Sage Journals: Discover world-class research

Abstract

This paper investigates the optimal jamming attack scheduling in Networked Sensing and Control Systems (NSCS). From viewpoint of the attacker, we formulate an optimization problem which maximizes the Linear Quadratic Gaussian (LQG) control cost with attacking energy constraint in a finite time horizon. For two special cases, we obtain that the optimal jamming attack schedule is to consecutively attack in the given time horizon. For the general case, we propose an algorithm to find the optimal schedules. Finally, we study the effectiveness of our proposed attack strategies on our established semiphysical testbed.

1. Introduction

Networked Sensing and Control Systems (NSCS) are control systems wherein physical elements, that is, plants, sensors, controllers, and actuators, are connected via wireless communication networks. NSCS have a wide range of applications in factory automation, unmanned aerial vehicles, remote surgery, intelligent transportation, smart grid, smart building, and so forth [1–5]. The essential characteristic of NSCS is that the physical elements and cyberspace are tightly integrated to carry out various jobs [6–8]. However, NSCS are vulnerable to an increasing number of malicious cyber attacks [9]. For example, an Iranian nuclear facility was attacked by “stuxnet” in 2010 and cannot operate normally in a long time since more than 60% of centrifugal control systems were destroyed [10].

In the past few years, several literatures have been focused on evaluating the effect of cyber attacks, for example, Denial-of-Service (DoS) attacks [11, 12], replay attacks [13, 14], and false data injection attacks [15, 16], on NSCS. Among these attacks, DoS attack is the most accomplishable one and can result in serious consequences [11]. Thus, it has been widely studied recently. In order to block the communication between system elements, DoS attacker can interfere with the radio frequencies on the communication channels [17]. In fact, jamming is a typical mode of DoS attack [18].

LQG control cost, which is used to synthetically consider the cost of system states and control, is an important performance in NSCS. Some researches have put emphasis on the security of LQG control under jamming attack [11, 19, 20]. Amin et al. study the optimal controller which minimize the LQG cost with safety and energy constraints when a jamming attacker takes identical independent distributed jamming actions [11]. They present semidefinite programming to solve this problem. Gupta et al. design an optimal controller to defense the intelligent jamming attack with limited actions [19]. Shisheh Foroush and Martinez propose an event-trigger control law which can prevent the periodic jamming attack with energy constraint [20]. The commonality of these works is that they all focus on the design of defense strategies under given attack patterns. However, our work stands in the viewpoint of attacker and finds the optimal attack schedules to maximize the control performance. This is of equal importance as one can provide effective defensive policies only when he grasps the attack strategies.

The goal of this paper is to design an optimal offline jamming schedule, which can maximize the attack effect on the NSCS. Specifically, in our scenario, one sensor observes the states of plant and sends the measurements to a remote estimator via a wireless channel. The attacker has a limited energy budget in the given finite time horizon. He has to decide whether or not to jam the channel from sensor to estimator at each time. The main contributions of this paper which distinguish it from the related literatures are summarized as follows: (1)

We formulate a jamming attack scheduling problem and look for the optimal jamming schedule that maximizes the LQG cost with energy constraint in a given finite time horizon.

(2)

We present the close form of the optimal jamming schedule for two special cases and provide an algorithm to search the optimal schedules for the general case.

(3)

We study the effectiveness of proposed jamming schedules on the established semiphysical testbed.

The remainder of the paper is organized as follows. In Section 2, we formulate the problem. In Section 3, we study the system performance under given attack schedule. In Section 4, we present the optimal jamming attack schedules for special cases and provide an algorithm to search the optimal attack schedules for the general case. In Section 5, we demonstrate the effectiveness of proposed optimal jamming schedules on the semiphysical testbed. Finally, Section 6 concludes the paper.

Notations. $E [X]$ is the mean of random variable X, and $E [X | Y]$ is the mean of random variable X conditioned on Y, respectively. $tr (\cdot)$ represents the trace of matrix. $X ⪯ Y$ means that $Y - X$ is nonnegative-definite; that is, $Y - X ⪰ 0$ .

2. Problem Formulation

2.1. System Architecture

Consider the following linear time-invariant system (Figure 1):

\begin{matrix} x_{t + 1} = A x_{t} + u_{t} + w_{t}, \\ y_{t} = C x_{t} + v_{t}, \end{matrix}

(1)

where

x_{t} \in R^{n_{x}}

is the state of plant at time t,

y_{t} \in R^{n_{y}}

is the measurement from sensor, and

w_{t}

and

v_{t}

are uncorrelated zero mean Gaussian white noises with covariance

Σ_{w}

and

Σ_{v}

, respectively. The pair

(A, C)

is assumed to be observable and

(A, Σ_{w}^{1 / 2})

is controllable.

Figure 1

System architecture.

In our scenario, the sensor observes the plant and gets the measurements $y_{t}$ . According to these measurements, it preestimates the state $x_{t}$ and obtains the minimum mean squared error (MMSE) estimate; that is, ${\hat{x}}_{t}^{s} = E [x_{t} | y_{1}, \dots, y_{t}]$ . Then the sensor sends these estimates to a remote estimator through a wireless channel. The controller then generates a control packet $u_{t}$ based on the received estimates and sends the control packet to the actuator through another dependable channel.

Let $θ_{t}$ be the indicator function whether the packet ${\hat{x}}_{t}^{s}$ is received or not by the estimator; that is,

\begin{matrix} θ_{t} = \{\begin{cases} 1, & if {\hat{x}}_{t}^{s} is received by the estimator; \\ 0, & otherwise . \end{cases} \end{matrix}

(2)

Denote $D_{t}$ by all the data received by estimator until time t; that is,

\begin{matrix} D_{t} = \{θ_{1}, θ_{2}, \dots, θ_{t}, θ_{1} {\hat{x}}_{1}^{s}, θ_{2} {\hat{x}}_{2}^{s}, \dots, θ_{t} {\hat{x}}_{t}^{s}\} . \end{matrix}

(3)

Let ${\hat{x}}_{t}$ be the minimum mean square error (MMSE) estimate in the estimator at time t; that is,

\begin{matrix} {\hat{x}}_{t} = E [x_{t} | D_{t}] . \end{matrix}

(4)

The corresponding error covariance is

\begin{matrix} P_{t} = E [(x_{t} - {\hat{x}}_{t}) {(x_{t} - {\hat{x}}_{t})}^{'} | D_{t}] . \end{matrix}

(5)

Similar to [21], we have

\begin{matrix} {\hat{x}}_{t} = \{\begin{cases} {\hat{x}}_{t}^{s}, & if θ_{t} = 1; \\ A {\hat{x}}_{t - 1}^{s} + B u_{t - 1}, & otherwise . \end{cases} \end{matrix}

(6)

In order to minimize the LQG cost function

\begin{matrix} J = \sum_{t = 0}^{T - 1} E [x_{t}^{'} Q x_{t} + u_{t}^{'} R u_{t}] + x_{T}^{'} Q x_{T} \end{matrix}

(7)

in the finite time horizon

[1, T]

, where

Q ⪰ 0

and

R ≻ 0

are two weighting matrices and the expectation is taken over

{w_{k}}

, we exploit a linear static feedback controller of the form

u_{k} = L {\hat{x}}_{k}

. It is assumed that the system is unaware of the existence of attacker.

2.2. Attack Model

In our scenario, there is an attacker who wishes to deteriorate the control performance by jamming the sensor-to-estimator wireless channel. It is assumed that the attacker has a limited energy budget; that is, he can attack n times at most in the time horizon $[1, T]$ [22]. The attacker has to decide whether to attack or not at each sampling time in order to achieve his aim. Let $γ_{t}$ be the attack decision variable at time t; that is,

\begin{matrix} γ_{t} = \{\begin{cases} 1, & if attacker jams the wireless channel; \\ 0, & otherwise . \end{cases} \end{matrix}

(8)

Similar to [18], we assume that the attack action is successful with probability α, and packet drop variables under attack are independent.

Specifically, from the viewpoint of attacker, he aims to maximize the cost function with energy constraint which is as follows.

Problem 1.

Consider

\begin{matrix} \underset{γ \in Θ}{m a x} E [J (γ)] \\ s.t. \sum_{t = 1}^{T} γ_{t} \leq n, \end{matrix}

(9)

where

γ = (γ_{1}, γ_{2}, \dots, γ_{T})

is the attack schedule on the finite time horizon

[1, T]

and

Θ = \{γ | γ_{t} \in \{0,1\}, t = 1,2, \dots, T\}

is the attack schedule space.

3. Preliminaries

In this section, we present some properties of the estimate at the estimator side and the control performance of plant under a jamming attack.

3.1. State Estimation under Jamming Attack

From standard Kalman filter, the estimate and corresponding error covariance at the sensor side can be calculated as follows:

\begin{matrix} {\hat{x}}_{t | t - 1}^{s} = A {\hat{x}}_{t - 1}^{s} + u_{t - 1}, \\ P_{t | t - 1}^{s} = A P_{t - 1}^{s} A^{'} + Σ_{w}, \\ K_{t}^{s} = P_{t | t - 1}^{s} C^{'} {[C P_{t | t - 1}^{s} C^{'} + Σ_{v}]}^{- 1}, \\ {\hat{x}}_{t}^{s} = A {\hat{x}}_{t - 1}^{s} + K_{t}^{s} (y_{t} - C {\hat{x}}_{t | t - 1}^{s}), \\ P_{t}^{s} = (I - K_{t}^{s} C) P_{t | t - 1}^{s}, \end{matrix}

(10)

where the initial state is

{\hat{x}}_{0} = 0

, and

P_{0}^{s} = Π_{0}

. From [23], we can see that the error covariance

P_{t}^{s}

converges exponentially to its steady-state value

\bar{P}

. Thus, we assume that

Π_{0} = \bar{P}

. It can be seen that

P_{t}^{s} = \bar{P}

for all

t \in [1, T]

Define functions $h, h^{t}$ as $h (X) ≜ A X A^{'} + Σ_{w}$ and $h^{t} (X) ≜ \underset{t t i m e s}{\underset{︸}{h \circ h \circ \dots \circ h}} (X)$ .

From [23], the following result holds.

Lemma 2.

The function h has the following property:

\begin{matrix} \bar{P} ⪯ h (\bar{P}) ⪯ h^{2} (\bar{P}) ⪯ \dots ⪯ h^{t} (\bar{P}) ⪯ \dots, \forall t \in Z^{+} . \end{matrix}

(11)

From [22], we can obtain the estimate ${\hat{x}}_{t}$ and error covariance $P_{t}$ at estimator side as follows:

\begin{matrix} ({\hat{x}}_{t}, P_{t}) = \{\begin{cases} (A {\hat{x}}_{t - 1} + u_{t - 1}, h (P_{t - 1})), & if γ_{t} = 1, θ_{t} = 1, \\ ({\hat{x}}_{t}^{s}, \bar{P}), & otherwise . \end{cases} \end{matrix}

(12)

Define attack sequence $(k_{1}, k_{2}, \dots, k_{s})$ as the attack schedules which has the following form:

\begin{matrix} (0, \dots, 0, \underset{k_{1} times}{\underset{︸}{1, \dots, 1}}, 0, \dots, 0, \underset{k_{2} times}{\underset{︸}{1, \dots, 1}}, 0, \dots, 0, \underset{k_{s} times}{\underset{︸}{1, \dots, 1}}, 0, \dots, 0) . \end{matrix}

(13)

Similar to [18, 22], one can get the following result.

Lemma 3.

Let $E (k_{1} \otimes k_{2} \otimes \dots \otimes k_{s})$ be the average expected error covariance in time horizon $[1, T]$ under attack sequence $(k_{1}, k_{2}, \dots, k_{s})$ at estimator side, and let $E (k)$ be the average expected error covariance under attack sequence $(k)$ . The following statements are true: (1)

$E (k_{1}) ⪯ E (k_{2})$ , where $k_{1} < k_{2}$ .

(2)

$E (k_{1} \otimes k_{2} \otimes \dots \otimes k_{s}) ⪯ E (k)$ , where $k = k_{1} + k_{2} + \dots + k_{s}$ .

(3)

$E (k_{1} \otimes k_{2}) ⪯ E (l_{1} \otimes l_{2})$ , where $k_{1} + k_{2} = l_{1} + l_{2}$ and $m a x {k_{1}, k_{2}, l_{1}, l_{2}}$ is $l_{1}$ or $l_{2}$ .

From Lemma 3, we can see that grouping together as much as possible can lead to maximal average error covariance.

3.2. Control Performance under Jamming Attack

In order to find the optimal offline jamming attack scheduling, we have to study the control performance when the attack schedule is given.

According to [5, 24], one can obtain the following result.

Lemma 4.

The LQG control cost function under a given attack schedule γ can be calculated as follows:

\begin{matrix} J (γ) = tr (S_{0} P_{0}) + \sum_{t = 0}^{T - 1} tr (S_{t + 1} Σ_{w}) + \sum_{t = 0}^{T - 1} tr [(A^{'} S_{t + 1} A + Q - S_{t}) E_{γ} (P_{t})], \end{matrix}

(14)

where

S_{t}

can be computed from the following recursive equation:

\begin{matrix} S_{t} = A^{'} S_{t + 1} A + Q - A^{'} S_{t + 1} {(S_{t + 1} + R)}^{- 1} S_{t + 1} A, t = 0,1, \dots, T - 1 . \end{matrix}

(15)

In fact, (15) converges quickly to a steady state. Thus, if $T \to \infty$ , one can see that

\begin{matrix} S = A^{'} S A + Q - A^{'} S {(S + R)}^{- 1} S A, \end{matrix}

(16)

where

S = {l i m}_{T \to \infty} S_{T}

. In practice, we often choose

u_{t} = L {\hat{x}}_{t}

with control gain

L = - (S + R)^{- 1} S A

as the optimal static state feedback controller to maximize the cost

J_{\infty} = {l i m}_{T \to \infty} J

. In our scenario, we assume that the system has reached steady state; that is,

S_{0} = S

, and

P_{0} = \bar{P}

. Then (14) can be rewritten as

\begin{matrix} J (γ) = J_{c} + J_{e}, \end{matrix}

(17)

where

\begin{matrix} J_{c} = tr (S \bar{P}) + N \cdot tr (S Σ_{w}), \\ J_{e} = \sum_{t = 0}^{T - 1} tr [(A^{'} S A + Q - S) E_{γ} (P_{t})] . \end{matrix}

(18)

It can be seen that $J_{c}$ and $J_{e}$ are the constant part and varying part of (17), respectively. Thus, we only have to study the optimal jamming attack schedule which maximizes $J_{e}$ which is as follows.

Problem 5.

Consider

\begin{matrix} \max_{γ \in Θ} E [J_{e} (γ)] \\ s.t. \sum_{t = 1}^{T} γ_{t} \leq n . \end{matrix}

(19)

4. Optimal Jamming Attack Schedules

In this section, we firstly study the jamming schedules against LQG control for two special cases and present the close form of optimal schedules. Then we investigate the attack strategies for the general case.

4.1. Case I: $R = 0$

When $R = 0$ , it can be seen that the LQG cost function becomes

\begin{matrix} J = \sum_{t = 0}^{T} E [x_{t}^{'} Q x_{t}] . \end{matrix}

(20)

From Lemma 4, we can obtain the following conclusion.

Theorem 6.

If $R = 0$ , the optimal state feedback controller is $u_{t} = L {\hat{x}}_{t} = - A {\hat{x}}_{t}$ , and the corresponding LQG cost function under attack schedule γ is

\begin{matrix} J = J_{c} + J_{e}, \end{matrix}

(21)

where

\begin{matrix} J_{c} = tr (Q \bar{P}) + N \cdot tr (Q Σ_{w}), \\ J_{e} = \sum_{t = 0}^{T - 1} tr [A^{'} Q A E_{γ} (P_{t})] . \end{matrix}

(22)

According to Theorem 6, we can see that the attacker only needs to maximize $E [J_{e}]$ . Since $A^{'} Q A ⪰ 0$ , one can obtain that ${m a x}_{γ} E [J_{e}]$ is equivalent to ${m a x}_{γ} E [\sum_{t = 0}^{N - 1} P_{t} (γ)]$ . Thus, from viewpoint of attacker, we only have to solve the following problem.

Problem 7.

Consider

\begin{matrix} \max_{γ \in Θ} E [\sum_{t = 0}^{N - 1} P_{t} (γ)] \\ s.t. \sum_{t = 1}^{T} γ_{t} \leq n . \end{matrix}

(23)

From [18, 22], Problem 7 can be easily solved by the following theorem.

Theorem 8.

When $R = 0$ , the optimal attack schedules are any consecutive attack n times in time horizon $[1, T]$ , and the corresponding expected LQG cost function is

\begin{matrix} E (J) = J_{c} + J_{e}^{\max}, \end{matrix}

(24)

where

\begin{matrix} J_{e}^{\max} = \sum_{i = 1}^{T} tr [g_{i} (\bar{P})] + (T - n α) tr [M \bar{P}], \end{matrix}

(25)

with

M = A^{'} Q A

and

g_{i} (\bar{P}) = M h^{i} (\bar{P})

4.2. Case II: $S_{0} = S$

Define $\bar{M} = A^{'} S A + Q - S$ , and ${\bar{g}}_{i} (\bar{P}) = \bar{M} h^{i} (\bar{P})$ , $i = 1,2, \dots$ . Then we have following lemma.

Lemma 9.

The function $\bar{g}$ has the following property:

\begin{matrix} {\bar{g}}_{1} (\bar{P}) ⪯ {\bar{g}}_{2} (\bar{P}) ⪯ \dots ⪯ {\bar{g}}_{i} (\bar{P}) ⪯ \dots . \end{matrix}

(26)

According to Section 3.2, the objective of Problem 1 is equivalent to ${m a x}_{γ} E [\sum_{t = 0}^{N - 1} P_{t} (γ)]$ . Thus, from the viewpoint of attacker, we only have to solve Problem 7 for the case $S_{0} = S$ .

From Lemma 9 and Theorem 3.1 in [22], we can solve this problem by the following theorem.

Theorem 10.

When $S_{0} = S$ , the optimal attack schedules are any consecutive attack n times in time horizon $[1, T]$ , and the corresponding expected LQG cost function is

\begin{matrix} E (J) = J_{c} + J_{e}^{\max}, \end{matrix}

(27)

where

\begin{matrix} J_{e}^{\max} = \sum_{i = 1}^{T} tr [{\bar{g}}_{i} (\bar{P})] + (T - n α) tr [\bar{M} \cdot \bar{P}] . \end{matrix}

(28)

4.3. General Case Study

For the general case, it is difficult to obtain a close form of optimal attack schedule. Attacker can find the optimal jamming schedule by exhaustion method which is given in Algorithm 1. Since this schedule can be computed before the attack action begins, the computation of our proposed algorithm will not cost too much.

Algorithm 1: Optimal offline attack schedule.

(1) Process begins;

(2) Input: $H_{t i m e} = T$ ; $Π_{0} = \bar{P}$ ; $J^{*} = 0$ ;

(3) for $γ_{1} + γ_{2} + \dots + γ_{T} = n$ do

(4) Compute LQG cost (14) under attack schedule γ, that is $J = J (γ)$

(5) if $J > J^{*}$ then

(6) $J^{*} = J$ , and $γ^{*} = (γ_{1}, γ_{2}, \dots, γ_{T})$

(7) end if

(8) end for

(9) Output: optimal attack schedule $γ^{*}$ , and corresponding cost $J^{*}$ .

5. Simulation

5.1. Testbed

There are three types testbeds for simulation of NSCS security, that is, software simulation testbeds, physical simulation testbeds, and semiphysical simulation testbeds. The software simulation testbeds cannot fully simulate the real environment. The physical simulation testbeds can employ the same experimental equipment with the real world to construct the security test platform. However, they need long cycle of construction and great cost. Fortunately, semiphysical simulation testbeds are the good choice for NSCS security since they can simulate the real working environment and save the cost. Thus, we choose a semiphysical simulation testbed to study the effectiveness of our proposed attack strategy.

Our semiphysical simulation testbed is composed of virtual plant, physical controller, and communication network. Figure 2 shows the system architecture. In our testbed, real-time system states of the virtual plant are sent to the PLC through a wireless network. After reading the system states, the controller calculates the control data and writes them back to the PLC. Then the control data are sent back to the virtual plant via a wired channel.

Figure 2

The structure of semiphysical testbed.

We build an inverted pendulum control system for experiments, which is based on the system presented in [5]. The parameters are given as follows:

\begin{matrix} A = (\begin{pmatrix} 1.001 & 0.005 & 0.000 & 0.000 \\ 0.350 & 1.001 & - 0.135 & 0.000 \\ - 0.001 & 0.000 & 1.001 & 0.005 \\ - 0.375 & - 0.001 & 0.590 & 1.001 \end{pmatrix}), \\ B = (\begin{pmatrix} 0.001 \\ 0.540 \\ - 0.002 \\ - 1.066 \end{pmatrix}), \\ Σ_{w} = q q^{'}, q = (\begin{pmatrix} 0.003 \\ 1.000 \\ - 0.005 \\ - 2.150 \end{pmatrix}), \\ Q = (\begin{pmatrix} 5 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}) . \end{matrix}

(29)

We employ USRP N210 to simulate jamming attack on the wireless channel from sensor to controller. USRP is a universal software radio peripheral that can send and receive radio signal. We use the software GNU Radio in Ubuntu to manipulate the USRP. The frequency spectrum analyzer is adopted to detect the central frequency and waveform of transmission signals. Then we adapt the parameters on GNU Radio to configure the USRP. Experimental parameters are set as follows: center frequency is 433 MHz; waveform is saw tooth; jamming power is 16 dB and jamming signal frequency is 10k; bandwidth is 20 MHz.

We verify the proposed optimal offline attack strategies through experiments based on the semiphysical testbed. We set $T = 250$ and the attack times $n = 10$ in the finite time horizon $[1,250]$ . It means that the attacker can assign the 10 times of attack in this period.

5.2. Simulation Results Analysis

We study the effectiveness of jamming attack with 10 different schedules when $R = 0$ , $S_{0} = S$ , respectively (see Table 1). From Figure 3(a), we can compare the cost J under different attack schedules when $R = 0$ . It can be seen that the attack schedule with 10 consecutive attack times can maximize the LQG cost. We also present the variation of system states and control data under optimal attack schedule in Figure 4. From this figure, these data will deviate the equilibrium points when the wireless channel is under jamming attack. Similarly, we can also study the LQG cost J under different attack schedules when $S_{0} = S$ . From Figure 3(b), we also can see that consecutive attack schedule is optimal. These experimental results can verify the theoretical conclusions in Section 4.

Table 1

Attack schedules in our experiment.

Mark number	1	2	3	4	5

Attack sequence	No attack	$(1,2, 3,4)$	$(6,3, 1)$	$(4,4, 2)$	$(5,5)$

Mark number	6	7	8	9	10

Attack sequence	$(4,6)$	$(7,3)$	$(8,2)$	$(9,1)$	(10)

Figure 3

Compare the cost J under different attack strategies. The lateral axis is the mark number of attack strategy. Attack strategy 10 is the consecutive attack strategy.

Figure 4

The variation of system states and control data under attack schedule 10 (optimal attack) when $R = 0$ .

6. Conclusion

In this paper, we considered the optimal jamming attack scheduling which can destroy the system control performance. We formulated an optimization problem that maximizes the LQG cost subject to attacker's energy constraint in a given finite time horizon. Optimal attack schedule has been presented for two special cases. For the general case, we provided an algorithm to find the optimal attack schedule. We also established a semiphysical testbed and studied the effectiveness of proposed attack schedules by simulation. In the future, we will study the evaluation of control performance when the NSCS is under other types of cyber attack, for example, data injection attack and replay attack. We will also design effective defense strategies to avoid the cyber attacks in NSCS.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The work was partially supported by Professional Development Program for Visiting Scholars in Colleges and Universities under Grant FX2014144 and Zhejiang Provincial Natural Science Foundation of China under Grant Y16F030011. The work by H. Zhang was supported by NSFC under Grants 61203036, 61503147, and 71401060, the University Science Research General Project of Jiangsu Province under Grant 15KJB510002, Huaihai Institute of Technology Doctoral Research Funding under Grant KQ15007, and Lianyungang Science and Technology Projects under Grants CK1331 and CN1321.

References

Gupta

R. A.

Chow

M.-Y.

Networked control system: overview and research trends

IEEE Transactions on Industrial Electronics 2010 57 7 2527 2535

10.1109/tie.2009.2035462

2-s2.0-77953581925

Chen

Yau

D. K. Y.

Sun

Cross-layer optimization of correlated data gathering in wireless sensor networks

IEEE Transactions on Mobile Computing 2012 11 11 1678 1691

10.1109/tmc.2011.210

2-s2.0-84655170952

Zhang

Shi

Chen

Huang

A new method for stabilization of networked control systems with random delays

IEEE Transactions on Automatic Control 2005 50 8 1177 1181

10.1109/tac.2005.852550

MR2156045

2-s2.0-26244435112

Chen

Jiang

Yau

D. K. Y.

Xing

Sun

Energy provisioning in wireless rechargeable sensor networks

IEEE Transactions on Mobile Computing 2013 12 10 1931 1942

10.1109/tmc.2012.161

2-s2.0-84883113038

Schenato

Sinopoli

Franceschetti

Poolla

Sastry

S. S.

Foundations of control and estimation over lossy networks

Proceedings of the IEEE 2007 95 1 163 187

10.1109/jproc.2006.887306

2-s2.0-64149120662

Chen

Cheng

Sun

Fan

Shen

Game theoretical approach for channel allocation in wireless sensor and actuator networks

IEEE Transactions on Automatic Control 2011 56 10 2332 2344

10.1109/tac.2011.2164014

MR2884158

2-s2.0-80053654205

Zhang

Chen

Sun

Shen

Distributed sampling rate control for rechargeable sensor nodes with limited battery capacity

IEEE Transactions on Wireless Communications 2013 12 6 3096 3106

10.1109/tcomm.2013.050613.121698

Chen

Cheng

Sun

Simplot-Ryl

EMD: energy-efficient p2p message dissemination in delay-tolerant wireless sensor and actor networks

IEEE Journal on Selected Areas in Communications 2013 31 9 75 84

10.1109/jsac.2013.sup.0513007

2-s2.0-84883351671

Bezzo

Weimer

Pajic

Sokolsky

Pappas

G. J.

Lee

Attack resilient state estimation for autonomous robotic systems

Proceedings of the IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS ′14)

September 2014

Chicago, Ill, USA

3692 3698

10.1109/iros.2014.6943080

2-s2.0-84911495626

10.

Farwell

J. P.

Rohozinski

Stuxnet and the future of cyber war

Survival 2011 53 1 23 40

10.1080/00396338.2011.555586

2-s2.0-79251616434

11.

Amin

Cárdenas

A. A.

Sastry

S. S.

Safe and secure networked control systems under denial-of-service attacks

Hybrid Systems: Computation and Control 2009 5469

Berlin, Germany

Springer

31 45 Lecture Notes in Computer Science

10.1007/978-3-642-00602-9_3

12.

Cheng

Shi

Chen

Event-based attack against remote state estimation

Proceedings of the IEEE Annual Conference on Decision and Control (CDC ′15)

December 2015

Osaka, Japan

10.1109/cdc.2014.7039975

13.

Miao

Pajic

Pappas

G. J.

Stochastic game approach for replay attack detection

Proceedings of the 52nd IEEE Conference on Decision and Control (CDC ′13)

December 2013

Firenze, Italy

IEEE

1854 1859

10.1109/cdc.2013.6760152

2-s2.0-84902336492

14.

Zhu

Martnez

On the performance analysis of resilient networked control systems under replay attacks

IEEE Transactions on Automatic Control 2014 59 3 804 808

10.1109/tac.2013.2279896

MR3188491

2-s2.0-84897727324

15.

Chabukswar

Sinopoli

Detecting integrity attacks on SCADA systems

IEEE Transactions on Control Systems Technology 2014 22 4 1396 1407

10.1109/tcst.2013.2280899

2-s2.0-84903302626

16.

Cheng

Shi

Chen

SATS: secure average-consensus-based time synchronization in wireless sensor networks

IEEE Transactions on Signal Processing 2013 61 24 6387 6400

10.1109/tsp.2013.2286102

MR3148326

2-s2.0-84888595852

17.

Poisel

Modern Communications Jamming Principles and Techniques 2011

Artech House

18.

Zhang

Cheng

Shi

Chen

Optimal DoS attack policy against remote state estimation

Proceedings of the 52nd IEEE Conference on Decision and Control (CDC ′13)

December 2013

Firenze, Italy

5444 5449

10.1109/cdc.2013.6760746

2-s2.0-84902349715

19.

Gupta

Langbort

Başar

Optimal control in the presence of an intelligent jammer with limited actions

Proceedings of the 49th IEEE Conference on Decision and Control (CDC ′10)

December 2010

Atlanta, Ga, USA

IEEE

1096 1101

10.1109/cdc.2010.5717544

2-s2.0-79953130034

20.

Shisheh Foroush

Martinez

On event-triggered control of linear systems under periodic denial-of-service jamming attacks

Proceedings of the 51st IEEE Conference on Decision and Control (CDC ′12)

December 2012

Maui, Hawaii, USA

IEEE

2551 2556

10.1109/cdc.2012.6425868

2-s2.0-84874275321

21.

Zhang

Cheng

Shi

Chen

Optimal denial-of-service attack scheduling against linear quadratic gaussian control

Proceedings of the American Control Conference (ACC ′14)

June 2014

Portland, Ore, USA

3996 4001

10.1109/acc.2014.6859422

2-s2.0-84905675125

22.

Zhang

Cheng

Shi

Chen

Optimal denial-of-service attack scheduling with energy constraint

IEEE Transactions on Automatic Control 2015

10.1109/tac.2015.2409905

23.

Shi

Cheng

Chen

Optimal periodic sensor scheduling with limited resources

IEEE Transactions on Automatic Control 2011 56 9 2190 2195

10.1109/tac.2011.2152210

MR2865779

2-s2.0-84876060453

24.

Zhang

Cheng

Shi

Chen

Optimal DoS attack scheduling in wireless networked control system

IEEE Transactions on Control Systems Technology 2015

10.1109/TCST.2015.2462741

Optimal Jamming Attack Scheduling in Networked Sensing and Control Systems

Abstract

1. Introduction

2. Problem Formulation

2.1. System Architecture

2.2. Attack Model

Problem 1.

3. Preliminaries

3.1. State Estimation under Jamming Attack

Lemma 2.

Lemma 3.

3.2. Control Performance under Jamming Attack

Lemma 4.

Problem 5.

4. Optimal Jamming Attack Schedules

4.1. Case I: R = 0

Theorem 6.

Problem 7.

Theorem 8.

4.2. Case II: S 0 = S

Lemma 9.

Theorem 10.

4.3. General Case Study

Algorithm 1: Optimal offline attack schedule.

5. Simulation

5.1. Testbed

5.2. Simulation Results Analysis

6. Conclusion

Footnotes

Conflict of Interests

Acknowledgments

References

4.1. Case I: $R = 0$

4.2. Case II: $S_{0} = S$