Takagi–Sugeno Fuzzy Control for a Nonlinear Networked System Exposed to a Replay Attack

This article investigates the stabilization problem of a nonlinear networked control system (NCS) exposed to a replay attack. A new mathematical model of the replay attack is proposed. The resulting closed-loop system is defined as a discrete-time Markovian jump linear system (MJLS). Employing the Lyapunov–Krasovskii functional, a sufficient condition for stochastic stability is given in the form of linear matrix inequalities (LMIs). The control law can be obtained by solving these LMIs. Finally, a simulation of an inverted pendulum (IP) with Matlab is developed to illustrate our controller’s efficiency.


Introduction
A networked control system (NCS) is a system in which all the data (control input, sensor readings, etc.) are transferred via a communication network. is novel kind of system differs significantly from the classical control systems, where the exchanges of the data pass via electrical wiring. e main advantages of the communication network are flexibility, high efficiency, and reasonable price. Nevertheless, a new issue arose with the use of this control implementation compared with the old wired control systems, such as the packet loss.
is problem has been the subject of much systematic investigation, where Lu et al. [1] used the Bernoulli distribution to model the packet loss of the information transmitted through the network. Yu et al. [2] modelled the NCS with data packet dropout as a linear jump system. Chen et al. [3] studied the H ∞ control of a nonlinear NCS with data packet dropout, where the data packet dropout was described as a homogeneous Bernoulli process and the global system was modelled as a Takagi-Sugeno (T-S) fuzzy system. Xiong and Lam [4] considered two categories of packet dropout; the first category was the random packet loss process, whereas the second was the Markovian packet loss process.
Moreover, the control issue of an NCS with time delay and packet dropout was established in [5][6][7][8], where Qi et al. [5] studied the event-triggered H ∞ control problem for networked switched systems with a mixed time and statedependent switching law taking into consideration the effect of the network delay. Wang et al. [6] investigated the H ∞ issue for NCS with packet dropout and varying time delays. Wang et al. [7] studied the robust H ∞ fault detection dilemma for NCS with Markov time delay and packet loss in both communication channels. Qiu et al. [8] treated the stability problem for an NCS with random time delays and packet dropouts based on a unified Markov jump model. For more information on stochastic control using Markov chains, we refer the interested reader to [9].
In addition to the network problems mentioned above. e cyberattacks pose a significant threat to the NCS, especially after a series of successful attacks. In the last ten years, the Stuxnet virus was considered the most dangerous cyberattack in history. is virus targeted Iranian nuclear facilities and caused enormous losses [10]. Stuxnet has the same characteristic as a replay attack [11,12], it registers the measurements of the sensors; after that, it replaces the new sensor's output with previous measurements that are already saved and stocked by the cybercriminal. is type of attack is commonly a principal source of instability.
Due to the Stuxnet events, the control issues of a cyber system under a replay attack have attracted many researchers. e majority of these works have a common point. ey had used a based-detector method to identify the replay attack by injecting a noisy signal as an authentication signal to the nominal control input. en, they calculated the control law basing on the information offering by the detector. However, when the detection rate increases, the control efficacy deteriorates. A trade-off exists between the detection rate and the degradation of the control efficiency in terms of the variance of the authentication signal [13]. Moreover, the absenteeism of the attack when the adversary decides to stop the attack for a while produces a waste of control cost [11]. Consequently, new technical solutions are required to design the control law based upon the mathematical model of the replay attack. At our best knowledge, up to now, far too little attention has been paid to study this problem using the mathematical-based method, which motivates the study of this paper. e main objective of this article is to use an accurate mathematical model of the replay attack to calculate a robust feedback controller that guarantees the stability and conserves the control efficacy, with or without the existence of the replay attack. e main contribution of this article is to model the nonlinear NCS against a replay attacker as a discrete-time Markovian jump linear system (MJLS), where a two-state Markov chain is used to describe the attack apparition, and a finite-state Markov chain is utilized to model the replay delay value. Based on this mathematical model, we will develop a new LMI employing the Lyapunov-Krasovskii functional.
Due to the various uses of the inverted pendulum (IP) in many fields, this system is considered one of the best applications of the NCS. Including its distinct physical characteristic (strong nonlinearity), these particularities encouraged us to choose it as an application system to test the robustness of our approach. Many methods are utilized to model the IP. For instance, Wang [14] modelled the IP based on the Euler-Lagrange equations. Furthermore, Çakan et al. [15] built for the IP a virtual prototype using MSC Adams software, this prototype was exporting to MATLAB, and the simulation was realized via MATLAB and MSC Adams software. In this study, we will use the Euler-Lagrange equations to give a mathematical model to the IP. en, we will discretize the differential equations by using the discretization method of the first order (Euler). After that, we will linearise the discrete model creating the Takagi-Sugeno (T-S) fuzzy model of the IP, which means writing the nonlinear model in the form of many linear subsystems that are connected to membership function [16]. e overall number of subsystems depend on the number of nonlinearity exist in the system. For more information on the T-S fuzzy model and its applications, we refer the interested reader to [17][18][19][20]. e article is organized as follows: first, we will represent our model of the replay attack, and we will describe the structure of the global system. Section 3 develops the sufficient stability conditions of the overall system. After that, in Section 4, we will use the Euler-Lagrange equations to give a mathematical model to the IP. In Section 4.3, two simulations will be performed to investigate the effectiveness of the proposed approach. Finally, in Section 5, a brief conclusion is presented to sum up the approach.
Notations. Let (Ω, F, P) be a complete probability space. X 1 > 0 and X 1 < 0 are utilized to denote a positive and negative definite matrices, respectively. Notation X 1 ≥ X 2 (respectively, X 1 > X 2 ) where X 1 and X 2 are real symmetric matrices, meaning that X 1 − X 2 is positive semidefinite (respectively, positive definite). diag(X 1 , . . . , X n ) refers to an n × n diagonal matrix with X i as its ith diagonal entry. 0 n denotes the zero matrix, whereas I n denotes the identity matrix with appropriate dimensions. e delimiter ‖.‖ refers to the Euclidean norm for vectors and induced 2-norm for matrices. e operator E[.] denotes the mathematical expectation.
e superscript T denotes the transpose for vectors or matrices. e symbol * stands for the symmetric terms of the corresponding off-diagonal term. e notation sym(X 1 ) is employed to denote the expression X 1 + X T 1 .

Replay Attack.
A replay attack is a type of cyberattack in which a cybercriminal eavesdrops on a secure communication network, intercepts the data, and then maliciously delays or retransmits it to misdirect the system into doing what the adversary wants ( Figure 1). e thing that makes the replay attack one of the most perilous cyberattacks is that the adversary does not even need advanced skills to decrypt the data, he just needs to record the sensing data secretly and then resend it to the controller after modifying the sensors' output fraudulently to push the controller to take wrong decisions which could destabilize the system in the feedback loop.
To explain how the replay attack behaves, an illustrative example will be utilized ( Figure 2), where the first line represents the transmitted sequence and the second line represents the received sequence under the replay attack. We suppose that the attacker records from 100 to 101, and then he replays it from 102 to 103. In other words, the adversary replaces the packets 102 and 103 by 100 and 101, respectively. e same procedure for the packet 200, but this time the replay delay equals 3T e ; that means he saves the packets 197; 198; 199. en, he replays it from 200 to 202.

Problem Formulation.
is article deals with the control problem of a nonlinear NCS with a replay attack. As Figure 3 shows, the transmission of the packets from the sensor to the controller passes via a communication network. We assume that an attacker has connected to the communication network of the system. To keep himself undercover and avoid being detected by the classical detectors, the attacker will not apply the attack all the time (steadily); he will appear at different times (randomly). is action will reflect negatively on the stability of the system. e framework of nonlinear NCS exposed to a replay attack is depicted in Figure 3. e T-S fuzzy model can be seen as represented by s plant rules. e ith plant rule is en, where x(k) ∈ R n denotes the system state and u(k) ∈ R m denotes the control input. A i ∈ R n×n and B i ∈ R n×m are the system matrices. Using a standard fuzzy inference, the final state of the fuzzy model is inferred as follows: where w i (z(k)) is the attributed weight for each rule i, and μ i,l (z l (k)) is the appurtenance degree of the membership function to the fuzzy set M i,j . e functions h i (z) satisfies the convex sum property, i.e, s i�1 h i (z) � 1, and 0 ≤ h i (z) ≤ 1, with i � 1. . .s. e state feedback controller can be driven by the next rules: where K j ∈ R m×n is the controller gain and x(k) is the controller input with e variable δ is a two-state Markov model that represents the state of the switch S, Figure 4. If the communication link between the sensor and the controller was perfect, δ will be equal to 0. Otherwise, if there was a communication problem (communication delay and/or replay attack), δ will be equal to 1. τ(k) represents the replay delay and/or the network delay; that means if there is an attack, the state x(k) will be changed by the previous state x(k − τ 1 (k)). However, if there is a communication delay, the state x(k) will be equal to x(k − τ 2 (k)). Finally, if there are a replay attack and a network delay simultaneously, the state x(k) will be equal to x(k − τ 1 (k) − τ 2 (k)), and since the delays τ 1 (k) and τ 2 (k) are variables, we can unify the two variables in one variable τ(k), where τ(k) is a random scalar which bounded between τ min and τ max , such as 0 ≤ τ min ≤ τ(k) ≤ τ max . Consequently, the controller (6) will be switching between several subsystems based on the value of δ(k) and τ(k). e switching controller has been widely used for other similar systems (see [21,22], and the references therein).

Main Results
is section will be devoted to the stabilization theorem for the closed-loop system (8).

Mathematical Problems in Engineering
Remark 2. In practice, it is important to know the maximum network delay and the maximum replay delay such that the NCS can remain stable. To determine these maximum time delays, we should solve the following nonlinear optimization problem: max τ max s.t. (12) (29)

Mathematical Model of the Inverted
Pendulum. e inverted pendulum depends on three parameters Figure 5. e position of the cart noted as X, the angle θ which makes the pendulum rod with the vertical position, and the force exerted to the cart to put the pendulum rod in the stable position. ese parameters of the system are included in Table 1.
In reason to give the mathematical model of the system, we will use the Lagrangian equation. is equation is based on the principle of conservation of mechanical energy. In our case, the system has two degrees of freedom which can be represented by (i) X for the horizontal movement of the cart. (ii) θ for the angular position of the pendulum. e Lagrangian equation is generally defined by the difference between the kinetic energy (E c ) and the potential energy (E p ) of the system: e form of the Lagrange equation is d dt With E j and G j are, respectively, the degree of freedom and the generalized force in the sense of the degree of freedom E j . e kinetic energy of the system is given by where J � (m ′ L 2 /3). e potential energy of the system is given by Replacing equation (32) and (33) in (30), we obtain

cos(θ). (35)
We define Hence, Replacing the value of € X in (37), we obtain where a � (1/M). e mathematical model of the IP system can be written as follows: .

T-S Fuzzy Modelling of the Inverted Pendulum.
To pass from continuous time to discrete time, the differential equations (41) can be discretised by using the discretization technique of the first-order Euler in which we will replace where T e is the sampling time. e differential equation (41) becomes .
After using this linearisation technique, the IP system can be written as a sixteen linear subsystems, with the matrices A i and B i of these subsystems given in Appendix.

System Stabilization.
To illustrate the effectiveness of the developed controllers in eorem 1, a simulation of an IP controlled through a communication network is performed using the parameters in Table 2.
e convex sum propriety of the activation functions h i (z) is well respected. From Figure 7, we can see that 0 ≤ h i (z) ≤ 1. And from Figure 8, we have s i�1 h i (z) � 1, with i � 1. . . 16. Figure 9 represents the switch values of δ(k). To be close to the reality, we chose that the commutation of the switch S is random. e command "dmtc" in Econometrics Matlab toolbox is used to create the switching law of δ(k). e matrix of the transition probability is In this example, we will take the case when τ(k) is bounded between 0.5s and 1s, which means it will take the following values (0.5-0.6-0.7-0.8-0.9-1). Figure 10 shows the switch of τ(k) between these values. e transition probability matrix is as follows: As is custom, the IP system has an inherent instability, Figures 11 and 12 e state trajectories are shown in Figures 13 and 14, where the two curves represent the trajectory of the states x 1 and x 2 under the controller gain K j . e initial condition is x 0 � π/4 0 T . As we can notice from the figures, the two curves converge to zero. Accordingly, the closed-loop system is stable.

Trajectory
Tracking. Let us consider the above system with the same parameter's value given in Table 2. e subject of this paragraph is that the angle θ(k) of the IP's rod tracks the desired trajectory Yr (the reference).
e control law will be written as follows: To find the value of L j , we will apply the Z-transform proprieties on the equation (53):

Mathematical Problems in Engineering
e output y(k) of the system can be rewritten as follows: where C � [1 0]. e gains L j will be calculated in such a way that y ∞ � Y r , with Hence, To see the robustness of the proposed theorem, three different situations will be studied. In the first situation, the event rate of the switch S is 0.1 (the percentage to have a replay attack during 100 s is 10%). In the second situation, the event rate equals 0.3. Finally, in the third situation, the event rate is 0.5. Figures 15-17 represent the different events rates of the switch S. 0.1, 0.3, and 0.5, respectively.
As we have said previously, the instants, when δ(k) takes value 1, represent the times of the replay attacks. To simulate perfectly the attacks, these instance are chosen arbitrary. e values of τ(k) stayed the same (Figure 10). e value of the controller gain K j and the trajectory controller gain L j are given in Tables 3 and 4.    From Figure 18, we can notice that if the event rate of the switch S equals 0.1, the output can track perfectly the reference; the same thing happens if the chance to have an attack rises to 30% or 50%. But, the response time at start up increases in these two cases. However, the results stay acceptable, which reflects the potency of our theorem.

Conclusion
is study dealt with the control problem of a nonlinear NCS exposed to a replay attack. A novel approach was used to calculate the control law based on an accurate mathematical description of the global system, taking into account the stochastic characteristics of the replay attack.
Two simulations have been performed to investigate the effectiveness of the proposed approach. e obtained results show that the new approach conserves the performance of the system despite the existence of the replay attack. e main advantages of the presented control method compared with the other approach that based on the detectors are the stochastic robustness, the good response time, and the adaptability for a practical application.
As a perspective of this study, our attention will be oriented towards studying the same problem with packet losses and an external disturbance.

Data Availability
No data were used to support this study.

Conflicts of Interest
e authors declare that they have no conflicts of interest.