On Reachable Sets of Hidden CPS Sensor Attacks
For given system dynamics, observer structure, and observer-based
fault/attack detection procedure, we provide mathematical tools -- in terms of
Linear Matrix Inequalities (LMIs) -- for computing outer ellipsoidal bounds on
the set of estimation errors that attacks can induce while maintaining the
alarm rate of the detector equal to its attack-free false alarm rate. We refer
to these sets as hidden reachable sets. The obtained ellipsoidal bounds on
hidden reachable sets quantify the attacker's potential impact when it is
constrained to stay hidden from the detector. We provide tools for minimizing
the volume of these ellipsoidal bounds (minimizing thus the reachable sets) by
redesigning the observer gains. Simulation results are presented to illustrate
the performance of our tools.
Characterization of Model-Based Detectors for CPS Sensor Faults/Attacks
A vector-valued model-based cumulative sum (CUSUM) procedure is proposed for
identifying faulty/falsified sensor measurements. First, given the system
dynamics, we derive tools for tuning the CUSUM procedure in the fault/attack
free case to fulfill a desired detection performance (in terms of false alarm
rate). We use the widely-used chi-squared fault/attack detection procedure as a
benchmark to compare the performance of the CUSUM. In particular, we
characterize the state degradation that a class of attacks can induce in the
system while enforcing that the detectors (CUSUM and chi-squared) do not raise
alarms. In doing so, we find the upper bound on the state degradation that an
undetected attacker can cause. We quantify the advantage of using a
dynamic detector (CUSUM), which leverages the history of the state, over a
static detector (chi-squared), which uses a single measurement at a time.
Simulations of a chemical reactor with a heat exchanger are presented to
illustrate the performance of our tools.
Comment: Submitted to IEEE Transactions on Control Systems Technolog
A Comparison of Stealthy Sensor Attacks on Control Systems
As more attention is paid to security in the context of control systems and
as attacks occur against real control systems throughout the world, it has become
clear that some of the most nefarious attacks are those that evade detection.
The term stealthy has come to encompass a variety of techniques that attackers
can employ to avoid detection. Here we show how the states of the system (in
particular, the reachable set corresponding to the attack) can be manipulated
under two important types of stealthy attacks. We employ the chi-squared fault
detection method and demonstrate how this imposes a constraint on the attack
sequence either to generate no alarms (zero-alarm attack) or to generate alarms
at a rate indistinguishable from normal operation (hidden attack).
Tuning Windowed Chi-Squared Detectors for Sensor Attacks
A model-based windowed chi-squared procedure is proposed for identifying
falsified sensor measurements. We employ the widely-used static chi-squared and
the dynamic cumulative sum (CUSUM) fault/attack detection procedures as
benchmarks to compare the performance of the windowed chi-squared detector. In
particular, we characterize the state degradation that a class of attacks can
induce in the system while enforcing that the detectors do not raise alarms
(zero-alarm attacks). We quantify the advantage of using dynamic detectors
(windowed chi-squared and CUSUM detectors), which leverage the history of the
state, over a static detector (chi-squared), which uses a single measurement at
a time. Simulations using a chemical reactor are presented to illustrate the
performance of our tools.
Centralized Versus Decentralized Detection of Attacks in Stochastic Interconnected Systems
We consider a security problem for interconnected systems governed by linear,
discrete, time-invariant, stochastic dynamics, where the objective is to detect
exogenous attacks by processing the measurements at different locations. We
consider two classes of detectors, namely centralized and decentralized
detectors, which differ primarily in their knowledge of the system model. In
particular, a decentralized detector has a model of the dynamics of the
isolated subsystems, but is unaware of the interconnection signals that are
exchanged among subsystems. In contrast, a centralized detector has a model of the
entire dynamical system. We characterize the performance of the two detectors
and show that, depending on the system and attack parameters, each of the
detectors can outperform the other. In particular, it may be possible for the
decentralized detector to outperform its centralized counterpart, despite
having less information about the system dynamics, and this surprising property
is due to the nature of the considered attack detection problem. To complement
our results on the detection of attacks, we propose and solve an optimization
problem to design attacks that maximally degrade the system performance while
maintaining a pre-specified degree of detectability. Finally, we validate our
findings via numerical studies on an electric power system.
Comment: Submitted to IEEE Transactions on Automatic Control (TAC
Causality and Temporal Dependencies in the Design of Fault Management Systems
Reasoning about causes and effects naturally arises in the engineering of
safety-critical systems. A classical example is Fault Tree Analysis, a
deductive technique used for system safety assessment, whereby an undesired
state is reduced to the set of its immediate causes. The design of fault
management systems also requires reasoning on causality relationships. In
particular, a fail-operational system needs to ensure timely detection and
identification of faults, i.e. recognize the occurrence of run-time faults
through their observable effects on the system. Even more complex scenarios
arise when multiple faults are involved and may interact in subtle ways.
In this work, we propose a formal approach to fault management for complex
systems. We first introduce the notions of fault tree and minimal cut sets. We
then present a formal framework for the specification and analysis of
diagnosability, and for the design of fault detection and identification (FDI)
components. Finally, we review recent advances in fault propagation analysis,
based on the Timed Failure Propagation Graphs (TFPG) formalism.
Comment: In Proceedings CREST 2017, arXiv:1710.0277