#### Abstract

This paper addresses the static output feedback predictive (SOFP) control problem with cyber-physical system (CPS) subject to Denial-of-Service (DoS) attacks. The effects of DoS attacks are reasonably assumed to the bounded consecutive packet dropouts by considering the energy constraints of an attacker. Then, a novel predictive control sequence, in which only the latest successfully received output is employed, is designed to compensate such packet dropouts caused by DoS attacks. Furthermore, the stability criterion and predictive control design are carefully derived by using the switching Lyapunov functional approach and linear matrix inequality. Compared with the previous works, the proposed predictive control strategy can compensate arbitrary packet dropouts under DoS attacks while only the latest successfully received output is available. At last, a simulation example illustrates the effectiveness of the SOFP control strategy.

#### 1. Introduction

The rapid development of CPS is attributed to the strong integration among computation, communication, and control technology, in which CPS has received considerable attention in the past decades. Taking advantage of low cost and flexible network architecture, it has been widely applied in some engineering fields such as smart grid, healthcare, and water/gas distribution and industrial process control [1–3].

Due to the capacity of connecting deeply integration physical plants and cyber elements in an unprecedented way, CPS offers ample opportunities for malicious threats to launch attacks. The applications of next-generation information technologies such as big data, cloud computing, and Internet of Things greatly provide performance improvements for physical systems but at the same time introduce more risks which make physical isolation more difficult to implement. Therefore, how to ensure the safe operation and preserve the control performance under malicious attacks are the basic security issues in CPS. In fact, CPS has realized more complex and high-risk industrial process control through the transmission of information in the heterogeneous network [4]. However, the vulnerability of open communication networks, as the key components of society safety-critical infrastructures in CPS, increases the severity of such malicious cyber-attacks in [5], which can menace the control systems. There have been an increasing number of cyber-attacks on power grids reported worldwide. For instance, a devastating cyber-attack on the power station brought down the information flow from the physical process to the remote management system, which plunges 225,000 people into blackout in Ukraine [6]. Besides, the “Stuxnet”, an advanced computer worm virus, intruded the nuclear facility and caused severe damage in Iran [7]. These facts show the serious economic loss and severe social detriment attacked by malicious network in CPS, which has attracted extensive attention of many scholars [8–10].

The typical network attacks in CPS are categorized as deceptive attack, false data injection attack and DoS attack in [11]. The DoS attack, a more reachable attack pattern, prevents the exchange of information for the adversary, while the false data injection attack affects the data integrity of packets by modifying their payloads in [12]. The essence of DoS attack is that the measurement state or the control signal transmitted through the wireless communication network is blocked, which results in the fact that the information update is not timely and complete. Thus, the DoS attack focuses on deteriorating the system performance and even leads to system instability. One of the main issues under DoS attacks in CPS is the packet dropout phenomenon [13]. It should be pointed out that information data can be transmitted in a “packet”, which implies sending a sequence of control prediction in one data packet and then selecting the appropriate one corresponding to the current network condition to compensate the packet dropout. In this case, the SOFP control strategy has been proposed in this paper.

In many existing works, various efforts have been devoted to the security control influenced by DoS attacks. Some of the literatures focused on the effects of network-induced delays. Many methods for the delay issue have been done in [14–16]. Some other literatures show that a large number of the approaches have been investigated to alleviate the severe impact influenced by packet dropouts. A defence strategy is proposed to deal with the information flow which congests the transmission signal between the sensor and the controller against DoS attacks on the multichannel CPS in [17]. In addition, some necessary scheduling algorithms are proposed to ensure transmission security when control plants can gain access to the network at each sampling instant because of the limitation of network bandwidth. If there is no optimal scheduling algorithm in CPS design, the packet dropout in smaller sampling frequency should be considered. That is, it not only ensures the system is schedulable and guarantees that the overall CPS is stable. Then, the relationship based applicable scheduling algorithm design between the packet dropout rate and the stability of the closed-loop system should be established, and the corresponding controllers design procedures to make the closed-loop system stability should be given. As stated in [18–20], such as the stochastic system and the switching system method, some effective strategies are employed to address the model and control issues with packet dropout. The networked system with arbitrary and finite packet loss is modelled as a switching system, and the design control method of state feedback is proposed in [21]. Furthermore, by using the measured output information, a token-dependent static output feedback SMC is designed in [22]. By only considering attacks in the backward channels in [23, 24], the security control is established to address attack-induced severe packet dropout. Notice that both-side communication with arbitrary packet dropout caused by attacks is more realistic in the practical attack pattern and the state feedback controller is given in [25].

Motivated by the fact that not all states are available and only the latest received output measurements can be obtained at the controller, the SOFP control strategy is proposed to deal with the security control problem. In contrast with the existing results, the main contributions of this paper can be summarised as follows:(1)A novel switching system model is established to characterize the security properties of CPS under DoS attacks. Different from [26], only limited output measurements are used to design the security controller in this paper.(2)Only the latest received measurements are used to design the proposed predictive control gains. Compared with traditional model predictive control methods, the proposed security control strategy will predict their future control gains rather than state prediction.

The remainder of this paper is organized as follows. Section 2 gives the problem formulations with the proposed SOFP control strategy by considering the energy-limited DoS attacks. Section 3 is presented in the security analysis, which infers the stability criterion to guarantee the security performance. The SOFP controller is designed in Section 4, and a simulation example is shown in Section 5 to illustrate the feasibility of the desired controller. And finally, Section 6 concludes this paper.

Notation: and denote the *n*-dimensional and *m*-dimensional Euclidean space, respectively. is the set of *n* × *m* real matrices. The superscript “*T*” stands for matrix transposition. The notation *X* > 0 means that the matrix *X* is real symmetric positive definite.

#### 2. Problem Formulations

##### 2.1. System Framework

The structure of SOFP control considered in this paper is shown in Figure 1, where the studied CPS is composed by the sensor, controller, buffer, and actuator. The SOFP control strategy against attack-induced severe packet dropout is that the controller receives all the measurement outputs from sensor and calculates the sequence of control inputs, which transmits to the buffer simultaneously. Then, the actuator selects the corresponding control value from and delivers appropriate control inputs to the plant, which can compensate the arbitrary packet dropouts caused by DoS attacks.

Consider a discrete-time linear system described bywhere , represents the sampling period, and are the system state and control input, respectively, and , are real matrices of appropriate dimensions.

To make the proposed method more suitable for practical network attacks, the DoS attacks behaviours considered energy constraints are presented aswhere is the attack duration and is the instant transition time of the attack state.

As shown in Figure 2, “” denotes that the DoS is converted to the attack state and “” indicates that the DoS is the end of the attack process. When , the DoS launches a limited attack with the duration of ( is a pulse attack only).

To clearly describe the energy-limited characteristics of DoS attacks in this paper, the following assumption is given.

*Assumption 1. *The maximum packet dropouts of consecutive DoS attacks are bounded with *N*.

*Remark 1. *In practice, the attackers gradually run out of energy because of an inherent characteristic of energy constraints [27]. Based on this reliable fact, it is reasonable to consider that the packet dropouts of consecutive DoS attacks are bounded. Furthermore, to achieve predictive compensation for packet dropout, a data buffer is involved at the controller side to record recently successfully transmitted data packets.

##### 2.2. Switching Model under DoS Attacks

Suppose that the controller latest received the value of process output at time , then the predictive control based on output feedback control law is given bywhere , stands for the switching instant time, and is a time-varying switching signal which takes the value in a finite set .

The packet-based transmission mechanism in CPS determines that the corresponding control input at time is , respectively. It is known that the neighboring two switching points have the following relation:

Therefore, the evolution law of dynamics can be described by the following cases: *Case 0*. DoS-free: *Case 1.* One-step packet dropout: *Case N*: *N*-steps packets dropouts :

According to (5)–(7), model (1) with SOFP control strategy can be transformed into the following closed-loop system included *N*-steps packet dropouts:where . It illustrates the essential characteristics of the proposed SOFP control strategy, that is, the state is unchanged and the controller gain is changed.

#### 3. Stability Analysis

In this section, the security analysis based SOFP strategy is given with some mathematical derivations. The following necessary definition and lemmas are introduced.

*Definition 1. *If there are positive scalars and such that the following inequality,holds, the CPS (1) is said to be exponentially stable, where is an arbitrary initial value.

Lemma 1 (see [27]). *For an arbitrary matrix and an arbitrary vector , the following inequality,holds, where and are the minimum singular value and the maximum singular value, respectively, of .**Based on the above, the following theorem gives criteria for system exponentially stable with arbitrary switching characteristics under DoS attacks.*

Theorem 1. *For some given scalars , , if there exist matrices , such that the following inequalities,hold, then the system (8) will be exponentially stable with the decay rate .*

*Proof. * Choose the following Lyapunov function:Therefore, it is derived from (14) at time thatThen, pre- and post-multiplying inequality (11) by and , one hasSubstituting the function (14) and (15) into (16), we have,Similarly,Suppose that one-step packet dropout at time and caused by DoS attacks, respectively. Thus, we obtain thatUtilizing (12) and (18) together leads toDefine , then the above law (21) can be written asThen, it is concluded from (13) and (14) thatwhich implies that the system will be stable in .

Notice that the system should not only be stable in the discrete regions but also converge to the subset after sampling periods.

Therefore, by Lemma 1, we obtain by induction that the following inequality holds:where . It means that the upper bounded value of is . Thus,Based on the above analysis, the closed-loop switching system (8) tends to be exponentially stable and then the exponential decay rate is obtained.

It is deduced from (19) thatFurther, it is easy to see thatIt is derived from (22) thatwhere and are the minimum singular value and the maximum singular value, respectively, of .

Therefore, it is easy to know from (28) thatSubstituting (24) into (29), it can be found thatMeanwhile, , , and have the following relations:where .

It is clearly deduced from (31) and (32) thatBecause of , the following inequalities hold.where .

Finally, we can further obtain from (34) and (35) that, for an arbitrary instant time *t*, the following inequality,holds. The proof is thus completed.

#### 4. Control Design of SOFP

In this section, the SOFP control sequence based on Theorem 1 is derived below.

Theorem 2. *For given scalars , , if there exist matrices , , and , such that the following inequalities,where , hold, then the system (8) will be exponentially stable with the decay rate .*

*Proof. *According to the stability condition of the discrete-time linear system, for matrices , , the following inequality,holds, if and only if there exists a matrix such thatTherefore, the inequality (11) will be held if there exists a matrix such that the following inequality,holds. Based on this fact, the controller can be easily obtained below.

Define and . Then pre- and postmultiplying inequality (42) by and (notice from (41) that the matrix is invertible), one hasSubstituting (5)–(7) into (43),It can be found that the inequalities (44) and (37) in Theorem 2 are equivalent.

Meanwhile, the inequality (38) in Theorem 2 is derived by pre- and post-multiplying , for . This completes the proof.

However, the above inequalities still cannot be solved due to the coupling nonlinear item . In order to deal with such items, Theorem 3 transformed nonlinear item is presented.

Theorem 3. *For given scalars , , if there exist matrices , , and , full rank matrix , and any matrix of appropriate dimensions such that the following inequalities,where , hold, then the system (8) secured by will be exponentially stable with the decay rate .*

*Proof. *It is deduced from (44) that . By replacing with , we can easily obtain the above result with which completes this proof.

#### 5. Simulation Example

In this section, an inverted pendulum control system is presented to illustrate the proposed security method with the SOFP control strategy. The plant model is described asand the inverted pendulum system is shown in Figure 3.

Based on the above inequality, the initial state variables of the system can be defined as

To make the description simpler, the inverted pendulum control system takes the following parameters, which are given in Table 1.

Let the sampling period , then the discrete-time model of the inverted pendulum is given aswhere

In the simulation settings, by selecting , , . The initial condition is set to be and the simulation time is chosen as . Then, the stabilization control law in Theorem 3 can be resorting to LMI toolbox in MATLAB. Suppose that the maximum number of packet dropouts is under the worst attacks in this simulation example. Therefore, the corresponding gain is obtained. Meanwhile, the distribution of DoS attacks is shown in Figure 4.

*Case* I. DoS-free case: The state responses of the system (49) with the designed controller under DoS-free case are shown in Figure 5, in which the stability of the studied is verified. It is worth noting that the angle value in Figures 5–7 has been reduced by one tenth in order to make a more intuitive comparison between the angle and position curves. *Case* II. DoS attacks case: In the second scenario, the designed controller in Case I is still used. Under the DoS attacks in Figure 4, the state responses of the system (49) are depicted in Figure 6. It is evident that the angle and position states of the inverted pendulum system are not convergent, in which state responses are presented in a worse performance. Thus, one can see that the switching system is unstable when there are no SOFP control inputs to confront uncertain packet dropouts caused by DoS attacks. Case III: DoS attacks migration with SOFP

The third scenario considered the SOFP control strategy. In such case, the corresponding output feedback gain *G* against the worst attacks is employed to ensure system stability and maintain the desired control performance. Similarly, we can obtain the following in Figure 7.

Based on the angle and position curves, the proposed method is effective, as the control strategy demonstrates that the closed-loop system is stable with bounded packet dropouts. One can see that the system performance is better than the one without predictive control. As a result, the proposed packet-based compensation control method has certain robustness and security.

According to the simulation examples shown above, it can be summarised that the designed controller is stable against DoS attacks and the feasibility of the proposed designing method is verified.

#### 6. Conclusion

In this paper, a novel predictive control strategy is proposed to cope with packet dropouts caused by DoS jamming attacks. Firstly, the discrete-time switched linear control system is formulated to characterize the properties of CPS under DoS attacks. Then, the stability criterion is derived, and the predictive control sequences have been given by LMIs. Finally, the corresponding simulation example results have shown the validity of the SOFP control method.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this article.

#### Acknowledgments

This work was supported by the Natural Science Foundation of China under grants nos. 61863026 and 61563031. Also, it is partially supported by the Industrial Support and Guidance Project for Higher Education of Gansu Province (2019C-05), the Open Fund Project of Key Laboratory of Gansu Advanced Control for Industrial Process (2019KFJJ03), and the Project of Shandong Province Higher Educational Science and Technology Program (J17KA084).