Complexity

Volume 2018 (2018), Article ID 1240149, 8 pages

https://doi.org/10.1155/2018/1240149

## Attack Detection/Isolation via a Secure Multisensor Fusion Framework for Cyberphysical Systems

Correspondence should be addressed to Arash Mohammadi

Received 14 September 2017; Accepted 9 January 2018; Published 11 February 2018

Academic Editor: Carlos Gershenson

Copyright © 2018 Arash Mohammadi et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Motivated by rapid growth of cyberphysical systems (CPSs) and the necessity to provide secure state estimates against potential data injection attacks in their application domains, the paper proposes a secure and innovative attack detection and isolation fusion framework. The proposed multisensor fusion framework provides secure state estimates by using ideas from interactive multiple models (IMM) combined with a novel fuzzy-based attack detection/isolation mechanism. The IMM filter is used to adjust the system’s uncertainty adaptively via model probabilities by using a hybrid state model consisting of two behaviour modes, one corresponding to the ideal scenario and one associated with the attack behaviour mode. The state chi-square test is then incorporated through the proposed fuzzy-based fusion framework to detect and isolate potential data injection attacks. In other words, the validation probability of each sensor is calculated based on the value of the chi-square test. Finally, by incorporation of the validation probability of each sensor, the weights of its associated subsystem are computed. To be concrete, an integrated navigation system is simulated with three types of attacks ranging from a constant bias attack to a non-Gaussian stochastic attack to evaluate the proposed attack detection and isolation fusion framework.

#### 1. Introduction

Cyberphysical Systems (CPSs) [1] are designed by integrating control, communication, and processing technologies with the main goal of monitoring/managing critical physical infrastructures. CPSs have attracted significant attentions recently both in academia and in industry due to their exceptional properties and as such emerged in different applications of paramount engineering importance such as medical systems [2], power/energy grids [3], aerospace [4], industrial/manufacturing process control [5], and transportation [6], where performing secure and optimal state estimation is the key concern. In recent years, sensor technologies and communication systems have gone through extensive advancements and improvements making it possible to deploy several sensors simultaneously in CPSs. Such developments have resulted in a significant increase in different CPS application domains. This increasing interest in deployment of CPSs and factoring in that safety and security is of paramount importance in such application domains, investigating security issues of CPSs from different angles has attracted great research interest recently [7–10]. A potential cyber/physical attack in CPSs could have serious ramifications from leakage of consumer information, damaging economy, loss of critical infrastructures, and even threatening humans. Consequently, it is of significant practical importance to detect, identify, and prevent zero-day attacks in real-time with high accuracy which is the focus of this paper.

In this paper, our main focus is to design an attack detection/isolation solution for multisensor state estimation problems in CPSs. The -test or as commonly called, residue-based test [11], is considered to be the conventional detection solution [12–14] typically used in CPSs. The -test utilizes a normalized version of the power of the residuals based on the steady-state innovation covariance. In such a conventional detection criterion, the system is statistically evaluated based on a predefined and assumed model; that is, it is common to base the calculation on some functional form of the innovation sequence (e.g., using trace or determinant operators, in the case of -test, the former is used). Utilization of such functional form of the innovation sequence results in integration of diagonal and off-diagonal components of the innovation which in turn results in overlooking important statistical information.

The paper addresses this drawback. In particular, we propose a multisensor fusion framework which provides secure state estimates by assigning an interactive multiple model (IMM) filter to each sensor modality. The IMM filter adjusts the system’s uncertainty adaptively via model probabilities by constructing a hybrid state model consisting of two modes: one corresponding to the ideal scenario representing clean measurements and one modeling the presence of potential attacks (referred to as the attack behaviour mode). The state -test is then incorporated through a proposed fuzzy-based fusion framework to detect and isolate potential data injection attacks. The values obtained from the -test assigned to each sensor are then used to compute the validation probability of each sensor. To overcome the difficulty in selecting an appropriate threshold, we construct the detection threshold based on the -test’s values with two boundaries and an up boundary. Finally, by incorporation of the validation probability of each sensor, the weights of its associated subsystem are computed.

The rest of the paper is organized as follows: first, Section 2 formulates the attack detection/isolation problem in CPSs and presents different attack models. Section 3 develops the proposed fusion framework and attack isolation mechanism. Section 4 presents simulation results based on an integrated navigation system consisting of three observation nodes, that is, Global Navigation System (GPS), the Bei-Dou2 (BD2), and Strap-down Inertial Navigation System (SINS). The paper is finally concluded in Section 5.

#### 2. Problem Formulation

We consider the following general linear state model to represent the underlying physical system:where denotes the state vector at iteration , is the state noise component which is considered to be distributed according to a Gaussian distribution, independent of the state vector, with zero-mean and known covariance matrix, that is, . The CPS of interest is monitored using a set of observation nodes (sensors) communicating their data to the remote processing unit referred to as the fusion centre (FC) to perform the required estimation task. The measurement model of sensor , for (), is given bywhere represents the observation vector collected by sensor , for () at iteration . The uncertainty in the observation vector is modeled by which is considered to be distributed according to a Gaussian distribution with zero-mean and known covariance matrix, that is, .

In this paper, we consider attack surfaces [15–17] where an adversary compromises the underlying system by injecting a bias (possibly time-varying and/or stochastic) into a subset of measurements at iteration . Based on the original measurement model (see (2)), the measurement model under the attack, therefore, is represented as follows:where denotes possible attacked measurement collected by the th sensor. In particular, we consider the following three type of attack scenarios:(i)Constant attack where the injected bias () into a measurement is constant over time, that is, (ii)Time-varying attack where the injected bias changes over time, for instance, trigonometric functions,(iii)Stochastic attack where the injection randomly changes over time with some statistical properties being selected by the adversary and unknown to the detection mechanism.

Our goal in this paper is to devise a novel monitoring solution to detect such attacks in real-time with minimum latency and isolate the compromised sensors. Without loss of generality and for simplicity of the presentation, we consider the following assumption.

*Assumption 1. *In a sensor network with observation nodes which is under data injection attacks, number of attacked sensors at iteration , denoted by , is not equal to the overall number of available sensor nodes ().

This assumption is considered to guarantee that at each iteration at least one unattacked sensor is available for performing the state estimation task. Please note that this assumption is not restrictive as, in absence of an unattacked sensor node, the overall fusion framework continues to provide predictive state estimates while the problem is being investigated and attacked sensors are restored.

In the next section, we present our proposed attack detection/isolation framework which at each iteration isolates the attacked signal and performs the estimation task only based on the remaining clean measurements.

#### 3. Fusion Framework with Attack Isolation

In order to design a monitoring framework capable of detecting all the three aforementioned injection attacks, first we model the two possible scenarios, that is, the attack and the ideal behaviour modes, by designing two different error covariance matrices for the state forcing terms. This design methodology introduces structural uncertainty into the state model for which an IMM filter is associated with each active sensor. The IMM filers are used cooperatively to provide the estimate of the underlying states.

Considered as the first protection layer, this setup will increase the accuracy of the fusion model under potential attacks. On the other hand, in order to isolate attacked measurements which are incorporated to update associated probability corresponding to each model within the pool of IMM filters, the information provided by the -test is utilized. In other words, we use the measurement which has minimum -test value for updating the associated probability of each filter in the IMM filterbank. Consequently, this proposed approach results in updating the model probabilities based on the sensor measurement which is less likely to be under attack and therefore further increases the accuracy of the fusion task.

Figure 1 illustrates the architecture of the proposed attack detection/isolation framework. In summary and at each update iteration, the proposed attack detection/isolation works as follows:(i)Each node (subsystem) transfers its local measurements to its associated IMM filter which in turn computes an updated estimate of the state vector and its associated error covariance matrix which are updated with that subsystem’s measurements.(ii)This information ( and ), for (), is then transferred to the -square test block, associated with subsystem to perform attack detection tasks.(iii)The detection block computes a failure detection value and transfers it to the central node to be fused with the information from other subsystems and to perform the final attack detection/isolation.(iv)For the purpose of selecting the best available observation to be utilized for evaluation of the IMM filters’ model probabilities, the available fault detection information is used and the subsystem which has the minimum fault value is considered as the selected subsystem for updating the IMM filters’ model probabilities. At the same time and to update (calibrate) the reference data (i.e., and ), we incorporate the global fused information.