33 research outputs found
Learning-based attacks in cyber-physical systems
We introduce the problem of learning-based attacks in a simple abstraction of
cyber-physical systems---the case of a discrete-time, linear, time-invariant
plant that may be subject to an attack that overrides the sensor readings and
the controller actions. The attacker attempts to learn the dynamics of the
plant and subsequently override the controller's actuation signal, to destroy
the plant without being detected. The attacker can feed fictitious sensor
readings to the controller using its estimate of the plant dynamics and mimic
the legitimate plant operation. The controller, on the other hand, is
constantly on the lookout for an attack; once the controller detects an attack,
it immediately shuts the plant off. In the case of scalar plants, we derive an
upper bound on the attacker's deception probability for any measurable control
policy when the attacker uses an arbitrary learning algorithm to estimate the
system dynamics. We then derive lower bounds for the attacker's deception
probability for both scalar and vector plants by assuming a specific
authentication test that inspects the empirical variance of the system
disturbance. We also show how the controller can improve the security of the
system by superimposing a carefully crafted privacy-enhancing signal on top of
the "nominal control policy." Finally, for nonlinear scalar dynamics that
belong to the Reproducing Kernel Hilbert Space (RKHS), we investigate the
performance of attacks based on nonlinear Gaussian-processes (GP) learning
algorithms
Information Flow for Security in Control Systems
This paper considers the development of information flow analyses to support
resilient design and active detection of adversaries in cyber physical systems
(CPS). The area of CPS security, though well studied, suffers from
fragmentation. In this paper, we consider control systems as an abstraction of
CPS. Here, we extend the notion of information flow analysis, a well
established set of methods developed in software security, to obtain a unified
framework that captures and extends system theoretic results in control system
security. In particular, we propose the Kullback Liebler (KL) divergence as a
causal measure of information flow, which quantifies the effect of adversarial
inputs on sensor outputs. We show that the proposed measure characterizes the
resilience of control systems to specific attack strategies by relating the KL
divergence to optimal detection techniques. We then relate information flows to
stealthy attack scenarios where an adversary can bypass detection. Finally,
this article examines active detection mechanisms where a defender
intelligently manipulates control inputs or the system itself in order to
elicit information flows from an attacker's malicious behavior. In all previous
cases, we demonstrate an ability to investigate and extend existing results by
utilizing the proposed information flow analyses
Detection of replay attacks in cyber-physical systems using a frequency-based signature
This paper proposes a frequency-based approach for the detection of replay attacks affecting cyber-physical systems (CPS). In particular, the method employs a sinusoidal signal with a time-varying frequency (authentication signal) into the closed-loop system and checks whether the time profile of the frequency components in the output signal are compatible with the authentication signal or not. In order to carry out this target, the couplings between inputs and outputs are eliminated using a dynamic decoupling technique based on vector fitting. In this way, a signature introduced on a specific input channel will affect only the output that is selected to be associated with that input, which is a property that can be exploited to determine which channels are being affected. A bank of band-pass filters is used to generate signals whose energies can be compared to reconstruct an estimation of the time-varying frequency profile. By matching the known frequency profile with its estimation, the detector can provide the information about whether a replay attack is being carried out or not. The design of the signal generator and the detector are thoroughly discussed, and an example based on a quadruple-tank process is used to show the application and effectiveness of the proposed method.Peer ReviewedPostprint (author's final draft
Attack-Resilient Supervisory Control of Discrete-Event Systems
In this work, we study the problem of supervisory control of discrete-event
systems (DES) in the presence of attacks that tamper with inputs and outputs of
the plant. We consider a very general system setup as we focus on both
deterministic and nondeterministic plants that we model as finite state
transducers (FSTs); this also covers the conventional approach to modeling DES
as deterministic finite automata. Furthermore, we cover a wide class of attacks
that can nondeterministically add, remove, or rewrite a sensing and/or
actuation word to any word from predefined regular languages, and show how such
attacks can be modeled by nondeterministic FSTs; we also present how the use of
FSTs facilitates modeling realistic (and very complex) attacks, as well as
provides the foundation for design of attack-resilient supervisory controllers.
Specifically, we first consider the supervisory control problem for
deterministic plants with attacks (i) only on their sensors, (ii) only on their
actuators, and (iii) both on their sensors and actuators. For each case, we
develop new conditions for controllability in the presence of attacks, as well
as synthesizing algorithms to obtain FST-based description of such
attack-resilient supervisors. A derived resilient controller provides a set of
all safe control words that can keep the plant work desirably even in the
presence of corrupted observation and/or if the control words are subjected to
actuation attacks. Then, we extend the controllability theorems and the
supervisor synthesizing algorithms to nondeterministic plants that satisfy a
nonblocking condition. Finally, we illustrate applicability of our methodology
on several examples and numerical case-studies