SMT-Based Observer Design for Cyber-Physical Systems under Sensor Attacks

We introduce a scalable observer architecture to estimate the states of a discrete-time linear-time-invariant (LTI) system whose sensors can be manipulated by an attacker. Given the maximum number of attacked sensors, we build on previous results on necessary and sufficient conditions for state estimation, and propose a novel multi-modal Luenberger (MML) observer based on efficient Satisfiability Modulo Theory (SMT) solving. We present two techniques to reduce the complexity of the estimation problem. As a first strategy, instead of a bank of distinct observers, we use a family of filters sharing a single dynamical equation for the states, but different output equations, to generate estimates corresponding to different subsets of sensors. Such an architecture can reduce the memory usage of the observer from an exponential to a linear function of the number of sensors. We then develop an efficient SMT-based decision procedure that is able to reason about the estimates of the MML observer to detect at runtime which sets of sensors are attack-free, and use them to obtain a correct state estimate. We provide proofs of convergence for our algorithm and report simulation results to compare its runtime performance with alternative techniques. Our algorithm scales well for large systems (including up to 5000 sensors) for which many previously proposed algorithms are not implementable due to excessive memory and time requirements. Finally, we illustrate the effectiveness of our algorithm on the design of resilient power distribution systems.
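The problem the abstract describes, as an added example that is not the paper's code: given a bound on attacked sensors, find a sensor subset whose outputs fit a single state trajectory. This sketch uses exhaustive subset search in place of the SMT-based procedure and assumes a constructed, noise-free 2-state plant; all names and values are hypothetical.

```python
from itertools import combinations

# Constructed plant: x(t+1) = A x(t), y_i(t) = C[i] x(t) + attack_i(t), no noise.
A = [[1.0, 0.1], [0.0, 1.0]]
C = [[1.0, 0.0], [2.0, 0.0], [1.0, 1.0], [1.0, -1.0]]  # 4 sensors, one row each

def simulate(x0, steps, attacks):
    """Return ys[t][i]. attacks maps a sensor index to a function t -> injected value."""
    x, ys = list(x0), []
    for t in range(steps):
        ys.append([c[0] * x[0] + c[1] * x[1] + attacks.get(i, lambda _: 0.0)(t)
                   for i, c in enumerate(C)])
        x = [A[0][0] * x[0] + A[0][1] * x[1], A[1][0] * x[0] + A[1][1] * x[1]]
    return ys

def fit(ys, sensors):
    """Least-squares initial state from the chosen sensors, plus the worst residual."""
    rows, rhs = [], []
    row = {i: C[i] for i in sensors}          # row[i] holds C_i A^t
    for y in ys:
        for i in sensors:
            r = row[i]
            rows.append(r)
            rhs.append(y[i])
            row[i] = [r[0] * A[0][0] + r[1] * A[1][0], r[0] * A[0][1] + r[1] * A[1][1]]
    # 2x2 normal equations G x0 = b, solved in closed form.
    g00 = sum(r[0] * r[0] for r in rows)
    g01 = sum(r[0] * r[1] for r in rows)
    g11 = sum(r[1] * r[1] for r in rows)
    b0 = sum(r[0] * v for r, v in zip(rows, rhs))
    b1 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = g00 * g11 - g01 * g01               # nonzero when the subset is observable
    x0 = [(g11 * b0 - g01 * b1) / det, (g00 * b1 - g01 * b0) / det]
    resid = max(abs(r[0] * x0[0] + r[1] * x0[1] - v) for r, v in zip(rows, rhs))
    return x0, resid

def find_attack_free(ys, max_attacked, tol=1e-6):
    """Try every subset of p - s sensors; accept the first that agrees on one trajectory."""
    p = len(C)
    for subset in combinations(range(p), p - max_attacked):
        x0, resid = fit(ys, subset)
        if resid < tol:
            return subset, x0
    return None

# Constructed scenario: sensor 2 reports a constant bias of 3.0.
ys = simulate([1.0, -0.5], 6, {2: lambda t: 3.0})
print(find_attack_free(ys, max_attacked=1))
```

The number of subsets tried grows combinatorially with the sensor count, which is the cost that makes enumeration impractical at the scale the abstract reports.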
