
Showing papers by "Paulo Tabuada published in 2014"


Journal ArticleDOI
TL;DR: A new simple characterization of the maximum number of attacks that can be detected and corrected as a function of the pair (A,C) of the system is given and it is shown that it is impossible to accurately reconstruct the state of a system if more than half the sensors are attacked.
Abstract: The vast majority of today's critical infrastructure is supported by numerous feedback control loops and an attack on these control loops can have disastrous consequences. This is a major concern since modern control systems are becoming large and decentralized and thus more vulnerable to attacks. This paper is concerned with the estimation and control of linear systems when some of the sensors or actuators are corrupted by an attacker. We give a new simple characterization of the maximum number of attacks that can be detected and corrected as a function of the pair $(A,C)$ of the system and we show in particular that it is impossible to accurately reconstruct the state of a system if more than half the sensors are attacked. In addition, we show how the design of a secure local control loop can improve the resilience of the system. When the number of attacks is smaller than a threshold, we propose an efficient algorithm inspired by techniques in compressed sensing to estimate the state of the plant despite attacks. We give a theoretical characterization of the performance of this algorithm and we show on numerical simulations that the method is promising and allows one to reconstruct the state accurately despite attacks. Finally, we consider the problem of designing output-feedback controllers that stabilize the system despite sensor attacks. We show that a principle of separation between estimation and control holds and that the design of resilient output feedback controllers can be reduced to the design of resilient state estimators.

1,199 citations
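The two results above (a correctability threshold that depends on (A,C), and the impossibility of recovering the state once half the sensors lie) can be seen on a toy system. The block below is an added example written for this page, not code from the paper: it uses a constructed 2-state, 4-sensor system, tests correctability with the criterion "removing any 2q sensors must leave (A,C) observable" (the test this example uses; q < p/2 follows from it), and decodes by exhaustively trying every set of p-q sensors as the trusted set. That exhaustive loop is exactly the combinatorial cost that the SMT-based entries further down this page are designed to avoid.

```python
"""Secure state estimation under sparse sensor attacks (added toy example, numpy only).

System: x_{t+1} = A x_t, y_t = C x_t + e_t, where e_t is nonzero only on an unknown set of
at most q sensors. A, C and the attack signals below are constructed for illustration.
"""
from itertools import combinations
import numpy as np

# Constructed example: 2 states, 4 sensors, T = 2 measurement steps.
A = np.array([[0.0, 1.0], [-1.0, 0.0]])          # rotation by 90 degrees: every single sensor is observable
C = np.array([[1.0, 0.0], [0.0, 1.0], [1.0, 1.0], [1.0, -1.0]])
T = 2


def observability_matrix(A, C, T):
    """Rows c_i A^t, grouped per sensor: rows i*T .. i*T+T-1 belong to sensor i."""
    n = A.shape[1]
    blocks = []
    for c in C:
        At = np.eye(n)
        rows = []
        for _ in range(T):
            rows.append(c @ At)
            At = At @ A
        blocks.append(np.array(rows))
    return np.vstack(blocks)


def max_correctable_attacks(A, C, T):
    """Largest q such that removing ANY 2q sensors leaves (A, C) observable over T steps.
    (This 2q-sensor test is the correctability criterion used by this example.)"""
    p, n = C.shape
    O = observability_matrix(A, C, T)
    best = 0
    for q in range(1, p // 2 + 1):
        for K in combinations(range(p), 2 * q):
            rows = [i * T + t for i in range(p) if i not in K for t in range(T)]
            if not rows or np.linalg.matrix_rank(O[rows]) < n:
                return best
        best = q
    return best


def simulate(A, C, x0, T):
    """Clean measurements Y[t, i] = c_i x_t for t = 0..T-1."""
    X, x = [], np.asarray(x0, dtype=float)
    for _ in range(T):
        X.append(x)
        x = A @ x
    return np.array([C @ xt for xt in X])


def decode(A, C, Y, q, tol=1e-9):
    """Try every set of p-q sensors as the trusted set; return {x0: {attacked sets}} for all
    initial states consistent with at most q attacked sensors. One key means unique recovery."""
    T, p = Y.shape
    O = observability_matrix(A, C, T)
    y = Y.T.reshape(-1)                      # sensor-major: y[i*T + t] = Y[t, i]
    solutions = {}
    for S in combinations(range(p), p - q):
        rows = [i * T + t for i in S for t in range(T)]
        x0 = np.linalg.lstsq(O[rows], y[rows], rcond=None)[0]
        if np.linalg.norm(O[rows] @ x0 - y[rows]) < tol:   # trusted rows explained exactly
            key = tuple(float(v) for v in np.round(x0, 6))
            solutions.setdefault(key, set()).add(tuple(i for i in range(p) if i not in S))
    return solutions


def scenario_one_attack():
    """q = 1 < p/2: sensor 2 lies on both steps; the true x0 = (2, -3) is still recovered."""
    Y = simulate(A, C, [2.0, -3.0], T)
    Y[:, 2] += np.array([10.0, -7.0])       # constructed attack signal on sensor 2
    return decode(A, C, Y, q=1)


def scenario_half_attacked():
    """q = 2 = p/2: sensors 0,1 report state (2,-3), sensors 2,3 report state (1,4).
    Both states explain the data with exactly 2 attacked sensors, so no decoder can tell them apart."""
    Ya = simulate(A, C, [2.0, -3.0], T)
    Yb = simulate(A, C, [1.0, 4.0], T)
    Y = np.hstack([Ya[:, :2], Yb[:, 2:]])
    return decode(A, C, Y, q=2)


if __name__ == "__main__":
    print("max correctable attacks:", max_correctable_attacks(A, C, T))   # 1
    print("one attacked sensor    :", scenario_one_attack())              # {(2.0, -3.0): {(2,)}}
    print("half the sensors       :", scenario_half_attacked())           # two consistent states
```

The second scenario is the attacker's construction behind the "more than half" bound: split the sensors into two halves, feed each half the outputs of a different state, and the data is equally well explained by either state with q = p/2 attacks.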


Proceedings ArticleDOI
01 Dec 2014
TL;DR: A control methodology that unifies control barrier functions and control Lyapunov functions through quadratic programs is developed, which allows for the simultaneous achievement of control objectives subject to conditions on the admissible states of the system.
Abstract: This paper develops a control methodology that unifies control barrier functions and control Lyapunov functions through quadratic programs. The result is demonstrated on adaptive cruise control, which presents both safety and performance considerations, as well as actuator bounds. We begin by presenting a novel notion of a barrier function associated with a set, formulated in the context of Lyapunov-like conditions; the existence of a barrier function satisfying these conditions implies forward invariance of the set. This formulation naturally yields a notion of control barrier function (CBF), yielding inequality constraints in the control input that, when satisfied, again imply forward invariance of the set. Through these constructions, CBFs can naturally be unified with control Lyapunov functions (CLFs) in the context of a quadratic program (QP); this allows for the simultaneous achievement of control objectives (represented by CLFs) subject to conditions on the admissible states of the system (represented by CBFs). These formulations are illustrated in the context of adaptive cruise control, where the control objective of achieving a desired speed is balanced by the minimum following conditions on a lead car and force-based constraints on acceleration and braking.

703 citations
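With a single scalar input, the CLF-CBF quadratic program described above can be solved in closed form, which makes the interplay between the soft performance constraint (CLF, relaxed by a slack δ), the hard safety constraint (CBF) and the actuator bounds easy to inspect. The block below is an added example, not code from the paper: the ACC model (unit mass, time-headway barrier h = D - τ v, gains τ, α, c, p and the 3 m/s² actuator limit) is constructed for illustration.

```python
"""CLF-CBF quadratic program for adaptive cruise control (added example, not the paper's code).

One scalar input u (acceleration per unit mass), so the QP
    min_{u, delta}  u^2 + p*delta^2
    s.t.  CLF (soft):                 a_V*u <= b_V + delta
          CBF, actuator limits (hard): a_i*u <= b_i
collapses to minimising the convex function g(u) = u^2 + p*max(0, a_V*u - b_V)^2 over an
interval, which is done in closed form below instead of with a QP solver.
"""
import math


def unconstrained_minimizer(a_v, b_v, p):
    """Global minimiser of g(u) = u^2 + p*max(0, a_v*u - b_v)^2 (delta eliminated as max(0, a_v*u - b_v))."""
    if a_v == 0.0 or b_v >= 0.0:
        return 0.0                                   # u = 0 already meets the CLF condition with delta = 0
    # b_v < 0: the relaxed branch is active at its stationary point u1, because
    # a_v*u1 - b_v = -b_v / (1 + p*a_v^2) > 0, so u1 is the global minimiser.
    return p * a_v * b_v / (1.0 + p * a_v * a_v)


def solve_clf_cbf_qp(a_v, b_v, hard, p=10.0):
    """hard: list of (a, b) meaning a*u <= b. Returns u*, or None when the hard constraints are infeasible."""
    lo, hi = -math.inf, math.inf
    for a, b in hard:
        if a > 0.0:
            hi = min(hi, b / a)
        elif a < 0.0:
            lo = max(lo, b / a)
        elif b < 0.0:
            return None                              # 0 <= b is violated
    if lo > hi:
        return None
    # g is convex, so its minimiser over [lo, hi] is the projection of the free minimiser.
    return min(max(unconstrained_minimizer(a_v, b_v, p), lo), hi)


def acc_constraints(v, D, v_lead, v_des, tau=1.8, alpha=1.0, c=1.0, a_max=3.0):
    """Follower speed v, gap D to the lead car, lead speed v_lead, desired speed v_des.
    Dynamics (constructed, unit mass): dv/dt = u, dD/dt = v_lead - v.
      CLF  V = (v - v_des)^2,  Vdot + c*V <= delta   ->  2(v - v_des)*u <= delta - c*(v - v_des)^2
      CBF  h = D - tau*v,      hdot + alpha*h >= 0   ->  tau*u <= (v_lead - v) + alpha*(D - tau*v)
      actuator limits: -a_max <= u <= a_max
    """
    e = v - v_des
    a_v, b_v = 2.0 * e, -c * e * e
    hard = [
        (tau, (v_lead - v) + alpha * (D - tau * v)),  # CBF: keep the gap above tau*v (time headway tau)
        (1.0, a_max),                                 # acceleration limit
        (-1.0, a_max),                                # braking limit (-u <= a_max)
    ]
    return a_v, b_v, hard


def acc_input(v, D, v_lead, v_des, **kw):
    """Acceleration command chosen by the CLF-CBF QP for the given situation."""
    a_v, b_v, hard = acc_constraints(v, D, v_lead, v_des, **kw)
    return solve_clf_cbf_qp(a_v, b_v, hard)


if __name__ == "__main__":
    # Wants to speed up (20 -> 25 m/s) but a slower car 40 m ahead forces braking.
    print(acc_input(v=20.0, D=40.0, v_lead=15.0, v_des=25.0))    # -5/9 m/s^2 (brake)
    # Same wish, lead car 200 m ahead: the CLF gets its way (2500/1001 m/s^2, inside the 3 m/s^2 limit).
    print(acc_input(v=20.0, D=200.0, v_lead=15.0, v_des=25.0))
    # Far too close and too fast: even full braking violates the barrier, so the QP is infeasible.
    print(acc_input(v=30.0, D=10.0, v_lead=0.0, v_des=25.0))     # None
```

The third case is the caveat a practitioner should keep in mind: the barrier is only forward invariant from states where the QP is feasible under the actuator bounds, so the set the CBF protects has to be chosen with the braking limit in view.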


Proceedings ArticleDOI
15 Apr 2014
TL;DR: This work presents a method for state estimation in presence of attacks, for systems with noise and modeling errors, and describes how implementation issues such as jitter, latency and synchronization errors can be mapped into parameters of the state estimation procedure that describe modeling errors.
Abstract: The interaction between information technology and physical world makes Cyber-Physical Systems (CPS) vulnerable to malicious attacks beyond the standard cyber attacks. This has motivated the need for attack-resilient state estimation. Yet, the existing state-estimators are based on the non-realistic assumption that the exact system model is known. Consequently, in this work we present a method for state estimation in presence of attacks, for systems with noise and modeling errors. When the estimated states are used by a state-based feedback controller, we show that the attacker cannot destabilize the system by exploiting the difference between the model used for the state estimation and the real physical dynamics of the system. Furthermore, we describe how implementation issues such as jitter, latency and synchronization errors can be mapped into parameters of the state estimation procedure that describe modeling errors, and provide a bound on the state-estimation error caused by modeling errors. This enables mapping control performance requirements into real-time (i.e., timing related) specifications imposed on the underlying platform. Finally, we illustrate and experimentally evaluate this approach on an unmanned ground vehicle case-study.

252 citations


Journal ArticleDOI
TL;DR: This paper introduces a self- triggered strategy based on performance levels described by a quadratic discounted cost and shows quantitatively that the proposed scheme can outperform conventional periodic time-triggered solutions.

159 citations


Journal ArticleDOI
TL;DR: This paper considers three recently proposed aperiodic control algorithms which have the potential to address the wide deployment of wireless sensor and actuator networks in cyber-physical systems and shows how these controllers can be implemented over the IEEE 802.15.4 standard.
Abstract: Wide deployment of wireless sensor and actuator networks in cyber-physical systems requires systematic design tools to enable dynamic tradeoff of network resources and control performance. In this paper, we consider three recently proposed aperiodic control algorithms which have the potential to address this problem. By showing how these controllers can be implemented over the IEEE 802.15.4 standard, a practical wireless control system architecture with guaranteed closed-loop performance is detailed. Event-based predictive and hybrid sensor and actuator communication schemes are compared with respect to their capabilities and implementation complexity. A two double-tank laboratory experimental setup, mimicking some typical industrial process control loops, is used to demonstrate the applicability of the proposed approach. Experimental results show how the sensor communication adapts to the changing demands of the control loops and the network resources, allowing for lower energy consumption and efficient bandwidth utilization.

154 citations


Posted Content
TL;DR: A novel algorithm is presented that uses a satisfiability modulo theory approach to harness the complexity of secure state estimation and leverages results from formal methods over real numbers to provide guarantees on the soundness and completeness of the algorithm.
Abstract: We address the problem of detecting and mitigating the effect of malicious attacks to the sensors of a linear dynamical system. We develop a novel, efficient algorithm that uses a Satisfiability-Modulo-Theory approach to isolate the compromised sensors and estimate the system state despite the presence of the attack, thus harnessing the intrinsic combinatorial complexity of the problem. By leveraging results from formal methods over real numbers, we provide guarantees on the soundness and completeness of our algorithm. We then report simulation results to compare its runtime performance with alternative techniques. Finally, we demonstrate its application to the problem of controlling an unmanned ground vehicle.

149 citations


Journal ArticleDOI
TL;DR: Energy-based models derived from first principles that are not subject to hard-to-justify classical assumptions are used to derive intuitive conditions ensuring the transient stability of power systems with lossy transmission lines.
Abstract: During the normal operation of a power system, all the voltages and currents are sinusoids with a frequency of 60 Hz in America and parts of Asia or of 50 Hz in the rest of the world. Forcing all the currents and voltages to be sinusoids with the right frequency is one of the most important problems in power systems. This problem is known as the transient stability problem in the power systems literature. The classical models used to study transient stability are based on several implicit assumptions that are violated when transients occur. One such assumption is the use of phasors to study transients. While phasors require sinusoidal waveforms to be well defined, there is no guarantee that waveforms will remain sinusoidal during transients. In this paper, we use energy-based models derived from first principles that are not subject to hard-to-justify classical assumptions. In addition to eliminating assumptions that are known not to hold during transient stages, we derive intuitive conditions ensuring the transient stability of power systems with lossy transmission lines. Furthermore, the conditions for transient stability are compositional in the sense that one infers transient stability of a large power system by checking simple conditions for individual generators.

96 citations


Journal ArticleDOI
TL;DR: It is shown that the proposed notion of robustness captures two intuitive goals: bounded disturbances lead to bounded deviations from nominal behavior, and the effect of a sporadic disturbance disappears in finitely many steps.
Abstract: While the importance of robustness in engineering design is well accepted, it is less clear how to design cyber-physical systems (CPS) for robustness. With the objective of developing a robustness theory for CPS, we introduce a notion of robustness for cyber systems inspired by existing notions of input-output stability in control theory. We show that the proposed notion of robustness captures two intuitive goals: bounded disturbances lead to bounded deviations from nominal behavior, and the effect of a sporadic disturbance disappears in finitely many steps. For cyber systems modeled as finite-state transducers, the proposed notion of robustness can be verified in pseudo-polynomial time. The synthesis problem, consisting of designing a controller enforcing robustness, can also be solved in pseudo-polynomial time.

78 citations


Journal ArticleDOI
TL;DR: A novel solution to the minimum attention control problem for linear systems by interpreting ‘attention’ as the inverse of the interexecution time, and providing a technique to construct a suitable ∞-norm-based (extended) Lyapunov function.
Abstract: In this paper, we present a novel solution to the minimum attention control problem for linear systems. In minimum attention control, the objective is to minimise the 'attention' that a control task requires, given certain performance requirements. Here, we interpret 'attention' as the inverse of the interexecution time, i.e., the inverse of the time between two consecutive executions. Instrumental for our approach is a particular extension of the notion of a control Lyapunov function and the fact that we allow for only a finite number of possible interexecution times. By choosing this extended control Lyapunov function to be an ∞-norm-based function, the minimum attention control problem can be formulated as a linear program, which can be solved efficiently online. Furthermore, we provide a technique to construct a suitable ∞-norm-based (extended) control Lyapunov function. Finally, we illustrate the theory using a numerical example, which shows that minimum attention control outperforms an alternative 'attention-aware' control law available in the literature.

50 citations


Proceedings ArticleDOI
01 Dec 2014
TL;DR: This paper begins the process of synthesizing the control software module for adaptive cruise control from formal specifications given in Linear Temporal Logic, and will endow each interacting software module with an assume-guarantee specification stating under which environment assumptions the module is guaranteed to meet its specifications.
Abstract: A plethora of driver convenience and safety automation systems are being introduced into production vehicles, such as electronic stability control, adaptive cruise control, lane keeping, and obstacle avoidance. Assuring the seamless and safe integration of each new automation function with existing control functions is a major challenge for vehicle manufacturers. This challenge is compounded by having different suppliers providing software modules for different control functionalities. In this paper, we report on our preliminary steps to address this problem through a fresh perspective combining formal methods, control theory, and correct-by-construction software synthesis. In particular, we begin the process of synthesizing the control software module for adaptive cruise control from formal specifications given in Linear Temporal Logic. In the longer run, we will endow each interacting software module with an assume-guarantee specification stating under which environment assumptions the module is guaranteed to meet its specifications. These assume-guarantee specifications will then be used to formally prove correctness of the cyber-physical system obtained when the integrated modules interact with the physical dynamics.

46 citations


Journal ArticleDOI
TL;DR: The 18 papers in this special issue can be clustered into five areas: abstraction and verification; cyber-physical security; resource-constrained embedded and wireless control; event-based estimation and control; and applications.
Abstract: The 18 papers in this special issue can be clustered into five areas: abstraction and verification; cyber-physical security; resource-constrained embedded and wireless control; event-based estimation and control; and applications.

Journal ArticleDOI
TL;DR: This paper shows how to perform Kron reduction for a class of electrical networks, called homogeneous electrical networks, without steady state assumptions, and the reduced models can be used to analyze the transient as well as the steady state behavior of these electrical networks.

Proceedings ArticleDOI
01 Dec 2014
TL;DR: This work proposes an observer that recursively updates the state estimate as new measurements become available for linear systems whose sensor measurements are corrupted by a malicious attacker and shows that by utilizing event-triggered techniques the proposed observer is computationally more efficient than previously reported solutions to the secure state reconstruction problem.
Abstract: We consider the problem of designing a Luenberger-like observer for linear systems whose sensor measurements are corrupted by a malicious attacker. The attacker capabilities are limited in the sense that only a subset of all the sensors can be attacked although this subset is unknown. This leads to the problem of reconstructing the system state when the measurements are corrupted by sparse noise and we propose an observer that recursively updates the state estimate as new measurements become available. We show that by utilizing event-triggered techniques, the proposed observer is computationally more efficient than previously reported solutions to the secure state reconstruction problem.

Proceedings ArticleDOI
01 Dec 2014
TL;DR: It is shown that even when ρ out of a total 3ρ+1 observers are actively attacked, the state is still correctly estimated, and guarantees on the secrecy of the plant's state against corrupting observers are based on the Cramér-Rao lower bound from estimation theory.
Abstract: Motivated by the need to protect Cyber-Physical Systems against attacks, we consider in this paper the problem of estimating the state in a private and secure manner despite active adversary attacks; adversaries that can attack the software/hardware where state estimation is performed. To combat such threats, we propose an architecture where state estimation is performed across multiple computing nodes (observers). We then show that even when ρ out of a total 3ρ+1 observers are actively attacked: 1) using a combination of outputs from the observers, the state is still correctly estimated; 2) the physical plant is still correctly controlled; 3) the adversary can only obtain limited knowledge about the state. Our approach is inspired by techniques in cryptography for secure message transmission and information-theoretic secrecy. In addition, our guarantees on the secrecy of the plant's state against corrupting observers are based on the Cramér-Rao lower bound from estimation theory.
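The count "ρ of 3ρ+1" is the one that appears in the secure message transmission schemes the abstract cites as inspiration: a degree-ρ polynomial sharing of a value needs ρ+1 shares to reconstruct, reveals nothing to any ρ colluding nodes, and can still be decoded when ρ of the 3ρ+1 shares are arbitrarily corrupted, because two distinct degree-ρ polynomials can agree on at most ρ points. The block below is an added example that shows that arithmetic in its classical finite-field form; the paper's observers work over real-valued estimates with Cramér-Rao-based secrecy guarantees, so this is the underlying counting argument, not the paper's construction. The prime field, the polynomial coefficients and the corruptions are constructed for illustration.

```python
"""Why rho of 3*rho+1 nodes: degree-rho polynomial sharing in a toy prime field (added example)."""
from itertools import combinations

P = 101  # constructed toy prime field; the shared state is an integer mod P


def _eval(coeffs, x):
    """Evaluate sum_k coeffs[k] * x^k mod P."""
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P


def share_state(s, rho, random_coeffs):
    """Split s into 3*rho+1 shares (x, f(x)) of f(x) = s + a_1 x + ... + a_rho x^rho."""
    assert len(random_coeffs) == rho
    coeffs = [s % P] + [a % P for a in random_coeffs]
    return [(x, _eval(coeffs, x)) for x in range(1, 3 * rho + 2)]


def _interpolate(points):
    """Lagrange interpolation mod P: coefficients of the unique polynomial of degree < len(points)."""
    coeffs = [0] * len(points)
    for j, (xj, yj) in enumerate(points):
        basis, denom = [1], 1                       # build l_j(x) = prod_{m != j} (x - xm) / (xj - xm)
        for m, (xm, _) in enumerate(points):
            if m == j:
                continue
            new = [0] * (len(basis) + 1)            # multiply basis by (x - xm)
            for k, b in enumerate(basis):
                new[k] = (new[k] - xm * b) % P
                new[k + 1] = (new[k + 1] + b) % P
            basis = new
            denom = denom * (xj - xm) % P
        scale = yj * pow(denom, P - 2, P) % P       # Fermat inverse of the denominator
        for k, b in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * b) % P
    return coeffs


def consistent_secrets(observed_shares, rho):
    """All values s for which a degree-rho polynomial passes through (0, s) and the observed shares.
    With rho shares every s is possible (perfect secrecy); with rho+1 only the true one remains."""
    out = set()
    for s in range(P):
        coeffs = _interpolate([(0, s)] + list(observed_shares))
        if all(c == 0 for c in coeffs[rho + 1:]):   # interpolant has degree <= rho
            out.add(s)
    return out


def recover_state(shares, rho):
    """Decode 3*rho+1 shares of which at most rho are corrupted: find the degree-rho polynomial
    that agrees with at least 2*rho+1 shares (unique, since distinct ones share at most rho points)."""
    for subset in combinations(shares, rho + 1):
        coeffs = _interpolate(list(subset))
        if sum(_eval(coeffs, x) == y for x, y in shares) >= 2 * rho + 1:
            return coeffs[0]
    return None


def demo(rho=2, s=42):
    """Share s, corrupt rho observers, and return (secrets seen by rho nodes, by rho+1 nodes, decoded s)."""
    shares = share_state(s, rho, [17, 5])                  # constructed random coefficients
    corrupted = list(shares)
    for idx, shift in zip(range(1, 3 * rho + 1, 3)[:rho], (33, 60)):  # rho corrupted observers
        x, y = corrupted[idx]
        corrupted[idx] = (x, (y + shift) % P)
    return (consistent_secrets(shares[:rho], rho),
            consistent_secrets(shares[:rho + 1], rho),
            recover_state(corrupted, rho))


if __name__ == "__main__":
    seen_by_rho, seen_by_rho_plus_1, decoded = demo()
    print(len(seen_by_rho), seen_by_rho_plus_1, decoded)   # 101 {42} 42
```

The three numbers printed are the three guarantees in the abstract in miniature: ρ corrupted observers learn nothing (every secret is equally consistent), ρ+1 honest ones suffice to pin the state down, and the decoder still returns the right state when ρ of the 3ρ+1 reports are false.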

Proceedings ArticleDOI
15 Apr 2014
TL;DR: In this paper, the robustness of CPS is defined as the degree to which a system or component can function correctly in the presence of invalid inputs or stressful environment conditions, and robustness is defined in terms of input-output dynamical stability.
Abstract: According to the IEEE standard glossary of software engineering, robustness is the degree to which a system or component can function correctly in the presence of invalid inputs or stressful environment conditions. In this paper we present a design methodology for robust cyber-physical systems (CPS) based on a notion of robustness for CPS termed input-output dynamical stability. It captures two intuitive aims of a robust design: bounded disturbances have bounded consequences and the effect of sporadic disturbances disappears as time progresses. Our framework to synthesize robust CPS is based on an abstraction and refinement procedure, where the robust CPS is obtained through the refinement of a design for an abstraction of the concrete CPS. The soundness of the approach is ensured through the use of several novel notions of simulation relation introduced in this paper.

Posted Content
TL;DR: This work provides a framework that automatically synthesizes revisions to formal specifications that restrict the assumed behaviors of the environment and the behavior of the system, and provides a means for explaining such modifications to the user in a concise, easy-to-understand manner.
Abstract: The aim of this work is to address issues where formal specifications cannot be realized on a given dynamical system subjected to a changing environment. Such failures occur whenever the dynamics of the system restrict the robot in such a way that the environment may prevent the robot from progressing safely to its goals. We provide a framework that automatically synthesizes revisions to such specifications that restrict the assumed behaviors of the environment and the behaviors of the system. We provide a means for explaining such modifications to the user in a concise, easy-to-understand manner. Integral to the framework is a new algorithm for synthesizing controllers for reactive specifications that include a discrete representation of the robot's dynamics. The new approach is demonstrated with a complex task implemented using a unicycle model.

Proceedings ArticleDOI
01 Dec 2014
TL;DR: This paper introduces discounted input-output dynamical stability as a variant of a recently introduced notion of robustness for discrete and cyber-physical systems and provides an approximate solution to the synthesis problem whose complexity depends on the accuracy of the approximation.
Abstract: In this paper we introduce discounted input-output dynamical stability as a variant of a recently introduced notion of robustness for discrete and cyber-physical systems. We analyze the verification and synthesis problems for this new notion of robustness for discrete systems given by finite-state automata. We show that the verification problem can be solved in terms of a linear program and hence is solvable in polynomial time. We provide an approximate solution to the synthesis problem whose complexity depends on the accuracy of the approximation. We discuss the merits and drawbacks of discounted input-output dynamical stability in comparison with existing robustness concepts for discrete systems.