Fake-Acknowledgment Attack on ACK-based Sensor Power Schedule for Remote State Estimation

We consider a class of malicious attacks against remote state estimation. A sensor with limited resources adopts an acknowledgement (ACK)-based online power schedule to improve the remote state estimation performance. A malicious attacker can modify the ACKs from the remote estimator and convey fake information to the sensor. When the capability of the attacker is limited, we propose an attack strategy for the attacker and analyze the corresponding effect on the estimation performance. The possible responses of the sensor are studied and a condition for the sensor to discard ACKs and switch from online schedule to offline schedule is provided.Comment: submitted to IEEE CDC 201

Resilient dynamic state estimation in the presence of false information injection attacks

The impact of false information injection is investigated for linear dynamic systems with multiple sensors. First, it is assumed that the system is unaware of the existence of false information and the adversary is trying to maximize the negative effect of the false information on Kalman filter\u27s estimation performance under a power constraint. The false information attack under different conditions is mathematically characterized. For the adversary, many closed-form results for the optimal attack strategies that maximize the Kalman filter\u27s estimation error are theoretically derived. It is shown that by choosing the optimal correlation coefficients among the false information and allocating power optimally among sensors, the adversary could significantly increase the Kalman filter\u27s estimation errors. In order to detect the false information injected by an adversary, we investigate the strategies for the Bayesian estimator to detect the false information and defend itself from such attacks. We assume that the adversary attacks the system with certain probability, and that he/she adopts the worst possible strategy that maximizes the mean squared error (MSE) if the attack is undetected. An optimal Bayesian detector is designed which minimizes the average system estimation error instead of minimizing the probability of detection error, as a conventional Bayesian detector typically does. The case that the adversary attacks the system continuously is also studied. In this case, sparse attack strategies in multi-sensor dynamic systems are investigated from the adversary\u27s point of view. It is assumed that the defender can perfectly detect and remove the sensors once they are corrupted by false information injected by an adversary. The adversary\u27s goal is to maximize the covariance matrix of the system state estimate by the end of attack period under the constraint that the adversary can only attack the system a few times over the sensor and over the time, which leads to an integer programming problem. In order to overcome the prohibitive complexity of the exhaustive search, polynomial-time algorithms, such as greedy search and dynamic programming, are proposed to find the suboptimal attack strategies. As for greedy search, it starts with an empty set， and one sensor is added at each iteration, whose elimination will lead to the maximum system estimation error. The process terminates when the cardinality of the active set reaches to the sparsity constraint. Greedy search based approaches such as sequential forward selection (SFS), sequential backward selection (SBS), and simplex improved sequential forward selection (SFS-SS) are discussed and corresponding attack strategies are provided. Dynamic programming is also used in obtaining the sub-optimal attack strategy. The validity of dynamic programming lies on a straightforward but important nature of dynamic state estimation systems: the credibility of the state estimate at current step is in accordance with that at previous step. The problem of false information attack on and the Kalman filter\u27s defense of state estimation in dynamic multi-sensor systems is also investigated from a game theoretic perspective. The relationship between the Kalman filter and the adversary can be regarded as a two-person zero-sum game. The condition under which both sides of the game will reach a Nash equilibrium is investigated

Secure State Estimation in the Presence of False Information Injection Attacks

In this dissertation, we first investigate the problem of source location estimation in wireless sensor networks (WSNs) based on quantized data in the presence of false information attacks. Using a Gaussian mixture to model the possible attacks, we develop a maximum likelihood estimator (MLE) to estimate the source location. The Cramer-Rao lower bound (CRLB) for this estimation problem is also derived. Then, the assumption that the fusion center does not have the knowledge of the attack probability and the attack noise power investigated. We assume that the attack probability and power are random variables which follow certain uniform distributions. We derive the MLE for the localization problem. The CRLB for this estimation problem is also derived. It is shown that the proposed estimator is robust in various cases with different attack probabilities and parameter mismatch. The linear state estimation problem subjected to False Information Injection is also considered. The relationship between the attacker and the defender is modeled from a minimax perspective, in which the attacker tries to maximize the cost function. On the other hand, the defender tries to optimize the detection threshold selection to minimize the cost function. We consider that the attacker will attack with deterministic bias, then we also considered the random bias. In both cases, we derive the probabilities of detection and miss, and the probability of false alarm is derived based on the Chi squared distribution. We solve the minimax optimization problem numerically for both the cases

Secure state estimation against sensor attacks in the presence of noise

We consider the problem of estimating the state of a noisy linear dynamical system when an unknown subset of sensors is arbitrarily corrupted by an adversary. We propose a secure state estimation algorithm, and derive (optimal) bounds on the achievable state estimation error given an upper bound on the number of attacked sensors. The proposed state estimator involves Kalman filters operating over subsets of sensors to search for a sensor subset which is reliable for state estimation. To further improve the subset search time, we propose Satisfiability Modulo Theory-based techniques to exploit the combinatorial nature of searching over sensor subsets. Finally, as a result of independent interest, we give a coding theoretic view of attack detection and state estimation against sensor attacks in a noiseless dynamical system

Robust Inference in Wireless Sensor Networks

This dissertation presents a systematic approach to obtain robust statistical inference schemes in unreliable networks. Statistical inference offers mechanisms for deducing the statistical properties of unknown parameters from the data. In Wireless Sensor Networks (WSNs), sensor outputs are transmitted across a wireless communication network to the fusion center (FC) for final decision-making. The sensor data are not always reliable. Some factors may cause anomaly in network operations, such as malfunction, corruption, or compromised due to some unknown source of contamination or adversarial attacks. Two standard component failure models are adopted in this study to describe the system vulnerability: the probabilistic and static models. In probabilistic models, we consider a widely known ε−contamination model, where each node has ε probability of malfunctioning or being compromised. In contrast, the static model assumes there is up to a certain number of malfunctioning nodes. It is assumed that the decision center/network operator is aware of the presence of anomaly nodes and can adjust the operation rule to counter the impact of the anomaly. The anomaly node is assumed to know that the network operator is taking some defensive actions to improve its performance. Considering both the decision center (network operator) and compromised (anomalous) nodes and their possible actions, the problem is formulated as a two-player zero-sum game. Under this setting, we attempt to discover the worst possible failure models and best possible operating strategies. First, the effect of sensor unreliability on detection performance is investigated, and robust detection schemes are proposed. The aim is to design robust detectors when some observation nodes malfunction. The detection problem is relatively well known under the probabilistic model in simple binary hypotheses testing with known saddle-point solutions. The detection problem is investigated under the mini-max framework for the static settings as no such saddle point solutions are shown to exist under these settings. In the robust estimation, results in estimation theory are presented to measure system robustness and performance. The estimation theory covers probabilistic and static component failure models. Besides the standard approaches of robust estimation under the frequentist settings where the interesting parameters are fixed but unknown, the estimation problem under the Bayes settings is considered where the prior probability distribution is known. After first establishing the general framework, comprehensive results on the particular case of a single node network are presented under the probabilistic settings. Based on the insights from the single node network, we investigate the robust estimation problem for the general network for both failure models. A few robust localization methods are presented as an extension of robust estimation theory at the end

Securing location discovery in wireless sensor networks

Providing security for wireless sensor networks in hostile environments has a significant importance. Resilience against malicious attacks during the process of location discovery has an increasing need. There are many applications that rely on sensor nodes\u27 locations to be accurate in order to function correctly. The need to provide secure, attack resistant location discovery schemes has become a challenging research topic. In this thesis, location discovery techniques are discussed and the security threats and attacks are explained. I also present current secure location discovery schemes which are developed for range-based location discovery. The thesis goal is to develop a secure range-free location discovery scheme. This is accomplished by enhancing the voting-based scheme developed in [8, 9] to be used as the bases for developing a secure range-free location discovery scheme. Both the enhancement voting-based and the secure range-free schemes are implemented on Sun SPOT wireless sensors and subjected to various levels of location discovery attacks and tested under different sensor network scales using a simulation program developed for testing purposes

Security of Linear Control Systems

The coming decades may see the large scale deployment of networked cyber-physical systems to address global needs in areas such as energy, water, healthcare, and transportation. However, as recent events have shown, such systems are vulnerable to cyber attacks. They are not only econoically important, but being safety critical, their disruption or misbehavior can also cause injuries and loss of life. It is therefore important to secure such networked cyber-physical systems against attacks. In the absence of credible security guarantees, there will be resistance to the proliferation of cyber-physical systems, which are much needed to meet global needs in critical infrastructures and services. This study addresses the problem of secure control of networked cyber-physical systems. This problem is different from the problem of securing the communication network, since cyberphysical systems at their very essence need sensors and actuators that interface with the physical plant, and malicious agents may tamper with sensors or actuators, as recent attacks have shown. We consider physical plants that are being controlled by multiple actuators and sensors communicating over a network, where some sensors and actuators could be “malicious." A malicious sensor may not report the measurement that it observes truthfully, while a malicious actuator may not apply actuation signals in accordance with the designed control policy. In the first part of this work, we introduce, against this backdrop, the notions of securable and unsecurable subspaces of a linear dynamical system, and show that they have important operational meanings for both deterministic and stochastic linear dynamical systems in the context of secure control. These subspaces may be regarded as analogs of the controllable and unobservable subspaces reexamined in an era where there is intense interest in cybersecurity of control systems. In the second part of the work, we propose a general technique, termed “Dynamic Watermarking,” by which honest nodes in the system can detect the actions of malicious nodes, and disable closed-loop control based on their information. Dynamic Watermarking employs the technique of honest actuators injecting a “small" random noise, known as private excitation, into the system which will reveal tampering of measurements by malicious sensors. We lay the foundations for the theory for how such an active defense can be used to secure networked systems of sensors and actuators