Research Article
Optimal Jamming Attack Scheduling in Networked Sensing and Control Systems
Lifu Zhang,1 Heng Zhang,2 Cunhua Li,2 and Buxi Ni1
1 Wenzhou Vocational & Technical College, Wenzhou 325000, China
2 Huaihai Institute of Technology, Lianyungang 222000, China
Correspondence should be addressed to Heng Zhang; ezhangheng@gmail.com
Received 8 June 2015; Revised 19 August 2015; Accepted 16 September 2015
Academic Editor: Jianping He
Copyright © 2015 Lifu Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
This paper investigates the optimal jamming attack scheduling in Networked Sensing and Control Systems (NSCS). From the viewpoint of the attacker, we formulate an optimization problem which maximizes the Linear Quadratic Gaussian (LQG) control cost with attacking energy constraint in a finite time horizon. For two special cases, we obtain that the optimal jamming attack schedule is to consecutively attack in the given time horizon. For the general case, we propose an algorithm to find the optimal schedules. Finally, we study the effectiveness of our proposed attack strategies on our established semiphysical testbed.
1. Introduction
Networked Sensing and Control Systems (NSCS) are control systems wherein physical elements, that is, plants, sensors, controllers, and actuators, are connected via wireless communication networks. NSCS have a wide range of applications in factory automation, unmanned aerial vehicles, remote surgery, intelligent transportation, smart grid, smart building, and so forth [1–5]. The essential characteristic of NSCS is that the physical elements and cyberspace are tightly integrated to carry out various jobs [6–8]. However, NSCS are vulnerable to an increasing number of malicious cyber attacks [9]. For example, an Iranian nuclear facility was attacked by "Stuxnet" in 2010 and could not operate normally for a long time, since more than 60% of centrifugal control systems were destroyed [10].
In the past few years, several studies have focused on evaluating the effect of cyber attacks on NSCS, for example, Denial-of-Service (DoS) attacks [11, 12], replay attacks [13, 14], and false data injection attacks [15, 16]. Among these attacks, the DoS attack is the most accomplishable one and can result in serious consequences [11]. Thus it has been widely studied recently. In order to block the communication between system elements, a DoS attacker can interfere with the radio frequencies on the communication channels [17]. In fact, jamming is a typical mode of DoS attack [18].
LQG control cost, which is used to synthetically consider the cost of system states and control, is an important performance index in NSCS. Some research has put emphasis on the security of LQG control under jamming attack [11, 19, 20]. Amin et al. study the optimal controller which minimizes the LQG cost with safety and energy constraints when a jamming attacker takes independent and identically distributed jamming actions [11]. They present semidefinite programming to solve this problem. Gupta et al. design an optimal controller to defend against the intelligent jamming attack with limited actions [19]. Shisheh Foroush and Martinez propose an event-triggered control law which can prevent the periodic jamming attack with energy constraint [20]. The commonality of these works is that they all focus on the design of defense strategies under given attack patterns. However, our work stands in the viewpoint of the attacker and finds the optimal attack schedules to maximize the control performance. This is of equal importance, as one can provide effective defensive policies only when one grasps the attack strategies.
Hindawi Publishing Corporation, International Journal of Distributed Sensor Networks, Volume 2015, Article ID 206954, 7 pages, http://dx.doi.org/10.1155/2015/206954
The goal of this paper is to design an optimal offline jamming schedule which can maximize the attack effect on the NSCS. Specifically, in our scenario, one sensor observes the states of the plant and sends the measurements to a remote estimator via a wireless channel. The attacker has a limited energy budget in the given finite time horizon. He has to decide whether or not to jam the channel from sensor to estimator at each time. The main contributions of this paper, which distinguish it from the related literature, are summarized as follows.
(1) We formulate a jamming attack scheduling problem and look for the optimal jamming schedule that maximizes the LQG cost with energy constraint in a given finite time horizon.
(2) We present the closed form of the optimal jamming schedule for two special cases and provide an algorithm to search the optimal schedules for the general case.
(3) We study the effectiveness of proposed jamming schedules on the established semiphysical testbed.
The remainder of the paper is organized as follows. In Section 2, we formulate the problem. In Section 3, we study the system performance under a given attack schedule. In Section 4, we present the optimal jamming attack schedules for special cases and provide an algorithm to search the optimal attack schedules for the general case. In Section 5, we demonstrate the effectiveness of proposed optimal jamming schedules on the semiphysical testbed. Finally, Section 6 concludes the paper.
Notations. $\mathbb{E}[X]$ is the mean of random variable $X$, and $\mathbb{E}[X \mid Y]$ is the mean of random variable $X$ conditioned on $Y$. $\operatorname{tr}(\cdot)$ represents the trace of a matrix. $X \preceq Y$ means that $Y - X$ is nonnegative-definite, that is, $Y - X \succeq 0$.
2. Problem Formulation
2.1. System Architecture. Consider the following linear time-invariant system (Figure 1):
$$x_{t+1} = A x_t + u_t + w_t, \qquad y_t = C x_t + v_t, \tag{1}$$
where $x_t \in \mathbb{R}^{n_x}$ is the state of the plant at time $t$, $y_t \in \mathbb{R}^{n_y}$ is the measurement from the sensor, and $w_t$ and $v_t$ are uncorrelated zero-mean Gaussian white noises with covariance $\Sigma_w$ and $\Sigma_v$, respectively. The pair $(A, C)$ is assumed to be observable and $(A, \Sigma_w^{1/2})$ is controllable.
In our scenario, the sensor observes the plant and gets the measurements $y_t$. According to these measurements, it preestimates the state $x_t$ and obtains the minimum mean squared error (MMSE) estimate, that is, $\hat{x}^s_t = \mathbb{E}[x_t \mid y_1, \ldots, y_t]$. Then the sensor sends these estimates to a remote estimator through a wireless channel. The controller then generates a control packet $u_t$ based on the received estimates and sends the control packet to the actuator through another dependable channel.
Let $\theta_t$ be the indicator function of whether the packet $\hat{x}^s_t$ is received or not by the estimator, that is,
$$\theta_t = \begin{cases} 1, & \text{if } \hat{x}^s_t \text{ is received by the estimator}, \\ 0, & \text{otherwise}. \end{cases} \tag{2}$$
Figure 1: System architecture (blocks: actuator, plant, sensor, attacker, wireless network, estimator, controller).
Denote by $\mathcal{D}_t$ all the data received by the estimator until time $t$, that is,
$$\mathcal{D}_t = \{\theta_1, \theta_2, \ldots, \theta_t, \theta_1 \hat{x}^s_1, \theta_2 \hat{x}^s_2, \ldots, \theta_t \hat{x}^s_t\}. \tag{3}$$
Let $\hat{x}_t$ be the minimum mean square error (MMSE) estimate in the estimator at time $t$, that is,
$$\hat{x}_t = \mathbb{E}[x_t \mid \mathcal{D}_t]. \tag{4}$$
The corresponding error covariance is
$$P_t = \mathbb{E}[(x_t - \hat{x}_t)(x_t - \hat{x}_t)' \mid \mathcal{D}_t]. \tag{5}$$
Similar to [21], we have
$$\hat{x}_t = \begin{cases} \hat{x}^s_t, & \text{if } \theta_t = 1, \\ A \hat{x}^s_{t-1} + B u_{t-1}, & \text{otherwise}. \end{cases} \tag{6}$$
In order to minimize the LQG cost function
$$J = \sum_{t=0}^{T-1} \mathbb{E}[x_t' Q x_t + u_t' R u_t] + x_T' Q x_T \tag{7}$$
in the finite time horizon $[1, T]$, where $Q \succeq 0$ and $R \succ 0$ are two weighting matrices and the expectation is taken over $w_k$, we exploit a linear static feedback controller of the form $u_k = L \hat{x}_k$. It is assumed that the system is unaware of the existence of the attacker.
2.2. Attack Model. In our scenario, there is an attacker who wishes to deteriorate the control performance by jamming the sensor-to-estimator wireless channel. It is assumed that the attacker has a limited energy budget, that is, he can attack $n$ times at most in the time horizon $[1, T]$ [22]. The attacker has to decide whether to attack or not at each sampling time in order to achieve his aim. Let $\gamma_t$ be the attack decision variable at time $t$, that is,
$$\gamma_t = \begin{cases} 1, & \text{if the attacker jams the wireless channel}, \\ 0, & \text{otherwise}. \end{cases} \tag{8}$$
Similar to [18], we assume that the attack action is successful with probability $\alpha$ and that packet drop variables under attack are independent.
Specifically, from the viewpoint of the attacker, he aims to maximize the cost function with energy constraint, which is as follows.
Problem 1. Consider
$$\max_{\gamma \in \Theta} \ \mathbb{E}[J(\gamma)] \quad \text{s.t.} \quad \sum_{t=1}^{T} \gamma_t \le n, \tag{9}$$
where $\gamma = (\gamma_1, \gamma_2, \ldots, \gamma_T)$ is the attack schedule on the finite time horizon $[1, T]$ and $\Theta = \{\gamma \mid \gamma_t \in \{0, 1\},\ t = 1, 2, \ldots, T\}$ is the attack schedule space.
3. Preliminaries
In this section, we present some properties of the estimate at the estimator side and the control performance of the plant under a jamming attack.
3.1. State Estimation under Jamming Attack. From the standard Kalman filter, the estimate and corresponding error covariance at the sensor side can be calculated as follows:
$$\begin{aligned} \hat{x}^s_{t|t-1} &= A \hat{x}^s_{t-1} + u_{t-1}, \\ P^s_{t|t-1} &= A P^s_{t-1} A' + \Sigma_w, \\ K^s_t &= P^s_{t|t-1} C' [C P^s_{t|t-1} C' + \Sigma_v]^{-1}, \\ \hat{x}^s_t &= A \hat{x}^s_{t-1} + K^s_t (y_t - C \hat{x}^s_{t|t-1}), \\ P^s_t &= (I - K^s_t C) P^s_{t|t-1}, \end{aligned} \tag{10}$$
where the initial state is $x_0 = 0$ and $P^s_0 = \Pi_0$. From [23], we can see that the error covariance $P^s_t$ converges exponentially to its steady-state value $P$. Thus we assume that $\Pi_0 = P$. It can be seen that $P^s_t = P$ for all $t \in [1, T]$.
Define functions $h$, $h^t$ as $h(X) \triangleq A X A' + \Sigma_w$ and $h^t(X) \triangleq \underbrace{h \circ h \circ \cdots \circ h}_{t \text{ times}}(X)$.
From [23], the following result holds.
Lemma 2. The function $h$ has the following property:
$$P \preceq h(P) \preceq h^2(P) \preceq \cdots \preceq h^t(P) \preceq \cdots, \quad \forall t \in \mathbb{Z}_+. \tag{11}$$
From [22], we can obtain the estimate $\hat{x}_t$ and error covariance $P_t$ at the estimator side as follows:
$$(\hat{x}_t, P_t) = \begin{cases} (A \hat{x}_{t-1} + u_{t-1},\ h(P_{t-1})), & \text{if } \gamma_t = 1,\ \theta_t = 1, \\ (\hat{x}^s_t,\ P), & \text{otherwise}. \end{cases} \tag{12}$$
Define attack sequence $(k_1, k_2, \ldots, k_s)$ as the attack schedules which have the following form:
$$(0, \ldots, 0, \underbrace{1, \ldots, 1}_{k_1 \text{ times}}, 0, \ldots, 0, \underbrace{1, \ldots, 1}_{k_2 \text{ times}}, \ldots, 0, \ldots, 0, \underbrace{1, \ldots, 1}_{k_s \text{ times}}, 0, \ldots, 0). \tag{13}$$
Similar to [18, 22], one can get the following result.
Lemma 3. Let $E(k_1 \otimes k_2 \otimes \cdots \otimes k_s)$ be the average expected error covariance in time horizon $[1, T]$ under attack sequence $(k_1, k_2, \ldots, k_s)$ at the estimator side, and let $E(k)$ be the average expected error covariance under attack sequence $(k)$. The following statements are true:
(1) $E(k_1) \preceq E(k_2)$, where $k_1 < k_2$;
(2) $E(k_1 \otimes k_2 \otimes \cdots \otimes k_s) \preceq E(k)$, where $k = k_1 + k_2 + \cdots + k_s$;
(3) $E(k_1 \otimes k_2) \preceq E(l_1 \otimes l_2)$, where $k_1 + k_2 = l_1 + l_2$ and $\max\{k_1, k_2, l_1, l_2\}$ is $l_1$ or $l_2$.
From Lemma 3, we can see that grouping the attacks together as much as possible can lead to maximal average error covariance.
3.2. Control Performance under Jamming Attack. In order to find the optimal offline jamming attack scheduling, we have to study the control performance when the attack schedule is given.
According to [5, 24], one can obtain the following result.
Lemma 4. The LQG control cost function under a given attack schedule $\gamma$ can be calculated as follows:
$$J(\gamma) = \operatorname{tr}(S_0 P_0) + \sum_{t=0}^{T-1} \operatorname{tr}(S_{t+1} \Sigma_w) + \sum_{t=0}^{T-1} \operatorname{tr}[(A' S_{t+1} A + Q - S_t)\, \mathbb{E}_\gamma(P_t)], \tag{14}$$
where $S_t$ can be computed from the following recursive equation:
$$S_t = A' S_{t+1} A + Q - A' S_{t+1} (S_{t+1} + R)^{-1} S_{t+1} A, \quad t = 0, 1, \ldots, T - 1. \tag{15}$$
In fact, (15) converges quickly to a steady state. Thus, if $T \to \infty$, one can see that
$$S = A' S A + Q - A' S (S + R)^{-1} S A, \tag{16}$$
where $S = \lim_{T \to \infty} S_T$. In practice, we often choose $u_t = L \hat{x}_t$ with control gain $L = -(S + R)^{-1} S A$ as the optimal static state feedback controller to maximize the cost $J_\infty = \lim_{T \to \infty} J$.
In our scenario, we assume that the system has reached steady state, that is, $S_0 = S$ and $P_0 = P$. Then (14) can be rewritten as
$$J(\gamma) = J_c + J_e, \tag{17}$$
where
$$J_c = \operatorname{tr}(S P) + N \cdot \operatorname{tr}(S \Sigma_w), \qquad J_e = \sum_{t=0}^{T-1} \operatorname{tr}[(A' S A + Q - S)\, \mathbb{E}_\gamma(P_t)]. \tag{18}$$
It can be seen that $J_c$ and $J_e$ are the constant part and varying part of (17), respectively. Thus we only have to study the optimal jamming attack schedule which maximizes $J_e$, which is as follows.
Problem 5. Consider
$$\max_{\gamma \in \Theta} \ \mathbb{E}[J_e(\gamma)] \quad \text{s.t.} \quad \sum_{t=1}^{T} \gamma_t \le n. \tag{19}$$
4. Optimal Jamming Attack Schedules
In this section, we first study the jamming schedules against LQG control for two special cases and present the closed form of optimal schedules. Then we investigate the attack strategies for the general case.
4.1. Case I: $R = 0$. When $R = 0$, it can be seen that the LQG cost function becomes
$$J = \sum_{t=0}^{T} \mathbb{E}[x_t' Q x_t]. \tag{20}$$
From Lemma 4, we can obtain the following conclusion.
Theorem 6. If $R = 0$, the optimal state feedback controller is $u_t = L \hat{x}_t = -A \hat{x}_t$, and the corresponding LQG cost function under attack schedule $\gamma$ is
$$J = J_c + J_e, \tag{21}$$
where
$$J_c = \operatorname{tr}(Q P) + N \cdot \operatorname{tr}(Q \Sigma_w), \qquad J_e = \sum_{t=0}^{T-1} \operatorname{tr}[A' Q A\, \mathbb{E}_\gamma(P_t)]. \tag{22}$$
According to Theorem 6, we can see that the attacker only needs to maximize $\mathbb{E}[J_e]$. Since $A' Q A \succeq 0$, one can obtain that $\max_\gamma \mathbb{E}[J_e]$ is equivalent to $\max_\gamma \mathbb{E}[\sum_{t=0}^{N-1} P_t(\gamma)]$. Thus, from the viewpoint of the attacker, we only have to solve the following problem.
Problem 7. Consider
$$\max_{\gamma \in \Theta} \ \mathbb{E}\left[\sum_{t=0}^{N-1} P_t(\gamma)\right] \quad \text{s.t.} \quad \sum_{t=1}^{T} \gamma_t \le n. \tag{23}$$
From [18, 22], Problem 7 can be easily solved by the following theorem.
Theorem 8. When $R = 0$, the optimal attack schedules are any consecutive attack $n$ times in time horizon $[1, T]$, and the corresponding expected LQG cost function is
$$\mathbb{E}(J) = J_c + J_e^{\max}, \tag{24}$$
where
$$J_e^{\max} = \sum_{i=1}^{T} \operatorname{tr}[g_i(P)] + (T - n\alpha) \operatorname{tr}[M P], \tag{25}$$
with $M = A' Q A$ and $g_i(P) = M h^i(P)$.
4.2. Case II: $S_0 = S$. Define $M = A' S A + Q - S$ and $g_i(P) = M h^i(P)$, $i = 1, 2, \ldots$. Then we have the following lemma.
Lemma 9. The function $g$ has the following property:
$$g_1(P) \preceq g_2(P) \preceq \cdots \preceq g_i(P) \preceq \cdots. \tag{26}$$
According to Section 3.2, the objective of Problem 1 is equivalent to $\max_\gamma \mathbb{E}[\sum_{t=0}^{N-1} P_t(\gamma)]$. Thus, from the viewpoint of the attacker, we only have to solve Problem 7 for the case $S_0 = S$. From Lemma 9 and Theorem 3.1 in [22], we can solve this problem by the following theorem.
Theorem 10. When $S_0 = S$, the optimal attack schedules are any consecutive attack $n$ times in time horizon $[1, T]$, and the corresponding expected LQG cost function is
$$\mathbb{E}(J) = J_c + J_e^{\max}, \tag{27}$$
where
$$J_e^{\max} = \sum_{i=1}^{T} \operatorname{tr}[g_i(P)] + (T - n\alpha) \operatorname{tr}[M \cdot P]. \tag{28}$$
4.3. General Case Study. For the general case, it is difficult to obtain a closed form of the optimal attack schedule. The attacker can find the optimal jamming schedule by the exhaustion method, which is given in Algorithm 1. Since this schedule can be computed before the attack action begins, the computation of our proposed algorithm will not cost too much.
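An added example (not code from the paper) of the exhaustive search of Algorithm 1, written as a worst-case analysis a defender can run for Case I ($R = 0$): it scores every schedule with exactly $n$ attacks by $\sum_{t=1}^{T} \operatorname{tr}(M\,\mathbb{E}[P_t])$ and keeps the largest. The 2-state system, $\alpha$, $T$, $n$, the measurement matrix $C = [1\ 0]$, the summation range, and the reading that a successful jam drops the packet, so that $\mathbb{E}[P_t] = \gamma_t \alpha\, h(\mathbb{E}[P_{t-1}]) + (1 - \gamma_t \alpha) P$, are assumptions made for this illustration.

```python
from itertools import combinations

# Constructed 2-state system for illustration (not the paper's testbed values).
A = [[1.1, 0.2], [0.0, 0.9]]
SIGMA_W = [[0.5, 0.0], [0.0, 0.5]]   # process-noise covariance
SIGMA_V = 0.2                         # measurement-noise variance, C = [1 0] assumed
Q = [[1.0, 0.0], [0.0, 1.0]]          # state weight; R = 0 (Case I)
ALPHA = 0.8                           # assumed probability that a jam drops the packet


def mm(X, Y):
    """Matrix product of two nested-list matrices."""
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*Y)] for row in X]


def tp(X):
    """Transpose."""
    return [list(col) for col in zip(*X)]


def mix(a, X, b, Y):
    """Element-wise a*X + b*Y."""
    return [[a * x + b * y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]


def tr(X):
    """Trace of a square matrix."""
    return sum(X[i][i] for i in range(len(X)))


def h(X):
    """h(X) = A X A' + Sigma_w: one step of open-loop covariance growth."""
    return mix(1.0, mm(mm(A, X), tp(A)), 1.0, SIGMA_W)


def steady_state_P(iters=500):
    """Iterate the sensor-side Kalman recursion (10) to its fixed point P."""
    P = [[1.0, 0.0], [0.0, 1.0]]
    for _ in range(iters):
        Pp = h(P)                                  # P_{t|t-1}
        s = Pp[0][0] + SIGMA_V                     # C Pp C' + Sigma_v for C = [1 0]
        K = [Pp[0][0] / s, Pp[1][0] / s]           # Kalman gain
        P = [[Pp[i][j] - K[i] * Pp[0][j] for j in range(2)] for i in range(2)]
    return P


def expected_cost(schedule, P, M):
    """Sum over t of tr(M E[P_t]) for a 0/1 jamming schedule.

    h is affine and drops are independent, so the expectation obeys
    E[P_t] = g*alpha*h(E[P_{t-1}]) + (1 - g*alpha)*P.
    """
    E, total = P, 0.0
    for g in schedule:
        p_drop = ALPHA * g
        E = mix(p_drop, h(E), 1.0 - p_drop, P)
        total += tr(mm(M, E))
    return total


def exhaustive_search(T, n, P, M):
    """Algorithm 1: score every schedule with exactly n attacks, keep the worst."""
    best, best_cost = None, float("-inf")
    for times in combinations(range(T), n):
        sched = [1 if t in times else 0 for t in range(T)]
        cost = expected_cost(sched, P, M)
        if cost > best_cost:
            best, best_cost = sched, cost
    return best, best_cost


def is_consecutive(schedule):
    """True when all attack slots form one unbroken block."""
    ones = [t for t, g in enumerate(schedule) if g]
    return bool(ones) and ones[-1] - ones[0] + 1 == len(ones)


def worst_case_report(T=8, n=3):
    """Compare no attack, spread-out attacks and the exhaustive worst case."""
    P = steady_state_P()
    M = mm(mm(tp(A), Q), A)                        # M = A'QA (Theorem 8)
    best, best_cost = exhaustive_search(T, n, P, M)
    spread = [1 if t % 2 == 0 and t // 2 < n else 0 for t in range(T)]
    return {
        "baseline_cost": expected_cost([0] * T, P, M),
        "spread_cost": expected_cost(spread, P, M),
        "best_schedule": best,
        "best_cost": best_cost,
    }


if __name__ == "__main__":
    for key, value in worst_case_report().items():
        print(key, value)
```

On this constructed system the search returns one block of adjacent attack slots, in line with the consecutive-attack result of Theorem 8, and the spread-out schedule costs less; the gap between the baseline and the worst case is the degradation a monitoring or retransmission scheme would have to absorb.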
Input: $H_{\text{time}} = T$, $\Pi_0 = P$, $J^* = 0$
for $\gamma_1 + \gamma_2 + \cdots + \gamma_T = n$ do
    Compute LQG cost (14) under attack schedule $\gamma$, that is, $J = J(\gamma)$
    if $J > J^*$ then
        $J^* = J$ and $\gamma^* = (\gamma_1, \gamma_2, \ldots, \gamma_T)$
    end if
end for
Output: optimal attack schedule $\gamma^*$ and corresponding cost $J^*$
Algorithm 1: Optimal offline attack schedule.
5. Simulation
5.1. Testbed. There are three types of testbeds for simulation of NSCS security, that is, software simulation testbeds, physical simulation testbeds, and semiphysical simulation testbeds. The software simulation testbeds cannot fully simulate the real environment. The physical simulation testbeds can employ the same experimental equipment as the real world to construct the security test platform. However, they need a long cycle of construction and great cost. Fortunately, semiphysical simulation testbeds are a good choice for NSCS security, since they can simulate the real working environment and save the cost. Thus we choose a semiphysical simulation testbed to study the effectiveness of our proposed attack strategy.
Figure 2: The structure of the semiphysical testbed. (a) The physical structure (components: virtual plant, PLC, wireless devices, USRP, controller). (b) The schematic diagram (elements: virtual plant, control algorithm, measurement signal, USRP attacker, PLC, control signal).
Our semiphysical simulation testbed is composed of a virtual plant, a physical controller, and a communication network. Figure 2 shows the system architecture. In our testbed, real-time system states of the virtual plant are sent to the PLC through a wireless network. After reading the system states, the controller calculates the control data and writes them back to the PLC. Then the control data are sent back to the virtual plant via a wired channel.
We build an inverted pendulum control system for experiments, which is based on the system presented in [5]. The parameters are given as follows:
$$A = \begin{pmatrix} 1.001 & 0.005 & 0.000 & 0.000 \\ 0.350 & 1.001 & -0.135 & 0.000 \\ -0.001 & 0.000 & 1.001 & 0.005 \\ -0.375 & -0.001 & 0.590 & 1.001 \end{pmatrix}, \quad B = \begin{pmatrix} 0.001 \\ 0.540 \\ -0.002 \\ -1.066 \end{pmatrix},$$
$$\Sigma_w = q q', \quad q = \begin{pmatrix} 0.003 \\ 1.000 \\ -0.005 \\ -2.150 \end{pmatrix}, \quad Q = \begin{pmatrix} 5 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}. \tag{29}$$
We employ USRP N210 to simulate jamming attack on the wireless channel from sensor to controller. USRP is a universal software radio peripheral that can send and receive radio signals. We use the software GNU Radio in Ubuntu to manipulate the USRP. The frequency spectrum analyzer is adopted to detect the central frequency and waveform of transmission signals. Then we adapt the parameters on GNU Radio to configure the USRP. Experimental parameters are set as follows: center frequency is 433 MHz, waveform is sawtooth, jamming power is 16 dB, and jamming signal frequency is 10k; bandwidth is 20 MHz.
Figure 3: Comparison of the cost $J$ under different attack strategies: (a) $R = 0$; (b) $S_0 = S$. The lateral axis is the mark number of the attack strategy; the vertical axis is the cost, scaled by $10^5$. Attack strategy 10 is the consecutive attack strategy.
Table 1: Attack schedules in our experiment.
| Mark number | Attack sequence |
|---|---|
| 1 | No attack |
| 2 | (1, 2, 3, 4) |
| 3 | (6, 3, 1) |
| 4 | (4, 4, 2) |
| 5 | (5, 5) |
| 6 | (4, 6) |
| 7 | (7, 3) |
| 8 | (8, 2) |
| 9 | (9, 1) |
| 10 | (10) |
We verify the proposed optimal offline attack strategies through experiments based on the semiphysical testbed. We set $T = 250$ and the attack times $n = 10$ in the finite time horizon $[1, 250]$. It means that the attacker can assign the 10 times of attack in this period.
5.2. Simulation Results Analysis. We study the effectiveness of jamming attack with 10 different schedules when $R = 0$ and $S_0 = S$, respectively (see Table 1). From Figure 3(a), we can compare the cost $J$ under different attack schedules when $R = 0$. It can be seen that the attack schedule with 10 consecutive attack times can maximize the LQG cost. We also present the variation of system states and control data under the optimal attack schedule in Figure 4. From this figure, these data will deviate from the equilibrium points when the wireless channel is under jamming attack. Similarly, we can also study the LQG cost $J$ under different attack schedules when $S_0 = S$. From Figure 3(b), we can also see that the consecutive attack schedule is optimal. These experimental results verify the theoretical conclusions in Section 4.
Figure 4: The variation of system states and control data under attack schedule 10 (optimal attack) when $R = 0$. (Panels plot $\theta_1$, $\theta_2$ in rad and the control $u$ against $t$, for $t$ from 180 to 250.)
6. Conclusion
In this paper, we considered the optimal jamming attack scheduling which can destroy the system control performance. We formulated an optimization problem that maximizes the LQG cost subject to the attacker's energy constraint in a given finite time horizon. The optimal attack schedule has been presented for two special cases. For the general case, we provided an algorithm to find the optimal attack schedule. We also established a semiphysical testbed and studied the effectiveness of proposed attack schedules by simulation. In the future, we will study the evaluation of control performance when the NSCS is under other types of cyber attack, for example, data injection attack and replay attack. We will also design effective defense strategies to avoid the cyber attacks in NSCS.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
The work was partially supported by Professional Development Program for Visiting Scholars in Colleges and Universities under Grant FX2014144 and Zhejiang Provincial Natural Science Foundation of China under Grant Y16F030011. The work by H. Zhang was supported by NSFC under Grants 61203036, 61503147, and 71401060, the University Science Research General Project of Jiangsu Province under Grant 15KJB510002, Huaihai Institute of Technology Doctoral Research Funding under Grant KQ15007, and Lianyungang Science and Technology Projects under Grants CK1331 and CN1321.
References
[1] R. A. Gupta and M.-Y. Chow, "Networked control system: overview and research trends," IEEE Transactions on Industrial Electronics, vol. 57, no. 7, pp. 2527–2535, 2010.
[2] S. He, J. Chen, D. K. Y. Yau, and Y. Sun, "Cross-layer optimization of correlated data gathering in wireless sensor networks," IEEE Transactions on Mobile Computing, vol. 11, no. 11, pp. 1678–1691, 2012.
[3] L. Zhang, Y. Shi, T. Chen, and B. Huang, "A new method for stabilization of networked control systems with random delays," IEEE Transactions on Automatic Control, vol. 50, no. 8, pp. 1177–1181, 2005.
[4] S. He, J. Chen, F. Jiang, D. K. Y. Yau, G. Xing, and Y. Sun, "Energy provisioning in wireless rechargeable sensor networks," IEEE Transactions on Mobile Computing, vol. 12, no. 10, pp. 1931–1942, 2013.
[5] L. Schenato, B. Sinopoli, M. Franceschetti, K. Poolla, and S. S. Sastry, "Foundations of control and estimation over lossy networks," Proceedings of the IEEE, vol. 95, no. 1, pp. 163–187, 2007.
[6] J. Chen, Q. Yu, P. Cheng, Y. Sun, Y. Fan, and X. Shen, "Game theoretical approach for channel allocation in wireless sensor and actuator networks," IEEE Transactions on Automatic Control, vol. 56, no. 10, pp. 2332–2344, 2011.
[7] Y. Zhang, S. He, J. Chen, Y. Sun, and X. Shen, "Distributed sampling rate control for rechargeable sensor nodes with limited battery capacity," IEEE Transactions on Wireless Communications, vol. 12, no. 6, pp. 3096–3106, 2013.
[8] S. He, X. Li, J. Chen, P. Cheng, Y. Sun, and D. Simplot-Ryl, "EMD: energy-efficient p2p message dissemination in delay-tolerant wireless sensor and actor networks," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 75–84, 2013.
[9] N. Bezzo, J. Weimer, M. Pajic, O. Sokolsky, G. J. Pappas, and I. Lee, "Attack resilient state estimation for autonomous robotic systems," in Proceedings of the IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS '14), pp. 3692–3698, Chicago, Ill, USA, September 2014.
[10] J. P. Farwell and R. Rohozinski, "Stuxnet and the future of cyber war," Survival, vol. 53, no. 1, pp. 23–40, 2011.
[11] S. Amin, A. A. Cardenas, and S. S. Sastry, "Safe and secure networked control systems under denial-of-service attacks," in Hybrid Systems: Computation and Control, vol. 5469 of Lecture Notes in Computer Science, pp. 31–45, Springer, Berlin, Germany, 2009.
[12] Y. Qi, P. Cheng, L. Shi, and J. Chen, "Event-based attack against remote state estimation," in Proceedings of the IEEE Annual Conference on Decision and Control (CDC '15), Osaka, Japan, December 2015.
[13] F. Miao, M. Pajic, and G. J. Pappas, "Stochastic game approach for replay attack detection," in Proceedings of the 52nd IEEE Conference on Decision and Control (CDC '13), pp. 1854–1859, IEEE, Firenze, Italy, December 2013.
[14] M. Zhu and S. Martínez, "On the performance analysis of resilient networked control systems under replay attacks," IEEE Transactions on Automatic Control, vol. 59, no. 3, pp. 804–808, 2014.
[15] Y. Mo, R. Chabukswar, and B. Sinopoli, "Detecting integrity attacks on SCADA systems," IEEE Transactions on Control Systems Technology, vol. 22, no. 4, pp. 1396–1407, 2014.
[16] J. He, P. Cheng, L. Shi, and J. Chen, "SATS: secure average-consensus-based time synchronization in wireless sensor networks," IEEE Transactions on Signal Processing, vol. 61, no. 24, pp. 6387–6400, 2013.
[17] R. Poisel, Modern Communications Jamming Principles and Techniques, Artech House, 2011.
[18] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal DoS attack policy against remote state estimation," in Proceedings of the 52nd IEEE Conference on Decision and Control (CDC '13), pp. 5444–5449, Firenze, Italy, December 2013.
[19] A. Gupta, C. Langbort, and T. Basar, "Optimal control in the presence of an intelligent jammer with limited actions," in Proceedings of the 49th IEEE Conference on Decision and Control (CDC '10), pp. 1096–1101, IEEE, Atlanta, Ga, USA, December 2010.
[20] H. Shisheh Foroush and S. Martinez, "On event-triggered control of linear systems under periodic denial-of-service jamming attacks," in Proceedings of the 51st IEEE Conference on Decision and Control (CDC '12), pp. 2551–2556, IEEE, Maui, Hawaii, USA, December 2012.
[21] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal denial-of-service attack scheduling against linear quadratic gaussian control," in Proceedings of the American Control Conference (ACC '14), pp. 3996–4001, Portland, Ore, USA, June 2014.
[22] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal denial-of-service attack scheduling with energy constraint," IEEE Transactions on Automatic Control, 2015.
[23] L. Shi, P. Cheng, and J. Chen, "Optimal periodic sensor scheduling with limited resources," IEEE Transactions on Automatic Control, vol. 56, no. 9, pp. 2190–2195, 2011.
[24] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal DoS attack scheduling in wireless networked control system," IEEE Transactions on Control Systems Technology, 2015.
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 International Journal of Distributed Sensor Networks
whether or not to jam the channel from sensor to estimatorat each time The main contributions of this paper whichdistinguish it from the related literatures are summarized asfollows
(1) We formulate a jamming attack scheduling problemand look for the optimal jamming schedule thatmaximizes the LQG cost with energy constraint in agiven finite time horizon
(2) We present the close form of the optimal jammingschedule for two special cases and provide an algo-rithm to search the optimal schedules for the generalcase
(3) We study the effectiveness of proposed jammingschedules on the established semiphysical testbed
The remainder of the paper is organized as follows InSection 2 we formulate the problem In Section 3 we studythe system performance under given attack schedule InSection 4 we present the optimal jamming attack schedulesfor special cases and provide an algorithm to search theoptimal attack schedules for the general case In Section 5 wedemonstrate the effectiveness of proposed optimal jammingschedules on the semiphysical testbed Finally Section 6concludes the paper
Notations E[119883] is the mean of random variable119883 and E[119883 |119884] is the mean of random variable 119883 conditioned on 119884respectively tr(sdot) represents the trace of matrix119883 ⪯ 119884meansthat 119884 minus 119883 is nonnegative-definite that is 119884 minus 119883 ⪰ 0
2 Problem Formulation
2.1 System Architecture
Consider the following linear time-invariant system (Figure 1):
$$\begin{aligned} x_{t+1} &= A x_t + u_t + w_t, \\ y_t &= C x_t + v_t, \end{aligned} \tag{1}$$
where $x_t \in \mathbb{R}^{n_x}$ is the state of plant at time $t$, $y_t \in \mathbb{R}^{n_y}$ is the measurement from sensor, and $w_t$ and $v_t$ are uncorrelated zero mean Gaussian white noises with covariance $\Sigma_w$ and $\Sigma_v$, respectively. The pair $(A, C)$ is assumed to be observable and $(A, \Sigma_w^{1/2})$ is controllable.
In our scenario, the sensor observes the plant and gets the measurements $y_t$. According to these measurements, it preestimates the state $x_t$ and obtains the minimum mean squared error (MMSE) estimate, that is, $\hat{x}^s_t = \mathbb{E}[x_t \mid y_1, \ldots, y_t]$. Then the sensor sends these estimates to a remote estimator through a wireless channel. The controller then generates a control packet $u_t$ based on the received estimates and sends the control packet to the actuator through another dependable channel.
Let $\theta_t$ be the indicator function of whether the packet $\hat{x}^s_t$ is received or not by the estimator, that is,
$$\theta_t = \begin{cases} 1, & \text{if } \hat{x}^s_t \text{ is received by the estimator}, \\ 0, & \text{otherwise}. \end{cases} \tag{2}$$
Figure 1: System architecture (actuator, plant, sensor, attacker, controller, estimator, wireless network).
Denote by $\mathcal{D}_t$ all the data received by the estimator until time $t$, that is,
$$\mathcal{D}_t = \{\theta_1, \theta_2, \ldots, \theta_t, \theta_1 \hat{x}^s_1, \theta_2 \hat{x}^s_2, \ldots, \theta_t \hat{x}^s_t\}. \tag{3}$$
Let $\hat{x}_t$ be the minimum mean square error (MMSE) estimate in the estimator at time $t$, that is,
$$\hat{x}_t = \mathbb{E}[x_t \mid \mathcal{D}_t]. \tag{4}$$
The corresponding error covariance is
$$P_t = \mathbb{E}[(x_t - \hat{x}_t)(x_t - \hat{x}_t)' \mid \mathcal{D}_t]. \tag{5}$$
Similar to [21], we have
$$\hat{x}_t = \begin{cases} \hat{x}^s_t, & \text{if } \theta_t = 1, \\ A \hat{x}^s_{t-1} + B u_{t-1}, & \text{otherwise}. \end{cases} \tag{6}$$
In order to minimize the LQG cost function
$$J = \sum_{t=0}^{T-1} \mathbb{E}[x_t' Q x_t + u_t' R u_t] + x_T' Q x_T \tag{7}$$
in the finite time horizon $[1, T]$, where $Q \succeq 0$ and $R \succ 0$ are two weighting matrices and the expectation is taken over $w_k$, we exploit a linear static feedback controller of the form $u_k = L \hat{x}_k$. It is assumed that the system is unaware of the existence of the attacker.
2.2 Attack Model
In our scenario, there is an attacker who wishes to deteriorate the control performance by jamming the sensor-to-estimator wireless channel. It is assumed that the attacker has a limited energy budget, that is, he can attack $n$ times at most in the time horizon $[1, T]$ [22]. The attacker has to decide whether to attack or not at each sampling time in order to achieve his aim. Let $\gamma_t$ be the attack decision variable at time $t$, that is,
$$\gamma_t = \begin{cases} 1, & \text{if the attacker jams the wireless channel}, \\ 0, & \text{otherwise}. \end{cases} \tag{8}$$
Similar to [18], we assume that the attack action is successful with probability $\alpha$ and that packet drop variables under attack are independent.
Specifically, from the viewpoint of the attacker, he aims to maximize the cost function with energy constraint, which is as follows.
Problem 1. Consider
$$\max_{\gamma \in \Theta} \ \mathbb{E}[J(\gamma)] \quad \text{s.t.} \quad \sum_{t=1}^{T} \gamma_t \le n, \tag{9}$$
where $\gamma = (\gamma_1, \gamma_2, \ldots, \gamma_T)$ is the attack schedule on the finite time horizon $[1, T]$ and $\Theta = \{\gamma \mid \gamma_t \in \{0, 1\},\ t = 1, 2, \ldots, T\}$ is the attack schedule space.
3 Preliminaries
In this section, we present some properties of the estimate at the estimator side and the control performance of the plant under a jamming attack.
3.1 State Estimation under Jamming Attack
From the standard Kalman filter, the estimate and corresponding error covariance at the sensor side can be calculated as follows:
$$\begin{aligned} \hat{x}^s_{t|t-1} &= A \hat{x}^s_{t-1} + u_{t-1}, \\ P^s_{t|t-1} &= A P^s_{t-1} A' + \Sigma_w, \\ K^s_t &= P^s_{t|t-1} C' [C P^s_{t|t-1} C' + \Sigma_v]^{-1}, \\ \hat{x}^s_t &= A \hat{x}^s_{t-1} + K^s_t (y_t - C \hat{x}^s_{t|t-1}), \\ P^s_t &= (I - K^s_t C) P^s_{t|t-1}, \end{aligned} \tag{10}$$
where the initial state is $x_0 = 0$ and $P^s_0 = \Pi_0$. From [23], we can see that the error covariance $P^s_t$ converges exponentially to its steady-state value $P$. Thus we assume that $\Pi_0 = P$. It can be seen that $P^s_t = P$ for all $t \in [1, T]$.
Define functions $h$, $h^t$ as $h(X) \triangleq A X A' + \Sigma_w$ and $h^t(X) \triangleq \underbrace{h \circ h \circ \cdots \circ h}_{t \text{ times}}(X)$.
From [23], the following result holds.
Lemma 2. The function $h$ has the following property:
$$P \preceq h(P) \preceq h^2(P) \preceq \cdots \preceq h^t(P) \preceq \cdots, \quad \forall t \in \mathbb{Z}_+. \tag{11}$$
From [22], we can obtain the estimate $\hat{x}_t$ and error covariance $P_t$ at the estimator side as follows:
$$(\hat{x}_t, P_t) = \begin{cases} (A \hat{x}_{t-1} + u_{t-1},\ h(P_{t-1})), & \text{if } \gamma_t = 1,\ \theta_t = 1, \\ (\hat{x}^s_t,\ P), & \text{otherwise}. \end{cases} \tag{12}$$
Define attack sequence $(k_1, k_2, \ldots, k_s)$ as the attack schedules which have the following form:
$$(0, \ldots, 0, \underbrace{1, \ldots, 1}_{k_1 \text{ times}}, 0, \ldots, 0, \underbrace{1, \ldots, 1}_{k_2 \text{ times}}, \ldots, 0, \ldots, 0, \underbrace{1, \ldots, 1}_{k_s \text{ times}}, 0, \ldots, 0). \tag{13}$$
Similar to [18, 22], one can get the following result.
Lemma 3. Let $E(k_1 \otimes k_2 \otimes \cdots \otimes k_s)$ be the average expected error covariance in time horizon $[1, T]$ under attack sequence $(k_1, k_2, \ldots, k_s)$ at the estimator side, and let $E(k)$ be the average expected error covariance under attack sequence $(k)$. The following statements are true:
(1) $E(k_1) \preceq E(k_2)$, where $k_1 < k_2$.
(2) $E(k_1 \otimes k_2 \otimes \cdots \otimes k_s) \preceq E(k)$, where $k = k_1 + k_2 + \cdots + k_s$.
(3) $E(k_1 \otimes k_2) \preceq E(l_1 \otimes l_2)$, where $k_1 + k_2 = l_1 + l_2$ and $\max\{k_1, k_2, l_1, l_2\}$ is $l_1$ or $l_2$.
From Lemma 3, we can see that grouping the attacks together as much as possible leads to the maximal average error covariance.
3.2 Control Performance under Jamming Attack
In order to find the optimal offline jamming attack schedule, we have to study the control performance when the attack schedule is given.
According to [5, 24], one can obtain the following result.
Lemma 4. The LQG control cost function under a given attack schedule $\gamma$ can be calculated as follows:
$$J(\gamma) = \mathrm{tr}(S_0 P_0) + \sum_{t=0}^{T-1} \mathrm{tr}(S_{t+1} \Sigma_w) + \sum_{t=0}^{T-1} \mathrm{tr}[(A' S_{t+1} A + Q - S_t) E_\gamma(P_t)], \tag{14}$$
where $S_t$ can be computed from the following recursive equation:
$$S_t = A' S_{t+1} A + Q - A' S_{t+1} (S_{t+1} + R)^{-1} S_{t+1} A, \quad t = 0, 1, \ldots, T - 1. \tag{15}$$
In fact, (15) converges quickly to a steady state. Thus, if $T \to \infty$, one can see that
$$S = A' S A + Q - A' S (S + R)^{-1} S A, \tag{16}$$
where $S = \lim_{T \to \infty} S_T$. In practice, we often choose $u_t = L \hat{x}_t$ with control gain $L = -(S + R)^{-1} S A$ as the optimal static state feedback controller to minimize the cost $J_\infty = \lim_{T \to \infty} J$.
In our scenario, we assume that the system has reached steady state, that is, $S_0 = S$ and $P_0 = P$. Then (14) can be rewritten as
$$J(\gamma) = J_c + J_e, \tag{17}$$
where
$$\begin{aligned} J_c &= \mathrm{tr}(S P) + N \cdot \mathrm{tr}(S \Sigma_w), \\ J_e &= \sum_{t=0}^{T-1} \mathrm{tr}[(A' S A + Q - S)\, \mathbb{E}_\gamma(P_t)]. \end{aligned} \tag{18}$$
It can be seen that $J_c$ and $J_e$ are the constant part and varying part of (17), respectively. Thus we only have to study the optimal jamming attack schedule which maximizes $J_e$, which is as follows.
Problem 5. Consider
$$\max_{\gamma \in \Theta} \ \mathbb{E}[J_e(\gamma)] \quad \text{s.t.} \quad \sum_{t=1}^{T} \gamma_t \le n. \tag{19}$$
4 Optimal Jamming Attack Schedules
In this section, we first study the jamming schedules against LQG control for two special cases and present the closed form of the optimal schedules. Then we investigate the attack strategies for the general case.
4.1 Case I: $R = 0$
When $R = 0$, it can be seen that the LQG cost function becomes
$$J = \sum_{t=0}^{T} \mathbb{E}[x_t' Q x_t]. \tag{20}$$
From Lemma 4, we can obtain the following conclusion.
Theorem 6. If $R = 0$, the optimal state feedback controller is $u_t = L \hat{x}_t = -A \hat{x}_t$, and the corresponding LQG cost function under attack schedule $\gamma$ is
$$J = J_c + J_e, \tag{21}$$
where
$$\begin{aligned} J_c &= \mathrm{tr}(Q P) + N \cdot \mathrm{tr}(Q \Sigma_w), \\ J_e &= \sum_{t=0}^{T-1} \mathrm{tr}[A' Q A\, \mathbb{E}_\gamma(P_t)]. \end{aligned} \tag{22}$$
According to Theorem 6, we can see that the attacker only needs to maximize $\mathbb{E}[J_e]$. Since $A' Q A \succeq 0$, one can obtain that $\max_\gamma \mathbb{E}[J_e]$ is equivalent to $\max_\gamma \mathbb{E}[\sum_{t=0}^{N-1} P_t(\gamma)]$. Thus, from the viewpoint of the attacker, we only have to solve the following problem.
Problem 7. Consider
$$\max_{\gamma \in \Theta} \ \mathbb{E}\left[\sum_{t=0}^{N-1} P_t(\gamma)\right] \quad \text{s.t.} \quad \sum_{t=1}^{T} \gamma_t \le n. \tag{23}$$
From [18, 22], Problem 7 can be easily solved by the following theorem.
Theorem 8. When $R = 0$, the optimal attack schedules are any consecutive attack $n$ times in time horizon $[1, T]$, and the corresponding expected LQG cost function is
$$\mathbb{E}(J) = J_c + J_e^{\max}, \tag{24}$$
where
$$J_e^{\max} = \sum_{i=1}^{T} \mathrm{tr}[g_i(P)] + (T - n\alpha)\, \mathrm{tr}[M P], \tag{25}$$
with $M = A' Q A$ and $g_i(P) = M h^i(P)$.
4.2 Case II: $S_0 = S$
Define $M = A' S A + Q - S$ and $g_i(P) = M h^i(P)$, $i = 1, 2, \ldots$. Then we have the following lemma.
Lemma 9. The function $g$ has the following property:
$$g_1(P) \preceq g_2(P) \preceq \cdots \preceq g_i(P) \preceq \cdots. \tag{26}$$
According to Section 3.2, the objective of Problem 1 is equivalent to $\max_\gamma \mathbb{E}[\sum_{t=0}^{N-1} P_t(\gamma)]$. Thus, from the viewpoint of the attacker, we only have to solve Problem 7 for the case $S_0 = S$. From Lemma 9 and Theorem 3.1 in [22], we can solve this problem by the following theorem.
Theorem 10. When $S_0 = S$, the optimal attack schedules are any consecutive attack $n$ times in time horizon $[1, T]$, and the corresponding expected LQG cost function is
$$\mathbb{E}(J) = J_c + J_e^{\max}, \tag{27}$$
where
$$J_e^{\max} = \sum_{i=1}^{T} \mathrm{tr}[g_i(P)] + (T - n\alpha)\, \mathrm{tr}[M \cdot P]. \tag{28}$$
4.3 General Case Study
For the general case, it is difficult to obtain a closed form of the optimal attack schedule. The attacker can find the optimal jamming schedule by the exhaustion method, which is given in Algorithm 1. Since this schedule can be computed before the attack action begins, the computation of our proposed algorithm will not cost too much.
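For resilience assessment, the following added example (not code from the paper) iterates (10) to the steady-state $P$, propagates the expected estimator covariance of (12) under a schedule, and runs the exhaustive search of Algorithm 1 for Case I ($M = A'QA$), which reproduces the grouping result of Lemma 3. The 2-state plant, $\alpha = 0.8$, $T = 8$, $n = 3$, the rule that a jammed slot loses the packet with probability $\alpha$, and the summation over $t = 1, \ldots, T$ are assumptions of the example.

```python
from itertools import combinations

# Constructed 2-state plant (not the paper's pendulum): unstable A, scalar measurement.
A = [[1.1, 0.2], [0.0, 0.9]]
C = [[1.0, 0.0]]
SIGMA_W = [[0.5, 0.0], [0.0, 0.5]]
SIGMA_V = 0.2
Q = [[1.0, 0.0], [0.0, 1.0]]


def mat_mul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]


def transpose(X):
    return [list(col) for col in zip(*X)]


def mat_add(X, Y, sign=1.0):
    return [[a + sign * b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def trace(X):
    return sum(X[i][i] for i in range(len(X)))


def h(X):
    """h(X) = A X A' + Sigma_w: one step of open-loop covariance growth."""
    return mat_add(mat_mul(mat_mul(A, X), transpose(A)), SIGMA_W)


def steady_state_P(iterations=500):
    """Iterate the sensor-side Kalman recursion (10) to its fixed point P."""
    P = SIGMA_W
    for _ in range(iterations):
        P_pred = h(P)                                   # P^s_{t|t-1}
        PCt = mat_mul(P_pred, transpose(C))             # n x 1 column
        innov = mat_mul(C, PCt)[0][0] + SIGMA_V         # scalar C P C' + Sigma_v
        K = [[row[0] / innov] for row in PCt]           # Kalman gain K^s_t
        P = mat_add(P_pred, mat_mul(mat_mul(K, C), P_pred), sign=-1.0)
    return P


def expected_cost(gamma, alpha, P, M):
    """Sum over t = 1..T of tr(M E[P_t]) for a 0/1 schedule gamma."""
    # weight[j] = tr(M h^j(P)): cost of a slot reached after j consecutive losses.
    weight, X = [], P
    for _ in range(len(gamma) + 1):
        weight.append(trace(mat_mul(M, X)))
        X = h(X)
    run = [1.0]          # run[j] = Pr(j consecutive losses so far); P_0 = P
    total = 0.0
    for gamma_t in gamma:
        drop = alpha * gamma_t                          # assumed loss probability in this slot
        run = [1.0 - drop] + [drop * p for p in run]    # a reception resets the run to 0
        total += sum(p * w for p, w in zip(run, weight))
    return total


def exhaustive_search(T, n, alpha, P, M):
    """Algorithm 1: enumerate every schedule with exactly n jammed slots."""
    best_gamma, best_cost = None, float("-inf")
    for slots in combinations(range(T), n):
        gamma = tuple(1 if t in slots else 0 for t in range(T))
        cost = expected_cost(gamma, alpha, P, M)
        if cost > best_cost:
            best_gamma, best_cost = gamma, cost
    return best_gamma, best_cost


def is_consecutive(gamma):
    jammed = [t for t, g in enumerate(gamma) if g]
    return jammed[-1] - jammed[0] + 1 == len(jammed)


P_BAR = steady_state_P()
M_CASE1 = mat_mul(transpose(A), mat_mul(Q, A))          # M = A'QA (Case I, R = 0)

if __name__ == "__main__":
    T, n, alpha = 8, 3, 0.8
    worst, worst_cost = exhaustive_search(T, n, alpha, P_BAR, M_CASE1)
    spread = (1, 0, 0, 1, 0, 0, 1, 0)
    baseline = expected_cost((0,) * T, alpha, P_BAR, M_CASE1)
    print("worst-case schedule:", worst, "consecutive:", is_consecutive(worst))
    print("cost, no jamming   :", round(baseline, 3))
    print("cost, spread slots :", round(expected_cost(spread, alpha, P_BAR, M_CASE1), 3))
    print("cost, worst case   :", round(worst_cost, 3))
```

The gap between the no-jamming baseline and the worst-case cost is the degradation margin a designer has to absorb for a given budget $n$ and loss probability $\alpha$.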
Algorithm 1: Optimal offline attack schedule.
(1) Process begins
(2) Input: $H_{\text{time}} = T$, $\Pi_0 = P$, $J^* = 0$
(3) for $\gamma_1 + \gamma_2 + \cdots + \gamma_T = n$ do
(4)   Compute LQG cost (14) under attack schedule $\gamma$, that is, $J = J(\gamma)$
(5)   if $J > J^*$ then
(6)     $J^* = J$ and $\gamma^* = (\gamma_1, \gamma_2, \ldots, \gamma_T)$
(7)   end if
(8) end for
(9) Output: optimal attack schedule $\gamma^*$ and corresponding cost $J^*$
5 Simulation
5.1 Testbed
There are three types of testbeds for simulation of NSCS security, that is, software simulation testbeds, physical simulation testbeds, and semiphysical simulation testbeds. The software simulation testbeds cannot fully simulate the real environment. The physical simulation testbeds can employ the same experimental equipment as the real world to construct the security test platform. However, they need a long construction cycle and great cost. Fortunately, semiphysical simulation testbeds are a good choice for NSCS security, since they can simulate the real working environment and save the cost. Thus, we choose a semiphysical simulation testbed to study the effectiveness of our proposed attack strategy.
Figure 2: The structure of semiphysical testbed. (a) The physical structure (virtual plant, PLC, wireless devices, USRP, controller). (b) The schematic diagram (virtual plant, control algorithm, measurement signal, USRP attacker, PLC, control signal).
Our semiphysical simulation testbed is composed of a virtual plant, a physical controller, and a communication network. Figure 2 shows the system architecture. In our testbed, real-time system states of the virtual plant are sent to the PLC through a wireless network. After reading the system states, the controller calculates the control data and writes them back to the PLC. Then the control data are sent back to the virtual plant via a wired channel.
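We build an inverted pendulum control system for experiments, which is based on the system presented in [5]. The parameters are given as follows:
$$\begin{aligned} A &= \begin{pmatrix} 1.001 & 0.005 & 0.000 & 0.000 \\ 0.350 & 1.001 & -0.135 & 0.000 \\ -0.001 & 0.000 & 1.001 & 0.005 \\ -0.375 & -0.001 & 0.590 & 1.001 \end{pmatrix}, \quad B = \begin{pmatrix} 0.001 \\ 0.540 \\ -0.002 \\ -1.066 \end{pmatrix}, \\ \Sigma_w &= q q', \quad q = \begin{pmatrix} 0.003 \\ 1.000 \\ -0.005 \\ -2.150 \end{pmatrix}, \quad Q = \begin{pmatrix} 5 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}. \end{aligned} \tag{29}$$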
We employ USRP N210 to simulate jamming attack on the wireless channel from sensor to controller. USRP is a universal software radio peripheral that can send and receive radio signal. We use the software GNU Radio in Ubuntu to manipulate the USRP. The frequency spectrum analyzer is adopted to detect the central frequency and waveform of transmission signals. Then we adapt the parameters on GNU Radio to configure the USRP. Experimental parameters are set as follows: center frequency is 433 MHz, waveform is sawtooth, jamming power is 16 dB, and jamming signal frequency is 10k, bandwidth is 20 MHz.
Figure 3: Compare the cost $J$ under different attack strategies. The lateral axis is the mark number of attack strategy. Attack strategy 10 is the consecutive attack strategy. (a) $R = 0$. (b) $S_0 = S$.
Table 1: Attack schedules in our experiment.
Mark number    Attack sequence
1              No attack
2              (1, 2, 3, 4)
3              (6, 3, 1)
4              (4, 4, 2)
5              (5, 5)
6              (4, 6)
7              (7, 3)
8              (8, 2)
9              (9, 1)
10             (10)
We verify the proposed optimal offline attack strategies through experiments based on the semiphysical testbed. We set $T = 250$ and the attack times $n = 10$ in the finite time horizon $[1, 250]$. It means that the attacker can assign the 10 times of attack in this period.
5.2 Simulation Results Analysis
We study the effectiveness of jamming attack with 10 different schedules when $R = 0$ and $S_0 = S$, respectively (see Table 1). From Figure 3(a), we can compare the cost $J$ under different attack schedules when $R = 0$. It can be seen that the attack schedule with 10 consecutive attack times maximizes the LQG cost. We also present the variation of system states and control data under the optimal attack schedule in Figure 4. From this figure, these data deviate from the equilibrium points when the wireless channel is under jamming attack. Similarly, we can also study the LQG cost $J$ under different attack schedules when $S_0 = S$. From Figure 3(b), we can also see that the consecutive attack schedule is optimal. These experimental results verify the theoretical conclusions in Section 4.
Figure 4: The variation of system states and control data under attack schedule 10 (optimal attack) when $R = 0$. (Panels: $\theta_1$, $\theta_2$ in rad and $u$, plotted against $t$.)
6 Conclusion
In this paper, we considered the optimal jamming attack scheduling which can destroy the system control performance. We formulated an optimization problem that maximizes the LQG cost subject to the attacker's energy constraint in a given finite time horizon. The optimal attack schedule has been presented for two special cases. For the general case, we provided an algorithm to find the optimal attack schedule. We also established a semiphysical testbed and studied the effectiveness of the proposed attack schedules by simulation. In the future, we will study the evaluation of control performance when the NSCS is under other types of cyber attack, for example, data injection attack and replay attack. We will also design effective defense strategies to avoid the cyber attacks in NSCS.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
The work was partially supported by the Professional Development Program for Visiting Scholars in Colleges and Universities under Grant FX2014144 and Zhejiang Provincial Natural Science Foundation of China under Grant Y16F030011. The work by H. Zhang was supported by NSFC under Grants 61203036, 61503147, and 71401060, the University Science Research General Project of Jiangsu Province under Grant 15KJB510002, Huaihai Institute of Technology Doctoral Research Funding under Grant KQ15007, and Lianyungang Science and Technology Projects under Grants CK1331 and CN1321.
References
[1] R. A. Gupta and M.-Y. Chow, "Networked control system: overview and research trends," IEEE Transactions on Industrial Electronics, vol. 57, no. 7, pp. 2527–2535, 2010.
[2] S. He, J. Chen, D. K. Y. Yau, and Y. Sun, "Cross-layer optimization of correlated data gathering in wireless sensor networks," IEEE Transactions on Mobile Computing, vol. 11, no. 11, pp. 1678–1691, 2012.
[3] L. Zhang, Y. Shi, T. Chen, and B. Huang, "A new method for stabilization of networked control systems with random delays," IEEE Transactions on Automatic Control, vol. 50, no. 8, pp. 1177–1181, 2005.
[4] S. He, J. Chen, F. Jiang, D. K. Y. Yau, G. Xing, and Y. Sun, "Energy provisioning in wireless rechargeable sensor networks," IEEE Transactions on Mobile Computing, vol. 12, no. 10, pp. 1931–1942, 2013.
[5] L. Schenato, B. Sinopoli, M. Franceschetti, K. Poolla, and S. S. Sastry, "Foundations of control and estimation over lossy networks," Proceedings of the IEEE, vol. 95, no. 1, pp. 163–187, 2007.
[6] J. Chen, Q. Yu, P. Cheng, Y. Sun, Y. Fan, and X. Shen, "Game theoretical approach for channel allocation in wireless sensor and actuator networks," IEEE Transactions on Automatic Control, vol. 56, no. 10, pp. 2332–2344, 2011.
[7] Y. Zhang, S. He, J. Chen, Y. Sun, and X. Shen, "Distributed sampling rate control for rechargeable sensor nodes with limited battery capacity," IEEE Transactions on Wireless Communications, vol. 12, no. 6, pp. 3096–3106, 2013.
[8] S. He, X. Li, J. Chen, P. Cheng, Y. Sun, and D. Simplot-Ryl, "EMD: energy-efficient p2p message dissemination in delay-tolerant wireless sensor and actor networks," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 75–84, 2013.
[9] N. Bezzo, J. Weimer, M. Pajic, O. Sokolsky, G. J. Pappas, and I. Lee, "Attack resilient state estimation for autonomous robotic systems," in Proceedings of the IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS '14), pp. 3692–3698, Chicago, Ill, USA, September 2014.
[10] J. P. Farwell and R. Rohozinski, "Stuxnet and the future of cyber war," Survival, vol. 53, no. 1, pp. 23–40, 2011.
[11] S. Amin, A. A. Cardenas, and S. S. Sastry, "Safe and secure networked control systems under denial-of-service attacks," in Hybrid Systems: Computation and Control, vol. 5469 of Lecture Notes in Computer Science, pp. 31–45, Springer, Berlin, Germany, 2009.
[12] Y. Qi, P. Cheng, L. Shi, and J. Chen, "Event-based attack against remote state estimation," in Proceedings of the IEEE Annual Conference on Decision and Control (CDC '15), Osaka, Japan, December 2015.
[13] F. Miao, M. Pajic, and G. J. Pappas, "Stochastic game approach for replay attack detection," in Proceedings of the 52nd IEEE Conference on Decision and Control (CDC '13), pp. 1854–1859, IEEE, Firenze, Italy, December 2013.
[14] M. Zhu and S. Martínez, "On the performance analysis of resilient networked control systems under replay attacks," IEEE Transactions on Automatic Control, vol. 59, no. 3, pp. 804–808, 2014.
[15] Y. Mo, R. Chabukswar, and B. Sinopoli, "Detecting integrity attacks on SCADA systems," IEEE Transactions on Control Systems Technology, vol. 22, no. 4, pp. 1396–1407, 2014.
[16] J. He, P. Cheng, L. Shi, and J. Chen, "SATS: secure average-consensus-based time synchronization in wireless sensor networks," IEEE Transactions on Signal Processing, vol. 61, no. 24, pp. 6387–6400, 2013.
[17] R. Poisel, Modern Communications Jamming: Principles and Techniques, Artech House, 2011.
[18] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal DoS attack policy against remote state estimation," in Proceedings of the 52nd IEEE Conference on Decision and Control (CDC '13), pp. 5444–5449, Firenze, Italy, December 2013.
[19] A. Gupta, C. Langbort, and T. Basar, "Optimal control in the presence of an intelligent jammer with limited actions," in Proceedings of the 49th IEEE Conference on Decision and Control (CDC '10), pp. 1096–1101, IEEE, Atlanta, Ga, USA, December 2010.
[20] H. Shisheh Foroush and S. Martinez, "On event-triggered control of linear systems under periodic denial-of-service jamming attacks," in Proceedings of the 51st IEEE Conference on Decision and Control (CDC '12), pp. 2551–2556, IEEE, Maui, Hawaii, USA, December 2012.
[21] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal denial-of-service attack scheduling against linear quadratic gaussian control," in Proceedings of the American Control Conference (ACC '14), pp. 3996–4001, Portland, Ore, USA, June 2014.
[22] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal denial-of-service attack scheduling with energy constraint," IEEE Transactions on Automatic Control, 2015.
[23] L. Shi, P. Cheng, and J. Chen, "Optimal periodic sensor scheduling with limited resources," IEEE Transactions on Automatic Control, vol. 56, no. 9, pp. 2190–2195, 2011.
[24] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal DoS attack scheduling in wireless networked control system," IEEE Transactions on Control Systems Technology, 2015.
International Journal of Distributed Sensor Networks 3
Problem 1 Consider
max120574isinΘ
E [119869 (120574)]
st119879
sum119905=1
120574119905le 119899
(9)
where 120574 = (1205741 1205742 120574
119879) is the attack schedule on the finite
time horizon [1 119879] and Θ = 120574 | 120574119905isin 0 1 119905 = 1 2 119879
is the attack schedule space
3 Preliminaries
In this section we present some properties of the estimate atthe estimator side and the control performance of plant undera jamming attack
31 State Estimation under Jamming Attack From standardKalman filter the estimate and corresponding error covari-ance at the sensor side can be calculated as follows
119909119904
119905|119905minus1= 119860119909119904
119905minus1+ 119906119905minus1
119875119904
119905|119905minus1= 119860119875119904
119905minus11198601015840+ Σ119908
119870119904
119905= 119875119904
119905|119905minus11198621015840[119862119875119904
119905|119905minus11198621015840+ ΣV]minus1
119909119904
119905= 119860119909119904
119905minus1+ 119870119904
119905(119910119905minus 119862119909119904
119905|119905minus1)
119875119904
119905= (119868 minus 119870
119904
119905119862)119875119904
119905|119905minus1
(10)
where the initial state is 1199090= 0 and 119875119904
0= Π0 From [23] we
can see that the error covariance 119875119904119905converges exponentially
to its steady-state value 119875 Thus we assume that Π0= 119875 It
can be seen that 119875119904119905= 119875 for all 119905 isin [1 119879]
Define functions ℎ ℎ119905 as ℎ(119883) ≜ 1198601198831198601015840 + Σ119908and ℎ119905(119883) ≜
ℎ ∘ ℎ ∘ sdot sdot sdot ∘ ℎ⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟119905 times
(119883)
From [23] the following result holds
Lemma 2 The function ℎ has the following property
119875 ⪯ ℎ (119875) ⪯ ℎ2(119875) ⪯ sdot sdot sdot ⪯ ℎ
119905(119875) ⪯ sdot sdot sdot forall119905 isin Z
+ (11)
From [22] we can obtain the estimate 119909119905and error
covariance 119875119905at estimator side as follows
(119909119905 119875119905)
=
(119860119909119905minus1+ 119906119905minus1 ℎ (119875119905minus1)) if 120574
119905= 1 120579
119905= 1
(119909119904
119905 119875) otherwise
(12)
Define attack sequence (1198961 1198962 119896
119904) as the attack sched-
ules which has the following form
(0 0 1 1⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟1198961times 0 0 1 1⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
1198962times 0 0 1 1⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
119896119904times
0 0)
(13)
Similar to [18 22] one can get the following result
Lemma 3 Let 119864(1198961otimes 1198962otimes sdot sdot sdot otimes 119896
119904) be the average expected
error covariance in time horizon [1 119879] under attack sequence(1198961 1198962 119896
119904) at estimator side and let 119864(119896) be the average
expected error covariance under attack sequence (119896) Thefollowing statements are true
(1) 119864(1198961) ⪯ 119864(119896
2) where 119896
1lt 1198962
(2) 119864(1198961otimes1198962otimessdot sdot sdototimes119896
119904) ⪯ 119864(119896) where 119896 = 119896
1+1198962+sdot sdot sdot+119896
119904
(3) 119864(1198961otimes 1198962) ⪯ 119864(119897
1otimes 1198972) where 119896
1+ 1198962= 1198971+ 1198972and
max1198961 1198962 1198971 1198972 is 1198971or 1198972
From Lemma 3 we can see that grouping together asmuch as possible can lead to maximal average error covari-ance
32 Control Performance under Jamming Attack In order tofind the optimal offline jamming attack scheduling we haveto study the control performance when the attack schedule isgiven
According to [5 24] one can obtain the following result
Lemma 4 TheLQG control cost function under a given attackschedule 120574 can be calculated as follows
119869 (120574) = tr (11987801198750) +
119879minus1
sum119905=0
tr (119878119905+1Σ119908)
+
119879minus1
sum119905=0
tr [(1198601015840119878119905+1119860 + 119876 minus 119878
119905) 119864120574(119875119905)]
(14)
where 119878119905can be computed from the following recursive equa-
tion
119878119905= 1198601015840119878119905+1119860 + 119876 minus 119860
1015840119878119905+1(119878119905+1+ 119877)minus1
119878119905+1119860
119905 = 0 1 119879 minus 1(15)
In fact (15) converges quickly to a steady state Thus if119879 rarr infin one can see that
119878 = 1198601015840119878119860 + 119876 minus 119860
1015840119878 (119878 + 119877)
minus1119878119860 (16)
where 119878 = lim119879rarrinfin
119878119879 In practice we often choose 119906
119905= 119871119909119905
with control gain 119871 = minus(119878 +119877)minus1119878119860 as the optimal static statefeedback controller to maximize the cost 119869
infin= lim
119879rarrinfin119869
4 International Journal of Distributed Sensor Networks
In our scenario we assume that the system has reached steadystate that is 119878
0= 119878 and 119875
0= 119875 Then (14) can be rewritten
as
119869 (120574) = 119869119888+ 119869119890 (17)
where
119869119888= tr (119878119875) + 119873 sdot tr (119878Σ
119908)
119869119890=
119879minus1
sum119905=0
tr [(1198601015840119878119860 + 119876 minus 119878)E120574(119875119905)]
(18)
It can be seen that 119869119888and 119869
119890are the constant part and
varying part of (17) respectively Thus we only have to studythe optimal jamming attack schedule which maximizes 119869
119890
which is as follows
Problem 5 Consider
max120574isinΘ
E [119869119890(120574)]
st119879
sum119905=1
120574119905le 119899
(19)
4 Optimal Jamming Attack Schedules
In this section we firstly study the jamming schedules againstLQG control for two special cases and present the close formof optimal schedulesThenwe investigate the attack strategiesfor the general case
41 Case I 119877 = 0 When 119877 = 0 it can be seen that the LQGcost function becomes
119869 =
119879
sum119905=0
E [1199091015840
119905119876119909119905] (20)
From Lemma 4 we can obtain the following conclusion
Theorem 6 If 119877 = 0 the optimal state feedback controller is119906119905= 119871119909119905= minus119860119909
119905 and the corresponding LQG cost function
under attack schedule 120574 is
119869 = 119869119888+ 119869119890 (21)
where
119869119888= tr (119876119875) + 119873 sdot tr (119876Σ
119908)
119869119890=
119879minus1
sum119905=0
tr [1198601015840119876119860E120574(119875119905)]
(22)
According toTheorem 6 we can see that the attacker onlyneeds tomaximizeE[119869
119890] Since1198601015840119876119860 ⪰ 0 one can obtain that
max120574E[119869119890] is equivalent to max
120574E[sum119873minus1
119905=0119875119905(120574)] Thus from
viewpoint of attacker we only have to solve the followingproblem
Problem 7 Consider
max120574isinΘ
E[119873minus1
sum119905=0
119875119905(120574)]
st119879
sum119905=1
120574119905le 119899
(23)
From [18 22] Problem 7 can be easily solved by thefollowing theorem
Theorem 8 When 119877 = 0 the optimal attack schedules areany consecutive attack 119899 times in time horizon [1 119879] and thecorresponding expected LQG cost function is
E (119869) = 119869119888+ 119869
max119890 (24)
where
119869max119890=
119879
sum119894=1
tr [119892119894(119875)] + (119879 minus 119899120572) tr [119872119875] (25)
with119872 = 1198601015840119876119860 and 119892119894(119875) = 119872ℎ
119894(119875)
4.2 Case II: $S_0 = S$. Define $M = A'SA + Q - S$ and $g_i(P) = M h_i(P)$, $i = 1, 2, \ldots$. Then we have the following lemma.

Lemma 9. The function $g$ has the following property:

$$g_1(P) \preceq g_2(P) \preceq \cdots \preceq g_i(P) \preceq \cdots. \tag{26}$$

According to Section 3.2, the objective of Problem 1 is equivalent to $\max_{\gamma} \mathbb{E}\left[\sum_{t=0}^{N-1} P_t(\gamma)\right]$. Thus, from the viewpoint of the attacker, we only have to solve Problem 7 for the case $S_0 = S$. From Lemma 9 and Theorem 3.1 in [22], we can solve this problem by the following theorem.
Theorem 10. When $S_0 = S$, the optimal attack schedules are any consecutive attack $n$ times in time horizon $[1, T]$, and the corresponding expected LQG cost function is

$$\mathbb{E}(J) = J_c + J_e^{\max}, \tag{27}$$

where

$$J_e^{\max} = \sum_{i=1}^{T} \operatorname{tr}\left[g_i(P)\right] + (T - n\alpha) \operatorname{tr}\left[M \cdot P\right]. \tag{28}$$
4.3 General Case Study. For the general case, it is difficult to obtain a closed form of the optimal attack schedule. The attacker can find the optimal jamming schedule by the exhaustion method, which is given in Algorithm 1. Since this schedule can be computed before the attack action begins, the computation of our proposed algorithm will not cost too much.
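Algorithm 1's exhaustive search, as an added sketch rather than the authors' code: it scores every schedule with exactly n lost packets over a short horizon and confirms that one contiguous burst is the worst case a resilience analysis has to budget for. It uses A, q and Q from (29) with the Case I weight M = A'QA; assumed here and not taken from the paper are that a jammed packet is always lost, that a delivered packet resets the error covariance to P_BAR = 0, the update h(P) = APA' + Σ_w, the cost summed over t = 1..T, and all function names.

```python
from itertools import combinations

# Plant data as printed in (29); everything else is an assumption of this sketch.
A = [[1.001, 0.005, 0.000, 0.000],
     [0.350, 1.001, -0.135, 0.000],
     [-0.001, 0.000, 1.001, 0.005],
     [-0.375, -0.001, 0.590, 1.001]]
q = [0.003, 1.000, -0.005, -2.150]
Q = [[5.0, 0.0, 0.0, 0.0],
     [0.0, 1.0, 0.0, 0.0],
     [0.0, 0.0, 1.0, 0.0],
     [0.0, 0.0, 0.0, 1.0]]


def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]


def transpose(X):
    return [list(row) for row in zip(*X)]


def add(X, Y):
    return [[a + b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def trace(X):
    return sum(X[i][i] for i in range(len(X)))


SIGMA_W = [[qi * qj for qj in q] for qi in q]   # Sigma_w = q q'
M = matmul(matmul(transpose(A), Q), A)          # Case I weight M = A'QA
P_BAR = [[0.0] * 4 for _ in range(4)]           # assumed covariance after a delivered packet


def h(P):
    """Assumed open-loop covariance update applied when a measurement is lost."""
    return add(matmul(matmul(A, P), transpose(A)), SIGMA_W)


def schedule_cost(gamma):
    """Sum of tr[M P_t] for t = 1..T; gamma[t-1] == 1 means packet t is lost."""
    P, total = P_BAR, 0.0
    for lost in gamma:
        P = h(P) if lost else P_BAR   # a delivered packet resets the covariance
        total += trace(matmul(M, P))
    return total


def exhaustive_search(T, n):
    """Algorithm 1: score every schedule with exactly n losses in T slots."""
    best_gamma, best_cost, costs = None, float("-inf"), {}
    for slots in combinations(range(T), n):
        gamma = tuple(1 if t in slots else 0 for t in range(T))
        cost = schedule_cost(gamma)
        costs[gamma] = cost
        if cost > best_cost:
            best_gamma, best_cost = gamma, cost
    return best_gamma, best_cost, costs


def is_consecutive(gamma):
    """True when all lost slots form one contiguous burst."""
    idx = [t for t, g in enumerate(gamma) if g]
    return idx[-1] - idx[0] + 1 == len(idx)


if __name__ == "__main__":
    gamma, cost, costs = exhaustive_search(T=8, n=3)
    print("worst-case loss pattern:", gamma, "cost: %.3f" % cost)
    split = max(c for g, c in costs.items() if not is_consecutive(g))
    print("worst non-contiguous pattern cost: %.3f" % split)
```

The gap between the two printed costs is the margin a defender gains by forcing losses apart, for example by bounding the length of any loss burst through channel hopping or retransmission.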
5 Simulation
5.1 Testbed. There are three types of testbeds for simulation of NSCS security, that is, software simulation testbeds, physical simulation testbeds, and semiphysical simulation testbeds. The software simulation testbeds cannot fully simulate the real environment. The physical simulation testbeds can employ the same experimental equipment as the real world to construct the security test platform. However, they need a long construction cycle and great cost. Fortunately, semiphysical simulation testbeds are a good choice for NSCS security since they can simulate the real working environment and save cost. Thus, we choose a semiphysical simulation testbed to study the effectiveness of our proposed attack strategy.

Algorithm 1: Optimal offline attack schedule.
(1) Process begins
(2) Input: $H_{\text{time}} = T$, $\Pi_0 = P$, $J^* = 0$
(3) for $\gamma_1 + \gamma_2 + \cdots + \gamma_T = n$ do
(4)   Compute LQG cost (14) under attack schedule $\gamma$, that is, $J = J(\gamma)$
(5)   if $J > J^*$ then
(6)     $J^* = J$ and $\gamma^* = (\gamma_1, \gamma_2, \ldots, \gamma_T)$
(7)   end if
(8) end for
(9) Output: optimal attack schedule $\gamma^*$ and corresponding cost $J^*$

Figure 2: The structure of semiphysical testbed. (a) The physical structure (virtual plant, PLC, wireless devices, USRP, controller). (b) The schematic diagram (virtual plant, control algorithm, PLC, USRP attacker; measurement signal and control signal).
Our semiphysical simulation testbed is composed of virtual plant, physical controller, and communication network. Figure 2 shows the system architecture. In our testbed, real-time system states of the virtual plant are sent to the PLC through a wireless network. After reading the system states, the controller calculates the control data and writes them back to the PLC. Then the control data are sent back to the virtual plant via a wired channel.
We build an inverted pendulum control system for experiments, which is based on the system presented in [5]. The parameters are given as follows:

$$A = \begin{pmatrix} 1.001 & 0.005 & 0.000 & 0.000 \\ 0.350 & 1.001 & -0.135 & 0.000 \\ -0.001 & 0.000 & 1.001 & 0.005 \\ -0.375 & -0.001 & 0.590 & 1.001 \end{pmatrix}, \quad B = \begin{pmatrix} 0.001 \\ 0.540 \\ -0.002 \\ -1.066 \end{pmatrix},$$

$$\Sigma_w = q q', \quad q = \begin{pmatrix} 0.003 \\ 1.000 \\ -0.005 \\ -2.150 \end{pmatrix}, \quad Q = \begin{pmatrix} 5 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}. \tag{29}$$
We employ USRP N210 to simulate jamming attack on the wireless channel from sensor to controller. USRP is a universal software radio peripheral that can send and receive radio signal. We use the software GNU Radio in Ubuntu to manipulate the USRP. The frequency spectrum analyzer is adopted to detect the central frequency and waveform of transmission signals. Then we adapt the parameters on GNU Radio to configure the USRP. Experimental parameters are set as follows: center frequency is 433 MHz, waveform is sawtooth, jamming power is 16 dB, and jamming signal frequency is 10k; bandwidth is 20 MHz.

Figure 3: Compare the cost $J$ under different attack strategies. The lateral axis is the mark number of attack strategy. Attack strategy 10 is the consecutive attack strategy. (a) $R = 0$. (b) $S_0 = S$.

Table 1: Attack schedules in our experiment.

| Mark number | Attack sequence |
| 1 | No attack |
| 2 | (1, 2, 3, 4) |
| 3 | (6, 3, 1) |
| 4 | (4, 4, 2) |
| 5 | (5, 5) |
| 6 | (4, 6) |
| 7 | (7, 3) |
| 8 | (8, 2) |
| 9 | (9, 1) |
| 10 | (10) |
We verify the proposed optimal offline attack strategies through experiments based on the semiphysical testbed. We set $T = 250$ and the attack times $n = 10$ in the finite time horizon $[1, 250]$. It means that the attacker can assign the 10 times of attack in this period.
5.2 Simulation Results Analysis. We study the effectiveness of jamming attack with 10 different schedules when $R = 0$ and $S_0 = S$, respectively (see Table 1). From Figure 3(a), we can compare the cost $J$ under different attack schedules when $R = 0$. It can be seen that the attack schedule with 10 consecutive attack times can maximize the LQG cost. We also present the variation of system states and control data under the optimal attack schedule in Figure 4. From this figure, these data will deviate from the equilibrium points when the wireless channel is under jamming attack. Similarly, we can also study the LQG cost $J$ under different attack schedules when $S_0 = S$. From Figure 3(b), we also can see that the consecutive attack schedule is optimal. These experimental results can verify the theoretical conclusions in Section 4.
Figure 4: The variation of system states and control data under attack schedule 10 (optimal attack) when $R = 0$. Panels plot $\theta$ (rad) ($\theta_1$, $\theta_2$) and $u$ against $t$.
6 Conclusion
In this paper, we considered the optimal jamming attack scheduling which can destroy the system control performance. We formulated an optimization problem that maximizes the LQG cost subject to attacker's energy constraint in a given finite time horizon. Optimal attack schedule has been presented for two special cases. For the general case, we provided an algorithm to find the optimal attack schedule. We also established a semiphysical testbed and studied the effectiveness of proposed attack schedules by simulation. In the future, we will study the evaluation of control performance when the NSCS is under other types of cyber attack, for example, data injection attack and replay attack. We will also design effective defense strategies to avoid the cyber attacks in NSCS.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
The work was partially supported by Professional Development Program for Visiting Scholars in Colleges and Universities under Grant FX2014144 and Zhejiang Provincial Natural Science Foundation of China under Grant Y16F030011. The work by H. Zhang was supported by NSFC under Grants 61203036, 61503147, and 71401060, the University Science Research General Project of Jiangsu Province under Grant 15KJB510002, Huaihai Institute of Technology Doctoral Research Funding under Grant KQ15007, and Lianyungang Science and Technology Projects under Grants CK1331 and CN1321.
References
[1] R. A. Gupta and M.-Y. Chow, “Networked control system: overview and research trends,” IEEE Transactions on Industrial Electronics, vol. 57, no. 7, pp. 2527–2535, 2010.
[2] S. He, J. Chen, D. K. Y. Yau, and Y. Sun, “Cross-layer optimization of correlated data gathering in wireless sensor networks,” IEEE Transactions on Mobile Computing, vol. 11, no. 11, pp. 1678–1691, 2012.
[3] L. Zhang, Y. Shi, T. Chen, and B. Huang, “A new method for stabilization of networked control systems with random delays,” IEEE Transactions on Automatic Control, vol. 50, no. 8, pp. 1177–1181, 2005.
[4] S. He, J. Chen, F. Jiang, D. K. Y. Yau, G. Xing, and Y. Sun, “Energy provisioning in wireless rechargeable sensor networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 10, pp. 1931–1942, 2013.
[5] L. Schenato, B. Sinopoli, M. Franceschetti, K. Poolla, and S. S. Sastry, “Foundations of control and estimation over lossy networks,” Proceedings of the IEEE, vol. 95, no. 1, pp. 163–187, 2007.
[6] J. Chen, Q. Yu, P. Cheng, Y. Sun, Y. Fan, and X. Shen, “Game theoretical approach for channel allocation in wireless sensor and actuator networks,” IEEE Transactions on Automatic Control, vol. 56, no. 10, pp. 2332–2344, 2011.
[7] Y. Zhang, S. He, J. Chen, Y. Sun, and X. Shen, “Distributed sampling rate control for rechargeable sensor nodes with limited battery capacity,” IEEE Transactions on Wireless Communications, vol. 12, no. 6, pp. 3096–3106, 2013.
[8] S. He, X. Li, J. Chen, P. Cheng, Y. Sun, and D. Simplot-Ryl, “EMD: energy-efficient p2p message dissemination in delay-tolerant wireless sensor and actor networks,” IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 75–84, 2013.
[9] N. Bezzo, J. Weimer, M. Pajic, O. Sokolsky, G. J. Pappas, and I. Lee, “Attack resilient state estimation for autonomous robotic systems,” in Proceedings of the IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS ’14), pp. 3692–3698, Chicago, Ill, USA, September 2014.
[10] J. P. Farwell and R. Rohozinski, “Stuxnet and the future of cyber war,” Survival, vol. 53, no. 1, pp. 23–40, 2011.
[11] S. Amin, A. A. Cardenas, and S. S. Sastry, “Safe and secure networked control systems under denial-of-service attacks,” in Hybrid Systems: Computation and Control, vol. 5469 of Lecture Notes in Computer Science, pp. 31–45, Springer, Berlin, Germany, 2009.
[12] Y. Qi, P. Cheng, L. Shi, and J. Chen, “Event-based attack against remote state estimation,” in Proceedings of the IEEE Annual Conference on Decision and Control (CDC ’15), Osaka, Japan, December 2015.
[13] F. Miao, M. Pajic, and G. J. Pappas, “Stochastic game approach for replay attack detection,” in Proceedings of the 52nd IEEE Conference on Decision and Control (CDC ’13), pp. 1854–1859, IEEE, Firenze, Italy, December 2013.
[14] M. Zhu and S. Martínez, “On the performance analysis of resilient networked control systems under replay attacks,” IEEE Transactions on Automatic Control, vol. 59, no. 3, pp. 804–808, 2014.
[15] Y. Mo, R. Chabukswar, and B. Sinopoli, “Detecting integrity attacks on SCADA systems,” IEEE Transactions on Control Systems Technology, vol. 22, no. 4, pp. 1396–1407, 2014.
[16] J. He, P. Cheng, L. Shi, and J. Chen, “SATS: secure average-consensus-based time synchronization in wireless sensor networks,” IEEE Transactions on Signal Processing, vol. 61, no. 24, pp. 6387–6400, 2013.
[17] R. Poisel, Modern Communications Jamming Principles and Techniques, Artech House, 2011.
[18] H. Zhang, P. Cheng, L. Shi, and J. Chen, “Optimal DoS attack policy against remote state estimation,” in Proceedings of the 52nd IEEE Conference on Decision and Control (CDC ’13), pp. 5444–5449, Firenze, Italy, December 2013.
[19] A. Gupta, C. Langbort, and T. Basar, “Optimal control in the presence of an intelligent jammer with limited actions,” in Proceedings of the 49th IEEE Conference on Decision and Control (CDC ’10), pp. 1096–1101, IEEE, Atlanta, Ga, USA, December 2010.
[20] H. Shisheh Foroush and S. Martinez, “On event-triggered control of linear systems under periodic denial-of-service jamming attacks,” in Proceedings of the 51st IEEE Conference on Decision and Control (CDC ’12), pp. 2551–2556, IEEE, Maui, Hawaii, USA, December 2012.
[21] H. Zhang, P. Cheng, L. Shi, and J. Chen, “Optimal denial-of-service attack scheduling against linear quadratic gaussian control,” in Proceedings of the American Control Conference (ACC ’14), pp. 3996–4001, Portland, Ore, USA, June 2014.
[22] H. Zhang, P. Cheng, L. Shi, and J. Chen, “Optimal denial-of-service attack scheduling with energy constraint,” IEEE Transactions on Automatic Control, 2015.
[23] L. Shi, P. Cheng, and J. Chen, “Optimal periodic sensor scheduling with limited resources,” IEEE Transactions on Automatic Control, vol. 56, no. 9, pp. 2190–2195, 2011.
[24] H. Zhang, P. Cheng, L. Shi, and J. Chen, “Optimal DoS attack scheduling in wireless networked control system,” IEEE Transactions on Control Systems Technology, 2015.
Problem 5 Consider
max120574isinΘ
E [119869119890(120574)]
st119879
sum119905=1
120574119905le 119899
(19)
4 Optimal Jamming Attack Schedules
In this section we firstly study the jamming schedules againstLQG control for two special cases and present the close formof optimal schedulesThenwe investigate the attack strategiesfor the general case
41 Case I 119877 = 0 When 119877 = 0 it can be seen that the LQGcost function becomes
119869 =
119879
sum119905=0
E [1199091015840
119905119876119909119905] (20)
From Lemma 4 we can obtain the following conclusion
Theorem 6 If 119877 = 0 the optimal state feedback controller is119906119905= 119871119909119905= minus119860119909
119905 and the corresponding LQG cost function
under attack schedule 120574 is
119869 = 119869119888+ 119869119890 (21)
where
119869119888= tr (119876119875) + 119873 sdot tr (119876Σ
119908)
119869119890=
119879minus1
sum119905=0
tr [1198601015840119876119860E120574(119875119905)]
(22)
According toTheorem 6 we can see that the attacker onlyneeds tomaximizeE[119869
119890] Since1198601015840119876119860 ⪰ 0 one can obtain that
max120574E[119869119890] is equivalent to max
120574E[sum119873minus1
119905=0119875119905(120574)] Thus from
viewpoint of attacker we only have to solve the followingproblem
Problem 7 Consider
max120574isinΘ
E[119873minus1
sum119905=0
119875119905(120574)]
st119879
sum119905=1
120574119905le 119899
(23)
From [18 22] Problem 7 can be easily solved by thefollowing theorem
Theorem 8 When 119877 = 0 the optimal attack schedules areany consecutive attack 119899 times in time horizon [1 119879] and thecorresponding expected LQG cost function is
E (119869) = 119869119888+ 119869
max119890 (24)
where
119869max119890=
119879
sum119894=1
tr [119892119894(119875)] + (119879 minus 119899120572) tr [119872119875] (25)
with119872 = 1198601015840119876119860 and 119892119894(119875) = 119872ℎ
119894(119875)
42 Case II 1198780= 119878 Define119872 = 1198601015840119878119860 + 119876 minus 119878 and 119892
119894(119875) =
119872ℎ119894(119875) 119894 = 1 2 Then we have following lemma
Lemma 9 The function 119892 has the following property
1198921(119875) ⪯ 119892
2(119875) ⪯ sdot sdot sdot ⪯ 119892
119894(119875) ⪯ sdot sdot sdot (26)
According to Section 32 the objective of Problem 1 isequivalent to max
120574E[sum119873minus1
119905=0119875119905(120574)] Thus from the viewpoint
of attacker we only have to solve Problem 7 for the case1198780= 119878FromLemma 9 andTheorem 31 in [22] we can solve this
problem by the following theorem
Theorem 10 When 1198780= 119878 the optimal attack schedules are
any consecutive attack 119899 times in time horizon [1 119879] and thecorresponding expected LQG cost function is
E (119869) = 119869119888+ 119869
max119890 (27)
where
119869max119890=
119879
sum119894=1
tr [119892119894(119875)] + (119879 minus 119899120572) tr [119872 sdot 119875] (28)
43 General Case Study For the general case it is difficult toobtain a close form of optimal attack schedule Attacker canfind the optimal jamming schedule by exhaustion methodwhich is given in Algorithm 1 Since this schedule can becomputed before the attack action begins the computationof our proposed algorithm will not cost too much
5 Simulation
51 Testbed There are three types testbeds for simulation ofNSCS security that is software simulation testbeds physical
International Journal of Distributed Sensor Networks 5
(1) Process begins(2) Input119867time = 119879 Π0 = 119875 119869
lowast= 0
(3) for 1205741+ 1205742+ sdot sdot sdot + 120574
119879= 119899 do
(4) Compute LQG cost (14) under attack schedule 120574 that is 119869 = 119869(120574)(5) if 119869 gt 119869lowast then(6) 119869
lowast= 119869 and 120574lowast = (120574
1 1205742 120574
119879)
(7) end if(8) end for(9) Output optimal attack schedule 120574lowast and corresponding cost 119869lowast
Algorithm 1 Optimal offline attack schedule
Virtualplant
PLC
Wirelessdevice
Wirelessdevice
USRP
Controller
(a) The physical structure
Virtual plantControl
algorithm
Measurementsignal
USRP attackerPLC
Control signal
(b) The schematic diagram
Figure 2 The structure of semiphysical testbed
simulation testbeds and semiphysical simulation testbedsThe software simulation testbeds cannot fully simulate thereal environment The physical simulation testbeds canemploy the same experimental equipment with the realworld to construct the security test platform However theyneed long cycle of construction and great cost Fortunatelysemiphysical simulation testbeds are the good choice forNSCS security since they can simulate the real working envi-ronment and save the cost Thus we choose a semiphysicalsimulation testbed to study the effectiveness of our proposedattack strategy
Our semiphysical simulation testbed is composed of vir-tual plant physical controller and communication networkFigure 2 shows the system architecture In our testbed real-time system states of the virtual plant are sent to the PLCthrough a wireless network After reading the system statesthe controller calculates the control data and writes themback to the PLC Then the control data are sent back to thevirtual plant via a wired channel
We build an inverted pendulum control system forexperiments which is based on the system presented in [5]The parameters are given as follows
119860 =(
1001 0005 0000 0000
0350 1001 minus0135 0000
minus0001 0000 1001 0005
minus0375 minus0001 0590 1001
)
119861 =(
0001
0540
minus0002
minus1066
)
Σ119908= 1199021199021015840 119902 = (
0003
1000
minus0005
minus2150
)
119876 =(
5 0 0 0
0 1 0 0
0 0 1 0
0 0 0 1
)
(29)
We employ USRP N210 to simulate jamming attack onthe wireless channel from sensor to controller USRP is auniversal software radio peripheral that can send and receiveradio signal We use the software GNU Radio in Ubuntuto manipulate the USRP The frequency spectrum analyzeris adopted to detect the central frequency and waveform oftransmission signals Then we adapt the parameters on GNURadio to configure the USRP Experimental parameters are
6 International Journal of Distributed Sensor Networks
1 2 3 4 5 6 7 8 9 100
2
4
6
8
10
12
14
16times105
(a) 119877 = 01 2 3 4 5 6 7 8 9 10
0
2
4
6
8
10
12
14times105
(b) 1198780= 119878
Figure 3 Compare the cost 119869 under different attack strategies The lateral axis is the mark number of attack strategy Attack strategy 10 is theconsecutive attack strategy
Table 1 Attack schedules in our experiment
Marknumber 1 2 3 4 5
Attacksequence No attack (1 2 3 4) (6 3 1) (4 4 2) (5 5)
Marknumber 6 7 8 9 10
Attacksequence (4 6) (7 3) (8 2) (9 1) (10)
set as follows center frequency is 433MHz waveform is sawtooth jamming power is 16 dB and jamming signal frequencyis 10k bandwidth is 20MHz
We verify the proposed optimal offline attack strategiesthrough experiments based on the semiphysical testbed Weset 119879 = 250 and the attack times 119899 = 10 in the finite timehorizon [1 250] It means that the attacker can assign the 10times of attack in this period
52 Simulation Results Analysis We study the effectivenessof jamming attack with 10 different schedules when 119877 = 01198780= 119878 respectively (see Table 1) From Figure 3(a) we can
compare the cost 119869 under different attack schedules when119877 =0 It can be seen that the attack schedule with 10 consecutiveattack times can maximize the LQG cost We also presentthe variation of system states and control data under optimalattack schedule in Figure 4 From this figure these data willdeviate the equilibrium points when the wireless channel isunder jamming attack Similarly we can also study the LQGcost 119869 under different attack schedules when 119878
0= 119878 From
Figure 3(b) we also can see that consecutive attack schedule isoptimalThese experimental results can verify the theoreticalconclusions in Section 4
minus200minus100
0100200300
180 190 200 210 220 230 240 250minus2minus1
0123
t
180 190 200 210 220 230 240 250t
u
u
times104
1205791
1205792
120579 (r
ad)
Figure 4 The variation of system states and control data underattack schedule 10 (optimal attack) when 119877 = 0
6 Conclusion
In this paper we considered the optimal jamming attackscheduling which can destroy the system control perfor-mance We formulated an optimization problem that max-imizes the LQG cost subject to attackerrsquos energy constraintin a given finite time horizon Optimal attack schedulehas been presented for two special cases For the generalcase we provided an algorithm to find the optimal attackschedule We also established a semiphysical testbed and
International Journal of Distributed Sensor Networks 7
studied the effectiveness of proposed attack schedules bysimulation In the future we will study the evaluation ofcontrol performance when the NSCS is under other typesof cyber attack for example data injection attack and replayattackWewill also design effective defense strategies to avoidthe cyber attacks in NSCS
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The work was partially supported by Professional Develop-ment Program for Visiting Scholars in Colleges andUniversi-ties under Grant FX2014144 and Zhejiang Provincial NaturalScience Foundation of China under Grant Y16F030011 Thework by H Zhang was supported by NSFC under Grants61203036 61503147 and 71401060 the University ScienceResearch General Project of Jiangsu Province under Grant15KJB510002 Huaihai Institute of Technology DoctoralResearch Funding under Grant KQ15007 and LianyungangScience and Technology Projects under Grants CK1331 andCN1321
References
[1] R A Gupta and M-Y Chow ldquoNetworked control systemoverview and research trendsrdquo IEEE Transactions on IndustrialElectronics vol 57 no 7 pp 2527ndash2535 2010
[2] S He J Chen D K Y Yau and Y Sun ldquoCross-layer optimiza-tion of correlated data gathering in wireless sensor networksrdquoIEEE Transactions onMobile Computing vol 11 no 11 pp 1678ndash1691 2012
[3] L Zhang Y Shi T Chen and B Huang ldquoA new method forstabilization of networked control systemswith randomdelaysrdquoIEEE Transactions on Automatic Control vol 50 no 8 pp 1177ndash1181 2005
[4] SHe J Chen F Jiang D K Y Yau G Xing andY Sun ldquoEnergyprovisioning in wireless rechargeable sensor networksrdquo IEEETransactions onMobile Computing vol 12 no 10 pp 1931ndash19422013
[5] L Schenato B Sinopoli M Franceschetti K Poolla and SS Sastry ldquoFoundations of control and estimation over lossynetworksrdquo Proceedings of the IEEE vol 95 no 1 pp 163ndash1872007
[6] J Chen Q Yu P Cheng Y Sun Y Fan and X ShenldquoGame theoretical approach for channel allocation in wirelesssensor and actuator networksrdquo IEEE Transactions on AutomaticControl vol 56 no 10 pp 2332ndash2344 2011
[7] Y Zhang S He J Chen Y Sun and X Shen ldquoDistributedsampling rate control for rechargeable sensor nodes withlimited battery capacityrdquo IEEE Transactions on Wireless Com-munications vol 12 no 6 pp 3096ndash3106 2013
[8] S He X Li J Chen P Cheng Y Sun and D Simplot-RylldquoEMD energy-efficient p2p message dissemination in delay-tolerant wireless sensor and actor networksrdquo IEEE Journal onSelected Areas in Communications vol 31 no 9 pp 75ndash84 2013
[9] N Bezzo J Weimer M Pajic O Sokolsky G J Pappasand I Lee ldquoAttack resilient state estimation for autonomousrobotic systemsrdquo in Proceedings of the IEEERSJ InternationalConference on Intelligent Robots and Systems (IROS rsquo14) pp3692ndash3698 Chicago Ill USA September 2014
[10] J P Farwell and R Rohozinski ldquoStuxnet and the future of cyberwarrdquo Survival vol 53 no 1 pp 23ndash40 2011
[11] S Amin A A Cardenas and S S Sastry ldquoSafe and securenetworked control systems under denial-of-service attacksrdquo inHybrid Systems Computation and Control vol 5469 of LectureNotes inComputer Science pp 31ndash45 Springer BerlinGermany2009
[12] Y Qi P Cheng L Shi and J Chen ldquoEvent-based attack againstremote state estimationrdquo in Proceedings of the IEEE AnnualConference on Decision and Control (CDC rsquo15) Osaka JapanDecember 2015
[13] F Miao M Pajic and G J Pappas ldquoStochastic game approachfor replay attack detectionrdquo in Proceedings of the 52nd IEEEConference on Decision and Control (CDC rsquo13) pp 1854ndash1859IEEE Firenze Italy December 2013
[14] M Zhu and S Martınez ldquoOn the performance analysis ofresilient networked control systems under replay attacksrdquo IEEETransactions on Automatic Control vol 59 no 3 pp 804ndash8082014
[15] Y Mo R Chabukswar and B Sinopoli ldquoDetecting integrityattacks on SCADA systemsrdquo IEEE Transactions on ControlSystems Technology vol 22 no 4 pp 1396ndash1407 2014
[16] J He P Cheng L Shi and J Chen ldquoSATS secure average-consensus-based time synchronization in wireless sensor net-worksrdquo IEEE Transactions on Signal Processing vol 61 no 24pp 6387ndash6400 2013
[17] R Poisel Modern Communications Jamming Principles andTechniques Artech House 2011
[18] H Zhang P Cheng L Shi and J Chen ldquoOptimal DoS attackpolicy against remote state estimationrdquo in Proceedings of the52nd IEEE Conference on Decision and Control (CDC rsquo13) pp5444ndash5449 Firenze Italy December 2013
[19] A Gupta C Langbort and T Basar ldquoOptimal control in thepresence of an intelligent jammer with limited actionsrdquo inProceedings of the 49th IEEEConference onDecision and Control(CDC rsquo10) pp 1096ndash1101 IEEE Atlanta Ga USA December2010
[20] H Shisheh Foroush and S Martinez ldquoOn event-triggered con-trol of linear systems under periodic denial-of-service jammingattacksrdquo in Proceedings of the 51st IEEE Conference on Decisionand Control (CDC rsquo12) pp 2551ndash2556 IEEE Maui HawaiiUSA December 2012
[21] H Zhang P Cheng L Shi and J Chen ldquoOptimal denial-of-service attack scheduling against linear quadratic gaussiancontrolrdquo in Proceedings of the American Control Conference(ACC rsquo14) pp 3996ndash4001 Portland Ore USA June 2014
[22] H Zhang P Cheng L Shi and J Chen ldquoOptimal denial-of-service attack scheduling with energy constraintrdquo IEEETransactions on Automatic Control 2015
[23] L Shi P Cheng and J Chen ldquoOptimal periodic sensor schedul-ing with limited resourcesrdquo IEEE Transactions on AutomaticControl vol 56 no 9 pp 2190ndash2195 2011
[24] H Zhang P Cheng L Shi and J Chen ldquoOptimal DoSattack scheduling in wireless networked control systemrdquo IEEETransactions on Control Systems Technology 2015
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 5
(1) Process begins(2) Input119867time = 119879 Π0 = 119875 119869
lowast= 0
(3) for 1205741+ 1205742+ sdot sdot sdot + 120574
119879= 119899 do
(4) Compute LQG cost (14) under attack schedule 120574 that is 119869 = 119869(120574)(5) if 119869 gt 119869lowast then(6) 119869
lowast= 119869 and 120574lowast = (120574
1 1205742 120574
119879)
(7) end if(8) end for(9) Output optimal attack schedule 120574lowast and corresponding cost 119869lowast
Algorithm 1 Optimal offline attack schedule
[Figure 2: The structure of semiphysical testbed. (a) The physical structure: virtual plant, PLC, wireless devices, USRP, controller. (b) The schematic diagram: virtual plant, control algorithm, measurement signal, USRP attacker, PLC, control signal.]
simulation testbeds, and semiphysical simulation testbeds. The software simulation testbeds cannot fully simulate the real environment. The physical simulation testbeds can employ the same experimental equipment as the real world to construct the security test platform. However, they need a long construction cycle and great cost. Fortunately, semiphysical simulation testbeds are a good choice for NSCS security since they can simulate the real working environment and save cost. Thus, we choose a semiphysical simulation testbed to study the effectiveness of our proposed attack strategy.
Our semiphysical simulation testbed is composed of a virtual plant, a physical controller, and a communication network. Figure 2 shows the system architecture. In our testbed, real-time system states of the virtual plant are sent to the PLC through a wireless network. After reading the system states, the controller calculates the control data and writes them back to the PLC. Then the control data are sent back to the virtual plant via a wired channel.
We build an inverted pendulum control system for experiments, which is based on the system presented in [5]. The parameters are given as follows:
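$$
\begin{gathered}
A = \begin{pmatrix}
1.001 & 0.005 & 0.000 & 0.000 \\
0.350 & 1.001 & -0.135 & 0.000 \\
-0.001 & 0.000 & 1.001 & 0.005 \\
-0.375 & -0.001 & 0.590 & 1.001
\end{pmatrix}, \quad
B = \begin{pmatrix} 0.001 \\ 0.540 \\ -0.002 \\ -1.066 \end{pmatrix}, \\
\Sigma_w = q q', \quad
q = \begin{pmatrix} 0.003 \\ 1.000 \\ -0.005 \\ -2.150 \end{pmatrix}, \quad
Q = \begin{pmatrix}
5 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 \\
0 & 0 & 1 & 0 \\
0 & 0 & 0 & 1
\end{pmatrix}.
\end{gathered}
\tag{29}
$$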
We employ a USRP N210 to simulate a jamming attack on the wireless channel from sensor to controller. USRP is a universal software radio peripheral that can send and receive radio signals. We use the software GNU Radio in Ubuntu to manipulate the USRP. A frequency spectrum analyzer is adopted to detect the central frequency and waveform of the transmission signals. Then we adapt the parameters in GNU Radio to configure the USRP. Experimental parameters are set as follows: center frequency is 433 MHz, waveform is sawtooth, jamming power is 16 dB, jamming signal frequency is 10k, and bandwidth is 20 MHz.

[Figure 3: Comparison of the cost $J$ under different attack strategies. Panels: (a) $R = 0$; (b) $S_0 = S$. The horizontal axis is the mark number of the attack strategy (1 to 10); the vertical axis is the cost ($\times 10^5$). Attack strategy 10 is the consecutive attack strategy.]

Table 1: Attack schedules in our experiment.

| Mark number | Attack sequence |
|---|---|
| 1 | No attack |
| 2 | (1, 2, 3, 4) |
| 3 | (6, 3, 1) |
| 4 | (4, 4, 2) |
| 5 | (5, 5) |
| 6 | (4, 6) |
| 7 | (7, 3) |
| 8 | (8, 2) |
| 9 | (9, 1) |
| 10 | (10) |
We verify the proposed optimal offline attack strategies through experiments based on the semiphysical testbed. We set $T = 250$ and the attack times $n = 10$ in the finite time horizon $[1, 250]$. This means that the attacker can assign the 10 attack times within this period.
5.2. Simulation Results Analysis. We study the effectiveness of jamming attack with 10 different schedules when $R = 0$ and $S_0 = S$, respectively (see Table 1). From Figure 3(a), we can compare the cost $J$ under different attack schedules when $R = 0$. It can be seen that the attack schedule with 10 consecutive attack times maximizes the LQG cost. We also present the variation of system states and control data under the optimal attack schedule in Figure 4. From this figure, these data deviate from the equilibrium points when the wireless channel is under jamming attack. Similarly, we can also study the LQG cost $J$ under different attack schedules when $S_0 = S$. From Figure 3(b), we can also see that the consecutive attack schedule is optimal. These experimental results verify the theoretical conclusions in Section 4.
[Figure 4: The variation of system states and control data under attack schedule 10 (optimal attack) when $R = 0$. Panels plot $\theta$ (rad), with traces $\theta_1$ and $\theta_2$, and the control data $u$ against $t$ from 180 to 250.]
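The following Python example is added here and is not code from the paper: it runs the enumeration of Algorithm 1 on a short horizon and scores the Table 1 schedules with the plant parameters of (29), which helps size how much estimation error a controller must tolerate during a measurement outage. Assumptions: the cost is a simplified proxy for (14), namely $\mathrm{trace}(Q P_k)$ summed over lost steps with the error covariance $P_k$ reset to zero by every received packet; the runs of Table 1 are placed from step 1 with one received packet between them; all function names are hypothetical.

```python
from itertools import combinations

# Plant parameters from equation (29) on this page.
A = [[1.001, 0.005, 0.000, 0.000],
     [0.350, 1.001, -0.135, 0.000],
     [-0.001, 0.000, 1.001, 0.005],
     [-0.375, -0.001, 0.590, 1.001]]
Q_VEC = [0.003, 1.000, -0.005, -2.150]   # q, with Sigma_w = q q'
Q_DIAG = [5.0, 1.0, 1.0, 1.0]            # diagonal of Q

# Table 1: mark number -> lengths of the consecutive loss runs (sum is n = 10).
TABLE_1 = {1: (), 2: (1, 2, 3, 4), 3: (6, 3, 1), 4: (4, 4, 2), 5: (5, 5),
           6: (4, 6), 7: (7, 3), 8: (8, 2), 9: (9, 1), 10: (10,)}


def loss_penalties(max_run):
    """g[j] = trace(Q P_j), where P_j = A P_{j-1} A' + Sigma_w and P_0 = 0.

    Assumed proxy, not the paper's cost (14). Because Sigma_w = q q', P_j is
    the sum over i < j of (A^i q)(A^i q)', so trace(Q P_j) is the running sum
    of v' Q v with v = A^i q.
    """
    g, v, total = [0.0], list(Q_VEC), 0.0
    for _ in range(max_run):
        total += sum(w * x * x for w, x in zip(Q_DIAG, v))
        g.append(total)
        v = [sum(a * x for a, x in zip(row, v)) for row in A]  # v <- A v
    return g


def schedule_cost(gamma):
    """Proxy cost of a 0/1 schedule; gamma[k] = 1 means the packet at k is lost."""
    g = loss_penalties(sum(gamma))
    cost, run = 0.0, 0
    for lost in gamma:
        run = run + 1 if lost else 0   # a received packet resets the error
        cost += g[run]                 # g[0] = 0, so received steps add nothing
    return cost


def place_runs(runs, horizon):
    """Build a 0/1 schedule from run lengths, one received packet between runs."""
    gamma = []
    for length in runs:
        gamma += [1] * length + [0]
    if len(gamma) > horizon:
        raise ValueError("runs do not fit in the horizon")
    return gamma + [0] * (horizon - len(gamma))


def exhaustive_worst_case(horizon, n):
    """Algorithm 1: enumerate every schedule with exactly n losses, keep the max."""
    best_cost, best_gamma = 0.0, None
    for lost_steps in combinations(range(horizon), n):
        gamma = [0] * horizon
        for k in lost_steps:
            gamma[k] = 1
        cost = schedule_cost(gamma)
        if cost > best_cost:           # step (5) of Algorithm 1
            best_cost, best_gamma = cost, gamma
    return best_gamma, best_cost


def table_1_costs(horizon=250):
    """Proxy cost of each Table 1 schedule over the horizon T = 250."""
    return {mark: schedule_cost(place_runs(runs, horizon))
            for mark, runs in TABLE_1.items()}


if __name__ == "__main__":
    for mark, cost in table_1_costs().items():
        print(f"schedule {mark:2d} {str(TABLE_1[mark]):14s} proxy cost {cost:12.2f}")
    gamma, cost = exhaustive_worst_case(horizon=12, n=4)
    print("worst case for T=12, n=4:", gamma, round(cost, 2))
```

Under this proxy the penalty for a run of losses is convex in its length, which is why the single run of 10 scores highest. The enumeration visits every combination of n lost steps, so it is practical only for short horizons.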
6 Conclusion
In this paper, we considered the optimal jamming attack scheduling which can destroy the system control performance. We formulated an optimization problem that maximizes the LQG cost subject to the attacker's energy constraint in a given finite time horizon. The optimal attack schedule has been presented for two special cases. For the general case, we provided an algorithm to find the optimal attack schedule. We also established a semiphysical testbed and studied the effectiveness of the proposed attack schedules by simulation. In the future, we will study the evaluation of control performance when the NSCS is under other types of cyber attack, for example, data injection attack and replay attack. We will also design effective defense strategies to avoid the cyber attacks in NSCS.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
The work was partially supported by the Professional Development Program for Visiting Scholars in Colleges and Universities under Grant FX2014144 and Zhejiang Provincial Natural Science Foundation of China under Grant Y16F030011. The work by H. Zhang was supported by NSFC under Grants 61203036, 61503147, and 71401060, the University Science Research General Project of Jiangsu Province under Grant 15KJB510002, Huaihai Institute of Technology Doctoral Research Funding under Grant KQ15007, and Lianyungang Science and Technology Projects under Grants CK1331 and CN1321.
References
[1] R. A. Gupta and M.-Y. Chow, "Networked control system: overview and research trends," IEEE Transactions on Industrial Electronics, vol. 57, no. 7, pp. 2527–2535, 2010.
[2] S. He, J. Chen, D. K. Y. Yau, and Y. Sun, "Cross-layer optimization of correlated data gathering in wireless sensor networks," IEEE Transactions on Mobile Computing, vol. 11, no. 11, pp. 1678–1691, 2012.
[3] L. Zhang, Y. Shi, T. Chen, and B. Huang, "A new method for stabilization of networked control systems with random delays," IEEE Transactions on Automatic Control, vol. 50, no. 8, pp. 1177–1181, 2005.
[4] S. He, J. Chen, F. Jiang, D. K. Y. Yau, G. Xing, and Y. Sun, "Energy provisioning in wireless rechargeable sensor networks," IEEE Transactions on Mobile Computing, vol. 12, no. 10, pp. 1931–1942, 2013.
[5] L. Schenato, B. Sinopoli, M. Franceschetti, K. Poolla, and S. S. Sastry, "Foundations of control and estimation over lossy networks," Proceedings of the IEEE, vol. 95, no. 1, pp. 163–187, 2007.
[6] J. Chen, Q. Yu, P. Cheng, Y. Sun, Y. Fan, and X. Shen, "Game theoretical approach for channel allocation in wireless sensor and actuator networks," IEEE Transactions on Automatic Control, vol. 56, no. 10, pp. 2332–2344, 2011.
[7] Y. Zhang, S. He, J. Chen, Y. Sun, and X. Shen, "Distributed sampling rate control for rechargeable sensor nodes with limited battery capacity," IEEE Transactions on Wireless Communications, vol. 12, no. 6, pp. 3096–3106, 2013.
[8] S. He, X. Li, J. Chen, P. Cheng, Y. Sun, and D. Simplot-Ryl, "EMD: energy-efficient p2p message dissemination in delay-tolerant wireless sensor and actor networks," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 75–84, 2013.
[9] N. Bezzo, J. Weimer, M. Pajic, O. Sokolsky, G. J. Pappas, and I. Lee, "Attack resilient state estimation for autonomous robotic systems," in Proceedings of the IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS '14), pp. 3692–3698, Chicago, Ill, USA, September 2014.
[10] J. P. Farwell and R. Rohozinski, "Stuxnet and the future of cyber war," Survival, vol. 53, no. 1, pp. 23–40, 2011.
[11] S. Amin, A. A. Cardenas, and S. S. Sastry, "Safe and secure networked control systems under denial-of-service attacks," in Hybrid Systems: Computation and Control, vol. 5469 of Lecture Notes in Computer Science, pp. 31–45, Springer, Berlin, Germany, 2009.
[12] Y. Qi, P. Cheng, L. Shi, and J. Chen, "Event-based attack against remote state estimation," in Proceedings of the IEEE Annual Conference on Decision and Control (CDC '15), Osaka, Japan, December 2015.
[13] F. Miao, M. Pajic, and G. J. Pappas, "Stochastic game approach for replay attack detection," in Proceedings of the 52nd IEEE Conference on Decision and Control (CDC '13), pp. 1854–1859, IEEE, Firenze, Italy, December 2013.
[14] M. Zhu and S. Martínez, "On the performance analysis of resilient networked control systems under replay attacks," IEEE Transactions on Automatic Control, vol. 59, no. 3, pp. 804–808, 2014.
[15] Y. Mo, R. Chabukswar, and B. Sinopoli, "Detecting integrity attacks on SCADA systems," IEEE Transactions on Control Systems Technology, vol. 22, no. 4, pp. 1396–1407, 2014.
[16] J. He, P. Cheng, L. Shi, and J. Chen, "SATS: secure average-consensus-based time synchronization in wireless sensor networks," IEEE Transactions on Signal Processing, vol. 61, no. 24, pp. 6387–6400, 2013.
[17] R. Poisel, Modern Communications Jamming Principles and Techniques, Artech House, 2011.
[18] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal DoS attack policy against remote state estimation," in Proceedings of the 52nd IEEE Conference on Decision and Control (CDC '13), pp. 5444–5449, Firenze, Italy, December 2013.
[19] A. Gupta, C. Langbort, and T. Basar, "Optimal control in the presence of an intelligent jammer with limited actions," in Proceedings of the 49th IEEE Conference on Decision and Control (CDC '10), pp. 1096–1101, IEEE, Atlanta, Ga, USA, December 2010.
[20] H. Shisheh Foroush and S. Martinez, "On event-triggered control of linear systems under periodic denial-of-service jamming attacks," in Proceedings of the 51st IEEE Conference on Decision and Control (CDC '12), pp. 2551–2556, IEEE, Maui, Hawaii, USA, December 2012.
[21] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal denial-of-service attack scheduling against linear quadratic gaussian control," in Proceedings of the American Control Conference (ACC '14), pp. 3996–4001, Portland, Ore, USA, June 2014.
[22] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal denial-of-service attack scheduling with energy constraint," IEEE Transactions on Automatic Control, 2015.
[23] L. Shi, P. Cheng, and J. Chen, "Optimal periodic sensor scheduling with limited resources," IEEE Transactions on Automatic Control, vol. 56, no. 9, pp. 2190–2195, 2011.
[24] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal DoS attack scheduling in wireless networked control system," IEEE Transactions on Control Systems Technology, 2015.
International Journal of Distributed Sensor Networks 7
studied the effectiveness of proposed attack schedules bysimulation In the future we will study the evaluation ofcontrol performance when the NSCS is under other typesof cyber attack for example data injection attack and replayattackWewill also design effective defense strategies to avoidthe cyber attacks in NSCS
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The work was partially supported by Professional Develop-ment Program for Visiting Scholars in Colleges andUniversi-ties under Grant FX2014144 and Zhejiang Provincial NaturalScience Foundation of China under Grant Y16F030011 Thework by H Zhang was supported by NSFC under Grants61203036 61503147 and 71401060 the University ScienceResearch General Project of Jiangsu Province under Grant15KJB510002 Huaihai Institute of Technology DoctoralResearch Funding under Grant KQ15007 and LianyungangScience and Technology Projects under Grants CK1331 andCN1321
References
[1] R A Gupta and M-Y Chow ldquoNetworked control systemoverview and research trendsrdquo IEEE Transactions on IndustrialElectronics vol 57 no 7 pp 2527ndash2535 2010
[2] S He J Chen D K Y Yau and Y Sun ldquoCross-layer optimiza-tion of correlated data gathering in wireless sensor networksrdquoIEEE Transactions onMobile Computing vol 11 no 11 pp 1678ndash1691 2012
[3] L Zhang Y Shi T Chen and B Huang ldquoA new method forstabilization of networked control systemswith randomdelaysrdquoIEEE Transactions on Automatic Control vol 50 no 8 pp 1177ndash1181 2005
[4] SHe J Chen F Jiang D K Y Yau G Xing andY Sun ldquoEnergyprovisioning in wireless rechargeable sensor networksrdquo IEEETransactions onMobile Computing vol 12 no 10 pp 1931ndash19422013
[5] L Schenato B Sinopoli M Franceschetti K Poolla and SS Sastry ldquoFoundations of control and estimation over lossynetworksrdquo Proceedings of the IEEE vol 95 no 1 pp 163ndash1872007
[6] J Chen Q Yu P Cheng Y Sun Y Fan and X ShenldquoGame theoretical approach for channel allocation in wirelesssensor and actuator networksrdquo IEEE Transactions on AutomaticControl vol 56 no 10 pp 2332ndash2344 2011
[7] Y Zhang S He J Chen Y Sun and X Shen ldquoDistributedsampling rate control for rechargeable sensor nodes withlimited battery capacityrdquo IEEE Transactions on Wireless Com-munications vol 12 no 6 pp 3096ndash3106 2013
[8] S He X Li J Chen P Cheng Y Sun and D Simplot-RylldquoEMD energy-efficient p2p message dissemination in delay-tolerant wireless sensor and actor networksrdquo IEEE Journal onSelected Areas in Communications vol 31 no 9 pp 75ndash84 2013
[9] N Bezzo J Weimer M Pajic O Sokolsky G J Pappasand I Lee ldquoAttack resilient state estimation for autonomousrobotic systemsrdquo in Proceedings of the IEEERSJ InternationalConference on Intelligent Robots and Systems (IROS rsquo14) pp3692ndash3698 Chicago Ill USA September 2014
[10] J P Farwell and R Rohozinski ldquoStuxnet and the future of cyberwarrdquo Survival vol 53 no 1 pp 23ndash40 2011
[11] S Amin A A Cardenas and S S Sastry ldquoSafe and securenetworked control systems under denial-of-service attacksrdquo inHybrid Systems Computation and Control vol 5469 of LectureNotes inComputer Science pp 31ndash45 Springer BerlinGermany2009
[12] Y Qi P Cheng L Shi and J Chen ldquoEvent-based attack againstremote state estimationrdquo in Proceedings of the IEEE AnnualConference on Decision and Control (CDC rsquo15) Osaka JapanDecember 2015
[13] F Miao M Pajic and G J Pappas ldquoStochastic game approachfor replay attack detectionrdquo in Proceedings of the 52nd IEEEConference on Decision and Control (CDC rsquo13) pp 1854ndash1859IEEE Firenze Italy December 2013
[14] M Zhu and S Martınez ldquoOn the performance analysis ofresilient networked control systems under replay attacksrdquo IEEETransactions on Automatic Control vol 59 no 3 pp 804ndash8082014
[15] Y Mo R Chabukswar and B Sinopoli ldquoDetecting integrityattacks on SCADA systemsrdquo IEEE Transactions on ControlSystems Technology vol 22 no 4 pp 1396ndash1407 2014
[16] J He P Cheng L Shi and J Chen ldquoSATS secure average-consensus-based time synchronization in wireless sensor net-worksrdquo IEEE Transactions on Signal Processing vol 61 no 24pp 6387ndash6400 2013
[17] R Poisel Modern Communications Jamming Principles andTechniques Artech House 2011
[18] H Zhang P Cheng L Shi and J Chen ldquoOptimal DoS attackpolicy against remote state estimationrdquo in Proceedings of the52nd IEEE Conference on Decision and Control (CDC rsquo13) pp5444ndash5449 Firenze Italy December 2013
[19] A Gupta C Langbort and T Basar ldquoOptimal control in thepresence of an intelligent jammer with limited actionsrdquo inProceedings of the 49th IEEEConference onDecision and Control(CDC rsquo10) pp 1096ndash1101 IEEE Atlanta Ga USA December2010
[20] H Shisheh Foroush and S Martinez ldquoOn event-triggered con-trol of linear systems under periodic denial-of-service jammingattacksrdquo in Proceedings of the 51st IEEE Conference on Decisionand Control (CDC rsquo12) pp 2551ndash2556 IEEE Maui HawaiiUSA December 2012
[21] H Zhang P Cheng L Shi and J Chen ldquoOptimal denial-of-service attack scheduling against linear quadratic gaussiancontrolrdquo in Proceedings of the American Control Conference(ACC rsquo14) pp 3996ndash4001 Portland Ore USA June 2014
[22] H Zhang P Cheng L Shi and J Chen ldquoOptimal denial-of-service attack scheduling with energy constraintrdquo IEEETransactions on Automatic Control 2015
[23] L Shi P Cheng and J Chen ldquoOptimal periodic sensor schedul-ing with limited resourcesrdquo IEEE Transactions on AutomaticControl vol 56 no 9 pp 2190ndash2195 2011
[24] H Zhang P Cheng L Shi and J Chen ldquoOptimal DoSattack scheduling in wireless networked control systemrdquo IEEETransactions on Control Systems Technology 2015