Static Output Feedback Predictive Control for Cyber-Physical System under Denial of Service Attacks

College of Electrical and Information Engineering, Lanzhou University of Technology, Lanzhou 730050, China Key Laboratory of Gansu Advanced Control for Industrial Processes, Lanzhou University of Technology, Lanzhou 730050, China National Demonstration Centre for Experimental Electrical and Control Engineering Education, Lanzhou University of Technology, Lanzhou 730050, China College of Engineering, Qufu Normal University, Qufu 273100, China


Introduction
e rapid development of CPS is attributed to the strong integration among computation, communication, and control technology, in which CPS has received considerable attention in the past decades. Taking advantage of low cost and flexible network architecture, it has been widely applied in some engineering fields such as smart grid, healthcare, and water/gas distribution and industrial process control [1][2][3].
Due to the capacity of connecting deeply integration physical plants and cyber elements in an unprecedented way, CPS offers ample opportunities for malicious threats to launch attacks. e applications of next-generation information technologies such as big data, cloud computing, and Internet of ings greatly provide performance improvements for physical systems but at the same time introduce more risks which make physical isolation more difficult to implement. erefore, how to ensure the safe operation and preserve the control performance under malicious attacks are the basic security issues in CPS. In fact, CPS has realized more complex and high-risk industrial process control through the transmission of information in the heterogeneous network [4]. However, the vulnerability of open communication networks, as the key components of society safety-critical infrastructures in CPS, increases the severity of such malicious cyber-attacks in [5], which can menace the control systems. ere have been an increasing number of cyber-attacks on power grids reported worldwide. For instance, a devastating cyber-attack on the power station brought down the information flow from the physical process to the remote management system, which plunges 225,000 people into blackout in Ukraine [6]. Besides, the "Stuxnet", an advanced computer worm virus, intruded the nuclear facility and caused severe damage in Iran [7]. ese facts show the serious economic loss and severe social detriment attacked by malicious network in CPS, which has attracted extensive attention of many scholars [8][9][10]. e typical network attacks in CPS are categorized as deceptive attack, false data injection attack and DoS attack in [11].
e DoS attack, a more reachable attack pattern, prevents the exchange of information for the adversary, while the false data injection attack affects the data integrity of packets by modifying their payloads in [12]. e essence of DoS attack is that the measurement state or the control signal transmitted through the wireless communication network is blocked, which results in the fact that the information update is not timely and complete. us, the DoS attack focuses on deteriorating the system performance and even leads to system instability. One of the main issues under DoS attacks in CPS is the packet dropout phenomenon [13]. It should be pointed out that information data can be transmitted in a "packet", which implies sending a sequence of control prediction in one data packet and then selecting the appropriate one corresponding to the current network condition to compensate the packet dropout. In this case, the SOFP control strategy has been proposed in this paper.
In many existing works, various efforts have been devoted to the security control influenced by DoS attacks. Some of the literatures focused on the effects of networkinduced delays. Many methods for the delay issue have been done in [14][15][16]. Some other literatures show that a large number of the approaches have been investigated to alleviate the severe impact influenced by packet dropouts. A defence strategy is proposed to deal with the information flow which congests the transmission signal between the sensor and the controller against DoS attacks on the multichannel CPS in [17]. In addition, some necessary scheduling algorithms are proposed to ensure transmission security when control plants can gain access to the network at each sampling instant because of the limitation of network bandwidth. If there is no optimal scheduling algorithm in CPS design, the packet dropout in smaller sampling frequency should be considered. at is, it not only ensures the system is schedulable and guarantees that the overall CPS is stable. en, the relationship based applicable scheduling algorithm design between the packet dropout rate and the stability of the closed-loop system should be established, and the corresponding controllers design procedures to make the closed-loop system stability should be given. As stated in [18][19][20], such as the stochastic system and the switching system method, some effective strategies are employed to address the model and control issues with packet dropout.
e networked system with arbitrary and finite packet loss is modelled as a switching system, and the design control method of state feedback is proposed in [21]. Furthermore, by using the measured output information, a token-dependent static output feedback SMC is designed in [22]. By only considering attacks in the backward channels in [23,24], the security control is established to address attack-induced severe packet dropout. Notice that both-side communication with arbitrary packet dropout caused by attacks is more realistic in the practical attack pattern and the state feedback controller is given in [25].
Motivated by the fact that not all states are available and only the latest received output measurements can be obtained at the controller, the SOFP control strategy is proposed to deal with the security control problem. In contrast with the existing results, the main contributions of this paper can be summarised as follows: (1) A novel switching system model is established to characterize the security properties of CPS under DoS attacks. Different from [26], only limited output measurements are used to design the security controller in this paper. (2) Only the latest received measurements are used to design the proposed predictive control gains. Compared with traditional model predictive control methods, the proposed security control strategy will predict their future control gains rather than state prediction. e remainder of this paper is organized as follows. Section 2 gives the problem formulations with the proposed SOFP control strategy by considering the energy-limited DoS attacks. Section 3 is presented in the security analysis, which infers the stability criterion to guarantee the security performance. e SOFP controller is designed in Section 4, and a simulation example is shown in Section 5 to illustrate the feasibility of the desired controller. And finally, Section 6 concludes this paper.
Notation: R n and R m denote the n-dimensional and mdimensional Euclidean space, respectively. R n×m is the set of n × m real matrices. e superscript "T" stands for matrix transposition. e notation X > 0 means that the matrix X is real symmetric positive definite.

System Framework.
e structure of SOFP control considered in this paper is shown in Figure 1, where the studied CPS is composed by the sensor, controller, buffer, and actuator. e SOFP control strategy against attack-induced severe packet dropout is that the controller receives all the measurement outputs from sensor and calculates the sequence of control inputs, which transmits to the buffer simultaneously. en, the actuator selects the corresponding control value from [u(t h ) T , u(t h + 1) T , . . . , u(t h + τ) T ] T and delivers appropriate control inputs to the plant, which can compensate the arbitrary packet dropouts caused by DoS attacks.
Consider a discrete-time linear system described by where t + 1 ≜ (t + 1)T, T represents the sampling period, x(t) ∈ R n and u(t) ∈ R m are the system state and control input, respectively, and A,B are real matrices of appropriate dimensions.
To make the proposed method more suitable for practical network attacks, the DoS attacks behaviours considered energy constraints are presented as where τ is the attack duration and h n is the instant transition time of the attack state. As shown in Figure 2, "↑" denotes that the DoS is converted to the attack state and "↓" indicates that the DoS is the end of the attack process. When τ ∈ R ≥ 0, the DoS launches a limited attack with the duration of τ (τ � 0 is a pulse attack only).
To clearly describe the energy-limited characteristics of DoS attacks in this paper, the following assumption is given.
e maximum packet dropouts of consecutive DoS attacks are bounded with N. Remark 1. In practice, the attackers gradually run out of energy because of an inherent characteristic of energy constraints [27]. Based on this reliable fact, it is reasonable to consider that the packet dropouts of consecutive DoS attacks are bounded. Furthermore, to achieve predictive compensation for packet dropout, a data buffer is involved at the controller side to record recently successfully transmitted data packets.

Switching Model under DoS Attacks.
Suppose that the controller latest received the value of process output y(t h ) at time t h , then the predictive control based on output feedback control law is given by where t h + τ ≜ (t h + τ)T, t h stands for the switching instant time, and τ � 0, 1, . . . , σ(t h ) is a time-varying switching signal which takes the value in a finite set τ ∈ Z ≜ 0, 1, . . . , N { }. e packet-based transmission mechanism in CPS determines that the corresponding control input at time t h , t h + 1, . . . , t h + τ is u(t h ), u(t h + 1), . . . , u(t h + τ), respectively. It is known that the neighboring two switching points have the following relation: erefore, the evolution law of dynamics can be described by the following N + 1 cases: Case 1. One-step packet dropout(σ(t h ) � 1): Case N: N-steps packets dropouts (σ(t h ) � N): According to (5)-(7), model (1) with SOFP control strategy can be transformed into the following closed-loop system included N-steps packet dropouts: where Φ i � A i+1 + i l�0 A l BG i−l C. It illustrates the essential characteristics of the proposed SOFP control strategy, that is, the state is unchanged and the controller gain is changed.

Stability Analysis
In this section, the security analysis based SOFP strategy is given with some mathematical derivations. e following necessary definition and lemmas are introduced.
holds, the CPS (1) is said to be exponentially stable, where x(0) ∈ R n is an arbitrary initial value.
Lemma 1 (see [27]). For an arbitrary matrix Ψ ∈ R n×n and an arbitrary vector x ∈ R n , the following inequality, holds, where λ min and λ max are the minimum singular value and the maximum singular value, respectively, of Ψ. Based on the above, the following theorem gives criteria for system exponentially stable with arbitrary switching characteristics under DoS attacks. Theorem 1. For some given scalars 0 < λ i < 1, μ > 0, if there exist matrices P i > 0, such that the following inequalities, hold, then the system (8) will be exponentially stable with the decay rate 2(N+2) � ρ √ .
Proof. Choose the following Lyapunov function: erefore, it is derived from (14) at time t h+1 that en, pre-and post-multiplying inequality (11) by x T (t h ) and x(t h ), one has Substituting the function (14) and (15) into (16), we have, Similarly, Suppose that one-step packet dropout at time t h+1 and t h+2 caused by DoS attacks, respectively. us, we obtain that Utilizing (12) and (18) together leads to Define ρ � μλ σ(t h+1 ) , then the above law (21) can be written as en, it is concluded from (13) and (14) that which implies that the system will be stable in x(t) { }. Notice that the system should not only be stable in the discrete regions x(t) { } but also converge to the subset x(t d,h ) after dT sampling periods. erefore, by Lemma 1, we obtain by induction that the following inequality holds: Based on the above analysis, the closed-loop switching system (8) tends to be exponentially stable and then the exponential decay rate is obtained.
It is deduced from (19) that Further, it is easy to see that It is derived from (22) that where η 1 and η 2 are the minimum singular value and the maximum singular value, respectively, of P. erefore, it is easy to know from (28) that Substituting (24) into (29), it can be found that Meanwhile, t d,h+2 , t h+2 , and t + 2 have the following relations: 4 Mathematical Problems in Engineering t h+2 ≤ (N + 1)(t + 2). (31) where h + 2 ≥ N. It is clearly deduced from (31) and (32) that t h+2 Because of ρ < 1, the following inequalities hold.
where h + 2 ≥ N. Finally, we can further obtain from (34) and (35) that, for an arbitrary instant time t, the following inequality, holds. e proof is thus completed.

Control Design of SOFP
In this section, the SOFP control sequence based on eorem 1 is derived below.
Proof. According to the stability condition of the discretetime linear system, for matrices A, P > 0, the following inequality, holds, if and only if there exists a matrix Ψ such that erefore, the inequality (11) will be held if there exists a matrix Ψ such that the following inequality, holds. Based on this fact, the controller can be easily obtained below. Define X � Ψ −1 and Ω i � X T P i X. en pre-and postmultiplying inequality (42) by diag Ψ −T , Ψ −T and Ω i � X T P i X (notice from (41) that the matrix Ψ is invertible), one has Substituting (5)- (7) into (43), It can be found that the inequalities (44) and (37) in eorem 2 are equivalent. Meanwhile, the inequality (38) in eorem 2 is derived by pre-and post-multiplying X T , X for P α < μP β , ∀α, β ∈ Z.
is completes the proof. However, the above inequalities still cannot be solved due to the coupling nonlinear item ABGCX. In order to deal with such items, eorem 3 transformed nonlinear item is presented. □ Theorem 3. For given scalars 0 < λ i < 1, ε > 0, if there exist matrices X, Ω i , and P i > 0, full rank matrix M, and any matrix V of appropriate dimensions such that the following inequalities, where Proof. It is deduced from (44) that C � M −1 CX. By replacing G τ CX with V τ C, we can easily obtain the above result with G τ � V τ M −1 which completes this proof.

Simulation Example
In this section, an inverted pendulum control system is presented to illustrate the proposed security method with the SOFP control strategy. e plant model is described as Mathematical Problems in Engineering mg l sin ϕ � m d 2 dt 2 (y + l sin ϕ)l cos ϕ, and the inverted pendulum system is shown in Figure 3. Based on the above inequality, the initial state variables of the system can be defined as To make the description simpler, the inverted pendulum control system takes the following parameters, which are given in Table 1.

Mathematical Problems in Engineering
Let the sampling period T � 0.01s, then the discrete-time model of the inverted pendulum is given as where A �  In the simulation settings, by selecting δ � 0.85, μ � 1, e initial condition is set to be x 0 � 10 0 0 0 T and the simulation time is chosen as t ∈ 0 10 . en, the stabilization control law in eorem 3 can be resorting to LMI toolbox in MATLAB. Suppose that the maximum number of packet dropouts is N � 3 under the worst attacks in this simulation example. erefore, the corresponding gain G � −3.7808 1.9434 is obtained. Meanwhile, the distribution of DoS attacks is shown in Figure 4.
Case I. DoS-free case: e state responses of the system (49) with the designed controller under DoS-free case are shown in Figure 5, in which the stability of the studied is verified. It is worth noting that the angle value in Figures 5-7 has been reduced by one tenth in order to make a more intuitive comparison between the angle and position curves. Case II. DoS attacks case: In the second scenario, the designed controller in Case I is still used. Under the DoS attacks in Figure 4, the state responses of the system (49) are depicted in Figure 6. It is evident that the angle and position states of the inverted pendulum system are not convergent, in which state responses are presented in a worse performance. us, one can see that the switching system is unstable when there are no SOFP control inputs to confront uncertain packet dropouts caused by DoS attacks. Case III: DoS attacks migration with SOFP e third scenario considered the SOFP control strategy. In such case, the corresponding output feedback gain G against the worst attacks is employed to ensure system stability and maintain the desired control performance. Similarly, we can obtain the following in Figure 7.
Based on the angle and position curves, the proposed method is effective, as the control strategy demonstrates that the closed-loop system is stable with bounded packet dropouts. One can see that the system performance is better than the one without predictive control. As a result, the proposed packet-based compensation control method has certain robustness and security.
According to the simulation examples shown above, it can be summarised that the designed controller is stable against DoS attacks and the feasibility of the proposed designing method is verified.

Conclusion
In this paper, a novel predictive control strategy is proposed to cope with packet dropouts caused by DoS jamming attacks. Firstly, the discrete-time switched linear control system is formulated to characterize the properties of CPS under DoS attacks. en, the stability criterion is derived, and the predictive control sequences have been given by LMIs. Finally, the corresponding simulation example results have shown the validity of the SOFP control method.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this article.