Structural Resilience of CyberphysicalSystems Under Attack
Bhaskar Ramasubramanian1, M.A. Rajan2, M. Girish Chandra 2
1Department of Electrical and Computer Engineering, and Institute for Systems Research,University of Maryland, College Park, MD 20742, USA.
2Innovation Labs, Tata Consultancy Services, Bangalore 560066. India.
1 / 13
Cyberphysical Systems
Working of physical system intimately linked to functioning ofcomputers that influence interactions among subsystems.Often controlled over a network⇒ computational resources andbandwidth affect their working.Consequence: system can be remotely attacked.
(a) (b) (c)
Figure: Examples of CPSs
2 / 13
Structural Resilience: Motivation
Structural Approach: Motivation
Large scale CPS: many states, variables’ values fluctuate⇒computational analysis costly.Structural approach: knowledge of only positions of zero/nonzero entries of system matrices.Properties will hold for almost all valid numerical realizations.
Prior WorkAttacks on LTI systems in terms of controllability of a modifiedsystem [Barreto(2013)].Structural design of large scale systems [Pequito(2015)].Minimal structural controllability, minimal cost constrainedstructural controllability [Pequito(2014), Pequito(2015)].
3 / 13
Structural Resilience: Motivation
Structural Approach: Motivation
Large scale CPS: many states, variables’ values fluctuate⇒computational analysis costly.Structural approach: knowledge of only positions of zero/nonzero entries of system matrices.Properties will hold for almost all valid numerical realizations.
Prior WorkAttacks on LTI systems in terms of controllability of a modifiedsystem [Barreto(2013)].Structural design of large scale systems [Pequito(2015)].Minimal structural controllability, minimal cost constrainedstructural controllability [Pequito(2014), Pequito(2015)].
3 / 13
Structured Linear Systems
Consider the linear structured system:
x(t) = [A]x(t) + [B]u(t)
Structural framework: every entry in [A] and [B] is either a fixedzero or a free parameter.
Structural Controllability
([A], [B]) is structurally controllable if there exists an admissiblenumerical realization (A,B) that is controllable.If ([A], [B]) is structurally controllable, then almost every admissiblenumerical realization will be controllable. The structured system isthen said to be generically controllable.
4 / 13
Structured Systems and Graph Theory
Directed Graph Representation
D = (V, E), where V = U ∪ X and E = EA ∪ EB, whereEA = {(xj , xi)|[A]ij 6= 0}, EB = {(uj , xi)|[B]ij 6= 0}.
Bipartite Graph Representation
For any V1,V2, a bipartite graph B(V1,V2, EV1,V2) is a digraph withvertex set V1 ∪ V2 and edge set EV1,V2 ⊂ {(v1, v2)|v1 ∈ V1, v2 ∈ V2}.
Matching: an independent edge set.Maximum Matching: matching with largest number of edges.B(V,V, E): bipartite graph associated with D(V, E).
5 / 13
Preliminaries
Strongly Connected Component (SCC) : maximal stronglyconnected subgraph.Non Top-Linked SCC : SCC with no incoming edge.Top Assignable SCC : non top-linked SCC containing at leastone right unmatched vertex in a maximum matching.
Assumem : # right unmatched vertices in a maximum matching.α : maximum top assignability index.β : # non top-linked SCCs.
Theorem [Liu(2011), Pequito(2015)]
The minimum number of inputs required to make the systemstructurally controllable is one, if m = 0, and m, otherwise.The minimum number of links between input and state needed toachieve structural controllability is p = m + β − α.
6 / 13
Preliminaries
Strongly Connected Component (SCC) : maximal stronglyconnected subgraph.Non Top-Linked SCC : SCC with no incoming edge.Top Assignable SCC : non top-linked SCC containing at leastone right unmatched vertex in a maximum matching.Assume
m : # right unmatched vertices in a maximum matching.α : maximum top assignability index.β : # non top-linked SCCs.
Theorem [Liu(2011), Pequito(2015)]
The minimum number of inputs required to make the systemstructurally controllable is one, if m = 0, and m, otherwise.The minimum number of links between input and state needed toachieve structural controllability is p = m + β − α.
6 / 13
Structural Resilience
Let u =(
uTdef uT
att
)T
CPS modeled as a linear structured system:
x(t) = [A]x(t) + [Bdef ]udef (t) + [Batt ]uatt(t)
ASSUME: set of attacked nodes remains unchanged with time.
Structural Resilience
Given the structured system with ([A], [B]) structurally controllablebefore an attack, characterize the system’s structural resilience todenial of service (DoS) attacks and integrity attacks.
7 / 13
DoS Attack Resilience
DoS attack⇒ uatt = 0, udef arbitrary; ≡ [Batt ] = 0.Xdef , Xatt : (disjoint) sets of state vertices accessible to thedefender and attacker inputs.ASSUME: number of right unmatched vertices, m, in a maximummatching of B([A]) is nonzero.mdef , matt : number of right unmatched vertices in B([A])corresponding to Xdef and Xatt (thus, mdef + matt = m).l(P → Q): set of links from P to Q.The system model is:
x(t) = [A]x(t) + [Bdef ]udef (t)
8 / 13
DoS Attack Resilience
Lemma: DoS Attack Success
A DoS attack is structurally successful if |Udef | < mdef , and:1 |Udef ∪ Uatt | ≥ m + β − α. OR2 |Udef ∪ Uatt | ≥ m and |l((Udef ∪ Uatt)→ X )| ≥ m + β − α.
Lemma
If |Udef | ≥ mdef , a DoS attack is structurally successful if:1 There exists an unreachable state from the vertices of Udef . OR2 There does not exist a disjoint union of Udef rooted path families
and cycle families covering all the states. OR3 |l(Udef → X )| < mdef + β − α. OR4 Every maximum matching of B([A]) has a right unmatched vertex
in Xatt . OR5 There is a non top linked SCC in D([A]) comprising exclusively
vertices from Xatt .
9 / 13
DoS Attack Resilience
Lemma: DoS Attack Success
A DoS attack is structurally successful if |Udef | < mdef , and:1 |Udef ∪ Uatt | ≥ m + β − α. OR2 |Udef ∪ Uatt | ≥ m and |l((Udef ∪ Uatt)→ X )| ≥ m + β − α.
Lemma
If |Udef | ≥ mdef , a DoS attack is structurally successful if:1 There exists an unreachable state from the vertices of Udef . OR2 There does not exist a disjoint union of Udef rooted path families
and cycle families covering all the states. OR3 |l(Udef → X )| < mdef + β − α. OR4 Every maximum matching of B([A]) has a right unmatched vertex
in Xatt . OR5 There is a non top linked SCC in D([A]) comprising exclusively
vertices from Xatt .
9 / 13
Examples
Let states x1, . . . , x6 be accessible to Udef and x7, . . . , x10 to Uatt .
x1
x2x3
x4
x5x6
x8
x7
x10x9
(a)
x1
x2x3
x4
x5x6
x8
x7
x10x9
(b)
x1
x2x3
x4
x5x6
x8
x7
x10x9
(c)
Figure: Structural Resilience to DoS Attack
10 / 13
State Feedback Integrity Attack Resilience
Only control signals corresponding to attacker maintain theirintegrity; defender controls are arbitrary.Here, uatt(t) = Kattx(t); udef is arbitrary.mA, mAatt : number of right unmatched vertices in a maximummatching of B([A)] and B([Aatt ]) respectively.
The system model is:
x(t) = ([A] + [Batt ][Katt ])x(t) + [Bdef ]udef (t) = [Aatt ]x(t) + [Bdef ]udef (t)
Theorem
If the system is structurally resilient to a DoS attack for some [Bdef ]with zero structure Z(Bdef ), then there exists a [B′
def ] withZ(B′
def ) ⊆ Z(Bdef ) for which it will also be structurally resilient to astate feedback integrity attack.Further, if mAatt + βAatt − αAatt ≤ mA + βA − αA for some choice of [Bdef ]corresponding to the DoS case, then the same [Bdef ] will ensurestructural resilience to a state feedback integrity attack.
11 / 13
Conclusion
Formulated a structural approach to study resilience of CPSs toattacks.Attack success interpreted in terms of digraph and bipartitegraph representations of system structure.Results independent of numerical realizations of systemparameters.Future Directions:
Cost of controllability.Robustness to worst attack with least cost.Extension to distributed systems.
12 / 13
Thank You.Questions?
13 / 13