advertisement

4634 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 68, NO. 8, AUGUST 2023 Decentralized False-Data Injection Attacks Against State Omniscience: Existence and Security Analysis Tian-Yu Zhang , Member, IEEE, Dan Ye , Senior Member, IEEE, and Yang Shi , Fellow, IEEE Abstract—This article focuses on how false-data injection (FDI) attacks compromise state omniscience, which needs each node in a jointly detectable sensor network to estimate the entire plant state through distributed observers. To reveal the global vulnerability of state omniscience, we investigate decentralized FDI (DFDI) attacks that destabilize the estimation error dynamics but eliminate their influences on the residual in each sensor node. First, the sufficiency and necessity for the existence of such attacks are studied from system eigenvalues and attackable sensors. Second, the self-generated DFDI attack sequences independent of system real-time data are designed to achieve the attack objective with elaborate parameters. Especially, the DFDI attack sequences are improved to maintain real values even if the system matrix only has unstable imaginary eigenvalues. Finally, we analyze the secure range for observer interaction weights and the sensor protection scheme to guarantee the security of state omniscience under DFDI attacks. The theoretical results for DFDI attacks are demonstrated with the linearized discrete-time model of an aircraft system. Index Terms—Complete stealthiness, cyber-physical system security, decentralized false-data injection (DFDI) attacks, distributed observers, state omniscience. Manuscript received 15 February 2022; revised 8 May 2022; accepted 9 September 2022. Date of publication 26 September 2022; date of current version 28 July 2023. This work was supported in part by the National Natural Science Foundation of China under Grant 62173071, Grant U1813214, and Grant 61621004, in part by the China Postdoctoral Science Foundation (BX20220061), in part by the LiaoNing Revitalization Talents Program under Grant XLYC1907035, in part by the Liaoning BaiQianWan Talents Program (202062), and in part by the Fundamental Research Funds for the Central Universities (N2204008). Recommended by Associate Editor F. Zhang. (Corresponding author: Dan Ye.) Tian-Yu Zhang is with the College of Information Science and Engineering, Northeastern University, Shenyang, Liaoning 110819, China (e-mail: zhangtianyu1994@qq.com). Dan Ye is with the College of Information Science and Engineering, and State Key Laboratory of Synthetical Automation for Process Industries, Northeastern University, Shenyang, Liaoning 110819, China (e-mail: yedan@ise.neu.edu.cn). Yang Shi is with the Department of Mechanical Engineering, University of Victoria, Victoria, BC V8W2Y2, Canada (e-mail: yshi@uvic.ca). Color versions of one or more figures in this article are available at https://doi.org/10.1109/TAC.2022.3209396. Digital Object Identifier 10.1109/TAC.2022.3209396 I. INTRODUCTION ISTRIBUTED estimation recently attracts increasing attention owing to its wide applications in the monitoring for transportation systems [1], ecological environments [2], power grids [3], and so on. When a sensor network is only jointly detectable for physical plants, distributed estimation is extremely challenging since plant states may not be observed by a single sensor node [4]. A key challenge is the creditability of inadequate local measurements in face of cyber-attacks. This promotes security to be a significant concern of distributed estimation and furnishes the motivation of this article. As a typical objective of distributed estimation, state omniscience is to observe the entire state of a plant in each sensor node even if local measurements are not adequate. In this scenario, information exchanges among sensor nodes are of importance to ensure the estimation objective. Distributed estimation for state omniscience has been researched with two main techniques: Kalman filters [5] and state observers [6]. Distributed Kalman filters iterate feedback gains to obtain optimal noise attenuation, but require more information interactions of covariance matrices [7], [8]. Benefited by only exchanging estimation signals, state-observer-based techniques are widely studied in [9] and [10] for discrete-time cases and [11], [12], [13] for continuous-time cases. In [9], the necessary and sufficient condition for state omniscience is proved to be the joint detectability of each source component in a sensor network. Moreover, the Kalman observable canonical decomposition is brought to design the distributed observers for state omniscience in [10]. For continuous-time cases, the distributed observers with and without the augmented states are developed based on jointly detectable sensor networks in [11] and [12], respectively. Then, a complete decentralization method is proposed to design the distributed observers without the knowledge for the structure and number of sensor networks [13]. However, when sensor networks are compromised by malicious attacks, the precision of state omniscience will suffer major crises in each distributed observer. Among various malicious attacks, false-data injection (FDI) attacks attract increasing attention due to their serious disruptions on plant operations and deep stealthiness against monitors [14], [15]. Compared with such attacks, other typical attacks (e.g., denial-of-service attacks and replay attacks) are either less destructive or less stealthy [16], [17], [18], [19]. From the D 0018-9286 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information. Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. ZHANG et al.: DFDI ATTACKS AGAINST STATE OMNISCIENCE: EXISTENCE AND SECURITY ANALYSIS boundedness of attack effectiveness, FDI attacks are further divided into imperfect FDI attacks [20], [21], [22], [23] and perfect FDI attacks [25], [26]. Imperfect FDI attacks only cause bounded influences on system performances under stealthiness constraints. Thus, their attack effectiveness is yoked to stealthiness, which implies that the price of stronger attack effectiveness is sacrificing stealthiness. Nevertheless, the implementation of such attacks has no particular requirements for system structures. The trade-off between the attack effectiveness and stealthiness of imperfect FDI attacks is studied in [20], [21], [22], [23], [24]. To guarantee cyber-security under imperfect FDI attacks, centralized secure estimation that reconstructs the real state of physical plants is widely studied in [27], [28]. Furthermore, the distributed secure estimators under attacked sensor measurements and attacked communication links are investigated in [29] and [30], respectively. In [31], [32], the attack detection methods are proposed to counter imperfect FDI attacks based on distributed estimation. Although plenty of results have been obtained for imperfect attacks, none of them focuses on how FDI attacks affect system stability. Perfect FDI attacks destabilize systems under stealthiness constraints, which implies that unbounded attack influences are stealthily brought into system performances. The perfection feature ensures that attack effectiveness is not constrained by stealthiness [33], [34]. In static state estimation for different systems, the existence of perfect FDI attacks that only modify sensor outputs is studied in [35], [36]. However, perfect sensor FDI attacks in dynamic state estimation have more complex requirements for system structures. The existence of perfect sensor FDI attacks is studied from the eigenvalues of system matrices in [25], [37], [38]. By compromising multiple channels, e.g., actuator and sensor channels, perfect FDI attacks can be achieved with weaker requirements for system structures [39], [40], [41]. Compared with actuators, sensors are more vulnerable in distributed dynamic estimation due to the wide applications of wireless sensor networks [24], [30]. In [42], perfect sensor FDI attacks are developed to destabilize the estimation error dynamics of at least one node in the distributed observers. However, it is still an open problem whether the estimation error dynamics of all observers will be destabilized by FDI attacks. This ignites our interest in what pivotal role the perfect sensor FDI attacks play in distributed estimation for state omniscience. In this article, FDI attacks which destabilize the estimation error dynamics of all distributed observers are called as perfect decentralized false-data injection (DFDI) attacks. Since sensor nodes can share the detection results with each other, the deeper stealthiness is an important concern of DFDI attacks. In our previous work [43], complete stealthiness is proposed to asymptotically remove the influences of FDI attacks on detectors. Compared with the stealthiness that maintains bounded influences against detectors [25], [37], [38], [42], complete stealthiness is more appropriate with the stealthy purpose of DFDI attacks. Hence, a class of perfect DFDI attacks with complete stealthiness, which dispersively compromises the measurement outputs of sensor networks, is researched to reveal the global 4635 vulnerability of state omniscience. The main contributions of this article are summarized as follows. 1) Different from existing perfect FDI attacks that only destabilize at least one distributed observer [26], [42], perfect DFDI attacks are developed to destabilize all observers and hold complete stealthiness. 2) From the viewpoints of system matrix eigenvalues and attackable sensors, the sufficiency and necessity are developed for the existence of perfect DFDI attacks with complete stealthiness. 3) The attack sequences are designed to achieve the proposed attack objective without the real-time data of attacked systems, and their steady-state stealthy performances are evaluated. In addition, the designed attack sequences maintain real values by involving multiple system eigenvalues whereas the one in [43] is imaginary value. 4) Based on the necessary conditions of attack existence, we propose the secure range for observer interaction weights and a sensor protection scheme that exposes the considered attacks to detectors. Notation: R and N denote the sets of real numbers and natural numbers, respectively. For a matrix X, X T represents its transpose, span(X) stands for its column spanning space and cs(X) is the vector set constituted by all the columns of X. For a square matrix X, ρ(X) denotes its spectral radius, Λ(X) represents the set of its all eigenvalues and Ω(X) is the set of its all eigenvectors. Define ΛP (X) = {λ ∈ Λ(X)||λ| > 1} and ΛQ (X) = {λ ∈ Λ(X)||λ| ≥ 1} as the subsets of Λ(X). Denote ΩP (X) = {v|(X − λI)v = 0, λ ∈ ΛP (X)} and ΩQ (X) = {v|(X − λI)v = 0, λ ∈ ΛQ (X)} as the subsets of Ω(X). For a vector υ, υ, and υ∞ stand for its Euclidean norm and infinite norm, respectively. X and X∞ are the matrix norms induced by the Euclidean norm and infinite norm of vectors, respectively. X ⊗ Y denotes the Kronecker product of the matrices X and Y . For a complex number c, c∗ , Re{c}, and |c| represent its conjugate complex number, real part, and modulus, respectively. The identity matrix with n dimensions is represented as In . 1 is an appropriate-dimensional vector with all elements being 1. 0 is a zero vector with appropriate dimensions. N (μ, σ 2 ) stands for the Gaussian distribution with mean μ and variance σ 2 . Prob(Z) is the probability of a random event Z. II. PROBLEM FORMULATION AND PRELIMINARIES A. Graph Theory Let a directed graph G = (V, E) describe the interaction relations of the sensor network. V = {1, 2, . . . , N } and E ⊆ V × V represent the sets of sensor nodes and interaction links, respectively. A digraph is strongly connected if any two distinct nodes are connected by a directed path. Denote ai,j = 1 if there exists a directed edge from the jth node to the ith node. Then, the Laplacian matrix of the graph G is L = [li,j ]N ×N , where li,i = N j=1,j =i ai,j and li,j = −ai,j for i = j. Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. 4636 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 68, NO. 8, AUGUST 2023 B. System Model The physical layer including the observed plant and sensors is described by the following discrete-time linear system: xk+1 = Axk + ωk yi,k = Ci xk + υi,k , i = 1, . . . , N (1) where xk ∈ Rn is the physical plant state and yi,k ∈ Rmi is the measurement output of the ith sensor node. Then, yk T T , . . . , yN,k ]T ∈ Rm represents the global measurement of [y1,k the sensor network. The process noise and measurement noise obey ωk ∼ N (0, Q) and υi,k ∼ N (0, Ri ), respectively. Assumption 1: The plant is jointly detectable for the sensor T T ] , A) is detectable. network, that is, the matrix pair ([C1T · · · CN Assumption 2: The interaction network G among the sensor nodes is strongly connected. The following definition introduces the objective of state omniscience. Definition 1 (see [9], [10]): A group of distributed observers achieve state omniscience if each sensor node’s observer asymptotically estimates the entire state of the physical plant under noise-free cases, i.e., limk→∞ x̂i,k − xk = 0, ∀i ∈ V. In the cyber layer, the distributed observers for state omniscience are designed as follows: wi,j Ax̂j,k +Li (yi,k −Ci x̂i,k ), i = 1, . . . , N (2) x̂i,k+1 = j∈Ni where Ni {j ∈ V|li,j = 0} and wi,j is the interaction weight satisfying j∈Ni wi,j = 1. In light of [9], to achieve state omniscience, the weight matrix W [wi,j ]N ×N should satisfy that (i) every eigenvalue of W is simple; (ii) every eigenvector of W has no zero entries. Let W be the set of all the matrices W that match the abovementioned two properties. Represent the estimation error and residual of the ith sensor node as ei,k xk − x̂i,k and zi,k yi,k − Ci x̂i,k , respectively. Furthermore, the dynamics of the global estimation error and residual are ek+1 = (W ⊗ A − L̄C̄)ek + 1 ⊗ ωk − L̄υk zk = C̄ek + υk (3) T T where ek [eT1,k , . . . , eTN,k ]T , zk [z1,k , . . . , zN,k ]T , and T T T υk [υ1,k , . . . , υN,k ] . C̄ diag(C1 , . . . , CN ) and L̄ diag(L1 , . . . , LN ) are block diagonal matrices. To achieve state omniscience, the weight matrix W and observer gain L̄ are supposed to satisfy W ∈ W and ρ(W ⊗ A − L̄C̄) < 1, respectively. Remark 1: In [9], it is proved that almost all the choices of the weight matrix satisfy W ∈ W under Assumption 2. In addition, a particular choice of W ∈ W is W = IN − L, where 0 < < (maxi∈V li,i )−1 . To reveal potential anomalies, the residual-based detector T Πi zi,k and residual-energy-based detector ḡi,k = gi,k = zi,k k 1/k( p=0 zi,p )T Π̄i kp=0 zi,p are applied in each sensor node [25], [37], [44], where Πi and Π̄i are positive-definite matrices. Whenever gi,k (ḡi,k ) is larger than the threshold Fig. 1. Distributed observers under DFDI attacks. value gi,th (ḡi,th ), the corresponding detector gives an alarm. Furthermore, the false alarm rates of the residual-based and residual-energy-based detectors are pF i,k Prob(gi,k > gi,th ) Prob(ḡ > ḡ ), respectively. By transmitting a and p̄F i,k i,th i,k flag bit, the alarms of arbitrary sensor node can be reported to the whole sensor network with low bandwidth. C. DFDI Attack Model DFDI attacks dispersedly tamper with sensor measurements to damage distributed observers (see Fig. 1). The attacked outputs of the sensor nodes are described as a = Ci xk + Γi ai,k + υi,k , i = 1, . . . , N yi,k (4) where ai,k and Γi = diag(γi,1 , . . . , γi,mi ) are the attack sequence and attack target matrix against the ith sensor node, respectively. If the jth measurement of the ith sensor node is attacked, then γi,j = 1, and γi,j = 0 otherwise. Remark 2: In many practical applications, sensor data is transmitted to observers through wireless communications. Vulnerable wireless communications give attackers the opportunity to compromise transmitted sensor data with FDI attacks modeled in (4). The attack model in (4) describes a class of attack behaviors which compromise sensor output data with elaborate malicious signals. Not only perfect sensor FDI attacks in [25], [35], [36], [37], [42], and [43] but also imperfect sensor FDI attacks in [21], [22], [24], [27], [28], and [32] can be represented by (4). Furthermore, the distributed observers under DFDI attacks are written as follows: a wi,j Ax̂aj,k +Li (yi,k −Ci x̂ai,k ), i = 1, . . . , N (5) x̂ai,k+1 = j∈Ni where x̂ai,k is the attacked state estimation in the ith sensor a a yi,k − Ci x̂ai,k be the node. Let eai,k xi,k − x̂ai,k and zi,k estimation error and residual of the ith sensor node under attacks. According to [25], [37], [43], we focus on the attacked components of the estimation errors and residuals, i.e., ẽi,k a − zi,k . Then, ẽk [ẽT1,k , . . . , ẽTN,k ]T eai,k − ei,k and z̃i,k zi,k Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. ZHANG et al.: DFDI ATTACKS AGAINST STATE OMNISCIENCE: EXISTENCE AND SECURITY ANALYSIS T T and z̃k [z̃1,k , . . . , z̃N,k ]T have the following dynamics: ẽk+1 = (W ⊗ A − L̄C̄)ẽk − L̄Γ̄ak z̃k = C̄ ẽk + Γ̄ak (6) (7) where Γ̄ diag(Γ1 , . . . , ΓN ) and ak [aT1,k , . . . , aTN,k ]T . Since the attacks do not occur at k = −1, the initial values of the error systems (6) and (7) are ẽ0 = 0 and z̃0 = Γ̄a0 , respectively. To explore more dangerous attack behaviors in distributed observers, we analyze perfect DFDI attacks that destabilize the estimation error dynamics and hold deeper stealthiness in each node. Therefore, perfect DFDI attacks with strict stealthiness, which cause no influences on detectors, are introduced as follows. Definition 2: Perfect DFDI attacks with strict stealthiness are achieved in the distributed observers (5) if for any k ∈ N[0, ∞), the estimation error and residual of each sensor node satisfy (i) limk→∞ ẽi,k = ∞ and (ii) z̃i,k = 0. Proposition 1: There exists no perfect DFDI attacks with strict stealthiness in the distributed observers (5). Proof: According to (6), the dynamics of ẽk are rewritten as follows: ẽk = − k−1 (W ⊗ A)k−p−1 L̄z̃p . (8) p=0 It is easy to obtain ẽk = 0 when z̃k = 0 is established at any time. Thus, limk→∞ ẽi,k = ∞ and z̃i,k = 0, ∀k ∈ N[0, ∞) cannot hold simultaneously, which implies that perfect DFDI attacks with strict stealthiness are inexistent in the distributed observers (5). Although there exist no perfect DFDI attacks with strict stealthiness, how to asymptotically remove the attack influences on detectors is still our concern. In view of this purpose, we introduce the following definition for perfect DFDI attacks with complete stealthiness. Definition 3: Perfect DFDI attacks with complete stealthiness are achieved in the distributed observers (5) if there exist positive constants α and β such that for any k ∈ N[0, ∞), the estimation error and residual of each sensor node satisfy the following: i) limk→∞ ẽi,k = ∞; ii) z̃i,k ≤ α; iii) limk→∞ z̃i,k = 0; iv) kp=0 z̃i,p ≤ β. Proposition 2: When the distributed observers (5) are compromised by DFDI attacks, the residual-based detector a a T a a = (zi,k ) Πi zi,k and residual-energy-based detector ḡi,k = gi,k k k a T a 1/k( p=0 zi,p ) Π̄i p=0 zi,p satisfy F (i) limk→∞ (pD i,k − pi,k ) = 0 if limk→∞ z̃i,k = 0; k D (ii) limk→∞ (p̄i,k − p̄F i,k ) = 0 if p=0 z̃i,p ≤ β, ∀k ∈ N[0, ∞), a D a where pD i,k Prob(gi,k > gi,th ) and p̄i,k Prob(ḡi,k > ḡi,th ) are the detection rates of the residual-based and residualenergy-based detectors, respectively. Proof: The proof is similar to [43, Props. 1 and 2] and omitted here. 4637 Remark 3: Different from the deterministic stealthiness in Definition 3, some works consider the statistical stealthiness a [20], described by the probability distributions of zi,k and zi,k [21], [39]. Obviously, the probability distributions of zi,k and a a are the same when zi,k is equal to zi,k , but not vice versa. zi,k Therefore, when DFDI attacks guarantee limk→∞ z̃i,k = 0, ∀i ∈ V, the deterministic stealthiness in Definition 3 is stronger than the statistical stealthiness in the steady state. III. EXISTENCE OF PERFECT DFDI ATTACKS In this section, the sufficiency and necessity for the existence of perfect DFDI attacks with complete stealthiness are investigated, respectively. Suppose |ΛP (W ⊗ A)| = s and |ΛQ (W ⊗ A)| = s̄. Obviously, the eigenvalue λq ∈ Λ(W ⊗ A) and eigenvector vq ∈ A W Ω(W ⊗ A) can be decomposed as λq = λW q λq and vq = vq ⊗ W A A W A vq , where (λq IN − W )vq = 0 and (λq In − A)vq = 0. The Jordan canonical form of W ⊗ A is defined as J = V (W ⊗ A)U , where U = V −1 = [u1 , . . . , uN n ] is an invertible matrix. Let DW and JA be the diagonal canonical form of W and the Jordan canonical form of A, respectively. Thus, there is an invertible matrix UA = VA−1 such that JA = VA AUA . Furthermore, the Jordan canonical form J of W ⊗ A is described as J = DW ⊗ JA and any column of U can be W A rewritten as uq = vqW ⊗ uA q for vq ∈ Λ(W ) and uq ∈ cs(UA ). Evidently, J can be partitioned as Ja 0 Va (9) W ⊗ A = U J V = [Ua Ub ] 0 Jb Vb where Ja ∈ Rs̄×s̄ is the Jordan block corresponding to the eigenvalues λq ∈ ΛQ (W ⊗ A). It is easy to observe Va Ua = Is̄ , Vb Ub = IN n−s̄ , and Va Ub = Vb Ua = 0. Several useful lemmas are introduced as follows. Lemma 1 (see [43]): Let X ∈ RN n×N n be an arbitrary matrix that satisfies ρ(X) < 1. The matrix norm and vector norm in the linear space RN n×N n are defined as X Gε VX XUX G−1 ε ∞ and ν Gε VX ν∞ respectively, where Gε = diag(1, ε, ε2 , . . . , εN n−1 ) and ε < 1 − ρ(X). Let UX = VX−1 be an invertible matrix such that JX = VX XUX is the Jordan canonical form of the matrix X. Then, the norm has the following properties. i) For the matrix X satisfying ρ(X) < 1, one has X < 1; ii) The vector norm is compatible with the matrix norm, i.e., Xν ≤ X ν ; iii) The vector norm satisfies ν ≤ √ N nUX G−1 ε ν . Nn Lemma 2: For any given constant vector νp ∈ R , if there exist the constant vectors φ = 0 and φ̄ such that ∞ p=0 (W ⊗ A)p νp = ∞ · φ + φ̄ holds, then φ ∈ span(Ua ). Proof: Please see Appendix A. The existence of perfect DFDI attacks with complete stealthiness is analyzed in the following theorems. Theorem 1 (Sufficiency): There exist DFDI attacks satisfying Definition 3 in the distributed observers (5) if Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. 4638 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 68, NO. 8, AUGUST 2023 (i) the system matrix satisfies ρ(W ⊗ A) > 1; (ii) there exists at least one eigenvector vq ∈ ΩP (W ⊗ A) such that the attack target matrix satisfies C̄vq ∈ span(Γ̄). Proof: This theorem is true when there exist the particular attack sequences satisfying Definition 3 under conditions (i) and (ii). The design of the particular attack sequences is given in Section IV and omitted here. Based on the global condition of the attack targets, we further analyze whether a sensor node is the required attack target for DFDI attacks satisfying Definition 3. Corollary 1: The global attack target matrix satisfies C̄vq ∈ span(Γ̄) if and only if Ci vqA ∈ span(Γi ) for any sensor node i ∈ V. Proof: Please see Appendix B. Theorem 2 (Necessity): There exist DFDI attacks satisfying Definition 3 in the distributed observers (5) only if (i) the system matrix satisfies ρ(W ⊗ A) ≥ 1; (ii) there exists at least one vector uq ∈ cs(Ua ) such that the attack target matrix satisfies C̄uq ∈ span(Γ̄). Proof: Please see Appendix C. Corollary 2: The global attack target matrix satisfies C̄uq ∈ span(Γ̄) if and only if Ci uA q ∈ span(Γi ) for any sensor node i ∈ V. Proof: Combined with uq = vqW ⊗ uA q , the proof is similar to Corollary 1. Remark 4: If a sensor node satisfies Ci vqA = 0 for vqA ∈ ΩP (A), then perfect DFDI attacks with complete stealthiness can be achieved without compromising this sensor node. This implies that DFDI attacks may destabilize all observers by compromising a part of sensor nodes. Remark 5: With two particular cases, we introduce the existence of perfect DFDI attacks with complete stealthiness under ρ(W ⊗ A) = 1 with two particular cases. Firstly, choose W ⊗ A = 1. Then, for any k ∈ N[0, a constant β̄ ∞), there exists ∞ z̃ ≤ β̄ if such that limk→∞ ẽk = L̄ ∞ p=0 p p=0 z̃i,p ≤ β holds for any i ∈ V. This implies that such attacks are inexistent in this particular case. Secondly, choose W ⊗ A = −1. Then, there exist L̄1 = 0 and z̃p = ((−1)p 1)/(p + 1), which satisfy the constraints in Definition 3, such that limk→∞ ẽk = ∞ p=0 1/(p + 1)|L̄1| = ∞ is established. Thus, such attacks are existent in this particular case. These cases can be extended to the high-dimensional situations when W ⊗ A is diagonalizable. As a result, the existence of such attacks is undetermined for ρ(W ⊗ A) = 1. IV. DESIGN OF PERFECT DFDI ATTACKS Consider ρ(W ⊗ A) > 1 and choose vq1 , . . . , vqs∗ ∈ ΩP (W ⊗ A) to satisfy that their corresponding vqA1 , . . . , vqAs∗ ∈ Ω(A) are linearly independent. Due to vq = vqW ⊗ vqA , the vectors vq1 , . . . , vqs∗ are also linearly independent. The DFDI attack sequences against the sensor outputs are designed as W ai,k+1 = ai,k − θq,k+1 λk+1 vi,q δi,q , i = 1, . . . , N (10) q q∈S W where S {q1 , . . . , qs∗ }, vi,q is the ith element of vqW and δi,q A is a solution of Ci vq = Γi δi,q . The coefficient θq,k is chosen as κq for k ∈ N[0, τq ) and μq κq for k ∈ N[τq , ∞), where κq and μq are constants. τq ∈ N[1, ∞) is the switching instant values of the attack sequences (10) are of θq,k . The initial W δi,q , i = 1, . . . , N . Obviously, the attack ai,0 = − q∈S θq,0 vi,q sequences (10) are independent of the real-time data in the sensor network, which reflects the “self-generated” feature. Let the attack target Γi satisfy Theorem 1. Under the attack sequences (10), ẽk and z̃k satisfy: Ek+1 ẽk+1 − ẽk = (W ⊗ A − L̄C̄)Ek + L̄Γ̄ θq,k λkq δq Zk z̃k − z̃k−1 = C̄Ek − Γ̄ q∈S θq,k λkq δq (11) q∈S W T W T where δq [v1,q δ1,q , . . . , vN,q δN,q ]T . Without loss of generality, we suppose τq1 ≤ τq2 ≤ · · · ≤ τqs∗ . Proposition 3: The solutions of the error dynamics (6) and residual dynamics (7) under the attack sequences (10) are ẽk = − k ∗ q∈Sk−1 q∈S p=0 τq + κq λpq vq + q∈Sk−1 p=0 − k κq (W ⊗ A − L̄C̄)p vq + k κq λpq vq p=0 μq κq λpq vq q∈Sk−1 p=τq +1 k (μq − 1)κq λτqq (W ⊗ A − L̄C̄)p−τq vq q∈Sk−1 p=τq +1 (12) and z̃k = − k κq C̄(W ⊗ A − L̄C̄)p vq q∈S p=0 − k q∈Sk p=τq (μq − 1)κq λτqq C̄(W ⊗ A − L̄C̄)p−τq vq (13) where Sk {q ∈ S|τq ≤ k} and Sk∗ S \ Sk . Proof: Please see Appendix D. Furthermore, the necessary and sufficient condition that the DFDI attack sequences (10) satisfy Definition 3 is analyzed as follows. Theorem 3: The DFDI attack sequences (10) satisfy Definition 3 in arbitrary distributed observers that conform to (5) with W ∈ W, ρ(W ⊗ A) > 1 and ρ(W ⊗ A − L̄C̄) < 1 if and only if κq = 0, (1 − μq )λτqq ∃q ∈ S − 1 = 0, ∀q ∈ Sκ (14) where Sκ {q ⊆ S|κq = 0}. Moreover, for any k ∈ N[0, ∞), z̃k and kp=0 z̃p have the following upper bounds: √ N n|κq |Û G−1 ∗ C̄vq z̃k ≤ (15) 1 − W ⊗ A − L̄C̄ q∈S Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. ZHANG et al.: DFDI ATTACKS AGAINST STATE OMNISCIENCE: EXISTENCE AND SECURITY ANALYSIS k √ z̃p ≤ N n|κq |Û G−1 ∗ C̄(Hq,τq −1 + Lq,∞ ) p=0 q∈S (16) where Hk,q kp=0 pl=0 W ⊗ A − L̄C̄l vq , Lq,∞ τ q (1 − W ⊗ A − L̄C̄ )−1 p=1 W ⊗ A − L̄C̄ p vq , ∗ < 1 − ρ(W ⊗ A − L̄C̄), and Û = V̂ −1 is an invertible matrix that leads to the Jordan canonical form Jˆ = V̂ (W ⊗ A − L̄C̄)Û . Proof: Please see Appendix E. Although it has been proved that kp=0 z̃i,p is bounded for any k ∈ N[0, ∞) in Theorem 3, we desire to investigate the accurate value of ∞ p=0 z̃i,p to further evaluate the attack stealth capability. Corollary 3: Suppose that the distributed observers (5) are compromised by the DFDI attack sequences (10) under (14), z̃ then ∞ p=0 i,p is given by the following equality: ∞ p=0 z̃i,p = κq Ci Δq,i , i = 1, . . . , N (17) q∈S where Δq = [ΔTq,1 , . . . , ΔTq,N ]T Ξq,τq −1 + Θq,∞ , Ξq,k k p l p=0 l=0 (W ⊗ A − L̄C̄) vq and Θq,∞ (I − W ⊗ A + τ q L̄C̄)−1 p=1 (W ⊗ A − L̄C̄)p vq . Proof: Please see Appendix F. Evidently, the attack sequences (10) may be imaginary number when W ⊗ A has imaginary eigenvalues. Hence, we further investigate how the attack sequences (10) maintain real values even if W ⊗ A only has unstable imaginary eigenvalues. Theorem 4: Let q and q̄ refer to the conjugate eigenvalues, i.e., λq = λ∗q̄ . When W ⊗ A only has unstable imaginary eigenvalues, the DFDI attack sequences (10) are real values under κq = q κq̄ ∈ R, τq = τq̄ ∈ N[1, ∞) and μq = μ∗q̄ = 1 − λ−τ q , ∀q ∈ S. Proof: Please see Appendix G. Remark 6: When the system matrix only has unstable imaginary eigenvalues, the attack sequences in [43] with a single eigenvalue must be imaginary. By involving multiple eigenvalues of the system matrix, the attack sequences (10) can maintain real values since the imaginary eigenvalues of a real system matrix are in pairs and conjugate. Remark 7: Note that 1 is a eigenvector of the weight matrix W . When the attack sequences (10) are designed to satisfy vqW = 1, ∀q ∈ S, one has that ẽi,k of all observer nodes reach the same values according to (12). Therefore, the attacker can also hold stealthiness against the neighbor error x̂ai,k − x̂aj,k , ∀i, j ∈ V, under condition (14). V. SECURE ANALYSIS UNDER PERFECT DFDI ATTACKS As stated in Theorems 1 and 2, the spectral radius ρ(W ⊗ A) and attack targets Γ̄ are pivotal to perfect DFDI attacks with complete stealthiness. First, for the security of state omniscience, we investigate how to decrease ρ(W ⊗ A) by choosing wi,j . The relationship between ρ(W ⊗ A) and ρ(A) is introduced as follows. 4639 Lemma 3: For the distributed observers (5) that satisfy j∈Ni wi,j = 1, one has ρ(W ⊗ A) ≥ ρ(A). Proof: Due to j∈Ni wi,j = 1, it is inferred that W 1 = 1, which implies that 1 is an eigenvalue of W . Hence, there exist W A A λW q ≥ 1 and λq = λq λq ≥ λq , which implies ρ(W ⊗ A) ≥ ρ(A). Based on Lemma 3, choosing wi,j to guarantee ρ(W ⊗ A) = ρ(A) is an important principle for the security of state omniscience. Thus, the secure range for the interaction weights of the distributed observers (5) is summarized as follows. Theorem 5: For the distributed observers (5) with j∈Ni wi,j = 1, if the interaction weights satisfy wi,j > 0 for any i, j ∈ V, then ρ(W ⊗ A) = ρ(A) holds. Proof: Based on Gerschgorin theorem and j∈Ni wi,j = 1, W one obtains |λW q − wi,i | ≤ 1 − wi,i for any λq ∈ Λ(W ) and i ∈ V when wi,j ≥ 0 holds for any i, j ∈ V. Then, we have −1 < 2wi,i − 1 ≤ λW q ≤ 1 due to wi,i > 0, ∀i ∈ V. FurtherA A more, any λq ∈ Λ(W ⊗ A) satisfies |λq | ≤ |λW q ||λq | ≤ |λq | since |λW q | ≤ 1 is established. Finally, combining with ρ(W ⊗ A) ≥ ρ(A) in Lemma 3 results in ρ(W ⊗ A) = ρ(A). Secondly, the sensor protection scheme is studied to defend perfect DFDI attacks with complete stealthiness. Let ΓP i = P P , . . . , γi,N ) be the sensor protection matrix, where diag(γi,1 P = 1 if the jth measurement of the ith sensor node is proγi,j P = 0 otherwise. A sensor cannot be chosen as the tected, and γi,j attack target when it is protected, that is, ΓP i Γi = 0. Theorem 6: Perfect DFDI attacks with complete stealthiness cannot be achieved in the distributed observers (5) if there exists a sensor node i ∈ V such that the protected sensors satisfy A A W A ΓP i Ci uq = 0 for any uq corresponding to uq = vq ⊗ uq ∈ cs(Ua ). Proof: Supposing Ci uA q ∈ span(Γi ), there is a constant vecA tor ϑi,q such that Ci uA = Γi ϑi,q . Then, we obtain ΓP q i Ci uq = P A ΓP i Γi ϑi,q = 0, which violates Γi Ci uq = 0. Thus, if there exists P A i ∈ V such that Γi Ci uq = 0 for any uA q corresponding to / span(Γ̄) holds for any uq ∈ cs(Ua ). uq ∈ cs(Ua ), then C̄uq ∈ As a result, there exist no perfect DFDI attacks with complete stealthiness in the distributed observers (5) according to Theorem 2. satCorollary 4: Consider the sensor protection matrix ΓP i isfying Theorem 6. If the distributed observers (5) are compromised by DFDI attacks, which lead to limk→∞ ek = ∞, then there exists a sensor node i ∈ V such that its residual-based and residual-energy-based detectors expose such attacks with D limk→∞ pD i,k = limk→∞ p̄i,k = 1. Proof: If the protection matrix ΓP i of a sensor node satisfies / span(Γ̄) for any uq ∈ cs(Ua ). Theorem 6, then we have C̄uq ∈ Hence, according to the proof of Theorem 2, it is obtained that limk→∞ zk = ∞ holds if limk→∞ ek = ∞. When limk→∞ zk = ∞ is established, we have limk→∞ pD i,k = D limk→∞ p̄i,k = 1, ∃i ∈ V, by following the similar proofs of [43, Props. 1 and 2]. Remark 8: For a continue-time plant, the discrete-time observers (2) will lose more information with the sampling interval T > 0 increasing. For the continue-time system matrix G, we Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. 4640 Fig. 2. IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 68, NO. 8, AUGUST 2023 Longitudinal attitude of aircrafts. have A = eGT [45]. If a eigenvalue of G has the positive real part (or all the eigenvalues of G have the negative real parts), then ρ(A) > 1 (or ρ(A) < 1) holds under any T . Hence, the existence of perfect DFDI attacks with complete stealthiness is not influenced by T when the attack targets are selected arbitrarily. However, the attack sequences (10) need to be redesigned for different T since they depend on the eigenvalues of W ⊗ A. Moreover, the secure range of the observer weights in Theorem 5 remains the same for ρ(W ⊗ A) = ρ(A) under different T . To establish a robust protection scheme for different T , one can protect all the output data of a sensor node i ∈ V satisfying Theorem 6. Remark 9: The proposed results in this article can be extended to linearizable nonlinear systems. For a nonlinear system satisfying [46, Th. 1], it is linearized as (1) with the coordinate transformation xk = T (x∗k ), where x∗k is the state of original nonlinear systems. Then, the state estimation of original nonlinear systems is obtained by x̂∗i,k+1 = T −1 (x̂i,k+1 ), where T −1 (·) is the inverse function of T (·). Even in nonlinear systems, we can still consider the attack objective in Definition 3, which depends on the indexes ẽi,k and z̃i,k of linearized systems. Therefore, the corresponding results of perfect DFDI attacks with complete stealthiness can be extended into such linearizable nonlinear systems. VI. SIMULATION RESULTS In this section,we demonstrate perfect DFDI attacks with complete stealthiness based on the longitudinal motion model of an aircraft system in [47], which is discretized with a sampling period 0.1s. The considered aircraft states x1,k , . . . , x6,k are the forward velocity, attack angle, pitch rate, pitch angle, elevon deflection, and canard deflection, respectively. Fig. 2 illustrates the longitudinal attitude of the aircraft, whose system matrix A, shown at the bottom of this page. Notice that the system matrix A has the real eigenvalues 0.5668, 0.9742, 0.0498, 0.0498 and imaginary eigenvalues 1.0711 + 0.0319i, 1.0711 − 0.0319i. ⎡ 0.9961 ⎢ ⎢0.0001 ⎢ ⎢0.0011 A=⎢ ⎢0.0001 ⎢ ⎢ ⎣ 0 0 −4.4069 0.8738 0.9503 0.0509 0 0 −1.9937 0.0799 0.8133 0.0895 0 0 Fig. 3. Information interaction graph of sensor network under DFDI attacks. Suppose that the aircraft system (Plant) is measured by three sensor nodes: S1 , S2 , and S3 . The sensor node S1 measures the deflections of the elevon and canard. Consider that S1 sends the integrated data x5,k + x6,k to the observer O1 for saving communication resources. Moreover, S2 acquires the forward velocity and attack angle, and S3 acquires the pitch rate and pitch angle. These two sensor nodes also send the integrated data to the observers O2 and O3 , respectively. Thus, the measurement matrices are C1 = [0 0 0 0 1 1], C2 = [1 1 0 0 0 0], and C3 = [0 0 1 1 0 0]. The interaction network G among these sensors is strongly connected and illustrated in Fig. 3. Let the covariance matrices of the process and measurement noises be Q = diag(0.022 I4 , 0.12 I2 ), R1 = 0.12 , R2 = 0.052 , and R3 = 0.052 . The initial state x0 is a zero-mean Gaussian random variable with covariance 0.082 I6 . By checking the detectability of each sensor node, we know that (C2 , A) and (C3 , A) are detectable but (C1 , A) is not detectable. Consider that the interaction weight matrix is chosen as ⎡ ⎤ 0.5 0.25 0.25 ⎢ ⎥ W = ⎣0.25 0.5 0.25⎦ 0.25 0 0.75 which satisfies wi,j > 0 for any i, j ∈ V in Theorem 5. Hence, ρ(W ⊗ A) = ρ(A) = 1.0715 holds. Then, the observer gains are designed as, shown at the bottom of the next page. Next, the estimation errors in these sensor nodes under no attacks are shown in Fig. 4, where ei,j,k is the jth element of ei,k . Although the system state is not detectable for the node S3 , the estimation error dynamics of S3 are still stable through the data interactions with other two nodes. Since the dynamics of all the estimation errors are stable, the distributed observers in S1 , S2 , and S3 achieve state omniscience for the aircraft system. Based on Theorem 1, perfect DFDI attacks with complete stealthiness can be achieved with appropriate attack targets due −3.2034 −0.0001 −0.0018 0.9999 0 0 1.5378 −0.0647 −0.8605 −0.0659 0.0498 0 ⎤ −1.0289 ⎥ 0.0423 ⎥ ⎥ 0.6070 ⎥ ⎥. 0.0466 ⎥ ⎥ ⎥ ⎦ 0 0.0498 Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. ZHANG et al.: DFDI ATTACKS AGAINST STATE OMNISCIENCE: EXISTENCE AND SECURITY ANALYSIS Fig. 5. a3,k . 4641 Trajectories of attack sequences a2,k and a3,k . (a) a2,k ; (b) Fig. 4. Trajectories of estimation error ei,j,k under no attacks. (a) e1,j,k ; (b) e2,j,k ; (c) e3,j,k . to ρ(W ⊗ A) = 1.0715 > 1. Then, set λ1 = 1.0711 + 0.0319i and λ2 = 1.0711 − 0.0319i. According to Theorem 1 and Corollary 1, the attacker only needs to attack the sensor nodes S2 and S3 , i.e., Γ1 = 0 and Γ2 = Γ3 = 1, since the sensor node S1 satisfies C1 v1A = C1 v2A = 0. Furthermore, the decentralized attack sequences, namely Attacks I, are designed as (0.9965 − 0.002i) a2,k+1 = a2,k + 0.5774θ1,k+1 λk+1 1 (0.9965 + 0.002i) + 0.5774θ2,k+1 λk+1 2 (−0.0221 − 0.0096i) a3,k+1 = a3,k + 0.5774θ1,k+1 λk+1 1 (−0.0221 + 0.0096i) + 0.5774θ2,k+1 λk+1 2 (18) ∗ ∗ where θ1,k = θ2,k = 0.1144 for k ∈ N[0, 10) and θ1,k = θ2,k = 0.0596 + 0.0168i for k ∈ N[10, ∞). The attack parameters κ1 = κ2 = 0.1144, μ1 = μ∗2 = 0.5209 + 0.1469i and τ1 = τ2 = 10 satisfy Theorem 3, which implies that Attacks I achieve the attack objective in Definition 3. Under these attack paz̃1,p = 0, ∞ rameters, one has ∞ p=0 p=0 z̃2,p = 1.9987, ∞ z̃ = 0.0727 and z̃ = 2 based on Corol ∞ 3,p p p=0 p=0 lary 3. Since the attack parameters satisfy Theorem 4, a2,k and a3,k are real values all the time in Fig. 5. In Figs. 6 and 7, the performance indexes of Attacks I are shown, where ẽi,j,k is the jth element of ẽi,k . Fig. 6 illustrates that Attacks I lead to the divergence of ẽi,k in each node. In Fig. 7, z̃i,k converges to zero and kp=0 z̃i,p is bounded in each node, which depicts the stealthy Attacks I. In capacities of addition, it is shown in Fig. 7 that kp=0 z̃1,p , kp=0 z̃2,p , Fig. 6. Trajectories of ẽi,j,k under Attacks I. (a) ẽ1,j,k ; (b) ẽ2,j,k ; (c) ẽ3,j,k . kp=0 z̃3,p , and kp=0 z̃p converge to 0, 1.9987, 0.0727, and 2, respectively. This supports the theoretical results in Corollary 3. Therefore, by only compromising the sensor nodes S2 and S3 , Attacks I achieve perfect DFDI attacks with complete stealthiness. Consider that any sensor node is monitored by the residualbased detector gi,k and residual-energy-based detector ḡi,k with T L1 = 0.0358 −0.0126 −0.0906 −0.0052 0.0127 0.0122 L2 = 1.3388 −0.0343 −0.0848 −0.0390 0.0006 −0.0005 L3 = −9.6888 0.3796 1.0258 0.2863 −0.0017 0.0014 T T . Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. 4642 Fig. 7. IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 68, NO. 8, AUGUST 2023 Trajectories of z̃i,k and z̃i,k ; (b) k k z̃ p=0 i,p under Attacks I. (a) z̃ . p=0 i,p Fig. 9. Trajectories of ẽi,j,k under Attacks II. (a) ẽ1,j,k ; (b) ẽ2,j,k ; (c) ẽ3,j,k . Fig. 8. Detection rates and false alarm rates of each node’s detectors under Attacks I. Πi = Π̄i = 1. The threshold values are g1,th = 0.25, ḡ1,th = 0.3, g2,th = 3, ḡ2,th = 11.5, g3,th = 0.2, and ḡ3,th = 0.18. Based on 10000 Monte Carlo simulations, the alarm rates of the residualbased and residual-energy-based detectors are depicted in Fig. 8. Obviously, all the detection rates against Attacks I converge to the false alarm rates in these sensor nodes. Hence, perfect DFDI attacks with complete stealthiness can deceive such two classes of detectors. Furthermore, two comparative examples are given to demonstrate the danger of complete stealthiness and the effectiveness of the sensor protection scheme. 1) Perfect DFDI Attacks without Complete Stealthiness: In this example, we implement the DFDI attack sequences, namely Attacks II, which have the same parameters as the attack sequences (18) except for μ1 = μ2 = 5. Obviously, such DFDI attack sequences have no complete stealthiness since the attack parameters violate Theorem 3. In Fig. 9, Attacks II still make ẽi,k diverge in each node. However, compared with Fig. 7, Fig. 10 illustrates that z̃i,k cannot converge to zero and kp=0 z̃i,p is unbounded in a part of nodes. Therefore, the Fig. 10. Trajectories of z̃i,k and z̃i,k ; (b) k k z̃ p=0 i,p under Attacks II. (a) z̃ . p=0 i,p Fig. 11. Detection rates and false alarm rates of each node’s detectors under Attacks II. Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. ZHANG et al.: DFDI ATTACKS AGAINST STATE OMNISCIENCE: EXISTENCE AND SECURITY ANALYSIS 4643 Fig. 14. Detection rates and false alarm rates of each node’s detectors when S2 is protected from Attacks I. Fig. 12. Trajectories of ẽi,j,k when S2 is protected from Attacks I. (a) ẽ1,j,k ; (b) ẽ2,j,k ; (c) ẽ3,j,k . the sensor node S2 . In Fig. 14, the DFDI attack sequences can be detected in the sensor nodes S2 and S3 since the detection rates increase to one hundred percent. Although Attacks I deceive S1 within the simulation time, the alarms of S2 or S3 can be reported to S1 with just a flag bit. As a result, the sensor protection scheme ensures Attacks I to be exposed in each node. VII. CONCLUSION Fig. 13. Trajectories of z̃i,k and from Attacks I. (a) z̃i,k ; (b) k k z̃ p=0 i,p when S2 is protected z̃ . p=0 i,p From system eigenvalues and attack targets, we investigate how DFDI attacks destabilize all observers and hold complete stealthiness against state omniscience. The results show that DFDI attacks can even cause such global destruction by only compromising a part of sensor nodes. Moreover, the attack sequences are designed to achieve the abovementioned objective with the elaborate match of the attack parameters. In addition, these attack sequences are improved to maintain real values by involving multiple system eigenvalues. Finally, the security of state omniscience under DFDI attacks is analyzed from the interaction weights of distributed observers and the protection scheme of sensors. In future works, we will focus on the security of multiagent systems and complex dynamic networks under perfect FDI attacks. APPENDIX A detection rates of the detectors increase in these nodes, which is shown in Fig. 11. Especially, the detection rates of the residualenergy-based detectors in S2 and S3 increase to one hundred percent. As a result, although DFDI attacks without complete stealthiness can destabilize the estimation error dynamics in each node, their stealthy capacities against the residual-based and residual-energy-based detectors are much weaker than DFDI attacks with complete stealthiness. 2) Sensor Protection Scheme: According to Theorem 6, Attacks I cannot achieve the attack objective in Definition 3 when the measurement output of S2 or S3 is protected. Consider that I, then Figs. 12 and 13 depict that S2 is protected from Attacks ei,k , z̃i,k , and kp=0 z̃i,p diverge in each sensor node. Therefore, the stealthiness of Attacks I is broken by protecting A. Proof of Lemma 2 Based on (9), one has ⎡ ∞ p (W ⊗ A) = [Ua p=0 ∞ Jap ⎢p=0 Ub ] ⎢ ⎣ 0 ⎤ ⎥ Va ⎥ ∞ ⎦ V b Jp 0 p=0 b which leads to ⎡ ∞ p=0 ∞ ⎢p=0 V (W ⊗ A)p U V νp = ⎢ ∞ ⎣ p=0 Jap Va νp Jbp Vb νp ⎤ ⎥ ⎥ ⎦ Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. 4644 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 68, NO. 8, AUGUST 2023 Va =∞· φ + V φ̄. Vb (19) Since ρ(Jb ) < 1 and νp is a constant vector, there exists a constant ν̄ ≥ νp such that ∞ ∞ Vb ν̄ p Jb Vb ν p ≤ Jb p Vb ν̄ ≤ < ∞. 1 − Jb p=0 p=0 for any sensor node. As a result, ρ(W ⊗ A) ≥ 1 is established if perfect DFDI attacks with complete stealthiness can be achieved in the distributed observers (5). Next, we prove that there exist no perfect DFDI attacks with complete stealthiness if condition (ii) is violated. According to Lemma 2, when limk→∞ ẽi,k = ∞ is established for any node, one has p This implies that ∞ constant vector. Therefore, p=0 Jb Vb νp is a ∞ p p p=0 Ja Va νp = ∞ holds if ∞ p=0 (W ⊗ A) νp = ∞. Then, it is obtained from (19) that Va φ = 0 and Vb φ = 0. Define u1 , . . . , us̄ as the columns of Ua and us̄+1 , . . . , uN n as the columns of Ub . Since U is a full-rank matrix, the vector φ = 0 is represented as φ = l1 u1 + · · · + lN n uN n , where the constants l1 , . . . , lN n are not all zero. However, if ls̄+1 , . . . , lN n are not all zero, then we have Vb φ = 0 that violates Vb φ = 0. As a result, φ is rewritten as φ = l1 u1 + · · · + ls̄ us̄ . Due to Va φ = 0, there exists at least one constant li = 0 for i ∈ {1, . . . , s̄}, which implies φ ∈ span(Ua ). B. Proof of Lemma 2 (If) If Ci vqA ∈ span(Γi ) is established for any sensor node, then there exist the constant vectors δ1,q , . . . , δN,q such that W T W T δ1,q , . . . , vN,q δN,q ]T Ci vqA = Γi δi,q , ∀i ∈ V. Denote δq [v1,q W W W with vi,q being the ith entry of vq . Since vq has no zero entries, the equation C̄(vqW ⊗ vqA ) = Γ̄δq holds, which means C̄vq ∈ span(Γ̄). (Only if) When C̄vq ∈ span(Γ̄) is satisfied, there exists a constant vector δq such that C̄vq = Γ̄δq . Hence, it is obtained that Ci vqA = Γi δi,q , ∀i ∈ V. As a result, Ci vqA ∈ span(Γi ) holds for any sensor node. lim ẽk = ∞ · k→∞ s̄ lq uq + φ̄ (22) q=1 where l1 · · · , ls̄ are constants and at least one of them is nonzero. / span(Γ̄) holds for any q ∈ {1, . . . , s̄}, it Furthermore, if C̄uq ∈ can be deduced that s̄ (23) lim z̃k = ∞ · lq C̄uq + Γ̄ak + φ̄ = ∞ k→∞ q=1 which violates Definition 3. In conclusion, at least one vector uq ∈ cs(Ua ) satisfies C̄uq ∈ span(Γ̄) if there exist perfect DFDI attacks with complete stealthiness in the distributed observers (5). D. Proof of Proposition 3 First, we deduce the solution of the error dynamics (6) under the DFDI attack sequences (10). It is easy to see the initial value of Ek is zero, i.e., E0 = 0. Due to Γ̄δq = C̄vq , for k ∈ N[1, τq1 + 1), Ek is described by Ek = (W ⊗ A − L̄C̄)Ek−1 + L̄C̄ κq λk−1 vq (24) q q∈S which follows that Ek − ⎛ κq λkq vq = (W ⊗ A − L̄C̄) ⎝Ek−1 − q∈S C. Proof of Theorem 2 ⎞ κq λk−1 vq ⎠ . q q∈S (25) Here, we analyze if condition (i) is violated, then there exist no perfect DFDI attacks with complete stealthiness in the distributed observers (5). When ρ(W ⊗ A) < 1 holds, one obtains W ⊗ A < 1 according to Lemma 1. From (8), the Euclidean norm of ẽk satisfies k−1 √ ẽk ≤ N nU G−1 L̄ z̃p W ⊗ Ak−p−1 p=0 (20) where < 1 − ρ(W ⊗ A). For any k ∈ N[0, ∞), z̃i,k ≤ α and kp=0 z̃i,p ≤ β both mean that z̃k ≤ ᾱ holds for a constant ᾱ. Based on norm equivalence, there exists a constant α̃ that z̃k ≤ α̃, ∀k ∈ N[0, ∞). Furthermore, we have such ∞ p −1 and p=0 W ⊗ A = (1 − W ⊗ A ) √ N nU G−1 L̄ α̃ <∞ (21) lim ẽk ≤ k→∞ 1 − W ⊗ A which violates limk→∞ ẽi,k = ∞, ∀i ∈ V. Therefore, if ρ(W ⊗ A) < 1, then limk→∞ ẽi,k = ∞ and z̃i,k ≤ α (or kp=0 z̃i,p ≤ β), ∀k ∈ N[0, ∞), cannot hold simultaneously Then, (25) is iterated as ⎛ Ek = (W ⊗ A − L̄C̄)k ⎝E0 − ⎞ κq v q ⎠ + q∈S κq λkq vq . q∈S (26) Combing (26) with E0 = 0 results in Ek = − κq (W ⊗ A − L̄C̄)k vq + κq λkq vq q∈S (27) q∈S for k ∈ N[0, τq1 + 1). To obtain the solution of Ek for k ∈ N[τq1 + 1, τqs∗ + 1), the dynamics of Eτq1 +1 are first studied as a guide. Supposing τq1 < τq2 , one obtains τ Eτq1 +1 = (W ⊗ A − L̄C̄)Eτq1 + L̄C̄μq1 κq1 λq1q1 vq1 + L̄C̄ κq λτqq vq (28) q∈S\q1 which is equivalent to τ Eτq1 +1 − μq1 κq1 λq1q1 +1 v q1 − κq λqτq +1 vq q∈S\q1 Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. ZHANG et al.: DFDI ATTACKS AGAINST STATE OMNISCIENCE: EXISTENCE AND SECURITY ANALYSIS ⎛ = (W ⊗ A − L̄C̄) ⎝Eτq1 − − (μq1 − ⎞ and for k ∈ N[τqs∗ + 1, ∞) κq λτqq vq ⎠ q∈S ẽk = − τ 1)κq1 λq1q1 (W k + τq τ − (μq1 − 1)κq1 λq1q1 (W ⊗ A − L̄C̄)vq1 . (29) Therefore, we have the following dynamics of Ek for k ∈ N[τqr + 1, τqr+1 + 1). μq κq λk−1 vq Ek = (W ⊗ A − L̄C̄)Ek−1 + L̄C̄ q q∈Sk−1 ∗ q∈Sk−1 κq λk−1 vq . q (30) Here, Sk−1 = {q1 , . . . , qr } for k ∈ N[τqr + 1, τqr+1 + 1). Then, it can be deduced from (30) that κq (W ⊗ A − L̄C̄)k vq Ek = − q∈S + μq κq λkq vq + q∈Sk−1 − ∗ q∈Sk−1 κq λkq vq (μq − 1)κq λτqq (W ⊗ A − L̄C̄)k−τq vq . (31) − − (35) As a result, (33)–(35) constitute solution (12) of the error dynamics (6) under the attack sequences (10). Second, the solution of the residual dynamics (7) is analyzed. For k ∈ N[0, τq1 ), we have κq λkq vq Zk = C̄Ek − C̄ = − ẽk = − κq (W ⊗ A − L̄C̄) vq + q∈S p=0 k (32) κq λpq vq q∈S p=0 (33) ẽk = − τq κq λpq vq + q∈Sk−1 p=0 − ∗ q∈Sk−1 p=0 κq (W ⊗ A − L̄C̄)p vq + q∈S p=0 + k k k κq C̄(W ⊗ A − L̄C̄)k vq . (36) Next, it is obtained that for k ∈ N[τqr , τqr+1 ) μq κq λkq vq − C̄ κq λkq vq Zk = C̄Ek − C̄ = − q∈Sk∗ q∈Sk κq C̄(W ⊗ A − L̄C̄)k vq (μq − 1)κq λτqq C̄(W ⊗ A − L̄C̄)k−τq vq . (37) Based on (32), for k ∈ N[τqs∗ , ∞) μq κq λkq vq Zk = C̄Ek − C̄ = − q∈S κq C̄(W ⊗ A − L̄C̄)k vq q∈S − (μq − 1)κq λτqq C̄(W ⊗ A − L̄C̄)k−τq vq . In light of (36)–(38), the solutions for the dynamics of z̃k obey that for k ∈ N[0, τq1 ) z̃k = − κq λpq vq μq κq λpq vq (38) q∈S for k ∈ N[τqr + 1, τqr+1 + 1) k q∈S q∈Sk Based on (27), (31), and (32), the solutions for the dynamics of ẽk satisfy that for k ∈ N[0, τq1 + 1) p q∈S q∈S k (μq − 1)κq λτqq (W ⊗ A − L̄C̄)p−τq vq . q∈S p=τq +1 − q∈S (μq − 1)κq λτqq (W ⊗ A − L̄C̄)k−τq vq . μq κq λpq vq q∈S Similarly, for k ∈ N[τqs∗ + 1, ∞), one has Ek = − κq (W ⊗ A − L̄C̄)k vq + μq κq λkq vq q∈S k q∈S p=τq +1 k q∈Sk−1 κq λpq vq + q∈S p=0 q∈S + L̄C̄ κq (W ⊗ A − L̄C̄)p vq q∈S p=0 ⊗ A − L̄C̄)vq1 ⎛ ⎞ = (W ⊗ A − L̄C̄)τq1 +1 ⎝E0 − κq v q ⎠ 4645 k κq C̄(W ⊗ A − L̄C̄)p vq (39) q∈S p=0 for k ∈ N[τqr τqr+1 ) z̃k = − q∈Sk−1 p=τq +1 k κq C̄(W ⊗ A − L̄C̄)p vq q∈S p=0 (μq − 1)κq λτqq (W ⊗ A − L̄C̄)p−τq vq q∈Sk−1 p=τq +1 − k q∈Sk p=τq (34) (μq − 1)κq λτqq C̄(W ⊗ A − L̄C̄)p−τq vq (40) Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. 4646 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 68, NO. 8, AUGUST 2023 and for k ∈ N[τqs∗ , ∞) z̃k = − κq k where πk = k − τq + 1 for k ∈ N[τq , ∞), and πk = 0 otherwise. Then, we obtain that k p (47) z̃k ≤ |κq |C̄ (W ⊗ A − L̄C̄) vq . C̄(W ⊗ A − L̄C̄)p vq q∈S p=0 − k q∈S p=τq p=πk q∈S (μq − 1)κq λτqq C̄(W ⊗ A − L̄C̄)p−τq vq . (41) With ρ(W ⊗ A − L̄C̄) < 1, one has k (W ⊗ A − L̄C̄)p vq p=0 As a result, solution (13) of the residual dynamics (7) is inferred from (39) to (41). k ≤ √ p N nÛ G−1 ∗ W ⊗ A − L̄C̄ vq p=0 E. Proof of Theorem 3 and k p (W ⊗ A − L̄ C̄) v q p=k−τq +1 (If) According to (12) in Proposition 3, it can be obtained that lim ẽk = − κq Ψq,∞ − (μq − 1)κq λτqq Ψ̄q,∞ k→∞ q∈S + τq q∈S κq λpq vq q∈S p=0 where k−τq Ψq,k + ∞ μq κq λpq vq (42) q∈S p=τq +1 k p=0 (W L̄C̄)p vq . p ⊗ A − L̄C̄) vq Ψ̄q,k and Due to ρ(W ⊗ A − L̄C̄) < 1, p=1 (W ⊗ A − Ψq,∞ and Ψ̄q,∞ can be solved by (I − W ⊗ A + L̄C̄)Ψq,∞ = vq (43) (I − W ⊗ A + L̄C̄)Ψ̄q,∞ = (W ⊗ A − L̄C̄)vq . (44) Note that the first three items in the right-hand side of (42) are all constant vectors. For any q ∈ S, one has λq > 1, which q > 0. Thus, if there is κq = 0, q ∈ S, means μq = 1 − λ−τ ∞ q W A then q∈S p=τq +1 μq κq λpq vi,q vq = ∞ is established for W any i ∈ V since vq has no zero entries and vqA1 , . . . , vqAs∗ are linearly independent. As a result, limk→∞ ei,k = ∞, ∀i ∈ V, is obtained. Based on (13), z̃k is described as (κq + (μq − 1)κq λτqq )C̄Ψq,∞ . (45) lim z̃k = − k→∞ q∈S If (1 − μq )λτqq − 1 = 0, ∀q ∈ Sκ , then (1 + (μq − 1)λτqq )κq = 0 holds for any q ∈ S, which implies limk→∞ z̃k = 0. Moreover, the upper bound of z̃k under condition (14) is investigated. According to (14), we can rewrite (13) as follows: z̃k = − k k ≤ Fq,k kp=0 W ⊗ Due to W ⊗ A − L̄C̄ < 1, and Gq,k kp=k−τq +1 W ⊗ A − A − L̄C̄p vq L̄C̄p vq are monotonically increasing for k ∈ N[0, τq ) and decreasing for k ∈ N[τq , ∞), respectively. Hence, it is obtained that for k ∈ N[0, τq ) k √ (W ⊗ A − L̄C̄)p vq ≤ N nÛ G−1 ∗ Fq,τq −1 p=π k and for k ∈ N[τq , ∞) k √ (W ⊗ A − L̄C̄)p vq ≤ N nÛ G−1 ∗ Gq,τq . p=πk ∞ p Further considering p=0 W ⊗ A − L̄C̄ vq = (1 − W ⊗ A − L̄C̄ )−1 vq > Fq,τqr −1 > Gq,τqr , the upper bound of z̃k satisfies (15) at any time. As a result, there exists a constant α such that z̃i,k ≤ α, ∀k ∈ N[0, ∞) when z̃k is bounded at any time. By (13), kp=0 z̃p is described as k z̃p = − p=0 − − = − + p q∈S p=πk k p−τ q k p−τ q q∈Sk p=τq l=0 κq C̄(W ⊗ A − L̄C̄) vq κq C̄(W ⊗ A − L̄C̄)p vq κq C̄(W ⊗ A − L̄C̄)l vq q∈Sk p=τq l=0 κq C̄(W ⊗ A − L̄C̄) vq μq κq λτqq C̄(W ⊗ A − L̄C̄)l vq κq λτqq C̄(W ⊗ A − L̄C̄)l vq (48) which follows from (1 − μq )λτqq − 1 = 0, ∀q ∈ Sκ that q∈Sk p=k−τq +1 k p k q∈S p=0 l=0 p k p N nÛ G−1 ∗ W ⊗ A − L̄C̄ vq . p=k−τq +1 q∈Sk∗ p=0 √ (46) k p=0 z̃p = − p k κq C̄(W ⊗ A − L̄C̄)l vq q∈Sk∗ p=0 l=0 Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. ZHANG et al.: DFDI ATTACKS AGAINST STATE OMNISCIENCE: EXISTENCE AND SECURITY ANALYSIS k − p κq C̄(W ⊗ A − L̄C̄)l vq q∈Sk p=τq l=p−τq +1 q −1 p τ − κq C̄(W ⊗ A − L̄C̄)l vq q∈Sk p=0 l=0 k = − p κq C̄(W ⊗ A − L̄C̄)l vq q∈Sk p=τq l=p−τq +1 − p k−π k κq C̄(W ⊗ A − L̄C̄)l vq . (49) q∈S p=0 l=0 Then, we have k k ≤ z̃ |κ | C̄ p q (W ⊗ A − L̄C̄)l vq p=τq l=p−τq +1 q∈Sk k−π p k + |κq |C̄ (W ⊗ A − L̄C̄)l vq . p=0 p p=0 l=0 q∈S (50) Based on Lemma 1, the last term of (50) satisfies k−π p k l (W ⊗ A − L̄C̄) vq p=0 l=0 ≤ k−π k p √ l N nÛ G−1 ∗ W ⊗ A − L̄C̄ vq . by contradiction, if Ψq1 ,∞ , . . . , Ψqs∗ ,∞ are linearly dependent, then there exist the constants lq1 , . . . , lqs∗ such that lq1 Ψq1 ,∞ + · · · + lqs∗ Ψqs∗ ,∞ = 0. Combining with Ψq,∞ = (I − W ⊗ A + L̄C̄)−1 vq , one has (I − W ⊗ A + L̄C̄)−1 (lq1 vq1 + · · · + lqs∗ vqs∗ ) = 0. Then, lq1 vq1 + · · · + lqs∗ vqs∗ = 0 holds since I − W ⊗ A + L̄C̄ is full rank, which violates the linear independence of vq1 , . . . , vqs∗ . As a result, Ψq1 ,∞ , . . . , Ψqs∗ ,∞ are linearly independent. Then, we prove that the attack sequences (10) violate Definition 3 if (14) is not established. When κq = 0, ∀q ∈ S, holds, it is easy to see limk→∞ ẽk = 0 according to (42), which violates Definition 3. If (1 − μq )λτqq − 1 = 0, ∃q ∈ Sκ , then there exists q ∈ S such that (1 + (μq − 1)λτqq )κq = 0. Since Ψ q1 ,∞ , . . . , Ψqs∗ ,∞ are linearly independent, one obtains q∈S (κq + (μq − 1)κq λτqq )Ψq,∞ = 0. Thus, when (1 − μq )λτqq − 1 = 0, ∃q ∈ Sκ , is established, there are system parameters (e.g. C̄ is row full rank) such that q∈S (κq + (μq − 1)κq λτqq )C̄Ψq,∞ = 0, which implies limk→∞ z̃i,k = 0, ∃i ∈ V according to (45). Furthermore, we intend to prove that the index (iv) is also violated if (1 − μq )λτqq − 1 = 0, ∃q ∈ Sκ . Let us rewrite (48) as k z̃p = − p=0 p=0 l=0 Furthermore, it can be deduced from (50) that p k l (W ⊗ A − L̄C̄) vq p=τq l=p−τq +1 ≤ k p p=τq l=p−τq +1 k √ l N nÛ G−1 ∗ W ⊗ A − L̄C̄ vq . p κq C̄Ξq,k − q∈S q∈Sk where Ξq,k satisfies p=0 p l=0 (W ⊗ A − L̄C̄)l vq . Notice that Ξq,k (I − W ⊗ A + L̄C̄)Ξq,k = − k (W ⊗ A − L̄C̄)p+1 vq + kvq p=0 which implies (I − W ⊗ A + L̄C̄)Ξq,∞ =−Ψ̄q,∞ + ∞ limk→∞ kvq . Based on (51), it is obtained that p=0 z̃p = τq − q∈S ηq C̄Ξq,∞ , where ηq (1 + (μq − 1)λq )κq . If (1 − μq )λτqq − 1 = 0, ∃q ∈ Sκ , i.e., ηq = 0, ∃q ∈ S, is satisfied, then there exist system parameters (e.g., C̄ is row full rank) such that ∞ p=0 z̃p = ∞. In conclusion, (14) holds if the attack sequences (10) satisfy Definition 3 in arbitrary distributed observers that conform to (5) with W ∈ W, ρ(W ⊗ A) > 1 and ρ(W ⊗ A − L̄C̄) < 1. F. Proof of Corollary 3 L̄C̄l vq where Lq,k p=τq l=p−τq +1 W ⊗ A − is also monotonically increasing for k ∈ N[0, Combinτ∞). q W ⊗ A − ing with Lq,∞ = (1 − W ⊗ A − L̄C̄ )−1 p=1 L̄C̄p vq , the upper bound of kp=0 z̃p satisfies (16) at any time. As a result, there exists a constant β such that kp=0 z̃i,p ≤ β, ∀k ∈ N[0, ∞), since kp=0 z̃p is bounded for any time. In conclusion, the attack indexes in Definition 3 are achieved by the attack sequences (10) if (14) is established. (Only if) To analyze the necessity, we first prove that Ψq1 ,∞ , . . . , Ψqs∗ ,∞ are linearly independent. Based on the proof (μq − 1)κq λτqq C̄Ξq,k−τq (51) k p=0 l=0 Obviously, Hk,q = kp=0 pl=0 W ⊗ A − L̄C̄l vq is monotonically increasing for k ∈ N[0, ∞), which results in k−π p √ k l (W ⊗ A − L̄C̄) vq ≤ N nÛ G−1 ∗ Hq,τq −1 . 4647 Combined with (13) and (14), lows: ∞ z̃p = − p=0 q −1 p τ ∞ p=0 z̃p is described as fol- κq C̄(W ⊗ A − L̄C̄)l vq q∈S p=0 l=0 − ∞ p κq C̄(W ⊗ A − L̄C̄)l vq . (52) q∈S p=τq l=p−τq +1 Define Θq,k kp=τq pl=p−τq +1 (W ⊗ A − L̄C̄)l vq , then it is τq obtained that Θq,∞ = (I − W ⊗ A + L̄C̄)−1 p=1 (W ⊗ A − Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. 4648 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 68, NO. 8, AUGUST 2023 L̄C̄)p vq . Substituting Ξq,k and Θq,∞ into (52) results in ∞ p=0 z̃p = − κq C̄Δq = − q∈S κq C̄(Ξq,τq −1 + Θq,∞ ). q∈S (53) As a result, ∞ q∈S κq Ci Δq,i holds since C̄ p=0 z̃i,p = is block diagonal. G. Proof of Theorem 4 The global model of the DFDI attack sequences (10) is given as ak+1 = ak − θq,k+1 λk+1 δq . q (54) q∈S Consider an imaginary eigenvalue λq ∈ ΛP (W ⊗ A), which corresponds to an imaginary eigenvector vq ∈ ΩP (W ⊗ A). Due to ((λq IN n − W ⊗ A)vq )∗ = (λ∗q IN n − W ⊗ A)vq∗ , there is an imaginary eigenvalue and an imaginary eigenvector of W ⊗ A that satisfy λq̄ = λ∗q and vq̄ = vq∗ , respectively. According to C̄vq = Γ̄δq , δq and δq̄ are also conjugate. Hence, by choosing κq = κq̄ ∈ R, we obtain θq,k λkq δq + θq̄,k λkq̄ δq̄ = 2κq Re{λkq δq } for any k ∈ N[0, τq ). Then, for k ∈ N[τq , ∞), one has θq,k λkq = q κq (λkq − λk−τ ) based on (14), which implies θq,k λkq δq + q k q θq̄,k λq̄ δq̄ = 2κq Re{(λkq − λk−τ )δq } with τq = τq̄ ∈ N[1, ∞) q ∗ and μq = μq̄ . As a result, ak is real number for any time unq der κq = κq̄ ∈ R, τq = τq̄ ∈ N[1, ∞) and μq = μ∗q̄ = 1 − λ−τ q , ∀q ∈ S. REFERENCES [1] E. Hashemi, M. Pirani, B. Fidan, A. Khajepour, S. Chen, and B. Litkouhi, “Distributed robust vehicle state estimation,” in Proc. IEEE Intell. Veh. Symp., 2017, pp. 693–698. [2] J. Zeng, J. Liu, T. Zou, and D. Yuan, “State estimation of wastewater treatment processes using distributed extended Kalman filters,” in Proc. IEEE Conf. Decis. Control, 2016, pp. 6721–6726. [3] M. H. Cintuglu and D. Ishchenko, “Secure distributed state estimation for networked microgrids,” IEEE Internet Things J., vol. 6, no. 5, pp. 8046–8055, Oct. 2019. [4] U. A. Khan and A. Jadbabaie, “On the stability and optimality of distributed Kalman filters with finite-time data fusion,” in Proc. Amer. Control Conf., 2011, pp. 3405–3410. [5] R. Olfati-Saber, “Distributed Kalman filtering for sensor networks,” in Proc. IEEE Conf. Decis. Control, 2007, pp. 5492–5498. [6] S. Battilotti and M. Mekhail, “Distributed estimation for nonlinear systems,” Automatica, vol. 107, pp. 562–573, Sep. 2019. [7] I. Matei and J. S. Baras, “Consensus-based linear distributed filtering,” Automatica, vol. 48, no. 8, pp. 1776–1782, Aug. 2012. [8] G. Battistelli, L. Chisci, G. Mugnai, A. Farina, and A. Graziano, “Consensus-based linear and nonlinear filtering,” IEEE Trans. Autom. Control, vol. 60, no. 5, pp. 1410–1415, May 2015. [9] S. Park and N. C. Martins, “Design of distributed LTI observers for state omniscience,” IEEE Trans. Autom. Control, vol. 62, no. 2, pp. 561–576, Feb. 2017. [10] A. Mitra and S. Sundaram, “Distributed observers for LTI systems,” IEEE Trans. Autom. Control, vol. 63, no. 11, pp. 3689–3704, Nov. 2018. [11] L. Wang and A. S. Morse, “A distributed observer for a time-invariant linear system,” IEEE Trans. Autom. Control, vol. 63, no. 7, pp. 2123–2130, Jul. 2018. [12] W. Han, H. L. Trentelman, Z. Wang, and Y. Shen, “A simple approach to distributed observer design for linear systems,” IEEE Trans. Autom. Control, vol. 64, no. 1, pp. 329–336, Jan. 2019. [13] T. Kim, C. Lee, and H. Shim, “Completely decentralized design of distributed observer for linear systems,” IEEE Trans. Autom. Control, vol. 65, no. 11, pp. 4664–4678, Nov. 2020. [14] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “A secure control framework for resource-limited adversaries,” Automatica, vol. 51, pp. 135–148, Jan. 2015. [15] C. Zhou, B. Hu, Y. Shi, Y. Tian, X. Li, and Y. Zhao, “A unified architectural approach for cyberattack-resilient industrial control systems,” Proc. IEEE, vol. 109, no. 4, pp. 517–541, Apr. 2021. [16] Y. Li, L. Shi, P. Cheng, J. Chen, and D. E. Quevedo, “Jamming attacks on remote state estimation in cyber-physical systems: A game-theoretic approach,” IEEE Trans. Autom. Control, vol. 60, no. 10, pp. 2831–2836, Oct. 2015. [17] Q. Sun, J. Chen, and Y. Shi, “Event-triggered robust MPC of nonlinear cyber-physical systems against DoS attacks,” Sci. China Inf. Sci., vol. 65, Jan. 2022, Art. no. 110202. [18] C. Deng, D. Zhang, and G. Feng, “Resilient practical cooperative output regulation for MASs with unknown switching exosystem dynamics under DoS attacks,” Automatica, vol. 139, May. 2022, Art. no. 110172. [19] Y. Mo, R. Chabukswar, and B. Sinopoli, “Detecting integrity attacks on SCADA systemss,” IEEE Trans. Control Syst. Technol., vol. 22, no. 4, pp. 1396–1407, Jul. 2014. [20] C.-Z. Bai, V. Gupta, and F. Pasqualetti, “On Kalman filtering with compromised sensors: Attack stealthiness and performance bounds,” IEEE Trans. Autom. Control, vol. 62, no. 12, pp. 6641–6648, Dec. 2017. [21] Z. Guo, D. Shi, K. H. Johansson, and L. Shi, “Worst-case stealthy innovation-based linear attack on remote state estimation,” Automatica, vol. 89, pp. 117–124, Mar. 2018. [22] J. Shang, H. Yu, and T. Chen, “Worst-case stealthy attacks on stochastic event-based state estimation,” IEEE Trans. Autom. Control, vol. 67, no. 4, pp. 2052–2059, Apr. 2021. [23] P. Cheng, Z. Yang, J. Chen, Y. Qi, and L. Shi, “An event-based stealthy attack on remote state estimation,” IEEE Trans. Autom. Control, vol. 65, no. 10, pp. 4348–4355, Oct. 2020. [24] H. Song, P. Shi, C.-C. Lim, W.-A. Zhang, and L. Yu, “Attack and estimator design for multi-sensor systems with undetectable adversary,” Automatica, vol. 109, Nov. 2019, Art. no. 108545. [25] Y. Mo and B. Sinopoli, “False data injection attacks in control systems,” in Proc. 1st Workshop Secure Control Syst., Stockholm, Sweden, 2010, paper 7. [26] A.-Y. Lu and G.-H. Yang, “Malicious attacks on state estimation against distributed control systems,” IEEE Trans. Autom. Control, vol. 65, no. 9, pp. 3911–3918, Sep. 2020. [27] J. Huang, D. W. C. Ho, F. Li, W. Yang, and Y. Tang, “Secure remote state estimation against linear man-in-the-middle attacks using watermarking,” Automatica, vol. 121, Nov. 2020, Art. no. 109182. [28] M. Showkatbakhsh, Y. Shoukry, S. N. Diggavi, and P. Tabuada, “Securing state reconstruction under sensor and actuator attacks: Theory and design,” Automatica, vol. 116, Jun. 2020, Art. no. 108920. [29] L. An and G.-H. Yang, “Distributed secure state estimation for cyberphysical systems under sensor attacks,” Automatica, vol. 107, pp. 526–538, Sep. 2019. [30] W. Yang, Y. Zhang, G. Chen, C. Yang, and L. Shi, “Distributed filtering under false data injection attacks,” Automatica, vol. 102, pp. 34–44, Apr. 2019. [31] M. Deghat, V. Ugrinovskii, I. Shames, and C. Langbort, “Detection and mitigation of biasing attacks on distributed estimation networks,” Automatica, vol. 99, pp. 369–381, Jan. 2019. [32] J. Yang, W.-A. Zhang, and F. Guo, “Adaptive distributed Kalman-like filter for power system with cyber attacks,” Automatica, vol. 137, Mar. 2022, Art. no. 110091. [33] F. Pasqualetti, F. Dörfler, and F. Bullo, “Attack detection and identification in cyber-physical systems,” IEEE Trans. Autom. Control, vol. 58, no. 11, pp. 2715–2729, Nov. 2013. [34] Y. Chen, S. Kar, and J. M. F. Moura, “Dynamic attack detection in cyberphysical systems with side initial state information,” IEEE Trans. Autom. Control, vol. 62, no. 9, pp. 4618–4624, Sep. 2017. [35] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, “False data injection on state estimation in power systems—Attacks, impacts, and defense: A. survey,” IEEE Trans. Ind. Informat., vol. 13, no. 2, pp. 411–423, Apr. 2017. [36] Z. Zhao, Y. Huang, Z. Zhen, and Y. Li, “Data-driven false data-injection attack design and detection in cyber-physical systems,” IEEE Trans. Cybern., vol. 51, no. 12, pp. 6179–6187, Dec. 2021. Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply. ZHANG et al.: DFDI ATTACKS AGAINST STATE OMNISCIENCE: EXISTENCE AND SECURITY ANALYSIS [37] L. Hu, Z. Wang, Q.-L. Han, and X. Liu, “State estimation under false data injection attacks: Security analysis and system protection,” Automatica, vol. 87, pp. 176–183, Jan. 2018. [38] A.-Y. Lu and G.-H. Yang, “Malicious adversaries against secure state estimation: Sparse sensor attack design,” Automatica, vol. 136, Feb. 2022, Art. no. 110037. [39] Z.-H. Pang, G.-P. Liu, D. Zhou, F. Hou, and D. Sun, “Two-channel false data injection attacks against output tracking control of networked systems,” IEEE Trans. Ind. Electron., vol. 63, no. 5, pp. 3242–3251, May 2016. [40] Q. Zhang, K. Liu, Y. Xia, and A. Ma, “Optimal stealthy deception attack against cyber-physical systems,” IEEE Trans. Cybern., vol. 50, no. 9, pp. 3963–3972, Sep. 2020. [41] W. Xu, Z. Wang, L. Hu, and J. Kurths, “State estimation under joint false data injection attacks: Dealing with constraints and insecurity,” IEEE Trans. Autom. Control, to be published, doi: 10.1109/TAC.2021.3131145. [42] T. Sui and X. M. Sun, “The vulnerability of distributed state estimator under stealthy attacks,” Automatica, vol. 133, Nov. 2021, Art. no. 109869. [43] T.-Y. Zhang and D. Ye, “False data injection attacks with complete stealthiness in cyber-physical systems: A self-generated approach,” Automatica, vol. 120, Oct. 2020, Art. no. 109117. [44] D. Ye and T.-Y. Zhang, “Summation detector for false data-injection attack in cyber-physical systems,” IEEE Trans. Cybern., vol. 50, no. 6, pp. 2338–2345, Jun. 2020. [45] K. Ogata, Discrete-Time Control Systems. Englewood Cliffs, NJ, USA: Prentice-Hall, 1987. [46] W. Lin and C. I. Byrnes, “Remarks on linearization of discrete-time autonomous systems and nonlinear observer design,” Syst. Control Lett., vol. 25, no. 1, pp. 31–40, May 1995. [47] L. An and G.-H. Yang, “Secure state estimation against sparse sensor attacks with adaptive switching mechanism,” IEEE Trans. Autom. Control, vol. 63, no. 8, pp. 2596–2603, Aug. 2018. Tian-Yu Zhang (Member, IEEE) received the B.S. degree in electrical engineering and automation from the North China University of Science and Technology, Tangshan, China, in 2016 and the M.S. and Ph.D. degrees in control science and engineering from Northeastern University, Shenyang, China, in 2018 and 2022, respectively. He is currently a Postdoctoral Research Fellow with the College of Information Science and Engineering, Northeastern University, Shenyang, China. His research interests include security of cyberphysical systems, distributed estimation, and multiagent systems. Dr. Zhang was the recipient of the fellowship of China National Postdoctoral Program for Innovative Talents in 2022. 4649 Dan Ye (Senior Member, IEEE) received the B.S. and M.S. degrees in mathematics and applied mathematics from Northeast Normal University, Changchun, China, in 2001 and 2004, respectively, and the Ph.D. degree in control theory and engineering from Northeastern University, Shenyang, China, in 2008. She was a Lecturer with the Northeastern University from 2008 to 2010. She is currently a Professor of the College of Information Science and Engineering, Northeastern University. Her research interest includes fault-tolerant control, robust control, adaptive control, and security of cyber-physical systems. Yang Shi (Fellow, IEEE) received the Ph.D. degree in electrical and computer engineering from the University of Alberta, Edmonton, AB, Canada, in 2005. From 2005 to 2009, he was an Assistant Professor and Associate Professor with the Department of Mechanical Engineering, University of Saskatchewan, Saskatoon, SK, Canada. In 2009, he joined the University of Victoria, Victoria, BC, Canada, and he is currently a Professor with the Department of Mechanical Engineering, University of Victoria, Victoria, BC, Canada. His current research interests include networked and distributed systems, model predictive control (MPC), cyber-physical systems (CPS), robotics and mechatronics, control of autonomous systems (AUV and UAV), and energy system applications. Dr. Shi was the recipient of the University of Saskatchewan Student Union Teaching Excellence Award in 2007, and the Faculty of Engineering Teaching Excellence Award in 2012 at the University of Victoria (UVic). He is the recipient of the JSPS Invitation Fellowship (short-term) in 2013, the UVic Craigdarroch Silver Medal for Excellence in Research in 2015, the 2017 IEEE TRANSACTIONS ON FUZZY SYSTEMS Outstanding Paper Award, the Humboldt Research Fellowship for Experienced Researchers in 2018. He is currently the Chair of IEEE IES Technical Committee on Industrial Cyber-Physical Systems, and Co-Editor-in-Chief for IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS. He is currently an Associate Editor for Automatica, IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, etc. He is currently a General Chair of the 2019 International Symposium on Industrial Electronics (ISIE) and the 2021 International Conference on Industrial Cyber-Physical Systems (ICPS). He is a Fellow of ASME, CSME, and Engineering Institute of Canada (EIC), and a registered Professional Engineer in British Columbia, Canada. Authorized licensed use limited to: BEIJING INSTITUTE OF TECHNOLOGY. Downloaded on September 08,2023 at 08:55:17 UTC from IEEE Xplore. Restrictions apply.