secure state-estimation and control of cyber-physical...
TRANSCRIPT
Lab
Secure State-estimation and Controlof Cyber-Physical Systems
Paulo Tabuada
Cyber-Physical Systems LaboratoryDepartment of Electrical Engineering
University of California at Los Angeles
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 1 / 31
Lab
Secure State-estimation and Controlof Cyber-Physical Systems
Yasser Shoukry
Cyber-Physical Systems LaboratoryDepartment of Electrical Engineering
University of California at Los Angeles
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 2 / 31
Lab
Cyber-physical systems’ security in the news
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 3 / 31
Lab
Cyber-physical systems’ security in the news
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 3 / 31
Lab
Cyber-physical systems’ security in the news
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 3 / 31
Lab
Cyber-physical systems’ security in the news
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 3 / 31
Lab
Cyber-physical systems’ security in the news
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 3 / 31
Lab
Cyber-physical systems’ security in the news
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 3 / 31
Lab
Why security for cyber-physical systems?
Cyber-physical systems are physical processes (chemical plants, power grids,aircraft, etc.) whose functionality requires a tight integration with cybercomponents (computation and communication hardware/software).
Cyber-physical systems are becoming increasingly larger, distributed, and opento the cyber-world (e.g., internet): increased vulnerability to attacks.
Attacks launched in the cyber domain can have physical consequences.
How to detect, identify, and operate in the presence of attacks?
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 4 / 31
Lab
Why security for cyber-physical systems?
Cyber-physical systems are physical processes (chemical plants, power grids,aircraft, etc.) whose functionality requires a tight integration with cybercomponents (computation and communication hardware/software).
Cyber-physical systems are becoming increasingly larger, distributed, and opento the cyber-world (e.g., internet): increased vulnerability to attacks.
Attacks launched in the cyber domain can have physical consequences.
How to detect, identify, and operate in the presence of attacks?
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 4 / 31
Lab
Why security for cyber-physical systems?
Cyber-physical systems are physical processes (chemical plants, power grids,aircraft, etc.) whose functionality requires a tight integration with cybercomponents (computation and communication hardware/software).
Cyber-physical systems are becoming increasingly larger, distributed, and opento the cyber-world (e.g., internet): increased vulnerability to attacks.
Attacks launched in the cyber domain can have physical consequences.
How to detect, identify, and operate in the presence of attacks?
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 4 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t), x(t) ∈ Rn, u(t) ∈ Rm, t ∈ N0.
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t)
+ e(t).︸︷︷︸attackvector
Some sensors are attacked:
ei (t) 6= 0 −→ sensor i is attacked at time t ;
If sensor i is attacked, ei (t) can be arbitrary (no boundedness assumption,no stochastic model, etc.);
Set of attacked sensors (unknown) is denoted by K ⊂ {1, . . . , p}:
supp(e) = {i ∈ {1, . . . , p} | ei 6= 0} = K .
Number of attacked sensors will be denoted by q: q = |K |;
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 5 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t), x(t) ∈ Rn, u(t) ∈ Rm, t ∈ N0.
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t)
+ e(t).︸︷︷︸attackvector
Some sensors are attacked:
ei (t) 6= 0 −→ sensor i is attacked at time t ;
If sensor i is attacked, ei (t) can be arbitrary (no boundedness assumption,no stochastic model, etc.);
Set of attacked sensors (unknown) is denoted by K ⊂ {1, . . . , p}:
supp(e) = {i ∈ {1, . . . , p} | ei 6= 0} = K .
Number of attacked sensors will be denoted by q: q = |K |;
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 5 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t), x(t) ∈ Rn, u(t) ∈ Rm, t ∈ N0.
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t).︸︷︷︸attackvector
Some sensors are attacked:
ei (t) 6= 0 −→ sensor i is attacked at time t ;
If sensor i is attacked, ei (t) can be arbitrary (no boundedness assumption,no stochastic model, etc.);
Set of attacked sensors (unknown) is denoted by K ⊂ {1, . . . , p}:
supp(e) = {i ∈ {1, . . . , p} | ei 6= 0} = K .
Number of attacked sensors will be denoted by q: q = |K |;
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 5 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t), x(t) ∈ Rn, u(t) ∈ Rm, t ∈ N0.
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t).︸︷︷︸attackvector
Some sensors are attacked:
ei (t) 6= 0 −→ sensor i is attacked at time t ;If sensor i is attacked, ei (t) can be arbitrary (no boundedness assumption,no stochastic model, etc.);
Set of attacked sensors (unknown) is denoted by K ⊂ {1, . . . , p}:
supp(e) = {i ∈ {1, . . . , p} | ei 6= 0} = K .
Number of attacked sensors will be denoted by q: q = |K |;
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 5 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t), x(t) ∈ Rn, u(t) ∈ Rm, t ∈ N0.
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t).︸︷︷︸attackvector
Some sensors are attacked:
ei (t) 6= 0 −→ sensor i is attacked at time t ;If sensor i is attacked, ei (t) can be arbitrary (no boundedness assumption,no stochastic model, etc.);
Set of attacked sensors (unknown) is denoted by K ⊂ {1, . . . , p}:
supp(e) = {i ∈ {1, . . . , p} | ei 6= 0} = K .
Number of attacked sensors will be denoted by q: q = |K |;
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 5 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t), x(t) ∈ Rn, u(t) ∈ Rm, t ∈ N0.
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t).︸︷︷︸attackvector
Some sensors are attacked:
ei (t) 6= 0 −→ sensor i is attacked at time t ;If sensor i is attacked, ei (t) can be arbitrary (no boundedness assumption,no stochastic model, etc.);
Set of attacked sensors (unknown) is denoted by K ⊂ {1, . . . , p}:
supp(e) = {i ∈ {1, . . . , p} | ei 6= 0} = K .
Number of attacked sensors will be denoted by q: q = |K |;
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 5 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t)
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t)︸︷︷︸attackvector
The objective is to design a controller:
u(t) = φ(t , y(0), . . . , y(t))
rendering the closed-loop system exponentially stable
, notwithstanding anyadversarial attack to q sensors, i.e., for all e(t) ∈ Rp with support K , |K | = q.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 6 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t)
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t)︸︷︷︸attackvector
The objective is to design a controller:
u(t) = φ(t , y(0), . . . , y(t))
rendering the closed-loop system exponentially stable, notwithstanding anyadversarial attack to q sensors, i.e., for all e(t) ∈ Rp with support K , |K | = q.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 6 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t)
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t)︸︷︷︸attackvector
We can see this as a game between the controller and the attacker:
The matrices A, B, and C are known to the controller but x(0) is not. Theattacker is omniscient;The controller chooses an action u(t) ∈ Rm at time t ∈ N0 based on all itspast observations y(0), y(1), . . . , y(t);The attacker chooses K before the game starts and during the game itchooses e(t) ∈ Rp with support in K at time t ∈ N0;The controller seeks to stabilize the plant while the attacker seeks toprevent stabilization.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 7 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t)
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t)︸︷︷︸attackvector
We can see this as a game between the controller and the attacker:
The matrices A, B, and C are known to the controller but x(0) is not. Theattacker is omniscient;
The controller chooses an action u(t) ∈ Rm at time t ∈ N0 based on all itspast observations y(0), y(1), . . . , y(t);The attacker chooses K before the game starts and during the game itchooses e(t) ∈ Rp with support in K at time t ∈ N0;The controller seeks to stabilize the plant while the attacker seeks toprevent stabilization.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 7 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t)
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t)︸︷︷︸attackvector
We can see this as a game between the controller and the attacker:
The matrices A, B, and C are known to the controller but x(0) is not. Theattacker is omniscient;The controller chooses an action u(t) ∈ Rm at time t ∈ N0 based on all itspast observations y(0), y(1), . . . , y(t);
The attacker chooses K before the game starts and during the game itchooses e(t) ∈ Rp with support in K at time t ∈ N0;The controller seeks to stabilize the plant while the attacker seeks toprevent stabilization.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 7 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t)
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t)︸︷︷︸attackvector
We can see this as a game between the controller and the attacker:
The matrices A, B, and C are known to the controller but x(0) is not. Theattacker is omniscient;The controller chooses an action u(t) ∈ Rm at time t ∈ N0 based on all itspast observations y(0), y(1), . . . , y(t);The attacker chooses K before the game starts and during the game itchooses e(t) ∈ Rp with support in K at time t ∈ N0;
The controller seeks to stabilize the plant while the attacker seeks toprevent stabilization.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 7 / 31
Lab
The setup
Physical process modeled as a linear dynamical system:
x(t + 1) = Ax(t) + Bu(t)
A total of p sensors monitor state of plant (y(t) ∈ Rp):
y(t) = Cx(t) + e(t)︸︷︷︸attackvector
We can see this as a game between the controller and the attacker:
The matrices A, B, and C are known to the controller but x(0) is not. Theattacker is omniscient;The controller chooses an action u(t) ∈ Rm at time t ∈ N0 based on all itspast observations y(0), y(1), . . . , y(t);The attacker chooses K before the game starts and during the game itchooses e(t) ∈ Rp with support in K at time t ∈ N0;The controller seeks to stabilize the plant while the attacker seeks toprevent stabilization.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 7 / 31
Lab
Questioning the setup
Are physical systems really linear?
No! Our first results used ideas from compressed sensing and errorcorrection over the reals, hence linearity. The current understanding allowsfor nonlinear systems, conceptually.
Why is the set K of attacked sensors fixed throughout the game?
Compromising a sensor takes time. While the attacker is working tocompromise one additional sensor we can treat K as fixed.
Is the attacker attacking the sensors or the communication between the sensorsand the controller?
Our results are independent of where and how the attack is conducted.
Can you not protect the sensors or the communication using cyber-securitytechniques?
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 8 / 31
Lab
Questioning the setup
Are physical systems really linear?
No! Our first results used ideas from compressed sensing and errorcorrection over the reals, hence linearity. The current understanding allowsfor nonlinear systems, conceptually.
Why is the set K of attacked sensors fixed throughout the game?
Compromising a sensor takes time. While the attacker is working tocompromise one additional sensor we can treat K as fixed.
Is the attacker attacking the sensors or the communication between the sensorsand the controller?
Our results are independent of where and how the attack is conducted.
Can you not protect the sensors or the communication using cyber-securitytechniques?
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 8 / 31
Lab
Questioning the setup
Are physical systems really linear?
No! Our first results used ideas from compressed sensing and errorcorrection over the reals, hence linearity. The current understanding allowsfor nonlinear systems, conceptually.
Why is the set K of attacked sensors fixed throughout the game?
Compromising a sensor takes time. While the attacker is working tocompromise one additional sensor we can treat K as fixed.
Is the attacker attacking the sensors or the communication between the sensorsand the controller?
Our results are independent of where and how the attack is conducted.
Can you not protect the sensors or the communication using cyber-securitytechniques?
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 8 / 31
Lab
Questioning the setup
Are physical systems really linear?
No! Our first results used ideas from compressed sensing and errorcorrection over the reals, hence linearity. The current understanding allowsfor nonlinear systems, conceptually.
Why is the set K of attacked sensors fixed throughout the game?
Compromising a sensor takes time. While the attacker is working tocompromise one additional sensor we can treat K as fixed.
Is the attacker attacking the sensors or the communication between the sensorsand the controller?
Our results are independent of where and how the attack is conducted.
Can you not protect the sensors or the communication using cyber-securitytechniques?
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 8 / 31
Lab
Questioning the setup
Are physical systems really linear?
No! Our first results used ideas from compressed sensing and errorcorrection over the reals, hence linearity. The current understanding allowsfor nonlinear systems, conceptually.
Why is the set K of attacked sensors fixed throughout the game?
Compromising a sensor takes time. While the attacker is working tocompromise one additional sensor we can treat K as fixed.
Is the attacker attacking the sensors or the communication between the sensorsand the controller?
Our results are independent of where and how the attack is conducted.
Can you not protect the sensors or the communication using cyber-securitytechniques?
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 8 / 31
Lab
Questioning the setup
Are physical systems really linear?
No! Our first results used ideas from compressed sensing and errorcorrection over the reals, hence linearity. The current understanding allowsfor nonlinear systems, conceptually.
Why is the set K of attacked sensors fixed throughout the game?
Compromising a sensor takes time. While the attacker is working tocompromise one additional sensor we can treat K as fixed.
Is the attacker attacking the sensors or the communication between the sensorsand the controller?
Our results are independent of where and how the attack is conducted.
Can you not protect the sensors or the communication using cyber-securitytechniques?
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 8 / 31
Lab
Questioning the setup
Are physical systems really linear?
No! Our first results used ideas from compressed sensing and errorcorrection over the reals, hence linearity. The current understanding allowsfor nonlinear systems, conceptually.
Why is the set K of attacked sensors fixed throughout the game?
Compromising a sensor takes time. While the attacker is working tocompromise one additional sensor we can treat K as fixed.
Is the attacker attacking the sensors or the communication between the sensorsand the controller?
Our results are independent of where and how the attack is conducted.
Can you not protect the sensors or the communication using cyber-securitytechniques?
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 8 / 31
Lab
Attacking sensors
Noninvasive spoofing attacks for Anti-Lock Braking systemsY. Shoukry, P. Martin, P. Tabuada, and M. Srivastava.Workshop on Cryptographic Hardware and Embedded Systems, 2013 (CHES 2013).
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 9 / 31
Lab
Attacking sensors
Noninvasive spoofing attacks for Anti-Lock Braking systemsY. Shoukry, P. Martin, P. Tabuada, and M. Srivastava.Workshop on Cryptographic Hardware and Embedded Systems, 2013 (CHES 2013).
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 9 / 31
Lab
Attacking sensors
Noninvasive spoofing attacks for Anti-Lock Braking systemsY. Shoukry, P. Martin, P. Tabuada, and M. Srivastava.Workshop on Cryptographic Hardware and Embedded Systems, 2013 (CHES 2013).
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 9 / 31
Lab
Attacking sensors
Noninvasive spoofing attacks for Anti-Lock Braking systemsY. Shoukry, P. Martin, P. Tabuada, and M. Srivastava.Workshop on Cryptographic Hardware and Embedded Systems, 2013 (CHES 2013).
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 9 / 31
Lab
Attacking sensors
Noninvasive spoofing attacks for Anti-Lock Braking systemsY. Shoukry, P. Martin, P. Tabuada, and M. Srivastava.Workshop on Cryptographic Hardware and Embedded Systems, 2013 (CHES 2013).
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 9 / 31
Lab
A separation result
The attacks are arbitrary, in particular they can be nonlinear and time-varying.
Do we need to design a nonlinear and time-varying controller to be resilient toattacks?
Theorem
Consider the linear control system:
x(t + 1) = Ax(t) + Bu(t)
y(t) = Cx(t) + e(t).
If there exists a controller u(t) = φ(t , y(0), . . . , y(t)) rendering the closed-loop systemexponentially stablea despite an adversarial attack to q sensors then there exists adecoder D : Rn×p → Rn that correctly reconstructs the state in n steps:
x(t − n + 1) = D(y(t − n + 1), . . . , y(t)).
afor a rate of decay smaller than the smallest eigenvalue of A.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 10 / 31
Lab
A separation result
The attacks are arbitrary, in particular they can be nonlinear and time-varying.
Do we need to design a nonlinear and time-varying controller to be resilient toattacks?
Theorem
Consider the linear control system:
x(t + 1) = Ax(t) + Bu(t)
y(t) = Cx(t) + e(t).
If there exists a controller u(t) = φ(t , y(0), . . . , y(t)) rendering the closed-loop systemexponentially stablea despite an adversarial attack to q sensors then there exists adecoder D : Rn×p → Rn that correctly reconstructs the state in n steps:
x(t − n + 1) = D(y(t − n + 1), . . . , y(t)).
afor a rate of decay smaller than the smallest eigenvalue of A.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 10 / 31
Lab
A separation result
Theorem
Consider the linear control system:
x(t + 1) = Ax(t) + Bu(t)
y(t) = Cx(t) + e(t).
If there exists a controller u(t) = φ(t , y(0), . . . , y(t)) rendering the closed-loop systemexponentially stablea despite an adversarial attack to q sensors then there exists adecoder D : Rn×p → Rn that correctly reconstructs the state in n steps:
x(t − n + 1) = D(y(t − n + 1), . . . , y(t)).
afor a rate of decay smaller than the smallest eigenvalue of A.
We can solve our initial problem in two steps:
1 design the decoder (observer) D;
2 design a linear static controller.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 11 / 31
Lab
Error correction
x(t + 1) = Ax(t) + Bu(t)
y(t) = Cx(t) + e(t)
We assume the input to be known since we design the controller. For simplicitywe will take u(t) = 0 for all t ∈ N0;
A decoder (observer) D processes observations y(0), . . . , y(T − 1) andproduces an estimate of the initial state x(0).
We say that a decoder D : (Rp)T → Rn corrects q errors after T steps if it isresilient against any attack of q sensors, i.e., if for any initial condition x(0) ∈ Rn,and for any attack vectors e(0), . . . , e(T − 1) with support K , |K | = q, we have:
D(y(0), . . . , y(T − 1)) = x(0).
We say that q errors are correctable, for the system (A,C), if there exists adecoder that can correct q errors.
Note: correcting q = 0 errors is equivalent to observability.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 12 / 31
Lab
Error correction
x(t + 1) = Ax(t) + Bu(t)
y(t) = Cx(t) + e(t)
We assume the input to be known since we design the controller. For simplicitywe will take u(t) = 0 for all t ∈ N0;
A decoder (observer) D processes observations y(0), . . . , y(T − 1) andproduces an estimate of the initial state x(0).
We say that a decoder D : (Rp)T → Rn corrects q errors after T steps if it isresilient against any attack of q sensors, i.e., if for any initial condition x(0) ∈ Rn,and for any attack vectors e(0), . . . , e(T − 1) with support K , |K | = q, we have:
D(y(0), . . . , y(T − 1)) = x(0).
We say that q errors are correctable, for the system (A,C), if there exists adecoder that can correct q errors.
Note: correcting q = 0 errors is equivalent to observability.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 12 / 31
Lab
Error correction
x(t + 1) = Ax(t)
+ Bu(t)
y(t) = Cx(t) + e(t)
We assume the input to be known since we design the controller. For simplicitywe will take u(t) = 0 for all t ∈ N0;
A decoder (observer) D processes observations y(0), . . . , y(T − 1) andproduces an estimate of the initial state x(0).
We say that a decoder D : (Rp)T → Rn corrects q errors after T steps if it isresilient against any attack of q sensors, i.e., if for any initial condition x(0) ∈ Rn,and for any attack vectors e(0), . . . , e(T − 1) with support K , |K | = q, we have:
D(y(0), . . . , y(T − 1)) = x(0).
We say that q errors are correctable, for the system (A,C), if there exists adecoder that can correct q errors.
Note: correcting q = 0 errors is equivalent to observability.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 12 / 31
Lab
Error correction
x(t + 1) = Ax(t)
+ Bu(t)
y(t) = Cx(t) + e(t)
We assume the input to be known since we design the controller. For simplicitywe will take u(t) = 0 for all t ∈ N0;
A decoder (observer) D processes observations y(0), . . . , y(T − 1) andproduces an estimate of the initial state x(0).
We say that a decoder D : (Rp)T → Rn corrects q errors after T steps if it isresilient against any attack of q sensors, i.e., if for any initial condition x(0) ∈ Rn,and for any attack vectors e(0), . . . , e(T − 1) with support K , |K | = q, we have:
D(y(0), . . . , y(T − 1)) = x(0).
We say that q errors are correctable, for the system (A,C), if there exists adecoder that can correct q errors.
Note: correcting q = 0 errors is equivalent to observability.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 12 / 31
Lab
Error correction
x(t + 1) = Ax(t)
+ Bu(t)
y(t) = Cx(t) + e(t)
We assume the input to be known since we design the controller. For simplicitywe will take u(t) = 0 for all t ∈ N0;
A decoder (observer) D processes observations y(0), . . . , y(T − 1) andproduces an estimate of the initial state x(0).
We say that a decoder D : (Rp)T → Rn corrects q errors after T steps if it isresilient against any attack of q sensors, i.e., if for any initial condition x(0) ∈ Rn,and for any attack vectors e(0), . . . , e(T − 1) with support K , |K | = q, we have:
D(y(0), . . . , y(T − 1)) = x(0).
We say that q errors are correctable, for the system (A,C), if there exists adecoder that can correct q errors.
Note: correcting q = 0 errors is equivalent to observability.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 12 / 31
Lab
Error correction
x(t + 1) = Ax(t)
+ Bu(t)
y(t) = Cx(t) + e(t)
We assume the input to be known since we design the controller. For simplicitywe will take u(t) = 0 for all t ∈ N0;
A decoder (observer) D processes observations y(0), . . . , y(T − 1) andproduces an estimate of the initial state x(0).
We say that a decoder D : (Rp)T → Rn corrects q errors after T steps if it isresilient against any attack of q sensors, i.e., if for any initial condition x(0) ∈ Rn,and for any attack vectors e(0), . . . , e(T − 1) with support K , |K | = q, we have:
D(y(0), . . . , y(T − 1)) = x(0).
We say that q errors are correctable, for the system (A,C), if there exists adecoder that can correct q errors.
Note: correcting q = 0 errors is equivalent to observability.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 12 / 31
Lab
Error correction
x(t + 1) = Ax(t)
+ Bu(t)
y(t) = Cx(t) + e(t)
We assume the input to be known since we design the controller. For simplicitywe will take u(t) = 0 for all t ∈ N0;
A decoder (observer) D processes observations y(0), . . . , y(T − 1) andproduces an estimate of the initial state x(0).
We say that a decoder D : (Rp)T → Rn corrects q errors after T steps if it isresilient against any attack of q sensors, i.e., if for any initial condition x(0) ∈ Rn,and for any attack vectors e(0), . . . , e(T − 1) with support K , |K | = q, we have:
D(y(0), . . . , y(T − 1)) = x(0).
We say that q errors are correctable, for the system (A,C), if there exists adecoder that can correct q errors.
Note: correcting q = 0 errors is equivalent to observability.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 12 / 31
Lab
Correction of q errorsNecessary and sufficient conditions
A pair (A,C) is said to be q-sparse observable if all the pairs (A,C′), obtainedfrom (A,C) by removing q rows from C, remain observable.
TheoremFor any pair (A,C), q errors are correctable iff (A,C) is 2q-sparse observable.
No more than p/2 errors can be corrected since 2q is necessarily smaller than p.This is a fundamental limitation: if an attacker has access to more than half ofthe sensors (> p/2), it is impossible to reconstruct the state.Information theoretic interpretation: if a pair (A,C) is θ-sparse observable, theHamming distance between a sequence of outputs is at least p − θ + 1.Can we efficiently check sparse observability?
PropositionLet A be a diagonalizable matrix with eigenvalues of different magnitudes. Then, forany C of compatible dimensions, q errors are correctable for the pair (A,C) iff|supp(Cv)| > 2q for every eigenvector v of A.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 13 / 31
Lab
Correction of q errorsNecessary and sufficient conditions
A pair (A,C) is said to be q-sparse observable if all the pairs (A,C′), obtainedfrom (A,C) by removing q rows from C, remain observable.
TheoremFor any pair (A,C), q errors are correctable iff (A,C) is 2q-sparse observable.
No more than p/2 errors can be corrected since 2q is necessarily smaller than p.This is a fundamental limitation: if an attacker has access to more than half ofthe sensors (> p/2), it is impossible to reconstruct the state.Information theoretic interpretation: if a pair (A,C) is θ-sparse observable, theHamming distance between a sequence of outputs is at least p − θ + 1.Can we efficiently check sparse observability?
PropositionLet A be a diagonalizable matrix with eigenvalues of different magnitudes. Then, forany C of compatible dimensions, q errors are correctable for the pair (A,C) iff|supp(Cv)| > 2q for every eigenvector v of A.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 13 / 31
Lab
Correction of q errorsNecessary and sufficient conditions
A pair (A,C) is said to be q-sparse observable if all the pairs (A,C′), obtainedfrom (A,C) by removing q rows from C, remain observable.
TheoremFor any pair (A,C), q errors are correctable iff (A,C) is 2q-sparse observable.
No more than p/2 errors can be corrected since 2q is necessarily smaller than p.
This is a fundamental limitation: if an attacker has access to more than half ofthe sensors (> p/2), it is impossible to reconstruct the state.Information theoretic interpretation: if a pair (A,C) is θ-sparse observable, theHamming distance between a sequence of outputs is at least p − θ + 1.Can we efficiently check sparse observability?
PropositionLet A be a diagonalizable matrix with eigenvalues of different magnitudes. Then, forany C of compatible dimensions, q errors are correctable for the pair (A,C) iff|supp(Cv)| > 2q for every eigenvector v of A.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 13 / 31
Lab
Correction of q errorsNecessary and sufficient conditions
A pair (A,C) is said to be q-sparse observable if all the pairs (A,C′), obtainedfrom (A,C) by removing q rows from C, remain observable.
TheoremFor any pair (A,C), q errors are correctable iff (A,C) is 2q-sparse observable.
No more than p/2 errors can be corrected since 2q is necessarily smaller than p.This is a fundamental limitation: if an attacker has access to more than half ofthe sensors (> p/2), it is impossible to reconstruct the state.
Information theoretic interpretation: if a pair (A,C) is θ-sparse observable, theHamming distance between a sequence of outputs is at least p − θ + 1.Can we efficiently check sparse observability?
PropositionLet A be a diagonalizable matrix with eigenvalues of different magnitudes. Then, forany C of compatible dimensions, q errors are correctable for the pair (A,C) iff|supp(Cv)| > 2q for every eigenvector v of A.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 13 / 31
Lab
Correction of q errorsNecessary and sufficient conditions
A pair (A,C) is said to be q-sparse observable if all the pairs (A,C′), obtainedfrom (A,C) by removing q rows from C, remain observable.
TheoremFor any pair (A,C), q errors are correctable iff (A,C) is 2q-sparse observable.
No more than p/2 errors can be corrected since 2q is necessarily smaller than p.This is a fundamental limitation: if an attacker has access to more than half ofthe sensors (> p/2), it is impossible to reconstruct the state.Information theoretic interpretation: if a pair (A,C) is θ-sparse observable, theHamming distance between a sequence of outputs is at least p − θ + 1.
Can we efficiently check sparse observability?
PropositionLet A be a diagonalizable matrix with eigenvalues of different magnitudes. Then, forany C of compatible dimensions, q errors are correctable for the pair (A,C) iff|supp(Cv)| > 2q for every eigenvector v of A.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 13 / 31
Lab
Correction of q errorsNecessary and sufficient conditions
A pair (A,C) is said to be q-sparse observable if all the pairs (A,C′), obtainedfrom (A,C) by removing q rows from C, remain observable.
TheoremFor any pair (A,C), q errors are correctable iff (A,C) is 2q-sparse observable.
No more than p/2 errors can be corrected since 2q is necessarily smaller than p.This is a fundamental limitation: if an attacker has access to more than half ofthe sensors (> p/2), it is impossible to reconstruct the state.Information theoretic interpretation: if a pair (A,C) is θ-sparse observable, theHamming distance between a sequence of outputs is at least p − θ + 1.Can we efficiently check sparse observability?
PropositionLet A be a diagonalizable matrix with eigenvalues of different magnitudes. Then, forany C of compatible dimensions, q errors are correctable for the pair (A,C) iff|supp(Cv)| > 2q for every eigenvector v of A.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 13 / 31
Lab
Correction of q errorsNecessary and sufficient conditions
A pair (A,C) is said to be q-sparse observable if all the pairs (A,C′), obtainedfrom (A,C) by removing q rows from C, remain observable.
TheoremFor any pair (A,C), q errors are correctable iff (A,C) is 2q-sparse observable.
No more than p/2 errors can be corrected since 2q is necessarily smaller than p.This is a fundamental limitation: if an attacker has access to more than half ofthe sensors (> p/2), it is impossible to reconstruct the state.Information theoretic interpretation: if a pair (A,C) is θ-sparse observable, theHamming distance between a sequence of outputs is at least p − θ + 1.Can we efficiently check sparse observability?
PropositionLet A be a diagonalizable matrix with eigenvalues of different magnitudes. Then, forany C of compatible dimensions, q errors are correctable for the pair (A,C) iff|supp(Cv)| > 2q for every eigenvector v of A.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 13 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach
So far we discussed when we can or cannot reconstruct the state in thepresence of attacks.
Are there efficient algorithms for state reconstruction?
Our first approach was to use the `0 to `1 relaxation popularized incompressed sensing and error correction over the reals1.We then developed our own customized optimization algorithm/observerand provided a tight characterization of when it is guaranteed to work2.We now present an algorithm that always reconstructs the state when it ispossible to do so, i.e., under the right sparse observability assumptions3.
1 Secure estimation and control for cyber-physical systems under adversarial attacksH. Fawzi, P. Tabuada, and S. DiggaviIEEE Transactions on Automatic Control, 59(6), 2014.2 Event-Triggered State Observers for Sparse Noise/AttacksY. Shoukry and P. TabuadaTo appear in IEEE Transactions on Automatic Control, 2016. arXiv:1309:3511.3 IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State EstimationY. Shoukry, P. Nuzzo, A. Puggelli, A. Sangiovanni-Vincentelli, S. A. Seshia, M. Srivastava, and P. Tabuada.13th International Workshop on Satisfiability Modulo Theories (SMT) 2015.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 14 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach
So far we discussed when we can or cannot reconstruct the state in thepresence of attacks.
Are there efficient algorithms for state reconstruction?
Our first approach was to use the `0 to `1 relaxation popularized incompressed sensing and error correction over the reals1.
We then developed our own customized optimization algorithm/observerand provided a tight characterization of when it is guaranteed to work2.We now present an algorithm that always reconstructs the state when it ispossible to do so, i.e., under the right sparse observability assumptions3.
1 Secure estimation and control for cyber-physical systems under adversarial attacksH. Fawzi, P. Tabuada, and S. DiggaviIEEE Transactions on Automatic Control, 59(6), 2014.
2 Event-Triggered State Observers for Sparse Noise/AttacksY. Shoukry and P. TabuadaTo appear in IEEE Transactions on Automatic Control, 2016. arXiv:1309:3511.3 IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State EstimationY. Shoukry, P. Nuzzo, A. Puggelli, A. Sangiovanni-Vincentelli, S. A. Seshia, M. Srivastava, and P. Tabuada.13th International Workshop on Satisfiability Modulo Theories (SMT) 2015.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 14 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach
So far we discussed when we can or cannot reconstruct the state in thepresence of attacks.
Are there efficient algorithms for state reconstruction?
Our first approach was to use the `0 to `1 relaxation popularized incompressed sensing and error correction over the reals1.We then developed our own customized optimization algorithm/observerand provided a tight characterization of when it is guaranteed to work2.
We now present an algorithm that always reconstructs the state when it ispossible to do so, i.e., under the right sparse observability assumptions3.
1 Secure estimation and control for cyber-physical systems under adversarial attacksH. Fawzi, P. Tabuada, and S. DiggaviIEEE Transactions on Automatic Control, 59(6), 2014.2 Event-Triggered State Observers for Sparse Noise/AttacksY. Shoukry and P. TabuadaTo appear in IEEE Transactions on Automatic Control, 2016. arXiv:1309:3511.
3 IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State EstimationY. Shoukry, P. Nuzzo, A. Puggelli, A. Sangiovanni-Vincentelli, S. A. Seshia, M. Srivastava, and P. Tabuada.13th International Workshop on Satisfiability Modulo Theories (SMT) 2015.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 14 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach
So far we discussed when we can or cannot reconstruct the state in thepresence of attacks.
Are there efficient algorithms for state reconstruction?
Our first approach was to use the `0 to `1 relaxation popularized incompressed sensing and error correction over the reals1.We then developed our own customized optimization algorithm/observerand provided a tight characterization of when it is guaranteed to work2.We now present an algorithm that always reconstructs the state when it ispossible to do so, i.e., under the right sparse observability assumptions3.
1 Secure estimation and control for cyber-physical systems under adversarial attacksH. Fawzi, P. Tabuada, and S. DiggaviIEEE Transactions on Automatic Control, 59(6), 2014.2 Event-Triggered State Observers for Sparse Noise/AttacksY. Shoukry and P. TabuadaTo appear in IEEE Transactions on Automatic Control, 2016. arXiv:1309:3511.3 IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State EstimationY. Shoukry, P. Nuzzo, A. Puggelli, A. Sangiovanni-Vincentelli, S. A. Seshia, M. Srivastava, and P. Tabuada.13th International Workshop on Satisfiability Modulo Theories (SMT) 2015.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 14 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach
System Dynamics:
Σa
{x(t + 1) = Ax(t)y(t) = Cx(t) + a(t)
Collect τ measurements:
Yi =
{Oix + Ei if sensor i is under attack,Oix if sensor i is attack-free
For each individual sensor, we define a binary indicator variable bi ∈ B bydeclaring bi = 1 when the i th sensor is under attack and bi = 0 otherwise.
Problem(Secure state-estimation) For the linear control system under attack Σa, construct anestimate η = (x , b) ∈ Rn × Bp such that η |= φ, i.e., η satisfies φ, where φ is definedas:
φ ::=
p∧i=1
(¬bi ⇒ ‖Yi −Oix‖2
2 ≤ 0
) ∧ ( p∑i=1
bi ≤ s
).
Collect τ measurements:
yi (t − τ + 1)
yi (t − τ)...
yi (t)
︸ ︷︷ ︸
Yi
=
Ci
CiA...
CiAτ−1
︸ ︷︷ ︸
Oi
x +
ai (t − τ + 1)
ai (t − τ)...
ai (t)
︸ ︷︷ ︸
Ei
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 15 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach
System Dynamics:
Σa
{x(t + 1) = Ax(t)y(t) = Cx(t) + a(t)
Collect τ measurements:
Yi =
{Oix + Ei if sensor i is under attack,Oix if sensor i is attack-free
For each individual sensor, we define a binary indicator variable bi ∈ B bydeclaring bi = 1 when the i th sensor is under attack and bi = 0 otherwise.
Problem(Secure state-estimation) For the linear control system under attack Σa, construct anestimate η = (x , b) ∈ Rn × Bp such that η |= φ, i.e., η satisfies φ, where φ is definedas:
φ ::=
p∧i=1
(¬bi ⇒ ‖Yi −Oix‖2
2 ≤ 0
) ∧ ( p∑i=1
bi ≤ s
).
Collect τ measurements:
yi (t − τ + 1)
yi (t − τ)...
yi (t)
︸ ︷︷ ︸
Yi
=
Ci
CiA...
CiAτ−1
︸ ︷︷ ︸
Oi
x +
ai (t − τ + 1)
ai (t − τ)...
ai (t)
︸ ︷︷ ︸
Ei
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 15 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach
System Dynamics:
Σa
{x(t + 1) = Ax(t)y(t) = Cx(t) + a(t)
Collect τ measurements:
Yi =
{Oix + Ei if sensor i is under attack,Oix if sensor i is attack-free
For each individual sensor, we define a binary indicator variable bi ∈ B bydeclaring bi = 1 when the i th sensor is under attack and bi = 0 otherwise.
Problem(Secure state-estimation) For the linear control system under attack Σa, construct anestimate η = (x , b) ∈ Rn × Bp such that η |= φ, i.e., η satisfies φ, where φ is definedas:
φ ::=
p∧i=1
(¬bi ⇒ ‖Yi −Oix‖2
2 ≤ 0
) ∧ ( p∑i=1
bi ≤ s
).
Collect τ measurements:
yi (t − τ + 1)
yi (t − τ)...
yi (t)
︸ ︷︷ ︸
Yi
=
Ci
CiA...
CiAτ−1
︸ ︷︷ ︸
Oi
x +
ai (t − τ + 1)
ai (t − τ)...
ai (t)
︸ ︷︷ ︸
Ei
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 15 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach
System Dynamics:
Σa
{x(t + 1) = Ax(t)y(t) = Cx(t) + a(t)
Collect τ measurements:
Yi =
{Oix + Ei if sensor i is under attack,Oix if sensor i is attack-free
For each individual sensor, we define a binary indicator variable bi ∈ B bydeclaring bi = 1 when the i th sensor is under attack and bi = 0 otherwise.
Problem(Secure state-estimation) For the linear control system under attack Σa, construct anestimate η = (x , b) ∈ Rn × Bp such that η |= φ, i.e., η satisfies φ, where φ is definedas:
φ ::=
p∧i=1
(¬bi ⇒ ‖Yi −Oix‖2
2 ≤ 0
) ∧ ( p∑i=1
bi ≤ s
).
Collect τ measurements:
yi (t − τ + 1)
yi (t − τ)...
yi (t)
︸ ︷︷ ︸
Yi
=
Ci
CiA...
CiAτ−1
︸ ︷︷ ︸
Oi
x +
ai (t − τ + 1)
ai (t − τ)...
ai (t)
︸ ︷︷ ︸
Ei
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 15 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach
System Dynamics:
Σa
{x(t + 1) = Ax(t)y(t) = Cx(t) + a(t)
Collect τ measurements:
Yi =
{Oix + Ei if sensor i is under attack,Oix if sensor i is attack-free
For each individual sensor, we define a binary indicator variable bi ∈ B bydeclaring bi = 1 when the i th sensor is under attack and bi = 0 otherwise.
Problem(Secure state-estimation) For the linear control system under attack Σa, construct anestimate η = (x , b) ∈ Rn × Bp such that η |= φ, i.e., η satisfies φ, where φ is definedas:
φ ::=
p∧i=1
(¬bi ⇒ Yi = Oix
) ∧ ( p∑i=1
bi ≤ s
).
Collect τ measurements:
yi (t − τ + 1)
yi (t − τ)...
yi (t)
︸ ︷︷ ︸
Yi
=
Ci
CiA...
CiAτ−1
︸ ︷︷ ︸
Oi
x +
ai (t − τ + 1)
ai (t − τ)...
ai (t)
︸ ︷︷ ︸
Ei
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 15 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach
System Dynamics:
Σa
{x(t + 1) = Ax(t)y(t) = Cx(t) + a(t)
Collect τ measurements:
Yi =
{Oix + Ei if sensor i is under attack,Oix if sensor i is attack-free
For each individual sensor, we define a binary indicator variable bi ∈ B bydeclaring bi = 1 when the i th sensor is under attack and bi = 0 otherwise.
Problem(Secure state-estimation) For the linear control system under attack Σa, construct anestimate η = (x , b) ∈ Rn × Bp such that η |= φ, i.e., η satisfies φ, where φ is definedas:
φ ::=
p∧i=1
(¬bi ⇒ ‖Yi −Oix‖2
2 ≤ 0
) ∧ ( p∑i=1
bi ≤ s
).
Collect τ measurements:
yi (t − τ + 1)
yi (t − τ)...
yi (t)
︸ ︷︷ ︸
Yi
=
Ci
CiA...
CiAτ−1
︸ ︷︷ ︸
Oi
x +
ai (t − τ + 1)
ai (t − τ)...
ai (t)
︸ ︷︷ ︸
Ei
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 15 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Imhotep-SMT
IMHOTEP-SMT Engine
Imhotep “emmo-tep” (meaning: the one whocomes in peace, is with peace) was an Egyptianmathematician, engineer, architect andphysician. He was the designer of the firstpyramid in Egypt.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 16 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture I
SMT = pB-SAT solver + T -Solver.
pB-SAT solver: solves the “booleanversion” of the problem.
Original formula:
φ ::=
p∧i=1
(¬bi ⇒ ‖Yi −Oi x‖
22 ≤ 0
)
∧( p∑i∈1
bi ≤ s
).
Replace non-booleanvariables with boolean ones
φinitial ::=
p∧i=1
(¬bi ⇒ ci
)∧( p∑i=1
bi ≤ s
)
Pass φinitial to the SAT solver.
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial
{(Y1,O1, ‖Ψ1‖2
2
). . .(
Yp,Op, ‖Ψp‖22
)}
η = (x , b)b, I
I
φcert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 17 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture I
SMT = pB-SAT solver + T -Solver.
pB-SAT solver: solves the “booleanversion” of the problem.
Original formula:
φ ::=
p∧i=1
(¬bi ⇒ ‖Yi −Oi x‖
22 ≤ 0
)
∧( p∑i∈1
bi ≤ s
).
Replace non-booleanvariables with boolean ones
φinitial ::=
p∧i=1
(¬bi ⇒ ci
)∧( p∑i=1
bi ≤ s
)
Pass φinitial to the SAT solver.
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial
{(Y1,O1, ‖Ψ1‖2
2
). . .(
Yp,Op, ‖Ψp‖22
)}
η = (x , b)b, I
I
φcert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 17 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture I
SMT = pB-SAT solver + T -Solver.
pB-SAT solver: solves the “booleanversion” of the problem.
Original formula:
φ ::=
p∧i=1
(¬bi ⇒ ‖Yi −Oi x‖
22 ≤ 0
)
∧( p∑i∈1
bi ≤ s
).
Replace non-booleanvariables with boolean ones
φinitial ::=
p∧i=1
(¬bi ⇒ ci
)∧( p∑i=1
bi ≤ s
)
Pass φinitial to the SAT solver.
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial
{(Y1,O1, ‖Ψ1‖2
2
). . .(
Yp,Op, ‖Ψp‖22
)}
η = (x , b)b, I
I
φcert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 17 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture I
SMT = pB-SAT solver + T -Solver.
pB-SAT solver: solves the “booleanversion” of the problem.
Original formula:
φ ::=
p∧i=1
(¬bi ⇒ ‖Yi −Oi x‖
22 ≤ 0
)
∧( p∑i∈1
bi ≤ s
).
Replace non-booleanvariables with boolean ones
φinitial ::=
p∧i=1
(¬bi ⇒ ci
)∧( p∑i=1
bi ≤ s
)
Pass φinitial to the SAT solver.
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial
{(Y1,O1, ‖Ψ1‖2
2
). . .(
Yp,Op, ‖Ψp‖22
)}
η = (x , b)b, I
I
φcert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 17 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture I
SMT = pB-SAT solver + T -Solver.
pB-SAT solver: solves the “booleanversion” of the problem.
Original formula:
φ ::=
p∧i=1
(¬bi ⇒ ‖Yi −Oi x‖
22 ≤ 0
)
∧( p∑i∈1
bi ≤ s
).
Replace non-booleanvariables with boolean ones
φinitial ::=
p∧i=1
(¬bi ⇒ ci
)∧( p∑i=1
bi ≤ s
)
Pass φinitial to the SAT solver.
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial
{(Y1,O1, ‖Ψ1‖2
2
). . .(
Yp,Op, ‖Ψp‖22
)}
η = (x , b)b, I
I
φcert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 17 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture II
pB-SAT solver returns anassignment for the variable b.
We extract which sensors are“hypothesized” to be attack free I.
Check this assignment.
1: Solve:x := argminx∈Rn ‖YI −OIx‖2
2
2: if ‖YI −OIx‖22 = 0 then
3: status = SAT; ©
4: else5: status = UNSAT; §
6: end if7: return (status, x);
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial
{(Y1,O1) . . . (Yp,Op)}
b, I
η = (x , b)
I
φcert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 18 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture II
pB-SAT solver returns anassignment for the variable b.
We extract which sensors are“hypothesized” to be attack free I.
Check this assignment.
1: Solve:x := argminx∈Rn ‖YI −OIx‖2
2
2: if ‖YI −OIx‖22 = 0 then
3: status = SAT; ©
4: else5: status = UNSAT; §
6: end if7: return (status, x);
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial {(Y1,O1) . . . (Yp,Op)}
b, I
η = (x , b)
I
φcert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 18 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture II
pB-SAT solver returns anassignment for the variable b.
We extract which sensors are“hypothesized” to be attack free I.
Check this assignment.
1: Solve:x := argminx∈Rn ‖YI −OIx‖2
2
2: if ‖YI −OIx‖22 = 0 then
3: status = SAT; ©
4: else5: status = UNSAT; §
6: end if7: return (status, x);
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial {(Y1,O1) . . . (Yp,Op)}
b, I
η = (x , b)
I
φcert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 18 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture II
pB-SAT solver returns anassignment for the variable b.
We extract which sensors are“hypothesized” to be attack free I.
Check this assignment.
1: Solve:x := argminx∈Rn ‖YI −OIx‖2
2
2: if ‖YI −OIx‖22 = 0 then
3: status = SAT; ©
4: else5: status = UNSAT; §
6: end if7: return (status, x);
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial {(Y1,O1) . . . (Yp,Op)}
b, I η = (x , b)
I
φcert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 18 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture II
pB-SAT solver returns anassignment for the variable b.
We extract which sensors are“hypothesized” to be attack free I.
Check this assignment.
1: Solve:x := argminx∈Rn ‖YI −OIx‖2
2
2: if ‖YI −OIx‖22 = 0 then
3: status = SAT; ©4: else5: status = UNSAT; §6: end if7: return (status, x);
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial {(Y1,O1) . . . (Yp,Op)}
b, I η = (x , b)
I
φcert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 18 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture III
Generate “theory lemma”, “counterexample”, or “UNSAT certificate”.
φtriv-cert =∑i∈I
bi ≥ 1
Add this “certificate” to the originalconstraints:
φ := φinitial ∧ φtriv-cert
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial {(Y1,O1) . . . (Yp,Op)}
b, I η = (x , b)
I
φcert
REPEAT
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 19 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture III
Generate “theory lemma”, “counterexample”, or “UNSAT certificate”.
φtriv-cert =∑i∈I
bi ≥ 1
Add this “certificate” to the originalconstraints:
φ := φinitial ∧ φtriv-cert
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial {(Y1,O1) . . . (Yp,Op)}
b, I η = (x , b)
I
φcert
REPEAT
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 19 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture III
Generate “theory lemma”, “counterexample”, or “UNSAT certificate”.
φtriv-cert =∑i∈I
bi ≥ 1
Add this “certificate” to the originalconstraints:
φ := φinitial ∧ φtriv-cert
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial {(Y1,O1) . . . (Yp,Op)}
b, I η = (x , b)
I
φcert
REPEAT
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 19 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Lazy SMT Architecture III
Generate “theory lemma”, “counterexample”, or “UNSAT certificate”.
φtriv-cert =∑i∈I
bi ≥ 1
Add this “certificate” to the originalconstraints:
φ := φinitial ∧ φtriv-cert
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial {(Y1,O1) . . . (Yp,Op)}
b, I η = (x , b)
I
φcert
REPEAT
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 19 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Termination and performance
System Dynamics:
Σa
{x(t + 1) = Ax(t)y(t) = Cx(t) + a(t)
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial {(Y1,O1) , . . . , (Yp,Op)}
η = (x, b)b, I = supp(b)
I
φcert
PropositionLet the linear dynamical system Σa be 2s-sparse observable. Then, IMHOTEP-SMT:
terminates,
identifies the attacked sensors,
and reconstructs the state.
Moreover, the number of iterations is upper bounded by∑s
s=0
(ps
).
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 20 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: UNSAT certificates
Why is performance bad?
φtriv-cert =∑i∈I
bi ≥ 1
To enhance performance, we need to generate compact certificates.
LemmaLet the linear dynamical system Σa be 2s-sparse observable. If T -SOLVE.CHECK(I)is UNSAT then there exists a subset I ⊂ supp(b) with |I| ≤ p − 2s + 1 such thatT -SOLVE.CHECK(Itemp) is also UNSAT.
Trivial certificates have p − s sensors.
The proof of this lemma is constructive.
In practice we can do better by exploiting the convex geometry (observabilitygramian).
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 21 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: UNSAT certificates
Why is performance bad?
φtriv-cert =∑i∈I
bi ≥ 1
To enhance performance, we need to generate compact certificates.
LemmaLet the linear dynamical system Σa be 2s-sparse observable. If T -SOLVE.CHECK(I)is UNSAT then there exists a subset I ⊂ supp(b) with |I| ≤ p − 2s + 1 such thatT -SOLVE.CHECK(Itemp) is also UNSAT.
Trivial certificates have p − s sensors.
The proof of this lemma is constructive.
In practice we can do better by exploiting the convex geometry (observabilitygramian).
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 21 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: UNSAT certificates
Why is performance bad?
φtriv-cert =∑i∈I
bi ≥ 1
To enhance performance, we need to generate compact certificates.
LemmaLet the linear dynamical system Σa be 2s-sparse observable. If T -SOLVE.CHECK(I)is UNSAT then there exists a subset I ⊂ supp(b) with |I| ≤ p − 2s + 1 such thatT -SOLVE.CHECK(Itemp) is also UNSAT.
Trivial certificates have p − s sensors.
The proof of this lemma is constructive.
In practice we can do better by exploiting the convex geometry (observabilitygramian).
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 21 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: UNSAT certificates
pseudoBoolean
(pB)SAT-solver
T -SOLVE.CHECK
T -SOLVE.CERTIFICATE
T -SOLVE
IMHOTEP-SMT
φinitial {(Y1,O1) , . . . , (Yp,Op)}
η = (x, b)b, I = supp(b)
I
φcert
TheoremLet the linear dynamical system Σa be 2s-sparse observable. Then, IMHOTEP-SMT:
terminates,
identifies the attacked sensors,
and reconstructs the state.
Moreover, the number of iterations is upper bounded by( p
p−2s+1
)(compare to:∑s
s′=0
( ps′)).
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 22 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Simulation results
Random system with 25 states 60sensors and an increasing numberof attacked sensors.
1 5 10 15 20
0
100
200
300
400
500
Number of attacked sensors s
Num
bero
fite
ratio
ns
φtriv-cert φconf-cert φconf-cert ∧ φagree-cert
Random systems with 25 states,1/3 of sensors under attack, andincreasing number of sensors.
3 15 30 45 60
0
100
200
300
400
500
Number of sensors p
Num
bero
fite
ratio
ns
φtriv-cert φconf-cert φconf-cert ∧ φagree-cert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 23 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Simulation results
Random system with 25 states 60sensors and an increasing numberof attacked sensors.
1 5 10 15 20
0
100
200
300
400
500
Number of attacked sensors s
Num
bero
fite
ratio
ns
φtriv-cert φconf-cert φconf-cert ∧ φagree-cert
Random systems with 25 states,1/3 of sensors under attack, andincreasing number of sensors.
3 15 30 45 60
0
100
200
300
400
500
Number of sensors p
Num
bero
fite
ratio
ns
φtriv-cert φconf-cert φconf-cert ∧ φagree-cert
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 23 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Simulation results
Comparison with 2 convex-relaxation algorithms and 2 logic-based encodings.
Random systems with 60 sensors(20 under attack) and an increasingnumber of states.
10 25 50 75 100 150
0
50
100
150
200
Number of states n
Exe
cutio
ntim
e(s
ec)
SMT ETPG Lr/L2 dReal Z3
Random systems with 50 states,1/3 of sensors under attack, andincreasing number of sensors.
3 30 60 90 120 150
0
10
20
30
Number of sensors p
Exe
cutio
ntim
e(s
ec)
SMT ETPG Lr/L2 dReal Z3
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 24 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Simulation results
Comparison with 2 convex-relaxation algorithms and 2 logic-based encodings.
Random systems with 60 sensors(20 under attack) and an increasingnumber of states.
10 25 50 75 100 150
0
50
100
150
200
Number of states n
Exe
cutio
ntim
e(s
ec)
SMT ETPG Lr/L2 dReal Z3
Random systems with 50 states,1/3 of sensors under attack, andincreasing number of sensors.
3 30 60 90 120 150
0
10
20
30
Number of sensors p
Exe
cutio
ntim
e(s
ec)
SMT ETPG Lr/L2 dReal Z3
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 24 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Examples
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 25 / 31
Lab
State reconstruction under sensor attacksA Satisfiability Modulo Theory Approach: Some extensions
Stochastic noise:
combine Kalman filters with SMT solving;optimal performance: as good as a minimum mean squared error (MMSE)estimator that knows the attacked sensors1.
Nonlinear systems: differential flatness and applications to quadcopters2.
1 Secure State Estimation: Optimal Guarantees against Sensor Attacks in the Presence of NoiseS. Mishra, Y. Shoukry, N. Karamchandani, S. Diggavi, P. TabuadaInternational Symposium on Information Theory, 2015.
2 Secure State Reconstruction in Differentially Flat Systems Under Sensor Attacks Using Satisfiability Modulo Theory SolvingY. Shoukry, P. Nuzzo, N. Bezzo, A. L. Sangiovanni-Vincentelli, S. A. Seshia, P. TabuadaIEEE Conference on Decision and Control, 2015.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 26 / 31
Lab
State reconstruction under sensor attacksRelated work
Static case, no dynamics:Detection in Adversarial EnvironmentsK. G. Vamvoudakis, J. P. Hespanha, B. Sinopoli, and Y. MoIEEE Transactions on Automatic Control, 2014Efficient Computation of a Security Index for False Data Attacks in Power NetworksJ. M. Hendrickx, K. H. Johansson, R. M. Jungers, H. Sandberg, K. C. SouIEEE Transactions on Automatic Control, 2014
Unknown input observers:A Unified Filter for Simultaneous Input and State Estimation of Linear Discrete-timeStochastic SystemsS. Z. Yonga, M. Zhub, and E. FrazzoliAutomatica, 2016Delayed Observers for Linear Systems With Unknown InputsS. Sundaram and C. N. HadjicostisIEEE Transactions on Automatic Control, 2007
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 27 / 31
Lab
State reconstruction under sensor attacksRelated work
Static case, no dynamics:Detection in Adversarial EnvironmentsK. G. Vamvoudakis, J. P. Hespanha, B. Sinopoli, and Y. MoIEEE Transactions on Automatic Control, 2014Efficient Computation of a Security Index for False Data Attacks in Power NetworksJ. M. Hendrickx, K. H. Johansson, R. M. Jungers, H. Sandberg, K. C. SouIEEE Transactions on Automatic Control, 2014
Unknown input observers:A Unified Filter for Simultaneous Input and State Estimation of Linear Discrete-timeStochastic SystemsS. Z. Yonga, M. Zhub, and E. FrazzoliAutomatica, 2016Delayed Observers for Linear Systems With Unknown InputsS. Sundaram and C. N. HadjicostisIEEE Transactions on Automatic Control, 2007
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 27 / 31
Lab
State reconstruction under sensor attacksRelated work
Attack detectability:Attack detection and identification in cyber-physical systemsF. Pasqualetti, F. Doerfler, and F. BulloIEEE Transactions on Automatic Control, 2013
Sparse observability in continuous time:Observability of linear systems under adversarial attacksM. S. Chong, M. Wakaikim and J. P. HespanhaAmerican Conference on Cyber-Physical Systems, 2015
Effect of implementation details (delays, jitter, etc.):Robustness of Attack-Resilient State EstimatorsM. Pajic, J. Weimer, N. Bezzo, P. Tabuada, O. Sokolsky, I. Lee, G. J. PappasInternational Conference on Cyber-Physical Systems, 2014
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 28 / 31
Lab
State reconstruction under sensor attacksRelated work
Attack detectability:Attack detection and identification in cyber-physical systemsF. Pasqualetti, F. Doerfler, and F. BulloIEEE Transactions on Automatic Control, 2013
Sparse observability in continuous time:Observability of linear systems under adversarial attacksM. S. Chong, M. Wakaikim and J. P. HespanhaAmerican Conference on Cyber-Physical Systems, 2015
Effect of implementation details (delays, jitter, etc.):Robustness of Attack-Resilient State EstimatorsM. Pajic, J. Weimer, N. Bezzo, P. Tabuada, O. Sokolsky, I. Lee, G. J. PappasInternational Conference on Cyber-Physical Systems, 2014
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 28 / 31
Lab
State reconstruction under sensor attacksRelated work
Attack detectability:Attack detection and identification in cyber-physical systemsF. Pasqualetti, F. Doerfler, and F. BulloIEEE Transactions on Automatic Control, 2013
Sparse observability in continuous time:Observability of linear systems under adversarial attacksM. S. Chong, M. Wakaikim and J. P. HespanhaAmerican Conference on Cyber-Physical Systems, 2015
Effect of implementation details (delays, jitter, etc.):Robustness of Attack-Resilient State EstimatorsM. Pajic, J. Weimer, N. Bezzo, P. Tabuada, O. Sokolsky, I. Lee, G. J. PappasInternational Conference on Cyber-Physical Systems, 2014
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 28 / 31
Lab
State reconstruction under sensor attacksRelated work
Asymptotic state reconstruction under attacks:Dynamic State Estimation in the Presence of Compromised Sensory DataY. Nakahira, Y. MoIEEE Conference on Decision and Control, 2015See also Yasser Shoukry’s talk at ICCPS on Wednesday.
Nonlinear systems:Secure State Estimation for Nonlinear Power Systems under Cyber AttacksQ. Hu, D. Fooladivanda, Y. H. Chang, C. J. TomlinarXiv:1603.06894, 2016Resilient State Estimation against Switching Attacks on Stochastic Cyber-PhysicalSystemsS. Z. Yong, M. Zhub, E. FrazzoliIEEE Conference on Decision and Control, 2015
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 29 / 31
Lab
State reconstruction under sensor attacksRelated work
Asymptotic state reconstruction under attacks:Dynamic State Estimation in the Presence of Compromised Sensory DataY. Nakahira, Y. MoIEEE Conference on Decision and Control, 2015See also Yasser Shoukry’s talk at ICCPS on Wednesday.
Nonlinear systems:Secure State Estimation for Nonlinear Power Systems under Cyber AttacksQ. Hu, D. Fooladivanda, Y. H. Chang, C. J. TomlinarXiv:1603.06894, 2016Resilient State Estimation against Switching Attacks on Stochastic Cyber-PhysicalSystemsS. Z. Yong, M. Zhub, E. FrazzoliIEEE Conference on Decision and Control, 2015
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 29 / 31
Lab
Securing Cyber-Physical SystemsFinal thoughts
Security for CPS is quite different from cyber-security:
there are CPS attacks for which there are no cyber-security defenses;attacks on CPS do not exploit bugs, they exploit features;knowledge of the plant, control architecture, and controller is the key for asuccessful attack or defense.
Cyber-security is needed for CPS but CPS-security is the last line of defense.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 30 / 31
Lab
Securing Cyber-Physical SystemsFinal thoughts
Security for CPS is quite different from cyber-security:
there are CPS attacks for which there are no cyber-security defenses;
attacks on CPS do not exploit bugs, they exploit features;knowledge of the plant, control architecture, and controller is the key for asuccessful attack or defense.
Cyber-security is needed for CPS but CPS-security is the last line of defense.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 30 / 31
Lab
Securing Cyber-Physical SystemsFinal thoughts
Security for CPS is quite different from cyber-security:
there are CPS attacks for which there are no cyber-security defenses;attacks on CPS do not exploit bugs, they exploit features;knowledge of the plant, control architecture, and controller is the key for asuccessful attack or defense.
Cyber-security is needed for CPS but CPS-security is the last line of defense.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 30 / 31
Lab
Securing Cyber-Physical SystemsFinal thoughts
Security for CPS is quite different from cyber-security:
there are CPS attacks for which there are no cyber-security defenses;attacks on CPS do not exploit bugs, they exploit features;knowledge of the plant, control architecture, and controller is the key for asuccessful attack or defense.
Cyber-security is needed for CPS but CPS-security is the last line of defense.
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 30 / 31
Lab
Acknowledgements
Students and collaborators;
National Science Foundation, DARPA,and Northrop Grumman;
Prof. Mitra and Prof. Dullerudfor inviting me.
For more information:http://www.cyphylab.ee.ucla.edu/http://www.ee.ucla.edu/∼tabuada
Paulo Tabuada (CyPhyLab - UCLA) Securing CPS SoSCYPS 04/11/2016 31 / 31