I MHOTEP-SMT : A Satisfiability Modulo Theory Solver For Secure State Estimation ∗

This paper presents IMHOTEP-SMT, a solver for the detection and mitigation of sensor attacks in cyber-physical systems. IMHOTEP-SMT receives as inputs a description of the physical system in the form of a linear difference equation, the system input (control) signal, and a set of output (sensor) measurements that can be noisy and corrupted by a malicious attacker. The output is the solution of the secure state estimation problem, i.e., a report indicating: (i) the corrupted sensors, and (ii) an estimate of the continuous state of the system obtained from the uncorrupted sensors. Based on this estimate, it is then possible to deploy a control strategy, while being resilient to adversarial attacks. The core of our tool relies on the combination of convex programming with pseudo-Boolean satisfiability solving, following the lazy satisfiability modulo theory paradigm. We provide an empirical evaluation of the tool scalability, and demonstrate its application to attack detection and secure state estimation of electric power grids.

[1]  Christian Commault,et al.  Generic properties and control of linear structured systems: a survey , 2003, Autom..

[2]  Martin Fränzle,et al.  Efficient Solving of Large Non-linear Arithmetic Constraint Systems with Complex Boolean Structure , 2007, J. Satisf. Boolean Model. Comput..

[3]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[4]  Peng Ning,et al.  False data injection attacks against state estimation in electric power grids , 2009, CCS.

[5]  Daniel Le Berre,et al.  The Sat4j library, release 2.2 , 2010, J. Satisf. Boolean Model. Comput..

[6]  Alberto L. Sangiovanni-Vincentelli,et al.  CalCS: SMT solving for non-linear convex constraints , 2010, Formal Methods in Computer Aided Design.

[7]  Ralph Langner,et al.  Stuxnet: Dissecting a Cyberwarfare Weapon , 2011, IEEE Security & Privacy.

[8]  Edmund M. Clarke,et al.  δ-Complete Decision Procedures for Satisfiability over the Reals , 2012, IJCAR.

[9]  Edmund M. Clarke,et al.  dReal: An SMT Solver for Nonlinear Theories over the Reals , 2013, CADE.

[10]  Florian Dörfler,et al.  Attack Detection and Identification in Cyber-Physical Systems -- Part II: Centralized and Distributed Monitor Design , 2012, ArXiv.

[11]  Paulo Tabuada,et al.  Non-invasive Spoofing Attacks for Anti-lock Braking Systems , 2013, CHES.

[12]  Paulo Tabuada,et al.  Secure State Estimation Under Sensor Attacks: A Satisfiability Modulo Theory Approach , 2014, ArXiv.

[13]  Paulo Tabuada,et al.  Secure Estimation and Control for Cyber-Physical Systems Under Adversarial Attacks , 2012, IEEE Transactions on Automatic Control.

[14]  Paulo Tabuada,et al.  Sound and complete state estimation for linear dynamical systems under sensor attacks using Satisfiability Modulo Theory solving , 2015, 2015 American Control Conference (ACC).

[15]  João Pedro Hespanha,et al.  Observability of linear systems under adversarial attacks , 2015, 2015 American Control Conference (ACC).

[16]  Paulo Tabuada,et al.  Event-Triggered State Observers for Sparse Sensor Noise/Attacks , 2013, IEEE Transactions on Automatic Control.