
Toward a Theory of High Confidence Networked Control Systems

Closing the Loop around Wireless Sensor Networks

Saurabh Amin† and Shankar Sastry†

† University of California at Berkeley, CA, USA

Our Collaborators: S. Oh (Seoul National), A. Cárdenas (Fuji. Labs), A. Bayen (Berkeley), T. Roosta (Cisco), L. Schenato (Padova), B. Sinopoli (CMU), K-H. Johansson, A. Texeira, H. Sandberg (KTH)

Presented at the local PI Meeting of the CPS Action Webs Project, Berkeley, July 2010


Outline

Wireless Sensor Networks (WSN)
- Tech Push and Applications
- Advantages and Limitations of WSN

Closing the Loop around WSN
- On-time WSN Based Control
- Robustness and Fault Tolerance against Random Failures
- Vulnerabilities, Threats, and Countermeasures

Research on Secure and Resilient Control
- Threat Assessment
- Detection of Deception Attacks
- Attack Resilient Control

Future Work


Sensor Webs Closing the Loop Secure Control Future Work Tech Push Advantages and Limitations


S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley


Major Recent Progress

Ref: Ambient Intelligence, Eds: Weber, Rabaey, Aarts, 2005


Ubiquitous Instrumentation

Understanding Phenomena

Data Collection for offline analysis

- Environmental monitoring
- Habitat monitoring
- Structural health monitoring


Sensor Webs Everywhere

Detecting changes in the environment

Thresholds, phase transitions, anomaly detection

- Security systems and Health care
- Wildfire detection
- Fault detection, threat detection


Widely deployed in Critical Infrastructure Systems

Real-time estimation and control

DCS and SCADA systems

- Traffic control, building control, environmental control
- Manufacturing and plant automation, power grids
- Multiple Target Tracking, pursuit-evasion games, active surveillance, search and rescue/capture


Sensor Web Application Taxonomy

Understanding Phenomena

Data Collection for offline analysis

Environmental monitoring, Habitat monitoring, Structural health monitoring

Detecting changes in the environment

Thresholds, phase transitions, anomaly detection

Security systems, Health care, Fault detection, threat detection

Real-time estimation and control

Action Webs

Traffic control, building control, environmental control; Manufacturing and plant automation, power grids; Multiple Target Tracking, pursuit-evasion games, active surveillance


Societal Cyber Physical Systems

“A complex collection of sensors, controllers, compute nodes,and actuators that work together to improve our daily lives”

From very small: Ubiquitous, Pervasive, Disappearing, Perceptive, Ambient

To very large: Always Connectable, Reliable, Scalable, Adaptive, Flexible

Emerging Service Models

Environmental control, energy management and safety in buildings

Automotive and avionic safety and control

Management of metropolitan traffic flows

Distributed health monitoring

Power distribution with decentralized energy generation


Why add Action Webs in Societal CPS?!

Cost reduction
- More than 85% reduction in cost compared to wired systems (case study by Emerson)
- Easy to deploy and enables new functionalities
- Typical plant: 40+ years old, $10B infrastructure

Reliability
- Robust estimation from noisy measurements in the presence of unreliable communication
- Real-time control for mission-critical systems


Limitations of Sensor Networks

Limited Resources

- Energy Restrictions
- Limited Communication and Computational Power (10 KB RAM, 250 kbps data rate, for example)
- Storage Restrictions

Random Topology

No prior knowledge of post-deployment topology

Measurement inconsistency

Noise, False alarms

Communication Reliability

Transmission failures and packet loss, Delays

Deployed in Hostile Environments

Vulnerability to physical capture


High Confidence Networked Control Systems

Next generation control systems will have

Robust estimation for control under random disturbances
- Unreliable communications with delays and packet loss
- Mobile sensor and actuator dynamics
- Distributed parameter systems

Closing-the-loop capability with fault-tolerant networked control
- Characterization of limits on stability, safety and optimality
- Scalable model predictive control

Security and resilience under attacks
- Availability, Integrity and Confidentiality
- Graceful degradation


On-Time Sensor Network-Based Control System

Hierarchical architecture for real-time operation

Multiple layers of data fusion for robustness and to reduce communication load

LochNess: Large-scale On-time Collaborative Heterogeneous Networked Embedded Systems

Oh, Schenato, Chen, Sastry, Proc.


Multi-Target Tracking (MTT) Problem

Given

Multiple dynamics and measurement models

Sensor and clutter (false alarms) models

Target appearance and disappearance models

Set of noisy unlabeled observations Y

Find

Number of targets

States of all targets

Requires solutions to both

- Data association
- State estimation


Robustness against Transmission Failure

Simulation Results

Each single-hop transmission fails with a fixed probability (the transmission failure rate)

Tolerates up to 50% lost-to-total packet ratio


Robustness against Communication Delays

Simulation Results

Each single-hop transmission gets delayed with a fixed probability (the communication delay rate)

Tolerates up to 90% delayed-to-total packet ratio


Optimal control with both intermittent observations and control packets

For unreliable communication

What is the minimum arrival probability that guarantees acceptable performance of estimator and controller?

How is the arrival rate related to the system dynamics?

Can we design estimator and controller independently?

Are the optimal estimator and controllers still linear?

Can we provide design guidelines?

Joint work with L. Schenato and B. Sinopoli


Linear Quadratic Control Design for TCP-like and UDP-like communication protocols

Limits of Stability

Optimal LQG control with constant gains

TCP-like: ACK is available; UDP-like: ACK not available

Better performance of TCP compared to UDP
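The questions on the two slides above (minimum arrival probability, and how it depends on the dynamics) have a sharp answer for a scalar plant, which this added Python example works through; it is not code from the talk or from the cited joint work. It assumes the scalar plant x_{k+1} = a x_k + w_k observed as y_k = c x_k + v_k over a Bernoulli channel with arrival probability lam; the constants a = 2, c = 1, q = r = 1 are constructed.

```python
import random


def critical_probability(a):
    """Critical arrival probability for the scalar plant x_{k+1} = a*x_k + w_k (|a| > 1)
    with a directly measured state: for lam below 1 - 1/a^2 the expected prior error
    covariance E[P_k] diverges whatever the estimator does (Sinopoli et al. bound, which
    is tight in this scalar, invertible-output case)."""
    return 1.0 - 1.0 / (a * a)


def riccati_step(p, a, c, q, r, received):
    """One step of the Kalman prior-covariance recursion with an intermittent observation:
    P_{k+1} = a^2 P_k + q - gamma_k * (a c P_k)^2 / (c^2 P_k + r), gamma_k in {0, 1}."""
    p_next = a * a * p + q
    if received:
        p_next -= (a * c * p) ** 2 / (c * c * p + r)
    return p_next


def bound_step(p, a, c, q, r, lam):
    """Modified Riccati recursion: gamma_k replaced by its mean lam.  Its iterates upper-bound
    E[P_k] and converge iff lam exceeds the critical probability (scalar case)."""
    return a * a * p + q - lam * (a * c * p) ** 2 / (c * c * p + r)


def iterate_bound(a, c, q, r, lam, steps=200, p0=1.0):
    """Run the bound recursion for a fixed number of steps: it settles at a fixed point
    above the critical probability and grows without limit below it."""
    p = p0
    for _ in range(steps):
        p = bound_step(p, a, c, q, r, lam)
    return p


def monte_carlo_mean_covariance(a, c, q, r, lam, horizon=60, runs=500, p0=1.0, seed=7):
    """Sample mean of P_horizon over independent Bernoulli(lam) loss sequences
    (seeded, so the result is reproducible)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(runs):
        p = p0
        for _ in range(horizon):
            p = riccati_step(p, a, c, q, r, rng.random() < lam)
        total += p
    return total / runs


if __name__ == "__main__":
    a, c, q, r = 2.0, 1.0, 1.0, 1.0          # constructed unstable plant, |a| = 2
    print("critical arrival probability:", critical_probability(a))
    for lam in (0.9, 0.5, 0.2):
        bound = iterate_bound(a, c, q, r, lam)
        mean_p = monte_carlo_mean_covariance(a, c, q, r, lam)
        print(f"lam={lam}: bound iterate={bound:.3g}, sample mean P_60={mean_p:.3g}")
```

With a = 2 the critical probability is 0.75: at lam = 0.9 both the bound and the sampled covariance stay small, while at lam = 0.5 and 0.2 the bound iterate and the sampled mean blow up.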


Wireless Security Myths

Licensed frequencies provide security
- No! They only provide a right to communicate over a specific frequency or range of frequencies
- Enable legal recourse only if adversary is found

Directional antenna means data is secure
- Beamwidth must be large enough to reach target
- Wireless travels based on topography
- Left-over tower real estate

Courtesy: Mark Hadley, PNNL


Wireless Security Myths

SCADA radio communication is well behaved
- Time between telemetry requests can be used for malicious traffic injection

Encryption provides security
- Encryption only provides confidentiality. It does not care about the intent of the data
- What about integrity and availability?
- Both malicious and legitimate data can travel through encrypted tunnels with equal ease


Attack Models for Sensor Networks

Mote-class Attacker
- Controls a few ordinary sensor nodes
- Has the same capabilities as the network

Laptop-class Attacker
- Greater battery, processing power, memory, high-power radio transmitter, low-latency communication

Outsider Attacks
- Passive eavesdropping
- Denial of service attacks
- Replay attacks

Insider Attacks: compromised node
- Node runs malicious code
- Node has access to secret keys, participates in authenticated communication


Previous Work on Countermeasures to Attacks on WSN

Secure communication
- SPINS: Security Protocols for Sensor Networks (Perrig, Szewczyk, Wen, Culler, Tygar)
- TinySec: Link Layer encryption for tiny devices (Karlof, Sastry, Wagner)

Robust aggregation
- Data aggregation is prone to insider attacks which inject faulty data into the network
- SIA: Secure Information Aggregation for Sensor Networks (Przydatek, Song, Perrig)
- Resilient Aggregation in Sensor Networks (Wagner)

Sybil Attack
- Node pretends to have multiple identities, or the adversary creates node identities that do not exist in the network.
- Countermeasures (Newsome, Shi, Song, Perrig)

Courtesy of T. Roosta


Previous Work on Countermeasures to Attacks on WSN

Secure location verification
- The goal is to validate the claims of nodes
- Verification of Location Claims (N. Sastry, Shankar, Wagner)

Robust localization
- Localization is used to find the position of the nodes
- Statistical Methods for Robust Localization (Z. Li, W. Trappe, Y. Zhang, B. Nath)
- SeRLoc (Lazos, Poovendran)

Key distribution protocols
- Used for distributing the cryptographic keys in the network after deployment
- Random Key Distribution Protocol (Chan, Perrig, Song and Eschenauer, Gligor)

Courtesy of T. Roosta


Defense-in-depth

Security tools at each layer

- Containment measures: VLAN, logical separation, physical separation, egress filters
- Wired network tools: IDS, network design, network registration, separate management
- Wireless network tools: network design, spectrum analyzer, limit transmit power, network registration, authenticate traffic, encrypt traffic, gateway
- Physical tools: gates, doors, locks, mantraps, posted signage
- Personnel controls: security staff training and awareness

Key Question: How to select security tools at each layer?


Vulnerabilities can be Exploited

- 2008 Huntington Beach offshore oil platforms
- 2000 Maroochy Shire sewage control system
- 2007 Tehama-Colusa Canal
- 2007 Cal-ISO power marketing operations


Attacks to Control System

Attacks can disrupt

- Set points: man-in-the-middle substitutions
- Control: tuning parameter substitutions
- Process value readings: value substitutions
- Communication: latency impact via DoS attack
- Process disruption: disrupt connection to plant

Figure: Multilayer Control Structure (Tatjewski, '08)


Operational Goals and Attributes of the Adversary

Operational Goals

Maintain safe operational mode

- Limit the probability of undesirable behavior,

Meet production demands

- Keep certain process values within prescribed limits,

Maximize production profit.

Attributes of the Adversary

Mode of attack

- Availability, integrity, confidentiality,

Signature of attack

- Targeted, resource constrained, random,

Time of attack.


Integrity and Availability for Control Systems

Integrity
- Trustworthiness of sensor and control data packets
- Lack of integrity results in deception
- A1 & A3: integrity attacks

Availability
- Ability of system components to be accessible
- Lack of availability results in DoS of sensor & control data
- A2 & A4: DoS attacks

Figure: closed loop of Physical System and Controller with sensor signal y and control signal u; attack points A1, A2, A3, A4 and A5 marked on the loop


Secure Control: What is New and Fundamentally Different?

Control system security is important. Are there new research problems, or can problems be solved with

- Traditional IT security?
- Robust fault-tolerant control?

Information security: What can help?

Prevention: Authentication, access control, software security

Detection: Intrusion detection, malware filtering

Resiliency: Separation of duty, principle of least privilege

What seems to be missing?

Effect of attacks on control and estimation algorithms interacting with physical dynamics,

Trust and Adversary Model: How the attacker may manipulate control and sensor data to achieve goals.


CPS vs. Traditional IT Security

What is new and fundamentally different in control systems security?

Model interaction with the physical world

Three new research directions

Threat assessment: How attacker may manipulate control variables to achieve goals and study consequences to the physical system

Attack-detection by using models of the physical system
- Study stealthy attacks (undetected attacks)
- Ensure safety of any automated response mechanism

Attack-resilient control algorithms


Our Results in these three New Research Directions

Threat assessment
- Ad Hoc Networks 2009, Cárdenas, Roosta, Sastry
- J. of Critical Infrastructure Protection 2009, Huang, Cárdenas, Amin, Lin, Sastry
- HSCC 2010 (to appear), Amin, Litrico, Sastry, Bayen
- Control and Decision Conference 2010 (submitted), Teixeira, Amin, Sandberg, Johansson, Sastry

Attack-detection using reduced-order models
- Focus on power grid (Preprint), chemical process control (Tech. Report), Lin, Cárdenas, Amin, Huang, Sastry

Attack-resilient control algorithms
- HSCC 2009, Amin, Cárdenas, Sastry
- Privacy-aware dynamic sensing (Preprint), Amin, Hofleitner, Herring, Bayen


Risk Assessment Case Study: Gignac Water Distribution System

The Gignac Project

Irrigates 2800 Hc of land by 50 km of primary, 270 km of secondary canals

Equipped with level and velocity sensors, and motorized gates with local slave controllers

SCADA system architecture: centralized base station that communicates with field devices through radio and telephone communication


Attacks on Water Distribution Systems

Figure: a canal reach between the upstream gate and its downstream end, with the canal bed, water levels h^0_k (upstream) and h^L_k (downstream), offtake discharge Q^ℓ_k, the water level measurement y_k = h^L_k sent to the remote controller, the control signal u_k, and the disturbance w_k

For regulatory control, attacks may result from
1. Intermittent offtake withdrawals.
2. Certain deception/DoS attacks on sensor and control data.


Cyber and Physical Infrastructure

Figure: physical infrastructure and cyber infrastructure


Experiment Site and SCADA Supervisory Interface

Avencq Cross-Regulator

SCADA Interface

Lagarel station is under alert (not functional) but Avencq is functional


Cascade of Canal Reaches

Frequency domain model of canal reach

Control input variables: upstream discharge µ_i and downstream discharge µ_{i+1}; controlled variable: the downstream water level y_i; disturbance: offtake withdrawal p_i

Frequency domain input-output relationship (Callier-Desoer algebra) for reach i:

y_i(s) = G_i(s) µ_i(s) + G_i(s) [µ_{i+1}(s) + p_i(s)]

Low frequency approx. (integrator-delay model) used to design PI controllers


Effect of Hacking Level Sensor: Simulation

Figure panels (simulation): water withdrawal by attacker; actual water level under attack; deception attack on level sensor; control action under attack


Effect of Hacking Level Sensor: Experiment

Figure panels (experiment): water withdrawal by attacker; actual water level under attack; deception attack on level sensor; control action under attack


Extension to decentralized, multivariable PI controllers

Compensating effect of water withdrawal at the boundaries by manipulating sensor readings, such that the multivariable controller does not react to actual perturbation.
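As an added illustration of the risk-assessment result on the slides above (not code from the talk or from the Gignac project), the following Python simulation puts a PI regulator on the integrator-delay approximation of one reach and compares an honest level sensor with one whose readings are adjusted to hide an offtake withdrawal. Reach area, sampling period, transport delay, PI gains and the withdrawal profile are all constructed values.

```python
from collections import deque

# Constructed integrator-delay (ID) reach: the downstream level integrates the delayed upstream
# discharge minus the downstream discharge and the offtake.  All parameters are assumed.
DT = 10.0            # s, sampling period
AREA = 1000.0        # m^2, equivalent water-surface area of the reach
DELAY = 3            # sampling steps for a gate change to reach the downstream end
KP, KI = 10.0, 0.5   # PI gains, discharge (m^3/s) per metre of level error


def simulate_reach(setpoint, q_out, withdrawal, n_steps, deceive=False):
    """Closed-loop simulation of one reach regulated by its upstream gate.

    withdrawal(k) gives the offtake discharge p_k in m^3/s at step k.
    With deceive=True the level sensor, from the first step with p_k > 0 on, reports the
    level the reach would have had without the offtake, so the regulator sees no error.
    Returns (true_levels, reported_levels), one entry per step."""
    level = setpoint                      # start at equilibrium: inflow == outflow, no offtake
    integ = 0.0                           # integral of the level error
    in_transit = deque([q_out] * DELAY)   # gate discharges not yet arrived at the level sensor
    hidden = 0.0                          # level lost to the offtake that the spoofed sensor adds back
    spoofing = False
    true_levels, reported = [], []
    for k in range(n_steps):
        p = withdrawal(k)
        spoofing = spoofing or (deceive and p > 0.0)
        y = level + hidden if spoofing else level
        true_levels.append(level)
        reported.append(y)
        # PI regulator on the reported level, with q_out as the nominal feedforward discharge
        err = setpoint - y
        integ += err
        in_transit.append(q_out + KP * err + KI * integ)
        q_in = in_transit.popleft()       # discharge set DELAY steps ago arrives now
        level += DT / AREA * (q_in - q_out - p)
        if spoofing:
            hidden += DT / AREA * p
    return true_levels, reported


def withdrawal_profile(k, start=100, stop=200, flow=1.0):
    """Constructed disturbance: an offtake of `flow` m^3/s open for start <= k < stop."""
    return flow if start <= k < stop else 0.0


if __name__ == "__main__":
    honest, _ = simulate_reach(1.5, 2.0, withdrawal_profile, 600)
    deceived, shown = simulate_reach(1.5, 2.0, withdrawal_profile, 600, deceive=True)
    print(f"honest sensor:   dip to {min(honest):.3f} m, final level {honest[-1]:.3f} m")
    print(f"deceived sensor: operator sees {shown[-1]:.3f} m, actual level {deceived[-1]:.3f} m")
```

With the honest sensor the regulator dips briefly and returns to the 1.5 m setpoint; with the adjusted sensor the SCADA display stays at 1.5 m while the reach actually loses 1 m of water, because the PI loop never sees an error to act on.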


Attack Detection Case Study: Tennessee Eastman Process Control System (TE-PCS)

TE-PCS Plantwide Control

Process model (FORTRAN code) & Four-loop PI controller (MATLAB code)

Control Objective
- Regulate product rate
- Maintain reactor pressure to safe limits
- Minimize Operating Cost

Adversary Model
- Sensors y4, y5, y7 may be compromised
- Block attack duration K_a = {k_s, ..., k_e}
- Observed sensor measurement \tilde{y}_i:

\tilde{y}_i(k) = \begin{cases} y_i(k) & \text{for } k \notin K_a,\ y_i(k) \in [y_i^{\min}, y_i^{\max}] \\ a_i(k) & \text{for } k \in K_a,\ a_i(k) \in [y_i^{\min}, y_i^{\max}] \end{cases}

- Models DoS and deception attacks


From L. Ricker (1993)

Page 44

Framework for Attack Detection

Four Step Process

Estimate model of the physical process

Linearized model around the operating point

$$
x_{k+1} = A x_k + B u_k, \qquad y_k = C x_k
$$

Propose detection scheme

Non-parametric cumulative sum (CUSUM) statistic

Study stealthy attacks

Assume that the adversary is adaptive and knows the anomaly detection scheme

Ensure safety of automated response

Use the internal model output to control the system when an anomaly is detected

Computing Blocks

$u_k$: control signal, $y_k$: sensor signal, $w_k$: disturbance signal. The Anomaly Detection Module (ADM) output is $\hat y_k$ under attack and $\tilde y_k$ otherwise.

Page 45

CUSUM Change Detection Algorithm

CUSUM Algorithm

Random process $Z_i(k)$ follows $p_0$ (null hypothesis $H_0$) or $p_1$ (alternate hypothesis $H_1$)

CUSUM statistic updated as (starting from $S_i(0) = 0$)

$$
S_i(k+1) = \left( \log \frac{p_1(z_i(k))}{p_0(z_i(k))} + S_i(k) \right)^+
$$

Stopping time is the time when the test stops and decides that a change has occurred

$$
N = \inf_n \{ n : S_i(n) \ge \tau_i \}
$$

where $\tau_i$ is selected based on the false alarm constraint

Page 46

Nonparametric CUSUM for Sensor i

Nonparametric CUSUM does not assume a parametric distribution for $p_0$ and $p_1$

Measure the difference between the expected and observed behavior

$$
z_i(k) = \| \hat y_i(k) - \tilde y_i(k) \| - b_i,
$$

where $b_i > 0$ is selected such that $E_0[Z_k] < 0$ and $E_1[Z_k] > 0$

Nonparametric CUSUM:

$$
S_i(k) = \left( S_i(k-1) + z_i(k) \right)^+, \qquad S_i(0) = 0
$$

Decision rule at $k$: $H_1$ if $S_i(k) > \tau$, $H_0$ otherwise

Page 47

Tuning CUSUM Parameters

Tuning $b_i$

Parameter $b_i$ is chosen as the empirical expected value of the distance $|\hat y_i(k) - \tilde y_i(k)|$ under no attack

Tuning threshold $\tau_i$

Selected to achieve a balance between false alarms and detection time

The number of false alarms decreases exponentially with increasing $\tau$

[Figure: number of false alarms versus tau for sensors y4, y7 and y5; data cursors show one false alarm at tau = 7 (y4), tau = 44 (y7) and tau = 4900 (y5)]

Time to detection increases linearly with increasing τ

[Figure: average detection time (hour) versus tau for sensors y4, y5 and y7 under the attacks y = y * 0.9, y = y * 0.7 and y = y * 0.5; data cursors: y4 at tau = 50 gives 0.5 and 0.1 hour; y5 at tau = 5000 gives 1.8 and 0.3 hour and at tau = 8000 gives 0.5 hour; y7 at tau = 100 gives 2 and 0.4 hour and at tau = 150 gives 0.6 hour]

Page 48

Stealthy Attack Model for Insider Attacks

Assumptions for stealthy attack model

Internal model and ADM parameters are known to the adversary

Goal is to compromise plant safety by increasing the pressure in the reactor

And yet remain undetected for a fixed number of time steps

Examples

Surge attack: The adversary tries to maximize the damage in the shortest time, but when the statistic reaches the threshold, it stays at the threshold for the remaining time

Bias attack: The adversary adds a small bias at each time step

Geometric attack: The attacker combines the slow initial drift of the bias attack with a surge attack at the end to cause maximum damage

Page 49

Geometric Stealthy Attack

Attack starts at T = 10 hrs and the goal is to remain undetected until T = 30 hrs

[Figure: y4 product rate (kmol/hr), y5 pressure (kPa) and y7 amount of A in purge (mol %) versus time (hour), each showing the original and the attacked measurement; CUSUM statistics S4, S5 and S7 versus time (hour)]

Page 50

Resiliency under Stealthy Attacks

Stealthy attacks are not able to compromise plant safety due to the resilient control structure in place

Page 51

Automatic Response Mechanism

Response of ADM

When an attack is detected ($S_i(k) > \tau_i$), replace $\tilde y_i(k)$ by the output $\hat y_i(k)$ of the internal (linear) model

Else, use $\tilde y_i(k)$ to compute the control action

[Figure: y5 pressure (kPa) versus time (hour), two panels; data cursors at (23.2 h, 3000 kPa) and (10.6 h, 1369 kPa); . . . measurement under attack, – original measurement]

Attack starts at T = 10, the system crashes at T = 29, and the attack is detected at T = 10.8

Page 52

Automatic Response to False Alarms

Response to false alarm does not violate safety

Maximum pressure under a false alarm is 2779 kPa, which is of the same order of magnitude as the normal maximum pressure under no false alarm (2757 kPa)
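The nonparametric CUSUM detector, the empirical rule for $b_i$ and the ADM's automatic response from the slides above, as an added Python example that is not part of the presentation: the scalar plant, proportional controller, noise bound, sensor range and bias value are constructed assumptions, and the TE-PCS model is not used.

```python
"""Nonparametric CUSUM ADM with automatic response (added example, not slide code).
Constructed scalar plant x[k+1] = A x[k] + B u[k] + w[k], y[k] = C x[k], a
proportional controller, and a sensor bias attack per the adversary model:
observed y~(k) = a(k) inside the attack window, clipped to [y_min, y_max]."""
import random

A, B, C = 0.9, 0.1, 1.0        # constructed plant (stable, scalar)
K_GAIN, SETPOINT = 4.0, 1.0    # proportional controller u = K (r - y)
Y_MIN, Y_MAX = 0.0, 5.0        # physical sensor range (constructed)
NOISE = 0.02                   # |w[k]| <= NOISE, hence |x - x_hat| <= NOISE/(1-A)

class CusumADM:
    """Internal linear model runs beside the real sensor; the CUSUM statistic
    S(k) = (S(k-1) + |y_hat(k) - y_tilde(k)| - b)^+ raises an alarm at S > tau."""

    def __init__(self, b, tau, x_hat0=0.0):
        self.b, self.tau = b, tau
        self.x_hat, self.S, self.alarm = x_hat0, 0.0, False

    def predict(self, u_prev):
        # y_hat(k): internal model driven only by the control actually applied
        self.x_hat = A * self.x_hat + B * u_prev
        return C * self.x_hat

    def output(self, y_hat, y_tilde):
        # nonparametric CUSUM update, decision rule, and automatic response:
        # the controller is fed y_hat while the alarm is raised, y_tilde otherwise
        self.S = max(0.0, self.S + abs(y_hat - y_tilde) - self.b)
        self.alarm = self.S > self.tau
        return y_hat if self.alarm else y_tilde

def simulate(steps, b, tau, attack_start=None, bias=0.0, respond=True, seed=7):
    """Closed loop for `steps` samples; returns (states, residuals, first alarm step)."""
    rng = random.Random(seed)              # constructed, reproducible disturbance
    adm = CusumADM(b, tau)
    x, u_prev, xs, residuals, detected = 0.0, 0.0, [], [], None
    for k in range(steps):
        y_hat = adm.predict(u_prev)
        y_tilde = C * x                    # honest reading
        if attack_start is not None and k >= attack_start:
            # deception attack a(k): biased reading kept inside the sensor range
            y_tilde = min(Y_MAX, max(Y_MIN, y_tilde + bias))
        residuals.append(abs(y_hat - y_tilde))
        y_resp = adm.output(y_hat, y_tilde)
        if adm.alarm and detected is None:
            detected = k
        y_used = y_resp if respond else y_tilde   # baseline keeps trusting the sensor
        u = K_GAIN * (SETPOINT - y_used)
        x = A * x + B * u + rng.uniform(-NOISE, NOISE)
        xs.append(x)
        u_prev = u
    return xs, residuals, detected

def tune_b(steps=300, seed=11):
    """b = empirical mean of |y_hat - y_tilde| under no attack (the slide's rule)."""
    _, residuals, _ = simulate(steps, b=0.0, tau=float("inf"), seed=seed)
    return sum(residuals) / len(residuals)

if __name__ == "__main__":
    b, tau = tune_b(), 4.0
    _, _, false_alarm = simulate(160, b, tau)
    xs_resp, _, detected = simulate(160, b, tau, attack_start=80, bias=0.5)
    xs_none, _, _ = simulate(160, b, tau, attack_start=80, bias=0.5, respond=False)
    print(b, false_alarm, detected, round(xs_resp[-1], 3), round(xs_none[-1], 3))
```

With this tuning the honest run raises no alarm, the bias attack is flagged a few steps after it starts, and a permanent false alarm (tau below zero) leaves the loop tracking its setpoint, mirroring the false-alarm slide.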

Page 53

Constrained Linear Systems Under DoS Attack Mode

Discrete-time linear system under DoS attack with dynamics

$$
x_{k+1} = A x_k + B u_k^a + w_k, \qquad k = 1, \dots, N-1
$$

$$
x_k^a = \gamma_k x_k,\ \gamma_k \in \{0,1\}, \qquad u_k^a = \nu_k u_k,\ \nu_k \in \{0,1\}, \qquad u_k = \mu_k(x_0^a, \dots, x_k^a),
$$

and constraints on state and control input

$$
(x_k^a, u_k^a) \in \mathcal{T}, \qquad w_k \in \mathcal{W}.
$$

Page 54

Operational Goals for Secure Control Problem

Power constraints

$$
\begin{pmatrix} x_k^a \\ u_k^a \end{pmatrix}^{\top} \begin{pmatrix} H_i^{xx} & 0 \\ 0 & H_i^{uu} \end{pmatrix} \begin{pmatrix} x_k^a \\ u_k^a \end{pmatrix} \le \beta_i, \qquad i = 1, \dots, L_1,
$$

Safety constraints

$$
\begin{pmatrix} x_k^a \\ u_k^a \end{pmatrix} \in \mathcal{T}_j, \qquad j = 1, \dots, L_2,
$$

Cost function

$$
J(x_0, u, w) = \sum_{k=1}^{N} x_k^\top Q_{xx} x_k + \sum_{k=1}^{N-1} \nu_k u_k^\top Q_{uu} u_k,
$$

For disturbance sets

- $w \in \mathcal{W}_\alpha := \{ w \mid \|w\|_2 \le \alpha \}$: constraints and cost in the worst-case sense.
- $w \sim \mathcal{N}(0, W)$: constraints and cost in the expected/probabilistic sense.

Page 55

DoS Attack Signatures for Secure Control Problem

Random adversary (Sinopoli et al., '04; Elia, '04)

$$
\mathcal{A}_{\mathrm{Ber}}(\gamma, \nu) = \left\{ (\gamma_0^{N-1}, \nu_0^{N-1}) \mid P(\gamma_k = 1) = \gamma,\ P(\nu_k = 1) = \nu,\ k = 0, \dots, N-1 \right\}.
$$

Probability of successful measurement (resp. control) transmission is $\gamma$ (resp. $\nu$).

Resource constrained adversary

$$
\mathcal{A}_{pq} = \left\{ (\gamma_0^{N-1}, \nu_0^{N-1}) \in \{0,1\}^{2N} \mid \|\gamma_0^{N-1}\|_1 \ge N - p,\ \|\nu_0^{N-1}\|_1 \ge N - q \right\}.
$$

Adversary can deny measurement (resp. control) transmission at most $p$ (resp. $q$) times.

$\mathcal{A}_{pq}$ attacks include block attacks

$$
\mathcal{A}_{pq}^{\tau_x \tau_u} = \left\{ (\gamma_0^{N-1}, \nu_0^{N-1}) \in \{0,1\}^{2N} \mid \gamma_{\tau_x}^{\tau_x + p - 1} = 0,\ \nu_{\tau_u}^{\tau_u + q - 1} = 0 \right\},
$$

- $\tau_x$ (resp. $\tau_u$): start of attack on measurement (resp. control) data.

Page 56

Secure Control Problem for DoS attack mode

Definition (Secure Control Problem)

To design a (predictive) control strategy that

Minimizes operating costs,

Satisfies safety constraints,

Maintains closed-loop stability,

by surviving DoS attacks on measurement and control data under a well-defined adversary model (e.g., random or resource-constrained attack signature).

Page 57

Problem Statement for Resource Constrained Adversary

For constrained linear systems

$$
x_{k+1} = A x_k + B u_k^a + w_k, \qquad k = 1, \dots, N-1
$$

$$
x_k^a = \gamma_k x_k, \qquad u_k^a = \nu_k u_k, \qquad (\gamma_k, \nu_k) \in \{0,1\}^2
$$

find causal feedback policies $u_k = \mu_k(x_0^a, \dots, x_k^a)$ that minimize

$$
J(x_0, u, w) = \sum_{k=1}^{N} x_k^\top Q_{xx} x_k + \sum_{k=1}^{N-1} \nu_k u_k^\top Q_{uu} u_k,
$$

subject to power constraints

$$
\begin{pmatrix} x_k^a \\ u_k^a \end{pmatrix}^{\top} \begin{pmatrix} H_i^{xx} & 0 \\ 0 & H_i^{uu} \end{pmatrix} \begin{pmatrix} x_k^a \\ u_k^a \end{pmatrix} \le \beta_i, \qquad i = 1, \dots, L_1,
$$

and safety constraints

$$
\begin{pmatrix} x_k^a \\ u_k^a \end{pmatrix} \in \mathcal{T}_j, \qquad j = 1, \dots, L_2,
$$

for all disturbances $w \in \mathcal{W}_\alpha$ OR $w \sim \mathcal{N}(0, W)$ and a given set of $(\gamma_0^{N-1}, \nu_0^{N-1}) \in \mathcal{A}_{pq}$ attack signatures.

Page 58

Key Ideas from Robust Control

Using the following ideas

Semi-definite program (SDP) viewpoint of the linear quadratic control (LQC) problem,

Constrained LQC with affine state-feedback policies,

Robust approximations of probabilistic constraints on state and control input,

we can arrive at feedback policies that are robust to certain classes of DoS attacks.

Page 59

Robust Control For a Set of Apq Attacks

The solution of the secure control problem for a set of attack signatures of type $(\gamma_0^{N-1}, \nu_0^{N-1}) \in \mathcal{A}_{pq}$ using the affine-feedback control policies

$$
u_k = u_k^\circ + \sum_{j=0}^{k-1} \gamma_j M_{k,j} w_j, \qquad k = 0, \dots, N-1
$$

can be obtained as a solution of a semidefinite program. Here, $u_k^\circ$ is the open-loop part of the control, and $M_{k,j}$ is the feedback gain or recourse at time $k$ from the past sensor measurement $x_j$.

The result holds for both $w \in \mathcal{W}_\alpha$ and $w \sim \mathcal{N}(0, W)$.

Page 60

Implications for the Defender

Receding horizon implementation: an admissible control policy can be computed at each time, with the first component of the policy applied.

Predicted state estimates, disturbance, and attack signatures:

$$
(x_{0|k}^\top, \dots, x_{N|k}^\top)^\top, \qquad (w_{0|k}^\top, \dots, w_{N-1|k}^\top)
$$

$$
(\gamma_{0|k}^\top, \dots, \gamma_{N-1|k}^\top)^\top, \qquad (\nu_{0|k}^\top, \dots, \nu_{N-1|k}^\top)
$$

A solution provides a certificate of feasibility: the policy is $(p, q, \alpha)$-secure.

If the feasibility margins are violated, the constraints can be softened and open-loop or back-up policies aimed at driving the system back to the feasible set computed.

If back-up policies fail, reconfiguration is the only option.

Page 61

Implications for the Attacker

Given a set of attack signatures $(\gamma_0^{N-1}, \nu_0^{N-1})_1, \dots, (\gamma_0^{N-1}, \nu_0^{N-1})_r \in \mathcal{A}_{pq}$, the attacker computes robustness margins for each attack signature by successively increasing the uncertainty bounds.

The attack signature with the least feasibility margin is the most promising from the attacker's viewpoint.

Candidate attack signatures

Block $\mathcal{A}_{pq}^{0\,p}$ attacks,

$\binom{N}{p}$ most informative attacks (Joshi and Boyd, '08).

Page 62

Outline

Wireless Sensor Networks (WSN)
Tech Push and Applications
Advantages and Limitations of WSN

Closing the Loop around WSN
On-time WSN Based Control
Robustness and Fault Tolerance against Random Failures
Vulnerabilities, Threats, and Countermeasures

Research on Secure and Resilient Control
Threat Assessment
Detection of Deception Attacks
Attack Resilient Control

Future Work

Page 63

Building Operating System

Courtesy of Arun Majumdar

Page 64

Cooperative Continuous Reduction

Aim of the Action Webs Project

To achieve 40% reduction over 4 years

Page 65

Heterogeneous Sensor Webs

For tracking moving objects

Simple background to extract moving objects in a scene

Built on Intel Vision Library

UCB/ITRI CITRIC Mote

Page 66

Towards Foundations of Multi-Person, Networked Games
