Issue |
Security and Safety
Volume 1, 2022
|
|
---|---|---|
Article Number | 2022005 | |
Number of page(s) | 16 | |
Section | Industrial Control | |
DOI | https://doi.org/10.1051/sands/2022005 | |
Published online | 22 July 2022 |
Research Article
Optimal injection attack strategy for cyber-physical systems: a dynamic feedback approach
School of Electronics and Information Engineering, Tongji University, Shanghai, 201804, China
* Corresponding author (email: zhang_hao@tongji.edu.cn)
Received:
30
December
2021
Revised:
21
February
2022
Accepted:
14
March
2022
This paper investigates the system security problem of cyber-physical systems (CPSs), which is not only more practical but also more significant to deal with than the detecting faults problem. The purpose of this paper is to find an optimal attack strategy that maximizes the output error of the attacked system with low energy consumption. Based on a general model of linear time-invariant systems and a key technical lemma, a new optimal attack strategy for the meticulously designed false data injection attack is constructed. It is worth mentioning that compared with the existing model-based attack strategies, the designed one is more general and the corresponding attack strategy is more easily implemented when system states and external input are inaccessible. Key to overcoming the inaccessible information, a dynamic observer in the form of Luenberger is constructed. Finally, a networked magnetic levitation steel ball movement system is applied to illustrate the effectiveness of the proposed scheme.
Key words: False data injection attack / Dynamic output feedback / Attack strategy design / Cyber-physical systems
Citation: Gao S, Zhang H, Wang ZP and et al. Optimal injection attack strategy for cyber-physical systems: a dynamic feedback approach. Security and Safety 2022; 1: 2022005. https://doi.org/10.1051/sands/2022005
© The Author(s) 2022. Published by EDP Sciences and China Science Publishing & Media Ltd.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
1. Introduction
With the development of computer and communication technology, the network has been rapidly applied to most aspects of society in recent decades. Although the network has brought convenience to people’s lives, it is vulnerable to hackers because of its high degree of openness, to name just a few, Bushehr, the only nuclear power plant in Iran, was hacked in 2010 causing all centrifuges to shut down; Colonial Pipeline, the major oil and gas pipeline company in the USA, was hacked in 2021 and forced to shut down all of its pipeline operating systems. Therefore, cyber security is an important part of ensuring national security and social stability. The above systems are classified as the cyber-physical systems[1–3], which integrate computing, networking, and physical processes, whose cyber security has been paid more and more attention by researchers.
Cyber security, which is one of the main issues of informatization, mainly includes cyberattack, attack detection, and security defense. Cyberattack refers to any type of offensive action on a computer equipment, network, or infrastructure from the network layer. There are two commonly used methods for cyberattack, namely, cracking of the system password to steal the information of the attacked system [4–7] and implementing elaborately designed attack strategies to destroy the attacked system [8–15].Different from the cyberattack on the side of the offensive, attack detection represents the timely discovery of vulnerabilities in the system and alarm from the perspective of the defender. The detection mechanisms for the corresponding attacks have been extensively studied, such as denial-of-service (DoS) attack detection [16], replay attack detection [17], and false data injection (FDI) attack detection [18, 19]. Security defense denotes the security protection of the system from the perspective of the defender. Many researchers have implemented secure control or resilient control strategy under attack to reduce or avoid the damage caused by attackers [20–26]. All of the aforementioned works on cyber security focus on existing classic attack strategies. Unfortunately, the continuous update of attack strategies makes the existing detection mechanisms and defense strategies ineffective. Therefore, this paper mainly designs an attack strategy on the attacker’s side. One of the research motivations was to enable defenders to understand the behavior of unknown attackers more deeply, and then design corresponding defense strategies to better protect the system.
To date, two main categories of cyberattacks exist, namely denial-of-service (DoS) attacks [12, 13, 27] and deception attacks, among which deception attacks include replay attacks and injection attacks [10, 28]. DoS attack is destroying the target object, making it unable to serve normal users, resulting in information packet loss or delay, etc. Massive research results have been reported on DoS attack strategy design and secure control, see [20–22] and the references therein. The replay attack refers to injecting external inputs without being detected; the attacker hijacks the sensor, observes and records its readings for a period of time, and then repeats these readings when executing the attack [28]. Since the data of replay attack come from a normal system, it is difficult to be detected. Therefore, some detection mechanisms for replay attacks are proposed in [17, 29, 30]. For false data injection attack, the attacker injects the meticulously designed false information to disturb the normal operation of the system. More recently, Chen et al. [31] have studied the attack strategy of attackers against CPSs from the vantage point of optimal control. Wu and Jian [32] have also designed a switching data injection attack scheme from the attacker’s side. After that, they have further considered the optimal feedback attack problem and the optimal location switching attack problems, respectively [10, 11]. The design of the above attack strategies is based on the assumption that the information of the attacked system is completely known. The fact that a part of the information of the attacked system is inaccessible is a natural extension of the attack strategy design that all information can be accessed. Up to now, when the information of the attacked system is completely unknown, that is, the attacked system is model free for the attacker, there is a neural network learning method to design the attack strategy [33]. However, in most cases, it is a natural fact that the attacker is not completely unaware of the attacked system through long-term information eavesdropping. If the attacked system is regarded as a black box and the attack strategy is directly designed by the learning method, the useful information obtained by eavesdropping will be wasted and the adaptability of the obtained attack strategy will be insufficient. Making good use of this information in the design of attack strategy is the main motivation to promote us to study the problems proposed in this paper.
In this paper, a new attack strategy for cyber-physical systems under the system states and external input inaccessible is proposed. The main contributions of this paper are summarized as follows:
-
(1)
A new data injection attack method is proposed from the perspective of attackers, in which attackers use system output to construct attack strategy in the form of dynamic feedback. The objective function of attacker is defined as the linear quadratic function and the corresponding algebraic Riccati equation is derived by solving the defined objective function.
-
(2)
Since the attacker cannot access the system states and external input information of the attacked system, it is difficult for the attacker to maximize the output error of the attacked system with the least energy consumption. In this paper, a modified Luenberger observer-based method is introduced to solve the aforementioned attack optimization problem.
-
(3)
During the design of the attack strategy, the value of the designed observer is adopted as the dynamic auxiliary virtual states to deal with the difficulty that the unknown parameter matrices of the attack strategy cannot be solved directly.
The rest of this paper is organized as follows. The problem formulation about a class of linear time-invariant system is shown in Section 2. The schemes of dynamic observer and false data injection attack based on dynamic observation and output feedback are described in Section 3. In Section 4, the efficiency of proposed scheme is illustrated by a networked magnetic levitation steel ball movement system example. Finally, this paper is concluded in Section 5.
Notations:
denotes the n-dimensional Euclidean space. Let
and
,
. Let
and
,
. M
T
indicates the transposed matrix of matrix M. M
−1 denotes the inverse matrix of matrix M. diag(N, M) represents diagonal matrix with diagonal entries N and M. eig(M)
refers to the eigenvalue of matrix M. Re(M) is defined as the real part of the element of matrix M. stands for the first order partial derivative of f with respect to matrix M. Matrices and vectors are assumed to hold appropriate dimensions if they are not explicitly stated.
2. Problem formulation
Consider a class of linear time-invariant system described by
where x ∈ ℝ n is the state, u ∈ ℝ l is the control input, y ∈ ℝ m is the measured output, d(t)∈ℝ p is the external disturbance, and A, B, C, D, E, and F are known constant matrices with compatible dimensions. External disturbance d(t) is generated by linear autonomous differential equation expressed as
where d0 is arbitrary initial value.
The tracking error of system (1) can be expressed as
where y r (t) is the desired output, and y r (t) is given by
where y r0 is an arbitrary initial value.
Combining the system state of system (1) and the tracking error (3), the trajectory tracking system can be written as
where
ζ(t) satisfies
where 0 and I are the zero and identity matrix of appropriate dimensions, respectively.
Through the linear quadratic tracker (LQT), the control input is designed as
where K1 and K2 are known constant matrices with compatible dimensions.
For system (5), the following assumption is needed.
Assumption 1 The pair (A, B) is stabilizable,
is detectable.
Remark 1 The first part of Assumption 1 is quite standard in the literature to design the attack strategy because it is meaningful for the attackers to destroy stable systems. The latter part of Assumption 1 is necessary for the design of the attack strategy in this paper, when it is undetectable, the attack strategy to achieve the maximum deviation of the system output from the desired output cannot be designed due to the lack of information related to the desired output.
3. Design of optimal data injection attack strategy
3.1. Attack structure
Since the controller transmits the control signal to the actuator through the wireless transmission channel, the attacker achieves the purpose by intercepting the control signal transmitted through the wireless transmission channel and tampering with the signal. The false data injection attack is expressed as
where is the attacked control input, Γ
a
is the attack weight matrix with compatible dimension, and
is the attack input.
Combining trajectory tracking systems (5) and (7), the attacked system is
where and
are the attacked state and unmeasured tracking error, respectively.
The key design of the data injection attack structure is described as
where A a , B a , and C a are the designed attack matrices with compatible dimensions, u a (0) is an arbitrarily small initial value and η(t) is the designed auxiliary virtual state of the attack input.
The following assumptions are needed to design an attack strategy for the attacker.
Assumption 2 The attacker has complete knowledge of system (5) matrices through eavesdropping the system information for sufficient time.
Assumption 3 In the FDI attack, the attacker has the ability to inject the calculated false data vector u a (t) into the actuators synchronously with the system input signals.
The purpose of the attacker in this subsection is to use as little energy as possible to make the system tracking error maximum deviate from 0. The objective function can be described as
where t0 and t
f
are the start time and end time of the injection attack, respectively. It is worth mentioning that represents the energy consumption of the attacker. Then, the problem of data injection attack can be expressed as the optimal problem.
Problem 1
Due to inaccessible system states and external input data information from the perspective of the attacker, Problem 1 cannot be solved. Therefore, the dynamic observer is applied in the design of the attack strategy.
3.2. Design of dynamic observer
Note that system state , external disturbance d(t), and desired output y
r
(t) are unknown to the attacker. Thus, the attacker can use the modified Luenberger observer to observe state x(t) and external input ζ(t), the observer is designed as
where ξ(t) is the estimation of [x(t),ζ(t)]
T
, is the estimated control input based on the observation of [x(t),ζ(t)]
T
, which satisfies
, L is the observation matrix, and
and .
Lemma 1 Under Assumptions 1, for the attacked system (8) and the observer (11), if L satisfies the condition , then lim
t → ∞
e
x
ξ
(t)=0, where e
x
ξ
(t)=[x(t),ζ(t)]
T
− ξ(t) denotes the observation error.
Proof. Combined with ,
, the attacked system (8) and the observer (11), the derivative of the observation error e
x
ξ
(t) can be expressed as
thus, through the theory of observer design, when is satisfied, lim
t → ∞
e
x
ξ
(t)=0, which indicates that when t → ∞, the estimation ξ(t) is equal to [x(t),ζ(t)]
T
.
This is end of proof
It is worth pointing out that the designed auxiliary virtual state η(t) is determined by the attacker. When observation ξ(t) is selected by the attacker as the designed auxiliary virtual state η(t), Problem 1 can be transformed into Problem 2.
Problem 2
The block diagram of the attacked system is shown in Figure 1. As can be seen from Figure 1, the attacker first obtains the system output by eavesdropping, which is transmitted from the plant to the controller using the sensor. Then, system output
and the estimated value of the designed observer are applied to construct (9). Next, optimal attack input u
a
(t) can be obtained by solving Problem 2. Finally, optimal attack input u
a
(t) is injected into control input u(t) wirelessly transmitted from the controller to the actuator so that the control input obtained by the actuator is tampered with
to complete the attack.
![]() |
Figure 1. Block diagram of the attacked system |
3.3. Main results
Before presenting the main result, the key lemma is first introduced.
Lemma 2 ([34) , [35]] The optimal problem is expressed as
If requirement Q ≥ 0 is not satisfied, a necessary and sufficient condition to provide a unique solution to the affine-quadratic continuous-time optimal problem is
where P is the solution of the following Algebraic Riccati Equation
Theorem 1 Under Assumptions 1–3, if (R−Γ a T D T Q DΓ a ) > 0 holds and the observation ξ(t) is selected by the attacker as the designed auxiliary virtual state η(t), the matrices of the optimal attack strategy designed as (9) can be obtained by solving Problem 2, which are expressed as
where P satisfies the following equation
and
Proof. If the attacker utilizes observation ξ(t) as designed auxiliary virtual state η(t), then attacked control input (7) based on the observation of [x(t),ζ(t)] T can be rewritten as
where is described in Theorem 1.
Combining (9), (11) and (15), one has
thus, and B
a
= L.
Inserting (15) into the attacked tracking error based on the observation of [x(t),ζ(t)]
T
, one has
therefore, the integrated term of the objective function (10) can be reorganized as
then, the Hamilton function is defined as
where λ(t) is the co-state vector.
Through the optimal theory [35], is applied,
the optimal attack input is obtained as
combined with the co-state equation,
letting λ(t)=P η(t), (21) and (22) can be rewritten as
thus, C a is obtained, and
Since (22) and (24) are equal, the preliminary algebraic Riccati equation can be described as
by means of Lemma 2, the optimal solution for Problem 2 is unique if and only if .
Since A a contains C a , C a contains P, and (25) contains A a , in order to avoid the unknown matrix when solving in (25), combining (16), (23), and (25), one can obtain
then, B
a
= L and are used to simplify (26) to obtain (14).
This is end of proof. ▫
The application of Theorem 1 is transformed into the false data injection attack algorithm based on dynamic observation feedback, as shown in Algorithm 1.
1: Initialize: The system matrices A, B, C, D, Eζ, Fζ, Ãζ, K1, and K2;
Set sampling time τ, the start time and end time of the injection attack t0 and tf, suitable initial observation η(0), and suitable weighting matrices Q and R, satisfying Q ≥ 0 and R > 0.
2: Step 1. Calculate the matrices of the observer, ĀB̅C̅;
Select suitable observation matrix L, satisfying Re(eig(Ā − LC̅ + (B̅ − LD)[K1, K2])) < 0;
Set weight attack matrix Γa, satisfying (R − ΓTa DT QDΓa) > 0;
Calculate matrices C̅e, K̅, Ξ, ψ, Θ and solve equation (14) to obtain P;
Calculate matrices of the attack strategy Aa, Ba, and Ca.
3: while t ≤ tf do
4: Step 2. Update η(t), ỹ(t) and ũ̂(t + τ);
Calculate observation η(t + τ) as calculate η(t + τ) ← (Aaτ + I)η(t) + Baτỹ(t) or η(t + τ) ← (τĀ + I)η(t) + τB̅ũ̂(t) + Lτ(ỹ(t) − C̅ξ(t) − Dũ̂(t)).
5: Step 3. Calculate optimal attack input u*a(t + τ) ← Caη(t + τ), and implement injection attack ũ̂(t + τ) ← [K1, K2]η(t + τ) + Γaua(t + τ).
6: end while
Remark 2 In Algorithm , the Euler forward discretization method is adopted in the practical application of attack strategy, and other discretization methods can also be applied, such as trapezoidal rule, Heun method, Runge Kutta method, etc.
4. Simulation example
A networked magnetic levitation steel ball movement system [36] is applied to illustrate the effectiveness of the designed attack strategy. The schematic diagram of the networked magnetic levitation steel ball movement system which is attacked is shown in Figures 2 and 3, where the networked magnetic levitation steel ball motion system can be described as
![]() |
Figure 2. The schematic diagram of the networked magnetic levitation steel ball movement system under attack |
![]() |
Figure 3. The structure diagram of the networked magnetic levitation steel ball movement system |
Specifications of the networked magnetic levitation steel ball movement system
where the physical meaning and unit represented by each variable are shown in Table 1, external disturbance input d(t), desired system output y r (t), and tracking error e(t) can be expressed as
The initial system state x(0)=[−1; 2], the initial control input u(0)=0.2, and the control feedback gain K1 = [ − 11.13, −2.92], K2 = [1, 0]. The simulation terminal time t
f
= 50 s, the sampling time τ = 0.12, the suitable observation matrix ,
satisfies
, weight attack matrix Γ
a
= 10, weighting matrices of objective function Q = 1 and R = 1, satisfies (R − Γ
a
T
D
T
Q
DΓ
a
)=0.99 > 0, and initial attack input u
a
(0)=0.5, and simulation results are shown in Figures 4–9.
![]() |
Figure 4. The networked magnetic levitation steel ball movement system states under healthy and attacked conditions |
![]() |
Figure 5. The health output, real output under the attack condition and observation-based output under the attack condition of the networked magnetic levitation steel ball movement system |
![]() |
Figure 6. The health control input, real control input under the attack condition and observation-based control input under the attack condition of the networked magnetic levitation steel ball movement system |
![]() |
Figure 7. The designed optimal attack output curve and total energy consumption of the attacker |
![]() |
Figure 8. The health output error, real output error under the attack condition and observation-based output error under the attack condition of the networked magnetic levitation steel ball movement system |
![]() |
Figure 9. The cost function value calculated by real output error and the observation-based output error under the attack condition |
The designed attack strategy matrix is obtained as follows,
It is worth noting that the output of the networked magnetic levitation steel ball movement system can be eavesdropped by the attacker, but the system states, desired output, and external disturbance input cannot be obtained for the attacker.
The results in Figures 4, 5 and 8 show the comparison of system states, output, and output error under healthy and attacked conditions. It can be seen that the damage effect of the attack
is large. In addition, in Figures 5 and 8, the error between the real output and the output based on observation is small enough; the real output error and output error based on observation indicates that the observation error of the designed observer is small. The result in Figure 7 shows the designed attack strategy and the total energy consumption of the attacker, the total energy consumption of the attacker converges to the optimal value 8607.9, and the result in Figure 9 that the variation form of the cost function based on the real output error and the observed output error is basically the same or even better, and converges to the same optimal value, J * = −23992.
Comparison of different attack strategies
It can be known from Table 2 that the attack strategy designed in this paper relaxes the requirements for obtaining the state information of the attacked system under the assumption that the system matrix information is known. When the system state and external input of the system cannot be stolen by the attacker, the attack strategy involved in Wu et al. [10, 11, 32] cannot be adopted by the attacker. Since the attack strategy in this paper is based on the integrated strategy of dynamic observation and output feedback, it can effectively solve the problem that the part of the attacked system information can be known.
5. Conclusion
This paper has proposed a new optimal attack strategy based on dynamic observation and output feedback to achieve the attack purpose that maximizes the output error of the attacked system under the minimum energy consumption of the attacker. The proposed attack strategy does not require the full state information and external input information of the attacked system. Future work includes the design of attack strategy using dynamic output feedback under non-observation, and the design of attack strategy when there is an unknown time delay in the attack.
Conflict of Interest
The authors declare that they have no conflict of interest.
Data Availability
The original data are available from corresponding authors upon reasonable request.
Authors’ Contributions
Sheng Gao wrote and constructed this paper. Hao Zhang mainly surveyed the related work and jointly wrote this paper. Zhuping Wang discussed the recent development, corrects typos in the paper and jointly wrote this paper. Chao Huang carried out the theoretical derivation inspection and simulation experiment assistance.
Acknowledgments
We would like to thank all editors and reviewers who help us improve the paper.
Funding
This work is supported by National Natural Science Foundation of China (61922063), Shanghai International Science and Technology Cooperation Project (18510711100), Shanghai Shuguang Project (18sg18), Shanghai Natural Science Foundation (19zr1461400), Shanghai Sailing Program under grant (20YF1452900), Shanghai Municipal Science and Technology Major Project (2021SHZDZX0100), Shanghai Hong Kong Macao Taiwan Science and Technology Cooperation Project (21550760900) and Fundamental Research Funds for the Central Universities.
References
- Wolf W. Cyber-physical systems. Computer 2009; 42: 88–9. [CrossRef] [Google Scholar]
- Humayed A, Lin J and Li F et al. Cyber-physical systems security: a survey. IEEE Internet Things J 2017; 4: 1802–31. [CrossRef] [Google Scholar]
- Ashibani Y and Mahmoud QH. Cyber-physical systems security: analysis, challenges and solutions. Comput Secur 2017; 68: 81–97. [CrossRef] [Google Scholar]
- Weir M, Aggarwal S and Medeiros BD et al. Password cracking using probabilistic context-free grammars. In: 2009 30th IEEE Symposium on Security and Privacy, 17-20 May 2009, Oakland, CA, USA, 2009, 391–405. [Google Scholar]
- Houshmand S, Aggarwal S and Flood R. Next gen PCFG password cracking. IEEE Trans Inf Forensics Secur 2015; 10: 1776–91. [CrossRef] [Google Scholar]
- Ji S, Yang S and Hu X et al. Zero-sum password cracking game: a large-scale empirical study on the crackability, correlation, and security of passwords. IEEE Trans Dependable Secure Comput 2017; 14: 550–64. [CrossRef] [Google Scholar]
- Shayan M, Bhattacharjee S and Orozaliev A et al. Thwarting Bio-IP theft through dummy-valve-based obfuscation. IEEE Trans Inf Forensics Secur 2021; 16: 2076–89. [CrossRef] [Google Scholar]
- Kosut O, Jia L and Thomas RJ et al. Limiting false data attacks on power system state estimation. In: 2010 44th Annual Conference on Information Sciences and Systems (CISS), 17-19 March 2010, Princeton, NJ, 2010, 1–6. [Google Scholar]
- Xie L, Mo Y and Sinopoli B. Integrity data attacks in power market operations. IEEE Trans Smart Grid 2011; 2: 659–66. [CrossRef] [Google Scholar]
- Wu G, Jian S and Jie C. Optimal data injection attacks in cyber-physical systems. IEEE Trans Cybern 2018; 48: 3302–12. [CrossRef] [PubMed] [Google Scholar]
- Wu G, Wang G and Sun J et al. Optimal switching attacks and countermeasures in cyber-physical systems. IEEE Trans Syst Man Cybern Syst 2021; 51: 4825–35. [CrossRef] [Google Scholar]
- Imer O, Yüksel S and Başar T. Optimal control of LTI systems over unreliable communication links. Automatica 2006; 42: 1429–39. [CrossRef] [Google Scholar]
- Befekadu GK, Gupta V and Antsaklis PJ. Risk-sensitive control under Markov modulated denial-of-service (DoS) attack strategies. IEEE Trans Automat Contr 2015; 60: 3299–304. [CrossRef] [Google Scholar]
- Koning W. Infinite horizon optimal control of linear discrete time systems with stochastic parameters. Automatica 1982; 18: 443–53. [CrossRef] [Google Scholar]
- Katayama T. On the matrix Riccati equation for linear systems with random gain. IEEE Trans Automat Contr 1976; 21: 770–1. [CrossRef] [Google Scholar]
- Jiang X, Yang J and Jin G et al. RED-FT: A scalable random early detection scheme with flow trust against DoS attacks. IEEE Commun Lett 2013; 17: 1032–5. [CrossRef] [Google Scholar]
- Guo H, Pang Z-H and Sun J et al. An output-coding-based detection scheme against replay attacks in cyber-physical systems. IEEE Trans Circuits Syst II Express Br 2021; 68(10): 3306–10. [CrossRef] [Google Scholar]
- Mo Y, Chabukswar R and Sinopoli B. Detecting integrity attacks on scada systems. IEEE Trans Control Syst Technol 2014; 22: 1396–1407. [CrossRef] [Google Scholar]
- Mo Y, Weerakkody S and Sinopoli B. Physical authentication of control systems: Designing watermarked control inputs to detect counterfeit sensor outputs. IEEE Control Syst Mag 2015; 35: 93–109. [Google Scholar]
- Sinopoli B, Schenato L and Franceschetti M et al. Optimal control with unreliable communication: the TCP case. In: Proceedings of the 2005 American Control Conference, 8-10 June 2005, Portland, OR, USA, Vol. 5, 2005, 3354–59. [CrossRef] [Google Scholar]
- Zhang H, Cheng P and Shi L et al. Optimal denial-of-service attack scheduling with energy constraint. IEEE Trans Automat Contr 2015; 60: 3023–8. [CrossRef] [Google Scholar]
- Ding K, Li Y and Quevedo DE et al. A multi-channel transmission schedule for remote state estimation under DoS attacks. Automatica 2017; 78: 194–201. [CrossRef] [Google Scholar]
- Xu Y, Zhou J and Rao H et al. Reset moving horizon estimation for quantized discrete time systems. IEEE Trans Automat Contr 2021; 66: 4199–205. [CrossRef] [Google Scholar]
- Zhu M and Martínez S. On the performance analysis of resilient networked control systems under replay attacks. IEEE Trans Automat Contr 2014; 59: 804–8. [CrossRef] [Google Scholar]
- Farha F, Ning H and Yang S et al. Timestamp scheme to mitigate replay attacks in secure ZigBee networks. IEEE Trans Mob Comput 2022; 21: 342–51. [Google Scholar]
- Xu Y, Yang L and Wang Z et al. State estimation for networked systems with Markov driven transmission and buffer constraint. IEEE Trans Syst Man Cybern Syst 2021; 51: 7727–34. [CrossRef] [Google Scholar]
- Zhang H, Cheng P and Shi L et al. Optimal dos attack scheduling in wireless networked control system. IEEE Trans Control Syst Technol 2016; 24: 843–52. [CrossRef] [Google Scholar]
- Mo Y and Sinopoli B. Secure control against replay attacks. In: 2009 47th Annual Allerton Conference on Communication, Control, and Computing, Allerton, 2009, 911–8. [CrossRef] [Google Scholar]
- Dan Y, Tyz A and Ge G. Stochastic coding detection scheme in cyber-physical systems against replay attack. Inform Sci 2019; 481: 432–44. [CrossRef] [Google Scholar]
- Ferrari RMG and Teixeira AMH. Detection and isolation of replay attacks through sensor watermarking. In: IFACPapersOnLine, 6-8 July 2016, Boston, MA, USA, Vol. 50, 2017, 7363–68. [Google Scholar]
- Chen Y, Kar S and Moura JMF. Cyber-physical attacks with control objectives. IEEE Trans Automat Contr 2018; 63: 1418–25. [CrossRef] [Google Scholar]
- Wu G and Jian S. Optimal data integrity attack on actuators in cyber-physical systems. In: Proceedings of the 2016 American Control Conference, 9-14 July 2017, Toulouse, 2016. [Google Scholar]
- Liang L, Xing H and Lei D et al. Exploring adversarial attack in spiking neural networks with spike-compatible gradient. In: IEEE Transactions on Neural Networks and Learning Systems, 2021, in press. https://doi.org/10.1109/TNNLS.2021.3106961. [Google Scholar]
- Başar T and Olsder GJ. Dynamic Noncooperative Game Theory. Philadelphia: SIAM, 1998. [Google Scholar]
- Başar T and Bernhard P. H-Infinity Optimal Control and Related Minimax Design Problems: A Dynamic Game Approach. Berlin: Springer Science & Business Media, 2008. [Google Scholar]
- Dorf RC and Bishop RH. Modern Control Systems, twelfth edition. Upper Saddle River, NJ: Pearson Prentice Hall, 2015. [Google Scholar]

Sheng Gao received his B.Sc. degree in automation from Donghua University, Shanghai, China in 2019. He is currently working toward the Ph.D. degree in control science and engineering at Tongji University, Shanghai, China. His current research interests include optimal control, cyber-physical systems, robot, and cyber security.

Hao Zhang received her B.Sc. degree in automatic control from Wuhan University of Technology, Wuhan, China, in 2001 and received her Ph.D. degree in control theory and control engineering from Huazhong University of Science and Technology Wuhan, China, in 2007. Currently, she is a professor with the School of Electronic and Information Engineering, Tongji University, Shanghai, China. Her research interests include network-based control systems, multi-agent systems, and autonomous systems.

Zhuping Wang received her B.Eng. and M.Eng. degrees from the Department of Automatic Control in 1994 and 1997, respectively, both from Northwestern Polytechnic University, China, and her Ph.D. degree from National University of Singapore in 2003. Currently, she is a professor at the College of Electronics and Information Engineering, Tongji University, Shanghai, China. Her research interests include intelligent control of robotic systems, self-driving vehicles, and nonholonomic control systems.

Chao Huang received his B.Sc., M.Sc., and Ph.D. degrees from Zhejiang University, in 2010, 2012, and 2015, respectively, all in Electrical Engineering. In 2016, he was a post-doctoral research fellow at the School of Engineering, the Australian National University. From 2017 to 2019, he was with the School of Automation, Hangzhou Dianzi University, as a lecturer. He is now with the School of Electronics and Information Engineering, Tongji University, where he is currently an assistant professor. His research interests include system identification, nonlinear and adaptive control, and multi-agent systems.
All Tables
All Figures
![]() |
Figure 1. Block diagram of the attacked system |
In the text |
![]() |
Figure 2. The schematic diagram of the networked magnetic levitation steel ball movement system under attack |
In the text |
![]() |
Figure 3. The structure diagram of the networked magnetic levitation steel ball movement system |
In the text |
![]() |
Figure 4. The networked magnetic levitation steel ball movement system states under healthy and attacked conditions |
In the text |
![]() |
Figure 5. The health output, real output under the attack condition and observation-based output under the attack condition of the networked magnetic levitation steel ball movement system |
In the text |
![]() |
Figure 6. The health control input, real control input under the attack condition and observation-based control input under the attack condition of the networked magnetic levitation steel ball movement system |
In the text |
![]() |
Figure 7. The designed optimal attack output curve and total energy consumption of the attacker |
In the text |
![]() |
Figure 8. The health output error, real output error under the attack condition and observation-based output error under the attack condition of the networked magnetic levitation steel ball movement system |
In the text |
![]() |
Figure 9. The cost function value calculated by real output error and the observation-based output error under the attack condition |
In the text |
Current usage metrics show cumulative count of Article Views (full-text article views including HTML views, PDF and ePub downloads, according to the available data) and Abstracts Views on Vision4Press platform.
Data correspond to usage on the plateform after 2015. The current usage metrics is available 48-96 hours after online publication and is updated daily on week days.
Initial download of the metrics may take a while.