
JID: FI

ARTICLE IN PRESS [m1+;March 5, 2019;18:47]

Available online at www.sciencedirect.com

Journal of the Franklin Institute xxx (xxxx) xxx


www.elsevier.com/locate/jfranklin

A unified modeling of muti-sources cyber-attacks with uncertainties for CPS security control

Hui Ge a,b, Dong Yue a,b,∗, Xiangpeng Xie b, Song Deng b, Chunxia Dou b,∗

a School of Automation, Nanjing University of Posts and Telecommunications, Nanjing 210023, People's Republic of China
b Institute of Advanced Technology, Nanjing University of Posts and Telecommunications, Nanjing 210023, People's Republic of China
Received 26 September 2018; received in revised form 21 November 2018; accepted 6 January 2019
Available online xxx

Abstract
In this paper, the issue of CPS security is investigated. By analyzing the processes of multi-source cyber-attacks, namely denial-of-service (DoS), information disclosure, stealthy attack and replay attack, a unified system model with uncertainties is formulated. Within this model framework, robust control theory is applied to design control scenarios for cyber-attack prevention. Furthermore, a double closed-loop NCS framework combined with information integration technology is proposed, and necessary conditions for a security guarantee are derived. Finally, a DC motor speed-regulation example is given to demonstrate the approach.
© 2019 Published by Elsevier Ltd on behalf of The Franklin Institute.

∗ Corresponding authors at: School of Automation and Institute of Advanced Technology, Nanjing University of Posts and Telecommunications, Nanjing 210023, People's Republic of China.
E-mail addresses: 21020535@163.com, gehuivip0217@163.com (H. Ge), yued@njupt.edu.cn (D. Yue), xiexiangpeng1953@163.com (X. Xie), dengsong@njupt.edu.cn (S. Deng), cxdou@ysu.edu.cn (C. Dou).
https://doi.org/10.1016/j.jfranklin.2019.01.006
0016-0032/© 2019 Published by Elsevier Ltd on behalf of The Franklin Institute.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with uncertainties for CPS security control, Journal of the Franklin Institute, https://doi.org/10.1016/j.jfranklin.2019.01.006

1. Introduction

A cyber-physical system (CPS) is an innovative class of system that brings entirely new capabilities of computation, communication and control to the critical infrastructures of heterogeneous engineering systems, such as petrochemical engineering systems, power systems (smart grid) and modern transportation systems, as well as airplanes and space vehicles [1,2].
In these systems, hybrid interaction and communication among different, distributed critical infrastructures is widespread. The growing number of connections and communications over the Internet or wireless networks therefore leaves such CPS susceptible to cyber-security threats. Before 2010, CPS were generally assumed to be secure. From then on, however, CPS security incidents began to occur one after another. In 2010, the Iranian nuclear program was attacked by the Stuxnet worm; this was followed in 2015 by the milestone event of a large blackout in Ukraine. In 2017, the weapon-grade ransomware attacks known as "WannaCry" and "Petya" wreaked havoc, bringing down hundreds of thousands of computers all over the world.
From a theoretical perspective, a great many methodologies have been developed for system stabilization, such as state-space analysis, robust control, predictive control and stochastic control, as well as time- and frequency-domain methods. Fruitful results have been achieved in computer science as well, for instance real-time computing techniques, embedded-system architectures and system software, and innovative approaches to ensuring system reliability and cyber security [3,12,13]. However, research approaches to cyber security based on control theory are still very few, and how to meet the high reliability and security requirements of heterogeneous critical infrastructures remains the grand challenge of current CPS research [4,5].
From the control-theoretic standpoint, stabilization performance is the first consideration. But this control objective cannot satisfy the security requirement: an attacked system usually appears normal and stable right up to the breakdown. Thus, stabilization performance is not sufficient to guarantee the security of CPS, and heterogeneous information integration techniques should be adopted in addition, such as the very preliminary work in [6].
General information-based security control aims at protecting the data passing through the communication channels, whereas control theory is concerned with the stability of the output. From this point of view, the reliability of CPS cannot be guaranteed from one side alone, and that is precisely the work done in this paper: synthesizing control methodology and information techniques to ensure the reliability and security of CPS. In the control-theory field, the most important issue is how to guarantee the stability of a system subject to uncertain perturbations or even cyber-attacks. Unlike traditional network information security, the attacker here aims to influence the physical device in the CPS by altering the computational information. In [7,9], the dramatic differences in security between CPS and general-purpose computing systems are summarized. In [10], DoS power dispatch against linear quadratic control over a fading channel is investigated.
However, a great deal of research work focuses on isolated domains, such as information disclosure [39], denial-of-service (DoS) [18–20], wormhole attacks [40], stealthy attack models [21] and synthesis attacks [22]. Among the defense scenario designs, control theory, optimization and game-theoretic approaches [15] are the mainstream methodologies. Recently, set-based and event-triggered approaches have increasingly been adopted to analyze cyber-attacks (see [17] and the references therein). In more detail, an explicit characterization of the frequency and duration of DoS attacks is analyzed in depth in [29,30]. Meanwhile, a special methodology based on biometric applications is used in [33] for life-safety guarantees.


The increasing complexity of CPS brings in heterogeneous uncertainties, and these uncertainties may degrade the reliability and security of the CPS. Therefore, uncertainty is generally treated as an important performance attribute of a system. In this paper, the CPS security issue is investigated from the uncertainty perspective: both faults and cyber-attacks are treated as different kinds of uncertainty, and a uniform model structure is formulated to describe the CPS. In a practical system, however, it is difficult to eliminate the discrepancy between the model and the real system, the so-called model error. In addition, attack processes are often stealthy and made to appear normal, so the abnormal information is usually unavailable [11,21].
Remark 1. This paper is an extended version of the conference paper [14]. Based on the basic method proposed in [14] and [32], the detailed modeling work has been carried out here. Owing to the page limit, the formulation of cyber-attacks as uncertainties was only given in a simple form in the conference paper. In this paper, the process by which a cyber-attack (including denial-of-service, information disclosure, stealthy attack and replay attack) evolves into the typical NCS model with uncertainty is presented in full.

1.1. Contributions and outline

The main contributions of this note are as follows. (1) A double closed-loop framework is proposed that jointly considers the detection of faults and cyber-attacks. (2) The models of cyber-attacks, including denial-of-service, information disclosure (privacy attack), stealthy attack and replay attack, are formulated as a unified typical NCS model with uncertainties from the control-theory perspective. (3) Information integration technology (IIT) is synthesized with control theory, a novel framework is designed on the basis of the typical CPS structure, and effective attack defense scenarios are devised and applied within this framework to detect and classify cyber-attacks.
The remainder of the paper is organized as follows. In Section 2, four kinds of typical cyber-attacks are modeled as typical NCS models with uncertainties. Some important results are derived in Section 3, followed by the attack defense scenarios and the algorithm details. In Section 4, the DC motor example is given to demonstrate the process of a cyber-attack. Finally, conclusions are drawn.

1.2. Notations

Throughout this paper, $\Delta$ denotes the uncertainty of the parameter it prefixes, e.g. $\Delta A_k$ is the uncertainty of $A$ at time $k$. $E(\cdot)$, $D(\cdot)$ and $\mathrm{hash}(\cdot)$ denote the encryption function, decryption function and hash function, respectively; for any message $x$, $\mathrm{hash}(x)$ is called the hash value of $x$.
Table 1 lists the notations that will be used frequently throughout the remainder of the paper.

2. Formulation

In this paper, the system model with uncertainties is considered as

$$
\begin{aligned}
x_{k+1} &= (A_p + \Delta A_k)\,x_k + B_p\,\tilde u_k + \omega_k \\
y_k &= C_p\,x_k + \Delta y_k + \upsilon_k
\end{aligned}
\tag{1}
$$

where $x_k \in \mathbb{R}^{n_p}$, $\tilde u_k \in \mathbb{R}^{n_u}$ and $y_k \in \mathbb{R}^{n_y}$ represent the plant state, the control input and the sensors' output, respectively, and $\Delta A_k$ stands for the uncertainty of the system dynamics. $\omega_k \in \mathbb{R}^{n_x}$ and $\upsilon_k \in \mathbb{R}^{n_y}$ are the process and sensor noises at time $k$, which are assumed to be IID Gaussian processes with $\omega_k \sim \mathcal{N}(0, Q)$ and $\upsilon_k \sim \mathcal{N}(0, R)$.

Table 1
Frequently used notations.

Notation              Description
$x_k$                 state of the plant
$\mu_k$               synthesized attacker vector
$u^c_k$               control input
$\Delta u^c_k$        control uncertainty, which is taken as the attack
$y_k$                 output of the plant
$\Delta y_k$          output caused by uncertain inputs
$T^p_{stamp,k}$       time-stamp of the packet from the plant
$U^w_{c,k}$           encrypted data of $u^c_k$
$U^d_{c,k}$           detection data given by $\mathrm{hash}(U^w_{c,k})$
$T^c_{stamp,k}$       time-stamp of the packet from the controller
$Y^w_k$               encrypted sensor measurement (an attack vector may be mixed in)
$Y^{w-\mu}_k$         encrypted sensor measurement without any attack vector
$Y^d_k$               detection data given by $\mathrm{hash}(y_k)$
$Y^{d-\mu}_k$         detection data given by $\mathrm{hash}(y_k - \Delta y_k)$
Eq. (1) can also be written as

$$
\begin{aligned}
x_{k+1} &= A_p\,(x_k + \Delta x_k) + B_p\,(u_k + \Delta u_k) + D_1\,\omega_k \\
y_k &= C_p\,(x_k + \Delta x_k) + D_2\,\upsilon_k
\end{aligned}
\tag{2}
$$
With the development of theory and technique, and the extensive application of networks, the ICS security issue should be reconsidered. In this paper, parameter uncertainties are considered not only for stabilization analysis, but also for the security performance of the system.
Inspired by Zhou et al. [24], an LTI feedback controller in NCSs is given as

$$
\begin{aligned}
z_{k+1} &= A_c\,z_k + B_c\,\bar y_k \\
u^c_k &= C_c\,z_k + D_c\,\tilde y_k
\end{aligned}
\tag{3}
$$

where $z_k \in \mathbb{R}^{n_z}$, $u^c_k \in \mathbb{R}^{n_x}$ and $\bar y_k \in \mathbb{R}^{n_y}$ denote the controller state, the controller output and the feedback measurement of the plant, respectively.
Remark 2. The sensor measurement output is written as $\bar y_k = y_k + \Delta y_k$, with $\Delta y_k$ denoting the uncertainty. In this paper, however, besides uncertainty, $\Delta y_k$ is also used to describe a cyber-attack. In particular, if no cyber-attack is present and there is no system perturbation, then $\Delta y_k = 0$ and $\bar y_k = y_k$.
In Eq. (3), $\tilde y_k \in \mathbb{R}^{n_y}$ is the reference information comprising the feedback and the regulation parameters. The relationship between them is $\tilde y_k = y_k + y_{ref,k}$, where $y_{ref,k}$ is the part of the control input that adjusts the controller output to counter perturbations, faults and even cyber-attacks.
CPS are an evolution of networked control systems (NCSs), which combine distributed plants and sensors with local controllers via networked communication channels. Among the critical elements of a CPS, a public network connects the local controller with the remote plants and sensors into a unified framework, as shown in Fig. 1.
Fig. 1. Typical framework of CPS for cyber-attack detecting with uncertainties.

This framework is advantageous for distributed control, especially remote distributed control.
Motivated by the methods in [25,26], an observer-based residual detection structure is given as

$$
\begin{aligned}
s_{k+1} &= A_e\,s_k + B_e\,u_{c,k} + E_e\,\tilde y_k \\
r_k &= C_e\,s_k + D_e\,u_{c,k} + F_e\,\tilde y_k
\end{aligned}
\tag{4}
$$

where $s_k \in \mathbb{R}^{n_s}$ is the state of the anomaly detector and $r_k \in \mathbb{R}^{n_r}$ is the residual between the estimator and the actual system.
Remark 3. According to Eq. (4), the inputs of the detector are the control signal $u_{c,k}$ and the feedback signal $\tilde y_k$ from the sensor side. If a stealthy attack succeeds, the residual $r_k$ will be zero or remain within a certain range; this is the strength of the stealthy attack. For this kind of attack, information integration technology with hash functions and data encryption is applied.
Define the augmented vectors $\eta_k = [x_k^T\; z_k^T\; s_k^T]^T$, $\xi_k = [\omega_k^T\; \upsilon_k^T]^T$ and $\mu_k = [u_{att,k}^T\; y_{att,k}^T]^T$, and let $R_k$ denote the residual error of the detector. Then

$$
\begin{aligned}
\eta_{k+1} &= \bar A\,\eta_k + \bar B\,\mu_k + \bar E\,\xi_k + H f_k + G_1\,y_{ref,k} \\
R_k &= \bar C\,\eta_k + \bar D\,\mu_k + \bar F\,\xi_k + G_2\,y_{ref,k}
\end{aligned}
\tag{5}
$$

where
$$
\bar A = \begin{bmatrix} A_p + B_p D_c C_p & B_p C_c & 0 \\ B_c C_p & A_c & 0 \\ B_e D_c C_p + E_e C_p & B_e C_c & A_e \end{bmatrix},\quad
\bar B = \begin{bmatrix} B_p & B_p D_c \\ 0 & B_c \\ 0 & B_e D_c + E_e \end{bmatrix},\quad
\bar E = \begin{bmatrix} D_\omega & B_p D_c D_\nu \\ 0 & 0 \\ 0 & B_e D_c D_\nu + E_e D_\nu \end{bmatrix},\quad
H = \begin{bmatrix} F \\ 0 \\ 0 \end{bmatrix},
$$
$$
G_1 = \begin{bmatrix} B_p D_c \\ 0 \\ B_e D_c \end{bmatrix},\quad
\bar C = \begin{bmatrix} D_e D_c C_p + F_e C_p & D_e C_c & C_e \end{bmatrix},\quad
\bar D = \begin{bmatrix} 0 & D_e D_c + F_e \end{bmatrix},\quad
\bar F = \begin{bmatrix} 0 & D_e D_c D_\nu + F_e D_\nu \end{bmatrix},\quad
G_2 = D_e D_c .
$$

The reference input $y_{ref,k}$ is used to adjust the output of the controller, which can ultimately eliminate the fault or attack effectively.
Remark 4. In Eq. (5), $y_{ref,k}$ is adopted to moderate the controller towards the desired output and to counter the perturbations $\omega_k$, $\upsilon_k$ and the attacks $u_{att,k}$, $y_{att,k}$. For simplicity, $y_{ref,k} = J x^c_k$ is used, with $x^c_k$ the controller state $z_k$, to evolve the model of Eq. (3); $D_\omega = I_{n_x}$ and $D_\nu = I_{n_y}$ are likewise taken for simplicity.

Then, Eq. (5) is rewritten as

$$
\begin{aligned}
\eta_{k+1} &= \bar A_c\,\eta_k + \bar B_c\,\mu_k + \bar E_c\,\xi_k + H f_k \\
R_k &= \bar C_c\,\eta_k + \bar D_c\,\mu_k + \bar F_c\,\xi_k
\end{aligned}
\tag{6}
$$

where
$$
\bar A_c = \begin{bmatrix} A_p + B_p D_c C_p & B_p C_c + B_p D_c J & 0 \\ B_c C_p & A_c & 0 \\ B_e D_c C_p + E_e C_p & B_e C_c + B_e D_c J & A_e \end{bmatrix},\quad
\bar B_c = \begin{bmatrix} B_p & B_p D_c \\ 0 & B_c \\ 0 & B_e D_c + E_e \end{bmatrix},\quad
\bar E_c = \begin{bmatrix} I_{n_x} & B_p D_c \\ 0 & 0 \\ 0 & B_e D_c + E_e \end{bmatrix},\quad
H = \begin{bmatrix} F \\ 0 \\ 0 \end{bmatrix},
$$
$$
\bar C_c = \begin{bmatrix} D_e D_c C_p + F_e C_p & D_e C_c + D_e D_c J & C_e \end{bmatrix},\quad
\bar D_c = \begin{bmatrix} 0 & D_e D_c + F_e \end{bmatrix},\quad
\bar F_c = \begin{bmatrix} 0 & D_e D_c I_{n_y} + F_e I_{n_y} \end{bmatrix}.
$$

Remark 5. The detailed model (5) is difficult to analyze theoretically, so a simplification step is needed. Motivated by Simani et al. [27], the fault $f_k$ in the model is taken as the combination of the actuator fault $f_{a,k}$, the plant fault $f_{p,k}$ and the sensor fault $f_{s,k}$. Furthermore, uncertainty is another major element considered in analyzing the actuator fault $f_{a,k}$ caused by $\Delta u_k$. Thus $u_{f,k}$ is taken as a part of the control signal, which in a suitable sense is commonly used to denote both a controller-actuator channel attack and an actuator fault.

Assumption 1. For simplicity we assume $u_{f,k} = K x_{f,k}$. Under a state-feedback or output-feedback control law, $\Delta u_{f,k}$ is then related to $u_{f,k}$; to keep the treatment simple, we assume that $\Delta u_{f,k} = K u_{f,k}$ holds.

Assumption 2. Following previous work, it is reasonable to assume that $\tilde u_k = u_{att,k} + u_{f,k}$ and $\tilde y_k = y_{att,k} + y_{f,k}$. The definition of $\mu_k$ can then be rewritten as

$$
\tilde\mu_k = [\Delta u_k^T\; \Delta y_k^T]^T = \big[(u_{att,k} + u_{f,k})^T\;\; (y_{att,k} + y_{f,k})^T\big]^T
$$

which coincides with the description of a nonzero attack $(B_K u_K, D_K u_K)$ in [28].

Consequently, the system model with faults and cyber-attacks evolves into a model with uncertainty parts:

$$
\begin{aligned}
\eta_{k+1} &= \bar A_z\,\eta_k + \bar B_z\,\tilde\mu_k + \bar E\,\xi_k \\
R_k &= \bar C_z\,\eta_k + \bar D_z\,\tilde\mu_k + \bar F\,\xi_k
\end{aligned}
\tag{7}
$$

where
$$
\bar A_z = \begin{bmatrix} A_p + B_p D_c C_p & B_p C_c + B_p D_c J & 0 \\ B_c C_p & A_c & 0 \\ B_e D_c C_p + E_e C_p & B_e C_c + B_e D_c J & A_e \end{bmatrix},\quad
\bar B_z = \begin{bmatrix} B_p + M & B_p D_c \\ 0 & B_c \\ 0 & B_e D_c + E_e \end{bmatrix},\quad
\bar E = \begin{bmatrix} I_{n_x} & B_p D_c \\ 0 & 0 \\ 0 & B_e D_c + E_e \end{bmatrix},
$$
$$
\bar C_z = \begin{bmatrix} D_e D_c C_p + F_e C_p & D_e C_c + D_e D_c J & C_e \end{bmatrix},\quad
\bar D_z = \begin{bmatrix} 0 & D_e D_c + F_e \end{bmatrix}.
$$

Remark 6. The matrix $F$ changes according to the fault $f_k$. Since $u_{f,k}$, $x_{f,k}$ and $y_{f,k}$ enter through $B_p$, $A_p$ and $C_p$, respectively, the matrix $F$ can be replaced by $[B_p\; A_p\; C_p]$.

Remark 7. From the operation of the NCS, $x_{f,k}$ is a part of $x_{p,k}$, so $A_p x_{f,k}$ is an inevitable part of the state update of $x_{p,k}$. In view of the state feedback control law $u_k = K x_{p,k}$, which is often equivalent to $u_{f,k} = K_k x_{f,k}$, we define $A_p = MK$, where $M$ is a matrix to be determined, such that $A_p x_{f,k} = M K x_{f,k} = M u_{f,k}$.


$$
\begin{aligned}
\eta_{k+1} &= \bar A_z\,\eta_k + \bar B_z\,\zeta_k \\
R_k &= \bar C_z\,\eta_k + \bar D_z\,\zeta_k
\end{aligned}
\tag{8}
$$

where $\zeta_k = [\tilde\mu_k^T\; \xi_k^T]^T$ collects all coupled perturbations and $R_k$ is the residual of the synthesized system. In particular, a threshold $J_{th}$ is chosen and the condition $J_{th} \le \|R_k\|$ is used to detect external faults and threats; see our previous work [44].
From the analysis, all of the effects caused by a cyber-attack within the whole closed-loop system are reflected, directly or indirectly, in the state of the system. Synthesizing the stacked vectors, the system model can be summarized as

$$
\begin{aligned}
\eta_{k+1} &= (\bar A_c + \Delta A)\,\eta_k + \bar E_c\,\xi_k \\
R_k &= (\bar C_c + \Delta C)\,\eta_k + \bar F_c\,\xi_k
\end{aligned}
\tag{9}
$$

where
$$
\Delta A = \begin{bmatrix} Q\,\Delta A_k & 0 & 0 \\ S\,\Delta A_k & 0 & 0 \\ M\,\Delta A_k & 0 & 0 \end{bmatrix},\quad
\Delta C = \begin{bmatrix} N\,\Delta A_k & 0 & 0 \end{bmatrix},
$$
$Q = (BK + B D_c C)A^{-1}$, $S = B_c C A^{-1}$, $M = (B_e D_c + E_e)C A^{-1}$ and $N = (D_e D_c + F_e)C A^{-1}$.

Based on the above formulation, several cyber-attacks can likewise be formulated in the typical form with uncertainties.

2.1. Information disclosure

With the growth of Internet and wireless network connectivity, information disclosure is prone to happen within the network communication channels. Through bypasses or back doors in the application software, attackers can find and exploit vulnerabilities of the software and hardware, and then grab the operating data of the system, which is an unauthorized operation.
Information disclosure is the foundation of several cyber-attacks. In this part, the process of information disclosure is formulated from another perspective. Monitoring, scanning and enumeration, as well as destruction, infection and even advanced persistent threats (APT) [23], are effective ways for an attacker to capture information. These scenarios also help the attacker to find the bypasses and back doors of the application software.
Motivated by the formulation of denial-of-service (DoS) below, we define the matrix $\mathrm{diag}\{\gamma_{u,k}, \gamma_{y,k}\}$, where $\gamma_{u,k} \in \mathbb{R}^{n_u}$ and $\gamma_{y,k} \in \mathbb{R}^{n_y}$ represent the cyber-attacker within the forward and feedback channels, respectively.
In a networked system, we record the numbers $\sum_{k=1}^{T_u} \gamma_{u,k} = N$ and $\sum_{k=1}^{T_y} \gamma_{y,k} = M$ of successfully transmitted response data, and let $T$ denote the interval $[0, T]$. The quantities $\Delta_u = T_u - N$ and $\Delta_y = T_y - M$ denote the difference between the total number of data sent and the total number of responses received. We then define $\alpha_1 = \frac{T_u - N}{T_u}$ and $\alpha_2 = \frac{T_y - M}{T_y}$ as the proportion of safe data during the interval $T$, so that $\bar\alpha_1 = 1 - \alpha_1$ and $\bar\alpha_2 = 1 - \alpha_2$ describe the successful information disclosure.

Consequently, the information transmitted via the forward and feedback channels under the information disclosure strategy can be formulated as

$$
S_{eq,k} = \begin{bmatrix} \bar\alpha_{1,k} & 0 \\ 0 & \bar\alpha_{2,k} \end{bmatrix}\begin{bmatrix} u_k \\ y_k \end{bmatrix},\qquad k \in [0, \infty)
$$

where $\bar\alpha_{1,k}$ and $\bar\alpha_{2,k}$ are the parameters standing for the probability of a successful information disclosure attack.
Substituting $\bar\alpha_{1,k} u_k$ and $\bar\alpha_{2,k} y_k$ into the plant and controller equations, we obtain the ultimate form of the model for information disclosure:

$$
\begin{aligned}
x_{k+1} &= A\,x_k + \bar\alpha_{1,k}\,B\,u_k \\
\bar\alpha_{2,k}\,y_k &= C\,x_k
\end{aligned}
\tag{10}
$$

Together with the aforementioned definitions, we have

$$
\begin{aligned}
x_{k+1} &= A\,x_k + B\,u_k - \alpha_{1,k}\,B\,u_k \\
y_k &= C\,x_k + \alpha_{2,k}\,y_k
\end{aligned}
\tag{11}
$$

Defining $\Delta u_k = -\alpha_{1,k} u_k$ and $\Delta y_k = \alpha_{2,k} y_k = C\,\Delta x_k$, we obtain

$$
\begin{aligned}
x_{k+1} &= A\,x_k + B\,(u_k + \Delta u_k) \\
y_k &= C\,x_k + \Delta y_k = C\,(x_k + \Delta x_k)
\end{aligned}
\tag{12}
$$

2.2. DoS attack vs. packet loss

Denial-of-service (DoS) is an attack that stops legitimate users from accessing a specific network resource; the first work on this issue dates back to the 1980s, after which the first distributed denial-of-service (DDoS) attack incident was reported [41]. Because CPS are full of distributed information interaction (see [29] and the references therein), it is very important to prevent and effectively defend against DDoS attacks.
Similarly to the process of information disclosure, which is also called a privacy attack, the whole sequence of signals grabbed by the attacker is described as

$$
S(k) = \sum_{k=0}^{T} \begin{bmatrix} \gamma_{u,k} I_{n_u} & 0 \\ 0 & \gamma_{y,k} I_{n_y} \end{bmatrix}\begin{bmatrix} u_k \\ y_k \end{bmatrix}
\tag{13}
$$

where $\gamma_{u,k}, \gamma_{y,k} \in \{0, 1\}$ denote the DoS attack results: "1" indicates a successful DoS attack and "0" the opposite. $I_{n_u}$ and $I_{n_y}$ are identity matrices of dimensions matching $u_k$ and $y_k$, respectively.
The above is the simplest case; in most cases a random DoS attack is the normal situation. Therefore, we define $\alpha = \mathrm{diag}\{\alpha_i, \alpha_j\}$ and $\beta = \mathrm{diag}\{\beta_i, \beta_j\}$, where $i \in \{1, 2, \ldots, n_u\}$, $j \in \{1, 2, \ldots, n_y\}$. $\alpha$ and $\beta$ represent the probability of successful transmission via the forward and feedback communication channels, respectively.
Consequently, for the controller-to-actuator and sensor-to-controller channels we have

$$
S_{ca,k} = S_{ca,k-1} + \begin{bmatrix} \alpha_i\,\gamma_{u,k} I_{n_u} & 0 \\ 0 & \beta_i\,\gamma_{y,k} I_{n_y} \end{bmatrix}\begin{bmatrix} u_k \\ y_k \end{bmatrix}
$$

and

$$
S_{sc,k} = S_{sc,k-1} + \begin{bmatrix} \alpha_j\,\gamma_{u,k} I_{n_u} & 0 \\ 0 & \beta_j\,\gamma_{y,k} I_{n_y} \end{bmatrix}\begin{bmatrix} u_k \\ y_k \end{bmatrix}
$$
Fig. 2. Process of intermittent DoS attack.

where $\{\alpha_i, \alpha_j, \beta_i, \beta_j\} \in [0, 1]$ denote the probability of a successful denial-of-service attack within the forward and feedback channels, which are often defined as

$$
\begin{aligned}
P\{\gamma_{u,k} = 1\} &= \alpha,\qquad P\{\gamma_{u,k} = 0\} = 1 - \alpha; \\
P\{\gamma_{y,k} = 1\} &= \beta,\qquad P\{\gamma_{y,k} = 0\} = 1 - \beta.
\end{aligned}
\tag{14}
$$

In this paper, the packet-loss description is adopted to model the DoS process. Then we have

$$
\begin{aligned}
x_{k+1} &= \delta_1\,A\,x_k + \delta_2\,B\,u_k \\
y_k &= \delta_1\,C\,x_k
\end{aligned}
\tag{15}
$$

where $\delta_1$ and $\delta_2$ indicate the outcome of the DoS attack in the feedback and forward channels, respectively, with $\delta_1 \in \{0, 1\}$ and $\delta_2 \in \{0, 1\}$: "0" means a successful DoS attack and "1" the opposite.
By simple manipulation, (15) is rewritten as

$$
\begin{aligned}
x_{k+1} &= A\,x_k - (1 - \delta_1)\,A\,x_k + B\,u_k - (1 - \delta_2)\,B\,u_k \\
y_k &= C\,x_k - (1 - \delta_1)\,C\,x_k
\end{aligned}
\tag{16}
$$

For simplicity, we define $\bar\delta_1 = 1 - \delta_1$ and $\bar\delta_2 = 1 - \delta_2$, so that

$$
\begin{aligned}
x_{k+1} &= A\,x_k - \bar\delta_1\,A\,x_k + B\,u_k - \bar\delta_2\,B\,u_k \\
y_k &= C\,x_k - \bar\delta_1\,C\,x_k
\end{aligned}
\tag{17}
$$

For a DoS attack we are sure that $\bar\delta_1 \in \{0, 1\}$ and $\bar\delta_2 \in \{0, 1\}$; furthermore, $\bar\delta_1 = 1$ and $\bar\delta_2 = 1$ indicate a successful DoS action within the feedback and forward channels, respectively, whereas $\bar\delta_1 = 0$ and $\bar\delta_2 = 0$ stand for the failure of the DoS attack. This is limited to the Bernoulli-distributed case.
Furthermore, an uncertainty approach can be adopted to describe the features of a DoS attack under the conditions $\Delta A\,x_k = -\bar\delta_1\,A\,x_k$, $\Delta B\,u_k = -\bar\delta_2\,B\,u_k$ and $\Delta y_k = -\bar\delta_1\,C\,x_k$. Then Eq. (17) reduces to the form of Eq. (2).
Based on the above analysis, a definition can be summarized as follows.
Based on above analysis, a definition can be summarized as follow.

Definition 1. For the $i$th DoS interval, denoted $[S^i_{att}, S^i_{att} + \tau_i]$ as depicted in Fig. 2, $\tau_i$ is the $i$th DoS duration. If the duration $\tau_i$ can successfully make the system lose stability, it is called the effective DoS duration time (EDDT).
Furthermore, in $[k_0, k_m]$ with $0 \le k_0 < k_m$, the DoS-present and DoS-absent intervals can be generalized as

$$
S_{nor} := \bigcup_{i=1}^{m} \big[s^i_{att} + \tau_i,\; s^{i+1}_{att}\big)
\tag{18}
$$

$$
S_{att} := \bigcup_{i} \big[s^i_{att},\; s^i_{att} + \tau_i\big),\qquad i \in [0, m)
\tag{19}
$$

In addition, two meaningful conclusions can be drawn: (i) $[k_0, k_m] = S_{att} \cup S_{nor}$; (ii) $S_{att} \cap S_{nor} = \emptyset$.
For better comprehension, Fig. 2 shows the process of an intermittent DoS attack.
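The following is an added example, not code from the paper, that makes Definition 1 and Eqs. (15)–(19) concrete on a scalar NCS: dos_sets builds $S_{att}$ and $S_{nor}$ from a list of $(s^i_{att}, \tau_i)$ pairs so that conclusions (i) and (ii) can be checked, simulate applies Eq. (15) with a dropped control packet replaced by zero input ($\delta_2 = 0$), effective_dos_duration searches for the EDDT against a safety bound, and bernoulli_schedule draws the random loss process of Eq. (14). The plant constants, the safety bound and the zero-input policy on a dropped packet are constructed assumptions of the example.

```python
"""Intermittent DoS on a scalar NCS: attack/normal interval sets (Eqs. (18)-(19)),
packet-loss dynamics (Eq. (15)) and the effective DoS duration (Definition 1).

All constants are constructed for the demonstration; a dropped control packet
is assumed to apply zero input to the actuator."""
import random

A, B, K = 1.2, 1.0, -0.9   # open-loop unstable plant, stabilising gain (A + B*K = 0.3)
X_BOUND = 10.0             # safety envelope: |x| beyond this counts as loss of stability


def dos_sets(intervals, k0, km):
    """Return (S_att, S_nor) as sets of sampling instants in [k0, km).

    intervals: list of (s_att_i, tau_i) pairs, each giving a DoS burst
    [s_att_i, s_att_i + tau_i) as in Eq. (19)."""
    s_att = set()
    for s, tau in intervals:
        s_att.update(range(s, s + tau))
    horizon = set(range(k0, km))
    return s_att & horizon, horizon - s_att


def is_partition(s_att, s_nor, k0, km):
    """Conclusions (i) and (ii): the two sets cover [k0, km) and are disjoint."""
    return (s_att | s_nor) == set(range(k0, km)) and not (s_att & s_nor)


def simulate(delivered, x0=1.0):
    """delivered[k] = 1 if the control packet of step k arrives (delta_2 = 1),
    0 if the DoS attack dropped it (delta_2 = 0 in Eq. (15)).
    Returns (final state, peak |x|)."""
    x = x0
    peak = abs(x)
    for d in delivered:
        u = K * x if d else 0.0
        x = A * x + B * u
        peak = max(peak, abs(x))
    return x, peak


def schedule_from_sets(s_att, k0, km):
    """Turn S_att into the delivered/dropped vector consumed by simulate()."""
    return [0 if k in s_att else 1 for k in range(k0, km)]


def effective_dos_duration(x0=1.0, max_tau=100):
    """Smallest burst length tau (the EDDT of Definition 1) for which a single
    DoS burst starting from state x0 pushes |x| outside X_BOUND; None if no
    burst up to max_tau does so."""
    for tau in range(1, max_tau + 1):
        _, peak = simulate([0] * tau, x0)
        if peak > X_BOUND:
            return tau
    return None


def bernoulli_schedule(steps, alpha, seed=1):
    """Random DoS of Eq. (14): each packet is independently delivered with
    probability alpha (the successful-transmission probability); the returned
    flag is 1 for delivered, i.e. the complement of gamma_k."""
    rng = random.Random(seed)
    return [1 if rng.random() < alpha else 0 for _ in range(steps)]


if __name__ == "__main__":
    bursts = [(3, 2), (8, 3)]
    s_att, s_nor = dos_sets(bursts, 0, 12)
    print("S_att =", sorted(s_att), "S_nor =", sorted(s_nor),
          "partition:", is_partition(s_att, s_nor, 0, 12))
    print("EDDT for |x| <= %.0f from x0=1:" % X_BOUND, effective_dos_duration())
    _, peak = simulate(schedule_from_sets(s_att, 0, 12))
    print("peak |x| under the burst schedule: %.3f" % peak)
```

With these constants the open loop grows by a factor 1.2 per dropped packet, so the EDDT from $x_0 = 1$ is the first $\tau$ with $1.2^\tau > 10$, i.e. 13 samples; two short bursts of 2 and 3 samples never leave the envelope.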

2.3. Stealth attack

Stealth attacks are common in fields ranging from economics to engineering, for example forging handwriting to take over authority for economic benefit, or tampering with the communication data in ICSs to destroy the target system. The process is more sophisticated than other kinds of attack, and man-in-the-middle (MITM) is one of the most typical. Based on information disclosure, attackers can record the original operating data of the system; from these data they can analyze and model the system, or implement other types of attack such as replay attacks [36] and handwriting simulation [16].
We assume that the attackers have almost full knowledge of the system. Thus, they can not only carry out successful attacks but also hide themselves well. Hence, this case requires more sophisticated resources and more plant knowledge to find and defend against them [21].
Considering the stealthy attack, Eq. (1) can be rewritten as

$$
\begin{aligned}
y_k &= C_p\,x_k + D_2\,\upsilon_k \\
\tilde u^c_k &= K\,x_k
\end{aligned}
\tag{20}
$$

where $\tilde u^c_k$ denotes the control input from the controller transmitted via the network, and $\tilde u^c_k = K x_k$ is the state feedback control law. In the linear case it is represented as $\tilde u^c_k = u^c_k + u_{att,k}$, where $u_{att,k}$ is usually taken as the cyber-attack in the controller-to-actuator channel.
Synthesizing the two equations in (20), we get

$$
\begin{aligned}
\tilde u^c_k &= C_c\,z_k + D_c\,(y_{pc,k} + y_{ref,k}) \\
&= C_c\,z_k + D_c\,(y_k + y_{att,k} + y_{ref,k})
\end{aligned}
\tag{21}
$$

Remark 8. On the one hand, in the secure case, $u_{att,k} = 0$ and $y_{att,k} = 0$, so $\tilde u^c_k = u^c_k$ and $y_{pc,k} = y_k$; consequently, the system (20) and (21) reduces to the NCS (1) and (2). On the other hand, when the system has lost security, $\mu_k \ne 0$, $y_{att,k} \ne 0$, $\tilde u^c_k \ne u^c_k$ and $y_{pc,k} \ne y_k$.
Combining (20) and (21), the closed-loop response of the system in the nominal case is

$$
y_k = \Phi\,\big(C_p K^{-1} C_c\,z_k + C_p K^{-1} D_c\,y_{ref,k} + D_2\,\upsilon_k\big)
\tag{22}
$$

where $\Phi = \big(I - C_p K^{-1} D_c\big)^{-1}$.

In the presence of a stealth attack or covert agent, the control signal $u^c_k$ is changed into $\tilde u^c_k = u^c_k + u_{att,k}$, and the feedback signal in the sensor-to-controller channel becomes $y_k + y_{att,k}$.
Since the attacker has been learning and imitating the original system, the attacker's model can be formulated similarly to the original system:

$$
\begin{aligned}
y_{att,k} &= \Theta_\mu\,u_{att,k} \\
u_{att,k} &= \Theta_u\,y_{att,k} + \Theta_{ref}\,y_{ref,k}
\end{aligned}
\tag{23}
$$

where $\Theta_\mu$, $\Theta_u$ and $\Theta_{ref}$ are matrices to be determined and adjusted according to the learning errors. This feedback loop is driven by the $y_{ref,k}$ input, giving

$$
\begin{aligned}
u_{att,k} &= \big(I - \Theta_u \Theta_\mu\big)^{-1}\,\Theta_{ref}\,y_{ref,k} \\
y_{att,k} &= \Theta_\mu\,\big(I - \Theta_u \Theta_\mu\big)^{-1}\,\Theta_{ref}\,y_{ref,k}
\end{aligned}
\tag{24}
$$

According to Eqs. (22) and (23), the case $\Theta_\mu = C_p K^{-1} + D_2\,\upsilon_k\,(u^c_k)^{-1}$ is ideal: it indicates that the error between the real system and the covert agent is zero, i.e. the original system has been fully learned and mastered by the attacker.
Synthesizing the effects of cyber-attacks within both the forward and feedback channels, the integrated state update of the plant is as follows:

$$
\begin{aligned}
x_{k+1} &= A_p\,x_k + B_p\,\tilde u^c_k + \omega_k \\
&= A_p\,x_k + B_p\,\big(C_c\,z_k + D_c\,(y_k + \Delta y_{pc,k} + y_{ref,k}) + \Delta u_{ca,k}\big) + \omega_k \\
&= A_p\,x_k + B_p\,\big(u^c_k + D_c\,\Delta y_{pc,k} + D_c\,y_{ref,k} + \Delta u_{ca,k}\big) + \omega_k
\end{aligned}
\tag{25}
$$

Remark 9. In Eq. (25), $\Delta u_{ca,k}$ and $D_c\,\Delta y_{pc,k}$ are the attack signals injected into the control (forward) channel and the feedback channel, respectively, when the cyber-attack is a stealth attack such as a man-in-the-middle attack. In order to hide the attack, the attacker aims to satisfy the condition $\Delta u_{ca,k} = -D_c\,\Delta y_{pc,k}$, which is equivalent to the condition $P u = u$ in [21]. For any case of $\Delta u_{ca,k}$ and $D_c\,\Delta y_{pc,k}$ with $\Delta u_{ca,k} \ne -D_c\,\Delta y_{pc,k}$, $y_{ref,k}$ aims to defend against the attack by enforcing $D_c\,\Delta y_{pc,k} + D_c\,y_{ref,k} + \Delta u_{ca,k} = 0$.
According to the above remark, we have

$$
x_{k+1} = A_p\,x_k + B_p\,\big(U^c_k + \Delta U_k\big) + \omega_k
\tag{26}
$$

where $\Delta U_k = D_c\,\Delta y_{pc,k} + \Delta u_{ca,k}$ is the attack over the channels and $U^c_k = u^c_k + D_c\,y_{ref,k}$ is the security control scenario.
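The following added example, which is not code from the paper, plays out Remark 3 and Remark 9 on a scalar instance of (1)–(4): a Luenberger observer produces the residual $r_k = y_k - C\hat x_k$, an actuator-channel attack $\Delta u_{ca,k}$ is injected, and in the covert variant the attacker additionally runs its own copy of the plant (the role of $\Theta_\mu$ in (23)) and cancels the attack's effect on the feedback channel, which is the stealth condition of Remark 9. The plant parameters, gains, threshold and attack magnitude are constructed values; the plant is chosen open-loop unstable so that the covert attack drives the true state far away while the detector stays silent.

```python
"""Residual detector (Eq. (4)) against an actuator attack, naive and covert.

Scalar instance of the model: x[k+1] = A x[k] + B u[k], y[k] = C x[k], state
feedback u = K xhat from a Luenberger observer whose innovation
r = y - C xhat is the detection residual. All numbers are constructed for the
demonstration and are not taken from the paper.
"""

A, B, C = 1.2, 1.0, 1.0   # open-loop unstable plant
K = -0.9                  # closed-loop pole A + B*K = 0.3
L = 0.6                   # observer gain, estimation-error pole A - L*C = 0.6
J_TH = 1e-6               # residual threshold J_th


def simulate(steps, u_att, covert, x0=1.0):
    """Run the closed loop for `steps` samples.

    u_att(k): signal the attacker adds on the controller-to-actuator channel
              (Delta u_ca,k in Eq. (25)).
    covert:   if True the attacker also propagates the injected input through
              its own copy of the plant and subtracts the resulting output from
              the sensor channel (Delta y_pc,k), so the controller and the
              detector only ever see the nominal closed loop.
    Returns (largest |r_k| observed, |x| at the end).
    """
    x, xhat, x_att = x0, x0, 0.0
    max_r = 0.0
    for k in range(steps):
        y_true = C * x
        y_att = C * x_att if covert else 0.0     # attacker's cancellation term
        y_seen = y_true - y_att                  # what reaches controller/detector
        u = K * xhat                             # controller output u^c_k
        r = y_seen - C * xhat                    # residual r_k of Eq. (4)
        max_r = max(max_r, abs(r))
        xhat = A * xhat + B * u + L * r          # observer update with nominal u
        ua = u_att(k)
        x = A * x + B * (u + ua)                 # plant receives the attacked input
        x_att = A * x_att + B * ua               # attacker's plant copy, input ua only
    return max_r, abs(x)


def run_scenario(covert, steps=30, start=5, magnitude=0.5):
    """Constant actuator attack from sample `start` on; returns the verdict."""
    def u_att(k):
        return magnitude if k >= start else 0.0
    max_r, x_end = simulate(steps, u_att, covert)
    return {"alarm": max_r > J_TH, "max_residual": max_r, "final_state": x_end}


def run_nominal(steps=30):
    """No attack at all: the residual is identically zero."""
    max_r, x_end = simulate(steps, lambda k: 0.0, covert=False)
    return {"alarm": max_r > J_TH, "max_residual": max_r, "final_state": x_end}


if __name__ == "__main__":
    for name, res in (("no attack", run_nominal()),
                      ("naive attack", run_scenario(covert=False)),
                      ("covert attack", run_scenario(covert=True))):
        print(f"{name:14s} alarm={res['alarm']!s:5s} "
              f"max|r|={res['max_residual']:.3g} |x_end|={res['final_state']:.3g}")
```

In the naive case the estimation error settles at $0.5/(1 - 0.6) = 1.25$ and the alarm fires, while the loop still contains the true state near 2.3; in the covert case $x - x_{att}$ evolves exactly like the nominal plant, the residual never exceeds rounding noise, and the true state has grown past 200 after 25 attacked samples, which is the situation Remark 3 warns about.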

2.4. Replay attack

As mentioned for the Iranian nuclear program, the Stuxnet worm is a typical example of a replay attack [42]. This kind of cyber threat hides in the system and records the normal data of the plant and the sensor measurement outputs for several weeks or months, or even years, then selects a proper time to replay these data while carrying out its own attack actions, which keeps the attack from being detected; see the process presented in [21,34] and the related references.
In the domain of information security, the conventional solutions are challenge-response, time stamps, serial numbers and other methods. In the field of control theory, the $\chi^2$ detector and the physical watermark detection method for detecting replay attacks have gradually become the mainstream, see [34–37] and the references therein.

Fig. 3. The process of replay attack scenario (1).

Before the analysis of the replay attack, a meaningful definition is given as follows.

Definition 2. In the interval $T \triangleq [k_0, k_m)$, the CPS is under an information disclosure attack: the data of the plant state and the sensor output during the interval have been recorded by the attacker. Although the attacker has the capability to inject any recorded data into the CPS at any time, none of the data is replayed to the SCADA system, and no stealthy attack is acting. Then, this interval is called the “incubation time”.
Generally, a replay attack does not work alone; it needs the foundation of information disclosure to record the normal system data, and these data are used to confuse the system by replaying historical data. Recorded data alone are not enough: the attacker can only achieve a successful attack by taking over the authority of the system.
Most of the time, the attacker is hidden in the “incubation time”, then selects a perfect time to trigger the replay attack; the instant is given in Fig. 3. In [36], the replay attack strategy is presented with the time-shifted variables $y_k^\nu = y_{k-T}$, $0 \le k \le T$ and $\hat{x}^\nu_{k|k-1} = \hat{x}^\nu_{k-T|k-T-1}$, where $T$ is the attack period. However, many important details were not considered.
In this paper, we propose two schemes of replay attack strategies. One is the full cycle attack mode, as presented in Fig. 3. Under this mode, in order to hide the attacker's behavior, the attackers often choose the replay instant at $h_k + s$, which satisfies the condition $s > h_{k+1} - h_k = T$. Then, a perfect attack starting point $x_{h_k+s} = x_{h_k}$ is selected, such that the error between the injected point and its neighbor point is minimal (zero in theory), and the system seems to be operating normally to the SCADA system, although the virtual data of the system is blocked. Consequently, the attackers can hide themselves successfully.
Then, the replay attack process can be formulated as
$$x^a_{h_k+s+i} = x_{h_k+i} \qquad (27)$$
where $i \in \{0, 1, \cdots, T\} \triangleq S_1$, $S_1$ is the set containing all the replay instants, $x^a_{[\cdots]}$ denotes the injected replay data, and $x_{[\cdots]}$ is the original data of the system. $T = h_{k+1} - h_k$ is defined as the data recording period. $x_k$ is the recorded information of the plant, and $y_k$ is the recorded information of the sensor measurement outputs, where $k \in [h_k, h_{k+1})$.
Another scheme is the incomplete periodic replay attack; the process is presented in Fig. 4. Similar to the features presented in Fig. 3, the beginning of the replay attack is the same in both schemes. The main difference between them is when to stop the replay attack. In order to hide the replay attack action, the condition $x^a_{h_k+s+i} = x_{h_k+s+i}$ is a good choice. Hence, the errors $\Delta_{f,k} = x_{h_k+s+i+1} - x^a_{h_k+s+i} = x_{h_k+s+i+1} - x_{h_k+s+i}$ seem to be normal.

Fig. 4. The process of replay attack scenario (2) (For interpretation of the references to color in this figure, the
reader is referred to the web version of this article).

In order to reduce the error between the replay attack start position and the adjacent points, and to reduce the probability of recognition and detection, the attacker will usually select $h_k + s$ as the replay attack starting point, which yields $x_{h_k+s} = x_{h_k}$ or $y_{h_k+s} = y_{h_k}$, to attack the controller-to-plant forward loop or the sensor-to-controller feedback loop. This attack is strongly hidden, as can be seen from the starting point of the red attack in Fig. 4. Comparing the two schemes of the replay attack, the latter is more hidden.
We define $a_k = |x^a_{h_{k+j}+s_j+i} - x_{h_{k+j}+s_j+i+1}|$ to denote the interval between two secure states, and the attacker takes action according to $T_j = x_{h_{k+j}+s_j+i+1} - x_{h_{k+j}+s_j+i}$, $j \in \{1, 2, \ldots, N\}$. Selecting $k = h_{k+j} + s_j + i$ where $k \in [h_{k+j} + s_j,\ h_{k+j+1} + s_{j+1})$, we have $u^a_k = u_{k-jT}$, the corresponding feedback state is $x^a_k = x_{k-jT}$, such that the system model is formulated as

$$\begin{cases} x_{k+1} = A_p x_k + B u_{k-jT} + \omega_k \\ y_k = C_p x_k + v_k \end{cases} \qquad (28)$$
where $x_k \in \mathbb{R}^n$ is the system state, $u_{k-jT}$ is the control input under the replay attack, $\omega_k$ and $v_k$ are the system disturbances, and $y_k \in \mathbb{R}^n$ is the sensor measurement.
Based on the previous analysis, the system model can be further evolved as
$$\begin{cases} x_{k+1} = A_p x_k + B(\bar{u}_k + \Delta u_k) + \omega_k \\ y_k = C_p x_k + v_k \end{cases} \qquad (29)$$

Remark 10. Since the control $u_k$ is masked by the replay attack signal, $\bar{u}_k$ is obtained indirectly from the historical healthy data. If cyber-attacks are absent, the condition $u_k = \bar{u}_k$ holds.

Considering the closed-loop perspective, we have
$$\begin{cases} x_{k+1} = A_p(\bar{x}_k + \Delta x_k) + B\bar{u}_k + \omega_k \\ y_k = C_p \bar{x}_k + \Delta y_k + v_k \end{cases} \qquad (30)$$
where $\Delta u_k = K \Delta x_k$ is the attack in the forward channel, and $\Delta y_k = C_p \Delta x_k$ is the attack in the feedback channel. Similar to $\bar{u}_k$, $\bar{x}_k$ is obtained indirectly from the historical data record.

3. Stability analysis with uncertainties and security defense scenarios design

3.1. Stabilization of NCS with uncertainties

Based on the above modeling of multi-source cyber-attacks, some results are derived with control theory.

Theorem 1. For the given system (9), if there exist scalars $\kappa$, $\lambda < 1$ and $\varepsilon_2 > \varepsilon_1 > 0$ such that the zero-input solution of the system satisfies
$$\|\eta_k\| < \kappa \lambda^{(k-k_0)} \|\eta_{k_0}\| \qquad (31)$$
then system (9) is said to be exponentially stable (ES) with zero input. The decay rate is $\kappa$, and the scalar $\kappa = \sqrt{\varepsilon_2/\varepsilon_1}$.
System (9) is asymptotically stable (AS) with an $H_\infty$ disturbance level $\gamma > 0$ if there exist a symmetric matrix $P > 0$ and positive matrices $J$, $M$ satisfying
$$\begin{bmatrix} -P & * & * & * \\ 0 & -\gamma^2 I & * & * \\ PA_z & PB_z & -P & * \\ PC_z & PD_z & 0 & -P \end{bmatrix} < 0 \qquad (32)$$
where
$$A_z = \begin{bmatrix} A + BD_cC & BC_c + BD_cJ & 0 \\ B_cC & A_c & 0 \\ B_eD_cC + E_eC & B_eC_c + B_eD_cJ & A_e \end{bmatrix},$$
$$B_z = \begin{bmatrix} B + M & BD_c & I_{n_x} & BD_c \\ 0 & B_c & 0 & 0 \\ 0 & B_eD_c + E_e & 0 & B_eD_c + E_e \end{bmatrix},$$
$$C_z = \begin{bmatrix} D_eD_cC + F_eC & D_eC_c + D_eD_cJ & C_e \end{bmatrix} \quad \text{and}$$
$$D_z = \begin{bmatrix} 0 & D_eD_c + F_e & 0 & D_eD_cI_\nu + F_eI_\nu \end{bmatrix}.$$
Proof. Define a Lyapunov function as
$$V(\eta_k, k) = \eta_k^T P \eta_k$$
where $P = P^T > 0$. The difference of $V(\eta_k, k)$ along the trajectory of system (9) is calculated as
$$\Delta V = V(\eta_{k+1}, k+1) - V(\eta_k, k)$$
If $\varpi(k) = 0$, system (9) turns into $\eta_{k+1} = A_z \eta_k$, then we have
$$\Delta V(\eta_k, k) = \eta_{k+1}^T P \eta_{k+1} - \eta_k^T P \eta_k = \eta_k^T \left( A_z^T P A_z - P \right) \eta_k$$
According to the stabilization definitions [43], we can determine that there exists $P = P^T > 0$ such that $A_z^T P A_z - P < 0$ holds, which indicates $\Delta V(\eta_k, k) < 0$, and $V(\eta_{k+1}, k+1) < \lambda^2 V(\eta_k, k)$ holds. Then
$$V(\eta_k, k) < \lambda^{2(k-1)} V(\eta_{k-1}, k-1)$$


$$< \lambda^{2(k-2)} V(\eta_{k-2}, k-2) < \cdots < \lambda^{2(k-k_0)} V(\eta_{k_0}, k_0)$$

Define $\varepsilon_1 = \min\{\lambda_{\min}(P)\}$ and $\varepsilon_2 = \max\{\lambda_{\max}(P)\}$, thus
$$\varepsilon_1 \|\eta_k\|^2 < V(\eta_k, k) < \lambda^{2(k-k_0)} V(\eta_{k_0}, k_0) < \varepsilon_2 \lambda^{2(k-k_0)} \|\eta_{k_0}\|^2$$
furthermore,
$$\|\eta_k\| < \sqrt{\frac{\varepsilon_2}{\varepsilon_1}}\; \lambda^{(k-k_0)} \|\eta_{k_0}\|$$
so system (9) is exponentially stable when $\varpi(k) = 0$, and the decay rate is $\lambda$, with scalar $\kappa = \sqrt{\varepsilon_2/\varepsilon_1}$.
If $\varpi_k \neq 0$, calculating the difference along (9) in light of the system performance, we can obtain
$$\sum_{k=0}^{\infty} \left[ \Delta V(\eta_k, k) + R_k^T R_k - \gamma^2 \varpi_k^T \varpi_k \right] = \sum_{k=0}^{\infty} \begin{bmatrix} \eta_k \\ \varpi_k \end{bmatrix}^T \begin{bmatrix} A_z^T P A_z - P + C_z^T P C_z & A_z^T P B_z \\ B_z^T P A_z & -\gamma^2 I + B_z^T P B_z + D_z^T P D_z \end{bmatrix} \begin{bmatrix} \eta_k \\ \varpi_k \end{bmatrix} \qquad (33)$$

If the stability of this system is to be guaranteed, it is necessary to satisfy the condition
$$\begin{bmatrix} A_z^T P A_z - P + C_z^T P C_z & A_z^T P B_z \\ B_z^T P A_z & -\gamma^2 I + B_z^T P B_z + D_z^T P D_z \end{bmatrix} < 0 \qquad (34)$$
By using the Schur complement method, we have
$$\begin{bmatrix} -P & * & * & * \\ 0 & -\gamma^2 I & * & * \\ PA_z & PB_z & -P & * \\ PC_z & PD_z & 0 & -P \end{bmatrix} < 0 \qquad (35)$$
where
$$A_z = \begin{bmatrix} A + BD_cC & B_pC_c + BD_cJ & 0 \\ B_cC & A_c & 0 \\ B_eD_cC + E_eC & B_eC_c + B_eD_cJ & A_e \end{bmatrix},$$
$$B_z = \begin{bmatrix} B + M & BD_c & I_{n_x} & BD_c \\ 0 & B_c & 0 & 0 \\ 0 & B_eD_c + E_e & 0 & B_eD_c + E_e \end{bmatrix},$$
$$C_z = \begin{bmatrix} D_eD_cC + F_eC & D_eC_c + D_eD_cJ & C_e \end{bmatrix} \quad \text{and}$$
$$D_z = \begin{bmatrix} 0 & D_eD_c + F_e & 0 & D_eD_cI_\nu + F_eI_\nu \end{bmatrix}.$$

For all $\varpi_k \neq 0$, $\varpi_k \in l_2[0, \infty)$, with zero initial condition, there exist $V(\eta_0, 0) = 0$ and $V(\eta_\infty, \infty) \ge 0$, such that
$$\sum_{k=0}^{\infty} \left( R_k^T R_k - \gamma^2 \varpi_k^T \varpi_k \right) < 0 \qquad (36)$$
holds, which is equivalent to $\sum_{k=0}^{\infty} R_k^T R_k < \gamma^2 \sum_{k=0}^{\infty} \varpi_k^T \varpi_k$. ∎
According to [8,31] and the related references, the uncertainty caused by attack components can be described as
$$\begin{bmatrix} u_{ca,k} & u_{kf,k} \\ y_{sc,k} & y_{kf,k} \end{bmatrix} = H F_k \begin{bmatrix} E_{ua} & E_{uf} \\ E_{ya} & E_{yf} \end{bmatrix}$$
where $H$ is a known real constant matrix, and $F_k$ is an unknown matrix with Lebesgue measurable elements satisfying $F_k F_k^T \le I$. In general, the uncertainties $u_{kf}$ and $y_{kf}$ cannot be separated from $u_{c-a,k}$ and $y_{s-c,k}$ even if Assumption 2 holds. Hence, the form $[u_k \ \ y_k]^T = H F_k [E_{ua} \ \ E_{ub}]$ is a logical selection.
Theorem 2. For the given matrix $H$ and symmetric matrix $P = P^T > 0$ in system (9) with Assumption 2, system (9) is asymptotically stable (AS) if there exist matrices $Q$, $S$, $M$, $E_a$ and parameters $\gamma > 0$, $\varepsilon > 0$ satisfying the following linear matrix inequality
$$\begin{bmatrix} -P & * & * & * & * \\ 0 & -\gamma^2 I & * & * & * \\ PA_c & PE_c & -P + \Phi_1 & * & * \\ PC_c & PF_c & 0 & -P + \Phi_1 & * \\ \Upsilon_1 & 0 & 0 & 0 & -\varepsilon I \end{bmatrix} < 0 \qquad (37)$$
where
$$\Phi_1 = \begin{bmatrix} \varepsilon P_{11} Q H H^T Q^T P_{11}^T & 0 & 0 \\ 0 & \varepsilon P_{12} S H H^T S^T P_{12}^T & 0 \\ 0 & 0 & \varepsilon P_{13} M H H^T M^T P_{13}^T \end{bmatrix}, \quad \Phi_2 = \varepsilon P_{11} N H H^T N^T P_{11}^T,$$
$\Upsilon_1 = [E_a \ \ 0 \ \ 0]$. The matrix blocks $A_c$, $C_c$, $E_c$ and $F_c$ have already been defined in the aforementioned parts.
Proof. Similar to the proof of Theorem 1, choosing the Lyapunov function $V(\eta_k, k) = \eta_k^T P \eta_k$ and tracking along system (9), the difference is calculated as
$$\Delta V(\eta_k, k) = \eta_{k+1}^T P \eta_{k+1} - \eta_k^T P \eta_k$$
If $\xi_k \equiv 0$, we have
$$\Delta V(\eta_k, k) = \eta_{k+1}^T P \eta_{k+1} - \eta_k^T P \eta_k = \eta_k^T \left[ (A_c + \Delta A)^T P (A_c + \Delta A) - P \right] \eta_k < 0 \qquad (38)$$
which equals $(A_c + \Delta A)^T P (A_c + \Delta A) - P < 0$, such that system (9) is exponentially stable (ES) under the attack.


If $\xi_k \neq 0$, calculate the difference of system (9) with consideration of the robust performance
$$\sum_{k=0}^{\infty} \left[ \Delta V(\eta_k, k) + R_k^T R_k - \gamma^2 \xi_k^T \xi_k \right] = \sum_{k=0}^{\infty} \begin{bmatrix} \eta_k \\ \xi_k \end{bmatrix}^T \Xi \begin{bmatrix} \eta_k \\ \xi_k \end{bmatrix}$$
where
$$\Xi = \begin{bmatrix} (A_c + \Delta A)^T P (A_c + \Delta A) - P + (C_c + \Delta C)^T P (C_c + \Delta C) & (A_c + \Delta A)^T P E_c \\ E_c^T P (A_c + \Delta A) & -\gamma^2 I + E_c^T P E_c + F_c^T P F_c \end{bmatrix}$$
If we want to guarantee the stability of the system (1), the following condition should be satisfied
$$\begin{bmatrix} (A_c + \Delta A)^T P (A_c + \Delta A) - P + (C_c + \Delta C)^T P (C_c + \Delta C) & (A_c + \Delta A)^T P E_c \\ E_c^T P (A_c + \Delta A) & -\gamma^2 I + E_c^T P E_c + F_c^T P F_c \end{bmatrix} < 0 \qquad (39)$$
Utilizing the Schur complement,
$$\begin{bmatrix} -P & * & * & * \\ 0 & -\gamma^2 I & * & * \\ P(A_c + \Delta A) & PE_c & -P & * \\ P(C_c + \Delta C) & PF_c & 0 & -P \end{bmatrix} < 0 \qquad (40)$$
By decomposing the calculation, we can obtain
$$\begin{bmatrix} -P & * & * & * \\ 0 & -\gamma^2 I & * & * \\ PA_c & PE_c & -P & * \\ PC_c & PF_c & 0 & -P \end{bmatrix} + \begin{bmatrix} 0 & * & * & * \\ 0 & 0 & * & * \\ P\Delta A & 0 & 0 & * \\ P\Delta C & 0 & 0 & 0 \end{bmatrix} < 0 \qquad (41)$$
where $\Delta A = \begin{bmatrix} Q\Delta A_k & 0 & 0 \\ S\Delta A_k & 0 & 0 \\ M\Delta A_k & 0 & 0 \end{bmatrix}$, $\Delta C = \begin{bmatrix} N H F_k E_a & 0 & 0 \end{bmatrix}$, $S = B_c C A^{-1}$, $Q = (BK + BD_cC)A^{-1}$, $M = (B_eD_c + E_e)CA^{-1}$ and $N = (D_eD_c + F_e)CA^{-1}$.
For any case, the matrix $P$ can be decomposed into blocks of appropriate dimensions $P = [P_{ij}]$, $i, j \in \{1, 2, 3\}$, according to $\Delta A$ and $\Delta C$. In light of the definition $\Delta A_k = H F_k E_a$, we have
$$P\Delta A = \begin{bmatrix} P_{11} Q H F_k E_a & 0 & 0 \\ P_{12} S H F_k E_a & 0 & 0 \\ P_{13} M H F_k E_a & 0 & 0 \end{bmatrix}, \quad P\Delta C = P_{11} N H F_k E_a.$$
Substituting the above results into Eq. (41) and applying the Lemmas in [31], we get
$$\begin{bmatrix} -P & * & * & * & * \\ 0 & -\gamma^2 I & * & * & * \\ PA_c & PE_c & -P + \Phi_1 & * & * \\ PC_c & PF_c & 0 & -P + \Phi_1 & * \\ \Upsilon_1 & 0 & 0 & 0 & -\varepsilon I \end{bmatrix} < 0$$

 
where
$$\Phi_1 = \begin{bmatrix} \varepsilon P_{11} Q H H^T Q^T P_{11}^T & 0 & 0 \\ 0 & \varepsilon P_{12} S H H^T S^T P_{12}^T & 0 \\ 0 & 0 & \varepsilon P_{13} M H H^T M^T P_{13}^T \end{bmatrix}, \quad \Phi_2 = \varepsilon P_{11} N H H^T N^T P_{11}^T$$
and $\Upsilon_1 = [E_a \ \ 0 \ \ 0]$. ∎
For system (9), a predetermined threshold is adopted to detect the additions caused by cyber-attacks, which is usually formed as
$$\begin{cases} J_r(k) > J_{th}(k) \Rightarrow \text{alarm} \\ J_r(k) \le J_{th}(k) \Rightarrow \text{no alarm} \end{cases} \qquad (42)$$
where $J_r(k)$ is the real-time output error and $J_{th}(k)$ is the predetermined threshold.

Remark 11. From the stabilization definition in [43], we can derive $\|R_k\|^2 \le \gamma^2 \|\varpi_k\|^2 = \gamma^2 \|\mu_k + \xi_k\|^2$; furthermore, $\|R_k\|^2 \le \delta_\mu^2 + \delta_\xi^2$ with $\delta_\mu^2 = \gamma^2 \|\mu_k\|^2$ and $\delta_\xi^2 = \gamma^2 \|\xi_k\|^2$ representing the effects of disturbance and cyber-attacks. If system (9) is secure, we have $\|R_k\|^2 \le \delta_\xi^2$, thus $\delta_\mu^2 = \gamma^2 \|\mu_k\|^2 = 0$. In this case, the research issue degenerates to the classical robust control problem for dynamic disturbances. Therefore, the key point of security control turns to the identification of perturbation and cyber-attack.

3.2. Security defense framework design

On the other hand, the best way to defend a network against an attacker is to think like an attacker. In this part, we assume the attacker can learn and imitate the original system very well through the steps of reconnaissance, scanning, enumeration, penetration and infection. Based on these techniques, the attacker knows the system very well, and an attack scenario is then easy to play, such as information disclosure, DoS attack, stealthy attack and replay attack [23].
The objective of IT security is to protect the integrity of data within the communication channel rather than the physical resources of the system. This is the biggest difference between CPS security issues and conventional IT security focuses.

Fig. 5. A novel defense structure of NCS for deception attack.

As presented in Fig. 5, the data transmitted from the controller is packaged as $\{T_{stamp,k}, U^w_{c,k}, U^d_{c,k}\}$, including the time-stamp, the real control and its detection signal by hash function. $T_{stamp}(k)$ is the time-stamp function at instant $k$, which is obtained by
$$T_{stamp,k} = E\left(\mathrm{co}\{\mathrm{hash}_1(k), \mathrm{time}(k), \mathrm{date}(k)\}\right) \qquad (43)$$

where $U^w_{c,k} = E(u_{c,k})$ and $U^d_{c,k} = \mathrm{hash}(U^w_{c,k})$ stand for the encrypted control signal and the detection signal. Because the hash function is one-way, a privately shared hash algorithm is considered secure enough to ensure that the transmitted data are unique and safe.
According to the aforementioned work, several meaningful results will be obtained.

Theorem 3. Given $\mathrm{Seq}^c(k) = \{T^c_{stamp,k}, U^w_{c,k}, U^d_{c,k}\}$ as the controller-side sending sequence to the actuator, and the received sequence at the actuator side $\widetilde{\mathrm{Seq}}^c(k) = \{\tilde{T}^c_{stamp,k}, \tilde{U}^w_{c,k}, \tilde{U}^d_{c,k}\}$, the forward channel within system (1)–(3) is said to be secure without any information disclosure and tampering if the following conditions are satisfied.

(i) $D(\tilde{T}^c_{stamp,k}) - D(T^c_{stamp,k}) > 0$;
(ii) $\Delta_{ca} = \mathrm{hash}(\tilde{U}^w_{c,k}) - \tilde{U}^d_{c,k} = \Delta U^d_{c,k} = 0$;

Proof. If conditions (i) and (ii) are satisfied, it can be deduced that the information within $\mathrm{Seq}^c(k)$ and $\widetilde{\mathrm{Seq}}^c(k)$ is identical, which indicates that the data transmitted via the forward channel is secure without any modification. The integrity is ensured in this case.
Otherwise, if one of the two conditions or even both of them are not met, then $\mathrm{Seq}^c(k) \neq \widetilde{\mathrm{Seq}}^c(k)$. Under these circumstances, the integrity of the package is destroyed; in other words, the transmitted package has been intercepted and tampered with.
The aforementioned assumptions indicate that $U^d_{c,k} = \tilde{U}^d_{c,k}$, which is ensured by the practical technique of hidden coding. Then, we can judge whether the information of the channel transmission is attacked by condition (ii). ∎

Similar to the methodology presented in Theorem 1, a further conclusion is drawn.

Theorem 4. Given the feedback sequence $\mathrm{Seq}^p(k) = \{T^p_{stamp,k}, Y^w_k, Y^d_k\}$, and the received encrypted sequence at the controller side $\widetilde{\mathrm{Seq}}^p(k) = \{\tilde{T}^p_{stamp,k}, \tilde{Y}^w_k, \tilde{Y}^d_k\}$, the feedback channel within system (1)–(3) is said to be secure without any information disclosure and tampering if the following conditions are satisfied.

(i) $D(\tilde{T}^p_{stamp,k}) - D(T^p_{stamp,k}) > 0$;
(ii) $\Delta_{sc} = \mathrm{hash}(\tilde{Y}^w_k) - \tilde{Y}^d_k = \tilde{Y}^d_k - Y^d_k = 0$;

The proof of Theorem 2 can be obtained by referring to the proof of Theorem 1, since the proofs are almost alike.

Remark 12. Using the judgement conditions in Theorem 1, the attack vector $\mu_k$ can be detected. Then the attack vector is extracted from the mixed signals as a part of the uncertainty $\Delta u^c_k = \mu_k$. According to $u^c_k$ and $u^c_k + \Delta u^c_k$, the post-plant unit obtains the sensor outputs $y_k$ and $\Delta y_k$. Aiming to find the covert agent, $y^{w-\mu}_k = y_k - \Delta y_k$ is defined for detection. By adopting the hash function, the detection vectors $Y^{d-\mu}_k$ and $Y^d_k$ are derived.

Based on Remark 12, a result for covert agent detection is concluded.


Theorem 5. Given the sensor-side data $\mathrm{Seq}^p(k) = \{T^p_{stamp,k}, Y^w_k, Y^{d-\mu}_k, Y^d_k\}$ sent to the controller, and the controller-side received data $\widetilde{\mathrm{Seq}}^p(k) = \{\tilde{T}^p_{stamp,k}, \tilde{Y}^w_k, \tilde{Y}^{d-\mu}_k, \tilde{Y}^d_k\}$. Synthesizing


Theorems 1 and 2, we can conclude that the feedback channel within the system composed of (1)–(4) is secure with no hidden agent if the following equations hold

(i) $D(T^p_{stamp,k}) - D(\tilde{T}^p_{stamp,k}) \le 0$;
(ii) $\Delta_{sc} = \mathrm{hash}(\tilde{Y}^w_k) - \tilde{Y}^d_k = \Delta Y^d_k = 0$;
(iii) $\tilde{\Delta}_{sc} = \mathrm{hash}(\tilde{Y}^w_k) - \tilde{Y}^{d-\mu}_k = 0$;

Furthermore, given the transmitted data $\mathrm{Seq}^p(k) = \{T^p_{stamp,k}, Y^{w-\mu}_k, Y^{d-\mu}_k, Y^d_k\}$ from the sensors and the received data $\overline{\mathrm{Seq}}^p(k) = \{\bar{T}^p_{stamp,k}, \bar{Y}^{w-\mu}_k, \bar{Y}^{d-\mu}_k, \bar{Y}^d_k\}$ of the controller, it can be said that there exists a covert agent among the forward and feedback channels if the following equations hold

(I) $D(T^p_{stamp,k}) - D(\bar{T}^p_{stamp,k}) \le 0$;
(II) $\Delta_{sc} = \mathrm{hash}(\bar{Y}^{w-\mu}_k) - \bar{Y}^{d-\mu}_k = 0$;
(III) $\bar{\Delta}_{sc} = \mathrm{hash}(\bar{Y}^{w-\mu}_k) - \bar{Y}^d_k \neq 0$;

Proof. If the sensor-to-controller channel within the system is secure, the condition (i) $D(\tilde{T}^p_{stamp,k}) \ge D(T^p_{stamp,k})$ can be derived directly, although condition (i) alone is not a sufficient condition for the judgement. Meanwhile, information disclosure and tampering have not happened, such that $\mathrm{Seq}_k = \widetilde{\mathrm{Seq}}_k$ holds. This is also the case of Theorem 2. In addition, referring to the definition of the parts within $\mathrm{Seq}_k$ and $\widetilde{\mathrm{Seq}}_k$, before data transmission $\mathrm{hash}(Y^w_k) = Y^d_k$ and $\mathrm{hash}(E(y_k - \mu_k)) = Y^{d-\mu}_k$ are determined. Hence, the above definitions are used to judge the security of the system and whether a covert agent exists.
Otherwise, if there exists an undetectable covert agent (CA) attacker, the injected uncertainties of the control input are still detected and separated based on the approach within Theorem 1. From the package schedule, we know $\mathrm{hash}(D(y_k)) = \mathrm{hash}(Y^w_k) = Y^d_k$ and $\mathrm{hash}(D(y_k - \Delta y_k)) = Y^{d-\mu}_k$. Since the CA attacker has full knowledge of the plant, together with the ability to listen to the communication channels between sensor and controller, it can remove the effects it has put on. According to the parts of the controller-side received sequence $\overline{\mathrm{Seq}}_k$, conditions (I), (II) and (III) together tell us the existence of the CA attacker. ∎

Remark 13. First of all, since the hash function has the one-way feature, the attacker cannot obtain the original message from hash values. Secondly, if the hash function is determined, the hash value will be the same for the same information. Last but not least, the industrial system always functions periodically, and the sampled data follow certain operating rules, which ensures that the historical database is healthy and trustworthy.
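The packaging of Fig. 5 and the judgement conditions of Theorems 3 and 5, with the replayed record of Section 2.4 as one of the rejected cases, as an added example that is not the paper's own code: it assumes E(·) can be modelled by a SHA-256 keystream with the instant k sent in clear as nonce, the privately shared hash by HMAC-SHA256 under a constructed key, condition (i) as the decoded time-stamp index exceeding the last accepted one, and the four-way verdict of check_feedback is this example's reading of conditions (ii)/(iii) and (II)/(III); keys, signal values and the time/date fields are constructed.

```python
import hashlib
import hmac
import json
import struct
from typing import NamedTuple, Optional

# Constructed shared secrets; assumption: both ends obtained them out of band.
ENC_KEY = b"constructed-encryption-key"
MAC_KEY = b"constructed-private-hash-key"

def _keystream(nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode over ENC_KEY and the nonce (stand-in for E's cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(ENC_KEY + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return bytes(out[:length])

def E(k: int, payload: bytes) -> bytes:
    """E(.): the instant k travels in clear as the nonce and the payload is XORed
    with a keystream bound to ENC_KEY and k, so no two instants share a keystream."""
    nonce = struct.pack(">Q", k)
    return nonce + bytes(p ^ s for p, s in zip(payload, _keystream(nonce, len(payload))))

def D(blob: bytes) -> bytes:
    """Inverse of E: read the nonce back, regenerate the keystream, XOR it away."""
    nonce, body = blob[:8], blob[8:]
    return bytes(c ^ s for c, s in zip(body, _keystream(nonce, len(body))))

def hash_(data: bytes) -> bytes:
    """The privately shared one-way function: HMAC-SHA256 under MAC_KEY."""
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()

def encode(value: float) -> bytes:
    return struct.pack(">d", value)

def timestamp(k: int) -> bytes:
    """T_stamp,k = E(co{hash1(k), time(k), date(k)}); time and date are constructed."""
    record = {"hash1": hashlib.sha256(str(k).encode()).hexdigest()[:16],
              "k": k, "time": "12:00:%02d" % (k % 60), "date": "2019-01-06"}
    return E(k, json.dumps(record).encode())

def decode_k(t_stamp: bytes) -> int:
    """D(T_stamp): the instant index carried inside the time-stamp."""
    return json.loads(D(t_stamp).decode())["k"]

class Package(NamedTuple):
    t_stamp: bytes                 # T_stamp,k
    w: bytes                       # U^w_{c,k} or Y^w_k = E(signal)
    d: bytes                       # U^d_{c,k} or Y^d_k = hash(w)
    d_mu: Optional[bytes] = None   # Y^{d-mu}_k = hash(E(y - mu)), feedback only

def send_forward(k: int, u: float) -> Package:
    """Controller side: {T_stamp,k, U^w_{c,k}, U^d_{c,k}} of Fig. 5."""
    w = E(k, encode(u))
    return Package(timestamp(k), w, hash_(w))

def check_forward(pkg: Package, last_k: int) -> bool:
    """Theorem 3: (i) time-stamp newer than the last accepted one,
    (ii) Delta_ca = hash(U~^w) - U~^d = 0."""
    cond_i = decode_k(pkg.t_stamp) > last_k
    cond_ii = hmac.compare_digest(hash_(pkg.w), pkg.d)
    return cond_i and cond_ii

def send_feedback(k: int, y: float, mu_hat: float) -> Package:
    """Post-plant side: mu_hat is the attack component separated on the forward
    channel (Remark 12); Y^{d-mu} is the hash of the output with that effect removed."""
    w = E(k, encode(y))
    return Package(timestamp(k), w, hash_(w), hash_(E(k, encode(y - mu_hat))))

def check_feedback(pkg: Package, last_k: int) -> str:
    """Theorem 5 read as a four-way verdict on the received feedback sequence."""
    if decode_k(pkg.t_stamp) <= last_k:
        return "stale"              # condition (i) fails: replayed or reordered record
    h = hash_(pkg.w)
    match_d = hmac.compare_digest(h, pkg.d)                                  # (ii) / (III)
    match_d_mu = pkg.d_mu is not None and hmac.compare_digest(h, pkg.d_mu)  # (iii) / (II)
    if match_d and match_d_mu:
        return "secure"             # both hashes agree: mu = 0, no hidden agent
    if match_d_mu and not match_d:
        return "covert_agent"       # received output is the attack-cancelled one
    return "attack_visible" if match_d else "tampered"  # mu reached the controller / integrity lost

def simulate(case: str, k: int = 7, y: float = 1750.0, mu: float = 25.0) -> str:
    """Constructed outcomes of one feedback transmission at instant k."""
    sent = send_feedback(k, y, 0.0 if case == "secure" else mu)
    if case == "covert_agent":      # E(y - mu) arrives in place of E(y)
        sent = sent._replace(w=E(k, encode(y - mu)))
    elif case == "tampered":        # one bit of Y^w altered in transit
        sent = sent._replace(w=sent.w[:-1] + bytes([sent.w[-1] ^ 0x01]))
    elif case == "replay":          # the record of instant k arrives after k was accepted
        return check_feedback(sent, last_k=k)
    return check_feedback(sent, last_k=k - 1)
```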

4. Examples

An example of DC motor motion control is presented here to demonstrate the features of uncertainty caused by cyber-attacks. The DC motor has a large speed range, which determines its extensive applications. Together with speed loop and current loop control, the stable and reliable operation of the dynamic motion control system can be realized. The system block diagram is given in Fig. 6.

Fig. 6. Conventional structure of DC motor control system.

The DC motor motion control system has been applied for many years; the DC motor is generally formulated as
$$\begin{cases} u_a = R_a i_a + L_a \dfrac{di_a}{dt} + K_m \phi \omega \\[4pt] u_f = R_f i_f + \dfrac{d\phi}{dt} \\[4pt] T_e = K_m \phi i_a \\[4pt] T_e = J \dfrac{d\omega}{dt} + B_m \omega + T_L \end{cases} \qquad (44)$$
where $\phi$ is the pole flux, $u_f$ is the field voltage, $T_e$ is the electric torque, and $T_L$ is the mechanical load torque. Since $\phi$ has a hysteretic nonlinearity, in the practical case it is usually simplified to the linear form $\phi = L_f i_f$.
From Eq. (44), we can derive
$$\begin{bmatrix} \dfrac{di_a}{dt} \\[4pt] \dfrac{di_f}{dt} \\[4pt] \dfrac{d\omega}{dt} \end{bmatrix} = \begin{bmatrix} -\dfrac{R_a}{L_a} i_a - K_m i_f \omega \\[4pt] -\dfrac{R_f i_f}{L_f} \\[4pt] \dfrac{1}{J}\left(-B\omega + K_m i_a i_f - T_L\right) \end{bmatrix} + \begin{bmatrix} \dfrac{1}{L_a} \\ 0 \\ 0 \end{bmatrix} u_a \qquad (45)$$
Similar to [38], we define the system states in the stacked vector $x(t) = [i_a^T(t)\ \ \omega^T(t)\ \ x_3^T(t)]^T$, $u(t) = U_a(t)$, $x_3(t) = \int (\omega - \omega_{ref})\,dt$.
Based on the above definitions, the DC dynamic model is given as
$$\dot{x}(t) = (A + \Delta A)x(t) + B\left(u(t) + \Delta u(t)\right) + \tilde{\omega}(t) \qquad (46)$$
where
$$A = \begin{bmatrix} -\dfrac{R_a}{L_a} & -\dfrac{K_m u_f}{L_a R_f} & 0 \\[4pt] \dfrac{K_m u_f}{J R_f} & -\dfrac{B}{J} & 0 \\[4pt] 0 & -1 & 0 \end{bmatrix},\quad B = \begin{bmatrix} \dfrac{1}{L_a} \\ 0 \\ 0 \end{bmatrix},\quad \tilde{\omega}(t) = \begin{bmatrix} 0 \\ 0 \\ \omega_{ref} \end{bmatrix},\quad \Delta u(t) = \Delta U_a(t).$$
The inherent relationships between the uncertainties and the normal parameters are $R_a = R_{a,normal} + \Delta R_a$, $R_f = R_{f,normal} + \Delta R_f$, and $T_L = T_{L,normal} + \Delta T_L$. In addition, the control signal is given as $u_a(t) = u_{a,normal}(t) + \Delta u_a(t)$, which is unlike the case in many previous examples. However, with the increasing research focusing on CPS security in recent years, more and more researchers have begun to care about the function of this part.
In the DC motor dynamic system, the uncertain parts are often caused by the armature and field resistances, as well as the load torque. Consequently, $\Delta R_a$, $\Delta R_f$ and $\Delta T_L$ are used to indicate the deviation of the corresponding parameters, respectively. Recent studies indicate that the uncertainty $\Delta u_a(t)$ is generally caused by cyber-attacks.

Fig. 7. The comparisons of normal speed and attacked speed.

Fig. 8. The comparisons of normal current and attacked current.

Based on the above description, we have
$$A = \begin{bmatrix} -\dfrac{R_{a,normal}}{L_a} & -\dfrac{K_m U_f}{L_a R_{f,normal}} & 0 \\[4pt] \dfrac{K_m U_f}{J R_{f,normal}} & -\dfrac{B}{J} & 0 \\[4pt] 0 & -1 & 0 \end{bmatrix},\quad \Delta A = \begin{bmatrix} -\dfrac{\Delta R_a}{L_a} & -\dfrac{K_m U_f}{L_a R_f} & 0 \\[4pt] \dfrac{K_m U_f}{J \Delta R_f} & 0 & 0 \\[4pt] 0 & 0 & 0 \end{bmatrix} = \begin{bmatrix} \Delta A_{11} & \Delta A_{12} & 0 \\ \Delta A_{21} & 0 & 0 \\ 0 & 0 & 0 \end{bmatrix}.$$

In this paper, a static state feedback controller is designed as

$$u(t) = -Kx(t) = -[k_1 \ \ k_2 \ \ k_3]\,x(t) \qquad (47)$$

The parameter values of the DC motor are chosen the same as in [21,38], with the controller $K = [0.37265 \ \ 1.1029 \ \ -8.0814]$; then we get the rated speed as 1750 r/min.
During the simulation intervals, the cyber-attack is assumed to be a tampering attack: an additional torque is added to the original torque at $t = 5$ s. Then we can get the contrast results of the DC motor speeds, currents and torques of the normal and attacked cases.

Fig. 9. The comparisons of normal torque and attacked torque.

Synthesizing Figs. 7–9, we can find that during the attack interval, the attacked speed, current and torque seem to be normal and the uncertainty errors are within the steady-state error; thus, the uncertainties are difficult to detect. However, it is gratifying to find a significant phenomenon: the attack action has affected the DC motor parameters dramatically within the intervals where the attack is absent. Furthermore, the parameters do not change in one direction. These features will play an important role in attack detection.

5. Conclusion

In this paper, the processes of cyber-attacks (DoS, information disclosure, replay attack and stealthy attack) have been analyzed from the perspective of uncertainties under the closed-loop NCS framework. Based on this framework, unified system models with parameter uncertainties are summarized. Then, utilizing the IT methodology, system security requirements have been derived for cyber-attack detection and identification. Through these validation conditions, we can determine when and where the attack occurred.

Acknowledgements

This work was funded by 61833008, 61533010, 61833011. The authors would like to thank the associate editor and reviewers for their valuable comments.

References

[1] President’s Council of Advisors on Science and Technology, Leadership Under Challenge: Information Technology R&D in a Competitive World [Online], Aug. 2007. Available at http://www.nitrd.gov/Pcast/reports/PCAST-NIT-FINAL.pdf.
[2] R. Rajkumar, I. Lee, L. Sha, et al., Cyber-physical systems: the next computing revolution, in: Proceedings of
the Design Automation Conference, ACM, 2010, pp. 731–736.
[3] R. Baheti, H. Gill, Cyber-physical systems, Impact Control Technol. 12 (2011) 161–166.
[4] A.A. Cárdenas, S. Amin, B. Sinopoli, A. Perrig, S. Sastry, Challenges for securing cyber physical systems, in:
Proceedings of the First Workshop on Cyber-physical Systems Security, 2006, pp. 363–369.
[5] D.C. Neuman, Challenges in security for cyber-physical systems, in: DHS Workshop on Future Directions
Cyber-Physical Systems Security, 2009.


[6] D.M.S. Zekrifa, A. Ghorbani, Ameliorate competitive learning neural networks for system intrusion detection, 2013.
[7] A. Cárdenas, S. Amin, Sastry, secure control: towards survivable cyber-physical systems, in: Proceedings of the
Twenty-eighth International Conference on Distributed Computing Systems Workshops, 2008.
[8] D. Yue, Q.-L. Han, J. Lam, Network-based robust h ∞ control of systems with uncertainty, Automatica 41 (6)
(2005) 999–1007.
[9] M. Y-L, K.T. H-J, K. Brancik, D. Dickinson, H. Lee, A. Perrig, B. Sinopoli, Cyber-physical security of a smart
grid infrastructure, Proc. IEEE 100 (1) (2012) 195–209.
[10] H. Zhang, W.X. Zheng, Denial-of-service power dispatch against linear quadratic control via a fading channel,
IEEE Trans. Autom. Control 99 (2018) 1.
[11] H. Sandberg, S. Amin, K. Johansson, Cyber-physical security in networked control systems: an introduction to
the issue, IEEE Control Syst. 35 (1) (2015) 20–23.
[12] J.P. How, Cyberphysical security in networked control systems [about this issue], IEEE Control Systems 35 (1)
(2015) 8–12.
[13] H.A. Abbass, E. Petraki, K. Merrick, et al., Trusted autonomy and cognitive cyber symbiosis: Open challenges[J],
Cognitive Computation 8 (3) (2016) 385–408.
[14] H. Ge, D. Yue, X.P. Xie, S. Deng, S.L. Hu, Analysis of cyber physical systems security issue via uncertainty
approaches, in: M. Fei, S. Ma, X. Li, X. Sun, L. Jia, Z. Su (Eds.), Advanced Computational Methods in Life
System Modeling and Simulation. LSMS 2017, ICSEE 2017. Communications in Computer and Information
Science, 761, Springer, Singapore, 2017.
[15] Q. Zhu, T. Basar, Game-theoretic methods for robustness, security, and resilience of cyberphysical control
systems: games-in-games principle for optimal cross-layer resilient control systems, IEEE Control Syst. 35 (1)
(2015) 46–65.
[16] G. Luria, A. Kahana, S. Rosenblum, Detection of deception via handwriting behaviors using a computerized
tool: toward an evaluation of malingering, Cognit. Comput. 6 (4) (2014) 849–855.
[17] D. Yue, E. Tian, Q.L. Han, A delay system method for designing event-triggered controllers of networked
control systems, IEEE Trans. Autom. Control 58 (2) (2013) 475–481.
[18] A. Householder, A. Manion, L. Pesante, G. Weaver, 2001 Tech Tip: Managing the Threat of Denial-of-Service
Attacks [J], 33, Cert Coordination Center, 2001, pp. 99–110.
[19] H. Zhang, Y. Qi, J. Wu, et al., Dos attack energy management against remote state estimation, IEEE Trans.
Control Netw. Syst. 5 (1) (2018) 383–394.
[20] D.M.S. Zekrifa, Hybrid Intrusion Detection System, Dissertation, 2014.

[21] R. Smith, Covert misappropriation of networked control systems: presenting a feedback structure, IEEE Control
Syst. 35 (1) (2015) 82–92.
[22] F. Pasqualetti, F. Dorfler, F. Bullo, Attack detection and identification in cyber-physical systems, IEEE Trans.
Autom. Control 58 (11) (2013) 2715–2729.
[23] E.D. Knapp, Industrial network security: Securing critical infrastructure networks for smart grid, in: Proceedings
of the SCADA, and Other Industrial Control Systems, Syngress, 2011.
[24] K. Zhou, J.C. Doyle, K. Glover, Robust and Optimal Control, Prentice Hall Information and System Sciences
Series; Prentice Hall: Control Engineering Practice, 4(8), 1996, pp. 1189–1190. Upper Saddle River, NJ, USA.
[25] S. Ding, Model-Based Fault Diagnosis Techniques: Design Schemes, Algorithms, and Tools, Springer Science
& Business Media, 2008.
[26] I. Hwang, S. Kim, Y. Kim, C.E. Seah, A survey of fault detection, isolation, and reconfiguration methods, IEEE
Trans. Control Syst. Technol. 18 (3) (2010) 636–653.
[27] S. Simani, R. Patton, C. Fantuzzi, Model-Based Fault Diagnosis in Dynamic Systems Using Identification
Techniques, Springer, London, 2003.
[28] F. Pasqualetti, F. Dörfler, F. Bullo, Attack detection and identification in cyber-physical systems, IEEE Trans.
Autom. Control 58 (11) (2013) 2715–2729.
[29] C.D. Persis, P. Tesi, Input-to-state stabilizing control under denial-of-service, IEEE Trans. Autom. Control 60
(11) (2015) 2930–2944.
[30] H. Zhang, W. Meng, J. Qi, et al., Distributed load sharing under false data injection attack in inverter-based
microgrid, IEEE Trans. Ind. Electron. (99) (2018) 543–1551.
[31] L.H. Xie, Output feedback H∞ control of systems with parameter uncertainty, Int. J. Control 63 (4) (1996)
741–750.

Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with uncertainties for CPS security control, Journal of the Franklin Institute, https://doi.org/10.1016/j.jfranklin.2019.01.006
