Model-based Randomness Monitor for Stealthy Sensor Attacks

This work builds on previous research considering deceptive cyber-attacks to hijack a system by injecting false data to sensor measurements while trying to remain undetected [4]. Many of the previous works use the residual for detection, which gives clues whether sensor measurements are healthy (uncompromised). Previous works characterizing the effects of stealthy sensor attacks on the Kalman filter can be found in [5, 6]. Similarly, authors in [4, 7] discuss how stealthy, undetectable attacks can compromise closed-loop systems, causing state and system dynamic degradation

Several procedures and techniques that analyze the residual for attack detection exist, one of which is the Sequential Probability Ratio Testing (SPRT) [8] that tests the sequence of incoming residuals one at a time by taking the log-likelihood function (LLF). The Cumulative Sum (CUSUM) procedure proposed in [9] and [10] leverages the known characteristics of the residual covariance and sequentially sums the residual error to find changes in mean of the distribution. Compound Scalar Testing (CST) in [7] is another technique which is computationally friendly by reducing the residual vector with the known residual covariance matrix into a scalar value with $\chi^{2}$ distribution. An improvement of CST in [11] is made by including a coding matrix to sensor outputs that is unknown to attackers, then an iterative optimization algorithm is used to solve for a transform matrix to detect stealthy attacks. Similar to our work where monitors are placed on individual sensors, the authors in [12] propose a Trust-based framework for sensor sets by “side-channel” monitors to provide a weight for trustworthiness to determine whether sensors have been compromised. Other works have proposed attack resiliency by leveraging information from redundant sensing. In [13], authors solve to reconstruct the state estimate of stochastic systems using an $l_{0}$ optimization problem when less than half of the sensors are compromised. Different from these previous works, we build a framework to monitor sensor measurements to find previously undetectable attacks by searching for non-random behavior.

The remainder of this work is organized as follows. In Section II we begin with system, estimator models and problem formulation, followed by the description of our Random Monitor framework in Section III. In Section IV an analysis of worst-case stealthy attacks and characterization of the effects on system performance is presented. Finally, in Section V we demonstrate through simulations and experiments the performance of our framework augmented with boundary detectors before drawing conclusions in Section VI.

To monitor whether the sequence of residuals are symmetrically distributed and zero-mean, we leverage the Wilcoxon Signed-Rank (WSR) test [2] as follows. A hypothesis test is formed by $\mathcal{H}_{0}$ for no attacks and $\mathcal{H}_{a}$ with attacks:

A monitor is built to check if the residual $\bm{r}_{k}$ sequence over a sliding monitoring window $T=(k-\ell+1,k)$ for $\ell$ previous steps is symmetric. We denote the vector of residual sequences over the sliding window $T$ as $\bm{r}_{T}~{}=~{}(\bm{r}_{T,1},\dots,\bm{r}_{T,i},\dots,\bm{r}_{T,s})$ where the residual sequence for an $i^{th}$ sensor is $\bm{r}_{T,i}=(r_{k-\ell+1,i},\dots,r_{k,i})$. Following $\mathcal{H}_{0}$, we would expect that the number of positive and negative values of $\bm{r}_{k}$ over the monitoring window are equal. Additionally, a symmetric distribution indicates that the expected absolute magnitude of positive and negative residuals over a given window of length $\ell$ are equal,

where $\mathrm{E}[|\bm{r}_{T,i}^{+}|]$ and $\mathrm{E}[|\bm{r}_{T,i}^{-}|]$ denote the expected absolute magnitude for positive and negative values of the residual $r_{k,i}$ within the window $T$ for any given $i^{th}$ sensor. In other words, we would expect the sum of absolute values from the residual to be equal for both the positive and negative values. The WSR test takes both the sign and magnitude of the residual into account to determine whether conditions satisfy $\mathcal{H}_{0}$. Large differences in the residual signs or signed magnitudes imply non-similar distributions, causing the test to reject the no attack assumption and triggering an alarm.

To perform the WSR test at each time step $k$, we first look at the $\ell$ number of residuals over the monitoring window $T$ of a given $i^{th}$ sensor, ranking the absolute values of residuals $r_{T,i}$, starting with $rank=1$ for the smallest absolute value, $rank=2$ for the second smallest, and so on until reaching the largest absolute value with $rank=\ell$. Ranks of absolute values for positive (i.e. $|r_{T,i}^{+}|$) and negative (i.e. $|r_{T,i}^{-}|$) residuals over the window $T$ are placed into the sets $\mathcal{R}_{k,i}^{+}$ and $\mathcal{R}_{k,i}^{-}$ at every time instance $k$, respectively.

Following, we compute the sum of ranks for both the positive and negative valued residuals,

Residuals with symmetric distributions have similar valued sum of ranks, i.e. $W_{k,i}^{+}\sim W_{k,i}^{-}$, whereas the sum of ranks in non-symmetric distributions are not similar $W_{k,i}^{+}\nsim W_{k,i}^{-}$ resulting in a rejection of $\mathcal{H}_{0}$ in (8), which we will now discuss how to solve. Assuming a large window of size $\ell\geq 20$¹¹1For window length of smaller size, exact tables need to be used for probability distributions of the Wilcoxon Signed-Rank random variable [14]. [14], the Wilcoxon random variables $W_{k,i}^{+}$, $W_{k,i}^{-}$ converge to a Normal distribution (without attacks) as $\ell\to\infty$ and can be approximated to a standard normal distribution. The approximated expected value and variance of the two sum of ranks $W_{k,i}^{+}$ and $W_{k,i}^{-}$, denoted as $W_{k,i}^{\pm}=\{W_{k,i}^{+},W_{k,i}^{-}\}$ is

The z-score of (10) for a given $i^{th}$ sensor is computed by

and the p-value used to determine whether to reject the null hypothesis $\mathcal{H}_{0}$ (i.e. no attacks) is computed from (12) as

When $p_{k,i}^{W}$ falls below the threshold $\tau_{i}^{W}=\alpha_{i}^{\text{des}}$, i.e., $p_{k,i}^{W}<\tau_{i}^{W}$, we reject $\mathcal{H}_{0}$ from (8) and an alarm $\psi_{k,i}^{W}=1$ is triggered, otherwise $\psi_{k,i}^{W}=0$. In the absence of attacks, the alarm rate $\alpha_{i}^{W}$ for an $i^{th}$ sensor should be approximately the same as the desired false alarm rate $\alpha_{i}^{W}\sim\alpha_{i}^{\text{des}}$. Computation of $\alpha_{i}^{W}$ is over the sliding window $T^{\alpha}=(k-\ell^{\alpha}+1,k)$ of length $\ell^{\alpha}$ by $\alpha_{i}^{W}=\frac{1}{\ell^{\alpha}}\sum_{j=k-\ell^{\alpha}+1}^{k}\psi_{j,i}^{W}$. Conversely, an attack that affects the residual distribution symmetry, triggering the alarm $\psi_{k,i}^{W}$ more frequently, causing an elevation of alarm rate $\alpha_{i}^{W}$. For alarm rates exceeding a user defined alarm rate threshold, i.e. $\alpha_{i}^{W}>\alpha_{i}^{\tau}$, the $i^{th}$ sensor is deemed compromised. In the following lemma we provide a proof for bounds of the WSR test variables (10) to satisfy a desired false alarm rate $\alpha_{i}^{\text{des}}$.

The WSR test alone is not sufficient to test for randomness, since an attacker could manipulate measurements by creating specific patterns to avoid detection on the WSR test. To test further, we need to determine if the sequence of residuals are being received randomly by leveraging the Serial Independence runs (SIR) test [3]. The SIR test examines the number of runs that occur over the sequence, where a “run” is defined as one or more consecutive residuals that are greater or less than the previous value. A random sequence of residuals over a given window length should exhibit a specific expected number of runs: too many or too few number of runs would not satisfy random sequential behavior. A hypothesis test is formed with $\mathcal{H}_{0}$ for the absence of sensor attacks and $\mathcal{H}_{a}$ where attacks are present by

where $N_{R}$ is the number of observed runs, to determine whether the number of runs satisfy a randomly behaving sequence. First, we take the difference of residuals at time instances $k$ and $k-1$ over a window $T^{\prime}$

where $T^{\prime}=\{k-\ell+2,\dots,k\}=T\setminus\{k-\ell+1\}$ is the monitor window $T$ shortened by one by removing the oldest time instance. This in turn gives us $\ell^{\prime}=\ell-1$ residual differences.

From the sequence of residual differences (18), we take the sign of each residual within the window $T^{\prime}$,

forming a sequence of $\ell^{\prime}$ positive and negative signs. The number of runs $N_{R}$ are observed over the sequence of $\ell^{\prime}$ residual differences. The expected mean and variance of runs [3] are computed by

Assuming large data sets (i.e. window length $\ell\geq 25$) [3], the distribution of $N_{R}$ converges to a normal distribution as $\ell^{\prime}\to\infty$ and can be approximated to a zero mean unit variance standard normal distribution $N_{R}\sim\mathcal{N}(0,1)$. From the number of observed runs $N_{R}$ and number of residual differences $\ell^{\prime}$, we compute the z-score test statistic for Serial Independence from a standard normal distribution

Using the z-score from (21) we compute the p-value of the observed signed residual differences by

When $p_{k,i}^{S}<\tau_{i}^{S}$ is satisfied where $\tau_{i}^{S}=\alpha_{i}^{\text{des}}$ denotes the threshold, we reject the null hypothesis $\mathcal{H}_{0}$ from (17) and an alarm $\psi_{k,i}^{S}=1$ is triggered. In the absence of attacks, the alarm rate $\alpha_{i}^{S}$ is approximately the same as the desired false alarm rate $\alpha_{i}^{S}\sim\alpha_{i}^{\text{des}}$. Alarm rate $\alpha_{i}^{S}$ over the sliding window $T^{\alpha}$ is computed by $\alpha_{i}^{S}=\frac{1}{\ell^{\alpha}}\sum_{j=k-\ell^{\alpha}+1}^{k}\psi_{j,i}^{S}$. Alarm rates exceeding a user defined alarm rate threshold, i.e. $\alpha_{i}^{S}>\alpha_{i}^{\tau}$, signifies that the $i^{th}$ sensor is compromised.

The following lemma provides a proof for bounds of $N_{R}$ in the SIR test to satisfy a desired false alarm rate $\alpha_{i}^{\text{des}}$.

To show that our framework can easily be augmented with any detector that provides magnitude boundaries, we consider two different boundary detectors found in the CPS security literature. Both boundary detectors discussed in this section leverage the absolute value of the residual (4) for attack detection. Consequently, in the absence of attacks (i.e. $\bm{\xi}_{k}=\bm{0}$), this leads to $|r_{k,i}|$ following a half-normal distribution [15] defined by

where $\sigma^{2}_{i}$ was defined as the $i^{th}$ diagonal element in (5).

The first detector that we consider is the Bad-Data Detector (BDD) [4], a benchmark attack detector to find anomalies in sensor measurements, alarming when the residual error goes beyond a threshold. Similar to our detection framework in Section III, the BDD can also be tuned for a desired false alarm rate $\alpha_{i}^{\text{des}}$. Considering the residual $r_{k,i}$ in (4), the BDD procedure for each $i^{th}$ sensor is as follows:

Bad-Data Detector Procedure

Assuming the system is without attacks, the tuned threshold $\tau_{i}^{B}$ for the BDD in (26) with $r_{k,i}\sim\mathcal{N}(0,\sigma_{i}^{2})$ is solved by $\tau_{i}^{B}=\sqrt{2}\sigma_{i}\mathrm{erf}^{-1}(1-\alpha_{i}^{\text{des}})$ where $\mathrm{erf}^{-1}(\cdot)$ is the inverse error function, resulting in $\alpha_{i}^{B}\sim\alpha_{i}^{\text{des}}$.

The second well-known boundary detector that we consider is the CUmulative SUM (CUSUM), which has been shown to have tighter bounds on attack detection than the BDD [9]. The CUSUM leverages the absolute value of the residual in the detection procedure and is solved by

CUSUM Detector Procedure

The working principle of of this detector is to accumulate the residual sequence in $S_{k,i}$, triggering an alarm $\psi_{k,i}^{C}=1$ when the test variable surpasses the threshold $\tau^{C}_{i}$. A detailed explanation of how to tune threshold $\tau^{C}_{i}$ given a bias $b_{i}$ for a desired false alarm rate $\alpha_{i}^{\text{des}}$ can be found in [9].

We consider the reference tracking feedback controller

where $\bm{K}\in\mathbb{R}^{s\times n}$ is the state feedback control gain matrix, $\bm{k}_{r}~{}\in~{}\mathbb{R}^{m\times m}$ is a reference gain for output tracking, $\bm{x}_{k}^{\text{ref}}$ is the reference state, and $\hat{\bm{x}}_{k}$ is the KF state estimate from (2)-(3). Choosing a suitable $\bm{K}$ such that $(\bm{A}+\bm{B}\bm{K})$ is stable (i.e. $\rho[\bm{A}+\bm{B}\bm{K}]<1$, where $\rho[\cdot]$ is the spectral radius) and $(\bm{A},\bm{C})$ is assumed stabilizable, the closed-loop system can be written within terms of the KF estimation error as

As an attacker injects signals into the measurements (i.e. $\bm{\xi}\neq\bm{0}$), system dynamics are indirectly affected via the interconnected term $\bm{B}\bm{K}\bm{e}_{k}$ from the estimation error dynamics.

In the remaining of this section we describe the maximum damage that can occur due to worst-case scenario stealthy sensor attacks. We assume the attacker has perfect knowledge of system dynamics, detection procedures, and state estimation. The objective of an attacker is to cause maximum damage to the system state by injecting attack signals $\bm{\xi}_{k}$ to measurements while also remaining undetected. With only the BDD implemented, the effects of a worst-case scenario attack while not triggering an alarm can be derived from (4) and (26) with a sustained attack signal

causing the residual $|r_{k,i}|=\tau_{i}^{B}$ to not trigger the BDD alarm.

Now considering CUSUM as a stand-alone detector, an adversarial wants to avoid attack vectors such that the monitoring test variable exceeds threshold $\tau^{C}_{i}$, thereby causing a reset $S_{k,i}=0,\text{ if }S_{k-1,i}>\tau^{C}_{i}$ in (27) by satisfying the CUSUM procedure sequence $S_{k,i}=\max(0,S_{k-1,i}+|\bm{C}_{i}\bm{e}_{k}+\eta_{k,i}+\xi_{k,i}|-b_{i})\leq\tau^{C}_{i}$ if $S_{k-1,i}\leq\tau^{C}_{i}$. For maximum effect on state deviation, the attacker saturates the CUSUM test statistic such that $S_{k,i}=\tau^{C}_{i}$ to achieve no alarm sequences. Here we define a saturation as follows:

Beginning at a time $k$, an attacker immediately saturates $S_{k,i}$ with the attack signal,

followed by

for all future time instances to hold $S_{k,i}$ at threshold $\tau^{C}_{i}$.

With the Randomness Monitor augmented with either BDD or CUSUM, an attacker can no longer hold an attack sequence to one side as described in attacks (30)-(32). Rather, an attacker is forced to create an attack sequence such that $r_{k,i}$ alternates residual signs if it wants to avoid triggering alarms for both the WSR and SIR tests. The most effective attack for maximum state deviation with our augmented framework is to saturate the boundary detector as often as possible, while leaving the remaining attack signals with an opposite sign with respect to the saturating attacks to force the residual to be as close as possible to zero.

From the WSR test, given a monitoring window $\ell$, the minimum number of non-saturating attack signals $\xi_{k,i}$ to not trigger an alarm $\psi_{k,i}^{W}$ is

in which $\ell^{j}\in\mathcal{L}=(1,\dots,\ell)$ and $\mathcal{L}$ is the set of all $ranks$ as introduced in Section III-A. From (33), we can then find the maximum number of saturating attack signals by $\beta_{i}^{\ell}=\ell-\gamma_{i}^{\ell}$.

To this point, we have discussed worst-case scenario attack sequences causing saturation of the test variable (in this paper BDD and CUSUM) to maximize the effect of the attack. However, from Remark 3 in Section III-B, a special case to satisfy requirements of the SIR test is when two consecutive residuals of same value triggers an alarm $\psi_{k,i}^{S}~{}=~{}1$. To work around this issue, a stealthy attacker with perfect knowledge of the SIR test can include a small uniformly random number to the attack signal $\xi_{k,i}$ denoted by $\delta_{k,i}\sim\mathcal{U}(0,\epsilon)$ where $\epsilon\in\mathbb{R}^{+}$ is infinitesimally small and $\mathrm{E}[\delta_{k,i}]=\frac{\epsilon}{2}\approx 0$. Thus, the worst-case scenario with the Randomness Monitor augmented to the BDD follows

in order to not trigger an alarm. Similarly, but with the CUSUM detector, an undetectable attack sequence follows

Given the alternating signed sequence of residuals over the monitoring window, the expected value of $r_{k,i}$ under worst-case scenario stealthy attacks is denoted as

With our framework augmented to the BDD, the expected value of the residual sequence is described as $\mathrm{E}[\bm{r}^{B}_{k}]=(\mathrm{E}[r^{B}_{k,1}],\dots,\mathrm{E}[r^{B}_{k,s}])^{T}$ and the expectation of the closed-loop system (29) under attack (34) results in

Note, in (37), the reference signal term $\bm{B}\bm{k}_{r}\bm{x}_{k}^{\text{ref}}$ from (29) has been removed as we are interested in the expected state deviation under an attack. It is clear that if $\rho[\bm{A}]>1$ and $\mathrm{E}[\bm{r}_{k}^{B}]\neq\bm{0}$ then the expectation of the estimation error $\mathrm{E}[\bm{e}_{k}]$ for destabilized states diverge to infinity as $k\to\infty$ (depending on algebraic properties of $\bm{A}$), indirectly causing these states within $\mathrm{E}[\bm{x}_{k}]$ to also diverge unbounded.

Similarly, with the Randomness Monitor augmented to CUSUM, the expected closed-loop system evolution under attack sequence (35) is described by

where $\mathrm{E}[\bm{r}^{C}_{k}]=(\mathrm{E}[r^{C}_{k,1}],\dots,\mathrm{E}[r^{C}_{k,s}])^{T}$ is the expected value of the residual sequence vector for CUSUM in (36).

Considering the UGV system model (42) in our case study, we show the effect of stealthy attacks on the velocity sensor on state $x_{1}$ with a monitoring window length $\ell=100$. Table I gives the resulting alarm rates when our framework is augmented to boundary detectors (BDD and CUSUM) with all detectors tuned for desired false alarm rates $\alpha^{\text{des}}\in\{.05,.20\}$ and in separate simulations we show the alarm rate for No Attack, Attack #1, and Attack #2. As expected, with no attacks present, all alarm rates converge approximately to the desired false alarm rate $\alpha_{1}^{\text{des}}$. Under Attack #1, alarm rates for only the WSR increase to higher values and similarly the Attack #2 pattern gives an increased alarm rate to only the SIR test. We should note that the window length $\ell$ results in different behaviors: short window lengths result in faster responses, while longer window lengths react slower but are able to detect more hidden attacks exhibiting non-random behavior than a monitor with a short window length. Fig. 4 demonstrates attacks on the velocity sensor where our detectors are tuned for $\alpha_{1}^{\text{des}}=0.10$ and compared with the CUSUM boundary detector. Attack #1 occurs between ($50,125$)s triggering the WSR test, Attack #2 between ($175,250$)s triggering the SIR test, and from $300$s a third attack satisfying bounds for both randomness tests but violating the CUSUM test is presented. Velocity is reduced as expected according to (29) while experiencing the effects of each attack.

In this section we present a case study for a UGV performing way-point navigation under stealthy sensor attacks. For our case, the UGV travels to a series of goal positions while avoiding a restricted area with a desired cruise velocity $v^{\text{ref}}=0.15$m/s while experiencing the same class of attacks as in Section V-A. This time the IMU sensor that measures angle $\theta$ is spoofed while our Randomness Monitor is augmented with the BDD. Fig. 5 shows the UGV position while traveling to the four goal points. For both attacks the vehicle enters the restricted area (marked by red tape) while the boundary detector (BDD) does not see the attack in each case. The alarm rate for the WSR test increases for the case under Attack #1 (solid line) and the SIR test alarm rate increases during the case for Attack  #2 (dashed line), as expected.