# Secure Mode Distinguishability for Switching Systems Subject to Sparse Attacks

###### Abstract

Switching systems are an important mathematical formalism when dealing with Cyber-Physical Systems (CPSs). In this paper we provide conditions for the exact reconstruction of the initial discrete state of a switching system, when only the continuous output is measurable, and the discrete output signal is not available. In particular, assuming that the continuous input and output signals may be corrupted by additive malicious attacks, we provide conditions for the secure mode distinguishability for linear switching systems. As an illustrative example, we consider the hybrid model of a DC/DC boost converter.

NOTICE: this is the author's version of a work that was accepted for publication in IFAC 2017 World Congress. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in IFAC World Congress, July 2017 (see Fiore et al. (2017b)).

Gabriella Fiore, Elena De Santis, Maria Domenica Di Benedetto

Keywords: Switching systems, mode distinguishability, secure state estimation.

## 1 Introduction

In Cyber-Physical Systems (CPSs) physical processes, computational resources and communication capabilities are tightly interconnected. Traditionally, the physical components of a CPS are described by means of differential or difference equations, while the cyber components are modeled by means of discrete dynamics. Therefore, hybrid systems, which are heterogeneous dynamical systems characterized by the interaction of continuous and discrete dynamics, are a powerful modeling framework to deal with CPSs. Switching systems are an important subclass of hybrid systems and can be viewed as a higher level abstraction of a hybrid model. In general, for switching systems the observability property is concerned with the possibility of reconstructing the hybrid state, i.e. both the discrete state (also called mode or location) and the continuous one.

The focus of this paper is on the exact reconstruction of the discrete state of a switching system, when only the continuous output is accessible and the discrete output is not available, using the formalism introduced in De Santis (2011) and developed in De Santis and Di Benedetto (2016), where the authors address the problem of discrete state reconstruction for ideal autonomous and controlled switching systems. In this paper, we extend those results, by investigating the scenario in which the continuous input and output signals may be corrupted by additive malicious attacks. This is motivated by the great importance of security issues for CPSs, where the presence of a feedback loop between the physical processes and the controllers through the communication network may increase the vulnerability of the system to failures or malicious attacks. In this case, security measures protecting only the computational and communication layers are not sufficient for guaranteeing the safe operation of the entire system against the presence of malicious attackers. Therefore, new strategies that explicitly address the strong interconnection between the physical, the computational and the network layers are needed.

There exists a vast literature dealing with security for CPSs (see Amin et al. (2009) and Pasqualetti et al. (2015) to name a few). In general, cyber attacks can be divided into two main categories (see Amin et al. (2009)): deception attacks compromising the integrity of the information, and denial-of-service attacks compromising the availability of the information. Recent results focus on the case when the attack is not represented by a specific model, but it is assumed to be unbounded and influencing only a small subset of sensors and/or actuators, i.e., the attack is sparse but its intensity can be unbounded (see Fawzi et al. (2014), Chong et al. (2015), Shoukry et al. (2015), Shoukry and Tabuada (2016), Hu et al. (2016), Shoukry et al. (2016), Fiore et al. (2017a)). In Fawzi et al. (2014) the authors propose a method to estimate the state of a linear time invariant system when an unknown (but fixed in time) set of sensors and actuators is corrupted by sparse deception attacks. They prove that, if the number of corrupted devices is smaller than a certain threshold, then it is possible to exactly recover the internal state of the system, by means of an algorithm derived from compressed sensing techniques. A more computationally efficient version of the algorithm is presented in Shoukry and Tabuada (2016) where the authors introduce a notion of strong observability and a recursive algorithm that estimates the state despite the presence of the attack. The same assumption on the sparsity of the attack signal is made in Chang et al. (2016) where the authors consider a more general case in which the set of attacked nodes can change over time. A similar approach is used in Chong et al. (2015) where a continuous time linear system is considered. In order to overcome the limitations imposed by the combinatorial nature of the problem, in Shoukry et al. (2016) the authors formulate the problem as a satisfiability one, and propose a sound and complete algorithm based on the Satisfiability Modulo Theory paradigm. All the above-mentioned works are concerned with the state estimation for linear systems and cannot be directly applied to switching systems.

### 1.0.1 Contribution.

In this paper, we investigate under which conditions the exact reconstruction of the initial discrete state of a switching system is resilient against the presence of a sparse attack. In order to estimate the current mode of the switching system when the discrete output is not available and only the continuous output signal is accessible, we need to distinguish which discrete state is indeed active, i.e. we need to distinguish between any two dynamical systems, based on the continuous information only. This problem has been addressed in the literature for switching systems where the continuous input and output information is not corrupted by failures or malicious attacks (see De Santis and Di Benedetto (2016) and references therein for a complete review of existing results on this topic). In Baglietto et al. (2014) the authors investigate the problem of identifying the current location of a switching system when the continuous measurement signal is corrupted by noise. This disturbance is assumed to have bounded magnitude and therefore their results do not apply to the case in which the additive signal is not a measurement noise but an intentional attack performed by a malicious attacker, the magnitude of which can be unbounded. Thus, when the continuous input and output signals can be compromised by a malicious attacker, we extend the characterization presented in Fawzi et al. (2014) by defining a notion of secure distinguishability. We model an attack on the sensors as an attack on the continuous output signal of the switching system, and an attack on the actuators as an attack on the continuous input signal. We consider both the case of autonomous switching systems and the case of controlled switching systems.

The paper is organized as follows. In Section 2 we provide a general formulation of our problem. In Section 3 we investigate the case of controlled switching systems in which both the sensor measurements and the actuator signals can be corrupted by a malicious attacker. In Section 4 we consider the case of autonomous switching systems with sparse attacks on sensors. In Section 5 we provide an illustrative example, in which we check if the dynamics of a DC/DC boost converter are securely distinguishable, making use of the hybrid model provided in Theunisse et al. (2015).

### 1.0.2 Notation.

In this paper we use the following notation. indicates the identity matrix, indicates the null matrix of proper dimensions (which can be trivially deduced by the context). Given a vector , is its support, that is the set of indexes of the non-zero elements of ; is the cardinality of , that is the number of non-zero elements of . The vector is said to be -sparse if . indicates the set containing all the -sparse vectors such that . Given the function , is the collection of samples of , i.e. . The function is said to be cyclic -sparse if, given a set , such that , and , for all . is the set containing all the cyclic -sparse vectors . Given a matrix and a set , we denote by the matrix obtained from by removing the rows whose indexes are contained in . If is the support of a vector , its complement is . Thus, is the matrix obtained from by removing the rows whose indexes are contained in , or, equivalently, the rows whose indexes are not contained in . Given the set we denote by the matrix obtained from by removing the columns whose indexes are contained in . is the matrix obtained from by removing the columns whose indexes are not contained in .

## 2 Problem Formulation

In this paper we consider a nominal switching system, where the finite set of discrete states is . A linear discrete-time dynamical system is associated to each discrete state , which is fully described by the tuple as follows:

(1) | ||||||

where , denotes the set of nonnegative integer numbers, is the (continuous) state of the system, is the output measured by the sensors, is the input sent by the controller to the actuators. The collection of all subsystems , is denoted by . We assume that only the continuous input and output signals are known, whereas the initial discrete state , and the initial continuous state are unknown. The switching signal specifies which dynamical system is currently active in each time instant, that is, which is the current discrete state. In this paper we assume that the switching signal is unknown and arbitrary, therefore we do not exploit any information about the underlying graph topology, representing the admissible transitions between discrete states. Let be the initial time. For a given , we assume that no switching occurs in the interval . In other words, we assume that the switching system dwells enough time in each discrete mode before a new transition takes place. More specifically, we assume the existence of a minimum dwell time such that each discrete state remains active for at least steps.

We consider the scenario in which sensor measurements (continuous output) are sent to the controller, which estimates the true discrete state of the system and the corresponding initial continuous state (which are unknown). Based on this estimation, the controller sends the control signal (continuous input) to the actuators, as shown in Fig. 1.

We assume that sensor measurements and actuator inputs are exchanged by means of a wireless communication network, and that both of them could be compromised by an external malicious attacker. With this assumption, we consider both the case in which the attacker compromises the devices (sensors or actuators, also called nodes) and the case in which the attacker affects the communication links between different devices (that is, between sensors/actuators and the controller).

The corrupted system can be described as follows:

(2) | ||||

where is the -sparse attack vector on actuator signals, and is the -sparse attack vector on sensor measurements. We assume that the malicious attacker has access only to a subset of sensors , and to a subset of actuators , meaning that the set of attacked nodes is fixed over time (but unknown). This assumption is motivated by the fact that it is reasonable to suppose that, in a real system, the attacker does not have access to the whole set of monitoring and controlling devices.

We assume that the attack on sensor measurements is cyclic -sparse (for brevity, -sparse), and that the attack on actuator signals is cyclic -sparse (for brevity, -sparse). Roughly speaking, Assumption 2 means that we know that both the set of attacked sensors and the set of attacked actuators have bounded cardinality (that is, , , respectively), but we do not know which nodes are actually compromised. Let denote the -th component of , (i.e., the component of corresponding to the -th sensor), at time . If , then for all and the -th sensor is said to be secure (i.e. not attacked). If , then can assume any value and this corresponds to the case in which the attacker has access to the -th sensor. The same holds for attacks on the actuators.

The problem that we consider in this paper is to provide conditions for the exact reconstruction of the discrete state of a switching system in the time interval , based on the knowledge of the corrupted continuous output signal and the continuous input signal (which can be corrupted by a malicious attacker, too). The reconstruction of the discrete mode of the switching system corresponds to understanding which continuous dynamical system is evolving, in a set of known ones. This means that, given a pair of linear systems, we have to investigate the possibility of distinguishing which one of the two systems is active, based on the continuous output and input information, despite the presence of sparse attacks. The initial discrete state can be reconstructed if and only if each pair in can be distinguished. If the initial discrete state can be reconstructed, then also the discrete state after each switching can be reconstructed, provided that the dwell time is sufficiently large.

For the nominal system in (1), different distinguishability notions have been proposed, based on the role of the input function and of the continuous initial state (see De Santis (2011) for an exhaustive analysis). In this paper, we integrate these notions, by introducing the secure distinguishability property for the corrupted switching system in (2), and we investigate under which conditions this property holds. More specifically, we assume that the continuous input and output signals can be corrupted by sparse attacks, as in Fawzi et al. (2014). However, instead of considering a discrete-time linear system, we extend the characterization in Fawzi et al. (2014) to switching systems. Therefore, our attention is focused on providing conditions which enable the correct identification of the current location of the switching system, despite the presence of sparse attacks.

For the sake of clarity, we first review the notion of distinguishability between nominal linear systems, described as in (1), in which the distinguishability is required for generic inputs and for all initial states. A generic input sequence is any input sequence that belongs to a dense subset of the set , equipped with the norm. Let , , be the output evolution when the dynamical system is active with initial state , and let be the set of all input functions .

(De Santis (2011)) Two linear systems and , , are input-generic distinguishable if there exists such that, for any pair of initial states and , and for a generic input sequence , with , . The systems and are called indistinguishable if they are not input-generic distinguishable.

## 3 Controlled switching systems

In this section we consider the corrupted system in (2), with attacks on sensor measurements and on input signals which are -sparse and -sparse, respectively.

First, we recall the result on input-generic distinguishability for the nominal system in (1). The distinguishability notion implies the comparison between the output evolutions of different dynamical systems. Thus, let two nominal linear systems and , , be given. We consider the augmented linear system , which is fully described by the triple , such that:

(3) |

with , , .

The following matrices are also associated with the augmented system :

(4) | ||||

where is the null matrix, . is the steps-observability matrix for the augmented system , and it is made up of the steps-observability matrices and for the linear systems and , respectively.

(De Santis (2011)) Two nominal linear systems and , , are input-generic distinguishable if and only if .

In this section, we assume that, for any pair , the linear systems and are input-generic distinguishable.

We now extend Definition 2 and Theorem 3 to take into account the presence of the (unknown) attack on sensors and actuators, as in (2), when the controller is aware neither of which actuators are corrupted, nor of which sensors are corrupted. In this case, the distinguishability between different modes is required for generic inputs, generic sparse attacks on actuators, for all sparse attacks on sensors, and for all initial states.

Two linear systems and , , are securely distinguishable with respect to generic inputs, generic sparse attacks on actuators and for all sparse attacks on sensors (shortly, securely distinguishable), if there exists such that , for any pair of initial states and , for any pair of sparse attack vectors and , and for any generic .

To the aim of characterizing the secure distinguishability property, we consider the augmented linear system depicted in Fig. 2. We assume that the sets of attacked actuators for and are, respectively, and , with . The sets of attacked sensors for and are, respectively, and , with .

We can reformulate the component of the state due to the attack on actuators as and , where , . , are the matrices obtained from and by removing the columns whose indexes are not contained in and , respectively.

The augmented linear system is represented by the following equations:

(5) | ||||

where , , , , .

The following matrices are associated with the augmented system in (5):

(6) | ||||

where , , , is the steps-observability matrix for the augmented system .

Let two linear systems and , , and sets , , , , be given. Consider the input sequence , with , the attack sequences on actuators , with , , and the attack sequences on sensors , . The set , is defined as:

(7) | ||||

Given sets , such that , , , let be the maximal subspace such that

(8) | ||||

Let be the maximal -controlled invariant subspace contained in (as defined in Basile and Marro (1992)).

Given sets , such that , , , there exists as in (8) if and only if:

(9) |

If this inclusion holds, then .

Assume that exists. Then is a -controlled invariant subspace contained in , hence because of maximality of . Condition (8) implies that . On the other side, suppose that . Then .
Since

and

then , because of maximality of . Therefore .

The output sequence of the augmented system in (5) can be written in compact form as:

(10) |

where , , , , , , and the matrices are defined in (6).

Given sets , with , and with , , for (10) has a solution , for all , for all , for all , and for all , if and only if .

Assume that . Then the set is non-empty. Therefore , and the following holds: . Thus .

Assume now that . Therefore . As is the maximal -controlled invariant subspace contained in , then there exist and such that .

Two linear systems and , , are securely distinguishable if and only if the following conditions hold:

(11) | |||

for any tuple of sets , with , , and , , for .

## 4 Autonomous switching systems

In this section, an autonomous switching system, whose continuous output is corrupted by a sparse attack, is considered. A dynamical system is associated to each discrete state as follows:

(12) | ||||

where represents the -sparse attack on the sensor measurements.

Let two nominal autonomous linear systems and be given (that is, in (12) the attack vectors are such that , ). When both and have initial condition in the origin (i.e., ), the output evolutions are identically zero. Thus, for autonomous systems, the distinguishability between different modes cannot be required for any initial state. Therefore, the following distinguishability notion is considered, in which the possibility of both autonomous linear systems having initial condition in the origin is excluded.

(Vidal et al. (2002)) Two autonomous linear systems and , , are distinguishable, if there exists such that, for any pair of initial states and (with or ), . The nominal autonomous linear systems and are called indistinguishable if they are not distinguishable.

Our aim is to investigate under which conditions it is possible to determine the current mode of the autonomous switching system in (12) (without knowing the continuous initial state), when the continuous output signal is corrupted. In order to do so, we extend Definition 4 to take into account the presence of the (unknown) attack on sensors.

Two autonomous linear systems and , , are -securely distinguishable if there exists such that, for any pair of initial states and (with or ), and for any pair of -sparse attack vectors and , .

As already described in the previous section, in order to compare the output evolutions of two autonomous linear systems and , , we consider the augmented linear system , depicted in Fig. 3, which is fully described by the pair , such that:

(13) |

with , . The following steps-observability matrix is associated with the augmented system :

(14) |

where .

First, we recall the result concerning the distinguishability of two nominal autonomous systems.

(Vidal et al. (2002)) Two nominal autonomous linear systems and , , are distinguishable for any initial state and (with or ) if and only if .

In this section, we assume that, for any pair , the linear systems and are distinguishable.

In Assumption 4 we consider a number of observations (i.e., equal to the state space’s dimension of the augmented system ). It can be noted that, adding further observations (i.e., beyond samples) would not increase the rank of the observability matrix because, due to the Cayley-Hamilton theorem, they would be a linear combination of the first components.

Two autonomous linear systems and , , are -securely distinguishable if and only if, for any set with , the matrix obtained from the pairs and has full column rank.

Assuming to collect observations, the output of the augmented linear system , as shown in Fig. 3, is:

(15) | ||||

Let us rearrange equation (15) as:

(16) | ||||

where , , , , and .

By contradiction, assume that for any set , , the observability matrix obtained from the two pairs and has full column rank (i.e. ), and that there exist two initial states and ( or ) and a pair of attack vectors , , such that . Let be the set of indexes , for which the corresponding -th element of is different from zero (i.e. ), thus . , which is a contradiction.

Assume now that there exists a set of indexes , , for which the observability matrix obtained from the two pairs and has not full column rank (i.e. there exists such that ), and that there exist two initial states and ( or ) and a pair of attack vectors , , such that . is the set of indexes , for which the corresponding -th element of is different from zero (i.e. ). Assume now to partition the set as such that and . For the sake of clarity consider and assume that the pair is such that:

(17) | ||||

where , , indicates the -th element of the vector . Thus , which contradicts the initial assumption of distinguishability.

Proposition 4 corresponds to an observability notion stronger than the classical one, for the augmented system . This means that for the linear system the observability property must be satisfied even after the removal of a proper number of output signals (in particular, after the removal of the corrupted sensors).

Proposition 4 gives a bound on the cardinality of the set of attacked sensors (that is, for the sparsity of the attack vector). In particular, it is trivial to check that the following condition has to be satisfied: .

This condition corresponds to the maximum number of correctable errors (i.e., the maximum number of attackable sensors) derived in Fawzi et al. (2014) for the discrete-time linear system. Here, we obtain the same bound for secure mode distinguishability of switching systems.
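The rank test of Proposition 4 can be run mechanically over every candidate set of removed sensors. The sketch below is an added example, not code from the paper: it assumes the augmented pair is blkdiag(A_i, A_j) with output matrix [C_i, -C_j], that sets of 2s sensors are removed (twice the attack sparsity s, as in Fawzi et al. (2014)), and it uses constructed sample matrices and hypothetical function names.

```python
from fractions import Fraction
from itertools import combinations


def rank(rows):
    """Exact rank by Gaussian elimination over the rationals."""
    m = [[Fraction(v) for v in r] for r in rows]
    rk = 0
    ncols = len(m[0]) if m else 0
    for col in range(ncols):
        pivot = next((r for r in range(rk, len(m)) if m[r][col] != 0), None)
        if pivot is None:
            continue
        m[rk], m[pivot] = m[pivot], m[rk]
        for r in range(rk + 1, len(m)):
            f = m[r][col] / m[rk][col]
            if f:
                m[r] = [a - f * b for a, b in zip(m[r], m[rk])]
        rk += 1
    return rk


def matmul(x, y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*y)]
            for row in x]


def augmented(a_i, c_i, a_j, c_j):
    """Assumed augmented pair: A = blkdiag(A_i, A_j), C = [C_i, -C_j]."""
    ni, nj = len(a_i), len(a_j)
    a = [row + [0] * nj for row in a_i] + [[0] * ni + row for row in a_j]
    c = [ri + [-v for v in rj] for ri, rj in zip(c_i, c_j)]
    return a, c


def observability(a, c):
    """Stack C, CA, ..., CA^(n-1), n = dimension of the augmented state."""
    rows, block = [], c
    for _ in range(len(a)):
        rows += block
        block = matmul(block, a)
    return rows


def failing_sensor_sets(a_i, c_i, a_j, c_j, s):
    """Sets of removed sensors for which the rank test fails.

    An empty list means the two modes pass the test for sparsity s.
    Only sets of size min(2s, p) are tried: removing fewer output rows
    can never lower the rank, so smaller sets pass whenever these do.
    """
    a, c = augmented(a_i, c_i, a_j, c_j)
    p = len(c)
    bad = []
    for removed in combinations(range(p), min(2 * s, p)):
        kept = [c[r] for r in range(p) if r not in removed]
        if rank(observability(a, kept)) < len(a):
            bad.append(removed)
    return bad


def largest_secure_s(a_i, c_i, a_j, c_j):
    """Largest s passing the test; -1 if the modes are not even
    distinguishable without attacks. Terminates because removing all
    p sensors always fails."""
    s = -1
    while not failing_sensor_sets(a_i, c_i, a_j, c_j, s + 1):
        s += 1
    return s


# Constructed sample modes (not the boost converter of Section 5):
# two 2-state modes observed by p = 3 sensors.
A_I = [[2, 0], [0, 3]]
A_J = [[5, 0], [0, 7]]
C_GOOD = [[1, 1], [1, 1], [1, 1]]   # every sensor sees both states
C_WEAK = [[1, 1], [1, 1], [1, 0]]   # sensor 2 misses the second state

if __name__ == "__main__":
    print(failing_sensor_sets(A_I, C_GOOD, A_J, C_GOOD, 1))
    print(failing_sensor_sets(A_I, C_WEAK, A_J, C_WEAK, 1))
    print(largest_secure_s(A_I, C_GOOD, A_J, C_GOOD))
```

With three sensors the test can pass for at most one attacked sensor, and the weak-sensor variant fails exactly when the two informative sensors are the ones removed.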

## 5 Numerical results

In this section, in order to show the applicability of the proposed conditions, we apply them to a DC/DC boost converter. We make use of the hybrid model described in Theunisse et al. (2015), in which the behavior of the DC/DC boost converter is modeled by means of three discrete modes (two corresponding to the open switch, one corresponding to the closed switch), thus . When the switch is open, two dynamical systems and can be active, depending on the diode conducting or not. When the switch is closed, a single dynamics can be considered. The dynamical systems are described by the following matrices:

(18) | ||||

We assume to consider the following output matrices:

(19) |

The model provided in Theunisse et al. (2015) takes into account continuous-time linear systems. We consider here their discretized version, to model the situation where the sensors send the measurement signals with a time triggered strategy. If the systems were autonomous, for any pair , the linear systems and would be distinguishable for any initial state and (with or ), as , for any . In this case, if the sensors were corrupted, we should test the condition given in Proposition 4 for -secure distinguishability. The number of attacked sensors has to satisfy the condition , therefore the attacker can have access to no more than one sensor or, in other words, (at least) two sensors must be secure. In order for and to be -securely distinguishable, for any set , , , the matrix , , obtained from the pairs and should be full column rank. The results are shown in the first column of Table 1.

4 | 4 | 2 | |

3 | 3 | 2 | |

3 | 3 | 2 |

Actually, we can conclude that if and were autonomous, they would not be -securely distinguishable, due to the rank loss for some combinations of sensors. The same holds for the pairs and . However, since the dynamical systems are not autonomous, we can verify the conditions provided in Section 3. In particular, assuming that the actuator is secure, we can check if the conditions in Theorem 3 are satisfied. Both conditions in Theorem 3 are satisfied, therefore and are securely distinguishable with respect to generic inputs and for all sparse attacks on sensors, with .

## 6 Conclusions

Motivated by the fact that switching systems are an important mathematical formulation for dealing with CPSs, in this paper we investigate under which conditions it is possible to estimate the discrete state of a switching system, when only the continuous output is accessible, and the discrete information is not available. We consider the case in which both sensor measurements and actuator inputs may be compromised by malicious sparse attacks, and we define under which conditions any two discrete modes are securely distinguishable. The aim of our future work is to propose a computationally efficient estimator of the discrete state of switching systems when sensor measurements and/or actuator signals are corrupted by sparse malicious attacks. In addition, a more realistic scenario will be investigated, in which bounded process and measurement noises are also considered in the model of the switching system.

## References

- Amin et al. (2009) Amin, S., Cárdenas, A.A., and Sastry, S.S. (2009). Safe and secure networked control systems under denial-of-service attacks. In Hybrid Systems: Computation and Control, 31–45. Springer.
- Baglietto et al. (2014) Baglietto, M., Battistelli, G., and Tesi, P. (2014). Mode-observability degree in discrete-time switching linear systems. Systems & Control Letters, 70, 69–76. doi:10.1016/j.sysconle.2014.05.006.
- Basile and Marro (1992) Basile, G. and Marro, G. (1992). Controlled and conditioned invariants in linear system theory. Prentice Hall Englewood Cliffs.
- Chang et al. (2016) Chang, Y.H., Hu, Q., and Tomlin, C.J. (2016). Secure estimation based Kalman filter for Cyber-Physical Systems against adversarial attacks. CoRR, abs/1512.03853v2. URL http://arxiv.org/abs/1512.03853v2.
- Chong et al. (2015) Chong, M.S., Wakaiki, M., and Hespanha, J.P. (2015). Observability of linear systems under adversarial attacks. In American Control Conference (ACC), 2015, 2439–2444. doi:10.1109/ACC.2015.7171098.
- De Santis (2011) De Santis, E. (2011). On location observability notions for switching systems. Systems & Control Letters, 60(10), 807–814.
- De Santis and Di Benedetto (2016) De Santis, E. and Di Benedetto, M.D. (2016). Observability of hybrid dynamical systems. Foundations and Trends® in Systems and Control, 3(4), 363–540. doi:10.1561/2600000009.
- Fawzi et al. (2014) Fawzi, H., Tabuada, P., and Diggavi, S. (2014). Secure estimation and control for Cyber-Physical Systems under adversarial attacks. IEEE Transactions on Automatic Control, 59(6), 1454–1467. doi:10.1109/TAC.2014.2303233.
- Fiore et al. (2017a) Fiore, G., Chang, Y.H., Hu, Q., Di Benedetto, M.D., and Tomlin, C.J. (2017a). Secure state estimation for Cyber Physical Systems with sparse malicious packet drops. In American Control Conference (ACC), 2017.
- Fiore et al. (2017b) Fiore, G., De Santis, E., and Di Benedetto, M.D. (2017b). Secure mode distinguishability for switching systems subject to sparse attacks. IFAC World Congress, 2017.
- Hu et al. (2016) Hu, Q., Chang, Y.H., and Tomlin, C.J. (2016). Secure estimation for Unmanned Aerial Vehicles against adversarial cyber-attacks. 30th Congress of the International Council of the Aeronautical Sciences (ICAS).
- Pasqualetti et al. (2015) Pasqualetti, F., Dorfler, F., and Bullo, F. (2015). Control-theoretic methods for cyberphysical security: geometric principles for optimal cross-layer resilient control systems. IEEE Control Systems, 35(1), 110–127. doi:10.1109/MCS.2014.2364725.
- Shoukry et al. (2016) Shoukry, Y., Chong, M., Wakaiki, M., Nuzzo,