }^{T}_aD^{T}Q\bar{C}_e\bigg ]\!-\!\bigg [\left(A_a+B_a\bar{C}_{e}\right)^{T}\!+\!\bar{C}^{T}_{e}QD\mathrm{\Gamma }_a\left(R-\mathrm{\Gamma }^{T}_{a}D^{T}QD\mathrm{\Gamma }_a\right)^{-1}\mathrm{\Gamma }^{T}_{a}D^{T} B^{T}_{a}\bigg ]P, \end{aligned} $$ (25)

by means of Lemma 2, the optimal solution for Problem 2 is unique if and only if $ \left(R-\mathrm{\Gamma}^{T}_{a}D^{T}QD\mathrm{\Gamma}_a\right) > 0 $.

Since $ A_a $ contains $ C_a $, $ C_a $ contains $ P $, and (25) contains $ A_a $, in order to avoid the unknown matrix when solving (25), combining (16), (23), and (25), one can obtain

$$ \begin{aligned}&P\left[\bar{A}+\bar{B}\bar{K}-L\bar{C}-LD\bar{K}+\left(\bar{B}-LD\mathrm{\Gamma }_{a}\right)\left(R-\mathrm{\Gamma }^{T}_{a}D^{T}QD\mathrm{\Gamma }_a\right)^{-1}\left(\mathrm{\Gamma }^{T}_{a}D^{T}Q\bar{C}_{e}-\mathrm{\Gamma }^{T}_{a}D^{T}B^{T}_{a}P\right)+B_a\bar{C}_{e}\right.\\
&\left.+B_aD\mathrm{\Gamma }_{a}\left(R-\mathrm{\Gamma }^{T}_{a}D^{T}QD\mathrm{\Gamma }_a\right)^{-1}\left(\mathrm{\Gamma }^{T}_{a}D^{T}Q\bar{C}_{e}-\mathrm{\Gamma }^{T}_{a}D^{T}B^{T}_{a}P\right)\right]+\left[\bar{A}+\bar{B}\bar{K}-L\bar{C}-LD\bar{K}+\left(\bar{B}-L\right.\right.\\
&\left.{\times }D\mathrm{\Gamma }_{a}\right)\left(R-\mathrm{\Gamma }^{T}_{a}D^{T}QD\mathrm{\Gamma }_a\right)^{-1}\left(\mathrm{\Gamma }^{T}_{a}D^{T}Q\bar{C}_{e}-\mathrm{\Gamma }^{T}_{a}D^{T}B^{T}_{a}P\right)+B_a\bar{C}_{e}+B_aD\mathrm{\Gamma }_{a}\left(R-\mathrm{\Gamma }^{T}_{a}D^{T}QD\mathrm{\Gamma }_a\right)^{-1}\\
&\left.{\times }\left(\mathrm{\Gamma }^{T}_{a}D^{T}Q\bar{C}_{e}-\mathrm{\Gamma }^{T}_{a}D^{T}B^{T}_{a}P\right)\right]^{T}P-PB_{a}D\mathrm{\Gamma }_{a}(R-\mathrm{\Gamma }^{T}_{a}D^{T}QD\mathrm{\Gamma }_a)^{-1}\mathrm{\Gamma }^{T}_{a}D^{T}B^{T}_{a}P-\bar{C}^{T}_eQ\bar{C}_e+\bar{C}_eQ\\
&{\times }D\mathrm{\Gamma }_a\left(R-\mathrm{\Gamma }^{T}_aD^{T}QD\mathrm{\Gamma }_a\right)^{-1}\mathrm{\Gamma }^{T}_aD^{T}Q\bar{C}_e=0, \end{aligned} $$ (26)

then, $ B_a=L $ and $ \bar{C}_e=[C, F_{\zeta}]+D\bar{K} $ are used to simplify (26) to obtain (14).

This is the end of the proof. ▫

The application of Theorem 1 is transformed into the false data injection attack algorithm based on dynamic observation feedback, as shown in Algorithm 1.

Algorithm 1. The false data injection attack algorithm based on dynamic observation feedback.

1: Initialize: The system matrices A, B, C, D, Eζ, Fζ, Ãζ, K1, and K2;

Set sampling time τ, the start time and end time of the injection attack t0 and tf, suitable initial observation η(0), and suitable weighting matrices Q and R, satisfying Q ≥ 0 and R > 0.

2: Step 1. Calculate the matrices of the observer, Ā, B̅, C̅;

Select suitable observation matrix L, satisfying Re(eig(Ā − LC̅ + (B̅ − LD)[K1, K2])) < 0;

Set weight attack matrix Γa, satisfying (R − Γa^T D^T Q D Γa) > 0;

Calculate matrices C̅e, K̅, Ξ, ψ, Θ and solve equation (14) to obtain P;

Calculate matrices of the attack strategy Aa, Ba, and Ca.

3: while t ≤ tf do

4: Step 2. Update η(t), ỹ(t) and ũ̂(t + τ);

Calculate observation η(t + τ) as η(t + τ) ← (Aaτ + I)η(t) + Baτỹ(t) or η(t + τ) ← (τĀ + I)η(t) + τB̅ũ̂(t) + Lτ(ỹ(t) − C̅ξ(t) − Dũ̂(t)).

5: Step 3. Calculate optimal attack input u*a(t + τ) ← Caη(t + τ), and implement injection attack ũ̂(t + τ) ← [K1, K2]η(t + τ) + Γaua(t + τ).

6: end while

Remark 2 In Algorithm 1, the Euler forward discretization method is adopted in the practical application of the attack strategy; other discretization methods can also be applied, such as the trapezoidal rule, the Heun method, the Runge–Kutta method, etc.

4. Simulation example

A networked magnetic levitation steel ball movement system [36] is applied to illustrate the effectiveness of the designed attack strategy. The schematic diagram of the networked magnetic levitation steel ball movement system which is attacked is shown in Figures 2 and 3, where the networked magnetic levitation steel ball motion system can be described as

$$ \begin{aligned} \dot{x}(t)&=\begin{bmatrix} \dot{x}_1(t)\\ \dot{x}_2(t) \end{bmatrix}=\begin{bmatrix} 0&1\\ 9&0 \end{bmatrix}\begin{bmatrix} x_1(t)\\ x_2(t) \end{bmatrix}+\begin{bmatrix} 0\\ 1 \end{bmatrix}u(t)+\begin{bmatrix} 0.01\\ 0.015 \end{bmatrix}d(t),\\
u(t)&=K_1\begin{bmatrix} x_1(t)\\ x_2(t) \end{bmatrix}+K_2\begin{bmatrix} y_r(t)\\ d(t) \end{bmatrix},\\
y(t)&=[0\quad 1]\begin{bmatrix} x_1(t)\\ x_2(t) \end{bmatrix}+0.01u(t)+0.002d(t), \end{aligned} $$

Figure 2. The schematic diagram of the networked magnetic levitation steel ball movement system under attack

Figure 3. The structure diagram of the networked magnetic levitation steel ball movement system

Table 1. Specifications of the networked magnetic levitation steel ball movement system

where the physical meaning and unit represented by each variable are shown in Table 1, and the external disturbance input $ d(t) $, desired system output $ y_r(t) $, and tracking error $ e(t) $ can be expressed as

$$ \begin{aligned}&\dot{d}(t)=-0.2d(t),\ d(0)=0.1,\\
&\dot{y}_{r}(t)=-0.1y_{r}(t),\ y_{r}(0)=1,\\
&e(t)=y(t)-y_{r}(t). \end{aligned} $$

The initial system state is x(0) = [−1; 2], the initial control input is u(0) = 0.2, and the control feedback gains are K1 = [−11.13, −2.92] and K2 = [1, 0]. The simulation terminal time is $ t_f=50 $ s and the sampling time is τ = 0.12. The observation matrix $ L=\begin{bmatrix} -14.2446\\ -0.8097\\ -34.5498\\ 163.0878 \end{bmatrix} $ gives $ \mathrm{eig}(\bar{A}-L\bar{C}+(\bar{B}-LD)[K_{1}, K_{2}])=\begin{bmatrix} -1.1071\\ -0.9935+0.0999\mathrm{i}\\ -0.9935-0.0999\mathrm{i}\\ -0.9060 \end{bmatrix} $, which satisfies $ \mathrm{Re}(\mathrm{eig}(\bar{A}-L\bar{C}+(\bar{B}-LD)[K_{1}, K_{2}])) < 0 $. The weight attack matrix is $ \Gamma_a=10 $ and the weighting matrices of the objective function are Q = 1 and R = 1, which satisfy $ (R-\Gamma_a^{T}D^{T}QD\Gamma_a)=0.99 > 0 $. The initial attack input is $ u_a(0)=0.5 $. The simulation results are shown in Figures 4–9.
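The healthy (un-attacked) closed loop of this example, stepped with the Euler forward rule named in Remark 2 and with Heun's method for comparison, gives the baseline against which an attacked output is judged. This is an added example, not the authors' code; it assumes u(t) is computed from the feedback law at every step (the page's u(0) = 0.2 is not used), and all function names are illustrative.

```python
import cmath

# Plant and controller values taken from the page's simulation example.
A = [[0.0, 1.0], [9.0, 0.0]]
B = [0.0, 1.0]
E = [0.01, 0.015]            # disturbance input column
C = [0.0, 1.0]
D, F = 0.01, 0.002           # feedthrough of u(t) and d(t) into y(t)
K1 = [-11.13, -2.92]
K2 = [1.0, 0.0]
TAU, T_END = 0.12, 50.0
Z0 = [-1.0, 2.0, 1.0, 0.1]   # [x1, x2, y_r, d] at t = 0

def control(z):
    """u = K1 x + K2 [y_r; d] (assumption: applied from t = 0)."""
    x1, x2, yr, d = z
    return K1[0] * x1 + K1[1] * x2 + K2[0] * yr + K2[1] * d

def output(z):
    """y = C x + 0.01 u + 0.002 d."""
    x1, x2, yr, d = z
    return C[0] * x1 + C[1] * x2 + D * control(z) + F * d

def deriv(z):
    """Right-hand side of the plant plus the y_r and d generators."""
    x1, x2, yr, d = z
    u = control(z)
    return [A[0][0] * x1 + A[0][1] * x2 + B[0] * u + E[0] * d,
            A[1][0] * x1 + A[1][1] * x2 + B[1] * u + E[1] * d,
            -0.1 * yr,
            -0.2 * d]

def euler_step(z, h):
    return [zi + h * ki for zi, ki in zip(z, deriv(z))]

def heun_step(z, h):
    k1 = deriv(z)
    k2 = deriv([zi + h * ki for zi, ki in zip(z, k1)])
    return [zi + 0.5 * h * (a + b) for zi, a, b in zip(z, k1, k2)]

def simulate(step, h=TAU, t_end=T_END):
    """Trajectory of [x1, x2, y_r, d] on the grid 0, h, 2h, ..."""
    z, traj = list(Z0), [list(Z0)]
    for _ in range(int(round(t_end / h))):
        z = step(z, h)
        traj.append(z)
    return traj

def tracking_errors(traj):
    """e(t) = y(t) - y_r(t) along a trajectory."""
    return [output(z) - z[2] for z in traj]

def max_output_gap(traj_a, traj_b):
    """Largest output difference between two runs on the same grid."""
    return max(abs(output(a) - output(b)) for a, b in zip(traj_a, traj_b))

def euler_step_limit():
    """Largest tau keeping forward Euler stable for the closed loop A + B K1.

    |1 + tau*lam| < 1 holds iff tau < -2 Re(lam) / |lam|^2 for each eigenvalue.
    The y_r and d modes (-0.1, -0.2) allow larger steps and are not binding.
    """
    acl = [[A[i][j] + B[i] * K1[j] for j in range(2)] for i in range(2)]
    tr = acl[0][0] + acl[1][1]
    det = acl[0][0] * acl[1][1] - acl[0][1] * acl[1][0]
    root = cmath.sqrt(tr * tr - 4 * det)
    eigs = [(tr + root) / 2, (tr - root) / 2]
    return min(-2 * lam.real / abs(lam) ** 2 for lam in eigs)

if __name__ == "__main__":
    eul, heu = simulate(euler_step), simulate(heun_step)
    print("Euler step limit:", round(euler_step_limit(), 4), "tau used:", TAU)
    print("max |e| healthy (Euler):", max(abs(e) for e in tracking_errors(eul)))
    print("max Euler-vs-Heun output gap:", max_output_gap(eul, heu))
```

The Euler-versus-Heun gap is the size of output deviation that discretization alone produces at τ = 0.12, so it bounds how finely a healthy-versus-observed comparison on this model can be read.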

Figure 4. The networked magnetic levitation steel ball movement system states under healthy and attacked conditions

Figure 5. The health output, real output under the attack condition and observation-based output under the attack condition of the networked magnetic levitation steel ball movement system

Figure 6. The health control input, real control input under the attack condition and observation-based control input under the attack condition of the networked magnetic levitation steel ball movement system

Figure 7. The designed optimal attack output curve and total energy consumption of the attacker

Figure 8. The health output error, real output error under the attack condition and observation-based output error under the attack condition of the networked magnetic levitation steel ball movement system

Figure 9. The cost function value calculated by real output error and the observation-based output error under the attack condition

The designed attack strategy matrix is obtained as follows,

$$ \begin{aligned}&A_a=\begin{bmatrix} -6.2445&14.5448&90.4612&18.8442\\ -35.1926&-4.1429&640.1980&133.1055\\ -15.1458&32.8524&219.3106&45.6817\\ 71.4938&-155.0755&-1035.6988&-215.8346 \end{bmatrix},B_a=\begin{bmatrix} -14.2446\\ -0.8097\\ -34.5498\\ 163.0878 \end{bmatrix},\\
&C_a=\begin{bmatrix} -3.2708&-0.1993&63.4056&13.2020\end{bmatrix}. \end{aligned} $$

It is worth noting that the output of the networked magnetic levitation steel ball movement system can be eavesdropped by the attacker, but the system states, desired output, and external disturbance input cannot be obtained by the attacker.

The results in Figures 4, 5 and 8 compare the system states, output, and output error under healthy and attacked conditions. It can be seen that the damage effect of the attack is large. In addition, in Figures 5 and 8, the error between the real output and the observation-based output is small enough; the real output error and the observation-based output error indicate that the observation error of the designed observer is small. Figure 7 shows the designed attack strategy and the total energy consumption of the attacker, which converges to the optimal value 8607.9. Figure 9 shows that the variation of the cost function based on the real output error and that based on the observed output error are basically the same or even better, and both converge to the same optimal value, J* = −23992.

Table 2. Comparison of different attack strategies

Table 2 shows that the attack strategy designed in this paper relaxes the requirements for obtaining the state information of the attacked system, under the assumption that the system matrix information is known. When the system state and external input of the system cannot be stolen by the attacker, the attack strategies in Wu et al. [10, 11, 32] cannot be adopted by the attacker. Since the attack strategy in this paper is based on the integrated strategy of dynamic observation and output feedback, it can effectively handle the case in which only part of the attacked system's information can be known.

5. Conclusion

This paper has proposed a new optimal attack strategy based on dynamic observation and output feedback to achieve the attack purpose that maximizes the output error of the attacked system under the minimum energy consumption of the attacker. The proposed attack strategy does not require the full state information and external input information of the attacked system. Future work includes the design of attack strategy using dynamic output feedback under non-observation, and the design of attack strategy when there is an unknown time delay in the attack.

Conflict of Interest

The authors declare that they have no conflict of interest.

Data Availability

The original data are available from corresponding authors upon reasonable request.

Authors’ Contributions

Sheng Gao wrote and constructed this paper. Hao Zhang mainly surveyed the related work and jointly wrote this paper. Zhuping Wang discussed the recent development, corrected typos in the paper and jointly wrote this paper. Chao Huang carried out the theoretical derivation inspection and simulation experiment assistance.

Acknowledgments

We would like to thank all editors and reviewers who helped us improve the paper.

Funding

This work is supported by National Natural Science Foundation of China (61922063), Shanghai International Science and Technology Cooperation Project (18510711100), Shanghai Shuguang Project (18sg18), Shanghai Natural Science Foundation (19zr1461400), Shanghai Sailing Program under grant (20YF1452900), Shanghai Municipal Science and Technology Major Project (2021SHZDZX0100), Shanghai Hong Kong Macao Taiwan Science and Technology Cooperation Project (21550760900) and Fundamental Research Funds for the Central Universities.

References

  1. Wolf W. Cyber-physical systems. Computer 2009; 42: 88–9.
  2. Humayed A, Lin J and Li F et al. Cyber-physical systems security: a survey. IEEE Internet Things J 2017; 4: 1802–31.
  3. Ashibani Y and Mahmoud QH. Cyber-physical systems security: analysis, challenges and solutions. Comput Secur 2017; 68: 81–97.
  4. Weir M, Aggarwal S and Medeiros BD et al. Password cracking using probabilistic context-free grammars. In: 2009 30th IEEE Symposium on Security and Privacy, 17-20 May 2009, Oakland, CA, USA, 2009, 391–405.
  5. Houshmand S, Aggarwal S and Flood R. Next gen PCFG password cracking. IEEE Trans Inf Forensics Secur 2015; 10: 1776–91.
  6. Ji S, Yang S and Hu X et al. Zero-sum password cracking game: a large-scale empirical study on the crackability, correlation, and security of passwords. IEEE Trans Dependable Secure Comput 2017; 14: 550–64.
  7. Shayan M, Bhattacharjee S and Orozaliev A et al. Thwarting Bio-IP theft through dummy-valve-based obfuscation. IEEE Trans Inf Forensics Secur 2021; 16: 2076–89.
  8. Kosut O, Jia L and Thomas RJ et al. Limiting false data attacks on power system state estimation. In: 2010 44th Annual Conference on Information Sciences and Systems (CISS), 17-19 March 2010, Princeton, NJ, 2010, 1–6.
  9. Xie L, Mo Y and Sinopoli B. Integrity data attacks in power market operations. IEEE Trans Smart Grid 2011; 2: 659–66.
  10. Wu G, Jian S and Jie C. Optimal data injection attacks in cyber-physical systems. IEEE Trans Cybern 2018; 48: 3302–12.
  11. Wu G, Wang G and Sun J et al. Optimal switching attacks and countermeasures in cyber-physical systems. IEEE Trans Syst Man Cybern Syst 2021; 51: 4825–35.
  12. Imer O, Yüksel S and Başar T. Optimal control of LTI systems over unreliable communication links. Automatica 2006; 42: 1429–39.
  13. Befekadu GK, Gupta V and Antsaklis PJ. Risk-sensitive control under Markov modulated denial-of-service (DoS) attack strategies. IEEE Trans Automat Contr 2015; 60: 3299–304.
  14. Koning W. Infinite horizon optimal control of linear discrete time systems with stochastic parameters. Automatica 1982; 18: 443–53.
  15. Katayama T. On the matrix Riccati equation for linear systems with random gain. IEEE Trans Automat Contr 1976; 21: 770–1.
  16. Jiang X, Yang J and Jin G et al. RED-FT: A scalable random early detection scheme with flow trust against DoS attacks. IEEE Commun Lett 2013; 17: 1032–5.
  17. Guo H, Pang Z-H and Sun J et al. An output-coding-based detection scheme against replay attacks in cyber-physical systems. IEEE Trans Circuits Syst II Express Br 2021; 68(10): 3306–10.
  18. Mo Y, Chabukswar R and Sinopoli B. Detecting integrity attacks on scada systems. IEEE Trans Control Syst Technol 2014; 22: 1396–1407.
  19. Mo Y, Weerakkody S and Sinopoli B. Physical authentication of control systems: Designing watermarked control inputs to detect counterfeit sensor outputs. IEEE Control Syst Mag 2015; 35: 93–109.
  20. Sinopoli B, Schenato L and Franceschetti M et al. Optimal control with unreliable communication: the TCP case. In: Proceedings of the 2005 American Control Conference, 8-10 June 2005, Portland, OR, USA, Vol. 5, 2005, 3354–59.
  21. Zhang H, Cheng P and Shi L et al. Optimal denial-of-service attack scheduling with energy constraint. IEEE Trans Automat Contr 2015; 60: 3023–8.
  22. Ding K, Li Y and Quevedo DE et al. A multi-channel transmission schedule for remote state estimation under DoS attacks. Automatica 2017; 78: 194–201.
  23. Xu Y, Zhou J and Rao H et al. Reset moving horizon estimation for quantized discrete time systems. IEEE Trans Automat Contr 2021; 66: 4199–205.
  24. Zhu M and Martínez S. On the performance analysis of resilient networked control systems under replay attacks. IEEE Trans Automat Contr 2014; 59: 804–8.
  25. Farha F, Ning H and Yang S et al. Timestamp scheme to mitigate replay attacks in secure ZigBee networks. IEEE Trans Mob Comput 2022; 21: 342–51.
  26. Xu Y, Yang L and Wang Z et al. State estimation for networked systems with Markov driven transmission and buffer constraint. IEEE Trans Syst Man Cybern Syst 2021; 51: 7727–34.
  27. Zhang H, Cheng P and Shi L et al. Optimal dos attack scheduling in wireless networked control system. IEEE Trans Control Syst Technol 2016; 24: 843–52.
  28. Mo Y and Sinopoli B. Secure control against replay attacks. In: 2009 47th Annual Allerton Conference on Communication, Control, and Computing, Allerton, 2009, 911–8.
  29. Dan Y, Tyz A and Ge G. Stochastic coding detection scheme in cyber-physical systems against replay attack. Inform Sci 2019; 481: 432–44.
  30. Ferrari RMG and Teixeira AMH. Detection and isolation of replay attacks through sensor watermarking. In: IFACPapersOnLine, 6-8 July 2016, Boston, MA, USA, Vol. 50, 2017, 7363–68.
  31. Chen Y, Kar S and Moura JMF. Cyber-physical attacks with control objectives. IEEE Trans Automat Contr 2018; 63: 1418–25.
  32. Wu G and Jian S. Optimal data integrity attack on actuators in cyber-physical systems. In: Proceedings of the 2016 American Control Conference, 9-14 July 2017, Toulouse, 2016.
  33. Liang L, Xing H and Lei D et al. Exploring adversarial attack in spiking neural networks with spike-compatible gradient. In: IEEE Transactions on Neural Networks and Learning Systems, 2021, in press. https://doi.org/10.1109/TNNLS.2021.3106961.
  34. Başar T and Olsder GJ. Dynamic Noncooperative Game Theory. Philadelphia: SIAM, 1998.
  35. Başar T and Bernhard P. H-Infinity Optimal Control and Related Minimax Design Problems: A Dynamic Game Approach. Berlin: Springer Science & Business Media, 2008.
  36. Dorf RC and Bishop RH. Modern Control Systems, twelfth edition. Upper Saddle River, NJ: Pearson Prentice Hall, 2015.

Sheng Gao

Sheng Gao received his B.Sc. degree in automation from Donghua University, Shanghai, China in 2019. He is currently working toward the Ph.D. degree in control science and engineering at Tongji University, Shanghai, China. His current research interests include optimal control, cyber-physical systems, robot, and cyber security.

Hao Zhang

Hao Zhang received her B.Sc. degree in automatic control from Wuhan University of Technology, Wuhan, China, in 2001 and received her Ph.D. degree in control theory and control engineering from Huazhong University of Science and Technology Wuhan, China, in 2007. Currently, she is a professor with the School of Electronic and Information Engineering, Tongji University, Shanghai, China. Her research interests include network-based control systems, multi-agent systems, and autonomous systems.

Zhuping Wang

Zhuping Wang received her B.Eng. and M.Eng. degrees from the Department of Automatic Control in 1994 and 1997, respectively, both from Northwestern Polytechnic University, China, and her Ph.D. degree from National University of Singapore in 2003. Currently, she is a professor at the College of Electronics and Information Engineering, Tongji University, Shanghai, China. Her research interests include intelligent control of robotic systems, self-driving vehicles, and nonholonomic control systems.

Chao Huang

Chao Huang received his B.Sc., M.Sc., and Ph.D. degrees from Zhejiang University, in 2010, 2012, and 2015, respectively, all in Electrical Engineering. In 2016, he was a post-doctoral research fellow at the School of Engineering, the Australian National University. From 2017 to 2019, he was with the School of Automation, Hangzhou Dianzi University, as a lecturer. He is now with the School of Electronics and Information Engineering, Tongji University, where he is currently an assistant professor. His research interests include system identification, nonlinear and adaptive control, and multi-agent systems.
