Locating collaborative attack targets based on physical invariants toward cyber-physical systems

Abstract

Various studies have demonstrated that the collaborative false command injection (FCI) and false sensory data injection (FDI) attacks can go undetected by the existing detection methods and result in serious cascading failures. Therefore, fast attack-recovery under attacks are gaining importance. However, previous researches cannot know which data are contaminated and real system state cannot be evaluated, which leads to serious misalignment of attack-recovery. In this paper, we propose a novel and effective method based on physical invariants among heterogeneous control commands and sensory data to locate the maliciously modified command or compromised sensor. First, we analyze changes in invariants under different single attacks and depict how to detect the collaborative attack and locate attack targets by utilizing broken invariants. Second, considering localization becomes difficult when multiple attacks may be launched simultaneously to disrupt different components, we build the causal network by utilizing the physical invariants and develop a causal-network-based algorithm to fast locate compromised objects. Finally, our numerical results validate the effectiveness of our proposed methods and algorithms. Our work will build the foundation to achieve real-time and accurate recovery under attacks.

Appendix A: The discussion of NP-complete nature

For formula 6, our target is to search the set \(V^A\), which has the least number of elements and these selected elements can cover the broken correlations. On another hand, these selected elements cannot cause new broken correlations. An example is shown in Fig. 13. The correlation between node “E1” and node “S1” and the correlation between node “E4” and “S9” are broken. From broken correlations, we can know there exist 4 attacked situations: \(\{E1,E4\}\), \(\{E1,S9\}\),\(\{S1,E4\}\), or \(\{S1, S9\}\). However, other nodes also possible are compromised. For example, when \(E1\) is considered as the attacked node, \(S2\), \(S3\), and \(S4\) need to be considered as compromised nodes because correlations among \(E1\),\(S2\),\(S3\), and \(S4\) are not broken. Considering the above situation, the candidate set keeps growing and when a candidate node is seen as manipulated node, all of nodes related to the candidate node will be recomputed whether it is attacked or not. If we use brute search, for N nodes with n attacked targets, the time complexity is \(O(N\times 2^n)\). With the increase of attacked targets, the cost of solving the problem is very large.

Next, we illustrate the problem is equal to knapsack problem.

In graph \(G(N,L)\), node set \(V\) consists of attacked set \(V^A\) and normal set \(V^N\), which means

$$\begin{aligned} V = V^A \cup V^N \quad \quad \quad and \quad \quad \quad V^A \cap V^N = \emptyset \end{aligned}$$

(16)

\(C^B\) denotes the broken correlation set. For any link \(v_i\rightarrow v_j \in C^B\), \(v_i\) and \(v_j\) will be added into the candidate set \(N^B\). Our target is selecting elements from \(N^B\) to \(V^A\) and obtaining \(V^A\) with the least number of elements. Combining Equ (16), the problem is equal to finding the set \(V^N\) with the most number of elements and no adding new links into set \(C^B\).

We use \(Score(v_i)\) to denote the number of normal nodes when \(v_i\) is considered as manipulated node. \(C^B(v_i)\) denotes the abnormal link set connected with node \(v_i\). Our problem is to search a set \(V^A\) satisfying:

$$\begin{aligned} \max _{{\textrm{V}}^{A}}{\sum _{v_i\in V^A}{Score(v_i)}} \end{aligned}$$

(17)

subject to

$$\begin{aligned} \begin{aligned}&\cup _{v_i\in V^A}{C^B(v_i)}=C^B \\&for \quad \forall v_i,v_j \in V^A:\quad C^B(v_i)\cap C^B(v_j) = \emptyset \end{aligned} \end{aligned}$$

From (17), we can know this is a knapsack problem which needs to be filled(NP-complete problem).