Stealthy attacks on cyber-physical systems (CPS) are attacks that evade the detection mechanisms added to such systems, typically in the form of anomaly detectors. Various types of stealthy attacks have been reported in the literature. Among them, a recently reported multiplicative coordinated attack is particularly dangerous in that it corrupts sensor and actuator data in a coordinated manner and does not require precise system knowledge in order to be stealthy. It must be noted that most of these attacks are applicable to CPS whose physical counterparts have linear dynamics. This could be a limitation, since most of the physical dynamic systems encountered from a CPS perspective are nonlinear. In this work, we present a version of the multiplicative coordinated stealthy attack for a class of CPS whose physical counterpart possesses nonlinear dynamics. Specifically, for physical systems with the homogeneity property, the attack is constructed and its effect is analyzed. Various simulations are carried out to illustrate the effect of the attack.
The improvement of computing power in embedded systems and significant advances of communication and network technologies have created a new field of cyber-physical systems (CPS) which tightly integrate physical and cyber components. Over the past years, CPS has emerged as an important paradigm to design large-scale distributed systems such as electric power grid systems, water distribution systems, and smart vehicular systems [
For developing countermeasures for the known attacks [
Fortunately, the existing attack methods reported in [
Recently, a notable stealthy attack mechanism capable of overcoming the said restrictions was developed in [
The main research interest of this paper is to show that a multiplicative coordinated stealthy attack is applicable to CPS with nonlinear physical plants that have the homogeneity property, and to carry out the relevant analysis. We show that the multiplicative coordinated attack is capable of forcing the states of the target system far away from the desired trajectories without being detected. Attackers only need to know the homogeneity degrees of the target systems. The attack can be realized even if the attackers have incorrect information about the physical plant and insufficient knowledge of the controller and the anomaly detector. The comparison with existing attacks (e.g., replay attack and false data injection attack) emphasizes that the multiplicative coordinated attack is particularly dangerous. Finally, two methods capable of detecting multiplicative coordinated stealthy attacks are briefly discussed and demonstrated through simulations.
It should be noted that the security problem of the nonlinear dynamical systems has been rarely discussed in [
The rest of this paper is organized as follows. In Section
Before presenting a stealthy attack method for nonlinear homogeneous systems, we introduce the basic definitions of homogeneity and its properties. The notion of homogeneity was first introduced in [
For fixed coordinates
Now, by using the dilation, we can define the homogeneous function. Definition 2 gives the definition of a homogeneous function, and Lemma 1 states a property of homogeneous functions.
A function
Let
In the next section, we first introduce a CPS and focus on the attack scenario where physical plants are remotely controlled via an unreliable communication network and the attackers can penetrate that network without any restriction. Next, we show that a coordinated attack method can be applied to nonlinear physical plants with the homogeneity property.
In this subsection, we briefly discuss a common CPS including a physical plant, a controller, and an anomaly detector. First consider a class of the controllable canonical nonlinear plants on the physical layer which is given by
Next, we consider a controller given by
Before introducing the anomaly detector, we assume that (
There exists a diffeomorphism function
For monitoring the system behavior of (
Define
Unlike linear systems, the observability of the nonlinear system depends on the control input
A smart attacker may hope to corrupt the physical plant of (
In Definition 3, (
In our attack scenario, several assumptions are required to achieve (
The nonlinear functions in (
There exists a Lyapunov function
The system outputs and control inputs are available to the malicious attackers.
The reference is not identically zero.
CPS operates in a steady state during attack period.
Assumption 2 indicates that we only consider nonlinear systems with the homogeneity property. Note that all linear systems satisfy the homogeneity property. Assumption 3 indicates that for the feedback system of (
Based on Assumption 4, the malicious attackers can inspect the measurements in real time and can determine whether Assumption 5 and Assumption 6 are satisfied. If the intercepted measurements remain at a nonzero constant value for a long period, the CPS is operating in a steady state and the attacks can occur.
Under Assumptions 1, 2, 3, 4, 5, and 6, we introduce the multiplicative coordinated attack posed on the cyber layer. The attack signals selected by attackers take the multiplicative form given by
Now, using (
Without loss of generality, for guaranteeing the stealthiness, the received output should have the value identical with the attack-free output, i.e.,
Then, Assumption 2 and (
Then, (
Let Assumptions 1, 2, 3, 4, 5, and 6 hold. The stealthy and effective attack for (
see Appendix
The multiplicative coordinated attack in Theorem 1 has the stealthy property of (
In a practical view, the attackers may have to consider the saturation of systems [
Let Assumptions 1, 2, 3, 4, 5, and 6 hold. If the control input stays at zero, malicious attackers can choose a stealthy and effective attack signal as
see Appendix
The method in Corollary 1 implies that the attackers may compromise (
It is worth noting that the stealthy attack technique for the linear systems can also be verified from Theorem 1. We define the linear system as
Let Assumptions 1, 3, 4, 5, and 6 hold. The stealthy and effective attack for linear systems in (
see [
When the attackers compromise linear systems, no model knowledge of the system dynamics is required. However, for stealthy attacks on nonlinear systems, the attackers may need minimal knowledge of the homogeneity degrees of the nonlinear dynamics.
Until now, we presented the attack methods for the specific systems which have the forms of (
It is worth noting that the multiplicative coordinated stealthy attack may not be easily detected by the existing watermarking detection methods. This is because the response of the probing signals can be obtained without any modification under the attack. Comparing with the replay attacks being easily detected by the probing signals [
From attacker’s perspective, we introduce several efficient attack methods. Below is, for the nonlinear systems, the extended version of the linear attack method introduced in [
When the attacks occur, the abrupt changes of the control input and system output may incur the poor transient performance such as the peaking phenomenon of undershoot or overshoot [
In order to destroy the nonlinear systems (
In this section, we conduct various simulations and study the multiplicative coordinated stealthy attack. Let us consider a nonlinear forced physical system given by
The homogeneous degrees of (
The simulation results are shown in Figure
Simulation results of (
For the system of (
Attack impacts
In this simulation, it needs to be emphasized that the attackers may have imprecise model knowledge about (
In this section, we show that the multiplicative coordinated stealthy attack may be more dangerous than the replay attack. For the demonstration, the nonlinear system of (
We design a controller capable of tracking
The anomaly detector identical with (
The results are shown in Figure
Simulation results of (
For clarity, we show the simulation result for the replay attack. It is assumed that the output is recorded from 20 s until 80 s for the replay attack and the recorded output is injected after 90 s. As expected, the recorded output shown in Figure
Simulation result of replay attack.
In addition, we conduct comparison with the false data injection (sensor) attack [
Simulation results of false data injection attack. (a) Reference and corrupted output. (b) Residue signal.
Consider a nonlinear system given by
The nonlinear system in (
Now, the attackers can compromise (
Simulation results of (
It is worth noting that in order to demonstrate the effectiveness of the attack, the experiment using a quadrotor called AR-drone was conducted in [
Although this paper mainly focuses on how to formulate the attack signals, proposing detection methods for the multiplicative coordinated stealthy attack is also worthwhile. In this section, we briefly suggest two detection methods: one using smart sensors and one eliminating the homogeneity property.
Using a detection method introduced in [ Before transmitting the sensor measurements After the transmission, data receivers construct the transmitted signal for securing original signal by subtracting
For clarity, we mathematically represent the transmitted signal
If the multiplicative coordinated attack does not occur, the receiver secures the original signal, i.e.,
However, when the transmitted signal
Eliminating the homogeneity property may serve as another detection method. We propose modifying the system dynamics by augmenting new nonlinear dynamics that the attackers are not aware of with (
If the system designers can reconfigure (
Now, we validate the effectiveness of the detection method using smart sensors and consider the systems of Example 1 again. We conduct simulations for several
Attack detection results for several
Attack detection results for several
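The smart-sensor check described above can be reproduced on a toy loop. The following Python simulation is an added example, not the authors' code: the scalar linear plant, the PI gains, the sinusoidal secret offset, the alarm threshold, and the scaling factor `alpha` are assumptions, and the channel scaling is applied for the whole run from a zero initial state so that the scaled and nominal trajectories coincide exactly.

```python
import math

A, B = 0.9, 0.1      # assumed plant: x[k+1] = A*x[k] + B*u[k], output y = x
KP, KI = 0.5, 0.1    # assumed PI controller gains
REF = 1.0            # nonzero constant reference
THRESHOLD = 1e-3     # assumed alarm threshold on the residual


def run(alpha, secret_amp, steps=300):
    """Simulate the loop and return (peak |residual|, final true state).

    alpha scales the actuator channel and 1/alpha the sensor channel
    (alpha = 1.0 means untampered channels). secret_amp is the amplitude
    of the offset the sensor adds before transmission and the receiver
    subtracts afterwards (0.0 disables the smart-sensor check).
    """
    x = x_hat = integ = peak = 0.0
    for k in range(steps):
        s = secret_amp * math.sin(0.3 * k)   # secret shared by sensor and receiver
        sent = x + s                         # sensor masks the measurement
        received = sent / alpha              # sensor channel scaled in transit
        y = received - s                     # receiver removes the secret
        peak = max(peak, abs(y - x_hat))     # residual seen by the anomaly detector
        err = REF - y
        integ += KI * err
        u = KP * err + integ                 # command computed from the received output
        x_hat = A * x_hat + B * u            # detector model driven by the command
        x = A * x + B * (alpha * u)          # plant driven by the scaled command
    return peak, x


def alarm(alpha, secret_amp):
    """True if the anomaly detector's residual crosses THRESHOLD."""
    return run(alpha, secret_amp)[0] > THRESHOLD


if __name__ == "__main__":
    for alpha, amp in [(1.0, 0.0), (2.0, 0.0), (1.0, 0.05), (2.0, 0.05)]:
        peak, x = run(alpha, amp)
        print(f"alpha={alpha} secret={amp}: peak residual={peak:.4f}, "
              f"final state={x:.3f}, alarm={alarm(alpha, amp)}")
```

Without the offset the residual stays at zero while the true state settles at `alpha` times the reference; with the offset the residual equals (1/alpha - 1) times the secret, so the detector fires without raising false alarms on untampered channels.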
The multiplicative coordinated stealthy attack was developed for corrupting homogeneous nonlinear systems. We analyzed the attack and demonstrated its danger through several simulations. Detection methods were also briefly discussed. We hope that these research results will contribute to CPS security.
The limitations of the current study are summarized as follows. This paper only considers single-input single-output nonlinear systems. Extending the multiplicative coordinated attack to multiple-input multiple-output dynamics is left for future work. Finally, although this work conceives a method of attack design, the discussion of countermeasures is limited. A more comprehensive detection method will be necessary.
We show that (
Define
Define estimation error as
The following proof is based on [
By choosing a unique positive definite solution
Next, we show that (
This shows that choosing proper
Since the input signal is zero in a steady state, we have, from (
This shows that no stealthy condition is formulated for
The data used to support the findings of this study are included within the article.
A preliminary version of this manuscript, i.e., [
The authors declare that they have no conflicts of interest.
This work was partly supported by the Institute for Information and Communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (2014-0-00065, Resilient Cyber-Physical Systems Research) and partly supported by the Global Research Laboratory Program through the National Research Foundation of Korea (NRF-2013K1A1A2A02078326). This work was also supported by the DGIST R&D Programs of the Ministry of Science and ICT (18-ST-02 and 18-EE-01).