ieee transactions on control systems ...ireless networked control systems (wncss), in which physical...

This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY 1

Optimal DoS Attack Scheduling in WirelessNetworked Control System

Heng Zhang, Peng Cheng, Member, IEEE, Ling Shi, Member, IEEE,and Jiming Chen, Senior Member, IEEE

Abstract— Recently, many literature works have considered thesecurity issues of wireless networked control system (WNCS).However, few works studied how the attacker should optimizeits attack schedule in order to maximize the effect on thesystem performance due to the insufficiency of energy at theattacker side. This paper fills this gap from the aspect ofcontrol system performance. We consider the optimal jammingattack that maximizes the Linear Quadratic Gaussian (LQG)control cost function under energy constraint. After analyzingthe properties of the cost function under an arbitrary attackschedule, we derive the optimal jamming attack schedule and thecorresponding cost function. System stability under this optimalattack schedule is also considered. We further investigate theoptimal attack schedule in a WNCS with multiple subsystems.Different examples are provided to demonstrate the effectivenessof the proposed optimal denial-of-service attack schedule.

Index Terms— Attack scheduling, Denial-of-Service (DoS)attack, energy constraint, Linear Quadratic Gaussian (LQG)control, system stability.

I. INTRODUCTION

W IRELESS networked control systems (WNCSs),in which physical elements (plants, sensors,

controllers, and actuators) communicate via wireless networks,have received increasing research interests [1]–[4]. WNCSshave a wide spectrum of applications in mobile sensornetworks, remote surgery, intelligent transportation, unmannedaerial vehicles, mobile robots, and so on. Security issues inWNCSs have been investigated from different viewpoints in

Manuscript received January 26, 2015; revised May 18, 2015; acceptedJuly 8, 2015. Manuscript received in final form July 19, 2015. This workwas supported in part by the National Natural Science Foundation of Chinaunder Grant U1401253 and Grant 61429301, in part by the National Programfor Special Support of Top Notch Young Professionals, and in part bythe Fundamental Research Funds for the Central Universities underGrant 2014XZZX001-03. The work of L. Shi was supported byThe Hong Kong University of Science and Technology Caltech Partnershipunder Grant FP004. The work of H. Zhang was supported by the UniversityScience Research General Project of Jiangsu Province underGrant 15KJB510002. Recommended by Associate Editor Y. Shi.(Corresponding author: Jiming Chen.)

H. Zhang is with the State Key Laboratory of Industrial ControlTechnology, Cyber Innovation Joint Research Center, Zhejiang University,Hangzhou 310027, China, and also with the Huaihai Institute of Technology,Lianyungang 222000, China (e-mail: [email protected]).

P. Cheng, and J. Chen are with the State Key Laboratory ofIndustrial Control Technology, Cyber Innovation Joint ResearchCenter, Zhejiang University, Hangzhou 310027, China (e-mail:[email protected]; [email protected]).

L. Shi is with the Department of Electronic and Computer Engineering,The Hong Kong University of Science and Technology, Hong Kong (e-mail:[email protected]).

Color versions of one or more of the figures in this paper are availableonline at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TCST.2015.2462741

recent years due to the increasing amount of cyber attacksthat make WNCSs more and more vulnerable [5]–[9].

Various efforts have been devoted to studying the influenceof specific malicious attacks, e.g., Denial-of-Service (DoS)attacks [10], replay attacks [11], and data injection attacks [7],on particular systems. Thereinto, the DoS attack, which aimsto prevent the communication between system components,has been widely studied since this attack pattern is themost accomplishable one and can result in serious conseque-nces [10], [12], [13]. A typical DoS technique in WNCS isjamming attack, which can interfere with the radio frequencieson the communication channels [14].

Recently, researchers have studied the LQG problems underDoS attack [10], [15], [16]. A semidefinite programming-basedsolution was presented in [10] to find an optimal feedbackcontroller that minimizes a cost function subject to safety andenergy constraints in the presence of an attack with identicalindependent distributed actions. In [15], the optimal controllaw is designed against an intelligent jammer with limitedactions. In [16], an event-trigger control strategy is derivedin the presence of an energy-constrained periodic jammingattacker. The common characteristic of these related worksis that they aim to find optimal defensive control law. Ourwork, however, is from the viewpoint of the attacker,i.e., we look for the optimal attack strategies to maximizethe LQG cost function. This is equally important as one candesign an effective defensive control law only when he knowshow the attacker behaves.

In almost all types of attacks, energy constraint isinherent and will affect an attacker’s strategies [17]–[19].Kashyap et al. [17] studied a zero-sum game on Multiple InputMultiple Output (MIMO) Gaussian Rayleigh fading channelsbetween an intelligent DoS jammer and a decoder with bilat-eral power constraints. Li et al. [18] investigated the optimaljamming attack strategies by controlling the probability ofjamming and transmission range. Zuba et al. [19] studiedthe effect of jamming attack on underwater wireless sensornetworks and investigated the minimal energy consumptionand the probability of detection in order to launch an effectiveDoS jamming attack.

In this paper, we aim to design an optimal attack scheduleto maximize the attacking effect on the WNCS. Specifically,we first consider a system where one sensor measures thesystem state and sends the data packets to a remote estimatorthrough a wireless channel. The attacker has a limited energybudget in every active period and decides at each samplingtime whether or not to jam the channel. Then, we extend itto the scenario with multiple subsystems. In this scenario, the

1063-6536 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.


2 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY

DoS attacker has to make the attack decision, i.e., when toattack and which channel to be chosen. The main contributionsof this paper, which distinguish from the related literatures, aresummarized as follows.

1) We formulate a novel DoS attack problem and seek theoptimal attack schedule that maximizes the LQG controlcost function with an energy constraint.

2) We obtain the analytical expression of LQG cost func-tion under an arbitrary attack schedule.

3) We provide the optimal attack schedule and analyze thesystem stability under this schedule.

4) We study the optimal attack schedule in a networkedcontrol system with multiple subsystems.

The remainder of this paper is organized as follows.In Section II, we present the system model and problemformulation. In Section III, we introduce some basic propertiesof system performance under an arbitrary attack schedule.In Section IV, we construct optimal DoS jamming attackschedules that maximize the cost function and analyze thesystem stability. In Section V, we study the optimal attackschedule in a networked control system with multiple sub-systems. In Section VI, numerical examples are shown todemonstrate the effectiveness of the proposed optimal attackschedule. Finally, Section VII concludes this paper.

Notations: Rn stands for the n-dimensional Euclidean space.

N is a positive integer set. (·)′ stands for the transposition of amatrix. Tr(·) is the trace of a square matrix. Pr{·} stands for theprobability of a random event. E(·) stands for the mathematicalexpectation of a random variable, and E(·|·) stands for theconditional mathematical expectation. Var(·) stands for thevariance of a random variable. �x� stands for the floor functionof x , i.e., the integer part of x .

II. PROBLEM FORMULATION

A. System Model

Consider the following discrete linear system:xk+1 = Axk + Buk + wk, (1)

where xk ∈ Rnx is the state vector at time k, x0 is the initial

state vector, uk ∈ Rmx is the control input vector at time k,

and wk ∈ Rnx is the zero-mean Gaussian with covariance

Cov(wi , w j ) = δi j �w.1 We assume that the pairs (A, B) and(A,�

1/2w ) are stabilizable [20].

The sensor measures the state xk and sends it to the remotecontroller via a wireless channel (see Fig. 1). The controllerhas a built-in estimator to estimate the state in case the packetis lost. The controller then generates a control packet uk basedon all the received sensor measurements and historical controlcommands and sends uk to the actuator through a reliablechannel [21], [22].

We introduce θk = 1/0 as the indicator function whether thedata packet xk is received or not by the controller at time k.Let Ik be the data set {θ1x1, θ2x2, . . . , θk xk, u1, u2, . . . , uk−1}.

1δi j is the Kronecker delta function, i.e., δi j = 1, if i = j , and δi j = 0otherwise.

Fig. 1. System architecture.

We define xk as the controller’s minimum mean squareerror (MMSE) estimate of xk at time k, i.e.,

xk = E[xk |Ik], (2)

where Ik denotes the controller’s data at time k.The corresponding error covariance is

Pk = E[(xk − xk)(xk − xk)′|Ik]. (3)

It is straightforward to obtain [22]

xk ={

xk, if θk = 1,

Axk−1 + Buk−1, otherwise.(4)

We consider a linear static feedback controller of the formuk = Lxk , which is designed to minimize the followinginfinite-horizon LQG cost function [7], [22], [23]:

J = limN→∞

1

N

N∑k=1

E[x ′k Qxk + u′

k Ruk ],

where Q ≥ 0 and R > 0 are two weighting matrices and theexpectation is taken over {wk}. We will give the explicit formof L in Section III. We assume that the controller does notknow the existence of the attacker.

B. Attack Model

It has been summarized that there are three types of attacksin an LQG control system, i.e., integrity attacks, DoS attacks,and direct physical attacks to the process (see [10, Fig. 1]).In this paper, we consider the case that the attacker performsDoS attack with the objective of increasing the cost function Jas much as possible subject to an energy constraint. We assumethat the attacker can attack only the communicationchannel n times in a given active period TON. After this period,he has to stop his attack actions and shift to an inactive periodTOFF to replenish the energy in order for the following attackperiod.

Let γ (m) = (γm,1, γm,2, . . . , γm,T ) be the attack schedulein the m-th period, where γm,t , t = 1, 2, . . . , TON is the attackdecision variable in active time, i.e., γm,t = 1 if he jams thetransmission channel at time t of the m-th active period, andγm,t = 0 otherwise, and γm,t = 0 for inactive time i = TON + 1,TON + 2, . . . , T with T = TON + TOFF. The consequence ofattacking action γm,t = 1 is

θ(γm,t ) ={

1, with probability 1 − α,

0, with probability α.(5)

If he does not take action at time t , i.e., γm,t = 0, the data fromthe sensor can be received by the controller, i.e., θ(γm,t ) = 1.


ZHANG et al.: OPTIMAL DoS ATTACK SCHEDULING IN WNCS 3

From the attacker’s viewpoint, it is of interest to designthe optimal attack schedule that maximizes the expected costfunction.

Problem 2.1:

maxγ∈�

E[J (γ)] (6)

s.t.T∑

t=1

γm,t ≤ n, ∀m ∈ N, (7)

where γ = [γ (m)]∞m=1 is the attack schedule on the infinitetime horizon [1,∞) and � = {γ |γm,t ∈ {0, 1},∀m ∈ N,t ∈ {1, 2, . . . , TON}} is the attack schedule space.

III. PRELIMINARIES

Before investigating the optimal attack schedule, we intro-duce some preliminary results.

Lemma 3.1 [7], [22]: The optimal static feedback controlleris given by

uk = −(B ′SB + R)−1 B ′S Axk,

where S is the unique solution to the following [24]:S = A′S A + Q − A′SB(B ′SB + R)−1 B ′S A,

and the minimal cost is

J ∗ = Jc + Je,

where

Jc = Tr[S�w], (8)

Je = limN→∞

1

N

N∑k=1

Tr[M Pk] (9)

with M = A′SB(B ′SB + R)−1 B ′S A.2

Now, we present some properties of system performanceunder a given DoS attack schedule.

Lemma 3.2: Let f (P) = Tr(M P), where P is an nx × nx

positive definite symmetric matrix. If positive definite sym-metric matrices P1 and P2 are nx × nx and satisfy P1 ≥ P2,we have f (P1) ≥ f (P2).

Proof: See the Appendix.Remark 3.1: Note that Jc is the fixed part of J and Je is

the variable part that is affected by an attack schedule γ.Thus, we need only to find an optimal attack schedule tomaximize E[Je(γ )]. From Lemma 3.2, maximizing E[Je(γ)]is equivalent to maximize

limN→∞

1

N

N∑k=1

E[Pk(γ )].

Thus, we have to investigate E[Pk] under an arbitrary attackschedule γ .

From (3) and (4), one can see that

Pk+1 =

⎧⎪⎨⎪⎩

�w, if θk+1 = 0, Pk = 0,

APk A′ + �w, if θk+1 = 0, Pk �= 0,

0, otherwise.

2It can be seen that M is a positive semidefinite matrix.

Then, we have

E[Pk+1|Pk = 0] ={

α�w, if γk+1 = 1,

0, otherwise,

and

E[Pk+1|Pk �= 0] ={

α(APk A′ + �w), if γk+1 = 1,

0, otherwise.

The following lemma shows how the consecutive attackactions affect the error covariance.

Lemma 3.3: For a given consecutive attack time interval[s + 1, s + t], i.e., γs = 0, γs+1 = γs+2 = · · · = γs+t = 1,γs+t+1 = 0, we have

E[Ps+ j ] =j−1∑i=0

(αi − αi+1)Hi + α j H j , (10)

where Hi = ∑i−1l=0(Al)�w(Al)′ and j = 1, 2, . . . , t .

Proof: See the Appendix.From Lemma 3.3, for the given consecutive attack time

interval [s+1, s+t], E[Ps+ j ], j = 1, 2, . . . , t , does not dependon s. Thus, we denote �α(t) by the sum of expected errorcovariance with any t times consecutive attack in the givenactive attack period [s + 1, s + t]. Using the same method, anyattack strategy with consecutive attack sequence t1, t2, . . . , tsin a given period will lead to the same sum of expectederror covariance. Then, we denote �α(t1 ⊕ t2 ⊕ · · · ⊕ ts)by the sum of expected error covariance with consecu-tive attack sequence t1, t2, . . . , ts in the given attack period(Fig. 2). Note that t1, t2, . . . , ts satisfy commutative law in�α(t1 ⊕ t2 ⊕ · · · ⊕ ts).

In fact

�α(t) =t∑

j=1

E[Ps+ j ]

=t∑

j=1

[ j−1∑i=0

(αi − αi+1)Hi + α j H j

]

=t∑

i=0

[(t − i + 1)αi − (t − i)αi+1

]Hi ,

and

�α(t1 ⊕ t2 ⊕ · · · ⊕ ts) =s∑

i=1

ti∑ji=1

E[Psi+ ji ] =s∑

i=1

�α(ti ).

Lemma 3.4: The following statements are true.1) �α(t1) ≤ �α(t2), where t1 ≤ t2.2) �α(t1 ⊕ t2) ≤ �α(t), where t = t1 + t2.3) �α(t1⊕t2 ⊕· · ·⊕ts) ≤ �α(t), where t = t1+t2+· · ·+ts .4) �α(t1 ⊕ t2) ≤ �α(t3 ⊕ t4), where t1 + t2 = t3 + t4 and

max{t1, t2, t3, t4} is t3 or t4.Proof: See the Appendix.

Remark 3.2: From Lemma 3.4, one can see that more attacktimes (more energy) used in any given period lead to higher



Fig. 2. Schematic of the attacker’s schedule with consecutive attacksequences t1, t2, . . . , ts in the same active period.

cost function. Thus, constraint (7) in Problem 2.1 can bereplaced by

T∑t=1

γm,t = n, ∀m ∈ N. (11)

IV. OPTIMAL ATTACK SCHEDULE ANALYSIS

In this section, we first present the optimal attack schedulefor Problem 2.1, and then analyze the system stability underthe proposed attack schedule.

A. Optimal Attack Schedule

Theorem 4.1: The optimal attack schedule γ ∗ forProblem 2.1 is any n times consecutive attack at active periods,and the expected corresponding cost function can be calculatedas follows:

E[J (γ ∗)] = Jc + 1

TTr[M�α(n)]. (12)

Proof: From Lemma 3.4, one can obtain that any n timesconsecutive attack at active periods is an optimal attackschedule.

Let N = qT + m with q, m ∈ N, and 0 ≤ m < T . Then

1

(q + 1)T<

1

N≤ 1

qT.

If 0 ≤ m ≤ n, we have

N∑k=1

E[Pk ] = qT�α(n).

If n < m < T , we have

N∑k=1

E[Pk] = (qT + 1)�α(n).

Then, it can be seen that

1

(q + 1)T

N∑k=1

E[Pk] <1

N

N∑k=1

E[Pk ] ≤ 1

qT

N∑k=1

E[Pk].

Taking the limit N → ∞ to this inequality, we can obtain

limN→∞

1

N

N∑k=1

E[Pk] = 1

T[�α(n)]

which finishes the proof.Example 4.1: Consider Problem 2.1 with TON = 5, n = 3,

and TOFF = 5. From Theorem 4.1, it can be seen that in any

active period, the attack schedules (1, 1, 1, 0, 0), (0, 1, 1, 1, 0),and (0, 0, 1, 1, 1) are optimal. The corresponding resulton J can be calculated as

E[J (γ ∗)] = Jc + 1

10Tr[M�α(3)].

Remark 4.1: From Theorem 4.1, under an optimal attackschedule, the jamming instances are grouped together and thisschedule does not depend on system parameters.

B. Stability Analysis Under Optimal Attack Schedule

Stability is critical in an LQG system. Before presentingresults on stability of system (1) under an optimal attackschedule, we give the definition of system stability formallyas follows.

Definition 4.1 [20], [25]: System (1) is stable if thecovariance of the system state is bounded, i.e., Var(xk) ≤ C∗,where C∗ is a constant matrix.

Theorem 4.2: Consider system (1) under an optimal attackschedule γ ∗. When TOFF > 0, the system is stable in the senseof bounded covariance.

Proof: From Definition 4.1, one can see that

Var(xk) = E[E((xk − E(xk))(xk − E(xk))′|Ik)]

= E[E((xk − xk)(xk − xk)′|Ik)] = E[Pk ].

Since TOFF > 0, from (10), we have

Var(xk) ≤n−1∑i=0

(αi − αi+1)Hi + αn Hn = C∗,

i.e., the covariance of state is bounded for a given n.Remark 4.2: Theorem 4.2 shows that the optimal DoS

attack cannot change the system stability if TOFF > 0.If TOFF = 0, the attacker has unlimited energy, and he canalways attack the wireless channel. Thus, θk, k = 1, 2, . . .become independent identically distributed Bernoulli randomvariable sequence with E(θk) = 1 − α. Similar to [26], thesystem is stable if and only if α < 1 − γc, where γc =infγ {γ |X = A′X A + �w − γ A′X B(B ′X B + R)−1 B ′X A}.

V. MULTIPLE-SUBSYSTEM CASE STUDY

In this section, we aim to optimize the attack schedulein a networked control system with multiple subsystems(see Fig. 3) [27], [28]. We assume that the attacker launchesmultichannel switch jamming in wireless networks. For exam-ple, DoS attacker can switch his jamming signals betweentarget channels on 802.11 networks [29]. In our problem, theattacker has to make the attack decision, i.e., when to attackand which channel to be chosen.

A. WNCS Model With Multiple Subsystems

Similar to (1), we assume that the evolution of plants is asfollows:

xi,k+1 = Ai xi,k + Bi ui,k + wi,k , i = 1, 2, . . . , r, (13)

where xi,k ∈ Rnx is the state vector of plant i at time k,

ui,k ∈ Rmx is the control input vector of plant i at time k,

wi,k ∈ Rnx is the zero-mean Gaussian with covariance



Fig. 3. Networked control system architecture with r subsystems. Theattacker can jam one of the r channels during a time slot.

Cov(wi,k , wi,t ) = δkt�wi , and Cov(w1,k, w2,t ) = 0.We assume that the pairs (Ai , Bi ) and (Ai ,�

1/2wi ) are

stabilizable.Let xi,k and Pi,k be the MMSE estimates of xi,k and

corresponding error covariance, respectively. They can beeasily obtained from (2)–(4), respectively. The cost functionsof these subsystems are

Ji = limN→∞

1

N

N∑k=1

E[x ′i,k Qi xi,k + u′

i,k Ri ui,k ], i = 1, 2, . . . , r.

From Lemma 3.1, we can obtain the optimal controller ofsystem i as

ui,k = −(B ′i Si Bi + Ri )

−1 B ′i Si Ai xi,k ,

where Si is the unique solution to the following equation:Si = A′

i Si Ai + Qi − A′i Si Bi (B ′

i Si Bi + Ri )−1 B ′

i Si Ai ,

and the minimal cost is

J ∗i = Ji,c + Ji,e, i = 1, 2, . . . , r, (14)

where

Ji,c = Tr[Si�wi ],

Ji,e = limN→∞

1

N

N∑k=1

Tr[Mi Pi,k ]

with Mi = A′i Si Bi (B ′

i Si Bi + Ri )−1 B ′

i Si Ai .

B. Optimal Attack Schedule

We assume that the attacker’s energy budget is etotal in everyactive period and TOFF > 0. Due to this energy constraint, theDoS attacker needs to make decisions when and which channelto jam in order to maximize the total cost

Jtotal = J1 + J2 + · · · + Jr . (15)

Let γm,t = (γ 1m,t , γ

2m,t , . . . , γ

rm,t ) be the attacker’s decision

vector at time t of m-th active period

γ im,t =

{1, if the attacker jams channel i ,

0, otherwise.

We also assume that the attack action is successful withprobability αi when he jams the channel i with energy ei

for i = 1, 2, . . . , r . From the viewpoint of DoS attacker, theoptimization problem can be formulated as follows.

Problem 5.1:

maxγ∈�

E[Jtotal(γ )] (16)

s.t.r∑

i=1

γ im,t ≤ 1, ∀m ∈ N, (17)

r∑i=1

[ei

( T∑t=1

γ im,t

)]≤ etotal, ∀m ∈ N, (18)

where γ = [γ (m)]∞m=1 is the attack schedule on the infinitetime horizon [1,∞) and � = {γ |γ i

m,t ∈ {0, 1},∀m ∈ N,t ∈ {1, 2, . . . , TON}} is the attack schedule space. Con-straint (17) shows that the attacker can only jam one channel ordoes not take action in any time. Equation (18) is the attacker’senergy constraint in every active period.

From Lemma 3.4 and Theorem 4.1, one can see that if theattack times on channel i is limited to ni , then consecutiveattack ni times with proper beginning attack time is theoptimal decision. By unfolding (15) with (14), the objectivefunction in Problem 5.1 can be replaced by

r∑i=1

Ji,e = Tr

[ r∑i=1

Mi�αi (ni )

],

since Ji,c, i = 1, 2, . . . , r are constants.Therefore, Problem 5.1 can be converted to the following

problem.Problem 5.2:

max Tr

[ r∑i=1

Mi �αi (ni )

](19)

s.t.r∑

i=1

ni ei ≤ etotal, (20)

where ni denotes the consecutive attack times over channel iin the active periods for i = 1, 2, . . . , r .

Note that this is an integer programming problem. Thus,the optimal solution (n∗

1, n∗2, . . . , n∗

r ) can be obtained by

exhaustive search method.3 From the above analysis, one canobtain the following theorem to solve Problem 5.1.

Theorem 5.1: The optimal attack schedule γ ∗ forProblem 5.1 is with any n∗

i times consecutive attack onchannel i , respectively, at active periods, where

(n∗1, n∗

2, . . . , n∗r ) = arg max∑r

i=1 ni ei ≤etotal

Tr

[ r∑i=1

Mi �αi (ni )

]. (21)

The expected corresponding cost function can be calculatedas follows:

E[Jtotal(γ∗)] =

r∑i=1

Ji,c + 1

TTr

[ r∑i=1

Mi �αi (n∗i )

].

3The attacker needs only to run an exhaustive search method once beforetaking action. From constraint (20), we can see that the time complexity of

exhaustive search method for Problem 5.2 is no more than O(nr−1), wheren = �(etotal/emin)� with emin = min{e1, e2, . . . , er }. Thus, it is not expensiveto run the exhaustive search method.



Proof: First, if the DoS attacker assigns ni timesattack actions on channel i for i = 1, 2, . . . , r , where∑r

i=1 ni ei ≤ etotal, then from Theorem 4.1, one can see thatthe optimal decision is any attack with consecutive attack ni

times on channel i .Second, in order to find optimal attack assignment

(n∗1, n∗

2, . . . , n∗r ), from Problem 5.2, we just need to maximize

Tr

[ r∑i=1

Mi �αi (ni )

].

An example is presented to illustrate Theorem 5.1 asfollows.

Example 5.1: Consider Problem 5.1 with TON = 4, n = 3,and TOFF = 5. If (n∗

1, n∗2) = (2, 1) is obtained from (21) for

the given system parameters, it can be seen that in any activeperiod, the attack schedules⎛⎜⎜⎜⎝

γ ∗m,1

γ ∗m,2

γ ∗m,3

γ ∗m,4

⎞⎟⎟⎟⎠ =

⎛⎜⎜⎜⎝

1 0

1 0

0 1

0 0

⎞⎟⎟⎟⎠,

⎛⎜⎜⎜⎝

1 0

1 0

0 0

0 1

⎞⎟⎟⎟⎠,

⎛⎜⎜⎜⎝

0 0

1 0

1 0

0 1

⎞⎟⎟⎟⎠,

⎛⎜⎜⎜⎝

0 0

0 1

1 0

1 0

⎞⎟⎟⎟⎠, or

⎛⎜⎜⎜⎝

0 1

0 0

1 0

1 0

⎞⎟⎟⎟⎠

are optimal.If the subsystems are with identical parameters, we can

get the optimal attack schedules for some special casesas follows.

Corollary 5.1: Consider the WNCS with identical subsys-tems, i.e., A1 = A2 = · · · = Ar , B1 = B2 = · · · = Br ,�w1 = �w2 = · · · = �wr , Q1 = Q2 = · · · = Qr , andR1 = R2 = · · · = Rr .

1) If the attacker uses the same energy to attack thechannels, i.e., e1 = e2 = · · · = er , then any consecutiveattack n = �(etotal/e1)� times over channel i∗ is optimal,where i∗ = arg maxi αi .

2) If the attack success probabilities over different channelsare the same, i.e., α1 = α2 = · · · = αr , then any con-secutive attack n = �(etotal/e j∗)� times over channel j∗is optimal, where j∗ = arg min j e j .

Proof: See the Appendix.Similar to Section IV-B, we can see that the system is stable

when TOFF > 0. If TOFF = 0, the attacker can always jam one ofthe wireless channels. Let γc,i = infγ {γ |X = A′

i X Ai +�wi −γ A′

i X Bi (B ′i X Bi + Ri )

−1 B ′i X Ai }, i = 1, 2, . . . , r . From [26],

it can be seen that the system is stable if and only if αi <1 − γc,i ,∀i .

VI. EXAMPLES

A. Example I: Single System

We consider system (1) with A = 2, B = 1,�w = 1,Q = 1, and R = 1. Assume that the length of the attacker’sactive period is TON = 80, inactive period is TOFF = 20, andthe attack energy constraint is n = 20. We use Monte Carlomethod to illustrate the effects of different attack scheduleson expected cost function E(J ) and the system stability underoptimal attacks. The simulation system runs 10 000 times foreach illustration.

Fig. 4. Illustrating example on attacking effect of expected cost function E(J )with different attack schedules.

Fig. 5. System state under optimal attack schedule with and without attack,respectively. Here, the attacker can take action n = 20 times in any activeperiod TON = 100 with successful probability α = 0.2. TOFF = 40.

1) Different Attack Schedules: Fig. 4 shows the variationof the expected cost function under different attack scheduleswhen the sensor uses a deterministic channel for transmission.In Fig. 4, we examine the attack effect under different attacksuccess probabilities from α = 0.01 to α = 0.35. Thetop curve of Fig. 4 stands for the performance under theattack schedule given by Theorem 4.1, i.e., E[J (γ ∗)], whichmaximizes the expected cost function. It can also be seenthat the expected cost function rapidly increases with α. Thesecond line from the top shows the performance under acommon attack schedule with consecutive attack sequencet1 = t2 = 10. It can be seen that the expected cost functiongrows much slower than E[J (γ ∗)]. We also can find thatthe performances under uniform attack with energy constraintin each active period are nearly the same as those withoutattack.

2) System Stability: Figs. 5 and 6 plot the evolution of thesystem state with different attack parameters TON and TOFF.In Fig. 5, the attacker is working with n = 20, TON = 80,TOFF = 40, and α = 0.2. From Theorem 4.1, the attackschedule in Fig. 5 (attacking at time [81, 100], [221, 240],[361, 380], and so on) is an optimal attack policy. In Fig. 5,the dashed line demonstrates that the system is still stable



Fig. 6. System state under optimal attack schedule with and without attack,respectively. Here, the attacker can always take action in any active periodTON = 20 with successful probability α = 0.2. TOFF = 1.


under this optimal attack schedule. The solid line shows thesystem’s state without attack. In Fig. 6, the attacker is workingwith TON = n = 20 and TOFF = 1. We can see that the stateis still stable under this optimal attack.

Figs. 7 and 8 show the effectiveness of optimal attackschedule on the system state when there is no inactive period,i.e., TOFF = 0 and TON = n. From Theorem 4.2, the stabilitydepends on the attack successful probability α. In our example,the critical value can be calculated by γc = 1 − (1/A2) =0.75 [26]. From Fig. 7, one can see that the system isstill stable when it suffers from the consecutive attack withsuccessful probability α = 0.2 < 1 − γc = 0.25. The systemwill become unstable, however, if the successful probability isα = 0.8 > 1 − γc, which has been shown in Fig. 8.

B. Example II: Multiple Subsystems

We also consider WNCS with two subsystems (13) withA1 = 0.5, B1 = 1,�w1 = 1, Q1 = 1, R1 = 1,A2 = 1.2, B2 = 1,�w2 = 0.5, Q2 = 1, and R2 = 1.Assume that the length of attacker’s active period is TON = 80and TOFF = 20. The attacker uses the same energy to jam


Fig. 9. Maximal value of cost E(Jtotal) under different assignments (n1, n2)when α1 = 0.1 and α2 = 0.6. Here, n2 = 20−n1 and A2 = 1.2. The optimalassignment is (n∗

1, n∗2) = (2, 18).

channels 1 and 2, and the corresponding attack successprobabilities are α1 and α2. Due to the energy constraint,he can at most attack n = 20 times in any activeperiod.

Consider Problem 5.2 with given parameters. We can obtainthe optimal attack assignment by exhaustive search method.Fig. 9 shows the variation of maximal value of E(Jtotal)under different assignments (n1, n2) when α1 = 0.1 andα2 = 0.6. It can be seen that the optimal assignmentis (n∗

1, n∗2) = (2, 18). Fig. 10 shows one optimal attack

schedule in an active period. In this schedule, the attackerjams channel 1 in times 2 and 3 and jams channel 2 fromtime 11 to 28.

Table I shows the optimal attack assignment (n∗1, n∗

2)under different attack success probabilities (α1, α2). Inter-estingly, in some cases, e.g., (α1, α2) = (0.5, 0.2), thoughthe probabilities satisfy the condition α1 > α2, the optimalassignment is opposite, i.e., n∗

1 < n∗2. The reason is that the

optimal assignment also depends on the system parameters.



TABLE I

OPTIMAL ATTACK ASSIGNMENT (n∗1 , n∗

2) UNDER DIFFERENT ATTACK SUCCESS PROBABILITIES (α1, α2)

Fig. 10. Optimal attack schedule in an active period. Here, α1 = 0.1 andα2 = 0.6.

Fig. 11. Maximal value of cost E(Jtotal) under different assignments(n1, n2) when α1 = 0.1 and α2 = 0.6. Here, n2 = 20 − n1 and A2 = 1.5.The optimal assignment is (n∗

1, n∗2) = (0, 20).

From (19), we can see that the objective function is thepolynomial function of α1, α2. The system parameters deter-mine the coefficients of the polynomial function, and thusaffect the optimal assignment (n∗

1, n∗2). In order to show the

impact of system parameters on the attack assignment, wechange the parameter A2 in subsystem 2 with A2 = 1.5.Fig. 11 shows the variation of maximal value of E(Jtotal) underdifferent assignment (n1, n2) when A2 = 1.5. We can see thatthe optimal attack assignment for this new WNCS is differentfrom that in Fig. 9.

We also compare the effect of different attack schedulesin Fig. 12. The top curve is the variation of E(Jtotal) under

Fig. 12. Illustration of the effect on cost E(Jtotal) under optimal attackschedule. Two reference curves are the cost E(Jtotal) under consecutive attackn1 = n = 20 times on channel 1 and consecutive attack n2 = n = 20 timeson channel 2, respectively. Here, α1 = 0.2.

optimal attack schedule with increasing α2. Two referencecurves are the cost E(Jtotal) under consecutive attack onchannel 1 and consecutive attack on channel 2, respectively.One can also see that when α2 < 0.2, the effect of optimalattack schedule and that of consecutive attack on channel 1are very close. Thus, consecutive attack n1 = n = 20 timeson channel 1 is a suboptimal attack schedule when α2 < 0.2.Similarly, we can also see that consecutive attackn2 = n = 20 times on channel 2 is a suboptimal attackschedule when α2 > 0.6.

VII. CONCLUSION

In this paper, we studied the optimal DoS attack policy withthe energy constraint to maximize the LQG cost function.We first formulated an optimization problem from the per-spective of a DoS attacker, in which the attacker can jam thetransmission channel with limited actions in any active period.Then, we analyzed the properties of the LQG cost functionunder any given feasible attack schedule. The optimal attackschedules and corresponding expected cost are obtained, whichdemonstrate that grouping the limited attacks together in everyactive period is optimal. We further studied the system stabilityunder optimal attack schedules. We also investigated theoptimal attack schedule in WNCS with multiple subsystems.



Simulation examples demonstrate the effectiveness of theproposed optimal jamming attack policy.

APPENDIX

In this section, we prove Lemmas 3.2, 3.3, and 3.4 andCorollary 5.1.

Proof of Lemma 3.2: If P1 ≥ P2, we have

f (P1) − f (P2) = Tr(M P1) − Tr(M P2)

= Tr[M(P1 − P2)] ≥ 0.

�Proof of Lemma 3.3: Since γs = 0 and γs+1 = 1, we have

Ps = 0 and Ps+1 = E[wsw′s] = �w with probability α, and

Ps+1 = 0 with probability 1 − α. By the recursive method fortime s + k, one has

Pr{

Ps+k = Hi} =

⎧⎨⎩

αi − αi+1, i = 0, 1, . . . , k − 1,

αk, i = k,

where H0 = 0.Then, we can see that

E[Ps+k] =k∑

i=0

HiPr{Ps+k = Hi}

=k−1∑i=0

(αi − αi+1)Hi + αk Hk

which finishes the proof. �Proof of Lemma 3.4:

1) According to the analysis in Section III, we have

�α(t2) − �α(t1) =t1∑

k=0

(t2 − t1)(αk − αk+1)Hk +

t2∑k=t1+1

× [(t2−k)(αk − αk+1)+ αk]Hk ≥ 0.

2) It can be seen that

�α(t) − �α(t1 ⊕ t2)

=t2∑

k=1

[αk(Ht1+k −Hk)+

k−1∑i=0

(αi − αi+1)(Ht1+i − Hi)

]≥ 0.

3) Since the proof of this result is similar to that of 2), itis omitted here.

4) It suffices to prove

�α(t1 ⊕ t2) ≤ �α((t1 − 1) ⊕ (t2 + 1))

with t1 ≤ t2. In fact

�α((t1 − 1) ⊕ (t2 + 1)) − �α(t1 ⊕ t2)

=t2∑

k=t1

αk+1(Hk+1 − Hk) ≥ 0.

�

Proof of Corollary 5.1:

1) From the definition of �α(t), we have

�α(t) =t∑

j=1

⎡⎣ j−1∑

i=0

(αi − αi+1)Hi + α j H j

⎤⎦

=t∑

j=1

⎡⎣H0 +

j∑i=1

αi (Hi − Hi−1)

⎤⎦.

Then, it can be seen that �α(t) is monotonically increas-ing with α when t is fixed. Thus, we have

r∑i=1

�αi (ni ) ≤r∑

i=1

�α∗i(ni ) ≤ �α∗

i(n),

where n1 +n2 +· · ·+nr = n. It implies that consecutiveattack n times over channel i∗ in the active periods isoptimal.

2) Since e j∗ = min e j , we haver∑

i=1

ni e j∗ ≤r∑

i=1

ni ei ≤ etotal,

which impliesr∑

i=1

ni ≤ n =⌊

etotal

e j∗

⌋.

From Lemma 3.4, we can see that �α(t) is monotoni-cally increasing with t when α is fixed. Then, it can beseen that

r∑i=1

�αi (ni ) =r∑

i=1

�α j∗ (ni ) = �α j∗ (n1 ⊕ n2 ⊕ · · · ⊕ nr )

≤ �α j∗ (n).

Thus, we can infer that the consecutive attack n timesover channel j∗ in every active period is optimal. �

REFERENCES

[1] H. Zhang, P. Cheng, L. Shi, and J. Chen, “Optimal Denial-of-Serviceattack scheduling against linear quadratic Gaussian control,” in Proc.Amer. Control Conf., 2014, pp. 3996–4001.

[2] P. Antsaklis and J. Baillieul, “Special issue on technology of networkedcontrol systems,” Proc. IEEE, vol. 95, no. 1, pp. 5–8, Jan. 2007.

[3] R. A. Gupta and M.-Y. Chow, “Networked control system: Overviewand research trends,” IEEE Trans. Ind. Electron., vol. 57, no. 7,pp. 2527–2535, Jul. 2010.

[4] Y. Wang, S. X. Ding, D. Xu, and B. Shen, “An H∞ fault estimationscheme of wireless networked control systems for industrial real-time applications,” IEEE Trans. Control Syst. Technol., vol. 22, no. 6,pp. 2073–2086, Nov. 2014.

[5] A. A. Cárdenas, S. Amin, and S. S. Sastry, “Research challenges forthe security of control systems,” in Proc. 3rd Conf. Hot Topics Secur.,2008, Art. ID 6.

[6] S. Amin, G. A. Schwartz, and S. S. Sastry, “Security of interdependentand identical networked control systems,” Automatica, vol. 49, no. 1,pp. 186–192, 2013.

[7] Y. Mo, R. Chabukswar, and B. Sinopoli, “Detecting integrity attacks onSCADA systems,” IEEE Trans. Control Syst. Technol., vol. 22, no. 4,pp. 1396–1407, Jul. 2014.

[8] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, “Securecontrol systems: A quantitative risk management approach,” IEEEControl Syst., vol. 35, no. 1, pp. 24–45, Feb. 2015.

[9] H. Zhang, P. Cheng, L. Shi, and J. Chen, “Optimal Denial-of-Serviceattack scheduling with energy constraint,” IEEE Trans. Autom. Control,doi: 10.1109/TAC.2015.2409905.



[10] S. Amin, A. A. Cárdenas, and S. S. Sastry, “Safe and secure networkedcontrol systems under Denial-of-Service attacks,” in Hybrid Systems:Computation and Control. Berlin, Germany: Springer-Verlag, 2009,pp. 31–45.

[11] M. Zhu and S. Martínez, “On the performance analysis of resilientnetworked control systems under replay attacks,” IEEE Trans. Autom.Control, vol. 59, no. 3, pp. 804–808, Mar. 2014.

[12] Y. Yuan, Q. Zhu, F. Sun, Q. Wang, and T. Basar, “Resilient control ofcyber-physical systems against Denial-of-Service attacks,” in Proc. 6thInt. Symp. Resilient Control Syst., 2013, pp. 54–59.

[13] H. Zhang, P. Cheng, L. Shi, and J. Chen, “Optimal DoS attack policyagainst remote state estimation,” in Proc. IEEE 52nd Annu. Conf.Decision Control, Dec. 2013, pp. 5444–5449.

[14] R. A. Poisel, Modern Communications Jamming Principles and Tech-niques. Norwood, MA, USA: Artech House, 2011.

[15] A. Gupta, C. Langbort, and T. Basar, “Optimal control in the presenceof an intelligent jammer with limited actions,” in Proc. 49th IEEE Conf.Decision Control, Dec. 2010, pp. 1096–1101.

[16] H. S. Foroush and S. Martínez, “On event-triggered control of linearsystems under periodic Denial-of-Service jamming attacks,” in Proc.IEEE 51st Annu. Conf. Decision Control, Dec. 2012, pp. 2551–2556.

[17] A. Kashyap, T. Basar, and R. Srikant, “Correlated jamming on MIMOGaussian fading channels,” IEEE Trans. Inf. Theory, vol. 50, no. 9,pp. 2119–2123, Sep. 2004.

[18] M. Li, I. Koutsopoulos, and R. Poovendran, “Optimal jamming attackstrategies and network defense policies in wireless sensor networks,”IEEE Trans. Mobile Comput., vol. 9, no. 8, pp. 1119–1133, Aug. 2010.

[19] M. Zuba, Z. Shi, Z. Peng, and J.-H. Cui, “Launching Denial-of-Servicejamming attacks in underwater sensor networks,” in Proc. 16th ACMInt. Workshop Underwater Netw., 2011, p. 12.

[20] V. Gupta, B. Hassibi, and R. M. Murray, “Optimal LQG control acrosspacket-dropping links,” Syst. Control Lett., vol. 56, no. 6, pp. 439–446,2007.

[21] K. Xin, X. Cao, J. Chen, P. Cheng, and L. Xie, “Optimal controllerlocation in wireless networked control systems,” Int. J. Robust NonlinearControl, vol. 25, no. 2, pp. 301–319, Jan. 2015.

[22] L. Shi, Y. Yuan, and H. Zhang, “Sensor data scheduling for linearquadratic Gaussian control with full state feedback,” in Proc. Amer.Control Conf., 2012, pp. 2030–2035.

[23] Y. M. Cho and P. Gyugyi, “Control of rapid thermal processing:A system theoretic approach,” IEEE Trans. Control Syst. Technol., vol. 5,no. 6, pp. 644–653, Nov. 1997.

[24] P. Lancaster and L. Rodman, Algebraic Riccati Equations. Oxford, U.K.:Oxford Univ. Press, 1995.

[25] V. Gupta, R. M. Murray, L. Shi, and B. Sinopoli, “Networked sensing,estimation and control systems,” Dept. Control Dyn. Syst., CaliforniaInst. Technol., Pasadena, CA, USA, Tech. Rep., 2009.

[26] B. Sinopoli, L. Schenato, M. Franceschetti, K. Poolla, and S. S. Sastry,“Optimal control with unreliable communication: The TCP case,” inProc. Amer. Control Conf., 2005, pp. 3354–3359.

[27] A. Cervin and T. Henningsson, “Scheduling of event-triggered con-trollers on a shared network,” in Proc. IEEE Conf. Decision Control,Dec. 2008, pp. 3601–3606.

[28] S.-L. Dai, H. Lin, and S. S. Ge, “Scheduling-and-control codesign fora collection of networked control systems with uncertain delays,” IEEETrans. Control Syst. Technol., vol. 18, no. 1, pp. 66–78, Jan. 2010.

[29] A. Sampath, H. Dai, H. Zheng, and B. Y. Zhao, “Multi-channel jam-ming attacks using cognitive radios,” in Proc. 16th Int. Conf. Comput.Commun. Netw., 2007, pp. 352–357.

Heng Zhang received the Ph.D. degree in controlscience and engineering from Zhejiang University,Hangzhou, China.

He is currently a Faculty Member with the HuaihaiInstitute of Technology, Lianyungang, China. Hiscurrent research interests include security andprivacy in cyber-physical systems, control, andoptimization theory.

Peng Cheng (M’10) received the B.E. degreein automation and the Ph.D. degree in controlscience and engineering from Zhejiang University,Hangzhou, China, in 2004 and 2009, respectively.

He is currently an Associate Professor with theDepartment of Control Science and Engineering,Zhejiang University. His current research interestsinclude networked sensing and control,cyber-physical systems, and robust control.

Prof. Cheng serves as an Associate Editor ofWireless Networks and the International Journal

of Communication Systems. He served as a Guest Editor of the IEEETRANSACTIONS ON CONTROL OF NETWORK SYSTEMS. He was thePublicity Co-Chair of the IEEE Mobile Adhoc and Sensor Systems in 2013,and the Local Arrangement Chair of ACM MobiHoc 2015.

Ling Shi (M’08) received the B.S. degreein electrical and electronic engineering fromThe Hong Kong University of Science andTechnology, Hong Kong, in 2002, and thePh.D. degree in control and dynamical systems fromthe California Institute of Technology, Pasadena,CA, USA, in 2008.

He is currently an Associate Professor withthe Department of Electronic and ComputerEngineering, The Hong Kong University of Sci-ence and Technology. His current research interests

include networked control systems, wireless sensor networks, event-basedstate estimation and sensor scheduling, and smart energy systems.

Prof. Shi serves as a Subject Editor of the International Journal of Robustand Nonlinear Control. He served as a Guest Associate Editor of the SpecialIssue on Secure Detection, Estimation, and Control in Cyber-Physical Systemsin the IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, and a GuestAssociate Editor of the Special Issue on Secure Control of Cyber PhysicalSystems in the IEEE TRANSACTIONS ON CONTROL OF NETWORK SYSTEMS

in 2015.

Jiming Chen (M’08–SM’11) received the B.Sc.and Ph.D. degrees in control science and engineer-ing from Zhejiang University, Hangzhou, China,in 2000 and 2005, respectively.

He was a Visiting Researcher with the FrenchInstitute for Research in Computer Science andAutomation, Rocquencourt, France, in 2006, theNational University of Singapore, Singapore, in2007, and the University of Waterloo, Waterloo, ON,Canada, from 2008 to 2010. He is currently a FullProfessor with the Department of Control Science

and Engineering, and the Vice Director of the State Key Laboratory ofIndustrial Control Technology and the Institute of Industrial Process Control,Zhejiang University. His current research interests include sensor networksand networked control.

Prof. Chen serves as an Associate Editor of several international journals,including the IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED

SYSTEM, the IEEE NETWORK, and the IEEE TRANSACTIONS ON CONTROL

OF NETWORK SYSTEMS. He was a Guest Editor of the IEEE TRANSACTIONSON AUTOMATIC CONTROL.

ieee transactions on control systems ...ireless networked control systems (wncss), in which physical...

Documents