
This section presents a case-study evaluation of the context-aware sensor fusion technique. We simulate an example of a so called perfectly attackable system [147], i.e., a system whose continuous sensor is under attack such that the estimation error can grow unbounded but the system cannot detect the attack. We show that the system can use context measurements in such a case in order to detect when it is in an unsafe state.

In particular, we simulate a scenario in which the LandShark is moving in an urban environment and trying to avoid an obstacle. The entire scenario is shown in Figure 5.1; the LandShark tries to avoid the wall on the East side, so it initially goes North until it believes it is safe. However, the LandShark's only position sensor, a GPS, is attacked such that the Kalman filter estimates fool the system into believing it is safe – the GPS attacks are also carried out in such a way as to avoid detection by standard anomaly detectors (e.g., a chi-squared detector [147]). As a result, the system starts heading East too early and crashes into the wall.

Figure 5.1: Perfectly attackable system using context measurements. Kalman filter estimates lead the system to believe it is safe, whereas the context-aware sensor fusion bounds indicate that the system is unsafe.

On the other hand, we note that since the LandShark is going through an urban environment, it can use image processing to recognize nearby buildings and obtain context measurements from them. Thus, for each building on the map, the LandShark receives a context measurement (in the form of a square around the building) if it is in the proximity of that building. At each time step, all context measurements are used together with the GPS measurement in the context-aware sensor fusion algorithm; the upper and lower bounds of the resulting fusion polyhedron are also shown in Figure 5.1. As can be seen in the figure, the fusion polyhedron always contains the true value and, more importantly, indicates that the system is not safe, i.e., it is not North of the obstacle. Thus, this is an example in which the system can greatly benefit from context measurements and can avoid the obstacle (e.g., by going North until the fusion polyhedron contains no points that are inside the obstacle).

Chapter 6

Attack Detection in the Presence of Transient Sensor Faults

Having developed multiple techniques for estimation and safety detection in the previous chapters, in this chapter we note that all these techniques rely on sensors providing accurate information. In particular, although the sensor fusion approaches are indeed robust to attacks on half of the system’s sensors, their performance could be improved if attacked sensors are identified and discarded. Thus, in this chapter we provide a general technique for sensor attack detection and identification.

One of the main requirements of such a detection algorithm is that it accounts for the fact that sensors might sometimes provide faulty measurements. As argued in Chapter 4, sensors often experience transient faults that usually do not last long and recover on their own (e.g., GPS losing connection in a tunnel and regaining it afterwards); thus, one can design controllers that are robust to such scenarios. Since transient faults are not a security threat for CPS, in this chapter we develop an attack detection algorithm that does not raise false alarms due to temporarily wrong sensor measurements and instead only flags actual sensor attacks.

As argued in Chapters 1 and 2, standard detection techniques either assume 1) the system is in a known nominal state, i.e., known initial condition, such that a change detection approach could be employed [25, 52, 94, 130, 138, 221] or 2) that a specific fault/attack is present such that specific detectors for that fault/attack could be developed, e.g., generalized likelihood ratio tests or sequential probability ratio tests [23, 24, 177, 178]. At the same time, these two assumptions are not justified in modern CPS that may never have a known nominal state (e.g., perfectly attackable systems [147]) and may not know in advance what faults/attacks they might experience.

Redundancy-based approaches eliminate the need for the above unrealistic assumptions by adding more sensors and assuming that less than half are under attack [78, 211]. A major shortcoming of existing redundancy-based attack detection works [109, 136] is that they conservatively treat transient faults as attacks. While there exist papers distinguishing attacks from faults [21], they make specific assumptions about the form or direction of faults/attacks, thus being unsuitable for our problem.

Different from existing works, in this dissertation we address the problem of sensor attack detection in the presence of transient sensor faults. Similar to Chapter 4, we use the abstract sensor model (in which each sensor provides a polyhedron) – this model is well suited for worst-case analysis due to the noise bounds it provides. In order to distinguish between attacks and faults, similar to Chapter 4, we make use of sensor transient fault models (TFMs) that are now being provided by some manufacturers [82]. Such a model consists of three dimensions: (1) polyhedron size, (2) window size, and (3) number of allowed faulty measurements per window. In the case when such TFMs are not available, one may refer to Section 4.7.2 for an approach to obtain such models from sensor data.

As noted in Section 4.7, depending on the attacker's goals and capabilities sensor attacks can manifest as either transient or non-transient faults. Masking a sensor's measurements as a transient fault may prevent the attacker from being discovered but limits his capabilities. On the other hand, if the attacked measurements are consistently wrong and resemble a permanent fault, they may inflict more damage but may be detected quickly. In this dissertation, we provide resilience to both kinds of attacks: in this section, we present 1) a detector for attacks that manifest as non-transient faults, whereas in Section 4.7 we developed 2) a modified sensor fusion algorithm whose output is guaranteed to contain the true state even in the presence of sensor attacks that might appear as transient faults.

In order to develop a detector for attacks that manifest as non-transient sensor faults, we assume there exists a TFM for each sensor and propose a detection and identification algorithm for sensors that do not comply with their TFMs. The algorithm uses pairwise relationships between sensors – if two sensors' measurements are too distant from each other, then one of them must be wrong. By accumulating this information over time, we develop a sound algorithm for attack detection and identification.

Finally, we evaluate the performance of the detection algorithm (in terms of false alarm and detection rates) using real data collected from the LandShark robot. In particular, we collected measurement data from several runs of the LandShark; this data was then retrospectively augmented with several kinds of attacks. The proposed detector (configured with a large enough TFM window) is able to eventually detect all sensor attacks, thus illustrating the usefulness of this approach.

6.1 Problem Statement

This section presents the system and attack models considered in this chapter before formulating the problem of sensor attack detection in the presence of transient faults.

6.1.1 System Model

[Figure 6.1: Illustration of the benefit of the transient fault model. Each of s2, s3 and s4 provides one faulty measurement, but their other measurements are correct. The figure plots the measurements of sensors s1 to s4 and the fusion interval at t = 1, t = 2 and t = 3.]

The system model used in this section is the general abstract sensor model used in Chapter 4. Similar to Chapter 4, we note that the techniques developed here are independent of system dynamics, hence no assumptions on dynamics are made:

$x_{k+1} = f(x_k, u_k) + \nu_k^p.$ (6.1)

The sensor model is also the same model as in Chapter 4, where each sensor $s_i$ provides a direct measurement of the state at time $k$ of the form¹

$y_{i,k} = x_k + \nu_{i,k}^m,$ (6.2)

which is then converted to a polyhedron $P_{i,k}$ such that

$P_{i,k} = \{ y_{i,k} + z \in \mathbb{R}^d \mid B_i z \le b_i \}.$ (6.3)

In addition, similar to Section 4.7, each sensor has a corresponding TFM $(E_i, e_i, w_i)$ that specifies an upper bound $e_i$ on the number of faulty measurements in any window of size $w_i$. For sensor $s_i$, the set $E_i$ contains the pair $(B_i, b_i)$ that specifies the shape of the corresponding polyhedron $P_{i,k}$.

To illustrate the benefit of the TFM, consider Figure 6.1. If one were to treat all transient faults as attacks, then each of s2, s3 and s4 would be declared as attacked because they each produce a faulty measurement in rounds 3, 2, and 1, respectively (these faulty measurements can be detected because they do not overlap with the fusion interval at the respective times); however, it is more beneficial for the system to just discard the faulty measurements and continue to use the sensors at the times when they do provide correct measurements.

¹ Note that measurements are not explicitly treated as continuous or binary in this chapter since
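As an added example (not code from the dissertation), the following Python script encodes the Figure 6.1 scenario as 1-D abstract-sensor intervals and checks each sensor against its TFM (e_i, w_i), flagging a sensor as attacked only when its faulty measurements exceed e_i within a window of w_i steps. The fusion interval is computed with a Marzullo-style "covered by at least n - f sensors" rule, which is an assumption standing in for the Chapter 4 algorithm, and all measurement values are constructed.

```python
def scenario(faults):
    """Constructed 1-D interval measurements (lo, hi) for sensors s1..s4, t = 1..3.
    Each interval encloses the true state (near 5) unless (sensor, t) is in
    faults, in which case that measurement is shifted far away."""
    base = {1: {"s1": (4.0, 6.0), "s2": (4.5, 6.5), "s3": (3.5, 5.5), "s4": (4.2, 6.2)},
            2: {"s1": (4.2, 6.2), "s2": (4.8, 6.8), "s3": (3.8, 5.8), "s4": (4.4, 6.4)},
            3: {"s1": (4.5, 6.5), "s2": (4.0, 6.0), "s3": (4.6, 6.6), "s4": (5.0, 7.0)}}
    return {k: {s: ((lo + 8, hi + 8) if (s, k) in faults else (lo, hi))
                for s, (lo, hi) in m.items()} for k, m in base.items()}

FIG_6_1 = scenario({("s4", 1), ("s3", 2), ("s2", 3)})  # one transient fault each
ATTACK = scenario({("s4", 1), ("s4", 2), ("s4", 3)})   # s4 wrong at every step

def fusion_interval(intervals, f):
    """Tightest interval covering every point that lies in at least n - f of the
    n sensor intervals (Marzullo-style rule, assumed here in place of the
    Chapter 4 fusion algorithm). None if no point is covered n - f times."""
    n = len(intervals)
    events = sorted([(lo, 0) for lo, _ in intervals.values()]
                    + [(hi, 1) for _, hi in intervals.values()])  # opens sort first
    depth, covered = 0, []
    for x, closing in events:
        if not closing:
            depth += 1
        if depth >= n - f:            # x lies inside at least n - f intervals
            covered.append(x)
        if closing:
            depth -= 1
    return (min(covered), max(covered)) if covered else None

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def detect_attacked(measurements, tfm, f):
    """Sensors violating their TFM (e_i, w_i): more than e_i measurements disjoint
    from the fusion interval within some window of w_i consecutive steps. By the
    chapter's definition these are attacked; TFM-compliant sensors are kept and
    only their faulty measurements discarded (shape E_i is baked into the intervals)."""
    flags = {s: [] for s in tfm}      # per sensor: 1 = faulty at that step
    for k in sorted(measurements):
        fused = fusion_interval(measurements[k], f)
        for s, poly in measurements[k].items():
            flags[s].append(0 if fused and overlaps(poly, fused) else 1)
    return {s for s, (e, w) in tfm.items()
            if any(sum(flags[s][i:i + w]) > e
                   for i in range(max(1, len(flags[s]) - w + 1)))}

TFM = {s: (1, 3) for s in ("s1", "s2", "s3", "s4")}  # e_i = 1 fault per w_i = 3 steps
NO_TRANSIENTS = {s: (0, 3) for s in TFM}             # every fault counted as an attack
print(sorted(detect_attacked(FIG_6_1, TFM, 1)), sorted(detect_attacked(ATTACK, TFM, 1)))
```

With the TFM in place the three single faults of Figure 6.1 raise no alarm, whereas the zero-tolerance model flags s2, s3 and s4, and only the persistently wrong s4 in the ATTACK scenario is reported.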

6.1.2 Attack Model

As mentioned in the introduction of this chapter, we focus on detecting attacks that manifest as non-transient sensor faults, i.e., the attacked sensor measurements do not conform to their corresponding TFMs. Thus, in this chapter we treat all non-transiently faulty sensors as attacked (even if an alarm is raised due to an actual non-transient fault, we argue that this is not a false alarm since such a sensor might compromise the system's operation).

Definition (Attacked Sensor). A sensor is considered attacked if it is non-transiently faulty.

Once again, we emphasize that attacks that manifest as transient faults are handled in Section 4.7, where we developed a sensor fusion algorithm that provides guarantees even in the presence of attacks that manifest as transient faults.

Finally, no assumptions are made on the number of attacked sensors. As long as there is one non-attacked sensor in the system, attack detection is possible. Stronger assumptions are needed for attack identification, as noted in the following sections.

6.1.3 Problem Statements

The problem addressed in this chapter is sensor attack detection in the presence of transient sensor faults.

Problem. Given a system with $n$ sensors and a transient fault model $(E_i, e_i, w_i)$ for each sensor, develop an algorithm to detect the existence of an attacked sensor and possibly identify which sensor is under attack.

6.2 A Sound Algorithm for Attack Detection and
