Networked Systems under Denial-of-Service: Co-located vs. Remote Control Architectures
Shuai Feng, Pietro Tesi

TL;DR
This paper compares the robustness of co-located and remote control architectures in networked systems under DoS attacks, analyzing stability and robustness gaps to inform design choices.
Contribution
It introduces a remote control architecture that approximates co-location, analyzing its stability and robustness relative to traditional co-located systems.
Findings
Remote architecture closely approximates co-located robustness.
Quantifies the stability gap between architectures.
Provides insights for flexible, cost-effective control system design.
Abstract
In this paper, we study networked systems in the presence of Denial-of-Service (DoS) attacks, namely attacks that prevent transmissions over the communication network. Previous studies have shown that co-located architectures (control unit co-located with the actuators and networked sensor channel) can ensure a high level of robustness against DoS. However, co-location requires a wired or dedicated actuator channel, which may not meet flexibility and cost requirements. In this paper we consider a control architecture that approximates co-location while enabling remote implementation (networked sensor and actuator channels). We analyze closed-loop stability and quantify the robustness "gap" between this architecture and the co-located one.
Figures 1–6 (images not reproduced on this page).
Taxonomy
Topics: Smart Grid Security and Resilience · Security in Wireless Sensor Networks · Network Time Synchronization Technologies
Shuai Feng and Pietro Tesi, ENTEG, Faculty of Science and Engineering, University of Groningen, 9747 AG Groningen, The Netherlands (e-mail: {s.feng,p.tesi}@rug.nl).
keywords:
Cyber-physical systems; Denial-of-Service; Networked control systems; Sampled-data control; Control under limited information.
1 Introduction
The field of cyber-physical systems is becoming more and more important in control engineering and computer science due to its broad spectrum of applications. Especially for safety-critical applications, there is a need for analysis, synthesis and design tools that can guarantee secure and reliable operations despite the presence of malicious attacks (Cheng et al., 2017).
Security of cyber-physical systems involves several research areas, including anomaly detection, verification, and estimation and control in the presence of attacks. Moreover, the problem varies depending on the type of attack one is considering. One usually classifies cyber attacks as either deception attacks (examples being zero-dynamics and bias-injection attacks) or Denial-of-Service (DoS) attacks. The former affect data trustworthiness via the manipulation of packets transmitted through the network (Fawzi et al., 2011; Teixeira et al., 2015). DoS attacks are instead intended to affect the timeliness of the information exchange, i.e., to induce packet losses (Xu et al., 2005; Amin et al., 2009). In particular, it is known that DoS attacks are relatively easy to launch (Xu et al., 2005), even without knowledge of the targeted system.
This paper deals with DoS attacks. We consider a control system in which plant-controller communication is networked. An attacker can induce closed-loop instability by denying communication on the sensor and actuator channels. The problem of interest is to design control systems that can tolerate as much DoS as possible. Networked control in the presence of packet losses has been widely investigated (Hespanha et al., 2007). However, it is known that communication failures induced by DoS can exhibit a temporal profile quite different from the one induced by genuine packet losses; in particular, communication failures induced by DoS need not follow a given class of probability distributions (Amin et al., 2009). From a security standpoint this is the crucial difference: the attacker chooses when to jam, so a design validated only against random loss models offers no guarantee under adversarial timing. This raises new theoretical challenges from the perspective of analysis as well as control design.
The literature on networked control under DoS is large and quite diversified. In (Gupta et al., 2010; Amin et al., 2009), the authors address the problem of finding optimal control and DoS attack strategies assuming a maximum number of jamming actions over a prescribed control horizon. A similar problem is considered in (Ugrinovskii and Langbort, 2014), where the authors study zero-sum games between controllers and strategic jammers. In (Zhang et al., 2016), the authors investigate DoS from the attacker’s viewpoint, and characterize optimal DoS attack scheduling strategies. Shisheh Foroush and Martínez (2013) consider periodic DoS attacks. The objective is to identify salient features of the DoS signal such as maximum on/off cycle in order to de-synchronize the transmission times from the occurrence of DoS. In (De Persis and Tesi, 2014b; De Persis and Tesi, 2015), a framework is introduced where no assumption is made regarding the “structure” of the DoS attack. Instead, a model is considered that constrains DoS only in terms of its frequency and duration. The contribution is an explicit characterization of DoS frequency and duration for which stability can be preserved through state-feedback control. Extensions have been considered dealing with co-located robust controller design (Feng and Tesi, 2017), nonlinear (De Persis and Tesi, 2014a) and distributed (Senejohnny et al., 2015) systems, as well as with systems where jamming attacks and genuine packet losses coexist (Cetinkaya et al., 2016).
In a recent paper (Feng and Tesi, 2016), we have investigated networked systems under DoS attacks from the perspective of designing “maximally robust” controllers. There, it is shown that co-located architectures (control unit co-located with the actuators and networked sensor channel) can guarantee the highest possible level of robustness against DoS, in the sense that they can guarantee closed-loop stability for all the DoS signals with frequency and duration below a certain critical threshold, beyond which stability can be lost irrespective of the adopted control system. Unfortunately, co-location requires wired or dedicated actuator channels, which may not meet flexibility and cost requirements.
In this paper, we consider a control system that approximates co-location while enabling remote implementation (networked sensor and actuator channels). The proposed architecture relies on packet-based control and actuator buffering. The basic idea is to transmit data packets containing plant input predictions whenever DoS is absent, and use the data stored in the actuator buffer during the periods of DoS. This idea has already proved effective to compensate for network delay (Chaillet and Bicchi, 2008; Bemporad, 1998) as well as packet losses (Quevedo et al., 2011; Quevedo and Nešić, 2011). In this paper, however, the peculiarity of the problem leads to a different analysis and design. We follow a “worst-case” type of analysis, accounting for the situation where the network undergoes periods of DoS much larger than the buffer capacity.
The paper contribution is twofold. First, we provide conditions on the prediction horizon under which closed-loop stability is preserved. The analysis is general enough to account for: (i) process disturbances; (ii) measurement and network noise; (iii) non-zero computation times. As a second contribution, we explicitly quantify the robustness “gap” between this control architecture and the co-located one, showing that the ideal bound obtained with co-location is recovered as the prediction horizon increases.
1.1 Notation
We denote by the set of reals. For any , we denote . We let denote the set of nonnegative integers, . For any , we denote . The prime denotes transpose. Given a vector , is its Euclidean norm. Given a matrix , is its spectral norm. Given a measurable time function and a time interval we denote the norm of on by . Given a measurable time function we say that is bounded if its norm is finite.
2 Framework and paper outline
2.1 Process dynamics and network
The process to be controlled is given by
[TABLE]
where ; is the state, is the control input and is the measurement vector; and are matrices of appropriate size with stabilizable; and are unknown (bounded) disturbance and noise signals, respectively.
We assume that the sensor and actuator channels are networked and subject to Denial-of-Service (DoS). The former implies that measurements and control commands are sent only at discrete time instants. Let denote the sequence of transmission attempts. Throughout the paper, we assume for simplicity that the transmission attempts are carried out periodically with period , i.e.,
[TABLE]
with by convention. We refer to DoS as the phenomenon for which some transmission attempts may fail.
We shall denote by , , the sequence of time instants at which samples of are successfully transmitted.
2.2 Control objective
The objective is to design a controller , possibly dynamic, in such a way that the closed-loop stability is maintained despite the occurrence of DoS in measurement and control channels. In this paper, by closed-loop stability we mean that all the signals in the closed-loop system remain bounded for any initial condition and bounded noise and disturbance signals, and converge to zero in the event that noise and disturbance signals converge to zero.
2.3 Denial-of-Service: Assumptions
Clearly, the problem in question does not have a solution if the amount of DoS is allowed to be arbitrary. Following (De Persis and Tesi, 2015), we consider a general DoS model that constrains the attacker's action in time only by posing limitations on the frequency of DoS attacks and on their duration. Let , , denote the sequence of DoS off/on transitions, i.e., the time instants at which DoS changes from zero (transmissions are possible) to one (transmissions are not possible). Hence, represents the -th DoS interval, of length , over which the network is in DoS status. If , then takes the form of a single pulse at . Given with , let denote the number of DoS off/on transitions over , and let
[TABLE]
denote the subset of where the network is in DoS status.
We make the following assumptions.
Assumption 1
(DoS frequency). There exist constants and such that
[TABLE]
for all with .
Assumption 2
(DoS duration). There exist constants and such that
[TABLE]
for all with .
Remark 2.1
Assumptions 1 and 2 only constrain a given DoS signal in terms of its average frequency and duration. In practice, can be regarded as the average dwell time between consecutive DoS off/on transitions, while is the chattering bound. Assumption 2 expresses a similar requirement with respect to the duration of DoS: on average, the total time over which communication is interrupted does not exceed a certain fraction of the elapsed time, as specified by . Like , the constant plays the role of a regularization term; it is needed because during a DoS interval one has , so serves to make (8) consistent. The conditions and imply that DoS can neither occur at an infinitely fast rate nor be always active.
2.4 Previous work and paper outline: co-located and remote control architectures
In Feng and Tesi (2016), we have investigated the problem of designing control architectures that achieve maximal robustness against DoS. We briefly summarize the main result of that paper. Consider the control architecture depicted in Figure 1. The control system is co-located with the process actuators and is equipped with prediction capabilities so as to reconstruct the missing measurements during DoS periods. Let be the sampling rate of the control system, where . Notice that choosing allows to differentiate between controller sampling rate and transmission rate, maintaining possibly large. Finally, let and . The predictor equations are given by
[TABLE]
where , and the control action is given by
[TABLE]
Here is a state-feedback matrix such that all the eigenvalues of have negative real part. The control system consists of a predictor and a state-feedback matrix. The former emulates the process dynamics during the DoS period, and is “reset” whenever new measurements become available.
Theorem 1 (Feng and Tesi, 2016)
Consider a process as in (4) under a co-located control system as in (14) and (15). Given any positive definite symmetric matrix , let denote the solution of the Lyapunov equation . Let the controller sampling rate be such that
[TABLE]
when , and
[TABLE]
when , where is the logarithmic norm of and is a positive constant satisfying , where is equal to the smallest eigenvalue of and . Then, the closed-loop system is stable for any DoS sequence satisfying Assumptions 1 and 2 with arbitrary and , and with and such that
[TABLE]
The bound (18) is the best bound that one can achieve for the class of DoS signals satisfying Assumptions 1 and 2, in the sense that at or above the threshold “1” (when ) one can preserve stability only for some DoS signals, not for all. In fact, as soon as the threshold “1” is reached, and can give rise to DoS signals that disrupt all the transmission attempts. Consider, for example, the DoS signal given by . This signal yields and satisfies Assumptions 1 and 2 with , , and . By construction, this DoS signal disrupts all the transmission attempts since it is synchronized with the transmission times. Note that condition requires . This means that, on average, DoS cannot occur at the same rate as (or faster than) .
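The DoS model of Section 2.3, the periodic transmission policy of Section 2.1 and the co-located bound (18) with its synchronized-pulse counterexample, exercised on an explicit on/off signal. This is an added example, not code from the paper. The page does not reproduce the terms of Assumptions 1 and 2 or of (18); the inequalities coded here are the standard ones from De Persis and Tesi (2015) and Feng and Tesi (2016), which is an assumption stated in the module docstring. The DoS signal EXAMPLE_DOS is constructed for illustration.

```python
"""Checker for the DoS frequency/duration model (Assumptions 1 and 2) and the
periodic transmission policy, on an explicit DoS signal.

Added example, not code from the paper. Assumed forms (De Persis and Tesi, 2015):
    n(tau, t)    <= eta   + (t - tau) / tau_D    (Assumption 1, frequency)
    |Xi(tau, t)| <= kappa + (t - tau) / T        (Assumption 2, duration)
and, for the co-located bound (18): 1/T + Delta/tau_D < 1.
A DoS signal is a time-ordered list of (h_n, tau_n): the n-th off/on transition
and the length of that DoS interval (tau_n = 0 is a single pulse).
"""
import math

# Constructed signal: three DoS intervals and one zero-length pulse at 1.55 s.
EXAMPLE_DOS = [(0.25, 0.20), (1.00, 0.35), (1.55, 0.00), (2.30, 0.50)]


def dos_duration(intervals, tau, t):
    """|Xi(tau, t)|: total time within [tau, t] during which the network is in DoS."""
    return sum(max(0.0, min(h + d, t) - max(h, tau)) for h, d in intervals)


def satisfies_assumptions(intervals, eta, tau_D, kappa, T, tol=1e-9):
    """Exact check of Assumptions 1 and 2 over all tau < t.

    Both sides of each inequality are piecewise linear in (tau, t), so the
    tightest cases are tau = h_i with t just after h_j (frequency) or
    t = h_j + tau_j (duration); checking those pairs covers every tau < t.
    """
    starts = [h for h, _ in intervals]
    ends = [h + d for h, d in intervals]
    assert starts == sorted(starts), "transitions must be ordered in time"
    for i in range(len(intervals)):
        for j in range(i, len(intervals)):
            # Assumption 1: j - i + 1 transitions fall in [h_i, h_j + 0)
            if j - i + 1 > eta + (starts[j] - starts[i]) / tau_D + tol:
                return False
            # Assumption 2: the DoS fraction peaks when t closes a DoS interval
            span = ends[j] - starts[i]
            if span > 0 and dos_duration(intervals, starts[i], ends[j]) > kappa + span / T + tol:
                return False
    return True


def in_dos(t, intervals, tol=1e-9):
    """DoS status at time t. Intervals are closed, so a pulse that coincides
    with a transmission instant disrupts that transmission."""
    return any(h - tol <= t <= h + d + tol for h, d in intervals)


def transmission_outcomes(intervals, delta, horizon, tol=1e-9):
    """Attempts at k*Delta, k = 0, 1, ... up to the horizon; returns (ok, failed)."""
    ok, failed = [], []
    for k in range(int(horizon / delta + tol) + 1):
        (failed if in_dos(k * delta, intervals) else ok).append(k)
    return ok, failed


def max_gap_between_successes(intervals, delta, horizon):
    """Longest time between consecutive successful transmissions, the quantity
    that Lemma 1 bounds under (18); inf if fewer than two attempts get through."""
    ok, _ = transmission_outcomes(intervals, delta, horizon)
    if len(ok) < 2:
        return math.inf
    return max((b - a) * delta for a, b in zip(ok, ok[1:]))


def colocated_bound_holds(delta, tau_D, T):
    """Robustness bound (18) of Theorem 1 for the co-located architecture."""
    return 1.0 / T + delta / tau_D < 1.0


def synchronized_pulses(delta, horizon):
    """The attack of Section 2.4: a zero-length pulse at every transmission time."""
    return [(k * delta, 0.0) for k in range(int(horizon / delta + 1e-9) + 1)]


if __name__ == "__main__":
    delta, horizon = 0.1, 3.0
    ok, failed = transmission_outcomes(EXAMPLE_DOS, delta, horizon)
    print("failed attempts:", failed)
    print("max gap between successes:", max_gap_between_successes(EXAMPLE_DOS, delta, horizon))
    print("assumptions (eta=1, tau_D=0.5, kappa=0.5, T=2):",
          satisfies_assumptions(EXAMPLE_DOS, 1, 0.5, 0.5, 2.0))
    print("bound (18) holds:", colocated_bound_holds(delta, 0.5, 2.0))
    sync = synchronized_pulses(delta, horizon)
    print("synchronized pulses: successes =", len(transmission_outcomes(sync, delta, horizon)[0]),
          "| bound (18):", colocated_bound_holds(delta, delta, math.inf))
```

For EXAMPLE_DOS with Δ = 0.1 s, the parameters (η, τ_D, κ, T) = (1, 0.5, 0.5, 2) satisfy both assumptions and give 1/T + Δ/τ_D = 0.7 < 1, while the pulse train synchronized with the transmissions satisfies the assumptions with τ_D = Δ and T = ∞, sits exactly at the threshold 1, and blocks every attempt.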
Despite its robustness, the control architecture in (14)-(15) has a practical shortcoming: co-location requires a wired or dedicated control channel, which may not meet flexibility and cost requirements. In order to mitigate this shortcoming, we consider an architecture that allows for remote control. As shown in Figure 2, we consider a “packetized-and-buffered” architecture in which the controller transmits a sequence of control values containing process input predictions. Whenever communication is available, these values are stored in a buffer and used during the DoS periods. In the remainder of this paper, we formally investigate the stability and robustness properties of this architecture. We show that under (18) closed-loop stability is preserved as long as the prediction horizon satisfies
[TABLE]
where is the buffer size, is the actuator sampling interval, and are process-dependent constants, and is a DoS-dependent constant. The above stability condition can be equivalently rewritten as
[TABLE]
This inequality explicitly quantifies the gap between co-located and remote architectures, showing that the latter approaches the ideal bound as .
3 Remote control architecture
The actuator implements a sample-and-hold control strategy with sampling period , . The control unit operates at the time instants at which process measurements are available, returning controls
[TABLE]
where the variable defines the prediction of at time . In particular, satisfies
[TABLE]
where and where and are as in (14). In practice, the control unit implements a sampled-data version of the process dynamics, which are “reset” whenever a new process measurement becomes available.
Let , where , and . The control input applied to the process is
[TABLE]
In words, the control action is kept to zero until the first process measurement is received. Thereafter, as shown in Figure 3, over each interval the actuator applies the values in the buffer until the buffer is empty and the last value in the buffer is kept until . On the other hand, if then all the samples in the buffer are discarded and a new sequence of controls is stored. This renders (27) a “receding horizon” control policy.
Notice that (27) assumes that there is no noise in the actuator channel. This is because, if the actuator receives , where is a noise, the contribution of can be absorbed into the process disturbance . (This covers channel noise only; deception attacks that alter packet contents, cf. Section 1, fall outside the DoS model considered here.) Also notice that (27) assumes that the time needed to compute all the samples in (21) is zero. This assumption can be relaxed as discussed in Section 4.
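The packet-based control unit (21)-(22) and the buffered actuator policy (27), simulated on a constructed scalar plant under a periodic DoS signal. This is an added example, not the paper's code and not its Section 5 plant (whose matrices are not reproduced on this page). Everything about the plant is an assumption: dx/dt = a·x + u with a = 1 (open-loop unstable), gain K = −3 so that a + K < 0, an actuator period δ = 0.05 s, a transmission period Δ = 2δ, no disturbance or noise, zero computation time, and one DoS signal that blocks the sensor and actuator channels together, as in the paper.

```python
"""Packetized-and-buffered remote control (Section 3) on a scalar plant.

Added example, not the paper's code. Assumed plant dx/dt = a*x + u, exactly
discretized at the actuator period; assumed gain K; one DoS signal shared by
the sensor and actuator channels; no disturbance; zero computation time.
"""
import math

A_C = 1.0          # assumed plant pole (open-loop unstable)
K = -3.0           # assumed state-feedback gain, closed-loop pole a + K = -2
DELTA_ACT = 0.05   # actuator sample-and-hold period (delta in the paper)
DELTA_TX = 0.10    # period of transmission attempts (Delta in the paper)


def zoh(a, dt):
    """Exact zero-order-hold discretization of dx/dt = a*x + u over dt."""
    ad = math.exp(a * dt)
    return ad, ((ad - 1.0) / a if a != 0.0 else dt)


def predict_packet(x_meas, n_pred):
    """Control unit: the N values u(t_k + i*delta), i < N, of (21), produced by
    the sampled-data model (22) reset to the fresh measurement x(t_k)."""
    ad, bd = zoh(A_C, DELTA_ACT)
    xi, packet = x_meas, []
    for _ in range(n_pred):
        u = K * xi
        packet.append(u)
        xi = ad * xi + bd * u      # predicted state one actuator period later
    return packet


def in_dos(t, intervals, tol=1e-9):
    """DoS status at time t for a list of closed (start, length) intervals."""
    return any(h - tol <= t <= h + d + tol for h, d in intervals)


def periodic_dos(first, on_len, period, horizon):
    """Constructed attack: a DoS interval of length on_len every `period` seconds."""
    return [(first + k * period, on_len)
            for k in range(int((horizon - first) / period) + 1)
            if first + k * period < horizon]


def simulate(n_pred, intervals, x0=1.0, horizon=20.0):
    """Actuator side, policy (27): apply the buffered values in order, hold the
    last one once the buffer is exhausted, discard the buffer when a new packet
    arrives, apply zero until the first packet. Returns (t, x, u) samples."""
    ad, bd = zoh(A_C, DELTA_ACT)
    steps_per_tx = round(DELTA_TX / DELTA_ACT)
    x, buffer, idx, traj = x0, [], 0, []
    for j in range(round(horizon / DELTA_ACT)):
        t = j * DELTA_ACT
        if j % steps_per_tx == 0 and not in_dos(t, intervals):
            # measurement reached the controller and the packet reached the
            # actuator (both channels share the DoS signal)
            buffer, idx = predict_packet(x, n_pred), 0
        u = buffer[min(idx, len(buffer) - 1)] if buffer else 0.0
        idx += 1
        traj.append((t, x, u))
        x = ad * x + bd * u        # plant advances one actuator period
    return traj


def final_abs(traj):
    """|x| at the end of the simulated horizon."""
    return abs(traj[-1][1])


if __name__ == "__main__":
    attack = periodic_dos(first=1.0, on_len=1.0, period=1.3, horizon=20.0)
    for n in (1, 10, 20):
        print(f"N = {n:2d}: |x(T)| = {final_abs(simulate(n, attack)):.3e}")
```

With 1 s DoS intervals every 1.3 s, N = 1 (no buffering) holds one stale input through every outage and the state grows by a constant factor per cycle, whereas N = 20 (a 1 s horizon) covers each outage and the response is the co-located one, because with an exact model and no disturbance the prediction error inside the horizon is zero. The theoretical condition (19) is worst-case and therefore demands more than this simulation needs, which is the same observation Section 5 makes.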
4 Main result
We first present a lemma which is key to our developments. Then, we analyze the closed-loop behavior within and outside the prediction horizon and provide stability conditions.
4.1 Key lemma
The lemma relates DoS parameters and time elapsing between successful transmissions.
Lemma 1 (Feng and Tesi, 2016)
Consider a transmission policy as in (5), along with a DoS signal satisfying Assumptions 1 and 2. If (18) holds true, then the sequence of successful transmissions satisfies and for all , where
[TABLE]
4.2 Closed-loop behavior within the prediction horizon
Lemma 1 guarantees that the time elapsing between successful transmissions is always bounded under (18). In particular, is finite. This makes it possible to focus the attention on the closed-loop behavior from onwards. Consider a generic interval and let
[TABLE]
Notice that might be empty, which happens whenever . Thus, in the sequel, we implicitly consider only the intervals which are nonempty. Exploiting (30), we can rewrite the process dynamics as
[TABLE]
where . Given any symmetric positive definite matrix , let be the unique solution of the Lyapunov equation . Let . Its derivative along the solutions to (31), satisfies
[TABLE]
where is the smallest eigenvalue of , and . One sees that closed-loop stability depends on , which, in turn, depends on the actuator sampling period . In general, it is not possible to get a dissipation inequality in (32) for an arbitrary . Nonetheless, this is possible provided that is suitably chosen.
Lemma 2
Consider a dynamical system as in (4) under the control action (27). Let the actuator sampling period be chosen as in Theorem 1. Then, there exists a positive constant such that
[TABLE]
for all , where .
Proof. See Appendix A.
In view of Lemma 2, it is immediate to verify that if the actuator sampling period is properly chosen then closed-loop stability is guaranteed, since (33) induces an ISS-type property on the Lyapunov function. In fact, (33) yields
[TABLE]
where and .
Observe now that for any positive real , Young’s inequality (Hardy et al., 1952) yields
[TABLE]
Using this inequality with , we obtain
[TABLE]
where and , where denotes the largest eigenvalue of .
Accordingly,
[TABLE]
for all , where .
4.3 Closed-loop behavior outside the prediction horizon
Lemma 1 guarantees that the time elapsing between successful transmissions is always bounded under (18). Specifically, it ensures that for all , where is a DoS-dependent constant. Consider now a transmission instant . At this time, the buffer is full. If and there is no DoS at , then the buffer is filled again at and the analysis of Section 4.2 applies. This scenario can be viewed as a co-located one. Thus, there are two critical cases: (i) when , meaning that the prediction horizon does not cover one transmission period; and (ii) when , which means that the network is subject to DoS periods that exceed the prediction horizon (cf. Figure 3). We now analyze the behavior outside the prediction horizon in detail.
Let with . Recall that the prediction error satisfies
[TABLE]
for all . By hypothesis, which means that . This implies that (38) is valid for . Hence, the triangle inequality yields
[TABLE]
for all . We first look at . Note that is continuous on . This, along with Lemma 2, implies that
[TABLE]
Combining this inequality with (39), we get
[TABLE]
for all . Then, combining (4.3) and (32) yields
[TABLE]
By applying Young’s inequality again with , we obtain
[TABLE]
where .
Hence, for every such that we have
[TABLE]
where . On the other hand, for every such that we have
[TABLE]
From these expressions, we conclude that during each interval exceeding the prediction horizon the Lyapunov function satisfies
[TABLE]
where .
4.4 Stability analysis
The foregoing analysis indicates that the overall behavior of the system can be regarded as that of a switched system which behaves stably over the intervals and unstably over the intervals . We have the following result.
Theorem 2
Consider a dynamical system as in (4) under the control action (27). Given any positive definite symmetric matrix , let denote the solution of the Lyapunov equation with stable. Let the actuator sampling period be as in Theorem 1. Consider any DoS pattern satisfying (18). Then, the closed-loop system is stable if the prediction horizon satisfies
[TABLE]
where is as in Lemma 1, and where , and are as in Theorem 1 and where and are the smallest and largest eigenvalues of , respectively.
Proof. Recall that exists finite in view of Lemma 1. Hence, we can restrict ourselves to study the closed-loop behavior from onwards. We also assume without loss of generality that otherwise the result follows immediately from the analysis of Section 4.2. We show that
[TABLE]
where is defined as
[TABLE]
and where
[TABLE]
Note that in view of (47).
We prove this claim through an induction argument. The claim trivially holds for since . Assume next that the claim is true up to with . First recall that (37) implies
[TABLE]
for all , where the second inequality follows from . Then, we have two cases. Assume , which implies that . Note that by construction. Hence, at time we have . This shows that (4.4) holds true at . Assume next . In view of (37) and since is continuous, we get
[TABLE]
Combining this inequality with (46) yields
[TABLE]
for all , where the third inequality follows from the fact that and the definition of , while the last inequality follows from the fact that and the fact that for all . Thus, (4.4) holds true at .
Using this property, the proof can be easily finalized. In fact, (4.4) and (55) yield
[TABLE]
for all , and the sum term is bounded for any since . This concludes the proof.
Remark 4.6
One sees from (47) that in order to get stability it is not necessary that the prediction horizon covers the maximum period of DoS. In fact, DoS periods much longer than the prediction horizon can also be tolerated. In particular, one sees that robustness increases with: (i) small values of , which corresponds to mildly open-loop unstable dynamics; and (ii) large values of , which corresponds to a large decay rate of the DoS-free closed-loop dynamics. The latter should therefore be taken into account when designing the state-feedback matrix .
Remark 4.7
Taking into account the expression of from Lemma 1, it is immediate to see that (47) can be equivalently rewritten as (20). This shows that the considered architecture approaches the ideal bound (18) as . Inequality (20) also quantifies the “gap” between remote and co-located architectures for any given finite .
Remark 4.8
In this paper, we have assumed that the time needed to compute the control values is zero. This assumption can be restrictive if is large. As discussed in Feng and Tesi (2016), Lemma 1 follows from the fact that every time interval of duration contains at least one DoS-free interval of duration . This result can be generalized. In fact, one can show that if we replace (18) with
[TABLE]
then every time interval of duration
[TABLE]
contains at least one DoS-free interval of duration . This property is very useful for accounting for non-zero computation times , since it makes it possible to regard as an extended DoS interval. The only modification is that the sequence of control values should start from .
5 A Numerical Example
The numerical example is taken from (Forni et al., 2010). The system to be controlled is open-loop unstable and is characterized by the matrices
[TABLE]
The state-feedback matrix is given by
[TABLE]
The control system parameters are , , , , , , and . Disturbance and noise are random signals with uniform distribution in .
The network transmission rate is given by s. As for the actuator sampling period, Theorem 1 yields . We select s in order to synchronize the controller sampling rate with .
Figure 4 shows simulation results comparing the co-located architecture in (Feng and Tesi, 2016) with the one proposed in this paper. We consider a sustained DoS attack with variable period and duty cycle, generated randomly. Over a simulation horizon of s, the DoS signal yields s and . This corresponds to values (averaged over s) of , , and , and of transmission failures. Moreover,
[TABLE]
For the co-located architecture, the requirement for closed-loop stability is clearly satisfied.
Consider next the remote architecture. In agreement with (47), to get stability one needs a prediction horizon , which corresponds to . One sees from Figure 4 that without buffering, namely when , the closed-loop system is unstable. On the other hand, is sufficient to obtain a satisfactory closed-loop response. The results indicate that in some cases, like the one discussed here, small values of can approximate the co-located architecture well without requiring a large or co-location. In this sense, the proposed control architecture provides an effective way to trade off ease of implementation against robustness to DoS.
The conservativeness of the theoretical bound on is inherent in the “worst-case” type of analysis pursued here.
6 Concluding remarks
In this paper, we have investigated networked systems in the presence of Denial-of-Service attacks, comparing co-located and remote control architectures. While the former achieves the highest level of robustness for a very large class of DoS signals, it need not always be feasible from a practical point of view. We introduced a control architecture that approximates co-location while enabling remote implementation. This architecture relies on “packet-based” control: the control unit transmits a sequence of controls containing process input predictions. Whenever communication is allowed, the controls are stored in a buffer and used during the DoS periods. We studied closed-loop stability, quantifying the robustness “gap” between this architecture and the co-located one. As emerges from both the analysis and the numerical simulations, the proposed architecture provides an effective way of trading off ease of implementation against robustness to DoS.
The present results can be extended in many directions. The case of partial state measurements represents an interesting research avenue, where the results in (Feng and Tesi, 2017) may prove relevant. Another interesting research line pertains to the study of remote control architectures when the sensor and actuator channels are independent. In this case, it is interesting to study closed-loop stability in connection with asynchronous DoS.
Appendix A Proof of Lemma 2
Consider any interval , . The proof is divided into two steps. First, we provide an upper bound on the error dynamics at the sampling times . Second, we provide an upper bound on the error dynamics between sampling instants. This provides an upper bound on over the whole interval .
We start by deriving an upper bound on . It is simple to verify that the dynamics of the variable related to the predictor equation satisfies
[TABLE]
for all such that . Moreover, the process dynamics satisfies
[TABLE]
for all . Combining these two expressions, we get
[TABLE]
for all such that . Here, we exploited the relation and the fact that
[TABLE]
where the second equality is obtained using the change of variable . We then have
[TABLE]
where .
We can now provide an upper bound on the prediction error between sampling instants. To this end, observe that the dynamics of satisfies
[TABLE]
where . Let now
[TABLE]
where . Then, the solution of (73) satisfies
[TABLE]
for all , where we defined and .
Observe that and that is monotonically increasing with . Thus, any positive real such that
[TABLE]
ensures (33) with .
The explicit expression for follows from Theorem 1.
References
- Amin, S., Càrdenas, A., and Sastry, S. (2009). Safe and secure networked control systems under denial-of-service attacks. Hybrid Systems: Computation and Control, 31–45.
- Bemporad, A. (1998). Predictive control of teleoperated constrained systems with unbounded communication delays. In 37th IEEE Conference on Decision and Control, Tampa, FL, USA.
- Cetinkaya, A., Ishii, H., and Hayakawa, T. (2016). Networked control under random and malicious packet losses. IEEE Transactions on Automatic Control, (99), 1–16.
- Chaillet, A. and Bicchi, A. (2008). Delay compensation in packet-switching networked controlled systems. In 47th IEEE Conference on Decision and Control (CDC 2008), 3620–3625.
- Cheng, P., Datta, A., Shi, L., and Sinopoli, B. (eds.) (2017). Special issue on secure control of cyber physical systems. IEEE Transactions on Control of Network Systems.
- De Persis, C. and Tesi, P. (2014a). On resilient control of nonlinear systems under denial-of-service. In Proc. of the IEEE Conference on Decision and Control, Los Angeles, CA, USA.
- De Persis, C. and Tesi, P. (2014b). Resilient control under denial-of-service. In Proc. of the 19th IFAC World Conference, Cape Town, South Africa, 134–139.
- De Persis, C. and Tesi, P. (2015). Input-to-state stabilizing control under denial-of-service. IEEE Transactions on Automatic Control, 60(11), 2930–2944.
