Optimal Denial-of-Service Attack Scheduling with Energy Constraint

0018-9286 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. Seehttp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/TAC.2015.2409905, IEEE Transactions on Automatic Control

IEEE TRANSACTIONS ON AUTOMATIC CONTROL , VOL. , NO. , 2015 1

Optimal Denial-of-Service Attack Scheduling withEnergy Constraint

Heng Zhang1, Peng Cheng1, Ling Shi2 and Jiming Chen1

AbstractSecurity of Cyber-Physical Systems (CPS) has gained in-creasing attention in recent years. Most existing works mainly investigatethe system performance given some attacking patterns. In this paper, weinvestigate how an attacker should schedule its Denial-of-Service (DoS)attacks to degrade the system performance. Specifically, we consider thescenario where a sensor sends its data to a remote estimator through awireless channel, while an energy-constrained attacker decides whetherto jam the channel at each sampling time. We construct optimal attackschedules to maximize the expected average estimation error at theremote estimator. We also provide the optimal attack schedules whena special intrusion detection system (IDS) at the estimator is given.We further discuss the optimal attack schedules when the sensor hasenergy constraint. Numerical examples are presented to demonstrate theeffectiveness of the proposed optimal attack schedules.

Index TermsState estimation, DoS attack, energy constraint.

I. INTRODUCTION

Recently, Cyber-Physical Systems (CPS), in which information andphysical elements are closely integrated, have gained much researchinterest from various aspects [3][5]. Applications of CPS havea wide spectrum, such as battle field, smart grid, smart building,intelligent transportation, etc. CPS are vulnerable to different typesof malicious attacks which make the security a fundamental issue forreliable services [3]. A famous example is that in June 2010 a cyberworm named stuxnet attacked an Iranian nuclear facility at Natanz,which resulted in 60% hosts damaged [6].

Researchers have investigated security issues in CPS from differentperspectives recently [7], [8]. Teixeira et al. [8] summarized thecharacteristics of network attacks and defined an attack space with theadversarys priori knowledge of the system model, its disclosure, anddisruption resources. Typical attacks can be categorized into Denial-of-Service (DoS) attack , replay data attack , and false data injectionattack [8]. DoS attack that blocks the communication between thesystem components has been well studied, since it is the mostreachable attack pattern in the attack space [9]. Besides the theoreticalresearch on DoS attack, some experiments were also conducted todemonstrate the effect of DoS attacks [10].

In practice, energy constraint is a natural concern for various typesof attackers, which will affect their attack policies [11][13]. Law etal. [11] pointed out that jammers may run out of energy very fastwhen their energy budget is limited. Kavitha et al. [12] introduced arandom DoS attacker who randomly decides to jam the channel orsleep in order to save the energy.

Most existing works mainly investigate the system performancefor given attack patterns. The study of the adversarys optimal attack

1H. Zhang, P. Cheng and J. Chen are with State Key Labora-tory of Industrial Control Technology, Zhejiang University, Hangzhou,China [email protected], [email protected],[email protected]

2L. Shi is with the Department of Electronic and Computer Engineering,Hong Kong University of Science and Technology, Hong Kong, [email protected]

The work was partially supported by NSFC under grant U1401253, andNational Program for Special Support of Top-Notch Young Professionals,Fundamental Research Funds for the Central Universities 2014XZZX003-25, NCET-11-0445. The work by L. Shi was supported by an HKUSTCaltech Partnership FP004. Part of this work has been presented by IEEECDC 2013 [1]. [2] provides a complete proof of all results in this work..(Corresponding author: Jiming Chen.)

schedules and the corresponding consequences is an important aspectin CPS security as pointed out in [14]. Motivated by this, we aimto answer how to optimally schedule the attack so as to maximizethe attacking effect on a CPS. Specifically, we consider a systemwhere one sensor processes the measurements and sends the datato a remote estimator through a wireless channel. An attacker has alimited attacking energy budget, and decides at each sampling timewhether or not to jam the channel in order to degrade the remoteestimation quality. To the best of our knowledge, this is the firstwork on the DoS attack schedules against remote state estimation.The main contributions of this paper are summarized as follows:

1) We construct the optimal DoS attack schedules, which maxi-mize the expected average estimation error.

2) We present the optimal attack schedules when a special IDS inthe estimator is given.

3) We further present the optimal attack schedules when both thesensor and the attacker have energy constraints.

The remainder of the paper is organized as follows: In SectionII, we formulate the attack schedule problems. In Section III, weconstruct the optimal DoS attack schedules for maximizing theexpected average estimation error. In Section IV, we present theoptimal attack schedules for avoiding a given intrusion detectionsystem. In Section V, we study the optimal attack schedules when thesensor also has energy constraint. In Section VI, numerical examplesare shown to illustrate the results. Finally, Section VII concludes thepaper.

Notations: Sn+ stands for the set of n n positive semi-definitematrices. Z+ stands for the set of positive integers. E[X] is the meanof random variable X , and E[X|Y ] is the mean of random variableX conditioned on Y , respectively. 0 is used to denote the zeronorm of , which is the number of nonzero entries of the vector .Tr() represents the trace of matrix.

II. PROBLEM FORMULATION AND PRELIMINARIES

A. Problem formulation

Consider the following system (Fig. 1)

xk+1 = Axk + wk,

yk = Cxk + vk,(1)

where xk Rnx is the system state with nx Z+, yk Rny isthe sensor measurement with ny Z+, wk Rnx is the processnoise, vk Rny is the measurement noise, and wk and vk areuncorrelated zero mean Gaussian noises with covariance w andv , respectively. The pair (A,C) is assumed to be observable and

(A,12w) is controllable.

Fig. 1. Schematic of attack on the network.

After yk is obtained, the sensor pre-estimates the state xk, andthen sends its minimum mean squared error (MMSE) estimate xsk =E[xk|y1, . . . , yk] to a remote estimator through a wireless channel.

We consider the scenario that there is an attacker which degradesthe remote estimation quality by jamming the wireless channel. Theattacker has a limited energy budget and has to determine whether tojam the channel or not at each sampling time. It is assumed that thepacket will arrive at the remote estimator if there is no DoS attackduring the transmission.

00000000/00$00.00 c 2015 IEEE

Limited circulation. For review onlyIEEE-TAC Submission no.: 14-0729.4

Preprint submitted to IEEE Transactions on Automatic Control. Received: February 23, 2015 00:31:54 PST



2 IEEE TRANSACTIONS ON AUTOMATIC CONTROL , VOL. , NO. , 2015

Denote k = 1 or 0 as the attackers decision variable at time k,and as a schedule that defines k at each k. When the attackerlaunches an attack and jams the channel, the sensor data packet willbe dropped with probability . Denote k = 1 or 0 as the indicatorfunction whether the data packet drops or not. We assume that ksare i.i.d. Bernoulli random variables with E(k) = 1.

Denote all the data packet received at the estimator until time kas D(1:k). The remote estimator then computes its own MMSEestimate xk and its corresponding estimation error covariance Pkbased on D(1:k), e.g., xk(1:k) = E[xk|D(1:k)] and Pk(1:k) =E[(xk xk)(xk xk)|D(1:k)]. For simplicity, we write xk(1:k)as xk, etc., when the schedule 1:k is given.

Consider a finite horizon T . Due to the finite energy constraint,assume the attacker can only launch n attacks from k = 1 to k = T ,i.e., 0= n.

Average Error: For a given attack schedule , define Ja() asthe average expected estimation error covariance matrix, i.e.,

Ja() =1

T

T

k=1

E[Pk(k)].

In this paper, we aim to solve the following problem in theviewpoint of the attacker:

Problem 2.1:

max

Tr[Ja()],

s.t. 0= n,

where = {0, 1}T is the set of all possible attack schedules.

III. OPTIMAL ATTACK SCHEDULE ANALYSIS

A. State estimation under DoS attack

In this section, we present some properties of the estimation errorat the remote estimator under a DoS attack.

The MMSE estimate xsk is obtained from a standard Kalman filter.Let P sk be the estimation error covariance matrix of x

sk. Standard

Kalman filtering analysis shows that P sk converges exponentially to itssteady-state value P . 2 For brevity, we assume 0 = P , then it can beeasily obtained that P sk = P for all k [1, T ]. Define h, h

k : Snx+ Snx+ as h(X) , AXA

+w, and hk(X) , h h h

k times

(X).

From [17], the following result holds.Lemma 3.1: The function h has following property:

P h(P ) h2(P ) hk(P ) , k Z+.

It is straightforward to show that at the remote estimator, xk andPk are obtained as follows [18]:

(xk, Pk) =

{(Axk1, h(Pk1)), if k = 1 and k = 1,

(xsk, P ), otherwise.

Assume the data packet is delivered to the remote estimatorsuccessfully at time s, and the attacker launches m consecutiveattacks from time s + 1 to s + m. The state space of the errorcovariance matrix Pk in this period is {P , h(P ), . . . , hm(P )}.

1Since the bit error rate (BER) is fixed in every attack time when theattacker exploits the same energy to jam the channel [15], we assume that therate of successful attacks follows a Bernoulli probability distribution.

2Since the pair (A,C) is observable and (A,12w) is controllable, P

uniquely exists and can be obtained from the discrete algebraic Riccatiequation. Even if the assumption on controllability and observability fails,there are other iterative algorithms that can ensure quick convergence tothe stabilizing solution for the steady-state Kalman filtering [16]. Thus it isreasonable to assume that 0 = P .

We can see that the error covariance matrix Pk during the consec-utive attack period [s+ 1, s+m] is a stationary Markov chain, andthe transition probability matrix (pij) is given by

pij = Pr{Pk = hj(P )|Pk1 = h

i(P )} =

, j = i+ 1,1 , j = 0,0, others,

(2)

i, j = 0, 1, 2, . . . ,m. Moreover, we have the following properties forPk, k [s+ 1, s+m].

Property 3.1: During the consecutive attack period [s+1, s+m]:1) the distribution of the error covariance matrix Ps+k can be

computed as

Pr{Ps+k = hi(P )} =

{i i+1, i = 0, 1, . . . , k 1;

k, i = k.

2) the conditional probability can be computed as follows:

Pr{Ps+k = hj(P )|Ps = h

i(P )} =

{j j+1, j = 0, . . . , k 1;

k, j = i+ k.

This property can be easily obtained from (2) by mathematicalinduction method. Due to the space limitation, the proof is omitted.

Property 3.2: 1) If the packet is not received at the remote estimatorat time s, then E[Ps+m|Ps P ] E[Ps+m|Ps = P ].

2) Consider two different consecutive attacking periods, n1 andn2, where n1 n2. Then E[Ps+n1 ] E[Ps+n2 ].

An attack scheme with given attacking number n can be dividedinto the following consecutive attacking sequences, k1, k2, . . . , ks,i.e.,

(0, , 0, 1, , 1

k1 times

, 0, , 0, 1, , 1

k2 times

, 0, , 0, 1, , 1

ks times

, 0, , 0),

wheres

i=1 ki = n. Note that each neighboring sequences aredivided by at least one zero. Using Property 3.1, we have

Ja() =1

T

T

k=1

E[Pk(k)] =1

T

s

i=1

ki

ni=1

E[Psi+ni ] +T n

TP

=1

T

s

i=1

ki

ni=1

[

ni1

m=0

hm(P )(m m+1) + nihni(P )]

+T n

TP . (3)

Note that (3) is independent of the attack start sequence si, i =1, 2, . . . , s, which means that any permutation of the kis will leadto the same average expected estimation error. Thus, for the con-secutive attack sequences k1, k2, . . . , ks, we define

k1k2ks1:T

as the set of attack schedules which have the same perfor-mance J(k1k2ks)a,1:T . For simplicity, we write

k1k2ks1:T as

k1k2ks , and write J(k1k2ks)a,1:T as J(k1k2ks)a , when

the time horizon [1, T ] is given. In particular, let n be the set ofattack schedules with a consecutive attack sequence n, which havethe same performance J(n)a .

Property 3.3: The following statements are true.

1) J(n1)a J(n2)a , where n1 n2.

2) J(n1n2)a J(n)a , where n = n1 + n2.

3) J(n1n2ns)a J(n)a , where n = n1 + n2 + + ns.

4) J(m1m2)a J(n1n2)a , where m1 + m2 = n1 + n2 and

max{m1,m2, n1, n2} is n1 or n2.

Proof: See the Appendix.From statement 1) and 4) in Property 3.3, we can see that the

more the attack times are grouped together, the lager the system costbecomes. Statement 2) and 3) demonstrate that consecutive attack ismuch better than scattered attack from the viewpoint of attacker.






B. Optimal attack schedule design

Now we are ready to present the optimal attack schedule forProblem 2.1.

Theorem 3.1: The optimal attack schedule that solves Problem 2.1is anyone that belongs to n, and the corresponding cost is given by

Tr(Ja)max =1

T

n

i=1

Tr[hi(, P )] +T n

TTr(P ), (4)

where hi(, P ) = [(n i)(i i+1) + i]hi(P ).Proof: A direct result from Property 3.3 2) and 3).

As a byproduct, we can obtain the worst attack strategy whichminimizes the expected average error covariance.

Problem 3.1:

min

Tr[Ja()],

s.t. 0= n,

The solution of Problem 3.1 is given by the following theorem.Theorem 3.2: 1) If n 1

2T , an optimal solution for Problem 3.1

is anyone in 111, and the corresponding cost is given by

Tr(Ja)min =T n

TTr(P ) +

n

TTr[h(P )]. (5)

2) If n > 12T , an optimal solution for Problem 3.1 is

((1 1

z times

0) (1 1

z times

0)

r1 times

( 1 1

m1 times

0 1 1

m2 times

) (0 1 1

z times

) (0 1 1

z times

)

r2 times

),

where r1+r2 = Tn1, z = nTn,3 and m1 = m2 = m2 if m is

even, m1 = m2 ,m2 = mm1 or m1 = m2+1,m2 = mm1

if m is odd, with m = z+[n mod (T n)].4 The resulting cost is

Tr(Ja)min =1

TTr{(T n 1)

z

i=1

hi(, P ) +

m1

i=1

hi(, P )

+

m2

i=1

hi(, P ) + [(T n) +m(1 )

+z(1 )(T n 1)]P}, (6)

where hi(, P ) = [(n i)(i i+1) + i]hi(P ).Proof: A direct result from Property 3.3 3) and 4).

From the above two theorems, one can see that grouping theattacks together leads to maximal attacking effect, while separatingthe attacks as uniformly as possible leads to the minimal degradation.Thus the results can be viewed as the upper and lower bound of thedamage an arbitrary attack schedule can make.

IV. OPTIMAL ATTACK SCHEDULES AGAINST A GIVEN IDS

The aforementioned problems are discussed under the assumptionthat the channel is perfect and there is no defensive measure. Inpractical applications, when the estimator considers unknown factorsfrom environment changes or adversarys intrusion, which may leadto data drops, a detector is often designed at the receiver side as afirst step to reduce the effectiveness of these factors. For example,packet reception rate (PRR) at the receiver side is proposed as thecriteria for intrusion detection in [19]. PRR is the rate of packetsreception that are successfully delivered to the estimator comparedto the number of packets that have been sent out by the sensor.

3x is floor function, which is defined as the largest integer that is lessthan real number x.

4mod is defined as modulo operation, i.e., n mod m is the remainder indivision n

m, where n and m are two positive integer.

In practice, the PRR can be computed for a given length of a timewindow , i.e., PRR =

, where is the packet reception numbers

in the time window. If the PRR is too small, the detector will deducethat there may exist an attacker, which triggers an alarm to alertthe sensor. Then the sensor can use channel hopping technology toguarantee the packet can be received by the remote estimator [20]. Inthis paper, we assume that the alarm is triggered if PRR PRR0,where PRR0 is a given alarm bound.5

Fig. 2. Schematic of attack on the network against state estimation with anintrusion detector.

Before introducing the attack schedule against the IDS mechanism,we present a property to help formulate the attack optimizationproblem.

Property 4.1: The alarm triggering condition PRR PRR0 isequivalent to Pk hd(P ), k = 1, 2, . . . , T , where d = 0,0 = max{|

PRR0}.

Proof: See the Appendix.Remark 4.1: From Property 4.1, any attack schedule with at most

d times consecutive attack, i.e.,k+

i=k+1 i d, k = 0, 1, . . . , T ,can guarantee that the attack action will not be detected by the esti-mator. In fact, time window and threshold PRR0 can be evaluatedby the attacker when he eavesdrops the transmission channels beforetaking attack actions.

In order not to be detected by IDS, we consider Problem 2.1 withan additional constraint, i.e.,

Problem 4.1:

max

Tr[Ja()],

s.t. 0= n,k+

i=k+1

i d, k [0, T ]. (7)

The following result presents the optimal solution to Problem 4.1.Theorem 4.1: Consider Problem 4.1. Let d = 0, where 0 =

max{| PRR0}.

1) If d n, any n times consecutive attack is optimal, and thecorresponding cost is (4).

2) If d < n, the optimal attack schedule has the structure of (8),where z0+z1+z2+z3+(s1+s2)0 = Tn, and s1+s2 = m,where m is the quotient of n/d and r is the remainder. Thecorresponding cost is

Tr(Ja)PRRmax =

1

T{m

d

i=1

Tr[hi(, P )] +r

i=1

Tr[hi(, P )]}

+T n

TTr(P ).

Proof: See the Appendix.Remark 4.2: In Problem 4.1, the attacker can completely avoid the

given IDS mechanism. However, this attack schedule seems too cau-tious from an adventurous attackers point of view. If the adventurous

5By utilizing the pseudo-random sequence, the sensor and estimator mayimplement channel hopping once the alarm is triggered [21]. However, theattacker can detect such channel switch by detecting the alarm signal, andsearch the new communication channel by scanning the wireless spectrum. Inthis way, the attacker can learn the alarm bound through statistical analysis,and follow the design against such IDS mechanism.






((0 0

z0 times

) (1 1

d times

0 0

0 times

) (1 1

d times

0 0

0 times

)

s1 times

(0 0

z1 times

1 1

r times

0 0

z2 times

) (0 0

0 times

1 1

d times

) (0 0

0 times

1 1

d times

)

s2 times

(0 0

z3 times

)), (8)

attacker still decides to use an attack schedule proposed in Theorem3.1, the probability of being detected is

k>d Ck

k(1 )k ifn > , and is

k>d Ckn

nk(1 )k if n .

V. OPTIMAL ATTACK SCHEDULES WITH SENSORS ENERGYCONSTRAINT

The aforementioned problems are discussed under the assumptionthat the sensor has sufficent energy to transmit throughout the entiretime horizon. When the sensors energy is also limited and cannottransmit all the time, the attacker needs to change the attackingschedule. Here we assume that the sensor and the estimator do notknow the existence of the attacker.

Some literatures have focused on sensor scheduling and optimalstate estimation in a lossy network environment [18], [22][25].Sinopoli et. al. studied the problem of state estimation using Kalmanfiltering in an i.i.d. packet-dropping network [22]. Reference [23]studied optimal state estimation and optimal LQG controller de-sign over an intermittent packet-dropping network. Shi et al. [18]investigated sensor scheduling strategies to minimize the averageestimation error under energy constraint. Mo et al. [24] provideda stochastic sensor selection scheme to minimize the asymptoticexpected estimation error covariance due to the energy constraint. Youet. al. [25] investigated the stability of the mean estimation error overa network subject to Markovian packet losses. More related workscan be found in the reference therein. However, these literatures havenot considered the state estimation quality when a DoS attacker jamsthe wireless channel and this shortage motivates us to study thesubsequent problem.

Denote k = 1 or 0 as the sensors transmission decision variableat time k, and as a scheduling scheme that defines k at each k. is the set of the sensors transmission schedules. We assume thatthe sensor has energy constraint with 0= N and we considerthe following problem in this section.

Problem 5.1:

max

min

Tr[Ja(, )], (9)

s.t. 0= N, (10)

0= n. (11)

From [18], we have the following property:Property 5.1: Let q = T

N.

1) If N < 12T , the optimal sensor schedule that

minimizes the Tr(Ja) has following structure

(1 0 . . . 0

1 times

)(1 0 . . . 0

2 times

) . . . (1 0 . . . 0

N times

), (12)

in which there are T qN times i = q and (q + 1)N Ttimes i = q 1 in {i, i = 1, 2, . . . , N}.

2) If N 12T , has structure (12) with T N times i = 1

and 2N T times i = 0 in {i, i = 1, 2, . . . , N}.

Here we assume that the attacker obtains the sensors transmissionstrategy by eavesdropping the transmission channel over a long periodbefore starting its attack action. We denote t(i), i = 1, 2, . . . , N asthe sensors data transmission time. If n N , it is obvious thatoptimal attack schedule is taking actions at full transmission time

t(i), i = 1, 2, . . . , N . Thus we only need to consider Problem 5.1 forn < N hereinafter.

Theorem 5.1: Consider Problem 5.1 with n < N .

1) When N < 12T and the sensors schedule has the structure

(1 0 . . . 0

times

)(1 0 . . . 0

times

) . . . (1 0 . . . 0

times

), the optimal attack schedules

are given by t(k) = 1, k = i+1, i+2, . . . , i+n, and k = 0otherwise. The corresponding cost is given by

Tr(Ja)max =1

T

n

i=1

Tr[hi(, )] +N n

TTr( ),

where hi(, ) = [(n i)(i i+1) + i]hi( ).2) When N 1

2T, = 1 and the sensors schedule has the

structure (1 . . . 1

times

0)(1 . . . 1

times

0) . . . (1 . . . 1

times

0), the optimal attack

schedules are given by t(k) = 1, k = i+1, i+2, . . . , i+n,and k = 0 otherwise. The corresponding cost is given by

Tr(Ja)max =1

TTr

[

(N n)P + (T N b)h(P )

+

n+b

i=1

hi(P )]

, (13)

where n = b+ b0 with 0 b0 < b.

Proof: 1) The proof is similar to that of Theorem 3.1. The onlydifference is that we replace P by .

2) One can easily obtain that the resulting cost under the attackschedule is (13). For an arbitrary attack schedule , we have

Tr(Ja()) =1

TTr

[

(N n)P +m1h(P ) +

m2

i=1

ti

j=1

hj(P )]

,

where ti is the length of i-th (i = 1, 2, . . . ,m2) attack period [si +1, si + ti] which satisfies si = 1, si = 0, si+ti = 1, si+ti = 0,and k = 1, k = 1 or k = 0, k = 0 for k = si+2, . . . , si+ti1,(N n)+m1 +

m2i=1 ti = T and

m2i=1 ti n+ b. Then we have

Tr(Ja()) Tr(Ja())

=1

TTr

[ n+b

i=1

hi(P )

m2

i=1

ti

j=1

hj(P ) [m1 (T N b)]h(P )]

> 0,

which completes the proof.Example 5.1: (1) Consider the Problem 5.1 for N < 1

2T

with T = 12, N = 4, n = 2, = 2. From Property5.1, one notes that the optimal sensor transmission schedule is = (100)(100)(100)(100). Then we can obtain three opti-mal attack schedules (100)(100)(000)(000), (000)(100)(100)(000),(000)(000)(100)(100). (2) For N 1

2T , consider T = 12, N =

9, n = 6, = 3. From Property 5.1, the optimal sensor transmis-sion schedule is = (1110)(1110)(1110). Then we obtain fouroptimal attack schedules (1110)(1110)(0000), (0110)(1110)(1000),(0010)(1110)(1100), (0000)(1110)(1110).

Remark 5.1: In Theorem 5.1 we study some special cases ofProblem 5.1, and obtain the optimal attack schedules. Note that theseschedules only depend on the sensor transmission schedule ratherthan on the system parameters. Thus the attacker can run his optimalattack schedules when he obtains the sensors transmission schedule






. The general cases of Problem 5.1, however, are complicated sincethe optimal attack schedules depend on sensor transmission schedule, the system parameters, and the attack successful probability. Anexample is given in Section VI (Fig. 5) to illustrate this.

Remark 5.2: In many situations, the expected terminal estimationerror, i.e., JT = E[PT ] is considered as another important systemperformance index [26]. When the attacker tries to maximize thetrace of expected terminal estimation error covariance, one can seethat the optimal attack schedule is to consecutively attack at time k =T n+1, T n+2, . . . , T . If the detector with (7) is embedded inestimator, any feasible attack schedule with Td = 0, k = 1, k =T d+1, T d+2, . . . , T is optimal. If the sensor also has energyconstraint (10) with N > n, we can prove that the optimal attackschedule is (k) = 1, k = T n + 1, T n + 2, . . . , T , k = 0otherwise.

VI. EXAMPLES

Consider system (1) with

A =

[1.2 0.10 1

]

, C =

[1 00 1

]

,w =

[1 00 2

]

,v = 0.5C.

The effects of different attack schedules are evaluated.In Fig. 3,where we examine the performance under different attack timesfrom 1 to 10 with T = 100, = 1. It can be seen that theperformance under the optimal attack schedules given by Theorem3.1, i.e., Tr(Ja)max, increases rapidly with the allowable attacktimes. Tr(Ja)min, which is under the attack schedule obtained inTheorem 3.2, and Tr(Ja)PRRmax , which is under the attack schedulegiven in Theorem 4.1 with PRR 3

7, grow much slower than

Tr(Ja)max. It also can be found that Tr(Ja)max and Tr(Ja)PRRmaxare overlapping since they have the same optimal attack schedule setn when n 4. But if n > 4, Tr(Ja)PRRmax grows much slowerthan Tr(Ja)max as the attack schedules need to be re-designedunder the given intrusion detection mechanism. It also can been seenthat the attack effectiveness is significantly reduced by this detectionconstraint.

1 2 3 4 5 6 7 8 9 100.5

1

1.5

2

2.5

3

3.5

4

4.5

5

5.5

n

Tr(J

a)

Tr(Ja)maxTr(Ja)

PRR

max

Tr(Ja)minTr(Ja)no

Fig. 3. Illustrating example on Tr(J) under different attack schedules withvarying attack times (T = 100, = 1).

In Fig. 4, we examine the estimation quality with different suc-cessful attack probabilities. In this example, the adversary can attack10 times in the time horizon [1, 100]. From Fig. 4, we can seethat Tr(Ja)max increases rapidly when the success probability increases. On the other hand, Tr(Ja)min grows much slower when increases, which also demonstrates the attack effectiveness of ourdesigned attack schedule. Tr(Ja)PRRmax also grows slower due to theconstraint of avoiding being detected.

In Fig. 5, we examine the estimation quality under differentattack schedules when the sensor has energy constraint. Here T =

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10.5

1

1.5

2

2.5

3

3.5

4

4.5

5

5.5

Tr(J

a)

Tr(Ja)maxTr(Ja)

PRR

max

Tr(Ja)minTr(Ja)no

Fig. 4. Illustrating example on Tr(J) under different attack schedules whilesuccessful attack probability is varying (T = 100).

(a) = 0.8

(b) = 0.1

Fig. 5. Illustrating example on trace of average expected error covarianceunder different attack schedules when the sensor has energy constraint.

14, N = 5, n = 3. The sensos transmission schedule is chosen as = (100)(100)(10)(100)(100). There are 10 attack scheduleswhich has been listed in TABLE I. We assume 1 = 1, 0 = 0for the time t = 1, 0, respectively. The effectiveness of the attackis studied with attack successful probability = 0.8 and = 0.1in Fig. 5 (a) and (b), respectively. In Fig. 5 (a), it can be seen thatattack schedule 2 (t(2) = t(3) = t(4) = 1) and attack schedule 3(t(3) = t(4) = t(5) = 1) are optimal when the attack successfulprobability = 0.8. However, when = 0.1, from Fig. 5 (b)we can see that attack schedule 5 (t(1) = t(2) = t(5) = 1),attack schedule 8 (t(2) = t(3) = t(5) = 1), and attack schedule9 (t(2) = t(4) = t(5) = 1) are optimal which is differentfrom = 0.1. In general, it is difficult to find these optimal

TABLE IATTACK SCHEDULES

attack schedule 1 2 3 4 5i with t(i) = 1 1,2,3 2,3,4 3,4,5 1,2,4 1,2,5attack schedule 6 7 8 9 10i with t(i) = 1 1,3,4 1,3,5 2,3,5 2,4,5 1,4,5






attack schedules explicitly. On the other hand, the suboptimal attackschedules 1, 2, 3 only depend on sensor transmission schedule , andcan be easily obtained.

VII. CONCLUSION

In this paper, we considered optimal attack scheduling againstremote state estimation through a wireless channel. We proved thatconsecutive attacks maximize the expected average error covariance.We also showed that when the attacks are separated uniformly,the attack effect on the estimation quality is minimum. We furtherproposed the optimal attack schedules when a special intrusiondetection mechanism in the estimator is available. We finally studiedthe optimal attack schedules when both the sensor and the attackerhave energy constraints. It is interesting but challenging to find aclosed-form solution for optimal attack scheduling over packet lossynetwork environment. This will be left as a future work. We willalso formulate the infinite-horizon attack model and study the optimalattack schedule in the future. It is also interesting to consider optimaldefensive strategies assuming that the sensor knows the existence ofthe attacker. We will further validate our results using some physicalexperiments, and consider optimal attack scheduling against feedbackcontrol and evaluating the corresponding effectiveness.

APPENDIX

A. Proof of Property 3.3

Proof: 1) We have J(m2)a J(m1)a =

1T

m2

k=m1+1

E[Pk] 0.

2) We have

J(n)a J(n1n2)a =

1

T

{ n

k=n1+1

n1

i=0

E[Pk|Pn1 = hi(P )]

Pr{Pn1 = hi(P )}

n

k=n1+1

E[Pk|Pn1 = P ]}

0,

in which the last inequation is from statement 1) of Property 3.2.3) The proof of this result is similar to 2). Due to the limitation

of space, it is omitted.4) It suffices to prove J(m1m2)a J

((m1+1)(m21))a , with m1

m2. In fact, J((m1+1)(m21))a J

(m1m2)a =

1T{E[Ps+m1+1]

E[Ps+m2 ]} 0. The last inequality is from Property 3.2 2).

B. Proof of Property 4.1

Proof: Alarm triggering condition PRR PRR0 is equivalentto 0. Thus it is also equivalent to that the packets drop numberdnum in any time window is larger than d = 0, i.e., dnum > d.

In order to obtain the result, we prove by contradiction, i.e.,dnum d is equivalent to Pk hd(P ), which clearly holds.

C. Proof of Theorem 4.1

Proof: If d n, any n times consecutive attack schedules satisfythe conditions Pk hd(P ), k = 1, 2, . . . , T . Thus these schedulesare optimal for Problem 4.1 when d n. From Remark 4.1 andstatements 1) and 3) of Property 3.3, we can obtain that optimalattack schedule has the structure (8) if d < n.

REFERENCES

[1] H. Zhang, P. Cheng, L. Shi, and J. Chen, Optimal DoS attack policyagainst remote state estimation, in Proceedings of IEEE Conference onDecision and Control (CDC), 2013, pp. 54445449.

[2] , Optimal Denial-of-Service attack scheduling in cyber-physicalsystems, Zhejiang University, Tech. Rep., Jan. 2015. [Online].Available: http://www.sensornet.cn/heng/Heng estimation Full.pdf

[3] Y. Mo, T. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig, andB. Sinopoli, Cyberphysical security of a smart grid infrastructure,Proceedings of the IEEE, no. 99, pp. 115, 2012.

[4] S. Amin, X. Litrico, S. S. Sastry, and A. M. Bayen, Cyber securityof water scada systems-part i: Analysis and experimentation of stealthydeception attacks, IEEE Transactions on Control Systems Technology,vol. 21, no. 5, pp. 19631970, 2013.

[5] H. Zhang, Y. Shu, P. Cheng, and J. Chen, Privacy and performancetrade-off in cyber-physical systems, IEEE Networks, to appear.

[6] J. Farwell and R. Rohozinski, Stuxnet and the future of cyber war,Survival, vol. 53, no. 1, pp. 2340, 2011.

[7] S. Sundaram and C. N. Hadjicostis, Distributed function calculationvia linear iterative strategies in the presence of malicious agents, IEEETransactions on Automatic Control, vol. 56, no. 7, pp. 14951508, 2011.

[8] A. Teixeira, D. Perez, H. Sandberg, and K. H. Johansson, Attack modelsand scenarios for networked control systems, in Proceedings of the 1stinternational conference on High Confidence Networked Systems, 2012,pp. 5564.

[9] S. Amin, A. Cardenas, and S. Sastry, Safe and secure networked controlsystems under denial-of-service attacks, Hybrid Systems: Computationand Control, pp. 3145, 2009.

[10] M. Zuba, Z. Shi, Z. Peng, and J. Cui, Launching Denial-of-Servicejamming attacks in underwater sensor networks, in Proceedings of the6th ACM International Workshop on Underwater Networks, 2011, p. 12.

[11] Y. Law, M. Palaniswami, L. Hoesel, J. Doumen, P. Hartel, andP. Havinga, Energy-efficient link-layer jamming attacks against wirelesssensor network mac protocols, ACM Transactions on Sensor Networks,vol. 5, no. 1, p. 6, 2009.

[12] T. Kavitha and D. Sridharan, Security vulnerabilities in wireless sensornetworks: A survey, Journal of information Assurance and Security,vol. 5, no. 1, pp. 3144, 2010.

[13] H. Zhang, P. Cheng, L. Shi, and J. Chen, Optimal Denial-of-Serviceattack scheduling against linear quadratic gaussian control, in Proceed-ings of American Control Conference (ACC), 2014, pp. 39964001.

[14] A. Cardenas, S. Amin, and S. Sastry, Research challenges for thesecurity of control systems, in Proceedings of the 3rd conference onHot topics in security, 2008, pp. 16.

[15] R. Poisel, Modern communications jamming principles and techniques.Artech House Publishers, 2011.

[16] G. Gu, X.-R. Cao, and H. Badr, Generalized lqr control and kalmanfiltering with relations to computations of inner-outer and spectralfactorizations, IEEE Transactions on Automatic Control, vol. 51, no. 4,pp. 595605, 2006.

[17] L. Shi, P. Cheng, and J. Chen, Optimal periodic sensor scheduling withlimited resources, IEEE Transactions on Automatic Control, vol. 56,no. 9, pp. 21902195, 2011.

[18] , Sensor data scheduling for optimal state estimation with commu-nication energy constraint, Automatica, vol. 47, no. 8, pp. 16931698,2011.

[19] Y. Ponomarchuk and D.-W. Seo, Intrusion detection based on trafficanalysis in wireless sensor networks, in Proceedings of Annual Wirelessand Optical Communications Conference, 2010, pp. 17.

[20] M. Sha, G. Hackmann, and C. Lu, Arch: Practical channel hopping forreliable home-area sensor networks, in Proceedings of 17th IEEE Real-Time and Embedded Technology and Applications Symposium, 2011, pp.305315.

[21] V. Navda, A. Bohra, S. Ganguly, and D. Rubenstein, Using channel hop-ping to increase 802.11 resilience to jamming attacks, in Proceedingsof 26th IEEE International Conference on Computer Communications,2007, pp. 25262530.

[22] B. Sinopoli, L. Schenato, M. Franceschetti, K. Poolla, M. Jordan,and S. Sastry, Kalman filtering with intermittent observations, IEEETransactions on Automatic Control, vol. 49, no. 9, pp. 14531464, 2004.

[23] L. Schenato, B. Sinopoli, M. Franceschetti, K. Poolla, and S. S.Sastry, Foundations of control and estimation over lossy networks,Proceedings of the IEEE, vol. 95, no. 1, pp. 163187, 2007.

[24] Y. Mo, E. Garone, A. Casavola, and B. Sinopoli, Stochastic sensorscheduling for energy constrained estimation in multi-hop wirelesssensor networks, IEEE Transactions on Automatic Control, vol. 56,no. 10, pp. 24892495, 2011.

[25] K. You, M. Fu, and L. Xie, Mean square stability for kalman filteringwith markovian packet losses, Automatica, vol. 47, pp. 26472657,2011.

[26] L. Shi and L. Xie, Optimal sensor power scheduling for state estimationof GaussMarkov systems over a packet-dropping network, IEEETransactions on Signal Processing, vol. 60, no. 5, pp. 27012705, 2012.



Optimal Denial-of-Service Attack Scheduling with Energy Constraint

Documents

Transcript of Optimal Denial-of-Service Attack Scheduling with Energy Constraint