347 research outputs found

    Context-Aware Sensor Fusion For Securing Cyber-Physical Systems

    The goal of this dissertation is to provide detection and estimation techniques in order to ensure the safety and security of modern Cyber-Physical Systems (CPS) even in the presence of arbitrary sensor faults and attacks. We leverage the fact that modern CPS are equipped with various sensors that provide redundant information about the system's state. In such a setting, the system can limit its dependence on any individual sensor, thereby providing guarantees about its safety even in the presence of arbitrary faults and attacks. In order to address the problem of safety detection, we develop sensor fusion techniques that make use of the sensor redundancy available in modern CPS. First of all, we develop a multidimensional sensor fusion algorithm that outputs a bounded fusion set which is guaranteed to contain the true state even in the presence of attacks and faults. Furthermore, we provide two approaches for strengthening sensor fusion's worst-case guarantees: 1) incorporating historical measurements as well as 2) analyzing sensor transmission schedules (e.g., in a time-triggered system using a shared bus) in order to minimize the attacker's available information and impact on the system. In addition, we modify the sensor fusion algorithm in order to provide guarantees even when sensors might experience transient faults in addition to attacks. Finally, we develop an attack detection technique (also in the presence of transient faults) in order to discard attacked sensors. In addition to standard plant sensors, we note that modern CPS also have access to multiple environment sensors that provide information about the system's context (e.g., a camera recognizing a nearby building). Since these context measurements are related to the system's state, they can be used for estimation and detection purposes, similar to standard measurements. In this dissertation, we first develop a nominal context-aware filter (i.e., with no faults or attacks) for binary context measurements (e.g., a building detection). Finally, we develop a technique for incorporating context measurements into sensor fusion, thus providing guarantees about system safety even in cases where more than half of standard sensors might be under attack

    Context-Aware Detection in Medical Cyber-Physical Systems

    This paper considers the problem of incorporating context in medical cyber-physical systems (MCPS) applications for the purpose of improving the performance of MCPS detectors. In particular, in many applications additional data could be used to conclude that actual measurements might be noisy or wrong (e.g., machine settings might indicate that the machine is improperly attached to the patient); we call such data context. The first contribution of this work is the formal definition of context, namely additional information whose presence is associated with a change in the measurement model (e.g., higher variance). Given this formulation, we developed the context-aware parameter-invariant (CA-PAIN) detector; the CA-PAIN detector improves upon the original PAIN detector by recognizing events with noisy measurements and not raising unnecessary false alarms. We evaluate the CA-PAIN detector both in simulation and on real-patient data; in both cases, the CA-PAIN detector achieves roughly a 20-percent reduction of false alarm rates over the PAIN detector, thus indicating that formalizing context and using it in a rigorous way is a promising direction for future work

    Resilient Multidimensional Sensor Fusion Using Measurement History

    This work considers the problem of performing resilient sensor fusion using past sensor measurements. In particular, we consider a system with n sensors measuring the same physical variable where some sensors might be attacked or faulty. We consider a setup in which each sensor provides the controller with a set of possible values for the true value. Here, more precise sensors provide smaller sets. Since a lot of modern sensors provide multidimensional measurements (e.g., position in three dimensions), the sets considered in this work are multidimensional polyhedra. Given the assumption that some sensors can be attacked or faulty, the paper provides a sensor fusion algorithm that obtains a fusion polyhedron which is guaranteed to contain the true value and is minimal in size. A bound on the volume of the fusion polyhedron is also proved based on the number of faulty or attacked sensors. In addition, we incorporate system dynamics in order to utilize past measurements and further reduce the size of the fusion polyhedron. We describe several ways of mapping previous measurements to current time and compare them, under different assumptions, using the volume of the fusion polyhedron. Finally, we illustrate the implementation of the best of these methods and show its effectiveness using a case study with sensor values from a real robot

    Attack-Resilient Sensor Fusion

    This work considers the problem of attack-resilient sensor fusion in an autonomous system where multiple sensors measure the same physical variable. A malicious attacker may corrupt a subset of these sensors and send wrong measurements to the controller on their behalf, potentially compromising the safety of the system. We formalize the goals and constraints of such an attacker who also wants to avoid detection by the system. We argue that the attacker’s capabilities depend on the amount of information she has about the correct sensors’ measurements. In the presence of a shared bus where messages are broadcast to all components connected to the network, the attacker may consider all other measurements before sending her own in order to achieve maximal impact. Consequently, we investigate effects of communication schedules on sensor fusion performance. We provide worst- and average-case results in support of the Ascending schedule, where sensors send their measurements in a fixed succession based on their precision, starting from the most precise sensors. Finally, we provide a case study to illustrate the use of this approach

    Attack-Resilient Sensor Fusion for Safety-Critical Cyber-Physical

    This paper focuses on the design of safe and attack-resilient Cyber-Physical Systems (CPS) equipped with multiple sensors measuring the same physical variable. A malicious attacker may be able to disrupt system performance through compromising a subset of these sensors. Consequently, we develop a precise and resilient sensor fusion algorithm that combines the data received from all sensors by taking into account their specified precisions. In particular, we note that in the presence of a shared bus, in which messages are broadcast to all nodes in the network, the attacker’s impact depends on what sensors he has seen before sending the corrupted measurements. Therefore, we explore the effects of communication schedules on the performance of sensor fusion and provide theoretical and experimental results advocating for the use of the Ascending schedule, which orders sensor transmissions according to their precision starting from the most precise. In addition, to improve the accuracy of the sensor fusion algorithm, we consider the dynamics of the system in order to incorporate past measurements at the current time. Possible ways of mapping sensor measurement history are investigated in the paper and are compared in terms of the confidence in the final output of the sensor fusion. We show that the precision of the algorithm using history is never worse than the no-history one, while the benefits may be significant. Furthermore, we utilize the complementary properties of the two methods and show that their combination results in a more precise and resilient algorithm. Finally, we validate our approach in simulation and experiments on a real unmanned ground robot

    RePulmo: A Remote Pulmonary Monitoring System

    Remote physiological monitoring is increasing in popularity with the evolution of technologies in the healthcare industry. However, the current solutions for remote monitoring of blood-oxygen saturation, one of the most common continuously monitored vital signs, either have inconsistent accuracy or are not secure for transmitting over the network. In this paper, we propose RePulmo, an open-source platform for secure and accurate remote pulmonary data monitoring. RePulmo satisfies both robustness and security requirements by utilizing hospital-grade pulse oximeter devices with multiple layers of security enforcement. We describe two applications of RePulmo, namely (1) a remote pulmonary monitoring system for infants to support the Children’s Hospital of Philadelphia (CHOP) clinical trial; (2) a proof-of-concept of a low SpO2 smart alarm system

    Sensor Attack Detection in the Presence of Transient Faults

    This paper addresses the problem of detection and identification of sensor attacks in the presence of transient faults. We consider a system with multiple sensors measuring the same physical variable, where some sensors might be under attack and provide malicious values. We consider a setup in which each sensor provides the controller with an interval of possible values for the true value. While approaches exist for detecting malicious sensor attacks, they are conservative in that they treat attacks and faults in the same way, thus neglecting the fact that sensors may provide faulty measurements at times due to temporary disturbances (e.g., a tunnel for GPS). To address this problem, we propose a transient fault model for each sensor and an algorithm designed to detect and identify attacks in the presence of transient faults. The fault model consists of three aspects: the size of the sensor's interval (1) and an upper bound on the number of errors (2) allowed in a given window size (3). Given such a model for each sensor, the algorithm uses pairwise inconsistencies between sensors to detect and identify attacks. In addition to the algorithm, we provide a framework for selecting a fault model for each sensor based on training data. Finally, we validate the algorithm's performance on real measurement data obtained from an unmanned ground vehicle

    Robust Localization Using Context-Aware Filtering

    In this paper we develop a robot localization technique that incorporates discrete context measurements, in addition to standard continuous state measurements. Context measurements provide binary information about detected events in the robot’s environment, e.g., a building is recognized using image processing or a known radio station is received. Such measurements can only be detected from certain positions and can, therefore, be correlated with the robot’s state. We investigate two specific examples where context measurements are especially useful – an urban localization scenario where GPS measurements are not reliable as well as the capture of the RQ-170 Sentinel drone in Iran, where GPS measurements were spoofed. By focusing on a specific class of probability of context detection functions, we derive a closed-form Gaussian mixture filter that is precise, captures context, and has the theoretical properties of the Kalman filter. Finally, we provide simulations of the urban localization scenario with an unmanned ground vehicle and show that the proposed context-aware filter is more robust and more accurate than the conventional extended Kalman filter, which only uses continuous measurements

    Robust Estimation Using Context-Aware Filtering

    This paper presents the context-aware filter, an estimation technique that incorporates context measurements, in addition to the regular continuous measurements. Context measurements provide binary information about the system’s context which is not directly encoded in the state; examples include a robot detecting a nearby building using image processing or a medical device alarming that a vital sign has exceeded a predefined threshold. These measurements can only be received from certain states and can therefore be modeled as a function of the system’s current state. We focus on two classes of functions describing the probability of context detection given the current state; these functions capture a wide variety of detections that may occur in practice. We derive the corresponding context-aware filters, a Gaussian Mixture filter and another closed-form filter with a posterior distribution whose moments are derived in the paper. Finally, we evaluate the performance of both classes of functions through simulation of an unmanned ground vehicle