# A Study Of Optimal False Information Injection Attack On Dynamic State Estimation in Multi-Sensor Systems

###### Abstract

In this paper, the impact of false information injection is investigated for linear dynamic systems with multiple sensors. It is assumed that the system is unsuspecting the existence of false information and the adversary is trying to maximize the negative effect of the false information on Kalman filter’s estimation performance. The false information attack under different conditions is mathematically characterized. For the adversary, many closed-form results for the optimal attack strategies that maximize Kalman filter’s estimation error are theoretically derived. It is shown that by choosing the optimal correlation coefficients among the bias noises and allocating power optimally among sensors, the adversary could significantly increase Kalman filter’s estimation errors. To be concrete, a target tracking system is used as an example in the paper. From the adversary’s point of view, the best attack strategies are obtained under different scenarios, including a single-sensor system with both position and velocity measurements, and a multi-sensor system with position and velocity measurements. Under a constraint on the total power of the injected bias noises, the optimal solutions are solved from two perspectives: trace and determinant. Numerical results are also provided in order to illustrate the effectiveness of the proposed attack strategies.

## I Introduction

System state estimation in the presence of an adversary that injects false information into sensor readings has attracted much attention in wide application areas, such as target tracking with compromised sensors, secure monitoring of dynamic electric power systems and radar tracking and detection in the presence of jammers [1]. This topic has been studied in [2, 3, 4, 5, 6, 7, 8, 9]. In [2], the problem of taking advantage of the power system configuration to introduce arbitrary bias to the system without being detected was investigated and inspired many researchers further study false information injection along this direction. [3] shows the impact of malicious attacks on real-time electricity market concerning the locational marginal price and how the attackers can make profit by manipulating certain values of the measurements. Some certain strategies are also provied to find the optimal single attack vector. The relationship between the attackers and the control center was discussed in [4], where both the adversary’s attacking strategies and the control center’s detection algorithms have been proposed. Refer to [5] and [6] for more about false information attacks on the electricity market. Inspired by [2], the data frame attack in which deleting the comprised sensors the defender system detects will make the system unobservable was formulated as a quadratically constrained quadratic program (QCQP) in [7]. In [8, 9], the relation between a target and a MIMO radar was characterized as a two-person zero-sum game. However, in the aforementioned publications, only the problem of static system state estimation has been considered.

In this paper, for a linear dynamic system, we analyze the impact of the injected false information on Kalman filter’s state estimation performance over time, which has not got much attention in the literature. Some related publications exist on sensor management [10, 11, 12], where the problem of arranging the sensors to minimize the covariance of the state estimation error so that a more accurate state estimate can be obtained is investigated. This problem is clearly opposite to the problem we study in the paper, where the goal for the adversary is to maximize the mean square state estimation error matrix, and to confuse Kalman filter. In [13], the problem of sensor bias estimation and compensation for target tracking has been addressed. Interested readers are referred to [13] and the references therein for details.

In [14], we have studied the impact of the injected biases on a Kalman filter’s estimation performance, showing that if the false information is injected at a single time, its impact converges to zero as time goes on; if the false information is injected into the system continuously, the estimation error tends to reach a steady state. In [15], we have found the best strategies for the adversary to attack Kalman filter system from the perspective of the trace of the mean squared error (MSE) matrix, and obtained some close-form results. Also in [16], based on the previous work, the problem is further refined regarding the determinant of MSE matrix, which the correlation among the elements is taken into consideration. In [17, 18], the Kalman filter system has been investigated regarding the system robustness in the case where sensor reading is continuously jammed by the false information using Greedy search and dynamic programming. However, the it is of great challenge to find the closed form solution in term of determinant of the MSE matrix and optimal solution to the case in which the Kalman filter system is compromised by the false information continuously. Considering the problems mentioned above, in this paper, our goal is to find the closed form optimal attack strategy for the adversary, which maximizes the impact of the false information injection on Kalman filter’s state estimation from the determinant perspective. By adopting the objective function as the determinant of the MSE matrix, we change the problem significantly. As shown later in the paper, the optimal attack strategy that maximizes the determinant of the MSE matrix is a function of Kalman filter’s state estimation covariance and hence ”adaptive” to Kalman filter; whereas that maximizing the trace of the MSE matrix is not a function of Kalman filter’s state estimation covariance. Previous works concentrated more on the situation where the adversary attacks the system by a single shot. In this paper, the problem of continuous attack is also investigated.

The rest of paper is organized as follows. Section II generally describes the discrete-time linear dynamic system. Section III mathematically characterizes the impact of determined or random false information on Kalman filter’s system. Section IV and V analyze how to get the best strategy to attack Kalman filter’s system from trace and determinant cases standing from the perspective of the adversary. Under the constraint on the adversary’s total sensor bias noise power, different strategies are proposed to maximize Kalman filter’s mean squared state estimation error for different scenarios. Section VI provides the simulation results and Section VII concludes the paper.

## Ii Kalman filter System

## Iii System Model

The discrete-time linear dynamic system can be described as below,

(1) |

where is the system state transition matrix, is the system state vector at time , is a known input vector, is the input gain matrix, and is a zero-mean white Gaussian process noise with covariance matrix . Let us assume that sensors are used by the linear system. The measurement at time collected by sensor is

(2) |

with being the measurement matrix, and a zero-mean white Gaussian measurement noise with covariance matrix , for . We further assume that the measurement noises are independent across sensors. The matrices , , , , and are assumed to be known with proper dimensions. In this paper, we assume that a bias is injected by the adversary into the measurement of the th sensor at time intentionally. Therefore, the measurement equation (2) becomes

(3) |

where is the corrupted measurement, is either an unknown constant or a random variable independent of and .

For compactness, let us denote the system sensor observation as , which contains the observations from all the sensors. Similarly, let us denote the system bias vector as which includes the biases at all the sensors. Correspondingly, the measurement matrix becomes

(4) |

With these notations, it is easy to convert (2) and (3) into the following equations respectively.

(5) |

and

(6) |

Further, we have the measurement error covariance matrix corresponding to is

(7) |

which is obtained by using the assumption that measurement noises are independent across sensors.

## Iv Impact of False Information Injection

In this paper, let us assume that the adversary attacks the system by injecting false information into the sensors while unaware of such attacks. We start with the case where biases () are continuously injected into the system starting from a certain time . Note that single injection is just a special case of continuous injection when are set to be nonzero at time and zero otherwise.

In the continuous injection case, Kalman filter’ extra state estimation error, which is caused by the continuous bias injection alone, is derived in [19] and provided as follows.

###### Proposition 1.

Kalman filter’s state estimation error at time is

(8) |

where is Kalman filter’s state estimate in the presence of the bias sequence , is Kalman filter’s state estimate in the absence of the bias,

(9) |

is the identity matrix, and is Kalman filter gain [20] at time . As a result, the extra state estimation error at time due to the continuous bias injected at and after time is

(10) |

If {} is a zero-mean, random, and independent sequence, the extra mean squared error (EMSE) at a particular time instant due to the bias alone is provided in the following proposition. Using the results from Proposition 1, the proof of Proposition 2 is provided as well.

###### Proposition 2.

When the bias sequence is zero mean, random, and independent over time, the at time due to the biases injected at and after time , denoted as , is

(11) |

where

(12) |

is an identity matrix, and is the covariance matrix of .

Proof Sketches: Let us denote as Kalman filter’s state estimation error in the absence of any false information, and

(13) |

From (LABEL:eq:err), we can get

where the last line is due to the fact that and have zero mean, are independent from each other when , and are independent from . Using this fact again, we further have

where has been defined in Proposition 2.

## V The Optimal Attack Strategy

#### V-1 Problem Formulation for a General Linear System

In this paper, we investigate the optimal attack strategy that an adversary can adopt to maximize the system estimator’s estimation error. This problem can be formulated as a constrained optimization problem. Without loss of generality, let us consider that the attacker is interested in maximizing the system state estimation error at time right after a single false bias is injected at time . In this case, we are interested in designing the injected random bias’ covariance matrix such that

(15) |

where is a constant, is the matrix trace operator, and is Kalman filter’s state estimation error covariance matrix at time in the absence of any false information. Note that it is meaningful to have a constraint on the trace of , since it can be deemed as the power of injected sensor bias , and a smaller power for reduces the probability that the adversary is detected by the system estimator using an innovation based detector. Note that the optimization problem is equivalent to one that maximizes , since is not a function of , and trace is a linear operator. If one is more interested in the determinant of the estimation MSE matrix, a similar optimization problem can be easily formulated as follows.

(16) |

#### V-2 Equivalent Measurement in Multi-Sensor Systems

To simplify the mathematical analysis, it is helpful to derive the equivalent sensor measurement, which is a linear combination of the observations from all the sensors, and is a sufficient statistic containing all the information about the systems state. The equivalent sensor measurement vector and its corresponding covariance matrix should have much smaller dimension than the original measurement vector and its covariance, making the mathematical manipulation and derivation later in the paper much simpler. In a information filter recursion [20], which is equivalent to Kalman filter recursion, we have

(17) |

where and . It is clear that represents the prior knowledge about the system state based on past sensor data, and the second term in (17) represents the new information from the new sensor data , which can be expanded by using (4) and (7) as follows.

(18) |

In the following derivations, we skip the time index for simplicity. Our purpose is to find an equivalent measurement such that

(19) |

where , and

(20) |

Let us consider two cases. First, suppose all the s are the same () , then it is natural to set . Note that a sufficient condition for (20) to be true is

(21) |

Taking the covariance on the both sides of (21), we get

(22) |

This implies that

(23) |

In the second case, let us assume that the system state is observable based on the observations from all the sensors, meaning that the Fisher information matrix is invertible. In this case, by setting , using (20), and following a similar procedure as in the first case, we have

(24) |

and

(25) |

## Vi A Target Tracking Example

In this paper, we give a concrete target tracking example. We assume that the target moves in a 1-dimensional space according to a discrete white noise acceleration model [20], which can still be described by the plant and measurement equations given in (1) and (2). In such a system, the state is defined as , where and denote the target’s position and velocity at time respectively. The input is a zero sequence. The state transition matrix is

(26) |

where is the time between measurements. The process noise is , where is a zero mean white acceleration noise, with variance , and the vector gain multiplying the scalar process noise is given by . The covariance matrix of the process noise is therefore .

In this paper, we investigate the attack strategies for two scenarios. In the first scenario, only position measurements are available to the sensors, whereas in the second scenario, the sensors measure both position and velocity of the target.

### Vi-A Attack Strageties Analysis From Trace perspective

#### Vi-A1 Attack Strategy For Multiple Position Sensors

In this case, it is assumed that at each sensor, only the position measurement is available, so that . At each sensor, the measurement noise process is zero-mean, white, and with variance, . In order to simplify the problem, we think of as the equivalent measurement, which is a linear combination of the measurements from all the sensors. Using the results we derived in Section V-2 for the first case, namely (21) and (23), the measurement equation (3) becomes

(27) |

where

(28) |

(29) |

and

(30) |

which is the corresponding coefficient/weight for the th sensor. In this target tracking problem, let us first consider the strategy that maximizes the trace of the Kalamn filter estimation error, which is the solution of (15) in Section V-1. In this case,

(31) |

where is the variance of the random bias injected at the th sensor (), and is the correlation coefficient between and . Therefore, (15) is equivalent to

(32) |

To simplify this problem, we first use the equivalent measurement to convert the multi-sensor problem to a single sensor problem. Namely, in Proposition 2 by replacing

with , and replacing with

we can easily show that . Since is a scalar and is not a function of , maximizing the trace of is equivalent to maximizing .

First, let us consider the case where the random biases at different sensors are independent, meaning that for . The optimal strategy for the adversary in this case is clearly to put all the bias power to the sensor with the largest coefficient :

###### Proposition 3.

For a system with sensors, if the adversary injects independent random noises, the best strategy is to allocate all the power to the sensor with smallest noise variance.

Next, let us consider the more general case where the random biases are dependent. By inspecting (VI-A1), it is clear that to maximize , we need to set all the s to 1. As a result, (VI-A1) becomes

(34) |

Now, the optimization problem in (32) has been converted to the following problem:

(35) |

The above problem can be solved by using standard constrained optimization techniques [21] based on gradient and Hessian, which are rather involved. Here we solve the problem using a much simpler geometric solution, which has been shown to give the same solution as that by the standard optimization techniques. We start with the simplest case with two sensors, in which we need to solve the following optimization problem.

(36) | |||||

s.t. |

We can get the optimal solution by analyzing the problem geometrically with the norm vector of the objective function as shown in the Fig. 1. The constraint of the problem is represented by the circle with a radius of . We move the line with the slope to get the largest intercept between and axis under the constraint that there is an intersection between the circle and the line . The corresponding optimal solution is found when becomes a tangent line to the circle, which is

(37) |

For a system with arbitrary number of sensors, we can repeat the same procedure to find the optimal solution by using hyperplanes and hyperspheres. In general, the optimal attack strategy can be found and summarized as follows.

###### Theorem 1.

For a system with sensors, the optimal strategy for the adversary is to inject dependent random noises with a pairwise correlation coefficient of . The random bias power is allocated such that

(38) |

#### Vi-A2 Attack Strategy For A Single Position And Velocity Sensor

In this case, let us assume that the sensors collect both position and velocity measurements of the target. Therefore, the measurement matrix for the th sensor is , where is a identity matrix. At the th sensor, the adversary injects the bias noise vector to the sensor measurement , where consists biases in position and velocity measurements. Let us assume that the system bias vector is zero-mean and has a covariance matrix . Further, the th submatrix for is defined as

(39) |

for . and are the position and velocity bias noise standard deviations at the th sensor respectively. The s are defined as the proper correlation coefficients between components of the bias vector, and , for . Since the position bias and velocity bias have different units, we need an appropriate constraint for bias noise power. Here we assume that the total noise power is defined as

(40) |

Note that this is a meaningful power definition, since the two terms in the above equation has the same unit. Recall that according to the target tracking system plant equation and ignoring the system process noise, we have . Therefore, the power defined in (40) can be interpreted as the summation of the extra mean squared errors for the position estimate caused by independent bias injections. We can see that the best attack strategy derived under a constraint on power defined in (40) can be easily adjusted and extended for other power definitions, as long as in the new definition, the second term is proportional to .

As we can use the equivalent sensor to represent the multiple sensors, we focus on the single-sensor case first. If we are interested in the case of , maximizing the trace of is equivalent to maximize the . We assume that the adversary knows the system models and the prior information at time zero, so that he/she can calculate the offline Kalman filter gain matrix recursively. Therefore, the best strategy the adversary can adopt to attack the system is the solution to the following optimization problem:

(41) |

where

(42) |

and

(43) |

It is easy to show that

(44) |

According to the sign of , we can set the value of the to maximize the objective function. For example, if is positive, we set and the optimization problem becomes

(45) | |||

To solve this constrained optimization problem, let us first denote

(46) |

The constraint in (41) can be written as

(47) |

Now we set and . Plugging and into the objective function, we have the following equivalent optimization problem

(48) |

where

(49) | |||||

(50) |

Clearly, the optimal solution is

(51) |

We summarize this result in the following theorem.

###### Theorem 2.

For a system with one sensor observing position and velocity of the target, the optimal strategy for the adversary is to inject random noise that has dependent position and velocity components. If , the correlation coefficient should be set as , and the random bias power is allocated such that

(52) | |||

When , we should set and set and . The rest of the equations in formula (52) remains the same.

#### Vi-A3 Attack Strategy For Multiple Position And Velocity Senors

In this case, , and the measurement matrix is . The measurement covariance matrix for the th sensor is assumed to be

(53) |

Now, according to (25), we have

(54) |

According to (24), we define

(55) |

as the weighting matrix for the th sensor’s observation . Further, we define

(56) |

both of which are positive numbers. The equivalent noise injection is therefore

(57) |

So the covariance matrix of the equivalent bias vector is

(58) |

where has been defined in (39). It can be shown that

(59) |

Where

(60) |

(61) |

The optimization problem can be written as follows.

(62) | |||

where

(63) |

is Kalman filter gain calculated using the equivalent measurement covariance matrix and equivalent measurement matrix . It is easy to show that

(64) | |||

Clearly, all the s that appear in and should be set as 1 to maximize the objective function. The optimal values for s in depend on Kalman filter gain . More specifically, when , all the s that appear in should be set to ; otherwise, they should be set as . Let us first suppose that is true, then we have

(65) |

So far, we have converted the objective function in (62), which involves 10 variables to one that involves only 4 variables. Considering that the power constraint reduces one degree of freedom, we only need to solve an optimization problem in a 3-dimensional space.

#### Vi-A4 Strategy For A Single Sensor With Multiple Time Attack

Based on Proposition 2, we get the extra mean square matrix,

Suppose at the time , the adversary wants to attack the system continuously from time to , the weight for different time is , as shown below,

(66) | |||

where . So the objective function in the multi-shot attack case is the trace of the weighted sum of the EMSE matrices at different time points that is . It is equivalent to maximize the trace of the weighted sum of the MSE matrices of the state estimates, because once the system reaches its steady state, becomes constant, and the weighted sum of