Secure state estimation for cyber physical systems with state delay and sparse sensor attacks

ABSTRACT In this paper, the problem of secure state estimation for cyber physical systems (CPSs) with state delay and sparse sensor attacks is studied. An algorithm combining set cover approach and adaptive switching mechanism is proposed, which can realize off-line acquisition of candidate set and accurately locate the real attack mode. The contributions of this algorithm are that it can greatly reduce the search space, eliminate the impact of attacks on state estimation, improve the estimation speed and ensure the real-time performance of state estimation under the premise of effective estimation. The sufficient condition for the existence of the observer is obtained. Finally, the rapidity and effectiveness of the designed observer are verified by two examples.


Introduction
CPSs are a class of complex interconnected systems that fully integrate the information world and the physical world. They are widely used in smart power grid, intelligent transportation, energy systems and other different fields, and have been at the heart of the latest industrial revolution (Pasqualetti et al., 2013). As a bridge connecting the control system and equipment objects, sensors play an extremely important role in CPSs. In practical applications, sensor faults and sensor attacks occur from time to time, which are very similar to each other and may affect the stable operation of the system or even lead to major disasters. But there are differences between the two concepts (Huang & Dong, 2020). Sensor faults are generally considered to be random, benign, or independent. The sensor attackers are clever, and they are targeted at the vulnerability of some of the attacked systems carefully designed. Therefore, the classical sensor fault detection and estimation methods may not be suitable for sensor attacks. Meanwhile, CPSs features, such as complex structure, large amount of data transmission and environmental uncertainty, etc. will cause some delay in systems (Fei-Sheng et al., 2019;Mahmoud et al., 2019), and the real-time performance is difficult to be guaranteed.
The characteristics of modern industrial systems, such as large-scale, connected, complex and high speed, make the systems vulnerable to sensor attacks and cause the CONTACT Chong Lin linchong_2004@hotmail.com systems to generate time-delay phenomenon. The problems of attacks on different systems have been discussed in the field of automatic control. For example, Huang and Dong (2019) investigates multiagent systems with malicious attacks, and Huang and Dong (2020) studies T-S fuzzy-model-based nonlinear systems with simultaneous stealthy sensor and actuator attacks. More importantly, secure state estimation for CPSs under sparse sensor attacks has attracted much attention of the scientific community, and many effective methods have been obtained. The present methods can be classified into three classes: (1) brute force search, (2) computationally efficient relaxation and (3) search space reduction. Brute force search, including the literatures Pasqualetti et al. (2013), Chong et al. (2015), Lu and Yang (2017) and Shoukry and Tabuada (2015), ensures the correctness of the estimate, but it takes more time to perform a thorough search on the sensors to determine the attacked sensors, and it is difficult to achieve real-time observation. In order to accelerate the estimated speed, the method of relaxing the combinatorial problem into a convex optimization is proposed. Typical studies are L 1 /L r decoder (Fawzi et al., 2014), satisfiability modulo convex programming  and gradient descent algorithm (Lu & Yang, 2018;Shoukry & Tabuada, 2015). However, those studies have relatively strict requirements on system structure. The third method is search space reduction, including satisfiability modulo theory approach (Shoukry, Nuzzo, Puggelli, et al., 2017), set cover approach (Lu & Yang, 2019b) and constrained set partitioning approach (An & Yang, 2018b), which can reduces computational complexity by reducing the search space. The above three methods are mainly used to solve the problem of secure state estimation of CPSs modelled by discrete-time linear systems. New adaptive algorithms are proposed by Tiwari et al. (2014) and An and Yang (2018a) for real-time estimation, which are suitable for continuous-time linear systems. However, for large CPSs under attacks, the adaptive switching algorithm proposed in An and Yang (2018a) is difficult to ensure the recovery of accurate state estimation in a short time. Therefore, further efforts are needed in the study of secure state estimation for CPSs. The rapid development of network communication lays a foundation for the real-time characteristics of CPSs, but in reality, the network bandwidth is limited, and high-frequency data transportation is easy to cause network congestion and system delay. It's well known that Krasovskii approach (Hale, 1977) and its scaling approaches (Kharitonov, 2013;Melchor-Aguilar et al., 2010;Zhang et al., 2013;Zhou, 2016) have been successfully used for the stability analysis for time-delay systems. However, there are few studies on the time-delay of CPSs. In Fei-Sheng et al. (2019), the system considers input delay, and a resilient event-triggering scheme is used to enable the system to tolerate the data loss caused by the attacks. In Cao et al. (2015), the delay caused by DoS attacks is considered. Thus, there is a large space for the study of time delay in CPSs.
Based on the above analysis, the study of secure state estimation for linear continuous-time systems with time delay is challenging. Inspired by previous studies, the security and state delay of CPSs are considered in this paper, and a new algorithm is given to ensure the correctness of state estimation and reduce the computational complexity. Moreover, the system model studied is general and it is widely applicable to practical systems, such as joint robot system (Lu & Yang, 2018), unmanned ground vehicle system (Lu & Yang, 2019a) and IEEE 6 bus power system (An & Yang, 2018a), etc. Specific contributions are as follows: (1) A real-time secure state observer for linear continuoustime delayed CPSs under sparse sensor attacks is designed.
(2) By combining a set cover approach and a adaptive switching operator, the attacked sensors can be found quickly and the computational complexity can be reduced. (3) Based on the generalization of the Krasovskii classical stability theorem for stability analysis of time-delay systems, the sufficient condition for the existence of the observer can be determined, and the observation error can be converged within a certain range in the case of sparse attacks and bounded noises.

System description
Consider a class of CPSs described in time-delay linear continuous-time form aṡ where d ≥ 0 is the time-delay constant, x(t) ∈ R n x (refer to Table 1), u(t) ∈ R n u , y(t) ∈ R n y , ψ(t) ∈ R n x , ϕ(t) ∈ R n y , a(t) ∈ R n y are the state vector, control input, measurable output, process noise, measurement noise and attack vector, respectively. And A, A d , B and C are known matrices with appropriate dimensions. For a(t) = [a 1 (t), a 2 (t), . . . , a n y (t)] T , if a i (t) = 0, i ∈ {1, 2, . . . , n y }, sensor i is not under attack, otherwise it is. In this paper, we assume that in reality the attacker's energy is limited and the noises are bounded.
For the sake of convenience, the notations used in this paper are listed in Table 1.
In order to design a secure state observer, the following assumptions, which are frequently used in the literatures Shoukry and Tabuada (2015), An andYang (2018a, 2018b) and Lu and Yang (2019b), are essential.

Assumption 2.3:
Among n y sensors, the number of sensors attacked each time is s (2s ≤ n y ), but which sensors the absolute complement of set Ω m in set I 10 I Ωs ∈ R (m−s)×n : the matrix obtained from I ∈ R m×n by removing all the rows indexed by the set Ω s 11 supp(a): the support of vector a ∈ R ny 12 m : the integer not less than m 13 mod(n, m) : the remainder of m \ n are attacked is unknown. Before each attack, the observer can achieve the desired stability estimate. After each attack, the attack mode will remain unchanged for a certain period of time.
Remark 2.1: In An and Yang (2018a), it is assumed that the sensor set under attack is fixed. But we consider the case that the sensor attack set is variable. Thus, Assumption 2.3 is an extension and improvement of that in An and Yang (2018a). In fact, sensor attacks have a certain periodicity, and the attack energy is also limited. It is possible that the observer has implemented stability estimation before a new set of attacks appears. Therefore, Assumption 2.3 proposed in this paper is reasonable and has practical significance.

Methods described
The objective of this paper is to design an observer for system (1) with s-sparse sensor attacks. The desired observer satisfies that when there is no noise, the estimated state will eventually converge to the real state; when there is noise, the estimated state will eventually converge to a neighbourhood of the real state. Motivated by Lu and Yang (2019b), An and Yang (2018a) and Hale (1977), a set cover approach will be used to reduce the search space, an adaptive switching mechanism will be introduced to find the set of sensors under attacks, and the generalization of the Krasovskii classical stability theorem will be applied to determine sufficient condition for the existence of the desired observer.

Lemma 2.1 ((Lu & Yang, 2019b) (Set Cover Problem)):
For given sets ( 2 ) Remark 2.2: There are always more than one G 0 that satisfy condition (2), so the minimum-size set G 0 will be chosen as the candidate set S.
In practice, the set cover problem can be approximated by greedy algorithm, the details are shown in Table 2.
We assume that S = {Ω 2 2s , . . . , Ω θ +1 2s }, where |Ω i 2s | = 2s, i = {2, 3, . . . , θ + 1}. In addition, Ω 1 2s is used to indicate the case that no sensor has been attacked, so Ω 1 2s = ∅. For ζ ∈ {1, 2, . . . , θ + 1}, the ζ th sensor attack mode is represented by Ω ζ 2s in this paper.  Chong et al. (2015), the number of candidates is C s n y + C 2s n y for each time step with a switched Luenberger observer. While it has been reduced to C s n y with a novel adaptive switching mechanism in An and Yang (2018a). In this paper, the number of candidates will be reduced to less than C s n y /2 with the help of set cover approach, greatly reducing the search space.
Next, we will focus on designing an adaptive switching mechanism, which can achieve the following goals: (1) If any sensor is attacked, the switching mechanism will be triggered; (2) If any sensor is attacked, the switching function will automatically vary from J 1 to J θ +1 , until locating the proper entry mode; (3) If the real attack mode does not change, the observer will continue to operate in the proper entry mode, otherwise a new switch will begin. Therefore, an observed performance index and a switching logic ζ( ) will be introduced to assist in achieving the above objectives, which are specified aṡ where μ and σ are constants to be designed, and ζ( ) = mod( , θ + 1) .
And finally, the Krasovskii classical stability theorem will be given in Lemma 7.

Main results
Inspired by the Theorem 1 in Zhou (2016) and the Theorem 3 in Zhou and Egorov (2016), the sufficient condition for the existence of the desired observer will be given in this section.
It can be easily obtained as Suppose the ζ th attack mode is launched at time t 0 . For time t(t > t 0 ), there are two cases: whether or not the switching function can be switched to the correct entry mode, as described below. Case 1. Suppose at time t (t > t 0 ), the switching function matrix is J ζ , and J ζ a = 0. That is to say that the switching function locates the proper entry mode at time t . In this case, the value of σ will be determined.
Based on the conditions (8) -(10), we define the parameters g 1 = p 2 η and g 2 = p 2 ρη , the derivative of the Lypaunov-Krasovskii functional (12) along with system (4) is calculated aṡ where For ι ∈ [t − d, t), one gets Solving Equation (15), one has Then e y (t) ≤ C e(t)| + ϕ(t) where σ = C (−γ p 1 ) −1/2 η 1/2φ +φ. If e y (t) > σ , it can be known thaṫ It is easy to prove that lim t→∞˙ (t) = 0, so (t) will converge to a positive scalar for t → ∞. Case 2. Suppose at time t × (t 0 < t × < t ), the switching function matrix is J ζ × , and J ζ × a = 0. That is to say that the switching function locates the wrong entry mode at time t × . We will prove that the estimated error eventually converges to 0 when there is no noise.
In this case, if +∞ t ×˙ (ι) dι ≤ 1 is no longer satisfied, ζ will be driven to switch to the next integer, until the correct attack mode is located at time t , then +∞ t ˙ (ι) dι ≤ 1 will be satisfied. For (20) Combine (19) and (20) getṡ Then Based on (18) and (22), one haṡ Introduce a variable M and assign it to (25) At the same time, in order to ensure that μM ≤ 1, μ should be assigned to where κ is a designed parameter that satisfies e (γ /2)(t −t 0 ) V(t 0 ) < κ for a sufficiently big t . Through the analysis of the two cases above, it can be known that there must exist a sufficiently big t such that +∞ t ˙ (ι) dι ≤ 1. At the same time, according to Equation (18), it can be deduced that lim t→∞ N 2 σ (e y (t)) = 0, which means lim t→∞ e y (t) ≤ σ . In addition, when ψ(t) = 0, ϕ(t) = 0, we have σ = 0, lim t→∞ e y (t) = 0 and lim t→∞ e(t) = 0.

Remark 3.1:
In condition (8), there are θ 2 LMIs. In each LMI of (8), there are three unknown matrices P ζ , U and N ζ , in which the variables are, respectively, n x (1+n x ) 2 , s(1 + 2s) and n x × p. The structure is simple and the calculation difficulty is low.

Remark 3.2:
In the study of this paper, we need to determine a condition so that the designed functional satisfies the formV(t) ≤ aV(t) + b, where a < 0, b > 0. Through research, we find that traditional Lyapunov functional methods, such as Liu et al. (2017) and Zhang et al. (2004), are difficult to obtain a feasible solution when applied to the system (1). In order to overcome this difficulty, a new Lyapunov-Krasovskii functional (12) is constructed in this paper, and the useful forms (15), (21) and (29) can be obtained through condition (8).

Remark 3.3:
In the literature, most researches in solving security problems for CPSs adopt the method of analyzing the information in a finite length time window (Chong et al., 2015;Lu & Yang, 2017;Pajic et al., 2017;Shoukry, Nuzzo, Puggelli, et al., 2017). In the above methods, the state estimates obtained at time t are the estimated states of the actual system at time t − τ + 1 (τ is the window length), and the completion of each estimate requires processing of data at τ moments. So it is difficult to guarantee the real-time performance. In this paper, a new state observer is designed based on the set cover approach and adaptive switching mechanism. For each estimate, only the data at the current moment need to be processed. By using the greedy algorithm in Table 2 and solving a set of LMIs (8) , and computing an adaptive law (5) and (6) online, the designed observer has the ability to quickly identify attacks and locate the appropriate sensor attack mode. Therefore, the computation burden is reduced and the real-time performance is guaranteed.

Simulation examples
In this section, two examples will be presented to verify the effectiveness and rapidity of the designed observer. The simulations are executed by using MATLAB on a desktop equipped with an Intel Core i7-6700 processor operating at 3.4 GHz and 16 GB of memory.
In Example 4.1, the effectiveness of the designed observer for system (1) will be tested. The IEEE 6 bus power system modified from Ao et al. (2016) is considered.
However, it can be seen from Figures 2 and 3 (e v (t) = v(t) −v(t), v ∈ {δ i , w j }, i, j ∈ {1, 2, 3}) that there is a short period of large estimation errors in states δ 1 (t), δ 2 (t), δ 3 (t) and w 2 (t) from the 10 s. The estimation errors recover to around zero at a fast speed, and the estimated values approximate the real state values. That's because starting at 10 seconds, the original entry mode is no longer correct, so switch is triggered until the index ζ is switched to 2. Since there is no change in attack mode for the rest of the period, the switch index remains at 2. In addition, if the attacked sensors of the system (30) change after 15 seconds, the observer system will repeat the above process. It can be seen from the above analysis that the observer designed in this paper can guarantee the secure state estimation.
Next, we will consider the system (1) without the timedelay term.
Example 4.2: Consider the system (1) with A d = 0, where the matrices A, B and C are randomly generated with appropriate dimensions, ψ(t) = 0.1 sin(t), ϕ(t) = 0.2 cos(t), n x = 10, n y = 5, s = 2. The sampling time is 10, 15, 20, 25 and 30, respectively. For this example, three algorithms from Chong et al. (2015), An and Yang (2018a), and this paper are compared. The comparisons of execution times are shown in Figure 4. It can be seen that the algorithm designed in this paper has a shorter execution time. Especially, it has further advantage in execution speed when the sampling time is longer.

Conclusion
In this paper, a secure state observer is designed for CPSs with s-sparse sensor attacks modelled by time-delay linear continuous-time systems. An algorithm combining adaptive switching mechanism and set cover approach is proposed, which ensures the correct identification of attack modes and improves the state estimation speed.
And two examples are given to verify the effectiveness and practicability of the designed observer. Finally, in CPSs, there is still room for research on the secure state estimation and control of actuator attacks systems as well as extensions to T-S fuzzy-model-based nonlinear systems Tong & Li, 2010;Tong et al., 2020). These interesting topics will be our future research.