Beruflich Dokumente
Kultur Dokumente
Republic of China
Received 26 September 2018; received in revised form 21 November 2018; accepted 6 January 2019
Available online xxx
Abstract
In this paper, the issue of CPS security is investigated. By analyzing the process of multi-sources
cyber-attacks of denial-of-service (DoS), information disclosure, stealthy attack and replay attack, a
unified system model with uncertainties is formulated. Under this system model framework, robust
control theory is applied to design the control scenarios for cyber-attack prevention. Furthermore, a
double closed-loop NCS framework combined with information integration technology is proposed,
necessary conditions for security guarantee are derived. Finally, a DC motor speed moderating example
is given to demonstrate the problem.
© 2019 Published by Elsevier Ltd on behalf of The Franklin Institute.
1. Introduction
https://doi.org/10.1016/j.jfranklin.2019.01.006
0016-0032/© 2019 Published by Elsevier Ltd on behalf of The Franklin Institute.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
2 H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx 3
The increasing complexity of the CPS brings in heterogeneous uncertainties, these uncer-
tainties may mitigate the reliability and security of CPS. Therefore, the uncertainty is generally
taken as an important performance of a system. In this paper, the CPS security issue is inves-
tigated from uncertainty perspective, both the faults and cyber-attacks are taken as different
uncertainties. A uniform structure of model is formulated to describe the CPS. However, in
practice system, it is difficult to eliminate the error between the models and the practical
system, which is so-called model errors. In addition, attack process are often stealthy and
pretended to be seem normal, and the abnormal information is usually unavailable [11,21].
Remark 1. This paper is an extended version of the conference paper [14], based on the basic
method proposed in [14] and [32], the detailed process of modeling work have been done.
Due to the limitation of pages, formulated the cyber-attacks to be uncertainties is proposed
by a simple form in the conference paper. In this paper, the process of how a cyber-attack
(including denial-of-service, information disclosure, stealthy attack and replay attack) evolved
ultimately into the typical NCS models with uncertainty.
The main contribution in this note can be presented as follows: (1) double closed-loop
framework is proposed co-considering the detection of faults and cyber-attacks. (2) the models
of cyber-attacks, including denial-of-service, information disclosure (privacy attack), stealthy
attack and replay attacks, are formulated to be a unified typical NCS model with uncertainties
from control theory perspective. (3) Information technique (IIT) is synthesized together with
control theory, and a novel framework is designed based on typical CPS structure, effective
attack defense scenarios are devised and applied on this framework to detect and identify the
cyber-attacks classifications.
The organization of the remainders are as follows. In Section 2, four kinds typical cyber-
attacks are modeled to be the typical NCS models with uncertainties. And some important
results are derived in Section 3, what follows then is the attack defense scenarios and the
algorithm details. In Section 4, the example of separated DC motor is give to demonstrate
the process of cyber-attack. Finally, some conclusions are drawn for all of this note.
1.2. Notations
Throughout of this paper, presents the uncertainties of the parameter . E(.), D(.) and
hash(.) are adopted to describe the encryption function, decryption function and hash function,
respectively. For example, for any message x, hash(x) is called the Hash Value of x.
Table 1 presented the notations that will be frequently used throughout the remainder of
the paper.
2. Formulation
Table 1
Frequently used notations.
Notations Descriptions
xk the state of plant
μk synthesis attacker vectors
ukc control input
ukc control uncertainties, which is taken as attack
yk output of plant
yk output caused by uncertain inputs
p
Tstamp,k the time-stamp of the package from plant
w
Uc,k the encrypted data of ukc
d
Uc,k w
the detection data by function hash Uc,k
c
Tstamp,k the time-stamp of the package from controller
Ykw the encrypted sensor measurement (attack vector maybe mixed)
Ykw−μ the encrypted sensor measurement without any attack vector
Ykd the detection data by function hash(yk )
Ykd−μ the detection data by function hash (yk − yk )
and υk ∈ Rny are the process and sensor noises at time k, which are assumed to be IID Gaussian
process with ωk ∈ N (0, Q) and υk ∈ N (0, R).
The Eq. (1) also can be presented as
xk+1 = A p (xk + xk ) + B p (uk + uk ) + D1 ωk
(2)
yk = Cp (xk + xk )+D2 υk
As the development of theory and technique, as well as the extensive application of net-
work, the ICS security issues should be reconsidered. In this paper, parameter uncertainties
are considered not only for stabilization analysis, but also the security performance of the
system.
Inspired by Zhou et al. [24], a LTI feedback controller in NCSs is presented as
zk+1 = Ac zk + Bc ȳk
(3)
ukc = Cc zk + Dc y˜k
where zk ∈ Rnz , ukc ∈ Rnx and ȳk ∈ Rny denote controller state, control outputs and the feedback
measurement of the plants, respectively.
Remark 2. The sensor measurement outputs are presented as ȳk = yk + yk with yk to
denote the uncertainties. However, in this paper, excepting uncertainties, yk is also adopted
to describe cyber-attack. Particularly, if the cyber-attack is absent with no system perturbation
from theoretical perspective, yk = 0, then ȳk = yk .
In Eq. (3), y˜k ∈ Rny is the reference information including feedback and regulation pa-
rameters. The relationship between them can be given as y˜k = yk + yre f ,k , with yref,k as a
part of control input to adjust the controller output to against perturbations, faults and even
cyber-attacks.
CPS is the system upgraded from networked control systems (NCSs), which are combining
the distributed plants and sensors and local controllers via the networked communication
channels. Among the critical elements within CPS, there is a public network connecting the
local controller and remote plants, sensors to be a unified framework, as showing in Fig. 1.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx 5
This framework has advantage for distributed control, especially for remote distributed
control.
Motivated by the methods in [25,26], an observer-based residual detection structure is given
as
sk+1 = Ae sk + Be uc,k + Ee y˜k
(4)
rk = Ce sk + De uc,k + Fe y˜k
where sk ∈ Rns is the state of anomaly detector and rk ∈ Rnr is the residue between estimator
and virtual exists.
Remark 3. According to Eq. (4), the inputs of the detector are the control signal uk,c and the
feedback signals y˜k from sensor side. If the stealthy attack achieved, the residue rk will equal
to zero or limited within a certain range. This is the strong power of the stealthy attack. For
this kind of attack, information integration technology with hash function and data encryption
are applied.
T T
Define the argument vectors as ηk = [xkT zk T sk T ] , ξk = [ωkT υkT ] , μk =
T
T
[uat t ,k yat
T
t ,k ] , and Rk represents the residual error of the detector.
ηk+1 = Āηk + B̄ μk + Ē ξk + H fk + G1 yre f ,k
(5)
Rk = C¯ηk + D̄μk + F̄ ξk + G2 yre f ,k
A p +B p Dc C p B pCc 0 Bp B p Dc Dω B p Dc Dν F
where Ā = Bc C p Ac 0 , B̄ = 0 Bc , Ē = 0 0 , H= 0 ,
Be Dc C p +Ee C p BeCc Ae 0 Be Dc +Ee 0 Be Dc Dν +Ee Dν 0
T
B p Dc De DcC p +FeC p
G1 = 0 , C¯ = DeCc , D̄ = 0 De Dc +Fe , F̄ = 0 De Dc Dν +Fe Dν , G2 = De Dc .
Be Dc Ce
The reference input yref (k) is used to adjust the outputs of the controller, which can ulti-
mately eliminate the fault or attack effectively.
Remark 4. In Eq. (5), yref,k is adopted to moderate the controller for desirable output, which
is used to fight against the perturbations ωk , ν k and attacks uatt,k , yatt,k . For simplicity,
yre f ,k = J xkc is used to evolve the model of Eq. (3). And Dω = Inx , Dν = Iny are defined to
for simple as well.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
6 H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx
Remark 5. In this part, the detailed model (5) is difficult for theoretical analysis. Thus, a step
to simplify the model is needed. Motivated by Simani et al. [27], the fault fk in the model
are taken as the combination of actuator fault fa,k , plant fault fp,k and sensor fault fs,k .
Furthermore, uncertainty is another major element considered to analyze the fault fa,k caused
by uk . Thus, uf,k is taken as a part of the control signal, which is often used to denote the
controller-actuator channel attack and actuator faults in a suitable sense.
Assumption 1. We assume u f ,k = Kx f ,k for simple, then we can easily find uf,k is
related with uf,k from state feedback or output feedback control law. In order to handle this
issue for simple, we assume u f ,k = Ku f ,k holds. From state feedback or output feedback
control law, we can easily get that uf,k is related with uf,k .
T T
μ˜ k = [ukT ykT ] = [uat t ,k + uk f ,k yat t ,k + yk f ,k ]
T T T T
Consequently, the system model with faults and cyber-attack has evolved as the models
with uncertainty parts.
ηk+1 = Āz ηk + B̄z μ˜ k + Ē ξk
(7)
Rk = C¯z ηk + D̄z μ˜ k + F̄ ξk
A p +B p Dc C p B pCc +B p Dc J 0 B p +M B p Dc Inx B p Dc
where Āz = Bc C p Ac 0 , B̄z = 0 Bc , Ē = 0 0 , C¯ =
Be DcC+EeC BeCc +Be Dc J Ae 0 Be Dc +Ee 0 Be Dc +Ee
De DcC+FeC DeCc +De Dc J Ce , D̄ = 0 De Dc +Fe ,
Remark 6. The matrix F changes according to the function fk . Since uf,k , xf,k and yf,k
are related with Ap , Bp and Cp , respectively. Therefore, the matrix F can be replaced by
[B p A p Cp ].
Remark 7. From the operation process of NCS, we got that that xf,k is a part of xp,k , thus,
Ap xf,k is an inevitable part of xp,k . In the view of state feedback control law uk = Kx p,k ,
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx 7
¯¯ ηz k +
ηk+1 = A ¯
¯B z k
¯ + ¯ (8)
Rk = ¯Cη z k
¯D z k
T
where k = [μ˜ Tk ξkT ] , denoting all coupled perturbations, and Rk represents the residue
of the synthesis system. Particularly, Jth ≤ R is chosen to be the threshold for detection
of the external faults and threats, see our previous [44].
From the analysis, we find that all of the effects caused by cyber-attack within the whole
closed-loop system can be directly or indirectly reflected on the state of the system. Synthe-
sizing the stacking vectors, we can summarize the system model as
ηk +1 =
Ac + A ηk + E c ξk
(9)
R k = C c + C ηk + F c ξk
Q·A 0 0
where A = SAk 0 0 , C = N Ak 0 0 , Q = (BK + BDcC )A−1 , S = BcC A−1 ,
MAk 0 0
M = (Be Dc + Ee )C A and N = (De Dc + Fe )C A−1 .
−1
Based on above formulation works, several cyber-attacks also can be formulated to be the
typical form with uncertainties.
Consequently, the information transmitted via the forward and feedback channels with
considering the information disclosure strategy can formulated as
ᾱ 0 uk
Seq,k = 1,k , k ∈ [0, ∞ )
0 ᾱ2,k yk
ᾱ1,k and ᾱ2,k are the parameters that stand the probability of successful information disclosure
attack.
Substituting ᾱ1,k uk and ᾱ2,k yk into the plant and controller equations, we will obtain the
ultimate form of the model for information disclosure.
xk+1 = Axk + ᾱ1,k Buk
(10)
ᾱ2,k yk = Cxk
Considering together with the aforementioned definitions, we have
xk+1 = Axk + Buk − α1,k Buk
(11)
yk = Cxk + α2,k yk
Then, we define −α1,k uk = uk and α2,k yk = yk = Cxk , such that, we have
xk+1 = Axk + B (uk + uk )
(12)
yk = Cxk + yk = C (xk + xk )
Denial-of-service (DoS) is the attack caused to stop legitimate users from accessing a
specific network resource, and the first work about this issue begins from 1980s. Then the
distributed denial-of-service (DDoS) attack incident is first time reported [41]. Because CPS
is full of distributed information interaction (see [29] and the reference therein), it is very
important to prevent and effectively defend DDoS attack.
Similarly to the process of information disclosure, which is also called privacy attack, all
the sequence of the signals grabbed by the attacker are described as
T
u,k I nu 0 uk
S(k) = (13)
0
y,k I ny yk
k=0
where {
u,k ,
y,k } ∈ {0, 1} are used to denote the DoS attack results. “1” indicates successful
DoS attack, and “0” indicates the inverse case. Inu and Iny are identity matrix with appropriate
dimensions according to uk and yk , respectively.
The above is the simplest case, and in most cases, a random DoS attack is a normal situ-
ation. Therefore, we define α = diag{αi , α j } and β = diag{βi , β j }, where i ∈ {1, 2, . . . , nu },
j ∈ {1, 2, . . . , ny }. α and β are adopted to represent the probability of successful transmission
via forward and feedback communication channels, respectively.
Consequently, we have the consequence
αi
u,k In 0
uk
Sca,k = Sca,k−1 ) u
0 βi
y,k I nu yk
and
α j
u,k In 0
uk
Ssc,k = Ssc,k−1 u
0 β j
y,k I ny yk
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx 9
According to DoS attack, we sure that the condition δ̄1 ∈ {0, 1}, and δ̄2 ∈ {0, 1} is satis-
fied, furthermore, δ̄1 = 1 and δ̄2 = 1 indicate the successful DoS action within feedback and
forward channels, respectively. Otherwise, δ̄1 = 1 and δ̄2 = 1 stand the failure of DoS attack.
These are limited to Bernoulli distributed case.
Furthermore, an uncertainty approach can be adopted to describe the features of DoS
attack under the condition that Axk = −δ̄1 Axk , Buk = −δ̄2 uk and yk = −δ̄1Cxk . Then,
Eq. (17) reduced to the form of Eq. (2).
Based on above analysis, a definition can be summarized as follow.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
10 H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx
Remark 8. On the one hand, for security case, uat t ,k = 0, yat t ,k = 0 and thus u˜kc =
ukc , y pc,k = yk . Consequently, the system (21) and (22) reduce to NCS (1) and (2). On the
other hand, the system is lost of security, it means μk = 0, yatt,k = 0 and u˜kc = ukc , y pc,k = yk .
Combining (19) and (20), the closed-loop response of the system in nominal case is
yk = Cp K−1Cc zk + Cp K−1 yre f ,k + D2 υk (22)
−1
where = I − Cp K−1 Dc .
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx 11
In the presence of stealth attack or covert agent, the control signal ukc is changed into
u˜kc
= ukc + uat t ,k , and the feedback signal of sensor-to-controller is yk + yat t ,k .
Since the attacker has been learning and imitating the original system, the model of attacker
can be formulated similarly to the original system
yat t ,k = μ uat t ,k
(23)
uat t ,k = μ yat t ,k + re f yre f ,k
where μ , u and ref are the matrices that need to be determined and adjust according to
the learning errors. This feedback loop is driven by the yref,k input giving
−1
uat t ,k = I − μ μ re f yre f ,k
−1 (24)
yat t ,k = μ I − μ μ re f yre f ,k
According to Eqs. (22) and (23), the case μ = Cp K−1 + D2 υk (ukc )−1 is ideal, which
indicates the error between virtual system and covert agent is zero and the original system is
well learned and mastered by the attacker.
Synthesis the effects under cyber-attacks within both forward and feedback channels, the
integrated output of the plant is as follows:
xk+1 = A p xk + B pu˜kc + ωk
= A p xk + B p Cc zk + Dc yk + y pc,k + yre f ,k
c
= A p x (k ) + B p uk + Dc y pc,k + Dc yre f ,k + uca,k (25)
Remark 9. In Eq. (24), uca,k and Dc ypc,k are the attack information injected in control
channel (forward) and feedback channel, if the cyber-attack is a stealth attack, such as “the
man-in-the-middle” attack. In order to hide the attack action, the attacker aims to satisfy
the condition uca,k = −Dc y pc,k , which is equal to the condition Pu = u in [21]. For
any case uca,k , Dc ypc,k and uca,k = −Dc y pc,k , yref,k is aiming to defense the attack by
Dc y pc,k + Dc yre f ,k + uca,k = 0.
According to above remark, we have
xk+1 = A p xk + B p Ukc + Uk (26)
where Uk = Dc y pc,k + uca,k is the attack during the channels, and Ukc = ukc + yre f ,k is
the security control scenario.
As referred in the Iran nuclear program, the Stuxnet virus, which is a typical replay attack
[42]. It is a kind of cyber threatens which hidden in the system to record the normal data of
the plant and the sensors measurement outputs for several weeks or months, or even years,
then selected a proper time to replay this data while they play their own attack actions,
which will protect this attack action is not detected and found, such as the process present in
[21,34] and the related references.
In the domain of information security, the conventional solution is to “challenge response”,
time stamp, serial number and other methods. In the field of control theory, the χ 2 distribu-
tion, physical watermark detection method to detect replay attacks, has gradually become the
mainstream method, see [34–37] and the reference therein.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
12 H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx
Fig. 4. The process of replay attack scenario (2) (For interpretation of the references to color in this figure, the
reader is referred to the web version of this article).
In order to reduce the error between the data replay attacks start position and adjacent
points, and to reduce the probability of recognition and detection, the attacker will usually
select hk + s as replay attack starting point, yields to xhk +s = xhk , or yhk +s = yhk to attack the
controller-to-plant forward loop or sensor-to-controller feedback loop. This is a hidden attack
strong, from the starting point in Fig. 4 red attack can be seen. Comparing the two schemes
of the replay attack, the latter is more hidden.
We define ak = |xhak+ j +s j +i − xhk+ j +s j +i+1 | to denote the interval between two secure states,
and the attacker takes action according to Tj = xhk+ j +s j +i+1 − xhk+ j +s j +i , j ∈ {1, 2, . . . , N }.
Selecting k = hk+ j + s j + i where k ∈ [hk+ j + s j , hk+ j+1 + s j+1 ), then we have uka = uk− jT ,
the according feedback state is xka = xk− jT , such that the system model is formulated as
xk+1 = A p xk + Buk− jT + ωk
(28)
yk = C p xk + vk
where xk ∈ Rn is the system state, uk− jT is the control input under replay attack, ωk and vk
are the system disturbances, and yk ∈ Rn is the sensor measurements.
Based on previous analysis, the system model can be further evolved as
xk+1 = A p xk + B (ūk + uk ) + ωk
(29)
yk = C p xk + vk
Remark 10. Since the control uk is masked by the replay attack signal, thus, ūk is obtained
indirectly from the historical healthy data. If the cyber-attacks are absence, the condition
uk = ūk holds.
where uk = K xk is the attack in forward channel, and yk =Cp xk is the attack in feedback
channel. Similar to ūk , x̄k is obtained indirectly from historical data record.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
14 H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx
Based on above modeling of multi-sources cyber-attacks, some results are derived with
control theory.
Theorem 1. For given system (9), if there exist scalars κ, λ < 1 and ε2 > ε1 > 0, such that
the system solution is satisfied with the zero input state
ηk < κλ(k−k0 ) ηk0 (31)
Then, the system (9) issaid to be exponential stable(ES) with zero input. The decay rate is
κ, and the scalar κ = εε21 .
System (9) is asymptotically stable (AS) with an H∞ disturbance level γ > 0, if there exist
symmetric matrix P > 0, and positive matrices J , M satisfying
⎡ ⎤
−P ∗ ∗ ∗
⎢ 0 −γ 2 I ∗ ∗ ⎥
⎢ ⎥
⎢ ⎥<0 (32)
⎣P A z PBz −P ∗ ⎦
PC z PDz 0 −P
where
A+B Dc C BCc +BDc J 0
Az = Bc C Ac 0 ,
Be DcC+EeC BeCc +Be Dc J Ae
B+M B Dc Inx B Dc
Bz = 0 Bc 0 0 ,
0 Be Dc +Ee 0 Be Dc +Ee
C z = De DcC + FeC DeCc + De Dc J Ce and
Dz = 0 De Dc + Fe 0 De Dc Iν + Fe Iν .
Proof. Define a Lyapunov function as
V (ηk , k ) = ηkT Pηk
where P = PT > 0. To calculate the difference of V(ηk , k) tracing along with system (9) as
V = V (ηk+1 , k + 1 ) − V (ηk , k )
According to the stabilization definitions [43], we can determine that there exists P =
T
P > 0, let Az PAz − P < 0 holds, which indicates V(ηk , k) < 0, and V (ηk+1 , k + 1 ) <
T
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx 15
furthermore,
!
ε2 (k−k0 )
ηk
ηk < λ
ε1 0
system (9) is exponential stable when (k ) = 0, and the decay rate is λ, with scalar κ= εε21 .
If ϖk = 0, calculating the difference along with (9), in light of the system performances,
we can obtain
∞
"
V (ηk , k ) + RTk Rk − γ 2 kT k
k=0
⎧ ⎡ ⎤ ⎫
"∞ ⎨
T T T T
⎬
ηk ⎣Az PAz − P + C z PC z Az PB z ⎦ ηk
= (33)
⎩ k T
B z P Az −γ I + B z PB z + Dz PDz k ⎭
2
T T
k=0
For all ϖk = 0, k ∈ l2 = [0, ∞ ), with zero initial condition, there exist V (η0 , 0 ) = 0 and
V(η∞ , ∞) ≥ 0, such that
∞
" T
Rk Rk − γ 2 kT k < 0 (36)
k=0
∞ T
holds, equivalent to c k=0 RTk Rk < γ 2 ∞
k=0 k k < 0.
According to [8,31] and its related references, uncertainty caused by attack components
can be described as
uca,k uk f ,k Eua Eu f
= H Fk
ysc,k yk f ,k Eya Ey f
where H is known real constant matrix, and F(k) is the unknown matrix with Lebesgue
measurable elements Fk FkT ≤ I . In general, the uncertainties uk f and yk f can not separate
from uc−a,k and ys−c,k even if Assumption 2 holds. Hence, the form of [uk yk ] =
H Fk [Eua Eub ] is logical for selection.
Theorem 2. For given matrix H and symmetrical matrix P = PT > 0 in system (9) with the
Assumption 2, the system (9) is asymptotically stable (AS) if there exist matrices Q, S, M, Ea
and parameters γ > 0, ε > 0, satisfying the follow linear matrix inequality
⎡ ⎤
−P ∗ ∗ ∗ ∗
⎢ 0 −γ 2 I ∗ ∗ ∗ ⎥
⎢ ⎥
⎢ P Ac PE c −P + 1 ∗ ∗ ⎥
⎢ ⎥<0 (37)
⎣ PC c PF c 0 −P + 1 ∗ ⎦
ϒ1 0 0 0 −εI
ε P11 QH H T QT P11
T
0 0
where 1 = 0 ε P12 S H H T S T P12
T
0 , 2 = ε P11 N H H T N T P11
T
,
0 0 ε P13 MH H T MT P13
T
ϒ1 = Ea 0 0 . The matrix block Ac , C c , E c and F c have been defined already in
aforementioned parts.
Proof. Similar to the proof of Theorem 1, choosing the Lyapunov function V (ηk , k ) = ηkT Pηk ,
tracking along with the system (9), calculating the difference
V (ηk , k ) = ηk+1
T
Pηk+1 − ηkT Pηk
If ξ k ≡ 0, we have
V (ηk , k ) = ηk+1
T
Pηk+1 − ηkT Pηk
)
T
*
= ηkT Ac + A P Ac + A − P ηk
<0 (38)
equals to (Ac + A )T P (Ac + A ) − P < 0, such that system (9) is exponential stable (ES)
under the attack.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx 17
where
T
T
T
Ac + A P Ac + A − P + C c + C P C c + C Ac + A PE c
= T
T T T
E c P Ac + A −γ 2 I + E c PE c + F c PF c
If we want to guarantee the stability of the system (1), the follow condition should be satisfied
T
T
T
Ac + A P Ac + A − P + C c + C P C c + C Ac + A PE c
T
T T T <0
E c P Ac + A −γ 2 I + E c PE c + F c PF c
(39)
Utilizing the Schur complement
⎡ ⎤
−P ∗ ∗ ∗
⎢ −γ 2 I ∗ ∗ ⎥
⎢
0 ⎥<0 (40)
⎣P Ac + A PE c −P ∗ ⎦
P Cc + C PF c 0 −P
By decomposing calculation, we can obtain
⎡ ⎤ ⎡ ⎤
−P ∗ ∗ ∗ 0 ∗ ∗ ∗
⎢ 0 −γ 2
I ∗ ∗ ⎥ ⎢ 0 0 ∗ ∗⎥
⎢ ⎥+⎢ ⎥<0 (41)
⎣P A c PE c −P ∗ ⎦ ⎣P A 0 0 ∗⎦
PC c PF c 0 −P PC 0 0 0
T
QAk 0 0 N HFk Ea
where A = SAk 0 0 , C = 0 , S = BcC A−1 , Q = (BK + BDcC )A−1 , M =
MAk 0 0 0
−1
(Be Dc + Ee )C A and N = (De Dc + Fe )C A−1 .
For any cases, the matrix P can be decomposed into blocks of matrices of appropriate
dimensions P = Pi j , i, j ∈ {1, 2,3}, according toA and C . In light of the definition
P11 QHFk Ea 0 0
Ak = H Fk Ea , we have PA = P12 SHFk Ea 0 0 , PC = P11 N H Fk Ea .
P13 MHFk Ea 0 0
Substitute above results into Eq. (41), applying the Lemmas in [31], then we can get
⎡ ⎤
−P ∗ ∗ ∗ ∗
⎢ 0 −γ 2 I ∗ ∗ ∗ ⎥
⎢ ⎥
⎢P A c E −P + ∗ ∗ ⎥
⎢ P c 1 ⎥<0
⎣ PC c PF c 0 −P + 1 ∗ ⎦
ϒ1 0 0 0 −εI
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
18 H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx
ε P11 QH H T QT P11
T
0 0
where 1 = 0 ε P12 S H H T S T P12
T
0 , 2 = ε P11 N H H T N T P11
T
and
0 0 ε P13 MH H T MT P13
T
ϒ1 = Ea 0 0.
For system (9), an predetermine threshold is adopted to detect the additions caused by
cyber-attacks, which is usually formed as
Jr (k) > Jth (k) ⇒ alarm
(42)
Jr (k) ≤ Jth (k) ⇒ no alarm
where Jr (k) is the real-time output errors, Jth (k) is the predetermine threshold.
Remark
11. From the stabilization definition in [43], we can derive Rk 2 ≤ γ 2 k 2 =
γ μk + ξk 2 , furthermore, Rk 2 ≤ δμ2 + δξ2 with δμ2 = γ 2 μk 2 and δξ2 = γ 2 ξk 2 rep-
2 2
resenting the effects of disturbance and cyber-attacks. If the system (9) is secure, we have
Rk 2 ≤ δξ2 , thus δμ2 = γ 2 μk 2 = 0. In this case, the research issue degenerates to be the
classical robust control problem for dynamic disturbance. Therefore, the key point of security
control turns to be focusing on the identification of perturbation and cyber-attack.
On another hand, the best way to defend a network against an attacker is to think like an
attack. In this part, we assume the attacker can learn and imitate the original system very
well by the steps of reconnaissance, scan, enumerate, penetrate and infect. Based on these
techniques, the attacker will known the system very well, an attack scenario is susceptible to
play, such as information disclosure, DoS attack, stealthy attack and replay attack [23].
The objection of IT security is to protect the integrity of data within the communication
channel rather than the physical resource of the system. This is the biggest difference between
CPS security issues and conventional IT security focuses.
w
where Uc,k = E (uc,k ) and Uc,k
d
= hash(Uc,k
w
) stand for encrypted control signal and detection
signal. Because the hash function is one-way, such that a private shared algorithm for hush
function is insensitively security to ensure the transmitted data to be unique and safe.
According to aforementioned work, several meaning results will be obtained.
(i) D(T˜stamp,k
c
) − D(Tstamp,k
c
) > 0;
˜ w ˜
(ii) ca = hash(Uc,k ) − Uc,k = Uc,k
d d
=0;
Proof. If condition (i) and (ii) are satisfied, it can deduce that the information with Seq c
(k)
˜
and Seq (k) are identical, which indicates the transmitted data via forward channel is secure
c
(1)–(3) is said to be security without any information disclosure and tamper, if the following
conditions are satisfied.
(i) D(T˜stamp,k
p p
) − D(Tstamp,k ) > 0;
(ii) sc = hash(Yk ) − Yk = Y˜kd − Ykd = 0;
˜ w ˜ d
The proof of Theorem 2 can be got referring to the proof of Theorem 1, since the proof
are almost alike.
Remark 12. Using the judgement conditions in Theorem 1, the attack vector μk can be de-
tected. Then the attack vector will be extracted from the mixed signals as a part of uncertainty
ukc = μk . According to ukc and ukc + ukc , the post-plant unit obtains the sensor’s output yk
and yk . Aiming to find the covert agent, ykw−μ = yk − yk is defined for detecting. By adopting
the hash function, the detection vector Ykd−μ and Ykd are derived.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
20 H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx
Theorems 1 and 2, we can conclude that the feedback channel within system composed by
(1)–(4) is security with no hidden agent, if the following equations hold
p
(i) D(Tstamp,k ) − D(T˜stamp,k
p
) ≤ 0;
˜ ˜
(ii) sc = hash(Yk ) − Yk = Ykd = 0;
w d
˜ sc = hash(Y˜ w ) − Y˜ d−μ = 0;
(iii) k k
p
Furthermore, given transmitted data
p (k) = {Tstamp,k , Ykw−μ , Ykd−μ , Ykd } from sensors and
received data
¯ p (k) = {T̄stamp,k
p
, Ȳkw−μ , Ȳkd−μ , Ȳkd } of controller, it can be said that there exists
a covert agent among forward and feedback channels, if the following equations hold
p p
(I) D(Tstamp,k ) − D(T̄stamp,k ) ≤ 0;
(II) sc = hash(Ȳpw−μ (k)) − Ȳkd−μ = 0;
¯ sc = hash(Ȳ w−μ ) − Ȳ d = 0;
(III) k k
Proof. If the sensor-to-controller channel within the system is security, the condition (i)
D˜ (Tstamp,k
p p
) ≥ D(Tstamp,k ) can be derived directly. Since the condition (i) is not the sufficient
condition for the judgement. Meanwhile, the behavior of information disclosure and tamper
are not happened, such that
k =
˜ k holds. This is also the case of Theorem 2. In addition,
referring to the definition of parts within
k and
˜ k , before data transmission, hash(Ykw ) = Ykd
and hash(E (yk − μk ) ) = Ykd−μ are determined. Hence, the above definitions are used to judge
the security of the system and wether a covert agent is existed.
Otherwise, if the there exists an undetectable covert agent (CA) attacker, but the in-
jected uncertainties of control input is detected and separated based on the approach
within Theorem 1. From the package schedule, we know hash(D(yk )) = hash(Ykw ) = Ykd and
hash(D(yk − yk )) = Ykd−μ . Since the CA attacker have full knowledge of the plant, together
with the ability of listening the communication channels between sensor and controller, thus
it can remove the affects they have put on. According to the parts of the controller side
received sequence
¯ k , the conditions (I) (II) and (III) together tell us the existing of the CA
attacker.
Remark 13. First of all, science the hash function has the feature of one-way, the attack can
not obtain the original message from hash values. Secondly, if the hash function is determined,
the hash value will be same for the same information. The last but not the least, the industrial
system is always function periodic, and the sampled data follow certain operating rules, which
ensure the historical database is healthy and trustable.
4. Examples
The DC motor motion control system has been applied for many years, the DC motor is
generally formulated
⎧
⎪ dia
⎪u a = R a i a + L a
⎪ + Km φω
⎪
⎪ dt
⎪
⎨ dφ
uf = Rf if +
dt (44)
⎪
⎪ Te = Km φia
⎪
⎪
⎪
⎪
⎩Te = J dω + Bm ω + TL
dt
where φ is the pole flux, uf is the field voltage, Te is the electric torque, TL is mechanical
load torque. Since φ has a hysteretic nonlinearity. In practical case, it is usually simplified to
be linear form φ = L f i f .
From Eq. (44), we can derive
⎡ ⎤ ⎡ ⎤
dia Ra
⎡1 ⎤
⎢ dt ⎥ ⎢− La ia − Km i f ω ⎥
⎢ ⎥ ⎢ R i ⎥ u
⎢ di f ⎥ ⎢ f f ⎥ ⎢ La a ⎥
⎢ ⎥ = ⎢− ⎥ + ⎣0 ⎦ (45)
⎢ dt ⎥ ⎢ L f ⎥
⎣ dω ⎦ ⎣ 1
⎦ 0
−Bω + Km ia i f − TL
dt J
Similar to [38], we define the system states into the stacking vector as x(t ) =
T -
[iaT (t ) ωT (t ) x3T (t )] , u(t ) = Ua (t ), x3 (t ) = (ω − ωre f )dt.
Based on above definitions, the DC dynamic model is given as
x˙(t ) = (A + A )x(t ) + B (u(t ) + u(t ) ) + ω˜ (t ) (46)
Ra Km u f
− La − La R 0 1
0
f La
where A = , B= , ω˜ (t ) = , u(t ) = Ua (t ).
Km u f
JR f − BJ 0 0 0
0 −1 0 0 ωre f
The inherent relationship of uncertainties and normal parameters are Ra = Ranormal + Ra ,
R f = R fnormal + R f , and TL = TLnormal + TL . In addition, the control signal is given as ua (t ) =
uanormal (t ) + ua (t ), which is unlike the case in many previous examples. However, as the
increasing researches focusing on CPS security in recent years, more and more researchers
began to care about the function of this part.
In the DC motor dynamic system, the uncertain parts are often caused by the armature
and field resistance, as well as the load torque. Consequently, Ra , Rf and TL are used to
indicate the deviation of the corresponding parameters, respectively. Recent studies indicates
that, the uncertainties ua (t) is generally caused by cyber-attacks.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
22 H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx
⎡ Ranormal Km U f
⎤
− La − La R 0
⎢ f normal
⎥
A=⎣ 0 ⎦, A =
Km U f
Based on above description, we have JR f − BJ
normal
0 −1 0
⎡ Km U
⎤
− R
La
a − La Rf 0 A11 A12 0
⎣ Km U f 0⎦
f
JR f 0 = A21 0 0 .
0 0 0 0 0 0
The parameter values of DC motor are chosen the same in [21,38], with the controller K =
[0.37265 1.1029 −8.0814], then we get the rated speed as 1750 r/min.
During the simulation intervals, the cyber-attack is assumed as tempering attack, an addi-
tional torque is added on the original torque at t = 5 s, then we can get the contrast results
of DC motor speeds, currents and torques of the normal and attacked cases.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx 23
Synthesizing from Figs. 7–9, we can find that during the attacking interval, the attacked
speed, current and torque are seemed to be normal and the uncertainty errors are within the
steady-state error, thus, the uncertainties are difficult to detect. However, it is gratifying to
find a significant phenomenon that the attack action has effected the DC motor parameters
dramatically within the absent of attack intervals. Furthermore, the parameters don’t change
in one direction. These features will play an important role in attack detection.
5. Conclusion
In this paper, the process of cyber-attacks (DoS, information disclosure, replay attack and
stealthy attack) have been analyzed from the perspective of uncertainties under closed-loop
NCS framework. Based on this framework, unified system models with parameter uncertainties
are summarized. Then, utilizing the IT methodology, system security requirements have been
derived for cyber-attack detection and identification. Through these validation conditions, we
can determine when and where the attack occurred.
Acknowledgements
This work was funded by 61833008, 61533010, 61833011. And the author would like to
thank the associate editor and reviewers for valuable comments.
References
[1] President’s Council of A dvisors on Science and Technology. Leadership Under Challenge: Information Tech-
nology R&D in a Competitive World [Online], Aug. 2007. Available at http:// www.nitrd.gov/ Pcast/ reports/
PCAST-NIT-FINAL.pdf.
[2] R. Rajkumar, I. Lee, L. Sha, et al., Cyber-physical systems: the next computing revolution, in: Proceedings of
the Design Automation Conference, ACM, 2010, pp. 731–736.
[3] R. Baheti, H. Gill, Cyber-physical systems, Impact Control Technol. 12 (2011) 161–166.
[4] A.A. Cárdenas, S. Amin, B. Sinopoli, A. Perrig, S. Sastry, Challenges for securing cyber physical systems, in:
Proceedings of the First Workshop on Cyber-physical Systems Security, 2006, pp. 363–369.
[5] D.C. Neuman, Challenges in security for cyber-physical systems, in: DHS Workshop on Future Directions
Cyber-Physical Systems Security, 2009.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
24 H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx
[6] ZEKRIFA, Djabeur Mohamed Seifeddine et GHORBANI, Ali. Ameliorate Competitive Learning Neural Networks for System Intrusion
detection. 2013.
[7] A. Cárdenas, S. Amin, Sastry, secure control: towards survivable cyber-physical systems, in: Proceedings of the
Twenty-eighth International Conference on Distributed Computing Systems Workshops, 2008.
[8] D. Yue, Q.-L. Han, J. Lam, Network-based robust h ∞ control of systems with uncertainty, Automatica 41 (6)
(2005) 999–1007.
[9] M. Y-L, K.T. H-J, K. Brancik, D. Dickinson, H. Lee, A. Perrig, B. Sinopoli, Cyber-physical security of a smart
grid infrastructure, Proc. IEEE 100 (1) (2012) 195–209.
[10] H. Zhang, W.X. Zheng, Denial-of-service power dispatch against linear quadratic control via a fading channel,
IEEE Trans. Autom. Control 99 (2018) 1.
[11] H. Sandberg, S. Amin, K. Johansson, Cyber-physical security in networked control systems: an introduction to
the issue, IEEE Control Syst. 35 (1) (2015) 20–23.
[12] J.P. How, Cyberphysical security in networked control systems [about this issue], IEEE Control Systems 35 (1)
(2015) 8–12.
[13] H.A. Abbass, E. Petraki, K. Merrick, et al., Trusted autonomy and cognitive cyber symbiosis: Open challenges[J],
Cognitive Computation 8 (3) (2016) 385–408.
[14] H. Ge, D. Yue, X.P. Xie, S. Deng, S.L. Hu, Analysis of cyber physical systems security issue via uncertainty
approaches, in: M. Fei, S. Ma, X. Li, X. Sun, L. Jia, Z. Su (Eds.), Advanced Computational Methods in Life
System Modeling and Simulation. LSMS 2017, ICSEE 2017. Communications in Computer and Information
Science, 761, Springer, Singapore, 2017.
[15] Q. Zhu, T. Basar, Game-theoretic methods for robustness, security, and resilience of cyberphysical control
systems: games-in-games principle for optimal cross-layer resilient control systems, IEEE Control Syst. 35 (1)
(2015) 46–65.
[16] G. Luria, A. Kahana, S. Rosenblum, Detection of deception via handwriting behaviors using a computerized
tool: toward an evaluation of malingering, Cognit. Comput. 6 (4) (2014) 849–855.
[17] D. Yue, E. Tian, Q.L. Han, A delay system method for designing event-triggered controllers of networked
control systems, IEEE Trans. Autom. Control 58 (2) (2013) 475–481.
[18] A. Householder, A. Manion, L. Pesante, G. Weaver, 2001 Tech Tip: Managing the Threat of Denial-of-Service
Attacks [J], 33, Cert Coordination Center, 2001, pp. 99–110.
[19] H. Zhang, Y. Qi, J. Wu, et al., Dos attack energy management against remote state estimation, IEEE Trans.
Control Netw. Syst. 5 (1) (2018) 383–394.
[20] Zekrifa, Djabeur Mohamed Seifeddine. Hybrid Intrusion Detection System. Diss. 2014.
[21] R. Smith, Covert misappropriation of networked control systems: presenting a feedback structure, IEEE Control
Syst. 35 (1) (2015) 82–92.
[22] F. Pasqualetti, F. Dorfler, F. Bullo, Attack detection and identification in cyber-physical systems, IEEE Trans.
Autom. Control 58 (11) (2013) 2715–2729.
[23] E.D. Knapp, Industrial network security: Securing critical infrastructure networks for smart grid, in: Proceedings
of the SCADA, and Other Industrial Control Systems, Syngress, 2011.
[24] K. Zhou, J.C. Doyle, K. Glover, Robust and Optimal Control, Prentice Hall Information and System Sciences
Series; Prentice Hall: Control Engineering Practice, 4(8), 1996, pp. 1189–1190. Upper Saddle River, NJ, USA.
[25] S. Ding, Model-Based Fault Diagnosis Techniques: Design Schemes, Algorithms, and Tools, Springer Science
& Business Media, 2008.
[26] I. Hwang, S. Kim, Y. Kim, C.E. Seah, A survey of fault detection, isolation, and reconfiguration methods, IEEE
Trans. Control Syst. Technol. 18 (3) (2010) 636–653.
[27] S. Simani, R. Patton, C. Fantuzzi, Model-Based Fault Diagnosis in Dynamic Systems Using Identification
Techniques, Springer, London, 2003.
[28] F. Pasqualetti, F. Dörfler, F. Bullo, Attack detection and identification in cyber-physical systems, IEEE Trans.
Autom. Control 58 (11) (2013) 2715–2729.
[29] C.D. Persis, P. Tesi, Input-to-state stabilizing control under denial-of-service, IEEE Trans. Autom. Control 60
(11) (2015) 2930–2944.
[30] H. Zhang, W. Meng, J. Qi, et al., Distributed load sharing under false data injection attack in inverter-based
microgrid, IEEE Trans. Ind. Electron. (99) (2018) 543–1551.
[31] L.H. Xie, Output feedback H∞ control of systems with parameter uncertainty, Int. J. Control 63 (4) (1996)
741–750.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006
JID: FI
ARTICLE IN PRESS [m1+;March 5, 2019;18:47]
H. Ge, D. Yue and X. Xie et al. / Journal of the Franklin Institute xxx (xxxx) xxx 25
[32] D. Yue, Q.L. Han, J. Lam, Network-Based Robust H∞ Control of Systems with Uncertainty, Pergamon Press,
Inc., 2005.
[33] M. Faundez-Zanuy, A. Hussain, J. Mekyska, et al., Biometric applications related to human beings: there is life
beyond security, Cognit. Comput. 5 (1) (2013) 136–151.
[34] Y. Mo, B. Sinopoli, Secure control against replay attacks, in: Proceedings of the Conference on Communication,
Control, and Computing. Allerton, IEEE, 2009, pp. 911–918.
[35] R. Chabukswar, Y. Mo, B. Sinopoli, Detecting integrity attacks on SCADA systems, in: Proceedings of the
IFAC, 44, 2011, pp. 11239–11244.
[36] Y. Mo, S. Weerakkody, B. Sinopoli, Physical authentication of control systems: designing watermarked control
inputs to detect counterfeit sensor outputs[j], IEEE Control Syst. 35 (1) (2015) 93–109.
[37] H. Zhao, J. Ren, Cognitive computation of compressed sensing for watermark signal measurement, Cognit.
Comput. 8 (2) (2016) 246–260.
[38] J. Zhou, Y. Wang, R. Zhou, Global speed control of separately excited DC motor[c] power engineering society
winter meeting, in: Proceedings of the IEEE Xplore, 3, 2001, pp. 1425–1430.
[39] A. Teixeira, I. Shames, H. Sandberg, et al., A secure control framework for resource-limited adversaries, Auto-
matica 51 (2015) 135–148.
[40] P. Lee, A. Clark, L. Bushnell, et al., A passivity framework for modeling and mitigating wormhole attacks on
networked control systems, IEEE Trans. Autom. Control 59 (12) (2013) 3224–3237.
[41] P. Criscuolo, Distributed Denial of Service Tools, Trin00, Tribe Flood Network, Tribe Flood Network 2000 and
Stacheldraht[J], Office of Scientific & Technical Information Technical Reports (2000).
[42] N. Falliere, L.O. Murchu, E. Chien, W32.Stuxnet Dossier. Symantec: security response, 2011.
[43] E. Tian, W.K. Wong, D. Yue, et al., h ∞ filtering for discrete-time switched systems with known sojourn
probabilities, IEEE Trans. Autom. Control 60 (9) (2015) 2446–2451.
[44] H. Ge, D. Yue, X. Xie, Observer-based fault diagnosis of nonlinear systems via an improved homogeneous
polynomial technique, Int. J. Fuzzy Syst. 20 (6) (2017) 1–13.
Please cite this article as: H. Ge, D. Yue and X. Xie et al., A unified modeling of muti-sources cyber-attacks with
uncertainties for CPS security control, Journal of the Franklin Institute, https:// doi.org/ 10.1016/ j.jfranklin.2019.01.
006