A Novel Covert Agent for Stealthy Attacks on Industrial Control Systems Using Least Squares Support Vector Regression

Research Article

Weize Li, Lun Xie, and Zhiliang Wang

School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing 100083, China

Correspondence should be addressed to Lun Xie.

Received 12 July 2017; Accepted 24 December 2017; Published 1 February 2018

Academic Editor: Vinod Sharma

Hindawi, Journal of Electrical and Computer Engineering, Volume 2018, Article ID 7204939, 14 pages, https://doi.org/10.1155/2018/7204939

Copyright © 2018 Weize Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Research on stealthiness has become an important topic in the field of data integrity (DI) attacks. To construct stealthy DI attacks, a common assumption in most related studies is that attackers have prior model knowledge of physical systems. In this paper, such assumption is relaxed and a covert agent is proposed based on the least squares support vector regression (LSSVR). By estimating a plant model from control and sensory data, the LSSVR-based covert agent can closely imitate the behavior of the physical plant. Then, the covert agent is used to construct a covert loop, which can keep the controller's input and output both stealthy over a finite time window. Experiments have been carried out to show the effectiveness of the proposed method.

1. Introduction

Industrial control systems (ICSs) are widely deployed in modern critical infrastructures (CIs), and their incapacitation can cause serious damage to equipment, environment, or even people's lives [1]. During the past ten years, many efforts have been made to improve the security of ICSs [2, 3]. Among the existing research on ICSs security, a great deal of attention has been given to the study of stealthy data integrity (DI) attacks [4, 5], which can violate the integrity of control and sensory data. The purpose of such attacks is to disrupt the physical process while remaining stealthy with respect to anomaly detectors [6].

To construct stealthy DI attacks, a common assumption in most related studies is that attackers have prior model knowledge of physical systems. Kwon et al. [7] investigated three kinds of stealthy deception attacks on a linear time-invariant system with Gaussian noise. Their results showed that if an attacker had perfect model knowledge of the target system, he could carefully design a stealthy attack to avoid being detected by the monitoring system. Pang et al. [8] proposed stealthy false data injection (FDI) attacks for both feedback and forward channels of the networked control systems. It was assumed that the attacker knew the detailed system parameters. Such assumption can also be found in the recent work of Teixeira et al. [9], Sedghi and Jonckheere [10], Manandhar et al. [11], and Dutta and Langbort [12]. In particular, in [9], the authors also considered a more moderate scenario where the attacker's model knowledge contains some uncertainties. In [13], the authors presented a covert agent structure and showed that the better the covert agent's model of the plant, the easier it was for the covert agent to hide its actions.

Besides the perfect model knowledge of physical systems, there is a more rigorous assumption that attackers also have other model knowledge of target systems. Cárdenas et al. [14] studied three types of stealthy attacks that aimed at raising the pressure in a tank without being detected. The powerful attacker was assumed to have prior knowledge of the exact plant model and the anomaly detection scheme. In the work of Teixeira et al. [15], the model knowledge was divided into three categories: the model of the physical system, the model of the feedback controller, and the model of the anomaly detector. Attacks constrained by different levels of prior model knowledge were illustrated by experiments on a quadruple-tank process control testbed. In [16], the authors considered a stronger adversary who not only knew the physical model and the detection scheme but also could adapt to different detection thresholds.

As discussed before, most prior works on stealthy DI attacks are based on various assumptions that attackers have model knowledge of target systems at different levels. However, there is no description of how such model knowledge can be obtained by an attacker. Although the assumptions of model knowledge are very useful for identifying subtle and stealthy malicious attacks, it may be difficult to acquire such prior knowledge in many practical scenarios, where explicit models of physical systems are usually not available directly [17].

Recently, increasing attention has been paid to stealthy DI attacks without the prior model knowledge of physical systems. Unlike the studies discussed before, Yu and Chin [18] proposed a principal component analysis (PCA) based method to design blind FDI attacks, which did not need any prior knowledge of the Jacobian matrix in the smart grid. Furthermore, Anwar and Mahmood [19] clarified that the PCA based blind attack strategy was only valid for the measurements with Gaussian noises. In the case of gross errors, they proposed the accelerated proximal gradient (APG) method to circumvent the gross error issue and construct stealthy attacks. Most recently, in [20], the authors proposed a sparse optimization based stealthy attacks construction strategy and demonstrated how FDI attacks could be constructed blindly, that is, without the system model knowledge. However, unfortunately, these three studies were closely related to the smart grid, and the proposed methods were designed for the approximation of the Jacobian matrix.

In the framework of a general dynamic cyberphysical system (CPS), Yuan and Mo [21] applied the classical system identification technique to the construction of stealthy attacks. The spectral factorization based method was used to identify the transfer function of the physical system by observing the input-output data from the system. Furthermore, they proved a necessary condition and a sufficient condition under which the perfect model of the system could be successfully identified. However, such conditions are overly restrictive for widespread applications. In fact, it is more realistic to consider that the identified model of the system is not perfect. That is, there is a model error between the identified model and the real system model. Motivated by this consideration, we explored the possibility that an attacker can carry out stealthy DI attacks on the ICS by identifying a not so perfect model of the system.

The most similar work to ours is the recent study of Kim et al. [22], where a subspace estimation method was used to estimate a system operating subspace from sensor measurements. Based on the subspace information, stealthy attacks could be constructed without the need of prior system model knowledge. As shown in Figure 1(a), the unobservable attack is launched by adding a corresponding perturbation to the sensor data, and the modified sensor data can avoid being detected by the anomaly detector. However, because the ultimate objective of the attack is to disrupt the system's behavior, the controller's output will be abnormal. Another similar case is the replay attack, which also does not require any prior knowledge. It gathers sequences of data for a certain amount of time and afterwards just repeats the recorded data. Teixeira et al. [15] introduced an interesting instance of this attack scenario, which consists of applying a physical attack to the plant while using the replay attack to render the physical attack stealthy. However, the replay attack on the sensor data could also cause anomalies in the controller's output, and this point will be revealed later in our experiments.

Our goal is to design a covert agent to keep the controller's input and output both stealthy over a finite time window. To this end, we propose a function estimation based covert agent, as shown in Figure 1(b). The proposed covert agent can be used to construct a two-loop covert structure in Figure 1(c), which consists of two loops: the covert loop and the attack loop. In comparison, Figure 1(d) shows a typical structure of the prior model knowledge based covert attack [13]. The core idea of such structure is to calculate the attack effect on the plant output measurements and subtract the effect from the measured plant output. By contrast, in the two-loop covert structure, the covert loop covers up the effect of the real attack on the physical plant by closely imitating the expected behavior of the physical plant over a finite time window. For the sake of concentrating on the stealthiness, this paper will be restricted to the construction of the covert loop and will not deal with the attack loop.

The main contribution of this paper is the exploratory attempt to establish the feasibility of machine learning based stealthy DI attacks. In this paper, we use the least squares support vector regression (LSSVR) to demonstrate that point. The LSSVR has emerged as a popular data-driven modeling method, and it has uniform approximation ability for any complex nonlinear system [23]. As far as we know, there is no LSSVR-based DI attack reported in the literature. Overall, the contributions of this work are threefold. First, we give a formal description of the LSSVR-based covert agent. Second, we present the procedure of how to train a covert agent model. Third, we provide a case study of a continuous stirred tank heater (CSTH) pilot plant to illustrate and demonstrate the effectiveness of the covert agent.

It is necessary to mention that the purpose of this work is not to facilitate stealthy attacks but to disclose the potential attacks where the attackers do not need any prior model knowledge of physical systems and to encourage the corresponding research of the defending methods. The rest of this paper is organized as follows. Section 2 introduces the LSSVR for function estimation. Section 3 gives the covert agent model and the procedure of training the model. Section 4 is an overview of the experiments, and the experimental results are presented in Section 5. Finally, conclusions and future work are summarized in Section 6.

2. Least Squares Support Vector Regression (LSSVR)

The least squares support vector machine (LSSVM) is an alteration of the standard support vector machine (SVM) [24]. By changing the inequality constraints in SVR into equality ones, the LSSVM method can avoid the long and computationally difficult convex quadratic programming and thus largely speeds up training. The LSSVM for regression is called LSSVR, which has been extended and applied to forecasting by many studies [25–27]. In this section, we briefly introduce the LSSVR for function estimation.

Figure 1: Schematic diagrams for the proposed covert agent and the closely related stealthy attacks: (a) the subspace estimation based unobservable attack, (b) the proposed covert agent, (c) application of the proposed covert agent, and (d) the prior model knowledge based covert structure.

Given training set $\{x_k, y_k\}_{k=1}^{N}$, the regression function of LSSVR can be defined as follows:

$$y(x) = w^T \varphi(x) + b, \tag{1}$$

where $x \in \mathbb{R}^n$, $y \in \mathbb{R}$, and $\varphi(\cdot)$ is the mapping from the original feature space to the high dimensional feature space. $w$ is the coefficient vector and $b$ is a bias term. The optimization problem of LSSVR is given as follows:

$$\min_{w,b,e} J(w, e) = \frac{1}{2} w^T w + \gamma \frac{1}{2} \sum_{i=1}^{N} e_i^2 \quad \text{subject to } y_i = w^T \varphi(x_i) + b + e_i, \quad i = 1, 2, \ldots, N, \tag{2}$$

where $\gamma$ is the regularization parameter and $e_i$ is the slack variable for $x_i$. The Lagrangian is constructed as follows:

$$L(w, b, e, \alpha) = J(w, e) - \sum_{i=1}^{N} \alpha_i \left\{ w^T \varphi(x_i) + b + e_i - y_i \right\}, \tag{3}$$

where $\alpha_i$ ($i = 1, 2, \ldots, N$) are the Lagrange multipliers. The conditions for optimality are

$$\begin{aligned}
\frac{\partial L}{\partial w} &= 0 \longrightarrow w = \sum_{i=1}^{N} \alpha_i \varphi(x_i), \\
\frac{\partial L}{\partial b} &= 0 \longrightarrow \sum_{i=1}^{N} \alpha_i = 0, \\
\frac{\partial L}{\partial e_i} &= 0 \longrightarrow \alpha_i = \gamma e_i, \quad i = 1, \ldots, N, \\
\frac{\partial L}{\partial \alpha_i} &= 0 \longrightarrow y_i = w^T \varphi(x_i) + b + e_i, \quad i = 1, \ldots, N.
\end{aligned} \tag{4}$$

With the solution of

$$\begin{bmatrix} 0 & 1_v^T \\ 1_v & \Omega + \gamma^{-1} I \end{bmatrix} \begin{bmatrix} b \\ \alpha \end{bmatrix} = \begin{bmatrix} 0 \\ y \end{bmatrix}, \tag{5}$$

where $y = [y_1, \ldots, y_N]$, $1_v = [1, \ldots, 1]$, and $\Omega_{ij} = \varphi(x_i)^T \varphi(x_j) = K(x_i, x_j)$ for $i, j = 1, \ldots, N$, the LSSVR model for function estimation is

$$y(x) = \sum_{i=1}^{N} \alpha_i K(x_i, x) + b. \tag{6}$$

The kernel function $K(x_i, x)$ is any symmetric function that satisfies Mercer's condition. In this study, the radial basis function (RBF) is used as the kernel function due to its strong nonlinear modeling ability. The RBF is formulated as follows:

$$K(x_i, x_j) = \exp\left( -\frac{\left\| x_i - x_j \right\|^2}{2\sigma^2} \right). \tag{7}$$

Using RBF kernels, the LSSVR has only two tuning parameters, the regularization parameter ($\gamma$) and the kernel function parameter ($\sigma$), which is fewer than the tuning parameters of standard SVR.
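The following added example (not code from the paper or from LS-SVMlab) solves the linear system (5) directly and evaluates the model (6) with the RBF kernel (7), then checks the optimality conditions (4) numerically. The sample data, the values of $\gamma$ and $\sigma$, and all function names are constructed for illustration.

```python
import math


def rbf(a, b, sigma):
    """RBF kernel of (7): exp(-||a - b||^2 / (2 sigma^2))."""
    d2 = sum((p - q) ** 2 for p, q in zip(a, b))
    return math.exp(-d2 / (2.0 * sigma ** 2))


def solve(A, rhs):
    """Solve A x = rhs by Gaussian elimination with partial pivoting."""
    n = len(rhs)
    M = [row[:] + [r] for row, r in zip(A, rhs)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            raise ValueError("singular system")
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            for k in range(c, n + 1):
                M[r][k] -= f * M[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        s = M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))
        x[r] = s / M[r][r]
    return x


def lssvr_fit(X, y, gamma, sigma):
    """Build and solve system (5); returns (b, alpha)."""
    n = len(X)
    A = [[0.0] + [1.0] * n]                      # first row: [0, 1_v^T]
    for i in range(n):
        row = [1.0]                              # first column: 1_v
        for j in range(n):
            k = rbf(X[i], X[j], sigma)           # Omega_ij = K(x_i, x_j)
            row.append(k + (1.0 / gamma if i == j else 0.0))
        A.append(row)
    sol = solve(A, [0.0] + list(y))
    return sol[0], sol[1:]


def lssvr_predict(X, alpha, b, sigma, x):
    """Model (6): y(x) = sum_i alpha_i K(x_i, x) + b."""
    return sum(a * rbf(xi, x, sigma) for a, xi in zip(alpha, X)) + b


def demo(gamma=100.0, sigma=0.8):
    # Constructed sample: sin(x) on a grid plus a small deterministic ripple.
    X = [(-3.0 + 0.25 * i,) for i in range(25)]
    y = [math.sin(x[0]) + 0.02 * math.cos(7.0 * i) for i, x in enumerate(X)]
    b, alpha = lssvr_fit(X, y, gamma, sigma)
    # Residuals e_i = y_i - y(x_i). Conditions (4) require
    # alpha_i = gamma * e_i and sum(alpha) = 0.
    e = [yi - lssvr_predict(X, alpha, b, sigma, xi) for xi, yi in zip(X, y)]
    kkt_gap = max(abs(a - gamma * ei) for a, ei in zip(alpha, e))
    pred = lssvr_predict(X, alpha, b, sigma, (0.4,))   # unseen input
    return {"b": b, "sum_alpha": sum(alpha), "kkt_gap": kkt_gap, "pred_0.4": pred}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.6g}")
```

Because every training point receives a nonzero $\alpha_i = \gamma e_i$, the model is not sparse, and the cost of training is one dense $(N+1) \times (N+1)$ linear solve.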

3. Covert Agent Based on LSSVR

3.1. Covert Agent Model. Suppose that the physical plant is a linear time-invariant (LTI) process, which is modeled in a discrete-time state-space form [28, 29]:

$$\begin{aligned}
\mathbf{x}_{k+1} &= A \mathbf{x}_k + B \mathbf{u}_k, \\
\mathbf{y}_k &= C \mathbf{x}_k + \mathbf{w}_k,
\end{aligned} \tag{8}$$

where $\mathbf{x}_k \in R^m$ is the state variable, $\mathbf{u}_k \in R^q$ is the control input, and $\mathbf{y}_k \in R^p$ is the measurement vector. The measurement noise $\mathbf{w}_k \in R^p$ is an independent Gaussian noise vector with zero mean and covariance $Q > 0$. The system operates in closed loop, and the control input $\mathbf{u}_k$ is given by the feedback controller:

$$\mathbf{u}_k = K(\mathbf{y}_k), \tag{9}$$

where $K$ is the controller function that makes the closed-loop system stable.

We now consider the case where the attacker can both capture and inject the data transmitted via the network (i.e., $\mathbf{y}$ and $\mathbf{u}$). The control and sensory data are recorded by the attacker to generate the training dataset, which is described by the following notation:

(i) $T = \{1, 2, \ldots, k, \ldots, n\}$ is a set of sampling instants over a finite time window.

(ii) $Y = \{\mathbf{y}_1, \ldots, \mathbf{y}_k, \ldots, \mathbf{y}_n\}$ is a dataset of output variables captured over the sampling time window $T$.

(iii) $U = \{\mathbf{u}_1, \ldots, \mathbf{u}_k, \ldots, \mathbf{u}_n\}$ is a dataset of input variables captured over the sampling time window $T$.

(iv) $\mathbf{y}_k = \{y_k^1, \ldots, y_k^j, \ldots, y_k^p\}$ is a data record of output variables at the $k$th time instant.

(v) $\mathbf{u}_k = \{u_k^1, \ldots, u_k^i, \ldots, u_k^q\}$ is a data record of input variables at the $k$th time instant.

(vi) $y_k^j$ denotes the value of the $j$th output variable at the $k$th time instant.

(vii) $u_k^i$ denotes the value of the $i$th input variable at the $k$th time instant.

(viii) $J = \{1, 2, \ldots, j, \ldots, p\}$ is a set of output variables of the physical plant.

(ix) $I = \{1, 2, \ldots, i, \ldots, q\}$ is a set of input variables of the physical plant.

From the system model in (8), we have

$$\begin{aligned}
\mathbf{y}_k &= C \mathbf{x}_k + \mathbf{w}_k, \\
\mathbf{y}_{k+1} &= C A \mathbf{x}_k + C B \mathbf{u}_k + \mathbf{w}_{k+1}.
\end{aligned} \tag{10}$$

If $C^T C$ is nonsingular, then we can obtain

$$\mathbf{y}_{k+1} - \mathbf{w}_{k+1} = C A (C^T C)^{-1} C^T (\mathbf{y}_k - \mathbf{w}_k) + C B \mathbf{u}_k. \tag{11}$$

In order to reduce the effect of Gaussian noise, a wavelet filter $W(\cdot)$ is applied to the data. The filtered data are given by

$$\bar{\mathbf{y}}_{k+1} = W(\mathbf{y}_{k+1}), \qquad \bar{\mathbf{y}}_k = W(\mathbf{y}_k), \tag{12}$$

and the estimated noises are

$$\hat{\mathbf{w}}_{k+1} = \mathbf{y}_{k+1} - W(\mathbf{y}_{k+1}), \qquad \hat{\mathbf{w}}_k = \mathbf{y}_k - W(\mathbf{y}_k). \tag{13}$$

Based on (12) and (13), (11) can be rewritten as

$$\bar{\mathbf{y}}_{k+1} = C A (C^T C)^{-1} C^T \bar{\mathbf{y}}_k + C B \mathbf{u}_k + \mathbf{e}_{k+1}, \tag{14}$$

where

$$\mathbf{e}_{k+1} = C A (C^T C)^{-1} C^T (\hat{\mathbf{w}}_k - \mathbf{w}_k) + \mathbf{w}_{k+1} - \hat{\mathbf{w}}_{k+1}. \tag{15}$$

Figure 2: Procedure of training the covert agent model.

Assume that the signal noise can be well filtered by $W(\cdot)$ and the error $\mathbf{e}_{k+1}$ can be ignored. Then (14) changes to

$$\bar{\mathbf{y}}_{k+1} \approx C A (C^T C)^{-1} C^T \bar{\mathbf{y}}_k + C B \mathbf{u}_k = F(\bar{\mathbf{y}}_k, \mathbf{u}_k). \tag{16}$$

Without the prior knowledge of $A$, $B$, and $C$, we use the LSSVR to obtain the estimate $\hat{F}$ of $F$ from the training data with the input $[\bar{\mathbf{y}}_k, \mathbf{u}_k]$ and the output $\bar{\mathbf{y}}_{k+1}$. However, for each $\bar{y}_{k+1}^j$ in $\bar{\mathbf{y}}_{k+1}$, we do not have the knowledge of the relatedness between $\bar{y}_{k+1}^j$ and the other variables. For the relatedness between $\bar{y}_{k+1}^j$ and $\mathbf{u}_k$, we keep it loose and select all $\mathbf{u}_k$ as the input data. For the relatedness between $\bar{y}_{k+1}^j$ and $\bar{\mathbf{y}}_k$, we select $\bar{y}_k^j$ as the input for the reason that the sample $\bar{y}_k^j$ is heavily correlated with the next sample $\bar{y}_{k+1}^j$ in a physical process. Therefore, the function estimation $\hat{F}$ of $F$ is given by

$$\hat{F} = \{\hat{f}_1, \ldots, \hat{f}_j, \ldots, \hat{f}_p\}, \tag{17}$$

where

$$\hat{f}_j = \text{LSSVR\_train}\left(\bar{y}_{k+1}^j, [\bar{y}_k^j, \mathbf{u}_k]\right). \tag{18}$$

Then the prediction $\hat{\bar{\mathbf{y}}}_{n+1}$ of $\bar{\mathbf{y}}_{n+1}$ can be expressed as

$$\hat{\bar{\mathbf{y}}}_{n+1} = \{\hat{\bar{y}}_{n+1}^1, \ldots, \hat{\bar{y}}_{n+1}^j, \ldots, \hat{\bar{y}}_{n+1}^p\}, \tag{19}$$

where

$$\hat{\bar{y}}_{n+1}^j = \begin{cases} \hat{f}_j(\bar{y}_{t_s}^j, \mathbf{u}_{t_s}), & n = t_s, \\ \hat{f}_j(\hat{\bar{y}}_n^j, \mathbf{u}_n), & n > t_s, \end{cases} \tag{20}$$

where $t_s$ is the start time when the physical plant is covered by the covert agent. From (12) and (13), we have the output of the covert agent, which is the estimation $\hat{\mathbf{y}}_{n+1}$ of $\mathbf{y}_{n+1}$, that is,

$$\hat{\mathbf{y}}_{n+1} = \hat{\bar{\mathbf{y}}}_{n+1} + \hat{\mathbf{w}}_{n+1}. \tag{21}$$

Figure 3: The continuous stirred tank heater.

Figure 4: Normal data acquired from the closed-loop CSTH system with the standard operating condition. [Plots: control signals $u_1$, $u_2$ (mA) and measurements $y_1$, $y_2$, $y_3$ (mA) versus time (s).]

Figure 5: Setups of the experiments: (a) the proposed covert agent and (b) the replay attack.

3.2. Procedure of Training the Covert Agent Model. The training of the covert agent model consists of three phases: (1) data recording phase, (2) model training phase, and (3) output predicting phase. In the first phase, the control and sensory data are recorded to generate a training dataset $Y$ and $U$, which will be used to train the covert plant model in the second phase. As shown in Figure 2, the dataset $Y$ is firstly preprocessed to generate the required data for training each LSSVR model. Then optimal parameters $\gamma$ and $c$ for each LSSVR are obtained through the automated grid search with $n$-fold cross-validation [30] on the training data. Finally, the outputs of this phase are $p$ LSSVR models; that is, there is a LSSVR model for each output variable of the physical plant. In the third phase, as described in the previous subsection, the predictions $\hat{\mathbf{y}}$ are generated based on the LSSVR models, and they are fed back to the controller to cover the real outputs of the physical plant.

4. Experiment Overview

The covert loop is illustrated by a case study of a continuous stirred tank heater (CSTH) pilot plant. In this section, the CSTH Simulink platform is briefly introduced and the experiment setup is presented. Moreover, the assessment method used to evaluate the experimental results is also presented.

4.1. The CSTH Simulink Platform. The configuration of the CSTH plant is shown in Figure 3. Hot water and cold water are mixed in a stirred tank, heated by steam through a heating coil, and drained from the tank through a long pipe. A more detailed description of the CSTH model can be found in [31].

Our experiment is based on the CSTH Simulink model with closed-loop control, which is provided by Thornhill et al. (http://personal-pages.ps.ic.ac.uk/~nina/CSTHSimulation/index.htm). Under the closed-loop control, the CSTH model runs to a steady state from a nonsteady initial condition. The steady-state valve positions and instrument conditions in this experimental case are shown in Table 1 [31]. The simulation input and output represent electronic signals on 4–20 mA scale. The inputs to the CSTH are control signals of the cold water and steam valves. The outputs are electronic measurements from the temperature, level, and cold water flow.

Based on the CSTH basic Simulink model, Gaussian noises are added to the three outputs of the CSTH. Figure 4 shows the normal control signals and measurements under the closed-loop control. The default simulation time is 1000 s, and the default sampling rate is 3600 samples per hour (s/h). The "nonsteady" initial phase of the CSTH plant lasts for about 150 seconds (s) and is excluded from all the experiments in this paper.

Figure 6: Data from Observer 1 in the covert agent experiment. [Panels: (a) level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) versus time (s), covert versus normal; (b) CUSUM control charts (standard errors versus time).]

4.2. Experiment Setup. The CSTH plant depicted in Figure 3 is simulated in Matlab/Simulink, and its execution starts with the predefined base values. The covert agent is constructed based on the LSSVR method, which is available in the free LS-SVMlab toolbox (http://www.esat.kuleuven.be/sista/lssvmlab). In addition, the cumulative sum (CUSUM) algorithm is used to evaluate the stealthy time, which will be introduced in the next subsection. The setups of the experiments are illustrated in Figure 5. In order to better assess the stealthiness of the covert agent, we use the replay attack as a comparison and set up two observers to get the experimental data in the simulation. Observer 1 is used to capture the sensor data (i.e., $y_1$, $y_2$, and $y_3$), and Observer 2 is used to capture the output of the controller (i.e., $u_1$ and $u_2$).

4.3. Assessment Method. In order to evaluate experimental results, the stealthy time $\tau$ is used, and it is defined as

$$\tau = t_e - t_s, \tag{22}$$

where $t_s$ is the start time of the covert agent or the replay attack and $t_e$ is the time when an anomaly is detected. A longer stealthy time is favorable to the attackers, as they can have more time to make the physical plant go into an unsafe state while remaining stealthy with respect to the anomaly detectors. In this paper, the anomaly detector is designed based on the CUSUM algorithm, which is one of the most commonly used algorithms for change detection problems [14]. Mathematical details of the CUSUM method can be found in [32].

Figure 7: Data from Observer 2 in the covert agent experiment. [Panels: (a) cold water valve $u_1$ and steam valve $u_2$ (mA) versus time (s), covert versus normal; (b) CUSUM control charts (standard errors versus time).]

Table 1: Standard operating conditions.

| Variables | Operating conditions (mA) | Variable in simulations |
| Cold water valve | 12.96 | $u_1$ |
| Cold water flow | 11.89 | $y_2$ |
| Steam valve | 12.57 | $u_2$ |
| Level | 12.00 | $y_1$ |
| Temperature | 10.50 | $y_3$ |

Figure 8: Data from Observer 1 in the replay attack experiment. [Panels: level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) versus time (s), replay versus normal, each with a CUSUM control chart (standard errors versus time).]

Figure 9: Data from Observer 2 in the replay attack experiment. [Panels: cold water valve $u_1$ and steam valve $u_2$ (mA) versus time (s), replay versus normal, each with a CUSUM control chart (standard errors versus time).]

5. Experimental Results

In this study, we capture data from the two observers within the time window [201 s, 400 s] in a normal process and use them as the training or replaying data in the experiments. In order to get the statistical results, we run 100 simulations for the covert agent and the replay attack, respectively. In each individual simulation run, the covert agent or the replay attack starts at a random time $t$, where 500 s ⩽ $t$ ⩽ 800 s (time is discrete), and persists for 200 seconds.

To get the corresponding stealthy time, the CUSUM algorithm is applied to the data that are obtained from the two observers in the simulations. The thresholds in the CUSUM algorithm are determined based on the normal data in the time window ranging from 200 s to 1000 s, and each threshold is selected under the condition that it will not cause any false alarm on the normal data. In this section, we first introduce a covert agent experiment and a replay attack experiment. Then, we give the statistical results of all the experimental tests.
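The assessment described in Section 4.3 and in the paragraph above (a CUSUM detector whose threshold is the tightest one that raises no false alarm on normal data, and the stealthy time $\tau = t_e - t_s$ measured against it) can be sketched from the monitoring side as follows. This is an added example, not the authors' code: the two-sided tabular CUSUM form, the slack value, and the constructed sensor trace with its injected offsets are assumptions made for illustration.

```python
import random
import statistics

SLACK = 0.5  # assumed allowance k, in standard deviations (not from the paper)


def cusum_chart(samples, mean, std, slack=SLACK):
    """Two-sided tabular CUSUM on standardized samples.

    Returns max(S+, S-) for every sample, where S+ accumulates upward
    drift and S- accumulates downward drift from the reference mean.
    """
    if std <= 0:
        raise ValueError("reference data has no variance")
    s_hi = s_lo = 0.0
    chart = []
    for x in samples:
        z = (x - mean) / std
        s_hi = max(0.0, s_hi + z - slack)
        s_lo = max(0.0, s_lo - z - slack)
        chart.append(max(s_hi, s_lo))
    return chart


def calibrate(normal):
    """Fit mean/std on attack-free data and pick the smallest threshold
    that raises no alarm on that same data (the paper's selection rule)."""
    mean = statistics.fmean(normal)
    std = statistics.pstdev(normal)
    threshold = max(cusum_chart(normal, mean, std))
    return {"mean": mean, "std": std, "threshold": threshold}


def first_alarm(samples, detector, start=0):
    """Index of the first sample at or after `start` whose CUSUM statistic
    exceeds the threshold, or None if the trace never alarms."""
    chart = cusum_chart(samples, detector["mean"], detector["std"])
    for k in range(start, len(chart)):
        if chart[k] > detector["threshold"]:
            return k
    return None


def stealthy_time(samples, detector, t_s, period=1.0):
    """tau = t_e - t_s in seconds; None means no alarm within the trace."""
    t_e = first_alarm(samples, detector, start=t_s)
    return None if t_e is None else (t_e - t_s) * period


def inject_offset(normal, t_s, duration, offset):
    """Constructed manipulation: add a constant offset for `duration` samples."""
    out = list(normal)
    for k in range(t_s, min(len(out), t_s + duration)):
        out[k] += offset
    return out


def demo(seed=7):
    rng = random.Random(seed)
    # Constructed trace: 800 one-second samples (t = 200 s .. 999 s) of a
    # 4-20 mA sensor signal around 12 mA with bounded noise.
    normal = [12.0 + rng.uniform(-0.05, 0.05) for _ in range(800)]
    det = calibrate(normal)
    t_s = 301  # index of t = 501 s when index 0 is t = 200 s
    gross = inject_offset(normal, t_s, 200, 6.0 * det["std"])
    subtle = inject_offset(normal, t_s, 200, 1.0 * det["std"])
    return {
        "false_alarm": first_alarm(normal, det),
        "tau_gross": stealthy_time(gross, det, t_s),
        "tau_subtle": stealthy_time(subtle, det, t_s),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the same calibration per channel (each $y_j$ and each $u_i$) mirrors the two-observer setup: a manipulation that stays below the threshold on the sensor channels can still alarm on the controller output.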

5.1. The Covert Agent and Replay Attack Experiments. In the two experiments, the covert agent and the replay attack are both started at the time $t$ = 501 s. Figures 6 and 7 show the results of the covert agent experiment. Figures 6(a) and 7(a) show a comparison of data with and without a covert agent, and Figures 6(b) and 7(b) show the detection of the changes using the CUSUM algorithm. In comparison, Figures 8 and 9 show the results of the replay attack experiment.

From Figures 6 and 8, we can see that the covert agent is able to imitate the behaviors of the three output variables over a finite time window, just like the replay attack does. What is more, the peaks of the CUSUM standard errors in the covert agent experiment are smaller than the ones in the replay attack experiment, which means that the covert agent has better stealthiness and can avoid being detected by the CUSUM with a lower threshold. From Figures 7 and 9, we can see that the covert agent can also keep the control output stealthy, but the replay attack causes anomalies in the controller's output.


Figure 10: Statistical results of the covert agent experiments. [Plots not reproduced: (a) histograms of the number of simulations versus stealthy time (s) under CUSUM for $y_1$, $y_2$, $y_3$ and for $u_1$, $u_2$; (b) the corresponding empirical CDFs (cumulative distribution versus stealthy time (s)).]

5.2. Statistical Results. Figure 10 shows the statistical results of the 100 simulations on the covert agent. Figure 10(a) provides the number distributions of the stealthy time by histograms, and Figure 10(b) gives the proportion distributions by the empirical cumulative distribution function (CDF). The empirical CDF $F(x)$ is defined as the proportion of the values less than or equal to $x$. As can be seen, the stealthy time is longer than 40 seconds in most of the covert agent simulations. Figure 11 shows the statistical results of the 100 simulations on the replay attack. Although the replayed sensor data can avoid being detected by the CUSUM detector, it is more likely to induce an abnormal behavior in the controller's output. More specifically, for the control variable $u_1$, the stealthy time is no more than 40 seconds in all the replay attack simulations.

6. Conclusions and Future Work

This paper has investigated the design problem of machine learning based stealthy DI attacks on industrial control systems. A LSSVR-based covert agent has been presented to estimate the model of the physical system, by which attackers can carry out a stealthy DI attack without the need of prior model knowledge of the physical system. The experimental results demonstrate that the covert loop can keep the control output and sensor data both stealthy over a finite time window. For future work, the proposed covert agent can be further extended to a two-loop covert structure in which an attack agent can be added. In addition, it is also interesting to investigate the detecting methods of the LSSVR-based attacks.

Figure 11: Statistical results of the replay attack experiments. [Plots not reproduced: histograms of the number of simulations versus stealthy time (s) under CUSUM for $u_1$ and $u_2$, and the corresponding empirical CDFs (cumulative distribution versus stealthy time (s)).]

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Key Research and Development Program (no. 2016 YFB1001404) and the National Natural Science Foundation of China (Normal Projects no. 61672093 and no. 61432004).

References

[1] C. Zhou, S. Huang, N. Xiong et al., "Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation," IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45, no. 10, pp. 1345–1360, 2015.

[2] T. Cruz, L. Rosa, J. Proenca et al., "A cybersecurity detection framework for supervisory control and data acquisition systems," IEEE Transactions on Industrial Informatics, vol. 12, no. 6, pp. 2236–2246, 2016.

[3] S. McLaughlin, C. Konstantinou, X. Wang et al., "The Cybersecurity Landscape in Industrial Control Systems," Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, 2016.

[4] M. Cheminod, L. Durante, and A. Valenzano, "Review of security issues in industrial networks," IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 277–293, 2013.

[5] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, "False data injection on state estimation in power systems—attacks, impacts, and defense: a survey," IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2017.

[6] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, "Secure control systems: a quantitative risk management approach," IEEE Control Systems Magazine, vol. 35, no. 1, pp. 24–45, 2015.

[7] C. Kwon, W. Liu, and I. Hwang, "Security analysis for Cyber-Physical Systems against stealthy deception attacks," in Proceedings of the 2013 1st American Control Conference, ACC 2013, pp. 3344–3349, USA, June 2013.

[8] Z.-H. Pang, G.-P. Liu, D. Zhou, F. Hou, and D. Sun, "Two-channel false data injection attacks against output tracking control of networked systems," IEEE Transactions on Industrial Electronics, vol. 63, no. 5, pp. 3242–3251, 2016.

[9] A. Teixeira, H. Sandberg, and K. H. Johansson, "Strategic stealthy attacks: The output-to-output l2-gain," in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 2582–2587, Japan, December 2015.

[10] H. Sedghi and E. Jonckheere, "Statistical structure learning to ensure data integrity in smart grid," IEEE Transactions on Smart Grid, vol. 6, no. 4, pp. 1924–1933, 2015.

[11] K. Manandhar, X. Cao, F. Hu, and Y. Liu, "Detection of faults and attacks including false data injection attack in smart grid using Kalman filter," IEEE Transactions on Control of Network Systems, vol. 1, no. 4, pp. 370–379, 2014.

[12] A. Dutta and C. Langbort, "Stealthy output injection attacks on control systems with bounded variables," International Journal of Control, vol. 90, no. 7, pp. 1389–1402, 2017.

[13] R. S. Smith, "Covert misappropriation of networked control systems: presenting a feedback structure," IEEE Control Systems Magazine, vol. 35, no. 1, pp. 82–92, 2015.

[14] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, "Attacks against process control systems: risk assessment, detection, and response," in Proceedings of the 6th International Symposium on Information, Computer and Communications Security (ASIACCS '11), pp. 355–366, Hong Kong, March 2011.

[15] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, "A secure control framework for resource-limited adversaries," Automatica, vol. 51, pp. 135–148, 2015.

[16] D. I. Urbina, J. Giraldo, A. A. Cardenas et al., "Limiting the impact of stealthy attacks on Industrial Control Systems," in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1092–1105, Austria, October 2016.

[17] X. Dai and Z. Gao, "From model, signal to knowledge: A data-driven perspective of fault detection and diagnosis," IEEE Transactions on Industrial Informatics, vol. 9, no. 4, pp. 2226–2238, 2013.

[18] Z. Yu and W. Chin, "Blind false data injection attack using pca approximation method in smart grid," IEEE Transactions on Smart Grid, vol. 6, no. 3, pp. 1219–1226, 2015.

[19] A. Anwar and A. N. Mahmood, "Stealthy and blind false injection attacks on SCADA EMS in the presence of gross errors," in Proceedings of the 2016 IEEE Power and Energy Society General Meeting, PESGM 2016, USA, July 2016.

[20] A. Anwar, A. N. Mahmood, and M. Pickering, "Modeling and performance evaluation of stealthy false data injection attacks on smart grid in the presence of corrupted measurements," Journal of Computer and System Sciences, vol. 83, no. 1, pp. 58–72, 2017.

[21] Y. Yuan and Y. Mo, "Security in cyber-physical systems: Controller design against Known-Plaintext Attack," in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 5814–5819, Japan, December 2015.

[22] J. Kim, L. Tong, and R. J. Thomas, "Subspace methods for data attack on state estimation: a data driven approach," IEEE Transactions on Signal Processing, vol. 63, no. 5, pp. 1102–1114, 2015.

[23] X. Lu, W. Zou, and M. Huang, "A novel spatiotemporal LS-SVM method for complex distributed parameter systems with applications to curing thermal process," IEEE Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1156–1165, 2016.

[24] J. A. K. Suykens and J. Vandewalle, "Least squares support vector machine classifiers," Neural Processing Letters, vol. 9, no. 3, pp. 293–300, 1999.

[25] F. Kaytez, M. C. Taplamacioglu, E. Cam, and F. Hardalac, "Forecasting electricity consumption: a comparison of regression analysis, neural networks and least squares support vector machines," International Journal of Electrical Power & Energy Systems, vol. 67, pp. 431–438, 2015.

[26] H. C. Jung, J. S. Kim, and H. Heo, "Prediction of building energy consumption using an improved real coded genetic algorithm based least squares support vector machine approach," Energy and Buildings, vol. 90, pp. 76–84, 2015.

[27] M. K. Goyal, B. Bharti, J. Quilty, J. Adamowski, and A. Pandey, "Modeling of daily pan evaporation in sub tropical climates using ANN, LS-SVR, fuzzy logic, and ANFIS," Expert Systems with Applications, vol. 41, no. 11, pp. 5267–5276, 2014.

[28] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, "Revealing stealthy attacks in control systems," in Proceedings of the 2012 50th Annual Allerton Conference on Communication, Control, and Computing, Allerton 2012, pp. 1806–1813, USA, October 2012.

[29] G. Wu and J. Sun, "Optimal data integrity attack on actuators in Cyber-Physical Systems," in Proceedings of the 2016 American Control Conference, American Automatic Control Council (AACC) (ACC '16), pp. 1160–1164, USA, July 2016.

[30] C. Staelin, "Parameter selection for support vector machines," Hewlett-Packard Company, 2003, Tech. Rep. HPL-2002-354R1.

[31] N. F. Thornhill, S. C. Patwardhan, and S. L. Shah, "A continuous stirred tank heater simulation model with applications," Journal of Process Control, vol. 18, no. 3-4, pp. 347–360, 2008.

[32] L. Koepcke, G. Ashida, and J. Kretzberg, "Single and multiple change point detection in spike trains: Comparison of different CUSUM methods," Frontiers in Systems Neuroscience, vol. 10, article no. 51, 2016.



the physical model and the detection scheme but also could adapt to different detection thresholds.

As discussed before, most prior works on stealthy DI attacks are based on various assumptions that attackers have model knowledge of target systems at different levels. However, there is no description of how such model knowledge can be obtained by an attacker. Although the assumptions of model knowledge are very useful for identifying subtle and stealthy malicious attacks, it may be difficult to acquire such prior knowledge in many practical scenarios, where explicit models of physical systems are usually not available directly [17].

Recently, increasing attention has been paid to stealthy DI attacks without the prior model knowledge of physical systems. Unlike the studies discussed before, Yu and Chin [18] proposed a principal component analysis (PCA) based method to design blind FDI attacks, which did not need any prior knowledge of the Jacobian matrix in smart grid. Furthermore, Anwar and Mahmood [19] clarified that the PCA based blind attack strategy was only valid for the measurements with Gaussian noises. In the case of gross errors, they proposed the accelerated proximal gradient (APG) method to circumvent the gross error issue and construct stealthy attacks. Most recently, in [20], the authors proposed a sparse optimization based stealthy attacks construction strategy and demonstrated how FDI attacks could be constructed blindly, that is, without the system model knowledge. However, unfortunately, these three studies were closely related to the smart grid, and the proposed methods were designed for the approximation of the Jacobian matrix.

In the framework of a general dynamic cyberphysical system (CPS), Yuan and Mo [21] applied the classical system identification technique to the construction of stealthy attacks. The spectral factorization based method was used to identify the transfer function of the physical system by observing the input-output data from the system. Furthermore, they proved a necessary condition and a sufficient condition under which the perfect model of the system could be successfully identified. However, such conditions are overly restrictive for widespread applications. In fact, it is more realistic to consider that the identified model of the system is not perfect. That is, there is a model error between the identified model and the real system model. Motivated by this consideration, we explored the possibility that an attacker can carry out stealthy DI attacks on the ICS by identifying a not so perfect model of the system.

The most similar work to ours is the recent study of Kim et al. [22], where a subspace estimation method was used to estimate a system operating subspace from sensor measurements. Based on the subspace information, stealthy attacks could be constructed without the need of prior system model knowledge. As shown in Figure 1(a), the unobservable attack is launched by adding a corresponding perturbation to the sensor data, and the modified sensor data can avoid being detected by the anomaly detector. However, because the ultimate objective of the attack is to disrupt the system's behavior, the controller's output will be abnormal. Another similar case is the replay attack, which also does not require any prior knowledge. It gathers sequences of data for a certain amount of time and afterwards just repeats the recorded data. Teixeira et al. [15] introduced an interesting instance of this attack scenario, which consists of applying a physical attack to the plant while using the replay attack to render the physical attack stealthy. However, the replay attack on the sensor data could also cause anomalies in the controller's output, and this point will be revealed later in our experiments.

Our goal is to design a covert agent to keep the controller's input and output both stealthy over a finite time window. To this end, we propose a function estimation based covert agent, as shown in Figure 1(b). The proposed covert agent can be used to construct a two-loop covert structure in Figure 1(c), which consists of two loops: the covert loop and the attack loop. In comparison, Figure 1(d) shows a typical structure of the prior model knowledge based covert attack [13]. The core idea of such structure is to calculate the attack effect on the plant output measurements and subtract the effect from the measured plant output. By contrast, in the two-loop covert structure, the covert loop covers up the effect of the real attack on the physical plant by closely imitating the expected behavior of the physical plant over a finite time window. For the sake of concentrating on the stealthiness, this paper will be restricted to the construction of the covert loop and will not deal with the attack loop.

The main contribution of this paper is the exploratory attempt to establish the feasibility of machine learning based stealthy DI attacks. In this paper, we use the least squares support vector regression (LSSVR) to demonstrate that point. The LSSVR has emerged as a popular data-driven modeling method, and it has uniform approximation ability for any complex nonlinear system [23]. As far as we know, there is no LSSVR-based DI attack reported in the literature. Overall, the contributions of this work are threefold. First, we give a formal description of the LSSVR-based covert agent. Second, we present the procedure of how to train a covert agent model. Third, we provide a case study of a continuous stirred tank heater (CSTH) pilot plant to illustrate and demonstrate the effectiveness of the covert agent.

It is necessary to mention that the purpose of this work is not to facilitate stealthy attacks but to disclose the potential attacks where the attackers do not need any prior model knowledge of physical systems and to encourage the corresponding research of the defending methods. The rest of this paper is organized as follows. Section 2 introduces the LSSVR for function estimation. Section 3 gives the covert agent model and the procedure of training the model. Section 4 is an overview of the experiments, and the experimental results are presented in Section 5. Finally, conclusions and future work are summarized in Section 6.

2. Least Squares Support Vector Regression (LSSVR)

The least squares support vector machine (LSSVM) is an alteration of the standard support vector machine (SVM) [24]. By changing the inequality constraints in SVR into equality ones, the LSSVM method can avoid the long and computationally difficult convex quadratic programming and thus largely speeds up training. The LSSVM for regression is called LSSVR, which has been extended and applied to forecasting by many studies [25–27]. In this section, we briefly introduce the LSSVR for function estimation.

Figure 1: Schematic diagrams for the proposed covert agent and the closely related stealthy attacks. (a) The subspace estimation based unobservable attack, (b) the proposed covert agent, (c) application of the proposed covert agent, and (d) the prior model knowledge based covert structure. [Diagrams not reproduced.]

Given training set $\{x_k, y_k\}_{k=1}^{N}$, the regression function of LSSVR can be defined as follows:

$$y(x) = w^T \varphi(x) + b, \tag{1}$$

where $x \in \mathbb{R}^n$, $y \in \mathbb{R}$, and $\varphi(\cdot)$ is the mapping from the original feature space to the high dimensional feature space. $w$ is the coefficient vector and $b$ is a bias term. The optimization problem of LSSVR is given as follows:

$$\begin{aligned}
\min_{w,b,e}\; & J(w, e) = \frac{1}{2} w^T w + \gamma \frac{1}{2} \sum_{i=1}^{N} e_i^2 \\
\text{subject to}\; & y_i = w^T \varphi(x_i) + b + e_i, \quad i = 1, 2, \ldots, N,
\end{aligned} \tag{2}$$

where $\gamma$ is the regularization parameter and $e_i$ is the slack variable for $x_i$. The Lagrangian is constructed as follows:

$$L(w, b, e, \alpha) = J(w, e) - \sum_{i=1}^{N} \alpha_i \left\{ w^T \varphi(x_i) + b + e_i - y_i \right\}, \tag{3}$$

where $\alpha_i$ ($i = 1, 2, \ldots, N$) are the Lagrange multipliers. The conditions for optimality are

$$\begin{aligned}
\frac{\partial L}{\partial w} = 0 &\rightarrow w = \sum_{i=1}^{N} \alpha_i \varphi(x_i), \\
\frac{\partial L}{\partial b} = 0 &\rightarrow \sum_{i=1}^{N} \alpha_i = 0, \\
\frac{\partial L}{\partial e_i} = 0 &\rightarrow \alpha_i = \gamma e_i, \quad i = 1, \ldots, N, \\
\frac{\partial L}{\partial \alpha_i} = 0 &\rightarrow y_i = w^T \varphi(x_i) + b + e_i, \quad i = 1, \ldots, N.
\end{aligned} \tag{4}$$

With the solution of

$$\begin{bmatrix} 0 & 1_v^T \\ 1_v & \Omega + \gamma^{-1} I \end{bmatrix} \begin{bmatrix} b \\ \alpha \end{bmatrix} = \begin{bmatrix} 0 \\ y \end{bmatrix}, \tag{5}$$

where $y = [y_1, \ldots, y_N]$, $1_v = [1, \ldots, 1]$, and $\Omega_{ij} = \varphi(x_i)^T \varphi(x_j) = K(x_i, x_j)$ for $i, j = 1, \ldots, N$, the LSSVR model for function estimation is

$$y(x) = \sum_{i=1}^{N} \alpha_i K(x_i, x) + b. \tag{6}$$

The kernel function $K(x_i, x)$ is any symmetric function that satisfies Mercer's condition. In this study, the radial basis function (RBF) is used as the kernel function due to its strong nonlinear modeling ability. The RBF is formulated as follows:

$$K(x_i, x_j) = \exp\left( -\frac{\left\| x_i - x_j \right\|^2}{2\sigma^2} \right). \tag{7}$$

Using RBF kernels, the LSSVR has only two tuning parameters, the regularization parameter ($\gamma$) and the kernel function parameter ($\sigma$), which is fewer than the tuning parameters of standard SVR.
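Equations (5) to (7) can be exercised directly: the added example below (not code from the paper) builds the linear system (5) with the RBF kernel (7), solves it, predicts with (6), and checks two of the optimality conditions in (4). The sample function, the values of $\gamma$ and $\sigma$, and the plain Gaussian-elimination solver are assumptions chosen for illustration.

```python
import math


def rbf(a, b, sigma):
    """RBF kernel of equation (7): exp(-||a - b||^2 / (2 sigma^2))."""
    d2 = sum((p - q) ** 2 for p, q in zip(a, b))
    return math.exp(-d2 / (2.0 * sigma ** 2))


def solve(matrix, rhs):
    """Solve matrix * x = rhs by Gaussian elimination with partial pivoting."""
    n = len(rhs)
    m = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for c in range(n):
        pivot = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[pivot] = m[pivot], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for j in range(c, n + 1):
                m[r][j] -= f * m[c][j]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        tail = sum(m[r][j] * x[j] for j in range(r + 1, n))
        x[r] = (m[r][n] - tail) / m[r][r]
    return x


def lssvr_fit(X, y, gamma, sigma):
    """Build and solve the (N+1) x (N+1) system of equation (5).

    Returns (b, alpha). Row 0 encodes sum(alpha) = 0; row i encodes
    y_i = sum_j alpha_j K(x_i, x_j) + b + alpha_i / gamma.
    """
    n = len(X)
    system = [[0.0] + [1.0] * n]
    for i in range(n):
        row = [1.0]
        for j in range(n):
            k = rbf(X[i], X[j], sigma)
            row.append(k + (1.0 / gamma if i == j else 0.0))
        system.append(row)
    solution = solve(system, [0.0] + list(y))
    return solution[0], solution[1:]


def lssvr_predict(X, alpha, b, sigma, x):
    """Function estimate of equation (6)."""
    return sum(a * rbf(xi, x, sigma) for a, xi in zip(alpha, X)) + b


def demo():
    # Constructed training set: 30 noise-free samples of sin(x) on [0, 2*pi].
    X = [[2.0 * math.pi * i / 29.0] for i in range(30)]
    y = [math.sin(x[0]) for x in X]
    gamma, sigma = 100.0, 1.0  # assumed tuning values, not from the paper
    b, alpha = lssvr_fit(X, y, gamma, sigma)
    fitted = [lssvr_predict(X, alpha, b, sigma, x) for x in X]
    return {
        # Condition dL/db = 0 in (4): the multipliers sum to zero.
        "sum_alpha": sum(alpha),
        # Condition dL/de_i = 0 in (4): residual e_i equals alpha_i / gamma.
        "max_kkt_gap": max(abs((yi - fi) - ai / gamma)
                           for yi, fi, ai in zip(y, fitted, alpha)),
        # Accuracy at a point that is not in the training set.
        "error_at_1": abs(lssvr_predict(X, alpha, b, sigma, [1.0])
                          - math.sin(1.0)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because training reduces to one linear solve, the cost is dominated by the $N \times N$ kernel matrix, which is the speed-up over quadratic programming that this section describes.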

3. Covert Agent Based on LSSVR

3.1. Covert Agent Model. Suppose that the physical plant is a linear time-invariant (LTI) process, which is modeled in a discrete-time state-space form [28, 29]:

$$\begin{aligned}
\mathbf{x}_{k+1} &= A\mathbf{x}_k + B\mathbf{u}_k, \\
\mathbf{y}_k &= C\mathbf{x}_k + \mathbf{w}_k,
\end{aligned} \tag{8}$$

where $\mathbf{x}_k \in R^m$ is the state variable, $\mathbf{u}_k \in R^q$ is the control input, and $\mathbf{y}_k \in R^p$ is the measurement vector. The measurement noise $\mathbf{w}_k \in R^p$ is independent Gaussian noise vector with zero mean and covariance $Q > 0$. The system operates in closed loop, and the control input $\mathbf{u}_k$ is given by the feedback controller

$$\mathbf{u}_k = K(\mathbf{y}_k), \tag{9}$$

where $K$ is the controller function that makes the closed-loop system stable.

We now consider the case where the attacker can both capture and inject the data transmitted via the network (i.e., $\mathbf{y}$ and $\mathbf{u}$). The control and sensory data are recorded by the attacker to generate the training dataset, which is described by the following notation:

(i) $T = \{1, 2, \ldots, k, \ldots, n\}$ is a set of sampling instants over a finite time window.

(ii) $Y = \{\mathbf{y}_1, \ldots, \mathbf{y}_k, \ldots, \mathbf{y}_n\}$ is a dataset of output variables captured over the sampling time window $T$.

(iii) $U = \{\mathbf{u}_1, \ldots, \mathbf{u}_k, \ldots, \mathbf{u}_n\}$ is a dataset of input variables captured over the sampling time window $T$.

(iv) $\mathbf{y}_k = \{y_k^1, \ldots, y_k^j, \ldots, y_k^p\}$ is a data record of output variables at the $k$th time instant.

(v) $\mathbf{u}_k = \{u_k^1, \ldots, u_k^i, \ldots, u_k^q\}$ is a data record of input variables at the $k$th time instant.

(vi) $y_k^j$ denotes the value of the $j$th output variable at the $k$th time instant.

(vii) $u_k^i$ denotes the value of the $i$th input variable at the $k$th time instant.

(viii) $J = \{1, 2, \ldots, j, \ldots, p\}$ is a set of output variables of the physical plant.

(ix) $I = \{1, 2, \ldots, i, \ldots, q\}$ is a set of input variables of the physical plant.

From the system model in (8), we have

$$\begin{aligned}
\mathbf{y}_k &= C\mathbf{x}_k + \mathbf{w}_k, \\
\mathbf{y}_{k+1} &= CA\mathbf{x}_k + CB\mathbf{u}_k + \mathbf{w}_{k+1}.
\end{aligned} \tag{10}$$

If $C^T C$ is nonsingular, then we can obtain

$$\mathbf{y}_{k+1} - \mathbf{w}_{k+1} = CA\,(C^T C)^{-1} C^T (\mathbf{y}_k - \mathbf{w}_k) + CB\mathbf{u}_k. \tag{11}$$

In order to reduce the effect of Gaussian noise, a wavelet filter $W(\cdot)$ is applied to the data. The filtered data are given by

$$\tilde{\mathbf{y}}_{k+1} = W(\mathbf{y}_{k+1}), \qquad \tilde{\mathbf{y}}_k = W(\mathbf{y}_k), \tag{12}$$

and the estimated noises are

$$\tilde{\mathbf{w}}_{k+1} = \mathbf{y}_{k+1} - W(\mathbf{y}_{k+1}), \qquad \tilde{\mathbf{w}}_k = \mathbf{y}_k - W(\mathbf{y}_k). \tag{13}$$

Based on (12) and (13), (11) can be rewritten as

$$\tilde{\mathbf{y}}_{k+1} = CA\,(C^T C)^{-1} C^T \tilde{\mathbf{y}}_k + CB\mathbf{u}_k + \mathbf{e}_{k+1}, \tag{14}$$

where

$$\mathbf{e}_{k+1} = CA\,(C^T C)^{-1} C^T (\tilde{\mathbf{w}}_k - \mathbf{w}_k) + \mathbf{w}_{k+1} - \tilde{\mathbf{w}}_{k+1}. \tag{15}$$


Figure 2: Procedure of training the covert agent model. [Flowchart not reproduced: training data choosing and preprocessing (dataset $Y$ passed through the wavelet filter $W(Y)$ to give the filtered output and the noise; dataset $U$); obtaining the sets of LSSVR inputs and outputs; initializing each LSSVR training dataset according to the number $p$ of output variables; setting the type of kernel function and the epsilon in the loss function; getting the best value of the parameter C and gamma in each LSSVR by the method of the $n$-fold cross-validation; and training the models LSSVR_1 to LSSVR_p.]

Assume that the signal noise can be well filtered by $W(\cdot)$ and the error $\mathbf{e}_{k+1}$ can be ignored. Then (14) changes to

$$\tilde{\mathbf{y}}_{k+1} \approx CA\,(C^T C)^{-1} C^T \tilde{\mathbf{y}}_k + CB\mathbf{u}_k = F(\tilde{\mathbf{y}}_k, \mathbf{u}_k). \tag{16}$$

Without the prior knowledge of $A$, $B$, and $C$, we use the LSSVR to obtain an estimate $\hat{F}$ of $F$ from the training data with the input $[\tilde{\mathbf{y}}_k, \mathbf{u}_k]$ and the output $\tilde{\mathbf{y}}_{k+1}$. However, for each $\tilde{y}_{k+1}^j$ in $\tilde{\mathbf{y}}_{k+1}$, we do not have the knowledge of the relatedness between $\tilde{y}_{k+1}^j$ and the other variables. For the relatedness between $\tilde{y}_{k+1}^j$ and $\mathbf{u}_k$, we keep it loose and select all $\mathbf{u}_k$ as the input data. For the relatedness between $\tilde{y}_{k+1}^j$ and $\tilde{\mathbf{y}}_k$, we select $\tilde{y}_k^j$ as the input, for the reason that the sample $\tilde{y}_k^j$ is heavily correlated with the next sample $\tilde{y}_{k+1}^j$ in a physical process. Therefore, the function estimation $\hat{F}$ of $F$ is given by

$$\hat{F} = \{f_1, \ldots, f_j, \ldots, f_p\}, \tag{17}$$

where

$$f_j = \operatorname{LSSVR\_train}\left(\tilde{y}_{k+1}^j, [\tilde{y}_k^j, \mathbf{u}_k]\right). \tag{18}$$

Then the prediction $\hat{\tilde{\mathbf{y}}}_{n+1}$ of $\tilde{\mathbf{y}}_{n+1}$ can be expressed as

$$\hat{\tilde{\mathbf{y}}}_{n+1} = \{\hat{\tilde{y}}_{n+1}^1, \ldots, \hat{\tilde{y}}_{n+1}^j, \ldots, \hat{\tilde{y}}_{n+1}^p\}, \tag{19}$$

where

$$\hat{\tilde{y}}_{n+1}^j = \begin{cases} f_j(\tilde{y}_{t_s}^j, \mathbf{u}_{t_s}), & n = t_s, \\ f_j(\hat{\tilde{y}}_n^j, \mathbf{u}_n), & n > t_s, \end{cases} \tag{20}$$

where $t_s$ is the start time when the physical plant is covered by the covert agent. From (12) and (13), we have the output of the covert agent, which is the estimation $\hat{\mathbf{y}}_{n+1}$ of $\mathbf{y}_{n+1}$, that is,

$$\hat{\mathbf{y}}_{n+1} = \hat{\tilde{\mathbf{y}}}_{n+1} + \tilde{\mathbf{w}}_{n+1}. \tag{21}$$

Figure 3: The continuous stirred tank heater. [Diagram not reproduced.]

Figure 4: Normal data acquired from the closed-loop CSTH system with the standard operating condition. [Plots not reproduced: control signals $u_1$, $u_2$ (mA) and measurements $y_1$, $y_2$, $y_3$ (mA) over time (s).]

Figure 5: Setups of the experiments. (a) The proposed covert agent and (b) the replay attack. [Diagrams not reproduced: PID controller, CSTH plant, and networks, with Observer 1 on $y_1$, $y_2$, $y_3$ and Observer 2 on $u_1$, $u_2$ feeding CUSUM.]

3.2. Procedure of Training the Covert Agent Model. The training of the covert agent model consists of three phases: (1) data recording phase, (2) model training phase, and (3) output predicting phase. In the first phase, the control and sensory data are recorded to generate a training dataset $Y$ and $U$, which will be used to train the covert plant model in the second phase. As shown in Figure 2, the dataset $Y$ is firstly preprocessed to generate the required data for training each LSSVR model. Then, optimal parameters $\gamma$ and $c$ for each LSSVR are obtained through the automated grid search with $n$-fold cross-validation [30] on the training data. Finally, the outputs of this phase are $p$ LSSVR models; that is, there is a LSSVR model for each output variable of the physical plant. In the third phase, as described in the previous subsection, the predictions $\hat{\mathbf{y}}$ are generated based on the LSSVR models, and they are fed back to the controller to cover the real outputs of the physical plant.

4 Experiment Overview

The covert loop is illustrated by a case study of a continuousstirred tank heater (CSTH) pilot plant In this section theCSTH Simulink platform is briefly introduced and theexperiment setup is presented Moreover the assessmentmethod used to evaluate the experimental results is alsopresented

41 The CSTH Simulink Platform The configuration of theCSTH plant is shown in Figure 3 Hot water and cold wateraremixed in a stirred tank heated by steam through a heatingcoil and drained from the tank through a long pipe A moredetailed description of the CSTHmodel can be found in [31]

Our experiment is based on the CSTH Simulink model with closed-loop control, which is provided by Thornhill et al. (http://personal-pages.ps.ic.ac.uk/~nina/CSTHSimulation/index.htm). Under the closed-loop control, the CSTH model runs to a steady state from a nonsteady initial condition. The steady-state valve positions and instrument conditions in this experimental case are shown in Table 1 [31]. The simulation input and output represent electronic signals on 4–20 mA scale. The inputs to the CSTH are control signals of the cold water and steam valves. The outputs are electronic measurements from the temperature, level, and cold water flow.

Based on the CSTH basic Simulink model, Gaussian noises are added to the three outputs of the CSTH. Figure 4 shows the normal control signals and measurements under the closed-loop control. The default simulation time is 1000 s, and the default sampling rate is 3600 samples per hour (s/h). The "nonsteady" initial phase of the CSTH plant lasts for about 150 seconds (s) and is excluded from all the experiments in this paper.

Figure 6: Data from Observer 1 in the covert agent experiment. (a) Covert and normal signals for $y_1$ (level, mA), $y_2$ (cold water flow, mA), and $y_3$ (temperature, mA) against time (s); (b) the corresponding CUSUM control charts (standard errors against time (s)).

4.2. Experiment Setup. The CSTH plant depicted in Figure 3 is simulated in Matlab/Simulink, and its execution starts with the predefined base values. The covert agent is constructed based on the LSSVR method, which is available in the free LS-SVMlab toolbox (http://www.esat.kuleuven.be/sista/lssvmlab/). In addition, the cumulative sum (CUSUM) algorithm is used to evaluate the stealthy time, which will be introduced in the next subsection. The setups of the experiments are illustrated in Figure 5. In order to better assess the stealthiness of the covert agent, we use the replay attack as a comparison and set up two observers to get the experimental data in the simulation. Observer 1 is used to capture the sensor data (i.e., $y_1$, $y_2$, and $y_3$), and Observer 2 is used to capture the output of the controller (i.e., $u_1$ and $u_2$).

Figure 7: Data from Observer 2 in the covert agent experiment. (a) Covert and normal signals for $u_1$ (cold water valve, mA) and $u_2$ (steam valve, mA) against time (s); (b) the corresponding CUSUM control charts (standard errors against time (s)).

Table 1: Standard operating conditions.

| Variables | Operating conditions (mA) | Variable in simulations |
| --- | --- | --- |
| Cold water valve | 12.96 | $u_1$ |
| Cold water flow | 11.89 | $y_2$ |
| Steam valve | 12.57 | $u_2$ |
| Level | 12.00 | $y_1$ |
| Temperature | 10.50 | $y_3$ |

4.3. Assessment Method. In order to evaluate experimental results, the stealthy time $\tau$ is used, and it is defined as

$$
\tau = t_e - t_s, \tag{22}
$$

where $t_s$ is the start time of the covert agent or the replay attack and $t_e$ is the time when an anomaly is detected. A longer stealthy time is favorable to the attackers, as they can have more time to make the physical plant go into an unsafe state while remaining stealthy with respect to the anomaly detectors. In this paper, the anomaly detector is designed based on the CUSUM algorithm, which is one of the most commonly used algorithms for change detection problems [14]. Mathematical details of the CUSUM method can be found in [32].

Figure 8: Data from Observer 1 in the replay attack experiment. Replay and normal signals for $y_1$ (level, mA), $y_2$ (cold water flow, mA), and $y_3$ (temperature, mA) against time (s), each with its CUSUM control chart (standard errors against time (s)).

Figure 9: Data from Observer 2 in the replay attack experiment. Replay and normal signals for $u_1$ (cold water valve, mA) and $u_2$ (steam valve, mA) against time (s), each with its CUSUM control chart (standard errors against time (s)).

5. Experimental Results

In this study, we capture data from the two observers within the time window [201 s, 400 s] in a normal process and use them as the training or replaying data in the experiments. In order to get the statistical results, we run 100 simulations for the covert agent and the replay attack, respectively. In each individual simulation run, the covert agent or the replay attack starts at a random time $t$, where $500\ \mathrm{s} \le t \le 800\ \mathrm{s}$ (time is discrete), and persists for 200 seconds.

To get the corresponding stealthy time, the CUSUM algorithm is applied to the data that are obtained from the two observers in the simulations. The thresholds in CUSUM algorithm are determined based on the normal data in the time window ranging from 200 s to 1000 s, and each threshold is selected under the condition that it will not cause any false alarm on the normal data. In this section, we first introduce a covert agent experiment and a replay attack experiment. Then, we give the statistical results of all the experimental tests.
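The threshold selection described above and the stealthy time of Section 4.3 can be reproduced from the detector's side with the following added example, which is not the paper's code. The two-sided CUSUM form, the `slack` and `margin` values, the function names, and the signals are assumptions constructed for illustration; only the 12.00 mA and 12.96 mA operating points come from Table 1.

```python
import statistics


def cusum(samples, mean, std, slack=0.5):
    """Two-sided CUSUM on standardised samples.

    Yields, after each sample, the larger of the upper and lower sums.
    """
    upper = lower = 0.0
    for x in samples:
        z = (x - mean) / std
        upper = max(0.0, upper + z - slack)  # accumulates upward shifts
        lower = max(0.0, lower - z - slack)  # accumulates downward shifts
        yield max(upper, lower)


def calibrate(normal, slack=0.5, margin=1.25):
    """Fit the detector on attack-free data.

    The threshold is the peak CUSUM value seen on the normal window times a
    safety margin (assumed value), so the normal window raises no alarm.
    """
    mean = statistics.fmean(normal)
    std = statistics.pstdev(normal)
    if std == 0:
        raise ValueError("normal window has no variance")
    peak = max(cusum(normal, mean, std, slack))
    return {"mean": mean, "std": std, "slack": slack,
            "threshold": margin * peak}


def stealthy_time(stream, t_s, det, dt=1.0):
    """Return tau = t_e - t_s in seconds, or None if no alarm is raised.

    The detector runs over the whole stream so that its state at t_s is the
    state a continuously running monitor would have; alarms before t_s are
    not attributed to the tampering.
    """
    stats = cusum(stream, det["mean"], det["std"], det["slack"])
    for t, value in enumerate(stats):
        if t >= t_s and value > det["threshold"]:
            return (t - t_s) * dt
    return None


# --- Constructed signals (not data from the paper) -------------------------
def noise(t):
    """Deterministic stand-in for measurement noise, in mA."""
    return 0.2 if t % 6 < 3 else -0.2


T_S = 120                                    # tampering starts at sample 120
NORMAL_Y1 = [12.00 + noise(t) for t in range(T_S)]   # level sensor
NORMAL_U1 = [12.96 + noise(t) for t in range(T_S)]   # cold water valve

# Observer 1: sensor channel fed with a replay of recorded normal samples.
REPLAYED_Y1 = NORMAL_Y1 + NORMAL_Y1[:60]
# Observer 2: controller output that drifts by 0.02 mA per sample after T_S.
DRIFTING_U1 = NORMAL_U1 + [12.96 + noise(t) - 0.02 * (t - T_S)
                           for t in range(T_S, T_S + 60)]


def evaluate():
    """Stealthy time per monitored channel; None means never detected."""
    channels = {"y1": (NORMAL_Y1, REPLAYED_Y1),
                "u1": (NORMAL_U1, DRIFTING_U1)}
    return {name: stealthy_time(stream, T_S, calibrate(normal))
            for name, (normal, stream) in channels.items()}


if __name__ == "__main__":
    print(evaluate())
```

On this constructed data the replayed sensor channel never crosses its threshold, while the drifting controller output does, which is why monitoring the controller's output as well as the sensor data matters for detection.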

5.1. The Covert Agent and Replay Attack Experiments. In the two experiments, the covert agent and the replay attack are both started at the time $t = 501$ s. Figures 6 and 7 show the results of the covert agent experiment. Figures 6(a) and 7(a) show a comparison of data with and without a covert agent, and Figures 6(b) and 7(b) show the detection of the changes using the CUSUM algorithm. In comparison, Figures 8 and 9 show the results of the replay attack experiment.

From Figures 6 and 8, we can see that the covert agent is able to imitate the behaviors of the three output variables over a finite time window, just like the replay attack does. What is more, the peaks of the CUSUM standard errors in the covert agent experiment are smaller than the ones in the replay attack experiment, which means that the covert agent has better stealthiness and can avoid being detected by the CUSUM with a lower threshold. From Figures 7 and 9, we can see that the covert agent can also keep the control output stealthy, but the replay attack causes anomalies in the controller's output.

Figure 10: Statistical results of the covert agent experiments. (a) Histograms of the stealthy time under CUSUM (number of simulations against stealthy time (s)) for $y_1$, $y_2$, $y_3$ and for $u_1$, $u_2$; (b) the corresponding empirical CDFs (cumulative distribution against stealthy time (s)).

5.2. Statistical Results. Figure 10 shows the statistical results of the 100 simulations on the covert agent. Figure 10(a) provides the number distributions of the stealthy time by histograms, and Figure 10(b) gives the proportion distributions by the empirical cumulative distribution function (CDF). The empirical CDF $F(x)$ is defined as the proportion of the values less than or equal to $x$. As can be seen, the stealthy time is longer than 40 seconds in most of the covert agent simulations. Figure 11 shows the statistical results of the 100 simulations on the replay attack. Although the replayed sensor data can avoid being detected by the CUSUM detector, it is more likely to induce an abnormal behavior in the controller's output. More specifically, for the control variable $u_1$, the stealthy time is no more than 40 seconds in all the replay attack simulations.

6. Conclusions and Future Work

This paper has investigated the design problem of machine learning based stealthy DI attacks on industrial control systems. A LSSVR-based covert agent has been presented to estimate the model of the physical system, by which attackers can carry out a stealthy DI attack without the need of prior model knowledge of the physical system. The experimental results demonstrate that the covert loop can keep the control output and sensor data both stealthy over a finite time window. For future work, the proposed covert agent can be further extended to a two-loop covert structure, in which an attack agent can be added. In addition, it is also interesting to investigate the detecting methods of the LSSVR-based attacks.

Figure 11: Statistical results of the replay attack experiments. Histogram of the stealthy time under CUSUM (number of simulations against stealthy time (s)) and empirical CDF (cumulative distribution against stealthy time (s)) for $u_1$ and $u_2$.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Key Research and Development Program (no. 2016 YFB1001404) and the National Natural Science Foundation of China (Normal Projects no. 61672093 and no. 61432004).

References

[1] C. Zhou, S. Huang, N. Xiong et al., "Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation," IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45, no. 10, pp. 1345–1360, 2015.

[2] T. Cruz, L. Rosa, J. Proenca et al., "A cybersecurity detection framework for supervisory control and data acquisition systems," IEEE Transactions on Industrial Informatics, vol. 12, no. 6, pp. 2236–2246, 2016.

[3] S. McLaughlin, C. Konstantinou, X. Wang et al., "The Cybersecurity Landscape in Industrial Control Systems," Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, 2016.

[4] M. Cheminod, L. Durante, and A. Valenzano, "Review of security issues in industrial networks," IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 277–293, 2013.

[5] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, "False data injection on state estimation in power systems—attacks, impacts, and defense: a survey," IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2017.

[6] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, "Secure control systems: a quantitative risk management approach," IEEE Control Systems Magazine, vol. 35, no. 1, pp. 24–45, 2015.

[7] C. Kwon, W. Liu, and I. Hwang, "Security analysis for Cyber-Physical Systems against stealthy deception attacks," in Proceedings of the 2013 1st American Control Conference, ACC 2013, pp. 3344–3349, USA, June 2013.

[8] Z.-H. Pang, G.-P. Liu, D. Zhou, F. Hou, and D. Sun, "Two-channel false data injection attacks against output tracking control of networked systems," IEEE Transactions on Industrial Electronics, vol. 63, no. 5, pp. 3242–3251, 2016.

[9] A. Teixeira, H. Sandberg, and K. H. Johansson, "Strategic stealthy attacks: The output-to-output l2-gain," in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 2582–2587, Japan, December 2015.

[10] H. Sedghi and E. Jonckheere, "Statistical structure learning to ensure data integrity in smart grid," IEEE Transactions on Smart Grid, vol. 6, no. 4, pp. 1924–1933, 2015.

[11] K. Manandhar, X. Cao, F. Hu, and Y. Liu, "Detection of faults and attacks including false data injection attack in smart grid using Kalman filter," IEEE Transactions on Control of Network Systems, vol. 1, no. 4, pp. 370–379, 2014.

[12] A. Dutta and C. Langbort, "Stealthy output injection attacks on control systems with bounded variables," International Journal of Control, vol. 90, no. 7, pp. 1389–1402, 2017.

[13] R. S. Smith, "Covert misappropriation of networked control systems: presenting a feedback structure," IEEE Control Systems Magazine, vol. 35, no. 1, pp. 82–92, 2015.

[14] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, "Attacks against process control systems: risk assessment, detection, and response," in Proceedings of the 6th International Symposium on Information, Computer and Communications Security (ASIACCS '11), pp. 355–366, Hong Kong, March 2011.


[15] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, "A secure control framework for resource-limited adversaries," Automatica, vol. 51, pp. 135–148, 2015.

[16] D. I. Urbina, J. Giraldo, A. A. Cardenas et al., "Limiting the impact of stealthy attacks on Industrial Control Systems," in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1092–1105, Austria, October 2016.

[17] X. Dai and Z. Gao, "From model, signal to knowledge: A data-driven perspective of fault detection and diagnosis," IEEE Transactions on Industrial Informatics, vol. 9, no. 4, pp. 2226–2238, 2013.

[18] Z. Yu and W. Chin, "Blind false data injection attack using pca approximation method in smart grid," IEEE Transactions on Smart Grid, vol. 6, no. 3, pp. 1219–1226, 2015.

[19] A. Anwar and A. N. Mahmood, "Stealthy and blind false injection attacks on SCADA EMS in the presence of gross errors," in Proceedings of the 2016 IEEE Power and Energy Society General Meeting, PESGM 2016, USA, July 2016.

[20] A. Anwar, A. N. Mahmood, and M. Pickering, "Modeling and performance evaluation of stealthy false data injection attacks on smart grid in the presence of corrupted measurements," Journal of Computer and System Sciences, vol. 83, no. 1, pp. 58–72, 2017.

[21] Y. Yuan and Y. Mo, "Security in cyber-physical systems: Controller design against Known-Plaintext Attack," in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 5814–5819, Japan, December 2015.

[22] J. Kim, L. Tong, and R. J. Thomas, "Subspace methods for data attack on state estimation: a data driven approach," IEEE Transactions on Signal Processing, vol. 63, no. 5, pp. 1102–1114, 2015.

[23] X. Lu, W. Zou, and M. Huang, "A novel spatiotemporal LS-SVM method for complex distributed parameter systems with applications to curing thermal process," IEEE Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1156–1165, 2016.

[24] J. A. K. Suykens and J. Vandewalle, "Least squares support vector machine classifiers," Neural Processing Letters, vol. 9, no. 3, pp. 293–300, 1999.

[25] F. Kaytez, M. C. Taplamacioglu, E. Cam, and F. Hardalac, "Forecasting electricity consumption: a comparison of regression analysis, neural networks and least squares support vector machines," International Journal of Electrical Power & Energy Systems, vol. 67, pp. 431–438, 2015.

[26] H. C. Jung, J. S. Kim, and H. Heo, "Prediction of building energy consumption using an improved real coded genetic algorithm based least squares support vector machine approach," Energy and Buildings, vol. 90, pp. 76–84, 2015.

[27] M. K. Goyal, B. Bharti, J. Quilty, J. Adamowski, and A. Pandey, "Modeling of daily pan evaporation in sub tropical climates using ANN, LS-SVR, fuzzy logic, and ANFIS," Expert Systems with Applications, vol. 41, no. 11, pp. 5267–5276, 2014.

[28] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, "Revealing stealthy attacks in control systems," in Proceedings of the 2012 50th Annual Allerton Conference on Communication, Control, and Computing, Allerton 2012, pp. 1806–1813, USA, October 2012.

[29] G. Wu and J. Sun, "Optimal data integrity attack on actuators in Cyber-Physical Systems," in Proceedings of the 2016 American Control Conference, American Automatic Control Council (AACC) (ACC '16), pp. 1160–1164, USA, July 2016.

[30] C. Staelin, "Parameter selection for support vector machines," Hewlett-Packard Company, 2003, Tech. Rep. HPL-2002-354R1.

[31] N. F. Thornhill, S. C. Patwardhan, and S. L. Shah, "A continuous stirred tank heater simulation model with applications," Journal of Process Control, vol. 18, no. 3-4, pp. 347–360, 2008.

[32] L. Koepcke, G. Ashida, and J. Kretzberg, "Single and multiple change point detection in spike trains: Comparison of different CUSUM methods," Frontiers in Systems Neuroscience, vol. 10, article no. 51, 2016.


Page 3: A Novel Covert Agent for Stealthy Attacks on Industrial ...downloads.hindawi.com/journals/jece/2018/7204939.pdf · Introduction Industrial control systems (ICSs) are widely deployed

Journal of Electrical and Computer Engineering 3

NetworkSubspace estimationbased stealthy attack Network

Stealthy

Controller

Physical plant

Anomaly detector

yp

k

yc

k

ya

k

up

k

uc

k

(a)

NetworkFunction estimationbased covert agent Network

Stealthy Stealthy

Controller

Physical plant

Anomaly detector

yp

k up

k

yc

kuc

k

yp

k

(b)

Attack loop

Attack agentNetwork Network

Covert agent

Covert loop

Stealthy Stealthy

Controller

Physical plant

Anomaly detector

yp

k

yc

k

up

k

uc

k

ua

k

yp

k

(c)

Plant model

Network NetworkCovert controller

Stealthy Stealthy

Controller

Physical plant

Anomaly detector

yp

k

ya

k

up

k

ua

k

yc

kuc

k

(d)

Figure 1 Schematic diagrams for the proposed covert agent and the closely related stealthy attacks (a) The subspace estimation basedunobservable attack (b) the proposed covert agent (c) application of the proposed covert agent and (d) the prior model knowledge basedcovert structure

and thus largely speeds up training The LSSVM for regres-sion is called LSSVR which has been extended and applied toforecasting bymany studies [25ndash27] In this sectionwe brieflyintroduce the LSSVR for function estimation

Given training set 119909119896 119910119896119873119896=1 the regression function ofLSSVR can be defined as follows

119910 (119909) = 119908119879120593 (119909) + 119887 (1)

where 119909 isin R119899 119910 isin R and 120593(sdot) is the mapping fromthe original feature space to the high dimensional featurespace 119908 is the coefficient vector and 119887 is a bias term Theoptimization problem of LSSVR is given as follows

min119908119887119890

119869 (119908 119890) = 12119908119879119908 + 12057412119873sum119894=1

1198902119894subjective to 119910119894 = 119908119879120593 (119909119894) + 119887 + 119890119894

119894 = 1 2 119873(2)

where 120574 is the regularization parameter and 119890119894 is the slackvariable for 119909119894 The Lagrangian is constructed as follows

119871 (119908 119887 119890 120572) = 119869 (119908 119890)minus 119873sum119894=1

120572119894 119908119879120593 (119909119894) + 119887 + 119890119894 minus 119910119894 (3)

4 Journal of Electrical and Computer Engineering

where 120572119894 (119894 = 1 2 119873) are the Lagrange multipliers Theconditions for optimality are

120597119871120597119908 = 0 997888rarr 119908 = 119873sum119894=1

120572119894120593 (119909119894) 120597119871120597119887 = 0 997888rarr 119873sum

119894=1

120572119894 = 0120597119871120597119890119894 = 0 997888rarr 120572119894 = 120574119890119894 119894 = 1 119873120597119871120597120572119894 = 0 997888rarr 119910119894 = 119908119879120593 (119909119894) + 119887 + 119890119894 119894 = 1 119873

(4)

With the solution of

[ 0 1119879V1V Ω + 120574minus1119868] [119887120572] = [0119910] (5)

where 119910 = [1199101 119910119873] 1V = [1 1] and Ω119894119895 =120593(119909119894)119879120593(119909119895) = 119870(119909119894 119909119895) for 119894 119895 = 1 119873 the LSSVRmodelfor function estimation is

119910 (119909) = 119873sum119894=1

120572119894119870(119909119894 119909) + 119887 (6)

The kernel function 119870(119909119894 119909) is any symmetric functionthat satisfies Mercerrsquos condition In this study the radial basisfunction (RBF) is used as the kernel function due to its strongnonlinear modeling abilityThe RBF is formulated as follows

119870(119909119894 119909119895) = exp(minus10038171003817100381710038171003817119909119894 minus 11990911989510038171003817100381710038171003817221205902 ) (7)

Using RBF kernels the LSSVR has only two tuningparameters the regularization parameter (120574) and the kernelfunction parameter (120590) which is lesser than the tuningparameters of standard SVR

3 Covert Agent Based on LSSVR

31 Covert Agent Model Suppose that the physical plant isa linear time-invariant (LTI) process which is modeled in adiscrete-time state-space form [28 29]

x119896+1 = 119860x119896 + 119861u119896y119896 = 119862x119896 + w119896 (8)

where x119896 isin 119877119898 is the state variable u119896 isin 119877119902 is thecontrol input and y119896 isin 119877119901 is the measurement vector Themeasurement noise w119896 isin 119877119901 is independent Gaussian noisevector with zero mean and covariance 119876 gt 0 The systemoperates in closed loop and the control input u119896 is given bythe feedback controller

u119896 = 119870 (y119896) (9)

where119870 is the controller function thatmakes the closed-loopsystem stable

We now consider the case where the attacker can bothcapture and inject the data transmitted via the network (iey and u) The control and sensory data are recorded by theattacker to generate the training dataset which is describedby the following notation

(i) 119879 = 1 2 119896 119899 is a set of sampling instantsover a finite time window

(ii) 119884 = y1 y119896 y119899 is a dataset of output variablescaptured over the sampling time window 119879

(iii) 119880 = u1 u119896 u119899 is a dataset of input variablescaptured over the sampling time window 119879

(iv) y119896 = 1199101119896 119910119895119896 119910119901119896 is a data record of outputvariables at the 119896th time instant

(v) u119896 = 1199061119896 119906119894119896 119906119902119896 is a data record of inputvariables at the 119896th time instant

(vi) 119910119895119896denotes the value of the 119895th output variable at the119896th time instant

(vii) 119906119894119896 denotes the value of the 119894th input variable at the 119896thtime instant

(viii) 119869 = 1 2 119895 119901 is a set of output variables ofthe physical plant

(ix) 119868 = 1 2 119894 119902 is a set of input variables of thephysical plant

From the system model in (8) we have

y119896 = 119862x119896 + w119896y119896+1 = 119862119860x119896 + 119862119861u119896 + w119896+1 (10)

If 119862119879119862 is nonsingular then we can obtain

y119896+1 minus w119896+1 = 119862119860 (119862119879119862)minus1 C119879 (y119896 minus w119896) + 119862119861u119896 (11)

In order to reduce the effect of Gaussian noise a waveletfilter119882(sdot) is applied to the dataThe filtered data are given by

y119896+1 = 119882(y119896+1) y119896 = 119882(y119896) (12)

and the estimated noises are

w119896+1 = y119896+1 minus 119882(y119896+1) w119896 = y119896 minus 119882(y119896) (13)

Based on (12) and (13) (11) can be rewritten as

y119896+1 = 119862119860 (119862119879119862)minus1 119862119879y119896 + 119862119861u119896 + e119896+1 (14)

where

e119896+1 = 119862119860 (119862119879119862)minus1 119862119879 (w119896 minus w119896) + w119896+1 minus w119896+1 (15)

Journal of Electrical and Computer Engineering 5

Dataset Training data choosingand preprocessing

Noise Wavelet filter

W(Y)

Obtain the set of LSSVR outputs

DatasetU

Obtain the set of LSSVR inputs

LSSVR output dataset LSSVR input dataset

According to the number p ofoutput variables initialize each

LSSVR training dataset

TrainingLSSVR models

LSSVR_pLSSVR_1

Set the type of kernel function Set the epsilon in loss function

Get the best value of the

cross-validation

parameter C and gamma in each LSSVR by the method of the n-fold

LSSVR model dataset

Train the model ofeach LSSVR

Y

w

Filtered output Y

y1 yk ynminus1

u1 uk unminus1y2 yk yn

Input y11 y

1nminus1 u1 unminus1

Output y12 y

1n

Input yp1 y

pnminus1 u1 unminus1

Output yp2 y

pn

middot middot middot

Figure 2 Procedure of training the covert agent model

Assume that the signal noise can be well filtered by 119882(sdot)and the error e119896+1 can be ignored Then (14) changes to

y119896+1 asymp 119862119860 (119862119879119862)minus1 119862119879y119896 + 119862119861u119896 = 119865 (y119896 u119896) (16)

Without the prior knowledge of 119860 119861 and 119862 we use theLSSVR to estimate 119865 of 119865 from the training data with the

input [y119896 u119896] and the output y119896+1 However for each 119910119895119896+1

iny119896+1 we donot have the knowledge of the relatedness between119910119895119896+1

and the other variables For the relatedness between 119910119895119896+1

and u119896 we keep it loose and select all u119896 as the input data Forthe relatedness between 119910119895

119896+1and y119896 we select 119910119895119896 as the input

for the reason that the sample 119910119895119896is heavily correlated with the

6 Journal of Electrical and Computer Engineering

FTTC Hot water

FC

Steam

FT

Cold water

Flow

LC

LT

TT

Figure 3 The continuous stirred tank heater

minus5

0

5

10

15

20

25

Con

trol s

igna

ls (m

A)

100 200 300 400 500 600 700 800 900 10000Time (s)

u1

u2

y1

y2

y3

100 200 300 400 500 600 700 800 900 10000Time (s)

4

6

8

10

12

14

16

18

20

Mea

sure

men

ts (m

A)

Figure 4 Normal data acquired from the closed-loop CSTH system with the standard operating condition

Journal of Electrical and Computer Engineering 7

Network Network

Observer 1 Observer 2

PID

CSTH

CUSUM

Covert agent

y1 y2 y3 u1 u2

(a)

Network Network

Observer 1 Observer 2

PID

CSTH

CUSUM

Replay attack

y1 y2 y3 u1 u2

(b)

Figure 5 Setups of the experiments (a) The proposed covert agent and (b) the replay attack

next sample119910119895119896+1

in a physical processTherefore the functionestimation 119865 of 119865 is given by

119865 = 1198911 119891119895 119891119901 (17)

where

119891119895 = LSSVR train (119910119895119896+1

[119910119895119896 u119896]) (18)

Then the prediction y119899+1 of y119899+1 can be expressed as

y119899+1 = 1199101119899+1 119910119895119899+1 119910119901119899+1 (19)

where

119910119895119899+1 = 119891119895 (119910119895119905

119904

u119905119904

) 119899 = 119905119904119891119895 (119910119895119899 u119899) 119899 gt 119905119904 (20)

where 119905119904 is the start time when the physical plant is coveredby the covert agent From (12) and (13) we have the output ofthe covert agent which is the estimation y119899+1 of y119899+1 that is

y119899+1 = y119899+1 + w119899+1 (21)

32 Procedure of Training the Covert Agent Model Thetraining of the covert agent model consists of three phases(1) data recording phase (2) model training phase and (3)output predicting phase In the first phase the control andsensory data are recorded to generate a training dataset119884 and119880 which will be used to train the covert plant model in thesecond phase As shown in Figure 2 the dataset 119884 is firstlypreprocessed to generate the required data for training eachLSSVR model Then optimal parameters 120574 and 119888 for eachLSSVR are obtained through the automated grid search with119899-fold cross-validation [30] on the training data Finally theoutputs of this phase are 119901 LSSVR models that is there is a

LSSVRmodel for each output variable of the physical plant Inthe third phase as described in the previous subsection thepredictions y are generated based on the LSSVR models andthey are fed back to the controller to cover the real outputs ofthe physical plant

4 Experiment Overview

The covert loop is illustrated by a case study of a continuousstirred tank heater (CSTH) pilot plant In this section theCSTH Simulink platform is briefly introduced and theexperiment setup is presented Moreover the assessmentmethod used to evaluate the experimental results is alsopresented

41 The CSTH Simulink Platform The configuration of theCSTH plant is shown in Figure 3 Hot water and cold wateraremixed in a stirred tank heated by steam through a heatingcoil and drained from the tank through a long pipe A moredetailed description of the CSTHmodel can be found in [31]

Our experiment is based on the CSTH Simulink modelwith closed-loop control which is provided byThornhill et al(httppersonal-pagespsicacuksimninaCSTHSimulationindexhtm) Under the closed-loop control the CSTHmodelruns to a steady state from a nonsteady initial conditionThe steady-state valve positions and instrument conditionsin this experimental case are shown in Table 1 [31] Thesimulation input and output represent electronic signals on4ndash20mA scale The inputs to the CSTH are control signals ofthe cold water and steam valves The outputs are electronicmeasurements from the temperature level and cold waterflow

Based on the CSTH basic Simulink model, Gaussian noises are added to the three outputs of the CSTH. Figure 4 shows the normal control signals and measurements under the closed-loop control. The default simulation time is 1000 s, and the default sampling rate is 3600 samples per hour (s/h). The “nonsteady” initial phase of the CSTH plant lasts for about 150 seconds (s) and is excluded from all the experiments in this paper.

Figure 6: Data from Observer 1 in the covert agent experiment. (a) Level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) versus time (s), covert versus normal. (b) CUSUM control charts (standard errors versus time) for the three outputs.

4.2. Experiment Setup. The CSTH plant depicted in Figure 3 is simulated in Matlab/Simulink, and its execution starts with the predefined base values. The covert agent is constructed based on the LSSVR method, which is available in the free LS-SVMlab toolbox (http://www.esat.kuleuven.be/sista/lssvmlab/). In addition, the cumulative sum (CUSUM) algorithm is used to evaluate the stealthy time, which will be introduced in the next subsection. The setups of the experiments are illustrated in Figure 5. In order to better assess the stealthiness of the covert agent, we use the replay attack as a comparison and set up two observers to get the experimental data in the simulation. Observer 1 is used to capture the sensor data (i.e., $y_1$, $y_2$, and $y_3$), and Observer 2 is used to capture the output of the controller (i.e., $u_1$ and $u_2$).

Figure 7: Data from Observer 2 in the covert agent experiment. (a) Cold water valve $u_1$ and steam valve $u_2$ (mA) versus time (s), covert versus normal. (b) CUSUM control charts (standard errors versus time) for the two control signals.

Table 1: Standard operating conditions.

| Variables | Operating conditions (mA) | Variable in simulations |
|---|---|---|
| Cold water valve | 12.96 | $u_1$ |
| Cold water flow | 11.89 | $y_2$ |
| Steam valve | 12.57 | $u_2$ |
| Level | 12.00 | $y_1$ |
| Temperature | 10.50 | $y_3$ |

4.3. Assessment Method. In order to evaluate experimental results, the stealthy time $\tau$ is used, and it is defined as

$$\tau = t_e - t_s, \tag{22}$$

where $t_s$ is the start time of the covert agent or the replay attack and $t_e$ is the time when an anomaly is detected. A longer stealthy time is favorable to the attackers, as they can have more time to make the physical plant go into an unsafe state while remaining stealthy with respect to the anomaly detectors. In this paper, the anomaly detector is designed based on the CUSUM algorithm, which is one of the most commonly used algorithms for change detection problems [14]. Mathematical details of the CUSUM method can be found in [32].

Figure 8: Data from Observer 1 in the replay attack experiment. Level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) versus time (s), replay versus normal, with the corresponding CUSUM control charts (standard errors versus time).

Figure 9: Data from Observer 2 in the replay attack experiment. Cold water valve $u_1$ and steam valve $u_2$ (mA) versus time (s), replay versus normal, with the corresponding CUSUM control charts (standard errors versus time).

5. Experimental Results

In this study, we capture data from the two observers within the time window [201 s, 400 s] in a normal process and use them as the training or replaying data in the experiments. In order to get the statistical results, we run 100 simulations for the covert agent and the replay attack, respectively. In each individual simulation run, the covert agent or the replay attack starts at a random time $t$, where 500 s ⩽ $t$ ⩽ 800 s (time is discrete), and persists for 200 seconds.

To get the corresponding stealthy time, the CUSUM algorithm is applied to the data that are obtained from the two observers in the simulations. The thresholds in the CUSUM algorithm are determined based on the normal data in the time window ranging from 200 s to 1000 s, and each threshold is selected under the condition that it will not cause any false alarm on the normal data. In this section, we first introduce a covert agent experiment and a replay attack experiment. Then, we give the statistical results of all the experimental tests.
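The threshold rule and the stealthy time of (22) can be made concrete with a small detector. The following is an added Python example, not code from the paper or its Matlab setup: a two-sided tabular CUSUM is calibrated on normal data so that it raises no alarm there, then run over a constructed drifting signal. The allowance of 0.5 standard deviations, the constructed 1 sample/s level signal, and all function names are assumptions.

```python
import random
import statistics

SLACK = 0.5  # assumed CUSUM allowance k, in standard deviations (not given in the paper)


def cusum_chart(samples, mean, std, slack=SLACK):
    """Two-sided tabular CUSUM of the standardized samples.

    Returns max(S+, S-) for every sample, i.e. the chart value in standard errors.
    """
    upper = lower = 0.0
    chart = []
    for x in samples:
        z = (x - mean) / std
        upper = max(0.0, upper + z - slack)   # accumulates upward shifts
        lower = max(0.0, lower - z - slack)   # accumulates downward shifts
        chart.append(max(upper, lower))
    return chart


def calibrate(normal):
    """Pick the threshold as the largest chart value seen on normal data,
    so that the detector raises no false alarm on that data."""
    mean = statistics.fmean(normal)
    std = statistics.pstdev(normal)
    threshold = max(cusum_chart(normal, mean, std))
    return mean, std, threshold


def first_alarm(samples, detector, start=0):
    """Index of the first sample at or after `start` whose chart value
    exceeds the threshold, or None if the trace never alarms."""
    mean, std, threshold = detector
    chart = cusum_chart(samples, mean, std)   # the chart always runs from sample 0
    for t in range(start, len(chart)):
        if chart[t] > threshold:
            return t
    return None


def stealthy_time(samples, t_s, detector):
    """tau = t_e - t_s as in (22); None when nothing is detected in the trace."""
    t_e = first_alarm(samples, detector, start=t_s)
    return None if t_e is None else t_e - t_s


# Constructed data: a level-like signal around 12 mA with Gaussian noise,
# one sample per second, standing in for the normal window 200 s to 1000 s.
_rng = random.Random(2018)
NORMAL = [12.0 + _rng.gauss(0.0, 0.16) for _ in range(800)]
DETECTOR = calibrate(NORMAL)

# Constructed anomaly: from T_S on, the signal drifts by 0.01 mA per sample
# for a 200-sample window; before T_S it is identical to the normal trace.
T_S, WINDOW = 300, 200
DRIFT = NORMAL[:T_S] + [NORMAL[t] + 0.01 * (t - T_S)
                        for t in range(T_S, T_S + WINDOW)]

if __name__ == "__main__":
    print("threshold (standard errors):", round(DETECTOR[2], 3))
    print("stealthy time on normal data:", stealthy_time(NORMAL, T_S, DETECTOR))
    print("stealthy time on drifting data:", stealthy_time(DRIFT, T_S, DETECTOR))
```

A threshold chosen this way is the tightest one with zero false alarms on the calibration window; a run that stays under it for the whole window has no $t_e$, which the function reports as `None` rather than as a number.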

5.1. The Covert Agent and Replay Attack Experiments. In the two experiments, the covert agent and the replay attack are both started at the time $t$ = 501 s. Figures 6 and 7 show the results of the covert agent experiment. Figures 6(a) and 7(a) show a comparison of data with and without a covert agent, and Figures 6(b) and 7(b) show the detection of the changes using the CUSUM algorithm. In comparison, Figures 8 and 9 show the results of the replay attack experiment.

From Figures 6 and 8, we can see that the covert agent is able to imitate the behaviors of the three output variables over a finite time window, just like the replay attack does. What is more, the peaks of the CUSUM standard errors in the covert agent experiment are smaller than the ones in the replay attack experiment, which means that the covert agent has better stealthiness and can avoid being detected by the CUSUM with a lower threshold. From Figures 7 and 9, we can see that the covert agent can also keep the control output stealthy, but the replay attack causes anomalies in the controller’s output.

Figure 10: Statistical results of the covert agent experiments. (a) Histograms of the stealthy time under the CUSUM detector (number of simulations versus stealthy time (s)) for $y_1$, $y_2$, $y_3$ and for $u_1$, $u_2$. (b) Empirical CDFs of the stealthy time (cumulative distribution versus stealthy time (s)) for the same variables.

5.2. Statistical Results. Figure 10 shows the statistical results of the 100 simulations on the covert agent. Figure 10(a) provides the number distributions of the stealthy time by histograms, and Figure 10(b) gives the proportion distributions by the empirical cumulative distribution function (CDF). The empirical CDF $F(x)$ is defined as the proportion of the values less than or equal to $x$. As can be seen, the stealthy time is longer than 40 seconds in most of the covert agent simulations. Figure 11 shows the statistical results of the 100 simulations on the replay attack. Although the replayed sensor data can avoid being detected by the CUSUM detector, it is more likely to induce an abnormal behavior in the controller’s output. More specifically, for the control variable $u_1$, the stealthy time is no more than 40 seconds in all the replay attack simulations.

Figure 11: Statistical results of the replay attack experiments. Histogram of the stealthy time under the CUSUM detector (number of simulations versus stealthy time (s)) and empirical CDF (cumulative distribution versus stealthy time (s)) for $u_1$ and $u_2$.

6. Conclusions and Future Work

This paper has investigated the design problem of machine learning based stealthy DI attacks on industrial control systems. An LSSVR-based covert agent has been presented to estimate the model of the physical system, by which attackers can carry out a stealthy DI attack without the need of prior model knowledge of the physical system. The experimental results demonstrate that the covert loop can keep the control output and sensor data both stealthy over a finite time window. For future work, the proposed covert agent can be further extended to a two-loop covert structure, in which an attack agent can be added. In addition, it is also interesting to investigate the detecting methods of the LSSVR-based attacks.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Key Research and Development Program (no. 2016 YFB1001404) and the National Natural Science Foundation of China (Normal Projects no. 61672093 and no. 61432004).

References

[1] C. Zhou, S. Huang, N. Xiong et al., “Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45, no. 10, pp. 1345–1360, 2015.

[2] T. Cruz, L. Rosa, J. Proenca et al., “A cybersecurity detection framework for supervisory control and data acquisition systems,” IEEE Transactions on Industrial Informatics, vol. 12, no. 6, pp. 2236–2246, 2016.

[3] S. McLaughlin, C. Konstantinou, X. Wang et al., “The Cybersecurity Landscape in Industrial Control Systems,” Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, 2016.

[4] M. Cheminod, L. Durante, and A. Valenzano, “Review of security issues in industrial networks,” IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 277–293, 2013.

[5] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, “False data injection on state estimation in power systems—attacks, impacts, and defense: a survey,” IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2017.

[6] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, “Secure control systems: a quantitative risk management approach,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 24–45, 2015.

[7] C. Kwon, W. Liu, and I. Hwang, “Security analysis for Cyber-Physical Systems against stealthy deception attacks,” in Proceedings of the 2013 1st American Control Conference, ACC 2013, pp. 3344–3349, USA, June 2013.

[8] Z.-H. Pang, G.-P. Liu, D. Zhou, F. Hou, and D. Sun, “Two-channel false data injection attacks against output tracking control of networked systems,” IEEE Transactions on Industrial Electronics, vol. 63, no. 5, pp. 3242–3251, 2016.

[9] A. Teixeira, H. Sandberg, and K. H. Johansson, “Strategic stealthy attacks: The output-to-output l2-gain,” in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 2582–2587, Japan, December 2015.

[10] H. Sedghi and E. Jonckheere, “Statistical structure learning to ensure data integrity in smart grid,” IEEE Transactions on Smart Grid, vol. 6, no. 4, pp. 1924–1933, 2015.

[11] K. Manandhar, X. Cao, F. Hu, and Y. Liu, “Detection of faults and attacks including false data injection attack in smart grid using Kalman filter,” IEEE Transactions on Control of Network Systems, vol. 1, no. 4, pp. 370–379, 2014.

[12] A. Dutta and C. Langbort, “Stealthy output injection attacks on control systems with bounded variables,” International Journal of Control, vol. 90, no. 7, pp. 1389–1402, 2017.

[13] R. S. Smith, “Covert misappropriation of networked control systems: presenting a feedback structure,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 82–92, 2015.

[14] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, “Attacks against process control systems: risk assessment, detection, and response,” in Proceedings of the 6th International Symposium on Information, Computer and Communications Security (ASIACCS ’11), pp. 355–366, Hong Kong, March 2011.

[15] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “A secure control framework for resource-limited adversaries,” Automatica, vol. 51, pp. 135–148, 2015.

[16] D. I. Urbina, J. Giraldo, A. A. Cardenas et al., “Limiting the impact of stealthy attacks on Industrial Control Systems,” in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1092–1105, Austria, October 2016.

[17] X. Dai and Z. Gao, “From model, signal to knowledge: A data-driven perspective of fault detection and diagnosis,” IEEE Transactions on Industrial Informatics, vol. 9, no. 4, pp. 2226–2238, 2013.

[18] Z. Yu and W. Chin, “Blind false data injection attack using pca approximation method in smart grid,” IEEE Transactions on Smart Grid, vol. 6, no. 3, pp. 1219–1226, 2015.

[19] A. Anwar and A. N. Mahmood, “Stealthy and blind false injection attacks on SCADA EMS in the presence of gross errors,” in Proceedings of the 2016 IEEE Power and Energy Society General Meeting, PESGM 2016, USA, July 2016.

[20] A. Anwar, A. N. Mahmood, and M. Pickering, “Modeling and performance evaluation of stealthy false data injection attacks on smart grid in the presence of corrupted measurements,” Journal of Computer and System Sciences, vol. 83, no. 1, pp. 58–72, 2017.

[21] Y. Yuan and Y. Mo, “Security in cyber-physical systems: Controller design against Known-Plaintext Attack,” in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 5814–5819, Japan, December 2015.

[22] J. Kim, L. Tong, and R. J. Thomas, “Subspace methods for data attack on state estimation: a data driven approach,” IEEE Transactions on Signal Processing, vol. 63, no. 5, pp. 1102–1114, 2015.

[23] X. Lu, W. Zou, and M. Huang, “A novel spatiotemporal LS-SVM method for complex distributed parameter systems with applications to curing thermal process,” IEEE Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1156–1165, 2016.

[24] J. A. K. Suykens and J. Vandewalle, “Least squares support vector machine classifiers,” Neural Processing Letters, vol. 9, no. 3, pp. 293–300, 1999.

[25] F. Kaytez, M. C. Taplamacioglu, E. Cam, and F. Hardalac, “Forecasting electricity consumption: a comparison of regression analysis, neural networks and least squares support vector machines,” International Journal of Electrical Power & Energy Systems, vol. 67, pp. 431–438, 2015.

[26] H. C. Jung, J. S. Kim, and H. Heo, “Prediction of building energy consumption using an improved real coded genetic algorithm based least squares support vector machine approach,” Energy and Buildings, vol. 90, pp. 76–84, 2015.

[27] M. K. Goyal, B. Bharti, J. Quilty, J. Adamowski, and A. Pandey, “Modeling of daily pan evaporation in sub tropical climates using ANN, LS-SVR, fuzzy logic, and ANFIS,” Expert Systems with Applications, vol. 41, no. 11, pp. 5267–5276, 2014.

[28] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “Revealing stealthy attacks in control systems,” in Proceedings of the 2012 50th Annual Allerton Conference on Communication, Control, and Computing, Allerton 2012, pp. 1806–1813, USA, October 2012.

[29] G. Wu and J. Sun, “Optimal data integrity attack on actuators in Cyber-Physical Systems,” in Proceedings of the 2016 American Control Conference, American Automatic Control Council (AACC) (ACC ’16), pp. 1160–1164, USA, July 2016.

[30] C. Staelin, “Parameter selection for support vector machines,” Hewlett-Packard Company, 2003, Tech. Rep. HPL-2002-354R1.

[31] N. F. Thornhill, S. C. Patwardhan, and S. L. Shah, “A continuous stirred tank heater simulation model with applications,” Journal of Process Control, vol. 18, no. 3-4, pp. 347–360, 2008.

[32] L. Koepcke, G. Ashida, and J. Kretzberg, “Single and multiple change point detection in spike trains: Comparison of different CUSUM methods,” Frontiers in Systems Neuroscience, vol. 10, article no. 51, 2016.


Page 4: A Novel Covert Agent for Stealthy Attacks on Industrial ...downloads.hindawi.com/journals/jece/2018/7204939.pdf · Introduction Industrial control systems (ICSs) are widely deployed

where $\alpha_i$ ($i = 1, 2, \ldots, N$) are the Lagrange multipliers. The conditions for optimality are

$$
\begin{aligned}
\frac{\partial L}{\partial w} = 0 &\longrightarrow w = \sum_{i=1}^{N} \alpha_i \varphi(x_i), \\
\frac{\partial L}{\partial b} = 0 &\longrightarrow \sum_{i=1}^{N} \alpha_i = 0, \\
\frac{\partial L}{\partial e_i} = 0 &\longrightarrow \alpha_i = \gamma e_i, \quad i = 1, \ldots, N, \\
\frac{\partial L}{\partial \alpha_i} = 0 &\longrightarrow y_i = w^{T} \varphi(x_i) + b + e_i, \quad i = 1, \ldots, N.
\end{aligned}
\tag{4}
$$

With the solution of

$$
\begin{bmatrix} 0 & 1_v^{T} \\ 1_v & \Omega + \gamma^{-1} I \end{bmatrix}
\begin{bmatrix} b \\ \alpha \end{bmatrix}
=
\begin{bmatrix} 0 \\ y \end{bmatrix},
\tag{5}
$$

where $y = [y_1, \ldots, y_N]$, $1_v = [1, \ldots, 1]$, and $\Omega_{ij} = \varphi(x_i)^{T} \varphi(x_j) = K(x_i, x_j)$ for $i, j = 1, \ldots, N$, the LSSVR model for function estimation is

$$
y(x) = \sum_{i=1}^{N} \alpha_i K(x_i, x) + b.
\tag{6}
$$

The kernel function $K(x_i, x)$ is any symmetric function that satisfies Mercer’s condition. In this study, the radial basis function (RBF) is used as the kernel function due to its strong nonlinear modeling ability. The RBF is formulated as follows:

$$
K(x_i, x_j) = \exp\left(-\frac{\left\| x_i - x_j \right\|^{2}}{2\sigma^{2}}\right).
\tag{7}
$$

Using RBF kernels, the LSSVR has only two tuning parameters, the regularization parameter ($\gamma$) and the kernel function parameter ($\sigma$), which is fewer than the tuning parameters of the standard SVR.
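The linear system (5) and the estimator (6) can be solved directly. The following added Python example (not code from the paper or from the LS-SVMlab toolbox) fits a constructed one-dimensional signal and checks two of the optimality conditions in (4) on the result. The function names, the values of $\gamma$ and $\sigma$, and the $2\sigma^2$ denominator used for the RBF kernel are assumptions.

```python
import math


def rbf(a, b, sigma):
    """RBF kernel of (7), taken here as exp(-||a - b||^2 / (2 sigma^2))."""
    d2 = sum((p - q) ** 2 for p, q in zip(a, b))
    return math.exp(-d2 / (2.0 * sigma ** 2))


def solve(matrix, rhs):
    """Solve matrix * x = rhs by Gaussian elimination with partial pivoting.

    Pivoting is required: the top-left entry of the system in (5) is zero.
    """
    n = len(rhs)
    aug = [row[:] + [r] for row, r in zip(matrix, rhs)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, n):
            factor = aug[r][col] / aug[col][col]
            for k in range(col, n + 1):
                aug[r][k] -= factor * aug[col][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        tail = sum(aug[r][k] * x[k] for k in range(r + 1, n))
        x[r] = (aug[r][n] - tail) / aug[r][r]
    return x


def lssvr_train(xs, ys, gamma, sigma):
    """Build and solve the (N+1) x (N+1) system of (5); returns (b, alpha)."""
    n = len(xs)
    system = [[0.0] + [1.0] * n]                      # row [0, 1_v^T]
    for i in range(n):
        row = [1.0] + [rbf(xs[i], xs[j], sigma) for j in range(n)]
        row[i + 1] += 1.0 / gamma                     # Omega + I / gamma
        system.append(row)
    solution = solve(system, [0.0] + list(ys))
    return solution[0], solution[1:]


def lssvr_predict(x, xs, alpha, b, sigma):
    """Estimator of (6): sum_i alpha_i K(x_i, x) + b."""
    return sum(a * rbf(xi, x, sigma) for a, xi in zip(alpha, xs)) + b


# Constructed training data: 30 noise-free samples of sin(x) on [0, 2*pi].
GAMMA, SIGMA = 100.0, 1.0
XS = [[2.0 * math.pi * i / 29] for i in range(30)]
YS = [math.sin(x[0]) for x in XS]
B, ALPHA = lssvr_train(XS, YS, GAMMA, SIGMA)


def training_errors():
    """e_i = y_i - y(x_i); by (4) each one must equal alpha_i / gamma."""
    return [y - lssvr_predict(x, XS, ALPHA, B, SIGMA) for x, y in zip(XS, YS)]


if __name__ == "__main__":
    print("b =", B, " sum(alpha) =", sum(ALPHA))
    print("prediction at x = 1.0:", lssvr_predict([1.0], XS, ALPHA, B, SIGMA))
    print("sin(1.0)             :", math.sin(1.0))
```

The size of the system grows with the number of training samples $N$, so the direct solve shown here is practical only for short training windows.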

3. Covert Agent Based on LSSVR

3.1. Covert Agent Model. Suppose that the physical plant is a linear time-invariant (LTI) process, which is modeled in a discrete-time state-space form [28, 29]:

$$
\begin{aligned}
\mathbf{x}_{k+1} &= A\mathbf{x}_k + B\mathbf{u}_k, \\
\mathbf{y}_k &= C\mathbf{x}_k + \mathbf{w}_k,
\end{aligned}
\tag{8}
$$

where $\mathbf{x}_k \in R^m$ is the state variable, $\mathbf{u}_k \in R^q$ is the control input, and $\mathbf{y}_k \in R^p$ is the measurement vector. The measurement noise $\mathbf{w}_k \in R^p$ is an independent Gaussian noise vector with zero mean and covariance $Q > 0$. The system operates in closed loop, and the control input $\mathbf{u}_k$ is given by the feedback controller

$$
\mathbf{u}_k = K(\mathbf{y}_k),
\tag{9}
$$

where $K$ is the controller function that makes the closed-loop system stable.

We now consider the case where the attacker can both capture and inject the data transmitted via the network (i.e., $\mathbf{y}$ and $\mathbf{u}$). The control and sensory data are recorded by the attacker to generate the training dataset, which is described by the following notation:

(i) $T = \{1, 2, \ldots, k, \ldots, n\}$ is a set of sampling instants over a finite time window.

(ii) $Y = \{\mathbf{y}_1, \ldots, \mathbf{y}_k, \ldots, \mathbf{y}_n\}$ is a dataset of output variables captured over the sampling time window $T$.

(iii) $U = \{\mathbf{u}_1, \ldots, \mathbf{u}_k, \ldots, \mathbf{u}_n\}$ is a dataset of input variables captured over the sampling time window $T$.

(iv) $\mathbf{y}_k = \{y_k^1, \ldots, y_k^j, \ldots, y_k^p\}$ is a data record of output variables at the $k$th time instant.

(v) $\mathbf{u}_k = \{u_k^1, \ldots, u_k^i, \ldots, u_k^q\}$ is a data record of input variables at the $k$th time instant.

(vi) $y_k^j$ denotes the value of the $j$th output variable at the $k$th time instant.

(vii) $u_k^i$ denotes the value of the $i$th input variable at the $k$th time instant.

(viii) $J = \{1, 2, \ldots, j, \ldots, p\}$ is a set of output variables of the physical plant.

(ix) $I = \{1, 2, \ldots, i, \ldots, q\}$ is a set of input variables of the physical plant.

From the system model in (8), we have

$$
\begin{aligned}
\mathbf{y}_k &= C\mathbf{x}_k + \mathbf{w}_k, \\
\mathbf{y}_{k+1} &= CA\mathbf{x}_k + CB\mathbf{u}_k + \mathbf{w}_{k+1}.
\end{aligned}
\tag{10}
$$

If $C^{T}C$ is nonsingular, then we can obtain

$$
\mathbf{y}_{k+1} - \mathbf{w}_{k+1} = CA\left(C^{T}C\right)^{-1} C^{T} \left(\mathbf{y}_k - \mathbf{w}_k\right) + CB\mathbf{u}_k.
\tag{11}
$$

In order to reduce the effect of Gaussian noise, a wavelet filter $W(\cdot)$ is applied to the data. The filtered data are given by

$$
\bar{\mathbf{y}}_{k+1} = W(\mathbf{y}_{k+1}), \qquad \bar{\mathbf{y}}_k = W(\mathbf{y}_k),
\tag{12}
$$

and the estimated noises are

$$
\hat{\mathbf{w}}_{k+1} = \mathbf{y}_{k+1} - W(\mathbf{y}_{k+1}), \qquad \hat{\mathbf{w}}_k = \mathbf{y}_k - W(\mathbf{y}_k).
\tag{13}
$$

Based on (12) and (13), (11) can be rewritten as

$$
\bar{\mathbf{y}}_{k+1} = CA\left(C^{T}C\right)^{-1} C^{T} \bar{\mathbf{y}}_k + CB\mathbf{u}_k + \mathbf{e}_{k+1},
\tag{14}
$$

where

$$
\mathbf{e}_{k+1} = CA\left(C^{T}C\right)^{-1} C^{T} \left(\hat{\mathbf{w}}_k - \mathbf{w}_k\right) + \mathbf{w}_{k+1} - \hat{\mathbf{w}}_{k+1}.
\tag{15}
$$

Figure 2: Procedure of training the covert agent model (flowchart: wavelet filtering of the dataset $Y$, construction of the LSSVR input and output datasets from the filtered outputs and the dataset $U$, and training of the $p$ LSSVR models with $n$-fold cross-validation).

Assume that the signal noise can be well filtered by $W(\cdot)$ and the error $\mathbf{e}_{k+1}$ can be ignored. Then (14) changes to

$$
\bar{\mathbf{y}}_{k+1} \approx CA\left(C^{T}C\right)^{-1} C^{T} \bar{\mathbf{y}}_k + CB\mathbf{u}_k = F(\bar{\mathbf{y}}_k, \mathbf{u}_k).
\tag{16}
$$

Without the prior knowledge of $A$, $B$, and $C$, we use the LSSVR to estimate $\hat{F}$ of $F$ from the training data with the input $[\bar{\mathbf{y}}_k, \mathbf{u}_k]$ and the output $\bar{\mathbf{y}}_{k+1}$. However, for each $\bar{y}_{k+1}^{j}$ in $\bar{\mathbf{y}}_{k+1}$, we do not have the knowledge of the relatedness between $\bar{y}_{k+1}^{j}$ and the other variables. For the relatedness between $\bar{y}_{k+1}^{j}$ and $\mathbf{u}_k$, we keep it loose and select all $\mathbf{u}_k$ as the input data. For the relatedness between $\bar{y}_{k+1}^{j}$ and $\bar{\mathbf{y}}_k$, we select $\bar{y}_k^{j}$ as the input, for the reason that the sample $\bar{y}_k^{j}$ is heavily correlated with the next sample $\bar{y}_{k+1}^{j}$ in a physical process. Therefore, the function estimation $\hat{F}$ of $F$ is given by

$$
\hat{F} = \{\hat{f}_1, \ldots, \hat{f}_j, \ldots, \hat{f}_p\},
\tag{17}
$$

where

$$
\hat{f}_j = \mathrm{LSSVR\_train}\left(\bar{y}_{k+1}^{j}, \left[\bar{y}_k^{j}, \mathbf{u}_k\right]\right).
\tag{18}
$$

Then the prediction $\hat{\mathbf{y}}_{n+1}$ of $\mathbf{y}_{n+1}$ can be expressed as

$$
\hat{\mathbf{y}}_{n+1} = \{\hat{y}_{n+1}^{1}, \ldots, \hat{y}_{n+1}^{j}, \ldots, \hat{y}_{n+1}^{p}\},
\tag{19}
$$

where

$$
\hat{y}_{n+1}^{j} =
\begin{cases}
\hat{f}_j\left(\bar{y}_{t_s}^{j}, \mathbf{u}_{t_s}\right), & n = t_s, \\
\hat{f}_j\left(\hat{y}_{n}^{j}, \mathbf{u}_{n}\right), & n > t_s,
\end{cases}
\tag{20}
$$

where $t_s$ is the start time when the physical plant is covered by the covert agent. From (12) and (13), we have the output of the covert agent, which is the estimation $\tilde{\mathbf{y}}_{n+1}$ of $\mathbf{y}_{n+1}$, that is,

$$
\tilde{\mathbf{y}}_{n+1} = \hat{\mathbf{y}}_{n+1} + \hat{\mathbf{w}}_{n+1}.
\tag{21}
$$

Figure 3: The continuous stirred tank heater.

Figure 4: Normal data acquired from the closed-loop CSTH system with the standard operating condition (control signals $u_1$, $u_2$ and measurements $y_1$, $y_2$, $y_3$, in mA, versus time in s).

Figure 5: Setups of the experiments. (a) The proposed covert agent and (b) the replay attack.

3.2. Procedure of Training the Covert Agent Model. The training of the covert agent model consists of three phases: (1) data recording phase, (2) model training phase, and (3) output predicting phase. In the first phase, the control and sensory data are recorded to generate a training dataset, $Y$ and $U$, which will be used to train the covert plant model in the second phase. As shown in Figure 2, the dataset $Y$ is first preprocessed to generate the required data for training each LSSVR model. Then, optimal parameters $\gamma$ and $c$ for each LSSVR are obtained through the automated grid search with $n$-fold cross-validation [30] on the training data. Finally, the outputs of this phase are $p$ LSSVR models; that is, there is an LSSVR model for each output variable of the physical plant. In the third phase, as described in the previous subsection, the predictions $\hat{\mathbf{y}}$ are generated based on the LSSVR models, and they are fed back to the controller to cover the real outputs of the physical plant.

4. Experiment Overview

The covert loop is illustrated by a case study of a continuous stirred tank heater (CSTH) pilot plant. In this section, the CSTH Simulink platform is briefly introduced and the experiment setup is presented. Moreover, the assessment method used to evaluate the experimental results is also presented.

4.1. The CSTH Simulink Platform. The configuration of the CSTH plant is shown in Figure 3. Hot water and cold water are mixed in a stirred tank, heated by steam through a heating coil, and drained from the tank through a long pipe. A more detailed description of the CSTH model can be found in [31].

Our experiment is based on the CSTH Simulink model with closed-loop control, which is provided by Thornhill et al. (http://personal-pages.ps.ic.ac.uk/~nina/CSTHSimulation/index.htm). Under the closed-loop control, the CSTH model runs to a steady state from a nonsteady initial condition. The steady-state valve positions and instrument conditions in this experimental case are shown in Table 1 [31]. The simulation input and output represent electronic signals on 4–20 mA scale. The inputs to the CSTH are control signals of the cold water and steam valves. The outputs are electronic measurements from the temperature, level, and cold water flow.

Based on the CSTH basic Simulink model, Gaussian noises are added to the three outputs of the CSTH. Figure 4 shows the normal control signals and measurements under the closed-loop control. The default simulation time is 1000 s, and the default sampling rate is 3600 samples per hour (s/h). The “nonsteady” initial phase of the CSTH plant lasts for about 150 seconds (s) and is excluded from all the experiments in this paper.

Figure 6: Data from Observer 1 in the covert agent experiment. (a) Level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) versus time (s), covert versus normal. (b) CUSUM control charts (standard errors versus time) for the three outputs.

4.2. Experiment Setup. The CSTH plant depicted in Figure 3 is simulated in Matlab/Simulink, and its execution starts with the predefined base values. The covert agent is constructed based on the LSSVR method, which is available in the free LS-SVMlab toolbox (http://www.esat.kuleuven.be/sista/lssvmlab/). In addition, the cumulative sum (CUSUM) algorithm is used to evaluate the stealthy time, which will be introduced in the next subsection. The setups of the experiments are illustrated in Figure 5. In order to better assess the stealthiness of the covert agent, we use the replay attack as a comparison and set up two observers to get the experimental data in the simulation. Observer 1 is used to capture the sensor data (i.e., $y_1$, $y_2$, and $y_3$), and Observer 2 is used to capture the output of the controller (i.e., $u_1$ and $u_2$).

Figure 7: Data from Observer 2 in the covert agent experiment. (a) Cold water valve $u_1$ and steam valve $u_2$ (mA) versus time (s), covert versus normal. (b) CUSUM control charts (standard errors versus time) for the two control signals.

Table 1: Standard operating conditions.

| Variables | Operating conditions (mA) | Variable in simulations |
|---|---|---|
| Cold water valve | 12.96 | $u_1$ |
| Cold water flow | 11.89 | $y_2$ |
| Steam valve | 12.57 | $u_2$ |
| Level | 12.00 | $y_1$ |
| Temperature | 10.50 | $y_3$ |

4.3. Assessment Method. In order to evaluate experimental results, the stealthy time $\tau$ is used, and it is defined as

$$\tau = t_e - t_s, \tag{22}$$

where $t_s$ is the start time of the covert agent or the replay attack and $t_e$ is the time when an anomaly is detected. A longer stealthy time is favorable to the attackers, as they can have more time to make the physical plant go into an unsafe state while remaining stealthy with respect to the anomaly detectors. In this paper, the anomaly detector is designed based on the CUSUM algorithm, which is one of the most commonly used algorithms for change detection problems [14]. Mathematical details of the CUSUM method can be found in [32].

Figure 8: Data from Observer 1 in the replay attack experiment. Panels: level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) versus time (s), replay and normal traces, each with a CUSUM control chart (standard errors versus time (s)).

Figure 9: Data from Observer 2 in the replay attack experiment. Panels: cold water valve $u_1$ and steam valve $u_2$ (mA) versus time (s), replay and normal traces, each with a CUSUM control chart (standard errors versus time (s)).

5. Experimental Results

In this study, we capture data from the two observers within the time window [201 s, 400 s] in a normal process and use them as the training or replaying data in the experiments. In order to get the statistical results, we run 100 simulations for the covert agent and the replay attack, respectively. In each individual simulation run, the covert agent or the replay attack starts at a random time $t$, where 500 s ⩽ $t$ ⩽ 800 s (time is discrete), and persists for 200 seconds.

To get the corresponding stealthy time, the CUSUM algorithm is applied to the data that are obtained from the two observers in the simulations. The thresholds in the CUSUM algorithm are determined based on the normal data in the time window ranging from 200 s to 1000 s, and each threshold is selected under the condition that it will not cause any false alarm on the normal data. In this section, we first introduce a covert agent experiment and a replay attack experiment. Then we give the statistical results of all the experimental tests.
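The detector calibration and the stealthy time of Eq. (22) can be illustrated with a short Python sketch; this is an added example, not code from the paper, whose own CUSUM variant is the one described in [32]. The two-sided tabular CUSUM form, the slack `k`, the 5% threshold margin, the noise level and the drift anomaly are all assumptions constructed for illustration.

```python
import math
import random


def cusum_stats(samples, mean, sigma, k=0.5):
    """Two-sided tabular CUSUM on standardized samples.

    Returns one (upper, lower) statistic pair per sample; k is the slack
    in units of sigma (assumed value, not taken from the paper).
    """
    upper = lower = 0.0
    stats = []
    for x in samples:
        z = (x - mean) / sigma
        upper = max(0.0, upper + z - k)
        lower = max(0.0, lower - z - k)
        stats.append((upper, lower))
    return stats


def calibrate(normal, k=0.5, margin=1.05):
    """Fit mean and sigma on attack-free data, then set the threshold h just
    above the largest statistic seen there, so that the normal data raise no
    false alarm (the selection condition described in Section 5)."""
    mean = sum(normal) / len(normal)
    sigma = math.sqrt(sum((x - mean) ** 2 for x in normal) / (len(normal) - 1))
    peak = max(max(pair) for pair in cusum_stats(normal, mean, sigma, k))
    return {"mean": mean, "sigma": sigma, "k": k, "h": margin * peak}


def first_alarm(samples, det):
    """Index of the first sample whose statistic exceeds h, or None."""
    stats = cusum_stats(samples, det["mean"], det["sigma"], det["k"])
    for i, (upper, lower) in enumerate(stats):
        if upper > det["h"] or lower > det["h"]:
            return i
    return None


def stealthy_time(samples, det, t0, t_s):
    """tau = t_e - t_s as in Eq. (22); None when no anomaly is detected.
    samples[i] is the value observed at time t0 + i seconds (1 sample/s)."""
    idx = first_alarm(samples, det)
    if idx is None:
        return None
    return (t0 + idx) - t_s


def make_normal(n=801, seed=2018, level=12.57, noise=0.05):
    """Constructed attack-free signal for 200 s..1000 s: a steady level in mA
    plus Gaussian noise (level from Table 1, noise level assumed)."""
    rng = random.Random(seed)
    return [level + rng.gauss(0.0, noise) for _ in range(n)]


def make_drifted(normal, t0, t_s, duration=200, slope=0.002):
    """Constructed anomaly: a slow ramp (mA per second) added from t_s on."""
    out = list(normal)
    start = t_s - t0
    for i in range(start, min(len(out), start + duration)):
        out[i] += slope * (i - start)
    return out


if __name__ == "__main__":
    T0, T_S = 200, 501
    normal = make_normal()
    det = calibrate(normal)
    print("threshold h:", round(det["h"], 3))
    print("alarm on normal data:", first_alarm(normal, det))
    print("stealthy time (s):",
          stealthy_time(make_drifted(normal, T0, T_S), det, T0, T_S))
```

Because the threshold is fitted to one normal run, it gives no false alarms on that run only; a detector deployed on a live plant would need a threshold validated on independent normal data.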

5.1. The Covert Agent and Replay Attack Experiments. In the two experiments, the covert agent and the replay attack are both started at the time $t = 501$ s. Figures 6 and 7 show the results of the covert agent experiment. Figures 6(a) and 7(a) show a comparison of data with and without a covert agent, and Figures 6(b) and 7(b) show the detection of the changes using the CUSUM algorithm. In comparison, Figures 8 and 9 show the results of the replay attack experiment.

From Figures 6 and 8, we can see that the covert agent is able to imitate the behaviors of the three output variables over a finite time window, just like the replay attack does. What is more, the peaks of the CUSUM standard errors in the covert agent experiment are smaller than the ones in the replay attack experiment, which means that the covert agent has better stealthiness and can avoid being detected by the CUSUM with a lower threshold. From Figures 7 and 9, we can see that the covert agent can also keep the control output stealthy, but the replay attack causes anomalies in the controller's output.

Figure 10: Statistical results of the covert agent experiments. (a) Histograms of the stealthy time (s) against the number of simulations, for $y_1$, $y_2$, $y_3$ and for $u_1$, $u_2$ (CUSUM); (b) empirical CDFs (cumulative distribution) of the stealthy time (s) for the same variables.

5.2. Statistical Results. Figure 10 shows the statistical results of the 100 simulations on the covert agent. Figure 10(a) provides the number distributions of the stealthy time by histograms, and Figure 10(b) gives the proportion distributions by the empirical cumulative distribution function (CDF). The empirical CDF $F(x)$ is defined as the proportion of the values less than or equal to $x$. As can be seen, the stealthy time is longer than 40 seconds in most of the covert agent simulations. Figure 11 shows the statistical results of the 100 simulations on the replay attack. Although the replayed sensor data can avoid being detected by the CUSUM detector, it is more likely to induce an abnormal behavior in the controller's output. More specifically, for the control variable $u_1$, the stealthy time is no more than 40 seconds in all the replay attack simulations.

6. Conclusions and Future Work

This paper has investigated the design problem of machine learning based stealthy DI attacks on industrial control systems. An LSSVR-based covert agent has been presented to estimate the model of the physical system, by which attackers can carry out a stealthy DI attack without the need of prior model knowledge of the physical system. The experimental results demonstrate that the covert loop can keep the control output and sensor data both stealthy over a finite time window. For future work, the proposed covert agent can be further extended to a two-loop covert structure, in which an attack agent can be added. In addition, it is also interesting to investigate the detecting methods of the LSSVR-based attacks.

Figure 11: Statistical results of the replay attack experiments. Histograms of the stealthy time (s) against the number of simulations, and empirical CDFs (cumulative distribution) of the stealthy time (s), for $u_1$ and $u_2$ (CUSUM).

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Key Research and Development Program (no. 2016 YFB1001404) and the National Natural Science Foundation of China (Normal Projects no. 61672093 and no. 61432004).

References

[1] C. Zhou, S. Huang, N. Xiong et al., "Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation," IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45, no. 10, pp. 1345–1360, 2015.

[2] T. Cruz, L. Rosa, J. Proenca et al., "A cybersecurity detection framework for supervisory control and data acquisition systems," IEEE Transactions on Industrial Informatics, vol. 12, no. 6, pp. 2236–2246, 2016.

[3] S. McLaughlin, C. Konstantinou, X. Wang et al., "The Cybersecurity Landscape in Industrial Control Systems," Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, 2016.

[4] M. Cheminod, L. Durante, and A. Valenzano, "Review of security issues in industrial networks," IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 277–293, 2013.

[5] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, "False data injection on state estimation in power systems - attacks, impacts, and defense: a survey," IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2017.

[6] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, "Secure control systems: a quantitative risk management approach," IEEE Control Systems Magazine, vol. 35, no. 1, pp. 24–45, 2015.

[7] C. Kwon, W. Liu, and I. Hwang, "Security analysis for Cyber-Physical Systems against stealthy deception attacks," in Proceedings of the 2013 1st American Control Conference, ACC 2013, pp. 3344–3349, USA, June 2013.

[8] Z.-H. Pang, G.-P. Liu, D. Zhou, F. Hou, and D. Sun, "Two-channel false data injection attacks against output tracking control of networked systems," IEEE Transactions on Industrial Electronics, vol. 63, no. 5, pp. 3242–3251, 2016.

[9] A. Teixeira, H. Sandberg, and K. H. Johansson, "Strategic stealthy attacks: The output-to-output l2-gain," in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 2582–2587, Japan, December 2015.

[10] H. Sedghi and E. Jonckheere, "Statistical structure learning to ensure data integrity in smart grid," IEEE Transactions on Smart Grid, vol. 6, no. 4, pp. 1924–1933, 2015.

[11] K. Manandhar, X. Cao, F. Hu, and Y. Liu, "Detection of faults and attacks including false data injection attack in smart grid using Kalman filter," IEEE Transactions on Control of Network Systems, vol. 1, no. 4, pp. 370–379, 2014.

[12] A. Dutta and C. Langbort, "Stealthy output injection attacks on control systems with bounded variables," International Journal of Control, vol. 90, no. 7, pp. 1389–1402, 2017.

[13] R. S. Smith, "Covert misappropriation of networked control systems: presenting a feedback structure," IEEE Control Systems Magazine, vol. 35, no. 1, pp. 82–92, 2015.

[14] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, "Attacks against process control systems: risk assessment, detection, and response," in Proceedings of the 6th International Symposium on Information, Computer and Communications Security (ASIACCS '11), pp. 355–366, Hong Kong, March 2011.

[15] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, "A secure control framework for resource-limited adversaries," Automatica, vol. 51, pp. 135–148, 2015.

[16] D. I. Urbina, J. Giraldo, A. A. Cardenas et al., "Limiting the impact of stealthy attacks on Industrial Control Systems," in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1092–1105, Austria, October 2016.

[17] X. Dai and Z. Gao, "From model, signal to knowledge: A data-driven perspective of fault detection and diagnosis," IEEE Transactions on Industrial Informatics, vol. 9, no. 4, pp. 2226–2238, 2013.

[18] Z. Yu and W. Chin, "Blind false data injection attack using pca approximation method in smart grid," IEEE Transactions on Smart Grid, vol. 6, no. 3, pp. 1219–1226, 2015.

[19] A. Anwar and A. N. Mahmood, "Stealthy and blind false injection attacks on SCADA EMS in the presence of gross errors," in Proceedings of the 2016 IEEE Power and Energy Society General Meeting, PESGM 2016, USA, July 2016.

[20] A. Anwar, A. N. Mahmood, and M. Pickering, "Modeling and performance evaluation of stealthy false data injection attacks on smart grid in the presence of corrupted measurements," Journal of Computer and System Sciences, vol. 83, no. 1, pp. 58–72, 2017.

[21] Y. Yuan and Y. Mo, "Security in cyber-physical systems: Controller design against Known-Plaintext Attack," in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 5814–5819, Japan, December 2015.

[22] J. Kim, L. Tong, and R. J. Thomas, "Subspace methods for data attack on state estimation: a data driven approach," IEEE Transactions on Signal Processing, vol. 63, no. 5, pp. 1102–1114, 2015.

[23] X. Lu, W. Zou, and M. Huang, "A novel spatiotemporal LS-SVM method for complex distributed parameter systems with applications to curing thermal process," IEEE Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1156–1165, 2016.

[24] J. A. K. Suykens and J. Vandewalle, "Least squares support vector machine classifiers," Neural Processing Letters, vol. 9, no. 3, pp. 293–300, 1999.

[25] F. Kaytez, M. C. Taplamacioglu, E. Cam, and F. Hardalac, "Forecasting electricity consumption: a comparison of regression analysis, neural networks and least squares support vector machines," International Journal of Electrical Power & Energy Systems, vol. 67, pp. 431–438, 2015.

[26] H. C. Jung, J. S. Kim, and H. Heo, "Prediction of building energy consumption using an improved real coded genetic algorithm based least squares support vector machine approach," Energy and Buildings, vol. 90, pp. 76–84, 2015.

[27] M. K. Goyal, B. Bharti, J. Quilty, J. Adamowski, and A. Pandey, "Modeling of daily pan evaporation in sub tropical climates using ANN, LS-SVR, fuzzy logic, and ANFIS," Expert Systems with Applications, vol. 41, no. 11, pp. 5267–5276, 2014.

[28] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, "Revealing stealthy attacks in control systems," in Proceedings of the 2012 50th Annual Allerton Conference on Communication, Control, and Computing, Allerton 2012, pp. 1806–1813, USA, October 2012.

[29] G. Wu and J. Sun, "Optimal data integrity attack on actuators in Cyber-Physical Systems," in Proceedings of the 2016 American Control Conference, American Automatic Control Council (AACC) (ACC '16), pp. 1160–1164, USA, July 2016.

[30] C. Staelin, "Parameter selection for support vector machines," Hewlett-Packard Company, 2003, Tech. Rep. HPL-2002-354R1.

[31] N. F. Thornhill, S. C. Patwardhan, and S. L. Shah, "A continuous stirred tank heater simulation model with applications," Journal of Process Control, vol. 18, no. 3-4, pp. 347–360, 2008.

[32] L. Koepcke, G. Ashida, and J. Kretzberg, "Single and multiple change point detection in spike trains: Comparison of different CUSUM methods," Frontiers in Systems Neuroscience, vol. 10, article no. 51, 2016.


Figure 2: Procedure of training the covert agent model. Flowchart steps: training data choosing and preprocessing; wavelet filter $W(Y)$ separating the noise $w$ from the filtered output; obtaining the sets of LSSVR inputs and LSSVR outputs; initializing each LSSVR training dataset according to the number $p$ of output variables; setting the type of kernel function and the epsilon in the loss function; getting the best value of the parameters C and gamma in each LSSVR by the method of n-fold cross-validation; training the model of each LSSVR (LSSVR_1, ..., LSSVR_p).

Assume that the signal noise can be well filtered by $W(\cdot)$ and the error $\mathbf{e}_{k+1}$ can be ignored. Then (14) changes to

$$\mathbf{y}_{k+1} \approx CA\,(C^{T}C)^{-1}C^{T}\mathbf{y}_{k} + CB\,\mathbf{u}_{k} = F(\mathbf{y}_{k}, \mathbf{u}_{k}). \tag{16}$$

Without the prior knowledge of $A$, $B$, and $C$, we use the LSSVR to estimate $F$ of $F$ from the training data with the input $[\mathbf{y}_{k}, \mathbf{u}_{k}]$ and the output $\mathbf{y}_{k+1}$. However, for each $y^{j}_{k+1}$ in $\mathbf{y}_{k+1}$, we do not have the knowledge of the relatedness between $y^{j}_{k+1}$ and the other variables. For the relatedness between $y^{j}_{k+1}$ and $\mathbf{u}_{k}$, we keep it loose and select all $\mathbf{u}_{k}$ as the input data. For the relatedness between $y^{j}_{k+1}$ and $\mathbf{y}_{k}$, we select $y^{j}_{k}$ as the input, for the reason that the sample $y^{j}_{k}$ is heavily correlated with the next sample $y^{j}_{k+1}$ in a physical process. Therefore, the function estimation $F$ of $F$ is given by

$$F = \{f_{1}, \ldots, f_{j}, \ldots, f_{p}\}, \tag{17}$$

where

$$f_{j} = \mathrm{LSSVR\ train}\,(y^{j}_{k+1}, [y^{j}_{k}, \mathbf{u}_{k}]). \tag{18}$$

Then the prediction $\mathbf{y}_{n+1}$ of $\mathbf{y}_{n+1}$ can be expressed as

$$\mathbf{y}_{n+1} = \{y^{1}_{n+1}, \ldots, y^{j}_{n+1}, \ldots, y^{p}_{n+1}\}, \tag{19}$$

where

$$y^{j}_{n+1} = \begin{cases} f_{j}(y^{j}_{t_s}, \mathbf{u}_{t_s}), & n = t_s, \\ f_{j}(y^{j}_{n}, \mathbf{u}_{n}), & n > t_s, \end{cases} \tag{20}$$

where $t_s$ is the start time when the physical plant is covered by the covert agent. From (12) and (13), we have the output of the covert agent, which is the estimation $\mathbf{y}_{n+1}$ of $\mathbf{y}_{n+1}$, that is,

$$\mathbf{y}_{n+1} = \mathbf{y}_{n+1} + \mathbf{w}_{n+1}. \tag{21}$$

Figure 3: The continuous stirred tank heater. Diagram labels: hot water, cold water, steam, flow; instruments FT, FC, LT, LC, TT, TC.

Figure 4: Normal data acquired from the closed-loop CSTH system with the standard operating condition. Panels: control signals $u_1$, $u_2$ (mA) and measurements $y_1$, $y_2$, $y_3$ (mA) versus time (s).

Figure 5: Setups of the experiments. (a) The proposed covert agent and (b) the replay attack. Blocks in both panels: network, Observer 1 ($y_1$, $y_2$, $y_3$), Observer 2 ($u_1$, $u_2$), PID, CSTH, CUSUM.

3.2. Procedure of Training the Covert Agent Model. The training of the covert agent model consists of three phases: (1) data recording phase, (2) model training phase, and (3) output predicting phase. In the first phase, the control and sensory data are recorded to generate a training dataset $Y$ and $U$, which will be used to train the covert plant model in the second phase. As shown in Figure 2, the dataset $Y$ is firstly preprocessed to generate the required data for training each LSSVR model. Then optimal parameters $\gamma$ and $c$ for each LSSVR are obtained through the automated grid search with $n$-fold cross-validation [30] on the training data. Finally, the outputs of this phase are $p$ LSSVR models; that is, there is a LSSVR model for each output variable of the physical plant. In the third phase, as described in the previous subsection, the predictions $\mathbf{y}$ are generated based on the LSSVR models, and they are fed back to the controller to cover the real outputs of the physical plant.

4. Experiment Overview

The covert loop is illustrated by a case study of a continuous stirred tank heater (CSTH) pilot plant. In this section, the CSTH Simulink platform is briefly introduced and the experiment setup is presented. Moreover, the assessment method used to evaluate the experimental results is also presented.

4.1. The CSTH Simulink Platform. The configuration of the CSTH plant is shown in Figure 3. Hot water and cold water are mixed in a stirred tank, heated by steam through a heating coil, and drained from the tank through a long pipe. A more detailed description of the CSTH model can be found in [31].

Our experiment is based on the CSTH Simulink model with closed-loop control, which is provided by Thornhill et al. (http://personal-pages.ps.ic.ac.uk/~nina/CSTHSimulation/index.htm). Under the closed-loop control, the CSTH model runs to a steady state from a nonsteady initial condition. The steady-state valve positions and instrument conditions in this experimental case are shown in Table 1 [31]. The simulation input and output represent electronic signals on a 4–20 mA scale. The inputs to the CSTH are control signals of the cold water and steam valves. The outputs are electronic measurements from the temperature, level, and cold water flow.

Based on the CSTH basic Simulink model, Gaussian noises are added to the three outputs of the CSTH. Figure 4 shows the normal control signals and measurements under the closed-loop control. The default simulation time is 1000 s, and the default sampling rate is 3600 samples per hour (s/h). The "nonsteady" initial phase of the CSTH plant lasts for about 150 seconds (s) and is excluded from all the experiments in this paper.

Figure 6: Data from Observer 1 in the covert agent experiment. (a) Level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) versus time (s), covert and normal traces; (b) CUSUM control charts (standard errors versus time (s)).

4.2. Experiment Setup. The CSTH plant depicted in Figure 3 is simulated in Matlab/Simulink, and its execution starts with the predefined base values. The covert agent is constructed based on the LSSVR method, which is available in the free LS-SVMlab toolbox (http://www.esat.kuleuven.be/sista/lssvmlab). In addition, the cumulative sum (CUSUM) algorithm is used to evaluate the stealthy time, which will be introduced in the next subsection. The setups of the

Journal of Electrical and Computer Engineering 9

CovertNormal

CovertNormal

u1

u2

122

124

126

128

13

132

134

136

Col

d w

ater

val

ve (m

A)

550 600 650 700500Time (s)

116118

12122124126128

13132

Stea

m v

alve

(mA

)

550 600 650 700500Time (s)

(a)

CUSUM control chartNLAN = 12955243 NLAN = 0245031

CUSUM control chartNLAN = 12575916 NLAN = 0312932

550 600 650 700500Time (s)

minus6

minus4

minus2

0

2

4

6

Stan

dard

erro

rs

minus6

minus4

minus2

0

2

4

6St

anda

rd er

rors

550 600 650 700500Time (s)

(b)

Figure 7 Data from Observer 2 in the covert agent experiment

Table 1 Standard operating conditions

VariablesOperatingconditions

(mA)

Variable insimulations

Cold watervalve 1296 1199061Cold waterflow 1189 1199102Steam valve 1257 1199062Level 1200 1199101Temperature 1050 1199103

experiments are illustrated in Figure 5 In order to betterassess the stealthiness of the covert agent we use the replayattack as a comparison and set up two observers to get theexperimental data in the simulation Observer 1 is used to

capture the sensor data (ie 1199101 1199102 and 1199103) and Observer2 is used to capture the output of the controller (ie 1199061 and1199062)43 Assessment Method In order to evaluate experimentalresults the stealthy time 120591 is used and it is defined as

120591 = 119905119890 minus 119905119904 (22)

where 119905119904 is the start time of the covert agent or the replayattack and 119905119890 is the time when an anomaly is detected Alonger stealthy time is favorable to the attackers as they canhave more time to make the physical plant go into an unsafestate while remaining stealthy with respect to the anomalydetectors In this paper the anomaly detector is designedbased on the CUSUM algorithm which is one of the mostcommonly used algorithms for change detection problems[14] Mathematical details of the CUSUM method can befound in [32]

10 Journal of Electrical and Computer Engineering

y1

y2

y3

ReplayNormal

ReplayNormal

ReplayNormal

114

116

118

12

122

124

126

Leve

l (m

A)

550 600 650 700500Time (s)

550 600 650 700500Time (s)

114

116

118

12

122

124

126

Col

d w

ater

flow

(mA

)

minus8

minus6

minus4

minus2

0

2

4

6

8

Stan

dard

erro

rs

minus6

minus4

minus2

0

2

4

6

Stan

dard

erro

rs

101

102

103

104

105

106

107

108

Tem

pera

ture

(mA

)

minus6

minus4

minus2

0

2

4

6

Stan

dard

erro

rs

550 600 650 700500Time (s)

550 600 650 700500Time (s)

550 600 650 700500Time (s)

550 600 650 700500Time (s)

CUSUM control chartNLAN = 12000863 NLAN = 0161709

CUSUM control chartNLAN = 11897463 NLAN = 0202564

CUSUM control chartNLAN = 10499137 NLAN = 0105247

Figure 8 Data from Observer 1 in the replay attack experiment

Journal of Electrical and Computer Engineering 11

u1

ReplayNormal

ReplayNormal

u2

minus1400

minus1200

minus1000

minus800

minus600

minus400

minus200

0

200

Stan

dard

erro

rs

minus6

minus4

minus2

0

2

4

6St

anda

rd er

rors

550 600 650 700500Time (s)

550 600 650 700500Time (s)

115

12

125

13

135

Stea

m v

alve

(mA

)

99510

10511

11512

12513

13514

145C

old

wat

er v

alve

(mA

)

550 600 650 700500Time (s)

550 600 650 700500Time (s)

CUSUM control chartNLAN = 12955243 NLAN = 0245031

CUSUM control chartNLAN = 12575916 NLAN = 0312932

Figure 9 Data from Observer 2 in the replay attack experiment

5 Experimental Results

In this study we capture data from the two observers withinthe time window [201 s 400 s] in a normal process and usethem as the training or replaying data in the experimentsIn order to get the statistical results we run 100 simulationsfor the covert agent and the replay attack respectively Ineach individual simulation run the covert agent or the replayattack starts at a random time 119905 where 500 s ⩽ 119905 ⩽ 800 s (timeis discrete) and persists for 200 seconds

To get the corresponding stealthy time the CUSUMalgorithm is applied to the data that are obtained from thetwo observers in the simulations The thresholds in CUSUMalgorithm are determined based on the normal data in thetimewindow ranging from 200 s to 1000 s and each thresholdis selected under the condition that it will not cause any falsealarm on the normal data In this section we first introducea covert agent experiment and a replay attack experimentThen we give the statistical results of all the experimentaltests

51 The Covert Agent and Replay Attack Experiments In thetwo experiments the covert agent and the replay attack areboth started at the time 119905 = 501 s Figures 6 and 7 show theresults of the covert agent experiment Figures 6(a) and 7(a)show a comparison of data with and without a covert agentand Figures 6(b) and 7(b) show the detection of the changesusing the CUSUM algorithm In comparison Figures 8 and 9show the results of the replay attack experiment

From Figures 6 and 8 we can see that the covert agentis able to imitate the behaviors of the three output variablesover a finite time window just like the replay attack doesWhat is more the peaks of the CUSUM standard errors inthe covert agent experiment are smaller than the ones inthe replay attack experiment which means that the covertagent has better stealthiness and can avoid being detected bythe CUSUM with a lower threshold From Figures 7 and 9we can see that the covert agent can also keep the controloutput stealthy but the replay attack causes anomalies in thecontrollerrsquos output

12 Journal of Electrical and Computer Engineering

CUSUM

CUSUM

y1

y2

y3

0

20

40

60

80

100N

umbe

r of s

imul

atio

ns

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

u1

u2

0

20

40

60

80

100

Num

ber o

f sim

ulat

ions

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

(a)

Empirical CDF

Empirical CDF

y1

y2

y3

u1

u2

0

01

02

03

04

05

06

07

08

09

1

Cum

ulat

ive d

istrib

utio

n

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

0010203040506070809

1

Cum

ulat

ive d

istrib

utio

n

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

(b)

Figure 10 Statistical results of the covert agent experiments

52 Statistical Results Figure 10 shows the statistical resultsof the 100 simulations on the covert agent Figure 10(a)provides the number distributions of the stealthy time by his-tograms and Figure 10(b) gives the proportion distributionsby the empirical cumulative distribution function (CDF)The empirical CDF 119865(119909) is defined as the proportion of thevalues less than or equal to 119909 As can be seen the stealthytime is longer than 40 seconds in most of the covert agentsimulations Figure 11 shows the statistical results of the100 simulations on the replay attack Although the replayedsensor data can avoid being detected by the CUSUMdetectorit is more likely to induce an abnormal behavior in thecontrollerrsquos output More specifically for the control variable

1199061 the stealthy time is no more than 40 seconds in all thereplay attack simulations

6 Conclusions and Future Work

This paper has investigated the design problem of machinelearning based stealthy DI attacks on industrial controlsystems A LSSVR-based covert agent has been presented toestimate the model of the physical system by which attackerscan carry out a stealthy DI attack without the need of priormodel knowledge of the physical system The experimentalresults demonstrate that the covert loop can keep the controloutput and sensor data both stealthy over a finite time

Journal of Electrical and Computer Engineering 13

CUSUM

u1

u2

0

01

02

03

04

05

06

07

08

09

1

Cum

ulat

ive d

istrib

utio

n

Empirical CDF

u1

u2

0

20

40

60

80

100N

umbe

r of s

imul

atio

ns

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

Figure 11 Statistical results of the replay attack experiments

window For future work the proposed covert agent can befurther extended to a two-loop covert structure in which anattack agent can be added In addition it is also interestingto investigate the detecting methods of the LSSVR-basedattacks

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is supported by the National Key Researchand Development Program (no 2016 YFB1001404) and theNational Natural Science Foundation of China (NormalProjects no 61672093 and no 61432004)

References

[1] C. Zhou, S. Huang, N. Xiong et al., “Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45, no. 10, pp. 1345–1360, 2015.

[2] T. Cruz, L. Rosa, J. Proenca et al., “A cybersecurity detection framework for supervisory control and data acquisition systems,” IEEE Transactions on Industrial Informatics, vol. 12, no. 6, pp. 2236–2246, 2016.

[3] S. McLaughlin, C. Konstantinou, X. Wang et al., “The Cybersecurity Landscape in Industrial Control Systems,” Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, 2016.

[4] M. Cheminod, L. Durante, and A. Valenzano, “Review of security issues in industrial networks,” IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 277–293, 2013.

[5] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, “False data injection on state estimation in power systems—attacks, impacts, and defense: a survey,” IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2017.

[6] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, “Secure control systems: a quantitative risk management approach,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 24–45, 2015.

[7] C. Kwon, W. Liu, and I. Hwang, “Security analysis for Cyber-Physical Systems against stealthy deception attacks,” in Proceedings of the 2013 1st American Control Conference, ACC 2013, pp. 3344–3349, USA, June 2013.

[8] Z.-H. Pang, G.-P. Liu, D. Zhou, F. Hou, and D. Sun, “Two-channel false data injection attacks against output tracking control of networked systems,” IEEE Transactions on Industrial Electronics, vol. 63, no. 5, pp. 3242–3251, 2016.

[9] A. Teixeira, H. Sandberg, and K. H. Johansson, “Strategic stealthy attacks: The output-to-output l2-gain,” in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 2582–2587, Japan, December 2015.

[10] H. Sedghi and E. Jonckheere, “Statistical structure learning to ensure data integrity in smart grid,” IEEE Transactions on Smart Grid, vol. 6, no. 4, pp. 1924–1933, 2015.

[11] K. Manandhar, X. Cao, F. Hu, and Y. Liu, “Detection of faults and attacks including false data injection attack in smart grid using Kalman filter,” IEEE Transactions on Control of Network Systems, vol. 1, no. 4, pp. 370–379, 2014.

[12] A. Dutta and C. Langbort, “Stealthy output injection attacks on control systems with bounded variables,” International Journal of Control, vol. 90, no. 7, pp. 1389–1402, 2017.

[13] R. S. Smith, “Covert misappropriation of networked control systems: presenting a feedback structure,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 82–92, 2015.

[14] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, “Attacks against process control systems: risk assessment, detection, and response,” in Proceedings of the 6th International Symposium on Information, Computer and Communications Security (ASIACCS ’11), pp. 355–366, Hong Kong, March 2011.

[15] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “A secure control framework for resource-limited adversaries,” Automatica, vol. 51, pp. 135–148, 2015.

[16] D. I. Urbina, J. Giraldo, A. A. Cardenas et al., “Limiting the impact of stealthy attacks on Industrial Control Systems,” in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1092–1105, Austria, October 2016.

[17] X. Dai and Z. Gao, “From model, signal to knowledge: A data-driven perspective of fault detection and diagnosis,” IEEE Transactions on Industrial Informatics, vol. 9, no. 4, pp. 2226–2238, 2013.

[18] Z. Yu and W. Chin, “Blind false data injection attack using pca approximation method in smart grid,” IEEE Transactions on Smart Grid, vol. 6, no. 3, pp. 1219–1226, 2015.

[19] A. Anwar and A. N. Mahmood, “Stealthy and blind false injection attacks on SCADA EMS in the presence of gross errors,” in Proceedings of the 2016 IEEE Power and Energy Society General Meeting, PESGM 2016, USA, July 2016.

[20] A. Anwar, A. N. Mahmood, and M. Pickering, “Modeling and performance evaluation of stealthy false data injection attacks on smart grid in the presence of corrupted measurements,” Journal of Computer and System Sciences, vol. 83, no. 1, pp. 58–72, 2017.

[21] Y. Yuan and Y. Mo, “Security in cyber-physical systems: Controller design against Known-Plaintext Attack,” in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 5814–5819, Japan, December 2015.

[22] J. Kim, L. Tong, and R. J. Thomas, “Subspace methods for data attack on state estimation: a data driven approach,” IEEE Transactions on Signal Processing, vol. 63, no. 5, pp. 1102–1114, 2015.

[23] X. Lu, W. Zou, and M. Huang, “A novel spatiotemporal LS-SVM method for complex distributed parameter systems with applications to curing thermal process,” IEEE Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1156–1165, 2016.

[24] J. A. K. Suykens and J. Vandewalle, “Least squares support vector machine classifiers,” Neural Processing Letters, vol. 9, no. 3, pp. 293–300, 1999.

[25] F. Kaytez, M. C. Taplamacioglu, E. Cam, and F. Hardalac, “Forecasting electricity consumption: a comparison of regression analysis, neural networks and least squares support vector machines,” International Journal of Electrical Power & Energy Systems, vol. 67, pp. 431–438, 2015.

[26] H. C. Jung, J. S. Kim, and H. Heo, “Prediction of building energy consumption using an improved real coded genetic algorithm based least squares support vector machine approach,” Energy and Buildings, vol. 90, pp. 76–84, 2015.

[27] M. K. Goyal, B. Bharti, J. Quilty, J. Adamowski, and A. Pandey, “Modeling of daily pan evaporation in sub tropical climates using ANN, LS-SVR, fuzzy logic, and ANFIS,” Expert Systems with Applications, vol. 41, no. 11, pp. 5267–5276, 2014.

[28] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “Revealing stealthy attacks in control systems,” in Proceedings of the 2012 50th Annual Allerton Conference on Communication, Control, and Computing, Allerton 2012, pp. 1806–1813, USA, October 2012.

[29] G. Wu and J. Sun, “Optimal data integrity attack on actuators in Cyber-Physical Systems,” in Proceedings of the 2016 American Control Conference, American Automatic Control Council (AACC) (ACC ’16), pp. 1160–1164, USA, July 2016.

[30] C. Staelin, “Parameter selection for support vector machines,” Hewlett-Packard Company, 2003, Tech. Rep. HPL-2002-354R1.

[31] N. F. Thornhill, S. C. Patwardhan, and S. L. Shah, “A continuous stirred tank heater simulation model with applications,” Journal of Process Control, vol. 18, no. 3-4, pp. 347–360, 2008.

[32] L. Koepcke, G. Ashida, and J. Kretzberg, “Single and multiple change point detection in spike trains: Comparison of different CUSUM methods,” Frontiers in Systems Neuroscience, vol. 10, article no. 51, 2016.



Figure 3: The continuous stirred tank heater. [Diagram labels: hot water, cold water, steam, flow; instruments FT, FC, TT, TC, LT, LC.]

Figure 4: Normal data acquired from the closed-loop CSTH system with the standard operating condition. [Panels: control signals $u_1$, $u_2$ (mA) and measurements $y_1$, $y_2$, $y_3$ (mA) against time (s).]

Figure 5: Setups of the experiments. (a) The proposed covert agent and (b) the replay attack. [Block diagram elements in both panels: CSTH, PID, two networks, Observer 1 on $y_1$, $y_2$, $y_3$, Observer 2 on $u_1$, $u_2$, and CUSUM.]

next sample $y^j_{k+1}$ in a physical process. Therefore, the function estimation $\hat{F}$ of $F$ is given by

$$\hat{F} = \{f_1, \ldots, f_j, \ldots, f_p\}, \tag{17}$$

where

$$f_j = \mathrm{LSSVR\_train}\left(y^j_{k+1}, \left[y^j_k, \mathbf{u}_k\right]\right). \tag{18}$$

Then the prediction $\hat{\mathbf{y}}_{n+1}$ of $\mathbf{y}_{n+1}$ can be expressed as

$$\hat{\mathbf{y}}_{n+1} = \{\hat{y}^1_{n+1}, \ldots, \hat{y}^j_{n+1}, \ldots, \hat{y}^p_{n+1}\}, \tag{19}$$

where

$$\hat{y}^j_{n+1} = \begin{cases} f_j\left(y^j_{t_s}, \mathbf{u}_{t_s}\right), & n = t_s, \\ f_j\left(\hat{y}^j_n, \mathbf{u}_n\right), & n > t_s, \end{cases} \tag{20}$$

where $t_s$ is the start time when the physical plant is covered by the covert agent. From (12) and (13), we have the output of the covert agent, which is the estimation $\tilde{\mathbf{y}}_{n+1}$ of $\mathbf{y}_{n+1}$, that is,

$$\tilde{\mathbf{y}}_{n+1} = \hat{\mathbf{y}}_{n+1} + \mathbf{w}_{n+1}. \tag{21}$$

3.2. Procedure of Training the Covert Agent Model. The training of the covert agent model consists of three phases: (1) data recording phase, (2) model training phase, and (3) output predicting phase. In the first phase, the control and sensory data are recorded to generate a training dataset $Y$ and $U$, which will be used to train the covert plant model in the second phase. As shown in Figure 2, the dataset $Y$ is firstly preprocessed to generate the required data for training each LSSVR model. Then, optimal parameters $\gamma$ and $c$ for each LSSVR are obtained through the automated grid search with $n$-fold cross-validation [30] on the training data. Finally, the outputs of this phase are $p$ LSSVR models; that is, there is an LSSVR model for each output variable of the physical plant. In the third phase, as described in the previous subsection, the predictions $\hat{\mathbf{y}}$ are generated based on the LSSVR models, and they are fed back to the controller to cover the real outputs of the physical plant.

4. Experiment Overview

The covert loop is illustrated by a case study of a continuous stirred tank heater (CSTH) pilot plant. In this section, the CSTH Simulink platform is briefly introduced, and the experiment setup is presented. Moreover, the assessment method used to evaluate the experimental results is also presented.

4.1. The CSTH Simulink Platform. The configuration of the CSTH plant is shown in Figure 3. Hot water and cold water are mixed in a stirred tank, heated by steam through a heating coil, and drained from the tank through a long pipe. A more detailed description of the CSTH model can be found in [31].

Our experiment is based on the CSTH Simulink model with closed-loop control, which is provided by Thornhill et al. (http://personal-pages.ps.ic.ac.uk/~nina/CSTHSimulation/index.htm). Under the closed-loop control, the CSTH model runs to a steady state from a nonsteady initial condition. The steady-state valve positions and instrument conditions in this experimental case are shown in Table 1 [31]. The simulation input and output represent electronic signals on 4–20 mA scale. The inputs to the CSTH are control signals of the cold water and steam valves. The outputs are electronic measurements from the temperature, level, and cold water flow.

Based on the CSTH basic Simulink model, Gaussian noises are added to the three outputs of the CSTH. Figure 4 shows the normal control signals and measurements under the closed-loop control. The default simulation time is 1000 s, and the default sampling rate is 3600 samples per hour (s/h). The “nonsteady” initial phase of the CSTH plant lasts for about 150 seconds (s) and is excluded from all the experiments in this paper.

Figure 6: Data from Observer 1 in the covert agent experiment. [(a) Covert versus normal traces of level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) against time (s); (b) the corresponding CUSUM control charts (standard errors against time).]

4.2. Experiment Setup. The CSTH plant depicted in Figure 3 is simulated in Matlab/Simulink, and its execution starts with the predefined base values. The covert agent is constructed based on the LSSVR method, which is available in the free LS-SVMlab toolbox (http://www.esat.kuleuven.be/sista/lssvmlab). In addition, the cumulative sum (CUSUM) algorithm is used to evaluate the stealthy time, which will be introduced in the next subsection. The setups of the experiments are illustrated in Figure 5. In order to better assess the stealthiness of the covert agent, we use the replay attack as a comparison and set up two observers to get the experimental data in the simulation. Observer 1 is used to capture the sensor data (i.e., $y_1$, $y_2$, and $y_3$), and Observer 2 is used to capture the output of the controller (i.e., $u_1$ and $u_2$).

Figure 7: Data from Observer 2 in the covert agent experiment. [(a) Covert versus normal traces of cold water valve $u_1$ and steam valve $u_2$ (mA) against time (s); (b) the corresponding CUSUM control charts (standard errors against time).]

Table 1: Standard operating conditions.

| Variables | Operating conditions (mA) | Variable in simulations |
|---|---|---|
| Cold water valve | 12.96 | $u_1$ |
| Cold water flow | 11.89 | $y_2$ |
| Steam valve | 12.57 | $u_2$ |
| Level | 12.00 | $y_1$ |
| Temperature | 10.50 | $y_3$ |

4.3. Assessment Method. In order to evaluate experimental results, the stealthy time $\tau$ is used, and it is defined as

$$\tau = t_e - t_s, \tag{22}$$

where $t_s$ is the start time of the covert agent or the replay attack and $t_e$ is the time when an anomaly is detected. A longer stealthy time is favorable to the attackers, as they can have more time to make the physical plant go into an unsafe state while remaining stealthy with respect to the anomaly detectors. In this paper, the anomaly detector is designed based on the CUSUM algorithm, which is one of the most commonly used algorithms for change detection problems [14]. Mathematical details of the CUSUM method can be found in [32].

Figure 8: Data from Observer 1 in the replay attack experiment. [Replay versus normal traces of level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) against time (s), with the corresponding CUSUM control charts (standard errors against time).]

Figure 9: Data from Observer 2 in the replay attack experiment. [Replay versus normal traces of cold water valve $u_1$ and steam valve $u_2$ (mA) against time (s), with the corresponding CUSUM control charts (standard errors against time).]

5. Experimental Results

In this study, we capture data from the two observers within the time window [201 s, 400 s] in a normal process and use them as the training or replaying data in the experiments. In order to get the statistical results, we run 100 simulations for the covert agent and the replay attack, respectively. In each individual simulation run, the covert agent or the replay attack starts at a random time $t$, where $500\ \mathrm{s} \le t \le 800\ \mathrm{s}$ (time is discrete), and persists for 200 seconds.

To get the corresponding stealthy time, the CUSUM algorithm is applied to the data that are obtained from the two observers in the simulations. The thresholds in CUSUM algorithm are determined based on the normal data in the time window ranging from 200 s to 1000 s, and each threshold is selected under the condition that it will not cause any false alarm on the normal data. In this section, we first introduce a covert agent experiment and a replay attack experiment. Then, we give the statistical results of all the experimental tests.
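The threshold rule described above and the stealthy time $\tau$ of (22), as an added example that is not the paper's code: a tabular two-sided CUSUM on standardized samples, calibrated so that it raises no alarm on a normal window, then used to measure how long constructed deviations go unflagged. The slack of 0.5 standard deviations, the signal values, and all function names are assumptions made for this example; the paper's own CUSUM variant is the one referenced in [32].

```python
"""Two-sided CUSUM monitor calibrated for zero false alarms on normal data,
plus the stealthy time tau = t_e - t_s of equation (22).
All signal values below are constructed for illustration (mA, 1 sample/s)."""
from statistics import fmean, pstdev

SLACK = 0.5  # assumed slack in standard deviations; not a value from the paper


def cusum_scores(samples, mu, sigma, slack=SLACK):
    """Return max(S+, S-) after each sample of the standardized signal."""
    s_hi = s_lo = 0.0
    scores = []
    for x in samples:
        z = (x - mu) / sigma                 # standard error of this sample
        s_hi = max(0.0, s_hi + z - slack)    # accumulates upward shifts
        s_lo = max(0.0, s_lo - z - slack)    # accumulates downward shifts
        scores.append(max(s_hi, s_lo))
    return scores


def calibrate(normal, slack=SLACK):
    """Fit mean and std on normal data; the threshold is the largest score the
    normal data itself reaches, so a strict '>' test raises no alarm on it."""
    mu = fmean(normal)
    sigma = pstdev(normal, mu)
    return mu, sigma, max(cusum_scores(normal, mu, sigma, slack))


def stealthy_time(trace, t_s, mu, sigma, h, slack=SLACK):
    """tau = t_e - t_s, with t_e the first alarm at or after t_s.
    Returns None when the deviation is never flagged inside the trace."""
    for k, score in enumerate(cusum_scores(trace, mu, sigma, slack)):
        if k >= t_s and score > h:
            return k - t_s
    return None


# Constructed normal window: level sensor around 12.0 mA with +/-0.2 mA noise,
# including one run of four high and four low samples.
ALT = [+1, -1]
NORMAL = [12.0 + 0.2 * s for s in ALT * 48 + [+1] * 4 + [-1] * 4 + ALT * 48]


def monitored_trace(bias_at, t_s=100, length=300):
    """Constructed trace: the same noise, plus bias_at(m) mA from sample t_s on,
    where m counts seconds since t_s."""
    trace = []
    for k in range(length):
        value = 12.0 + 0.2 * ALT[k % 2]
        if k >= t_s:
            value += bias_at(k - t_s)
        trace.append(value)
    return trace


def evaluate():
    """Detection latency of the calibrated monitor for three constructed deviations."""
    mu, sigma, h = calibrate(NORMAL)
    cases = {
        "step +0.2 mA": lambda m: 0.2,
        "ramp 0.004 mA/s": lambda m: 0.004 * m,
        "step +0.1 mA": lambda m: 0.1,
    }
    return {name: stealthy_time(monitored_trace(bias), 100, mu, sigma, h)
            for name, bias in cases.items()}


if __name__ == "__main__":
    print(calibrate(NORMAL))
    print(evaluate())
```

On this constructed data the 0.2 mA step is flagged after 2 s, the slow ramp after 36 s, and the 0.1 mA step, which equals the slack times the standard deviation, is never flagged within the 200 s window. That floor is the quantity to check when choosing the slack and threshold for a monitored loop.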

5.1. The Covert Agent and Replay Attack Experiments. In the two experiments, the covert agent and the replay attack are both started at the time $t = 501$ s. Figures 6 and 7 show the results of the covert agent experiment. Figures 6(a) and 7(a) show a comparison of data with and without a covert agent, and Figures 6(b) and 7(b) show the detection of the changes using the CUSUM algorithm. In comparison, Figures 8 and 9 show the results of the replay attack experiment.

From Figures 6 and 8, we can see that the covert agent is able to imitate the behaviors of the three output variables over a finite time window, just like the replay attack does. What is more, the peaks of the CUSUM standard errors in the covert agent experiment are smaller than the ones in the replay attack experiment, which means that the covert agent has better stealthiness and can avoid being detected by the CUSUM with a lower threshold. From Figures 7 and 9, we can see that the covert agent can also keep the control output stealthy, but the replay attack causes anomalies in the controller’s output.

Figure 10: Statistical results of the covert agent experiments. [(a) Histograms of the number of simulations against stealthy time (s) under CUSUM, for $y_1$, $y_2$, $y_3$ and for $u_1$, $u_2$; (b) empirical CDFs of the stealthy time for the same variables.]

5.2. Statistical Results. Figure 10 shows the statistical results of the 100 simulations on the covert agent. Figure 10(a) provides the number distributions of the stealthy time by histograms, and Figure 10(b) gives the proportion distributions by the empirical cumulative distribution function (CDF). The empirical CDF $F(x)$ is defined as the proportion of the values less than or equal to $x$. As can be seen, the stealthy time is longer than 40 seconds in most of the covert agent simulations. Figure 11 shows the statistical results of the 100 simulations on the replay attack. Although the replayed sensor data can avoid being detected by the CUSUM detector, it is more likely to induce an abnormal behavior in the controller’s output. More specifically, for the control variable $u_1$, the stealthy time is no more than 40 seconds in all the replay attack simulations.

6. Conclusions and Future Work

This paper has investigated the design problem of machine learning based stealthy DI attacks on industrial control systems. An LSSVR-based covert agent has been presented to estimate the model of the physical system, by which attackers can carry out a stealthy DI attack without the need of prior model knowledge of the physical system. The experimental results demonstrate that the covert loop can keep the control output and sensor data both stealthy over a finite time window. For future work, the proposed covert agent can be further extended to a two-loop covert structure in which an attack agent can be added. In addition, it is also interesting to investigate the detecting methods of the LSSVR-based attacks.

Figure 11: Statistical results of the replay attack experiments. [Histogram of the number of simulations against stealthy time (s) under CUSUM and empirical CDF of the stealthy time, for $u_1$ and $u_2$.]

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is supported by the National Key Researchand Development Program (no 2016 YFB1001404) and theNational Natural Science Foundation of China (NormalProjects no 61672093 and no 61432004)

References

[1] C Zhou S Huang N Xiong et al ldquoDesign and analysisof multimodel-based anomaly intrusion detection systems inindustrial process automationrdquo IEEE Transactions on SystemsMan and Cybernetics Systems vol 45 no 10 pp 1345ndash13602015

[2] T Cruz L Rosa J Proenca et al ldquoA cybersecurity detectionframework for supervisory control and data acquisition sys-temsrdquo IEEE Transactions on Industrial Informatics vol 12 no6 pp 2236ndash2246 2016

[3] S McLaughlin C Konstantinou X Wang et al ldquoThe Cyberse-curity Landscape in Industrial Control Systemsrdquo Proceedings ofthe IEEE vol 104 no 5 pp 1039ndash1057 2016

[4] M Cheminod L Durante and A Valenzano ldquoReview ofsecurity issues in industrial networksrdquo IEEE Transactions onIndustrial Informatics vol 9 no 1 pp 277ndash293 2013

[5] R Deng G Xiao R Lu H Liang and A V Vasilakos ldquoFalsedata injection on state estimation in power systemsmdashattacks

impacts and defense a surveyrdquo IEEE Transactions on IndustrialInformatics vol 13 no 2 pp 411ndash423 2017

[6] A Teixeira K C Sou H Sandberg and K H Johans-son ldquoSecure control systems a quantitative risk managementapproachrdquo IEEEControl SystemsMagazine vol 35 no 1 pp 24ndash45 2015

[7] C Kwon W Liu and I Hwang ldquoSecurity analysis for Cyber-Physical Systems against stealthy deception attacksrdquo in Proceed-ings of the 2013 1st American Control Conference ACC 2013 pp3344ndash3349 USA June 2013

[8] Z-H Pang G-P Liu D Zhou F Hou and D Sun ldquoTwo-channel false data injection attacks against output trackingcontrol of networked systemsrdquo IEEE Transactions on IndustrialElectronics vol 63 no 5 pp 3242ndash3251 2016

[9] A Teixeira H Sandberg and K H Johansson ldquoStrategicstealthy attacks The output-to-output l2-gainrdquo in Proceedingsof the 54th IEEE Conference on Decision and Control CDC 2015pp 2582ndash2587 Japan December 2015

[10] H Sedghi and E Jonckheere ldquoStatistical structure learning toensure data integrity in smart gridrdquo IEEE Transactions on SmartGrid vol 6 no 4 pp 1924ndash1933 2015

[11] K Manandhar X Cao F Hu and Y Liu ldquoDetection of faultsand attacks including false data injection attack in smart gridusing Kalman filterrdquo IEEE Transactions on Control of NetworkSystems vol 1 no 4 pp 370ndash379 2014

[12] A Dutta and C Langbort ldquoStealthy output injection attacks oncontrol systems with bounded variablesrdquo International Journalof Control vol 90 no 7 pp 1389ndash1402 2017

[13] R S Smith ldquoCovert misappropriation of networked controlsystems presenting a feedback structurerdquo IEEE Control SystemsMagazine vol 35 no 1 pp 82ndash92 2015

[14] A A Cardenas S Amin Z-S Lin Y-L Huang C-Y Huangand S Sastry ldquoAttacks against process control systems riskassessment detection and responserdquo in Proceedings of the6th International Symposium on Information Computer andCommunications Security (ASIACCS rsquo11) pp 355ndash366 HongKong March 2011

14 Journal of Electrical and Computer Engineering

[15] A Teixeira I Shames H Sandberg and K H JohanssonldquoA secure control framework for resource-limited adversariesrdquoAutomatica vol 51 pp 135ndash148 2015

[16] D I Urbina J Giraldo A A Cardenas et al ldquoLimiting theimpact of stealthy attacks on Industrial Control Systemsrdquo inProceedings of the 23rd ACM Conference on Computer andCommunications Security CCS 2016 pp 1092ndash1105 AustriaOctober 2016

[17] X Dai and Z Gao ldquoFrom model signal to knowledge Adata-driven perspective of fault detection and diagnosisrdquo IEEETransactions on Industrial Informatics vol 9 no 4 pp 2226ndash2238 2013

[18] Z Yu and W Chin ldquoBlind false data injection attack using pcaapproximation method in smart gridrdquo IEEE Transactions onSmart Grid vol 6 no 3 pp 1219ndash1226 2015

[19] A Anwar and A N Mahmood ldquoStealthy and blind falseinjection attacks on SCADA EMS in the presence of grosserrorsrdquo inProceedings of the 2016 IEEE Power and Energy SocietyGeneral Meeting PESGM 2016 USA July 2016

[20] A Anwar A N Mahmood and M Pickering ldquoModeling andperformance evaluation of stealthy false data injection attackson smart grid in the presence of corrupted measurementsrdquoJournal of Computer and System Sciences vol 83 no 1 pp 58ndash72 2017

[21] Y Yuan and Y Mo ldquoSecurity in cyber-physical systems Con-troller design against Known-Plaintext Attackrdquo in Proceedingsof the 54th IEEE Conference on Decision and Control CDC 2015pp 5814ndash5819 Japan December 2015

[22] J Kim L Tong and R J Thomas ldquoSubspace methods fordata attack on state estimation a data driven approachrdquo IEEETransactions on Signal Processing vol 63 no 5 pp 1102ndash11142015

[23] X Lu W Zou and M Huang ldquoA novel spatiotemporal LS-SVM method for complex distributed parameter systems withapplications to curing thermal processrdquo IEEE Transactions onIndustrial Informatics vol 12 no 3 pp 1156ndash1165 2016

[24] J A K Suykens and J Vandewalle ldquoLeast squares supportvector machine classifiersrdquo Neural Processing Letters vol 9 no3 pp 293ndash300 1999

[25] F Kaytez M C Taplamacioglu E Cam and F HardalacldquoForecasting electricity consumption a comparison of regres-sion analysis neural networks and least squares support vectormachinesrdquo International Journal of Electrical Power amp EnergySystems vol 67 pp 431ndash438 2015

[26] H C Jung J S Kim andHHeo ldquoPrediction of building energyconsumption using an improved real coded genetic algorithmbased least squares support vector machine approachrdquo Energyand Buildings vol 90 pp 76ndash84 2015

[27] M K Goyal B Bharti J Quilty J Adamowski and A PandeyldquoModeling of daily pan evaporation in sub tropical climatesusing ANN LS-SVR fuzzy logic and ANFISrdquo Expert Systemswith Applications vol 41 no 11 pp 5267ndash5276 2014

[28] A Teixeira I Shames H Sandberg and K H JohanssonldquoRevealing stealthy attacks in control systemsrdquo in Proceedings ofthe 2012 50th Annual Allerton Conference on CommunicationControl and Computing Allerton 2012 pp 1806ndash1813 USAOctober 2012

[29] G Wu and J Sun ldquoOptimal data integrity attack on actuatorsin Cyber-Physical Systemsrdquo in Proceedings of the 2016 Amer-ican Control Conference American Automatic Control Council(AACC) (ACC rsquo16) pp 1160ndash1164 USA July 2016

[30] C Staelin ldquoParameter selection for support vector machinesrdquoHewlett-Packard Company 2003 Tech Rep HPL-2002-354R1

[31] N FThornhill S C Patwardhan and S L Shah ldquoA continuousstirred tank heater simulationmodel with applicationsrdquo Journalof Process Control vol 18 no 3-4 pp 347ndash360 2008

[32] L Koepcke G Ashida and J Kretzberg ldquoSingle and multiplechange point detection in spike trains Comparison of differentCUSUM methodsrdquo Frontiers in Systems Neuroscience vol 10article no 51 2016

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 7: A Novel Covert Agent for Stealthy Attacks on Industrial ...downloads.hindawi.com/journals/jece/2018/7204939.pdf · Introduction Industrial control systems (ICSs) are widely deployed

Journal of Electrical and Computer Engineering 7

Network Network

Observer 1 Observer 2

PID

CSTH

CUSUM

Covert agent

y1 y2 y3 u1 u2

(a)

Network Network

Observer 1 Observer 2

PID

CSTH

CUSUM

Replay attack

y1 y2 y3 u1 u2

(b)

Figure 5 Setups of the experiments (a) The proposed covert agent and (b) the replay attack

next sample119910119895119896+1

in a physical processTherefore the functionestimation 119865 of 119865 is given by

119865 = 1198911 119891119895 119891119901 (17)

where

119891119895 = LSSVR train (119910119895119896+1

[119910119895119896 u119896]) (18)

Then the prediction y119899+1 of y119899+1 can be expressed as

y119899+1 = 1199101119899+1 119910119895119899+1 119910119901119899+1 (19)

where

119910119895119899+1 = 119891119895 (119910119895119905

119904

u119905119904

) 119899 = 119905119904119891119895 (119910119895119899 u119899) 119899 gt 119905119904 (20)

where 119905119904 is the start time when the physical plant is coveredby the covert agent From (12) and (13) we have the output ofthe covert agent which is the estimation y119899+1 of y119899+1 that is

y119899+1 = y119899+1 + w119899+1 (21)

32 Procedure of Training the Covert Agent Model Thetraining of the covert agent model consists of three phases(1) data recording phase (2) model training phase and (3)output predicting phase In the first phase the control andsensory data are recorded to generate a training dataset119884 and119880 which will be used to train the covert plant model in thesecond phase As shown in Figure 2 the dataset 119884 is firstlypreprocessed to generate the required data for training eachLSSVR model Then optimal parameters 120574 and 119888 for eachLSSVR are obtained through the automated grid search with119899-fold cross-validation [30] on the training data Finally theoutputs of this phase are 119901 LSSVR models that is there is a

LSSVRmodel for each output variable of the physical plant Inthe third phase as described in the previous subsection thepredictions y are generated based on the LSSVR models andthey are fed back to the controller to cover the real outputs ofthe physical plant

4. Experiment Overview

The covert loop is illustrated by a case study of a continuous stirred tank heater (CSTH) pilot plant. In this section, the CSTH Simulink platform is briefly introduced and the experiment setup is presented. Moreover, the assessment method used to evaluate the experimental results is also presented.

4.1. The CSTH Simulink Platform. The configuration of the CSTH plant is shown in Figure 3. Hot water and cold water are mixed in a stirred tank, heated by steam through a heating coil, and drained from the tank through a long pipe. A more detailed description of the CSTH model can be found in [31].

Our experiment is based on the CSTH Simulink model with closed-loop control, which is provided by Thornhill et al. (http://personal-pages.ps.ic.ac.uk/~nina/CSTHSimulation/index.htm). Under the closed-loop control, the CSTH model runs to a steady state from a nonsteady initial condition. The steady-state valve positions and instrument conditions in this experimental case are shown in Table 1 [31]. The simulation input and output represent electronic signals on 4–20 mA scale. The inputs to the CSTH are control signals of the cold water and steam valves. The outputs are electronic measurements from the temperature, level, and cold water flow.

Based on the CSTH basic Simulink model, Gaussian noises are added to the three outputs of the CSTH. Figure 4 shows the normal control signals and measurements under the closed-loop control. The default simulation time is 1000 s and the default sampling rate is 3600 samples per hour (s/h). The "nonsteady" initial phase of the CSTH plant lasts for about 150 seconds (s) and is excluded from all the experiments in this paper.

Figure 6: Data from Observer 1 in the covert agent experiment. (a) Level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) versus time (s), covert and normal. (b) CUSUM control charts (standard errors versus time (s)).

4.2. Experiment Setup. The CSTH plant depicted in Figure 3 is simulated in Matlab/Simulink, and its execution starts with the predefined base values. The covert agent is constructed based on the LSSVR method, which is available in the free LS-SVMlab toolbox (http://www.esat.kuleuven.be/sista/lssvmlab). In addition, the cumulative sum (CUSUM) algorithm is used to evaluate the stealthy time, which will be introduced in the next subsection. The setups of the experiments are illustrated in Figure 5. In order to better assess the stealthiness of the covert agent, we use the replay attack as a comparison and set up two observers to get the experimental data in the simulation. Observer 1 is used to capture the sensor data (i.e., $y_1$, $y_2$, and $y_3$), and Observer 2 is used to capture the output of the controller (i.e., $u_1$ and $u_2$).

Figure 7: Data from Observer 2 in the covert agent experiment. (a) Cold water valve $u_1$ and steam valve $u_2$ (mA) versus time (s), covert and normal. (b) CUSUM control charts (standard errors versus time (s)).

Table 1: Standard operating conditions.

| Variables | Operating conditions (mA) | Variable in simulations |
|---|---|---|
| Cold water valve | 12.96 | $u_1$ |
| Cold water flow | 11.89 | $y_2$ |
| Steam valve | 12.57 | $u_2$ |
| Level | 12.00 | $y_1$ |
| Temperature | 10.50 | $y_3$ |

4.3. Assessment Method. In order to evaluate experimental results, the stealthy time $\tau$ is used, and it is defined as

$$\tau = t_e - t_s, \tag{22}$$

where $t_s$ is the start time of the covert agent or the replay attack and $t_e$ is the time when an anomaly is detected. A longer stealthy time is favorable to the attackers, as they can have more time to make the physical plant go into an unsafe state while remaining stealthy with respect to the anomaly detectors. In this paper, the anomaly detector is designed based on the CUSUM algorithm, which is one of the most commonly used algorithms for change detection problems [14]. Mathematical details of the CUSUM method can be found in [32].

Figure 8: Data from Observer 1 in the replay attack experiment. Panels for level $y_1$, cold water flow $y_2$, and temperature $y_3$ (mA) versus time (s), replay and normal, each with a CUSUM control chart (standard errors versus time (s)).

Figure 9: Data from Observer 2 in the replay attack experiment. Panels for cold water valve $u_1$ and steam valve $u_2$ (mA) versus time (s), replay and normal, each with a CUSUM control chart (standard errors versus time (s)).

5. Experimental Results

In this study, we capture data from the two observers within the time window [201 s, 400 s] in a normal process and use them as the training or replaying data in the experiments. In order to get the statistical results, we run 100 simulations for the covert agent and the replay attack, respectively. In each individual simulation run, the covert agent or the replay attack starts at a random time $t$, where 500 s ⩽ $t$ ⩽ 800 s (time is discrete), and persists for 200 seconds.

To get the corresponding stealthy time, the CUSUM algorithm is applied to the data that are obtained from the two observers in the simulations. The thresholds in CUSUM algorithm are determined based on the normal data in the time window ranging from 200 s to 1000 s, and each threshold is selected under the condition that it will not cause any false alarm on the normal data. In this section, we first introduce a covert agent experiment and a replay attack experiment. Then, we give the statistical results of all the experimental tests.
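The detector side of the assessment in Sections 4.3 and 5, as an added example that is not code from the paper: a two-sided tabular CUSUM, a threshold calibrated so that attack-free data raise no alarm, and the stealthy time $\tau = t_e - t_s$ measured against it. The paper does not state its CUSUM variant or slack value, so the tabular form, `k = 0.5`, the function names, and the constructed level signal are assumptions.

```python
import random
from statistics import fmean, pstdev


def cusum(samples, mu, sigma, k=0.5):
    """Two-sided tabular CUSUM on standardized samples (assumed variant).

    Returns one value per sample: the larger of the upper and lower
    cumulative sums, in units of standard errors. k is the slack."""
    if sigma <= 0:
        raise ValueError("sigma must be positive")
    s_hi = s_lo = 0.0
    out = []
    for v in samples:
        z = (v - mu) / sigma
        s_hi = max(0.0, s_hi + z - k)  # accumulates upward drift
        s_lo = max(0.0, s_lo - z - k)  # accumulates downward drift
        out.append(max(s_hi, s_lo))
    return out


def calibrate(normal, k=0.5):
    """Fit mean/std on attack-free data and take the smallest threshold h
    that raises no alarm on that same data (an alarm is statistic > h)."""
    mu, sigma = fmean(normal), pstdev(normal)
    h = max(cusum(normal, mu, sigma, k))
    return mu, sigma, h


def stealthy_time(run, t0, t_s, mu, sigma, h, k=0.5, dt=1.0):
    """tau = t_e - t_s, with t_e the first alarm at or after t_s.

    run[0] is sampled at time t0 and samples are dt seconds apart. The
    detector state is carried over from before t_s, as a live monitor's
    would be. Returns None when no alarm fires before the run ends."""
    start = round((t_s - t0) / dt)
    stats = cusum(run, mu, sigma, k)
    for i in range(start, len(stats)):
        if stats[i] > h:
            return (t0 + i * dt) - t_s
    return None


def demo(seed=7):
    """Constructed data: level y1 around 12.00 mA, 1 sample/s, 200..1000 s."""
    rng = random.Random(seed)
    normal = [12.0 + rng.gauss(0.0, 0.16) for _ in range(801)]
    mu, sigma, h = calibrate(normal)
    t0, t_s, window = 200, 501, 200
    i0 = t_s - t0

    def deviated(offset):
        # Same noise, with a constant offset (mA) on the reported signal
        # from t_s until the end of the 200 s window.
        run = normal[: i0 + window]
        return run[:i0] + [v + offset for v in run[i0:]]

    return {
        "h": h,
        "false_alarm": stealthy_time(normal, t0, t0, mu, sigma, h),
        "tau_small": stealthy_time(deviated(0.05), t0, t_s, mu, sigma, h),
        "tau_large": stealthy_time(deviated(0.30), t0, t_s, mu, sigma, h),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A `None` result means the deviation stayed under the threshold for the whole window; an offset well below `k` standard deviations has negative expected drift in the statistic, which is the sensitivity a zero-false-alarm threshold gives up.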

5.1. The Covert Agent and Replay Attack Experiments. In the two experiments, the covert agent and the replay attack are both started at the time $t = 501$ s. Figures 6 and 7 show the results of the covert agent experiment. Figures 6(a) and 7(a) show a comparison of data with and without a covert agent, and Figures 6(b) and 7(b) show the detection of the changes using the CUSUM algorithm. In comparison, Figures 8 and 9 show the results of the replay attack experiment.

From Figures 6 and 8, we can see that the covert agent is able to imitate the behaviors of the three output variables over a finite time window, just like the replay attack does. What is more, the peaks of the CUSUM standard errors in the covert agent experiment are smaller than the ones in the replay attack experiment, which means that the covert agent has better stealthiness and can avoid being detected by the CUSUM with a lower threshold. From Figures 7 and 9, we can see that the covert agent can also keep the control output stealthy, but the replay attack causes anomalies in the controller's output.

Figure 10: Statistical results of the covert agent experiments. (a) Histograms of the number of simulations versus stealthy time (s) under CUSUM, for $y_1$, $y_2$, $y_3$ and for $u_1$, $u_2$. (b) Empirical CDFs (cumulative distribution versus stealthy time (s)) for the same variables.

5.2. Statistical Results. Figure 10 shows the statistical results of the 100 simulations on the covert agent. Figure 10(a) provides the number distributions of the stealthy time by histograms, and Figure 10(b) gives the proportion distributions by the empirical cumulative distribution function (CDF). The empirical CDF $F(x)$ is defined as the proportion of the values less than or equal to $x$. As can be seen, the stealthy time is longer than 40 seconds in most of the covert agent simulations. Figure 11 shows the statistical results of the 100 simulations on the replay attack. Although the replayed sensor data can avoid being detected by the CUSUM detector, it is more likely to induce an abnormal behavior in the controller's output. More specifically, for the control variable $u_1$, the stealthy time is no more than 40 seconds in all the replay attack simulations.

Figure 11: Statistical results of the replay attack experiments. Panels for $u_1$ and $u_2$: histogram of the number of simulations versus stealthy time (s) under CUSUM, and empirical CDF (cumulative distribution versus stealthy time (s)).

6. Conclusions and Future Work

This paper has investigated the design problem of machine learning based stealthy DI attacks on industrial control systems. A LSSVR-based covert agent has been presented to estimate the model of the physical system, by which attackers can carry out a stealthy DI attack without the need of prior model knowledge of the physical system. The experimental results demonstrate that the covert loop can keep the control output and sensor data both stealthy over a finite time window. For future work, the proposed covert agent can be further extended to a two-loop covert structure, in which an attack agent can be added. In addition, it is also interesting to investigate the detecting methods of the LSSVR-based attacks.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Key Research and Development Program (no. 2016 YFB1001404) and the National Natural Science Foundation of China (Normal Projects no. 61672093 and no. 61432004).

References

[1] C. Zhou, S. Huang, N. Xiong et al., "Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation," IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45, no. 10, pp. 1345–1360, 2015.

[2] T. Cruz, L. Rosa, J. Proenca et al., "A cybersecurity detection framework for supervisory control and data acquisition systems," IEEE Transactions on Industrial Informatics, vol. 12, no. 6, pp. 2236–2246, 2016.

[3] S. McLaughlin, C. Konstantinou, X. Wang et al., "The Cybersecurity Landscape in Industrial Control Systems," Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, 2016.

[4] M. Cheminod, L. Durante, and A. Valenzano, "Review of security issues in industrial networks," IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 277–293, 2013.

[5] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, "False data injection on state estimation in power systems—attacks, impacts, and defense: a survey," IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2017.

[6] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, "Secure control systems: a quantitative risk management approach," IEEE Control Systems Magazine, vol. 35, no. 1, pp. 24–45, 2015.

[7] C. Kwon, W. Liu, and I. Hwang, "Security analysis for Cyber-Physical Systems against stealthy deception attacks," in Proceedings of the 2013 1st American Control Conference, ACC 2013, pp. 3344–3349, USA, June 2013.

[8] Z.-H. Pang, G.-P. Liu, D. Zhou, F. Hou, and D. Sun, "Two-channel false data injection attacks against output tracking control of networked systems," IEEE Transactions on Industrial Electronics, vol. 63, no. 5, pp. 3242–3251, 2016.

[9] A. Teixeira, H. Sandberg, and K. H. Johansson, "Strategic stealthy attacks: The output-to-output l2-gain," in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 2582–2587, Japan, December 2015.

[10] H. Sedghi and E. Jonckheere, "Statistical structure learning to ensure data integrity in smart grid," IEEE Transactions on Smart Grid, vol. 6, no. 4, pp. 1924–1933, 2015.

[11] K. Manandhar, X. Cao, F. Hu, and Y. Liu, "Detection of faults and attacks including false data injection attack in smart grid using Kalman filter," IEEE Transactions on Control of Network Systems, vol. 1, no. 4, pp. 370–379, 2014.

[12] A. Dutta and C. Langbort, "Stealthy output injection attacks on control systems with bounded variables," International Journal of Control, vol. 90, no. 7, pp. 1389–1402, 2017.

[13] R. S. Smith, "Covert misappropriation of networked control systems: presenting a feedback structure," IEEE Control Systems Magazine, vol. 35, no. 1, pp. 82–92, 2015.

[14] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, "Attacks against process control systems: risk assessment, detection, and response," in Proceedings of the 6th International Symposium on Information, Computer and Communications Security (ASIACCS '11), pp. 355–366, Hong Kong, March 2011.

[15] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, "A secure control framework for resource-limited adversaries," Automatica, vol. 51, pp. 135–148, 2015.

[16] D. I. Urbina, J. Giraldo, A. A. Cardenas et al., "Limiting the impact of stealthy attacks on Industrial Control Systems," in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1092–1105, Austria, October 2016.

[17] X. Dai and Z. Gao, "From model, signal to knowledge: A data-driven perspective of fault detection and diagnosis," IEEE Transactions on Industrial Informatics, vol. 9, no. 4, pp. 2226–2238, 2013.

[18] Z. Yu and W. Chin, "Blind false data injection attack using pca approximation method in smart grid," IEEE Transactions on Smart Grid, vol. 6, no. 3, pp. 1219–1226, 2015.

[19] A. Anwar and A. N. Mahmood, "Stealthy and blind false injection attacks on SCADA EMS in the presence of gross errors," in Proceedings of the 2016 IEEE Power and Energy Society General Meeting, PESGM 2016, USA, July 2016.

[20] A. Anwar, A. N. Mahmood, and M. Pickering, "Modeling and performance evaluation of stealthy false data injection attacks on smart grid in the presence of corrupted measurements," Journal of Computer and System Sciences, vol. 83, no. 1, pp. 58–72, 2017.

[21] Y. Yuan and Y. Mo, "Security in cyber-physical systems: Controller design against Known-Plaintext Attack," in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 5814–5819, Japan, December 2015.

[22] J. Kim, L. Tong, and R. J. Thomas, "Subspace methods for data attack on state estimation: a data driven approach," IEEE Transactions on Signal Processing, vol. 63, no. 5, pp. 1102–1114, 2015.

[23] X. Lu, W. Zou, and M. Huang, "A novel spatiotemporal LS-SVM method for complex distributed parameter systems with applications to curing thermal process," IEEE Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1156–1165, 2016.

[24] J. A. K. Suykens and J. Vandewalle, "Least squares support vector machine classifiers," Neural Processing Letters, vol. 9, no. 3, pp. 293–300, 1999.

[25] F. Kaytez, M. C. Taplamacioglu, E. Cam, and F. Hardalac, "Forecasting electricity consumption: a comparison of regression analysis, neural networks and least squares support vector machines," International Journal of Electrical Power & Energy Systems, vol. 67, pp. 431–438, 2015.

[26] H. C. Jung, J. S. Kim, and H. Heo, "Prediction of building energy consumption using an improved real coded genetic algorithm based least squares support vector machine approach," Energy and Buildings, vol. 90, pp. 76–84, 2015.

[27] M. K. Goyal, B. Bharti, J. Quilty, J. Adamowski, and A. Pandey, "Modeling of daily pan evaporation in sub tropical climates using ANN, LS-SVR, fuzzy logic, and ANFIS," Expert Systems with Applications, vol. 41, no. 11, pp. 5267–5276, 2014.

[28] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, "Revealing stealthy attacks in control systems," in Proceedings of the 2012 50th Annual Allerton Conference on Communication, Control, and Computing, Allerton 2012, pp. 1806–1813, USA, October 2012.

[29] G. Wu and J. Sun, "Optimal data integrity attack on actuators in Cyber-Physical Systems," in Proceedings of the 2016 American Control Conference, American Automatic Control Council (AACC) (ACC '16), pp. 1160–1164, USA, July 2016.

[30] C. Staelin, "Parameter selection for support vector machines," Hewlett-Packard Company, 2003, Tech. Rep. HPL-2002-354R1.

[31] N. F. Thornhill, S. C. Patwardhan, and S. L. Shah, "A continuous stirred tank heater simulation model with applications," Journal of Process Control, vol. 18, no. 3-4, pp. 347–360, 2008.

[32] L. Koepcke, G. Ashida, and J. Kretzberg, "Single and multiple change point detection in spike trains: Comparison of different CUSUM methods," Frontiers in Systems Neuroscience, vol. 10, article no. 51, 2016.


Page 8: A Novel Covert Agent for Stealthy Attacks on Industrial ...downloads.hindawi.com/journals/jece/2018/7204939.pdf · Introduction Industrial control systems (ICSs) are widely deployed

8 Journal of Electrical and Computer Engineering

CovertNormal

CovertNormal

CovertNormal

y2

y3

114

116

118

12

122

124

126Le

vel (

mA

)y1

550 600 650 700500Time (s)

112

114

116

118

12

122

124

126

Col

d w

ater

flow

(mA

)

550 600 650 700500Time (s)

550 600 650 700500Time (s)

102

103

104

105

106

107

108

109

Tem

pera

ture

(mA

)

(a)

CUSUM control chart

CUSUM control chart

minus6

minus4

minus2

0

2

4

6

Stan

dard

erro

rs

500 600 650 700550Time (s)

NLAN = 12000863 NLAN = 0161709

NLAN = 11897463 NLAN = 0202564

CUSUM control chartNLAN = 10499137 NLAN = 0105247

550 600 650 700500Time (s)

minus8minus6minus4minus2

02468

Stan

dard

erro

rs

minus6

minus4

minus2

0

2

4

6

Stan

dard

erro

rs

550 600 650 700500Time (s)

(b)

Figure 6 Data from Observer 1 in the covert agent experiment

(sh) The ldquononsteadyrdquo initial phase of the CSTH plant lastsfor about 150 seconds (s) and is excluded from all theexperiments in this paper

42 Experiment Setup The CSTH plant depicted in Figure 3is simulated inMatlabSimulink and its execution starts with

the predefined base values The covert agent is constructedbased on the LSSVR method which is available in thefree LS-SVMlab toolbox (httpwwwesatkuleuvenbesistalssvmlab) In addition the cumulative sum (CUSUM) algo-rithm is used to evaluate the stealthy time which willbe introduced in the next subsection The setups of the

Journal of Electrical and Computer Engineering 9

CovertNormal

CovertNormal

u1

u2

122

124

126

128

13

132

134

136

Col

d w

ater

val

ve (m

A)

550 600 650 700500Time (s)

116118

12122124126128

13132

Stea

m v

alve

(mA

)

550 600 650 700500Time (s)

(a)

CUSUM control chartNLAN = 12955243 NLAN = 0245031

CUSUM control chartNLAN = 12575916 NLAN = 0312932

550 600 650 700500Time (s)

minus6

minus4

minus2

0

2

4

6

Stan

dard

erro

rs

minus6

minus4

minus2

0

2

4

6St

anda

rd er

rors

550 600 650 700500Time (s)

(b)

Figure 7 Data from Observer 2 in the covert agent experiment

Table 1 Standard operating conditions

VariablesOperatingconditions

(mA)

Variable insimulations

Cold watervalve 1296 1199061Cold waterflow 1189 1199102Steam valve 1257 1199062Level 1200 1199101Temperature 1050 1199103

experiments are illustrated in Figure 5 In order to betterassess the stealthiness of the covert agent we use the replayattack as a comparison and set up two observers to get theexperimental data in the simulation Observer 1 is used to

capture the sensor data (ie 1199101 1199102 and 1199103) and Observer2 is used to capture the output of the controller (ie 1199061 and1199062)43 Assessment Method In order to evaluate experimentalresults the stealthy time 120591 is used and it is defined as

120591 = 119905119890 minus 119905119904 (22)

where 119905119904 is the start time of the covert agent or the replayattack and 119905119890 is the time when an anomaly is detected Alonger stealthy time is favorable to the attackers as they canhave more time to make the physical plant go into an unsafestate while remaining stealthy with respect to the anomalydetectors In this paper the anomaly detector is designedbased on the CUSUM algorithm which is one of the mostcommonly used algorithms for change detection problems[14] Mathematical details of the CUSUM method can befound in [32]

10 Journal of Electrical and Computer Engineering

y1

y2

y3

ReplayNormal

ReplayNormal

ReplayNormal

114

116

118

12

122

124

126

Leve

l (m

A)

550 600 650 700500Time (s)

550 600 650 700500Time (s)

114

116

118

12

122

124

126

Col

d w

ater

flow

(mA

)

minus8

minus6

minus4

minus2

0

2

4

6

8

Stan

dard

erro

rs

minus6

minus4

minus2

0

2

4

6

Stan

dard

erro

rs

101

102

103

104

105

106

107

108

Tem

pera

ture

(mA

)

minus6

minus4

minus2

0

2

4

6

Stan

dard

erro

rs

550 600 650 700500Time (s)

550 600 650 700500Time (s)

550 600 650 700500Time (s)

550 600 650 700500Time (s)

CUSUM control chartNLAN = 12000863 NLAN = 0161709

CUSUM control chartNLAN = 11897463 NLAN = 0202564

CUSUM control chartNLAN = 10499137 NLAN = 0105247

Figure 8 Data from Observer 1 in the replay attack experiment

Journal of Electrical and Computer Engineering 11

u1

ReplayNormal

ReplayNormal

u2

minus1400

minus1200

minus1000

minus800

minus600

minus400

minus200

0

200

Stan

dard

erro

rs

minus6

minus4

minus2

0

2

4

6St

anda

rd er

rors

550 600 650 700500Time (s)

550 600 650 700500Time (s)

115

12

125

13

135

Stea

m v

alve

(mA

)

99510

10511

11512

12513

13514

145C

old

wat

er v

alve

(mA

)

550 600 650 700500Time (s)

550 600 650 700500Time (s)

CUSUM control chartNLAN = 12955243 NLAN = 0245031

CUSUM control chartNLAN = 12575916 NLAN = 0312932

Figure 9 Data from Observer 2 in the replay attack experiment

5 Experimental Results

In this study we capture data from the two observers withinthe time window [201 s 400 s] in a normal process and usethem as the training or replaying data in the experimentsIn order to get the statistical results we run 100 simulationsfor the covert agent and the replay attack respectively Ineach individual simulation run the covert agent or the replayattack starts at a random time 119905 where 500 s ⩽ 119905 ⩽ 800 s (timeis discrete) and persists for 200 seconds

To get the corresponding stealthy time the CUSUMalgorithm is applied to the data that are obtained from thetwo observers in the simulations The thresholds in CUSUMalgorithm are determined based on the normal data in thetimewindow ranging from 200 s to 1000 s and each thresholdis selected under the condition that it will not cause any falsealarm on the normal data In this section we first introducea covert agent experiment and a replay attack experimentThen we give the statistical results of all the experimentaltests

51 The Covert Agent and Replay Attack Experiments In thetwo experiments the covert agent and the replay attack areboth started at the time 119905 = 501 s Figures 6 and 7 show theresults of the covert agent experiment Figures 6(a) and 7(a)show a comparison of data with and without a covert agentand Figures 6(b) and 7(b) show the detection of the changesusing the CUSUM algorithm In comparison Figures 8 and 9show the results of the replay attack experiment

From Figures 6 and 8 we can see that the covert agentis able to imitate the behaviors of the three output variablesover a finite time window just like the replay attack doesWhat is more the peaks of the CUSUM standard errors inthe covert agent experiment are smaller than the ones inthe replay attack experiment which means that the covertagent has better stealthiness and can avoid being detected bythe CUSUM with a lower threshold From Figures 7 and 9we can see that the covert agent can also keep the controloutput stealthy but the replay attack causes anomalies in thecontrollerrsquos output

12 Journal of Electrical and Computer Engineering

CUSUM

CUSUM

y1

y2

y3

0

20

40

60

80

100N

umbe

r of s

imul

atio

ns

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

u1

u2

0

20

40

60

80

100

Num

ber o

f sim

ulat

ions

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

(a)

Empirical CDF

Empirical CDF

y1

y2

y3

u1

u2

0

01

02

03

04

05

06

07

08

09

1

Cum

ulat

ive d

istrib

utio

n

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

0010203040506070809

1

Cum

ulat

ive d

istrib

utio

n

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

(b)

Figure 10 Statistical results of the covert agent experiments

52 Statistical Results Figure 10 shows the statistical resultsof the 100 simulations on the covert agent Figure 10(a)provides the number distributions of the stealthy time by his-tograms and Figure 10(b) gives the proportion distributionsby the empirical cumulative distribution function (CDF)The empirical CDF 119865(119909) is defined as the proportion of thevalues less than or equal to 119909 As can be seen the stealthytime is longer than 40 seconds in most of the covert agentsimulations Figure 11 shows the statistical results of the100 simulations on the replay attack Although the replayedsensor data can avoid being detected by the CUSUMdetectorit is more likely to induce an abnormal behavior in thecontrollerrsquos output More specifically for the control variable

1199061 the stealthy time is no more than 40 seconds in all thereplay attack simulations

6 Conclusions and Future Work

This paper has investigated the design problem of machinelearning based stealthy DI attacks on industrial controlsystems A LSSVR-based covert agent has been presented toestimate the model of the physical system by which attackerscan carry out a stealthy DI attack without the need of priormodel knowledge of the physical system The experimentalresults demonstrate that the covert loop can keep the controloutput and sensor data both stealthy over a finite time

Journal of Electrical and Computer Engineering 13

CUSUM

u1

u2

0

01

02

03

04

05

06

07

08

09

1

Cum

ulat

ive d

istrib

utio

n

Empirical CDF

u1

u2

0

20

40

60

80

100N

umbe

r of s

imul

atio

ns

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

Figure 11 Statistical results of the replay attack experiments

window For future work the proposed covert agent can befurther extended to a two-loop covert structure in which anattack agent can be added In addition it is also interestingto investigate the detecting methods of the LSSVR-basedattacks

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is supported by the National Key Researchand Development Program (no 2016 YFB1001404) and theNational Natural Science Foundation of China (NormalProjects no 61672093 and no 61432004)

References

[1] C Zhou S Huang N Xiong et al ldquoDesign and analysisof multimodel-based anomaly intrusion detection systems inindustrial process automationrdquo IEEE Transactions on SystemsMan and Cybernetics Systems vol 45 no 10 pp 1345ndash13602015

[2] T Cruz L Rosa J Proenca et al ldquoA cybersecurity detectionframework for supervisory control and data acquisition sys-temsrdquo IEEE Transactions on Industrial Informatics vol 12 no6 pp 2236ndash2246 2016

[3] S McLaughlin C Konstantinou X Wang et al ldquoThe Cyberse-curity Landscape in Industrial Control Systemsrdquo Proceedings ofthe IEEE vol 104 no 5 pp 1039ndash1057 2016

[4] M Cheminod L Durante and A Valenzano ldquoReview ofsecurity issues in industrial networksrdquo IEEE Transactions onIndustrial Informatics vol 9 no 1 pp 277ndash293 2013

[5] R Deng G Xiao R Lu H Liang and A V Vasilakos ldquoFalsedata injection on state estimation in power systemsmdashattacks

impacts and defense a surveyrdquo IEEE Transactions on IndustrialInformatics vol 13 no 2 pp 411ndash423 2017

[6] A Teixeira K C Sou H Sandberg and K H Johans-son ldquoSecure control systems a quantitative risk managementapproachrdquo IEEEControl SystemsMagazine vol 35 no 1 pp 24ndash45 2015

[7] C Kwon W Liu and I Hwang ldquoSecurity analysis for Cyber-Physical Systems against stealthy deception attacksrdquo in Proceed-ings of the 2013 1st American Control Conference ACC 2013 pp3344ndash3349 USA June 2013

[8] Z-H Pang G-P Liu D Zhou F Hou and D Sun ldquoTwo-channel false data injection attacks against output trackingcontrol of networked systemsrdquo IEEE Transactions on IndustrialElectronics vol 63 no 5 pp 3242ndash3251 2016

[9] A Teixeira H Sandberg and K H Johansson ldquoStrategicstealthy attacks The output-to-output l2-gainrdquo in Proceedingsof the 54th IEEE Conference on Decision and Control CDC 2015pp 2582ndash2587 Japan December 2015

[10] H Sedghi and E Jonckheere ldquoStatistical structure learning toensure data integrity in smart gridrdquo IEEE Transactions on SmartGrid vol 6 no 4 pp 1924ndash1933 2015

[11] K Manandhar X Cao F Hu and Y Liu ldquoDetection of faultsand attacks including false data injection attack in smart gridusing Kalman filterrdquo IEEE Transactions on Control of NetworkSystems vol 1 no 4 pp 370ndash379 2014

[12] A Dutta and C Langbort ldquoStealthy output injection attacks oncontrol systems with bounded variablesrdquo International Journalof Control vol 90 no 7 pp 1389ndash1402 2017

[13] R S Smith ldquoCovert misappropriation of networked controlsystems presenting a feedback structurerdquo IEEE Control SystemsMagazine vol 35 no 1 pp 82ndash92 2015

[14] A A Cardenas S Amin Z-S Lin Y-L Huang C-Y Huangand S Sastry ldquoAttacks against process control systems riskassessment detection and responserdquo in Proceedings of the6th International Symposium on Information Computer andCommunications Security (ASIACCS rsquo11) pp 355ndash366 HongKong March 2011

14 Journal of Electrical and Computer Engineering

[15] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “A secure control framework for resource-limited adversaries,” Automatica, vol. 51, pp. 135–148, 2015.

[16] D. I. Urbina, J. Giraldo, A. A. Cardenas et al., “Limiting the impact of stealthy attacks on Industrial Control Systems,” in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1092–1105, Austria, October 2016.

[17] X. Dai and Z. Gao, “From model, signal to knowledge: A data-driven perspective of fault detection and diagnosis,” IEEE Transactions on Industrial Informatics, vol. 9, no. 4, pp. 2226–2238, 2013.

[18] Z. Yu and W. Chin, “Blind false data injection attack using pca approximation method in smart grid,” IEEE Transactions on Smart Grid, vol. 6, no. 3, pp. 1219–1226, 2015.

[19] A. Anwar and A. N. Mahmood, “Stealthy and blind false injection attacks on SCADA EMS in the presence of gross errors,” in Proceedings of the 2016 IEEE Power and Energy Society General Meeting, PESGM 2016, USA, July 2016.

[20] A. Anwar, A. N. Mahmood, and M. Pickering, “Modeling and performance evaluation of stealthy false data injection attacks on smart grid in the presence of corrupted measurements,” Journal of Computer and System Sciences, vol. 83, no. 1, pp. 58–72, 2017.

[21] Y. Yuan and Y. Mo, “Security in cyber-physical systems: Controller design against Known-Plaintext Attack,” in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 5814–5819, Japan, December 2015.

[22] J. Kim, L. Tong, and R. J. Thomas, “Subspace methods for data attack on state estimation: a data driven approach,” IEEE Transactions on Signal Processing, vol. 63, no. 5, pp. 1102–1114, 2015.

[23] X. Lu, W. Zou, and M. Huang, “A novel spatiotemporal LS-SVM method for complex distributed parameter systems with applications to curing thermal process,” IEEE Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1156–1165, 2016.

[24] J. A. K. Suykens and J. Vandewalle, “Least squares support vector machine classifiers,” Neural Processing Letters, vol. 9, no. 3, pp. 293–300, 1999.

[25] F. Kaytez, M. C. Taplamacioglu, E. Cam, and F. Hardalac, “Forecasting electricity consumption: a comparison of regression analysis, neural networks and least squares support vector machines,” International Journal of Electrical Power & Energy Systems, vol. 67, pp. 431–438, 2015.

[26] H. C. Jung, J. S. Kim, and H. Heo, “Prediction of building energy consumption using an improved real coded genetic algorithm based least squares support vector machine approach,” Energy and Buildings, vol. 90, pp. 76–84, 2015.

[27] M. K. Goyal, B. Bharti, J. Quilty, J. Adamowski, and A. Pandey, “Modeling of daily pan evaporation in sub tropical climates using ANN, LS-SVR, fuzzy logic, and ANFIS,” Expert Systems with Applications, vol. 41, no. 11, pp. 5267–5276, 2014.

[28] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “Revealing stealthy attacks in control systems,” in Proceedings of the 2012 50th Annual Allerton Conference on Communication, Control, and Computing, Allerton 2012, pp. 1806–1813, USA, October 2012.

[29] G. Wu and J. Sun, “Optimal data integrity attack on actuators in Cyber-Physical Systems,” in Proceedings of the 2016 American Control Conference, American Automatic Control Council (AACC) (ACC ’16), pp. 1160–1164, USA, July 2016.

[30] C. Staelin, “Parameter selection for support vector machines,” Hewlett-Packard Company, 2003, Tech. Rep. HPL-2002-354R1.

[31] N. F. Thornhill, S. C. Patwardhan, and S. L. Shah, “A continuous stirred tank heater simulation model with applications,” Journal of Process Control, vol. 18, no. 3-4, pp. 347–360, 2008.

[32] L. Koepcke, G. Ashida, and J. Kretzberg, “Single and multiple change point detection in spike trains: Comparison of different CUSUM methods,” Frontiers in Systems Neuroscience, vol. 10, article no. 51, 2016.


Page 9: A Novel Covert Agent for Stealthy Attacks on Industrial ...downloads.hindawi.com/journals/jece/2018/7204939.pdf · Introduction Industrial control systems (ICSs) are widely deployed

Figure 7: Data from Observer 2 in the covert agent experiment. (a) Cold water valve $u_1$ (mA) and steam valve $u_2$ (mA) versus time (s), covert versus normal; (b) CUSUM control charts of the standard errors versus time (s).

Table 1: Standard operating conditions.

Variables           Operating conditions (mA)    Variable in simulations
Cold water valve    12.96                        $u_1$
Cold water flow     11.89                        $y_2$
Steam valve         12.57                        $u_2$
Level               12.00                        $y_1$
Temperature         10.50                        $y_3$

experiments are illustrated in Figure 5. In order to better assess the stealthiness of the covert agent, we use the replay attack as a comparison and set up two observers to get the experimental data in the simulation. Observer 1 is used to capture the sensor data (i.e., $y_1$, $y_2$, and $y_3$), and Observer 2 is used to capture the output of the controller (i.e., $u_1$ and $u_2$).

4.3. Assessment Method

In order to evaluate experimental results, the stealthy time $\tau$ is used, and it is defined as

$$\tau = t_e - t_s, \tag{22}$$

where $t_s$ is the start time of the covert agent or the replay attack and $t_e$ is the time when an anomaly is detected. A longer stealthy time is favorable to the attackers, as they can have more time to make the physical plant go into an unsafe state while remaining stealthy with respect to the anomaly detectors. In this paper, the anomaly detector is designed based on the CUSUM algorithm, which is one of the most commonly used algorithms for change detection problems [14]. Mathematical details of the CUSUM method can be found in [32].

Figure 8: Data from Observer 1 in the replay attack experiment. Panels for $y_1$ (level, mA), $y_2$ (cold water flow, mA), and $y_3$ (temperature, mA) versus time (s), replay versus normal, each with a CUSUM control chart of the standard errors versus time (s).

Figure 9: Data from Observer 2 in the replay attack experiment. Panels for $u_1$ (cold water valve, mA) and $u_2$ (steam valve, mA) versus time (s), replay versus normal, each with a CUSUM control chart of the standard errors versus time (s).

5. Experimental Results

In this study, we capture data from the two observers within the time window [201 s, 400 s] in a normal process and use them as the training or replaying data in the experiments. In order to get the statistical results, we run 100 simulations for the covert agent and the replay attack, respectively. In each individual simulation run, the covert agent or the replay attack starts at a random time $t$, where 500 s ⩽ $t$ ⩽ 800 s (time is discrete), and persists for 200 seconds.

To get the corresponding stealthy time, the CUSUM algorithm is applied to the data that are obtained from the two observers in the simulations. The thresholds in CUSUM algorithm are determined based on the normal data in the time window ranging from 200 s to 1000 s, and each threshold is selected under the condition that it will not cause any false alarm on the normal data. In this section, we first introduce a covert agent experiment and a replay attack experiment. Then, we give the statistical results of all the experimental tests.
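The detector-side measurement described above, as an added example that is not code from the paper: a two-sided CUSUM is calibrated on normal data so that it raises no false alarm there, and is then used to measure the stealthy time τ = t_e − t_s and an empirical CDF. The tabular CUSUM form, the drift of 0.5, the cap at the window length for undetected runs, and the constructed traces are assumptions; the paper defers its CUSUM details to [32].

```python
import random
import statistics


def cusum_scores(samples, mean, std, drift=0.5):
    """Two-sided tabular CUSUM on standardized samples.

    Returns, per sample, the larger of the upper and lower cumulative sums
    (in standard errors). `drift` is the allowance k (assumed value 0.5).
    """
    upper = lower = 0.0
    scores = []
    for x in samples:
        z = (x - mean) / std
        upper = max(0.0, upper + z - drift)  # accumulates upward shifts
        lower = max(0.0, lower - z - drift)  # accumulates downward shifts
        scores.append(max(upper, lower))
    return scores


def calibrate(normal, drift=0.5):
    """Fit mean/std on normal data and take the largest CUSUM score seen on
    it as the threshold, so `score > threshold` never fires on that data."""
    mean = statistics.fmean(normal)
    std = statistics.pstdev(normal)
    threshold = max(cusum_scores(normal, mean, std, drift))
    return mean, std, threshold


def stealthy_time(trace, t_start, mean, std, threshold, window=200, drift=0.5):
    """tau = t_e - t_s, with t_e the first alarm at or after t_s.

    If no alarm is raised inside the window, tau is capped at the window
    length (an assumption made here for runs that stay undetected).
    """
    scores = cusum_scores(trace, mean, std, drift)
    end = min(t_start + window, len(trace))
    for t in range(t_start, end):
        if scores[t] > threshold:
            return t - t_start
    return window


def ecdf(values, x):
    """Empirical CDF F(x): proportion of values less than or equal to x."""
    return sum(v <= x for v in values) / len(values)


def build_traces(seed=7, n=800, t_start=500):
    """Constructed sample data: a 12 mA signal with bounded noise, plus two
    deviating copies (a 0.5 mA step and a 0.002 mA/s ramp) from t_start on."""
    rng = random.Random(seed)
    normal = [12.0 + rng.uniform(-0.05, 0.05) for _ in range(n)]
    step = [x + (0.5 if t >= t_start else 0.0) for t, x in enumerate(normal)]
    ramp = [x + (0.002 * (t - t_start + 1) if t >= t_start else 0.0)
            for t, x in enumerate(normal)]
    return normal, step, ramp


def run_demo():
    """Calibrate on the normal trace, then measure tau for each trace."""
    t_start = 500
    normal, step, ramp = build_traces(t_start=t_start)
    mean, std, threshold = calibrate(normal)
    taus = {
        name: stealthy_time(trace, t_start, mean, std, threshold)
        for name, trace in (("normal", normal), ("step", step), ("ramp", ramp))
    }
    return taus, threshold


if __name__ == "__main__":
    taus, threshold = run_demo()
    print(f"threshold = {threshold:.2f} standard errors")
    for name, tau in taus.items():
        print(f"{name:>6}: stealthy time = {tau} s")
    print("F(40) over the three runs =", ecdf(list(taus.values()), 40))
```

A threshold chosen this way is the tightest one that stays silent on the calibration data, so a deviation that stays inside the normal data's own variation remains below it by construction.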

5.1. The Covert Agent and Replay Attack Experiments

In the two experiments, the covert agent and the replay attack are both started at the time $t = 501$ s. Figures 6 and 7 show the results of the covert agent experiment. Figures 6(a) and 7(a) show a comparison of data with and without a covert agent, and Figures 6(b) and 7(b) show the detection of the changes using the CUSUM algorithm. In comparison, Figures 8 and 9 show the results of the replay attack experiment.

From Figures 6 and 8, we can see that the covert agent is able to imitate the behaviors of the three output variables over a finite time window, just like the replay attack does. What is more, the peaks of the CUSUM standard errors in the covert agent experiment are smaller than the ones in the replay attack experiment, which means that the covert agent has better stealthiness and can avoid being detected by the CUSUM with a lower threshold. From Figures 7 and 9, we can see that the covert agent can also keep the control output stealthy, but the replay attack causes anomalies in the controller’s output.

Figure 10: Statistical results of the covert agent experiments. (a) Histograms of the stealthy time (s) against the number of simulations, for $y_1$, $y_2$, $y_3$ and for $u_1$, $u_2$ (CUSUM); (b) empirical CDFs (cumulative distribution) of the stealthy time (s) for the same variables.

5.2. Statistical Results

Figure 10 shows the statistical results of the 100 simulations on the covert agent. Figure 10(a) provides the number distributions of the stealthy time by histograms, and Figure 10(b) gives the proportion distributions by the empirical cumulative distribution function (CDF). The empirical CDF $F(x)$ is defined as the proportion of the values less than or equal to $x$. As can be seen, the stealthy time is longer than 40 seconds in most of the covert agent simulations. Figure 11 shows the statistical results of the 100 simulations on the replay attack. Although the replayed sensor data can avoid being detected by the CUSUM detector, it is more likely to induce an abnormal behavior in the controller’s output. More specifically, for the control variable $u_1$, the stealthy time is no more than 40 seconds in all the replay attack simulations.

Figure 11: Statistical results of the replay attack experiments. Histogram (number of simulations) and empirical CDF (cumulative distribution) of the stealthy time (s) for $u_1$ and $u_2$ (CUSUM).

6. Conclusions and Future Work

This paper has investigated the design problem of machine learning based stealthy DI attacks on industrial control systems. A LSSVR-based covert agent has been presented to estimate the model of the physical system, by which attackers can carry out a stealthy DI attack without the need of prior model knowledge of the physical system. The experimental results demonstrate that the covert loop can keep the control output and sensor data both stealthy over a finite time window. For future work, the proposed covert agent can be further extended to a two-loop covert structure, in which an attack agent can be added. In addition, it is also interesting to investigate the detecting methods of the LSSVR-based attacks.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Key Research and Development Program (no. 2016 YFB1001404) and the National Natural Science Foundation of China (Normal Projects no. 61672093 and no. 61432004).

References

[1] C Zhou S Huang N Xiong et al ldquoDesign and analysisof multimodel-based anomaly intrusion detection systems inindustrial process automationrdquo IEEE Transactions on SystemsMan and Cybernetics Systems vol 45 no 10 pp 1345ndash13602015

[2] T Cruz L Rosa J Proenca et al ldquoA cybersecurity detectionframework for supervisory control and data acquisition sys-temsrdquo IEEE Transactions on Industrial Informatics vol 12 no6 pp 2236ndash2246 2016

[3] S McLaughlin C Konstantinou X Wang et al ldquoThe Cyberse-curity Landscape in Industrial Control Systemsrdquo Proceedings ofthe IEEE vol 104 no 5 pp 1039ndash1057 2016

[4] M Cheminod L Durante and A Valenzano ldquoReview ofsecurity issues in industrial networksrdquo IEEE Transactions onIndustrial Informatics vol 9 no 1 pp 277ndash293 2013

[5] R Deng G Xiao R Lu H Liang and A V Vasilakos ldquoFalsedata injection on state estimation in power systemsmdashattacks

impacts and defense a surveyrdquo IEEE Transactions on IndustrialInformatics vol 13 no 2 pp 411ndash423 2017

[6] A Teixeira K C Sou H Sandberg and K H Johans-son ldquoSecure control systems a quantitative risk managementapproachrdquo IEEEControl SystemsMagazine vol 35 no 1 pp 24ndash45 2015

[7] C Kwon W Liu and I Hwang ldquoSecurity analysis for Cyber-Physical Systems against stealthy deception attacksrdquo in Proceed-ings of the 2013 1st American Control Conference ACC 2013 pp3344ndash3349 USA June 2013

[8] Z-H Pang G-P Liu D Zhou F Hou and D Sun ldquoTwo-channel false data injection attacks against output trackingcontrol of networked systemsrdquo IEEE Transactions on IndustrialElectronics vol 63 no 5 pp 3242ndash3251 2016

[9] A Teixeira H Sandberg and K H Johansson ldquoStrategicstealthy attacks The output-to-output l2-gainrdquo in Proceedingsof the 54th IEEE Conference on Decision and Control CDC 2015pp 2582ndash2587 Japan December 2015

[10] H Sedghi and E Jonckheere ldquoStatistical structure learning toensure data integrity in smart gridrdquo IEEE Transactions on SmartGrid vol 6 no 4 pp 1924ndash1933 2015

[11] K Manandhar X Cao F Hu and Y Liu ldquoDetection of faultsand attacks including false data injection attack in smart gridusing Kalman filterrdquo IEEE Transactions on Control of NetworkSystems vol 1 no 4 pp 370ndash379 2014

[12] A Dutta and C Langbort ldquoStealthy output injection attacks oncontrol systems with bounded variablesrdquo International Journalof Control vol 90 no 7 pp 1389ndash1402 2017

[13] R S Smith ldquoCovert misappropriation of networked controlsystems presenting a feedback structurerdquo IEEE Control SystemsMagazine vol 35 no 1 pp 82ndash92 2015

[14] A A Cardenas S Amin Z-S Lin Y-L Huang C-Y Huangand S Sastry ldquoAttacks against process control systems riskassessment detection and responserdquo in Proceedings of the6th International Symposium on Information Computer andCommunications Security (ASIACCS rsquo11) pp 355ndash366 HongKong March 2011

14 Journal of Electrical and Computer Engineering

[15] A Teixeira I Shames H Sandberg and K H JohanssonldquoA secure control framework for resource-limited adversariesrdquoAutomatica vol 51 pp 135ndash148 2015

[16] D I Urbina J Giraldo A A Cardenas et al ldquoLimiting theimpact of stealthy attacks on Industrial Control Systemsrdquo inProceedings of the 23rd ACM Conference on Computer andCommunications Security CCS 2016 pp 1092ndash1105 AustriaOctober 2016

[17] X Dai and Z Gao ldquoFrom model signal to knowledge Adata-driven perspective of fault detection and diagnosisrdquo IEEETransactions on Industrial Informatics vol 9 no 4 pp 2226ndash2238 2013

[18] Z Yu and W Chin ldquoBlind false data injection attack using pcaapproximation method in smart gridrdquo IEEE Transactions onSmart Grid vol 6 no 3 pp 1219ndash1226 2015

[19] A Anwar and A N Mahmood ldquoStealthy and blind falseinjection attacks on SCADA EMS in the presence of grosserrorsrdquo inProceedings of the 2016 IEEE Power and Energy SocietyGeneral Meeting PESGM 2016 USA July 2016

[20] A Anwar A N Mahmood and M Pickering ldquoModeling andperformance evaluation of stealthy false data injection attackson smart grid in the presence of corrupted measurementsrdquoJournal of Computer and System Sciences vol 83 no 1 pp 58ndash72 2017

[21] Y Yuan and Y Mo ldquoSecurity in cyber-physical systems Con-troller design against Known-Plaintext Attackrdquo in Proceedingsof the 54th IEEE Conference on Decision and Control CDC 2015pp 5814ndash5819 Japan December 2015

[22] J Kim L Tong and R J Thomas ldquoSubspace methods fordata attack on state estimation a data driven approachrdquo IEEETransactions on Signal Processing vol 63 no 5 pp 1102ndash11142015

[23] X Lu W Zou and M Huang ldquoA novel spatiotemporal LS-SVM method for complex distributed parameter systems withapplications to curing thermal processrdquo IEEE Transactions onIndustrial Informatics vol 12 no 3 pp 1156ndash1165 2016

[24] J A K Suykens and J Vandewalle ldquoLeast squares supportvector machine classifiersrdquo Neural Processing Letters vol 9 no3 pp 293ndash300 1999

[25] F Kaytez M C Taplamacioglu E Cam and F HardalacldquoForecasting electricity consumption a comparison of regres-sion analysis neural networks and least squares support vectormachinesrdquo International Journal of Electrical Power amp EnergySystems vol 67 pp 431ndash438 2015

[26] H C Jung J S Kim andHHeo ldquoPrediction of building energyconsumption using an improved real coded genetic algorithmbased least squares support vector machine approachrdquo Energyand Buildings vol 90 pp 76ndash84 2015

[27] M K Goyal B Bharti J Quilty J Adamowski and A PandeyldquoModeling of daily pan evaporation in sub tropical climatesusing ANN LS-SVR fuzzy logic and ANFISrdquo Expert Systemswith Applications vol 41 no 11 pp 5267ndash5276 2014

[28] A Teixeira I Shames H Sandberg and K H JohanssonldquoRevealing stealthy attacks in control systemsrdquo in Proceedings ofthe 2012 50th Annual Allerton Conference on CommunicationControl and Computing Allerton 2012 pp 1806ndash1813 USAOctober 2012

[29] G Wu and J Sun ldquoOptimal data integrity attack on actuatorsin Cyber-Physical Systemsrdquo in Proceedings of the 2016 Amer-ican Control Conference American Automatic Control Council(AACC) (ACC rsquo16) pp 1160ndash1164 USA July 2016

[30] C Staelin ldquoParameter selection for support vector machinesrdquoHewlett-Packard Company 2003 Tech Rep HPL-2002-354R1

[31] N FThornhill S C Patwardhan and S L Shah ldquoA continuousstirred tank heater simulationmodel with applicationsrdquo Journalof Process Control vol 18 no 3-4 pp 347ndash360 2008

[32] L Koepcke G Ashida and J Kretzberg ldquoSingle and multiplechange point detection in spike trains Comparison of differentCUSUM methodsrdquo Frontiers in Systems Neuroscience vol 10article no 51 2016


[26] H C Jung J S Kim andHHeo ldquoPrediction of building energyconsumption using an improved real coded genetic algorithmbased least squares support vector machine approachrdquo Energyand Buildings vol 90 pp 76ndash84 2015

[27] M K Goyal B Bharti J Quilty J Adamowski and A PandeyldquoModeling of daily pan evaporation in sub tropical climatesusing ANN LS-SVR fuzzy logic and ANFISrdquo Expert Systemswith Applications vol 41 no 11 pp 5267ndash5276 2014

[28] A Teixeira I Shames H Sandberg and K H JohanssonldquoRevealing stealthy attacks in control systemsrdquo in Proceedings ofthe 2012 50th Annual Allerton Conference on CommunicationControl and Computing Allerton 2012 pp 1806ndash1813 USAOctober 2012

[29] G Wu and J Sun ldquoOptimal data integrity attack on actuatorsin Cyber-Physical Systemsrdquo in Proceedings of the 2016 Amer-ican Control Conference American Automatic Control Council(AACC) (ACC rsquo16) pp 1160ndash1164 USA July 2016

[30] C Staelin ldquoParameter selection for support vector machinesrdquoHewlett-Packard Company 2003 Tech Rep HPL-2002-354R1

[31] N FThornhill S C Patwardhan and S L Shah ldquoA continuousstirred tank heater simulationmodel with applicationsrdquo Journalof Process Control vol 18 no 3-4 pp 347ndash360 2008

[32] L Koepcke G Ashida and J Kretzberg ldquoSingle and multiplechange point detection in spike trains Comparison of differentCUSUM methodsrdquo Frontiers in Systems Neuroscience vol 10article no 51 2016

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 11: A Novel Covert Agent for Stealthy Attacks on Industrial ...downloads.hindawi.com/journals/jece/2018/7204939.pdf · Introduction Industrial control systems (ICSs) are widely deployed

Journal of Electrical and Computer Engineering 11

[Figure 9 plots: control signals u1 and u2 (Normal vs. Replay), with axes Steam valve (mA) and Cold water valve (mA) against Time (s), each with a CUSUM control chart of standard errors against Time (s).]

Figure 9: Data from Observer 2 in the replay attack experiment.

5. Experimental Results

In this study, we capture data from the two observers within the time window [201 s, 400 s] in a normal process and use them as the training or replaying data in the experiments. In order to get the statistical results, we run 100 simulations for the covert agent and the replay attack, respectively. In each individual simulation run, the covert agent or the replay attack starts at a random time $t$, where 500 s ⩽ $t$ ⩽ 800 s (time is discrete), and persists for 200 seconds.

To get the corresponding stealthy time, the CUSUM algorithm is applied to the data that are obtained from the two observers in the simulations. The thresholds in the CUSUM algorithm are determined based on the normal data in the time window ranging from 200 s to 1000 s, and each threshold is selected under the condition that it will not cause any false alarm on the normal data. In this section, we first introduce a covert agent experiment and a replay attack experiment. Then, we give the statistical results of all the experimental tests.

5.1. The Covert Agent and Replay Attack Experiments. In the two experiments, the covert agent and the replay attack are both started at the time $t$ = 501 s. Figures 6 and 7 show the results of the covert agent experiment. Figures 6(a) and 7(a) show a comparison of data with and without a covert agent, and Figures 6(b) and 7(b) show the detection of the changes using the CUSUM algorithm. In comparison, Figures 8 and 9 show the results of the replay attack experiment.

From Figures 6 and 8, we can see that the covert agent is able to imitate the behaviors of the three output variables over a finite time window, just like the replay attack does. What is more, the peaks of the CUSUM standard errors in the covert agent experiment are smaller than the ones in the replay attack experiment, which means that the covert agent has better stealthiness and can avoid being detected by the CUSUM with a lower threshold. From Figures 7 and 9, we can see that the covert agent can also keep the control output stealthy, but the replay attack causes anomalies in the controller's output.


[Figure 10 plots: (a) histograms of the number of simulations against stealthy time (s) for y1, y2, y3 and for u1, u2 (CUSUM); (b) empirical CDF (cumulative distribution) against stealthy time (s) for the same variables.]

Figure 10: Statistical results of the covert agent experiments.

5.2. Statistical Results. Figure 10 shows the statistical results of the 100 simulations on the covert agent. Figure 10(a) provides the number distributions of the stealthy time by histograms, and Figure 10(b) gives the proportion distributions by the empirical cumulative distribution function (CDF). The empirical CDF $F(x)$ is defined as the proportion of the values less than or equal to $x$. As can be seen, the stealthy time is longer than 40 seconds in most of the covert agent simulations. Figure 11 shows the statistical results of the 100 simulations on the replay attack. Although the replayed sensor data can avoid being detected by the CUSUM detector, it is more likely to induce an abnormal behavior in the controller's output. More specifically, for the control variable $u_1$, the stealthy time is no more than 40 seconds in all the replay attack simulations.
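The evaluation procedure of Section 5 (a CUSUM threshold chosen so that normal data raise no alarm, the stealthy time of each run, and the empirical CDF of Section 5.2) can be sketched as follows. This is an added example, not the authors' code: the two-sided tabular CUSUM form, the reference value `k`, the 5% threshold margin, the baseline estimate, and the synthetic trace with a slow drift standing in for a deviating signal are all assumptions made for illustration.

```python
import random
from statistics import fmean, pstdev


def cusum_path(x, mean, std, k=0.5):
    """Two-sided tabular CUSUM on standardized samples (assumed form).

    Returns max(S+, S-) at every step, where
    S+ = max(0, S+ + z - k) and S- = max(0, S- - z - k).
    """
    hi = lo = 0.0
    path = []
    for v in x:
        z = (v - mean) / std
        hi = max(0.0, hi + z - k)
        lo = max(0.0, lo - z - k)
        path.append(max(hi, lo))
    return path


def calibrate_threshold(normal, mean, std, k=0.5, margin=1.05):
    """Threshold just above the largest statistic seen on normal data,
    so the detector raises no false alarm on that data."""
    return margin * max(cusum_path(normal, mean, std, k))


def stealthy_time(x, start, duration, mean, std, h, k=0.5):
    """Samples (seconds at 1 sample/s) between `start` and the first alarm.

    The detector runs from the beginning of the trace, so its state at
    `start` is whatever the normal data left behind. Returns `duration`
    when no alarm is raised inside the window.
    """
    end = min(start + duration, len(x))
    path = cusum_path(x[:end], mean, std, k)
    for i in range(start, end):
        if path[i] > h:
            return i - start
    return duration


def ecdf(values, x):
    """Empirical CDF F(x): proportion of values less than or equal to x."""
    return sum(1 for v in values if v <= x) / len(values)


def run_trials(n_runs=100, seed=1, drift=0.02):
    """Constructed experiment mirroring the setup in the text.

    The trace covers t = 200 s .. 1000 s (index i is time 200 + i).
    Each run starts a deviation at a random t in [500 s, 800 s] that
    lasts 200 s; the deviation here is a constructed linear drift.
    """
    rng = random.Random(seed)
    normal = [50.0 + rng.gauss(0.0, 0.5) for _ in range(801)]  # constructed
    mean, std = fmean(normal), pstdev(normal)
    h = calibrate_threshold(normal, mean, std)
    times = []
    for _ in range(n_runs):
        start = rng.randint(500, 800) - 200
        x = list(normal)
        for i in range(start, min(start + 200, len(x))):
            x[i] += drift * (i - start)
        times.append(stealthy_time(x, start, 200, mean, std, h))
    return h, times


if __name__ == "__main__":
    h, times = run_trials()
    print(f"threshold h = {h:.3f}")
    for x in (20, 40, 80, 200):
        print(f"F({x}) = {ecdf(times, x):.2f}")
```

Because the threshold is tied to the largest statistic on normal data, a longer or noisier calibration window raises it, which lengthens the stealthy time of any deviation; that trade-off is what the histograms and CDFs in Figures 10 and 11 summarize.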

[Figure 11 plots: histogram of the number of simulations and empirical CDF (cumulative distribution) against stealthy time (s) for u1 and u2 (CUSUM).]

Figure 11: Statistical results of the replay attack experiments.

6. Conclusions and Future Work

This paper has investigated the design problem of machine learning based stealthy DI attacks on industrial control systems. An LSSVR-based covert agent has been presented to estimate the model of the physical system, by which attackers can carry out a stealthy DI attack without the need of prior model knowledge of the physical system. The experimental results demonstrate that the covert loop can keep the control output and sensor data both stealthy over a finite time window. For future work, the proposed covert agent can be further extended to a two-loop covert structure, in which an attack agent can be added. In addition, it is also interesting to investigate the detecting methods of the LSSVR-based attacks.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Key Research and Development Program (no. 2016 YFB1001404) and the National Natural Science Foundation of China (Normal Projects no. 61672093 and no. 61432004).

References

[1] C Zhou S Huang N Xiong et al ldquoDesign and analysisof multimodel-based anomaly intrusion detection systems inindustrial process automationrdquo IEEE Transactions on SystemsMan and Cybernetics Systems vol 45 no 10 pp 1345ndash13602015

[2] T Cruz L Rosa J Proenca et al ldquoA cybersecurity detectionframework for supervisory control and data acquisition sys-temsrdquo IEEE Transactions on Industrial Informatics vol 12 no6 pp 2236ndash2246 2016

[3] S McLaughlin C Konstantinou X Wang et al ldquoThe Cyberse-curity Landscape in Industrial Control Systemsrdquo Proceedings ofthe IEEE vol 104 no 5 pp 1039ndash1057 2016

[4] M Cheminod L Durante and A Valenzano ldquoReview ofsecurity issues in industrial networksrdquo IEEE Transactions onIndustrial Informatics vol 9 no 1 pp 277ndash293 2013

[5] R Deng G Xiao R Lu H Liang and A V Vasilakos ldquoFalsedata injection on state estimation in power systemsmdashattacks

impacts and defense a surveyrdquo IEEE Transactions on IndustrialInformatics vol 13 no 2 pp 411ndash423 2017

[6] A Teixeira K C Sou H Sandberg and K H Johans-son ldquoSecure control systems a quantitative risk managementapproachrdquo IEEEControl SystemsMagazine vol 35 no 1 pp 24ndash45 2015

[7] C Kwon W Liu and I Hwang ldquoSecurity analysis for Cyber-Physical Systems against stealthy deception attacksrdquo in Proceed-ings of the 2013 1st American Control Conference ACC 2013 pp3344ndash3349 USA June 2013

[8] Z-H Pang G-P Liu D Zhou F Hou and D Sun ldquoTwo-channel false data injection attacks against output trackingcontrol of networked systemsrdquo IEEE Transactions on IndustrialElectronics vol 63 no 5 pp 3242ndash3251 2016

[9] A Teixeira H Sandberg and K H Johansson ldquoStrategicstealthy attacks The output-to-output l2-gainrdquo in Proceedingsof the 54th IEEE Conference on Decision and Control CDC 2015pp 2582ndash2587 Japan December 2015

[10] H Sedghi and E Jonckheere ldquoStatistical structure learning toensure data integrity in smart gridrdquo IEEE Transactions on SmartGrid vol 6 no 4 pp 1924ndash1933 2015

[11] K Manandhar X Cao F Hu and Y Liu ldquoDetection of faultsand attacks including false data injection attack in smart gridusing Kalman filterrdquo IEEE Transactions on Control of NetworkSystems vol 1 no 4 pp 370ndash379 2014

[12] A Dutta and C Langbort ldquoStealthy output injection attacks oncontrol systems with bounded variablesrdquo International Journalof Control vol 90 no 7 pp 1389ndash1402 2017

[13] R S Smith ldquoCovert misappropriation of networked controlsystems presenting a feedback structurerdquo IEEE Control SystemsMagazine vol 35 no 1 pp 82ndash92 2015

[14] A A Cardenas S Amin Z-S Lin Y-L Huang C-Y Huangand S Sastry ldquoAttacks against process control systems riskassessment detection and responserdquo in Proceedings of the6th International Symposium on Information Computer andCommunications Security (ASIACCS rsquo11) pp 355ndash366 HongKong March 2011

14 Journal of Electrical and Computer Engineering

[15] A Teixeira I Shames H Sandberg and K H JohanssonldquoA secure control framework for resource-limited adversariesrdquoAutomatica vol 51 pp 135ndash148 2015

[16] D I Urbina J Giraldo A A Cardenas et al ldquoLimiting theimpact of stealthy attacks on Industrial Control Systemsrdquo inProceedings of the 23rd ACM Conference on Computer andCommunications Security CCS 2016 pp 1092ndash1105 AustriaOctober 2016

[17] X Dai and Z Gao ldquoFrom model signal to knowledge Adata-driven perspective of fault detection and diagnosisrdquo IEEETransactions on Industrial Informatics vol 9 no 4 pp 2226ndash2238 2013

[18] Z Yu and W Chin ldquoBlind false data injection attack using pcaapproximation method in smart gridrdquo IEEE Transactions onSmart Grid vol 6 no 3 pp 1219ndash1226 2015

[19] A Anwar and A N Mahmood ldquoStealthy and blind falseinjection attacks on SCADA EMS in the presence of grosserrorsrdquo inProceedings of the 2016 IEEE Power and Energy SocietyGeneral Meeting PESGM 2016 USA July 2016

[20] A Anwar A N Mahmood and M Pickering ldquoModeling andperformance evaluation of stealthy false data injection attackson smart grid in the presence of corrupted measurementsrdquoJournal of Computer and System Sciences vol 83 no 1 pp 58ndash72 2017

[21] Y Yuan and Y Mo ldquoSecurity in cyber-physical systems Con-troller design against Known-Plaintext Attackrdquo in Proceedingsof the 54th IEEE Conference on Decision and Control CDC 2015pp 5814ndash5819 Japan December 2015

[22] J Kim L Tong and R J Thomas ldquoSubspace methods fordata attack on state estimation a data driven approachrdquo IEEETransactions on Signal Processing vol 63 no 5 pp 1102ndash11142015

[23] X Lu W Zou and M Huang ldquoA novel spatiotemporal LS-SVM method for complex distributed parameter systems withapplications to curing thermal processrdquo IEEE Transactions onIndustrial Informatics vol 12 no 3 pp 1156ndash1165 2016

[24] J A K Suykens and J Vandewalle ldquoLeast squares supportvector machine classifiersrdquo Neural Processing Letters vol 9 no3 pp 293ndash300 1999

[25] F Kaytez M C Taplamacioglu E Cam and F HardalacldquoForecasting electricity consumption a comparison of regres-sion analysis neural networks and least squares support vectormachinesrdquo International Journal of Electrical Power amp EnergySystems vol 67 pp 431ndash438 2015

[26] H C Jung J S Kim andHHeo ldquoPrediction of building energyconsumption using an improved real coded genetic algorithmbased least squares support vector machine approachrdquo Energyand Buildings vol 90 pp 76ndash84 2015

[27] M K Goyal B Bharti J Quilty J Adamowski and A PandeyldquoModeling of daily pan evaporation in sub tropical climatesusing ANN LS-SVR fuzzy logic and ANFISrdquo Expert Systemswith Applications vol 41 no 11 pp 5267ndash5276 2014

[28] A Teixeira I Shames H Sandberg and K H JohanssonldquoRevealing stealthy attacks in control systemsrdquo in Proceedings ofthe 2012 50th Annual Allerton Conference on CommunicationControl and Computing Allerton 2012 pp 1806ndash1813 USAOctober 2012

[29] G Wu and J Sun ldquoOptimal data integrity attack on actuatorsin Cyber-Physical Systemsrdquo in Proceedings of the 2016 Amer-ican Control Conference American Automatic Control Council(AACC) (ACC rsquo16) pp 1160ndash1164 USA July 2016

[30] C Staelin ldquoParameter selection for support vector machinesrdquoHewlett-Packard Company 2003 Tech Rep HPL-2002-354R1

[31] N FThornhill S C Patwardhan and S L Shah ldquoA continuousstirred tank heater simulationmodel with applicationsrdquo Journalof Process Control vol 18 no 3-4 pp 347ndash360 2008

[32] L Koepcke G Ashida and J Kretzberg ldquoSingle and multiplechange point detection in spike trains Comparison of differentCUSUM methodsrdquo Frontiers in Systems Neuroscience vol 10article no 51 2016

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 12: A Novel Covert Agent for Stealthy Attacks on Industrial ...downloads.hindawi.com/journals/jece/2018/7204939.pdf · Introduction Industrial control systems (ICSs) are widely deployed

12 Journal of Electrical and Computer Engineering

CUSUM

CUSUM

y1

y2

y3

0

20

40

60

80

100N

umbe

r of s

imul

atio

ns

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

u1

u2

0

20

40

60

80

100

Num

ber o

f sim

ulat

ions

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

(a)

Empirical CDF

Empirical CDF

y1

y2

y3

u1

u2

0

01

02

03

04

05

06

07

08

09

1

Cum

ulat

ive d

istrib

utio

n

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

0010203040506070809

1

Cum

ulat

ive d

istrib

utio

n

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

(b)

Figure 10 Statistical results of the covert agent experiments

52 Statistical Results Figure 10 shows the statistical resultsof the 100 simulations on the covert agent Figure 10(a)provides the number distributions of the stealthy time by his-tograms and Figure 10(b) gives the proportion distributionsby the empirical cumulative distribution function (CDF)The empirical CDF 119865(119909) is defined as the proportion of thevalues less than or equal to 119909 As can be seen the stealthytime is longer than 40 seconds in most of the covert agentsimulations Figure 11 shows the statistical results of the100 simulations on the replay attack Although the replayedsensor data can avoid being detected by the CUSUMdetectorit is more likely to induce an abnormal behavior in thecontrollerrsquos output More specifically for the control variable

1199061 the stealthy time is no more than 40 seconds in all thereplay attack simulations

6 Conclusions and Future Work

This paper has investigated the design problem of machinelearning based stealthy DI attacks on industrial controlsystems A LSSVR-based covert agent has been presented toestimate the model of the physical system by which attackerscan carry out a stealthy DI attack without the need of priormodel knowledge of the physical system The experimentalresults demonstrate that the covert loop can keep the controloutput and sensor data both stealthy over a finite time

Journal of Electrical and Computer Engineering 13

CUSUM

u1

u2

0

01

02

03

04

05

06

07

08

09

1

Cum

ulat

ive d

istrib

utio

n

Empirical CDF

u1

u2

0

20

40

60

80

100N

umbe

r of s

imul

atio

ns

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

Figure 11 Statistical results of the replay attack experiments

window For future work the proposed covert agent can befurther extended to a two-loop covert structure in which anattack agent can be added In addition it is also interestingto investigate the detecting methods of the LSSVR-basedattacks

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is supported by the National Key Researchand Development Program (no 2016 YFB1001404) and theNational Natural Science Foundation of China (NormalProjects no 61672093 and no 61432004)

References

[1] C Zhou S Huang N Xiong et al ldquoDesign and analysisof multimodel-based anomaly intrusion detection systems inindustrial process automationrdquo IEEE Transactions on SystemsMan and Cybernetics Systems vol 45 no 10 pp 1345ndash13602015

[2] T Cruz L Rosa J Proenca et al ldquoA cybersecurity detectionframework for supervisory control and data acquisition sys-temsrdquo IEEE Transactions on Industrial Informatics vol 12 no6 pp 2236ndash2246 2016

[3] S McLaughlin C Konstantinou X Wang et al ldquoThe Cyberse-curity Landscape in Industrial Control Systemsrdquo Proceedings ofthe IEEE vol 104 no 5 pp 1039ndash1057 2016

[4] M Cheminod L Durante and A Valenzano ldquoReview ofsecurity issues in industrial networksrdquo IEEE Transactions onIndustrial Informatics vol 9 no 1 pp 277ndash293 2013

[5] R Deng G Xiao R Lu H Liang and A V Vasilakos ldquoFalsedata injection on state estimation in power systemsmdashattacks

impacts and defense a surveyrdquo IEEE Transactions on IndustrialInformatics vol 13 no 2 pp 411ndash423 2017

[6] A Teixeira K C Sou H Sandberg and K H Johans-son ldquoSecure control systems a quantitative risk managementapproachrdquo IEEEControl SystemsMagazine vol 35 no 1 pp 24ndash45 2015

[7] C Kwon W Liu and I Hwang ldquoSecurity analysis for Cyber-Physical Systems against stealthy deception attacksrdquo in Proceed-ings of the 2013 1st American Control Conference ACC 2013 pp3344ndash3349 USA June 2013

[8] Z-H Pang G-P Liu D Zhou F Hou and D Sun ldquoTwo-channel false data injection attacks against output trackingcontrol of networked systemsrdquo IEEE Transactions on IndustrialElectronics vol 63 no 5 pp 3242ndash3251 2016

[9] A Teixeira H Sandberg and K H Johansson ldquoStrategicstealthy attacks The output-to-output l2-gainrdquo in Proceedingsof the 54th IEEE Conference on Decision and Control CDC 2015pp 2582ndash2587 Japan December 2015

[10] H Sedghi and E Jonckheere ldquoStatistical structure learning toensure data integrity in smart gridrdquo IEEE Transactions on SmartGrid vol 6 no 4 pp 1924ndash1933 2015

[11] K Manandhar X Cao F Hu and Y Liu ldquoDetection of faultsand attacks including false data injection attack in smart gridusing Kalman filterrdquo IEEE Transactions on Control of NetworkSystems vol 1 no 4 pp 370ndash379 2014

[12] A Dutta and C Langbort ldquoStealthy output injection attacks oncontrol systems with bounded variablesrdquo International Journalof Control vol 90 no 7 pp 1389ndash1402 2017

[13] R S Smith ldquoCovert misappropriation of networked controlsystems presenting a feedback structurerdquo IEEE Control SystemsMagazine vol 35 no 1 pp 82ndash92 2015

[14] A A Cardenas S Amin Z-S Lin Y-L Huang C-Y Huangand S Sastry ldquoAttacks against process control systems riskassessment detection and responserdquo in Proceedings of the6th International Symposium on Information Computer andCommunications Security (ASIACCS rsquo11) pp 355ndash366 HongKong March 2011

14 Journal of Electrical and Computer Engineering

[15] A Teixeira I Shames H Sandberg and K H JohanssonldquoA secure control framework for resource-limited adversariesrdquoAutomatica vol 51 pp 135ndash148 2015

[16] D I Urbina J Giraldo A A Cardenas et al ldquoLimiting theimpact of stealthy attacks on Industrial Control Systemsrdquo inProceedings of the 23rd ACM Conference on Computer andCommunications Security CCS 2016 pp 1092ndash1105 AustriaOctober 2016

[17] X Dai and Z Gao ldquoFrom model signal to knowledge Adata-driven perspective of fault detection and diagnosisrdquo IEEETransactions on Industrial Informatics vol 9 no 4 pp 2226ndash2238 2013

[18] Z Yu and W Chin ldquoBlind false data injection attack using pcaapproximation method in smart gridrdquo IEEE Transactions onSmart Grid vol 6 no 3 pp 1219ndash1226 2015

[19] A Anwar and A N Mahmood ldquoStealthy and blind falseinjection attacks on SCADA EMS in the presence of grosserrorsrdquo inProceedings of the 2016 IEEE Power and Energy SocietyGeneral Meeting PESGM 2016 USA July 2016

[20] A Anwar A N Mahmood and M Pickering ldquoModeling andperformance evaluation of stealthy false data injection attackson smart grid in the presence of corrupted measurementsrdquoJournal of Computer and System Sciences vol 83 no 1 pp 58ndash72 2017

[21] Y Yuan and Y Mo ldquoSecurity in cyber-physical systems Con-troller design against Known-Plaintext Attackrdquo in Proceedingsof the 54th IEEE Conference on Decision and Control CDC 2015pp 5814ndash5819 Japan December 2015

[22] J Kim L Tong and R J Thomas ldquoSubspace methods fordata attack on state estimation a data driven approachrdquo IEEETransactions on Signal Processing vol 63 no 5 pp 1102ndash11142015

[23] X Lu W Zou and M Huang ldquoA novel spatiotemporal LS-SVM method for complex distributed parameter systems withapplications to curing thermal processrdquo IEEE Transactions onIndustrial Informatics vol 12 no 3 pp 1156ndash1165 2016

[24] J A K Suykens and J Vandewalle ldquoLeast squares supportvector machine classifiersrdquo Neural Processing Letters vol 9 no3 pp 293ndash300 1999

[25] F Kaytez M C Taplamacioglu E Cam and F HardalacldquoForecasting electricity consumption a comparison of regres-sion analysis neural networks and least squares support vectormachinesrdquo International Journal of Electrical Power amp EnergySystems vol 67 pp 431ndash438 2015

[26] H C Jung J S Kim andHHeo ldquoPrediction of building energyconsumption using an improved real coded genetic algorithmbased least squares support vector machine approachrdquo Energyand Buildings vol 90 pp 76ndash84 2015

[27] M K Goyal B Bharti J Quilty J Adamowski and A PandeyldquoModeling of daily pan evaporation in sub tropical climatesusing ANN LS-SVR fuzzy logic and ANFISrdquo Expert Systemswith Applications vol 41 no 11 pp 5267ndash5276 2014

[28] A Teixeira I Shames H Sandberg and K H JohanssonldquoRevealing stealthy attacks in control systemsrdquo in Proceedings ofthe 2012 50th Annual Allerton Conference on CommunicationControl and Computing Allerton 2012 pp 1806ndash1813 USAOctober 2012

[29] G Wu and J Sun ldquoOptimal data integrity attack on actuatorsin Cyber-Physical Systemsrdquo in Proceedings of the 2016 Amer-ican Control Conference American Automatic Control Council(AACC) (ACC rsquo16) pp 1160ndash1164 USA July 2016

[30] C Staelin ldquoParameter selection for support vector machinesrdquoHewlett-Packard Company 2003 Tech Rep HPL-2002-354R1

[31] N FThornhill S C Patwardhan and S L Shah ldquoA continuousstirred tank heater simulationmodel with applicationsrdquo Journalof Process Control vol 18 no 3-4 pp 347ndash360 2008

[32] L Koepcke G Ashida and J Kretzberg ldquoSingle and multiplechange point detection in spike trains Comparison of differentCUSUM methodsrdquo Frontiers in Systems Neuroscience vol 10article no 51 2016

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 13: A Novel Covert Agent for Stealthy Attacks on Industrial ...downloads.hindawi.com/journals/jece/2018/7204939.pdf · Introduction Industrial control systems (ICSs) are widely deployed

Journal of Electrical and Computer Engineering 13

CUSUM

u1

u2

0

01

02

03

04

05

06

07

08

09

1

Cum

ulat

ive d

istrib

utio

n

Empirical CDF

u1

u2

0

20

40

60

80

100N

umbe

r of s

imul

atio

ns

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

20 40 60 80 100 120 140 160 180 2000Stealthy time (s)

Figure 11 Statistical results of the replay attack experiments

window For future work the proposed covert agent can befurther extended to a two-loop covert structure in which anattack agent can be added In addition it is also interestingto investigate the detecting methods of the LSSVR-basedattacks

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is supported by the National Key Researchand Development Program (no 2016 YFB1001404) and theNational Natural Science Foundation of China (NormalProjects no 61672093 and no 61432004)

References

[1] C. Zhou, S. Huang, N. Xiong et al., “Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45, no. 10, pp. 1345–1360, 2015.

[2] T. Cruz, L. Rosa, J. Proenca et al., “A cybersecurity detection framework for supervisory control and data acquisition systems,” IEEE Transactions on Industrial Informatics, vol. 12, no. 6, pp. 2236–2246, 2016.

[3] S. McLaughlin, C. Konstantinou, X. Wang et al., “The Cybersecurity Landscape in Industrial Control Systems,” Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, 2016.

[4] M. Cheminod, L. Durante, and A. Valenzano, “Review of security issues in industrial networks,” IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 277–293, 2013.

[5] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, “False data injection on state estimation in power systems—attacks, impacts, and defense: a survey,” IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2017.

[6] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, “Secure control systems: a quantitative risk management approach,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 24–45, 2015.

[7] C. Kwon, W. Liu, and I. Hwang, “Security analysis for Cyber-Physical Systems against stealthy deception attacks,” in Proceedings of the 2013 1st American Control Conference, ACC 2013, pp. 3344–3349, USA, June 2013.

[8] Z.-H. Pang, G.-P. Liu, D. Zhou, F. Hou, and D. Sun, “Two-channel false data injection attacks against output tracking control of networked systems,” IEEE Transactions on Industrial Electronics, vol. 63, no. 5, pp. 3242–3251, 2016.

[9] A. Teixeira, H. Sandberg, and K. H. Johansson, “Strategic stealthy attacks: The output-to-output l2-gain,” in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 2582–2587, Japan, December 2015.

[10] H. Sedghi and E. Jonckheere, “Statistical structure learning to ensure data integrity in smart grid,” IEEE Transactions on Smart Grid, vol. 6, no. 4, pp. 1924–1933, 2015.

[11] K. Manandhar, X. Cao, F. Hu, and Y. Liu, “Detection of faults and attacks including false data injection attack in smart grid using Kalman filter,” IEEE Transactions on Control of Network Systems, vol. 1, no. 4, pp. 370–379, 2014.

[12] A. Dutta and C. Langbort, “Stealthy output injection attacks on control systems with bounded variables,” International Journal of Control, vol. 90, no. 7, pp. 1389–1402, 2017.

[13] R. S. Smith, “Covert misappropriation of networked control systems: presenting a feedback structure,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 82–92, 2015.

[14] A. A. Cardenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, “Attacks against process control systems: risk assessment, detection, and response,” in Proceedings of the 6th International Symposium on Information, Computer and Communications Security (ASIACCS ’11), pp. 355–366, Hong Kong, March 2011.

[15] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “A secure control framework for resource-limited adversaries,” Automatica, vol. 51, pp. 135–148, 2015.

[16] D. I. Urbina, J. Giraldo, A. A. Cardenas et al., “Limiting the impact of stealthy attacks on Industrial Control Systems,” in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1092–1105, Austria, October 2016.

[17] X. Dai and Z. Gao, “From model, signal to knowledge: A data-driven perspective of fault detection and diagnosis,” IEEE Transactions on Industrial Informatics, vol. 9, no. 4, pp. 2226–2238, 2013.

[18] Z. Yu and W. Chin, “Blind false data injection attack using pca approximation method in smart grid,” IEEE Transactions on Smart Grid, vol. 6, no. 3, pp. 1219–1226, 2015.

[19] A. Anwar and A. N. Mahmood, “Stealthy and blind false injection attacks on SCADA EMS in the presence of gross errors,” in Proceedings of the 2016 IEEE Power and Energy Society General Meeting, PESGM 2016, USA, July 2016.

[20] A. Anwar, A. N. Mahmood, and M. Pickering, “Modeling and performance evaluation of stealthy false data injection attacks on smart grid in the presence of corrupted measurements,” Journal of Computer and System Sciences, vol. 83, no. 1, pp. 58–72, 2017.

[21] Y. Yuan and Y. Mo, “Security in cyber-physical systems: Controller design against Known-Plaintext Attack,” in Proceedings of the 54th IEEE Conference on Decision and Control, CDC 2015, pp. 5814–5819, Japan, December 2015.

[22] J. Kim, L. Tong, and R. J. Thomas, “Subspace methods for data attack on state estimation: a data driven approach,” IEEE Transactions on Signal Processing, vol. 63, no. 5, pp. 1102–1114, 2015.

[23] X. Lu, W. Zou, and M. Huang, “A novel spatiotemporal LS-SVM method for complex distributed parameter systems with applications to curing thermal process,” IEEE Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1156–1165, 2016.

[24] J. A. K. Suykens and J. Vandewalle, “Least squares support vector machine classifiers,” Neural Processing Letters, vol. 9, no. 3, pp. 293–300, 1999.

[25] F. Kaytez, M. C. Taplamacioglu, E. Cam, and F. Hardalac, “Forecasting electricity consumption: a comparison of regression analysis, neural networks and least squares support vector machines,” International Journal of Electrical Power & Energy Systems, vol. 67, pp. 431–438, 2015.

[26] H. C. Jung, J. S. Kim, and H. Heo, “Prediction of building energy consumption using an improved real coded genetic algorithm based least squares support vector machine approach,” Energy and Buildings, vol. 90, pp. 76–84, 2015.

[27] M. K. Goyal, B. Bharti, J. Quilty, J. Adamowski, and A. Pandey, “Modeling of daily pan evaporation in sub tropical climates using ANN, LS-SVR, fuzzy logic, and ANFIS,” Expert Systems with Applications, vol. 41, no. 11, pp. 5267–5276, 2014.

[28] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “Revealing stealthy attacks in control systems,” in Proceedings of the 2012 50th Annual Allerton Conference on Communication, Control, and Computing, Allerton 2012, pp. 1806–1813, USA, October 2012.

[29] G. Wu and J. Sun, “Optimal data integrity attack on actuators in Cyber-Physical Systems,” in Proceedings of the 2016 American Control Conference, American Automatic Control Council (AACC) (ACC ’16), pp. 1160–1164, USA, July 2016.

[30] C. Staelin, “Parameter selection for support vector machines,” Hewlett-Packard Company, 2003, Tech. Rep. HPL-2002-354R1.

[31] N. F. Thornhill, S. C. Patwardhan, and S. L. Shah, “A continuous stirred tank heater simulation model with applications,” Journal of Process Control, vol. 18, no. 3-4, pp. 347–360, 2008.

[32] L. Koepcke, G. Ashida, and J. Kretzberg, “Single and multiple change point detection in spike trains: Comparison of different CUSUM methods,” Frontiers in Systems Neuroscience, vol. 10, article no. 51, 2016.
