scispace - formally typeset

Proceedings ArticleDOI

A Sliding Mode Observer Approach for Attack Detection and Estimation in Autonomous Vehicle Platoons using Event Triggered Communication

01 Dec 2019-pp 5742-5747

TL;DR: Stability of the observer and robustness of the detection threshold in the case of event-triggered communication, following a realistic Vehicle-to-Vehicle network protocol are proved.

AbstractPlatoons of autonomous vehicles are being investigated as a way to increase road capacity and fuel efficiency. Cooperative Adaptive Cruise Control (CACC) is one approach to controlling platoons longitudinal dynamics, which requires wireless communication between vehicles. In the present paper we use a sliding mode observer to detect and estimate cyber-attacks threatening such wireless communication. In particular we prove stability of the observer and robustness of the detection threshold in the case of event-triggered communication, following a realistic Vehicle-to-Vehicle network protocol.

Summary (2 min read)

Introduction

  • The reliance of CACC platoons on inter-vehicle wireless communications, be it periodic or event-triggered [7]–[9], may expose them to the same kind of threats as other networked control systems or Cyber-Physical Systems (CPS), such as Denial of Service (DoS), routing, replay and stealthy data injection attacks (see [10], [11]).
  • While several works considered the case of event-triggered sliding mode control, such as [31]–[34], the present approach would be, to the best of the authors knowledge, the first contribution considering sliding mode observers for fault, or cyber-attack detection and estimation in systems where event–triggered communication is present.

A. Error Dynamics of a Platoon using CACC

  • In the present paper the authors will use the CACC formulation in [6] and its extension to event triggered communication introduced in [8], while the event-triggering condition will follow [22], [23].
  • Ei and the string-stability of the platoon have been analysed in [6] and [8].

B. Attack and communication-induced effects

  • The authors are not interested here in the actual implementation of the attack, for this, one can refer to [12]–[15].
  • (8) Here TL, TH and ∆yL ∈ R2 are user-designed parameters that define, respectively, the minimum and maximum intertriggering times, and the threshold for communication.
  • In summary, communication is triggered on changes in local measurements of car i−1 since the last communication.

III. SLIDING MODE OBSERVER

  • In this section a Sliding Mode Observer (SMO) for the dynamics Ei in eq. (5) is presented.
  • Both are chosen to they verify the hypothesis of Theorem 1, to guarantee the SMO stability.
  • This proof will only consider the upper bound of 1,i(t), the lower bound can be proved in a similar manner.

IV. ATTACK DETECTION THRESHOLDS

  • As a novel contribution, the authors are introducing two pairs of robust attack detection thresholds on νi,fil, which are guaranteed against false alarms, even in the presence of measurement uncertainties and event-triggered communication.
  • Each pair will comprise an upper and a lower bound on the values of νi,fil in non-attacked conditions.
  • The two pairs are termed One-Switch-Ahead (OSA) and Multiple-SwitchesAhead (MSA) thresholds, for reasons that will be apparent in next sections.
  • For brevity, the authors will derive only the upper bound of each threshold, which is of interest in the odd time intervals, as the lower bounds and the behaviour during even time intervals can be obtained via similar reasoning.

A. One-Switch-Ahead (OSA) Threshold

  • Let us consider the behaviour of νi,fil during the odd interval, [t2k t2k+1] .
  • This re-initialisation on the signal the threshold is attempting to bound leads to inconsistent detection.

B. Multiple-Switches-Ahead (MSA) Threshold

  • The MSA threshold is based on the possible behaviour of νfil over more than one switch ahead in time, after a hypothetical occurrence of the worst case behaviour considered for the OSA threshold.
  • Furthermore, ν̄i,fil,OSA(t2k) will only become the threshold if it is lower then the ν̄i,fil,MSA(t2k).

C. Threshold for Event Triggered Communication

  • In case of event triggered communication, ∆ui−1 includes both the attack φi, and the communication-induced effect ∆uC,i−1 as defined in Section II-B.
  • The proposed modification to the threshold will prevent this.
  • Just like the attack, the communication error affects the observer through the dynamics of 2,i, and thus the threshold through ̄2,i .
  • This worst case is when the maximum communication error ∆ūC,i−1 , ũi−1(τl) − ũi−1(τl−1) occurs constantly since the last communication.
  • This scenario is implemented by computing all the terms needed for the threshold, using ̄2,i where ∆ui−1 = ∆ūC,i−1 for every t2k in the period [τl−1 τl].

V. ATTACK ESTIMATE

  • In this section some preliminary results will be introduced toward the goal of estimating the attack term φ.
  • This approach is valid only for the case without measurement uncertainty and with continuous observer dynamics.

VI. SIMULATION RESULT

  • A CACC-controlled platoon of three vehicles using event triggered communication, equipped with the sliding mode observer presented in this paper, is implemented in Matlab/Simulink.
  • The parameters used in the simulation are shown in tables I and II.
  • The detection delays in these scenarios are 0.23 [s] and 0.6 [s], for the Continuous and Event triggered communication respectively.
  • This detection time is scenario specific and depends on many parameters, including the attack and noise magnitudes, and the observer design parameters.

VII. CONCLUDING REMARKS

  • Event-triggered Vehicle to Vehicle communication protocol based on the ETSI ITS G5 standard.
  • This is combined with an adaptive threshold that is robust against false detection.
  • This is done by combining the One-Switch-Ahead and the Multiple-SwitchesAhead thresholds.
  • A second theoretical result was provided regarding the stability of the SMO under measurement uncertainties and event-triggered communication.
  • Simulation results verified the expected behaviour and robustness of the proposed solution, and showed that attack estimation could be attained in practice also under non-ideal conditions.

Did you find this useful? Give us your feedback

...read more

Content maybe subject to copyright    Report

Delft University of Technology
A sliding mode observer approach for attack detection and estimation in Autonomous
Vehicle Platoons using event triggered communication
Keijzer, Twan; Ferrari, Riccardo M.G.
DOI
10.1109/CDC40024.2019.9029315
Publication date
2019
Document Version
Final published version
Published in
Proceedings 2019 IEEE 58th Conference on Decision and Control (CDC 2019)
Citation (APA)
Keijzer, T., & Ferrari, R. M. G. (2019). A sliding mode observer approach for attack detection and estimation
in Autonomous Vehicle Platoons using event triggered communication. In
Proceedings 2019 IEEE 58th
Conference on Decision and Control (CDC 2019)
(pp. 5742-5747). IEEE .
https://doi.org/10.1109/CDC40024.2019.9029315
Important note
To cite this publication, please use the final published version (if applicable).
Please check the document version above.
Copyright
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent
of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Takedown policy
Please contact us and provide details if you believe this document breaches copyrights.
We will remove access to the work immediately and investigate your claim.
This work is downloaded from Delft University of Technology.
For technical reasons the number of authors shown on this cover page is limited to a maximum of 10.

Green Open Access added to TU Delft Institutional Repository
'You share, we take care!' - Taverne project
https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher
is the copyright holder of this work and the author uses the
Dutch legislation to make this work public.

A Sliding Mode Observer Approach for Attack Detection and Estimation in
Autonomous Vehicle Platoons using Event Triggered Communication
Twan Keijzer
Delft Centre for Systems and Control
Delft University of Technology
t.keijzer@tudelft.nl
Riccardo M.G. Ferrari
Delft Centre for Systems and Control
Delft University of Technology
r.ferrari@tudelft.nl
Abstract Platoons of autonomous vehicles are being inves-
tigated as a way to increase road capacity and fuel efficiency.
Cooperative Adaptive Cruise Control (CACC) is one approach
to controlling platoons longitudinal dynamics, which requires
wireless communication between vehicles. In the present paper
we use a sliding mode observer to detect and estimate cyber-
attacks threatening such wireless communication. In particular
we prove stability of the observer and robustness of the de-
tection threshold in the case of event-triggered communication,
following a realistic Vehicle-to-Vehicle network protocol.
I. INTRODUCTION
Autonomous vehicle platoons and Cooperative Adaptive
Cruise Control (CACC) are topics that received significant
attention by researchers in recent years [1]–[6]. CACC
is a longitudinal cooperative control technique that allows
platoons, or strings, of autonomous vehicles to coordinate
themselves. The goal is to have vehicles in the platoon trav-
elling closer together than human drivers, or non-cooperative
control approaches like Adaptive Cruise Control, can. Ben-
efits of this lower inter-vehicle spacing include better fuel
efficiency and road utilization. Vehicles in a CACC platoon
measure relative position and velocity of the preceding
vehicle, and also communicate (see figure 1) in order to attain
string stability, which is an important property resulting in
dampening of velocity changes down the platoon [6].
Wireless communication!
ii+1 i-1
v v v
i
d
i-1 i+1
i+1 i-1
i
d
d
radar!
Fig. 1. CACC equipped string of vehicles. The V2V communication is
implemented wirelessly, and is subjected to a class of cyber attacks.
The reliance of CACC platoons on inter-vehicle wireless
communications, be it periodic or event-triggered [7]–[9],
may expose them to the same kind of threats as other
networked control systems or Cyber-Physical Systems (CPS),
such as Denial of Service (DoS), routing, replay and stealthy
data injection attacks (see [10], [11]). Indeed, vulnerabilities
of Vehicle-to-Vehicle (V2V) networks to cyber attacks have
been investigated in [12]–[15]. While CACC can provide
limited robustness to network induced effects such as random
packet losses (see [16], [17]), the case of a malicious
attacker targeting the (V2V) network should be addressed
by dedicated detection and fault-tolerant control methods.
While the case of faults in autonomous vehicles forma-
tions was addressed in [18] and [19] with an observer-
based approach, few works dealt with cyber-attacks. [20]
considered the problem of designing a model based observer
for detecting DoS attacks, which were characterised as an
equivalent time delay in the communication network.
In this paper we are going to extend some preliminary
results presented by the authors in [21], where a Sliding-
Mode Observer (SMO) was introduced for estimating false
data injection attacks. The contribution of the paper is
twofold: we prove the stability of the SMO under event-
triggered communication and less restrictive assumptions on
measurement uncertainties, and we introduce robust adaptive
attack detection thresholds for such a scenario. In particular,
we will assume the vehicle platoon is using a realistic event-
triggered communication protocol based on the current ETSI-
ITS G5 V2V communication standard [22], [23].
The use of sliding mode observers for fault detection
was pioneered by [24] and developed further by [25], [26],
amongst others. By monitoring the so-called equivalent out-
put injection (EOI), this method allows to estimate actuator
and sensor faults or, as in [21] and the present case, a false
data injection attack. Previous results considered continuous
communication, and did not derive an adaptive detection
threshold guaranteed to be robust against uncertainties or
communication-induced effects. The literature on fault detec-
tion for event-triggered systems, instead, includes works such
as [27]–[29], which are concerned with the simultaneous de-
sign of the triggering condition and the fault detector, while
[30] addressed the case of asynchronous communication and
packet loss for fault detection of networked control systems.
While several works considered the case of event-triggered
sliding mode control, such as [31]–[34], the present approach
would be, to the best of the authors knowledge, the first
contribution considering sliding mode observers for fault,
or cyber-attack detection and estimation in systems where
event–triggered communication is present.
The remainder of the paper is organized as follows.
Section II introduces event-triggered CACC for a vehicle
platoon and describes the attack and its effect on the platoon.
Section III presents the sliding mode observer and character-
izes its stability, and section IV presents the attack detection
threshold and provides theoretical results on its robustness.
Section V provides preliminary results on attack estimation.
In sections VI and VII, respectively, the simulation results,
and conclusion and future work are presented.
A. Notation
Throughout the paper, a notation such as x
i
will denote a
variable x pertaining to the i–th vehicle, while x
i,(j)
will
denote the j–th component of the vector x
i
.
2019 IEEE 58th Conference on Decision and Control (CDC)
Palais des Congrès et des Expositions Nice Acropolis
Nice, France, December 11-13, 2019
978-1-7281-1398-2/19/$31.00 ©2019 IEEE 5742
Authorized licensed use limited to: TU Delft Library. Downloaded on May 26,2021 at 08:25:06 UTC from IEEE Xplore. Restrictions apply.

II. PROBLEM FORMULATION
A. Error Dynamics of a Platoon using CACC
In the present paper we will use the CACC formulation
in [6] and its extension to event triggered communication
introduced in [8], while the event-triggering condition will
follow [22], [23]. We will consider a string of m N
homogeneous vehicles (see Figure 1), each modeled as
"
˙p
i
(t)
˙v
i
(t)
˙a
i
(t)
#
=
"
v
i
(t)
a
i
(t)
1
τ
(u
i
(t) a
i
(t))
#
, (1)
where p
i
(t), v
i
(t), a
i
(t) and u
i
(t) R are the position,
velocity, acceleration and the input of the i-th vehicle, re-
spectively; furthermore, τ represents the engine’s dynamics.
Each vehicle is assumed to measure its own local output y
i
,
[p
i
v
i
a
i
]
>
+ ξ
i
and, with its front radar, the relative output
y
i,i1
, [d
i
v
i
]
>
+ η
i
, where d
i
(t) , (p
i1
(t)p
i
(t)L)
is the inter-vehicle distance, L is the length of each vehicle,
v
i
, v
i1
v
i
is the relative velocity and ξ
i
and η
i
are
the measurement uncertainties affecting the vehicle sensors.
Assumption 1: For each i–th vehicle, the measurement
uncertainties ξ
i
and η
i
are unknown but they are upper
bounded by known quantities
¯
ξ
i
and ¯η
i
, i.e. |ξ
i,(j)
(t)|
¯
ξ
i,(j)
(t) and |η
i,(j)
(t)| ¯η
i,(j)
(t) for all j, and all t.
The objective of the i–th vehicle is to keep a desired inter-
vehicle distance d
r,i
using a constant time headway policy
d
r,i
(t) = r
i
+ hv
i
(t) , (2)
while making the relative velocity v
i
tend to zero in steady
state. in eq. (2) r
i
and h are the desired distance at stand still,
and the time headway between the vehicles respectively. [6]
Let us introduce the position error e
i
(t) , d
i
(t) d
r,i
(t)
and its time derivative ˙e
i
(t) = v
i
ha
i
(t). In [6], a CACC
control law is initially proposed in ideal conditions, as the
solution to the following equation
˙u
i
(t) =
1
h
[u
i
(t) + (k
p
e
i
(t) + k
d
˙e
i
(t)) + u
i1
(t)] . (3)
As can be seen from Eq. (3), the local control law depends
on measured quantities, such as the relative position and
velocity, which will be corrupted by noise. Furthermore,
the control law depends on the intended acceleration of the
preceding vehicle, u
i1
(t), which shall be received through
a wireless V2V communication network.
In this paper the presence of measurement uncertainties
and non-ideal communication are explicitly incorporated in
the control law giving
˙u
i
(t) =
1
h
h
u
i
(t) +
k
p
ˆe
i
(t) + k
d
ˆ
˙e
i
(t)
+ ˜u
i1
(t)
i
, (4)
where ˆe
i
, e
i
+η
i,(1)
i,(2)
,
ˆ
˙e
i
, ˙e
i
+η
i,(2)
i,(3)
, and
˜u
i1
(t) = u
i1
(t) + u
i1
(t) is the last received value of
u
i1
(t). u
i1
will be further defined in subsection II-B.
By following similar steps as in [6] and [21], we can write
the i–th vehicle error dynamics, under control law (4), as
E
i
:
˙x
e
i
(t) = A
e
x
e
i
(t) + B
e
ζ
i
(t)
y
e
i
(t) = C
e
x
e
i
(t) + D
e
ζ
i
(t)
, (5)
where C
e
= D
e
and the following quantities were introduced
A
e
,
"
0 1 0
0 0 1
k
p
τ
k
d
τ
1
τ
#
, B
e
,
"
0 0 0
0 0 0
k
p
τ
k
d
τ
1
τ
#
C
e
,
1 0
0 1
0 0
>
, x
e
i
,
"
e
i
(t)
˙e
i
(t)
¨e
i
(t)
#
, ζ
i
,
"
η
i,(1)
i,(2)
η
i,(2)
i,(3)
u
i1
(t)
#
(6)
The stability and performance of the error dynamics E
i
and
the string-stability of the platoon have been analysed in [6]
and [8]. As the present paper is concerned with the design
of a cyber-attack detection and estimation scheme, and not
the event-triggered CACC control scheme itself, for well-
posedness we will require the following
Assumption 2: Control law u
i
(Eq. (4)) and triggering
condition σ (Eq. (8)) are chosen such that, without cyber-
attacks and when Assumption 1 holds, E
i
is stable for each
vehicle i and string stability of the platoon is guaranteed.
B. Attack and communication-induced effects
In this paper, following [8], [22], [23], the transmission of
u
i1
is assumed to be event triggered. Furthermore a man-in-
the-middle attack on the transmitted u
i1
is considered. We
are not interested here in the actual implementation of the
attack, for this, one can refer to [12]–[15]. For the observer,
the effects of communication, u
i1,C
(t), and the attack,
φ
i
(t), will be combined in u
i1
(t) = u
i1,C
(t) + φ
i
(t).
The event-triggered communication causes a variable de-
lay in the signal received by car i, defined as
τ
0
= 0, τ
l+1
, inf {t τ
l
: σ = 1} , (7)
where τ
l
is the last transmission time, and σ is a triggering
condition based on the local measurements, y
i1
, in car i1:
σ , (t τ
l
T
H
(t τ
l
> T
L
j = {1, 2} : |y
i1,(j)
(τ
l
) y
i1,(j)
(t)| y
L,(j)
)).
(8)
Here T
L
, T
H
and y
L
R
2
are user-designed parameters
that define, respectively, the minimum and maximum inter-
triggering times, and the threshold for communication.
In summary, communication is triggered on changes in
local measurements of car i1 since the last communication.
This is combined with a minimum and maximum inter-
triggering time. The error introduced by the event-triggered
communication is denoted by u
i1,C
(t).
III. SLIDING MODE OBSERVER
In this section a Sliding Mode Observer (SMO) for the
dynamics E
i
in eq. (5) is presented. To this end, first the
change of variables z
1,i
=
h
x
e
i
,(1)
x
e
i
,(2)
i
, ζ
1,i
=
ζ
i,(1)
ζ
i,(2)
, z
2,i
=
x
e
i
,(3)
, b =
1
τ
is performed in order to separate the
measured and unknown states, giving:
h
˙z
1,i
˙z
2,i
i
=
h
A
11
A
12
A
21
A
22
ih
z
1,i
z
2,i
i
+
h
0
A
21
ζ
1,i
+ bu
i1
i
, (9)
y
e
i
= z
1,i
+ ζ
1,i
. (10)
An observer design is presented, in eqs. (11) and (12), to
make the states slide along
y,i
(t) = 0 even in the presence
of noise-, communication- and attack-induced effects.
ˆ
˙z
1,i
ˆ
˙z
2,i
=
h
A
11
A
12
A
21
A
22
ih
ˆz
1,i
ˆz
2,i
i
h
ν
i
0
i
(11)
5743
Authorized licensed use limited to: TU Delft Library. Downloaded on May 26,2021 at 08:25:06 UTC from IEEE Xplore. Restrictions apply.

ν
i
(t) = (A
11
+ P )
y,i
(t) + M
i
sgn(
y,i
(t)) (12)
Here M
i
is a positive constant, and P R
2×2
is a positive
definite matrix. Both are chosen to they verify the hypothesis
of Theorem 1, to guarantee the SMO stability. The observer
error dynamics can be written as in eqs. (13), (14).
1,i
(t) = ˆz
1,i
(t) z
1,i
(t)
2,i
(t) = ˆz
2,i
(t) z
2,i
(t)
y,i
(t) = ˆz
1,i
(t) (z
1,i
(t) + ζ
1,i
) =
1,i
(t) ζ
1,i
(13)
˙
i
(t) =
h
A
11
A
12
A
21
A
22
i
i
(t)
ν
i
(t)
A
21
ζ
1,i
(t) + bu
i1
(t)
(14)
Theorem 1:
1,i
(t), under the observer dynamics in (14),
can be bounded by ¯
1
=
¯
ζ if M
i
> |A
12
¯
2,i
| +
A
11
¯
ζ
.
Proof: This proof will only consider the upper bound of
1,i
(t), the lower bound can be proved in a similar manner. It
will be proven that if
1,i
>
¯
ζ, then ˙
1,i
< 0. This is sufficient
to prove
¯
ζ
1,i
t. First note that
1,i
>
¯
ζ implies
y,i
> 0,
so the first row of eq. (14) can be rewritten to
˙
1,i
= P (ζ
1,i
1,i
) + A
11
ζ
1,i
+ A
12
2,i
M
i
(15)
Substituting the condition on M
i
gives
˙
1,i
<P (ζ
1,i
1,i
) + (A
11
ζ
1,i
|A
11
¯
ζ|)
+ (A
12
2,i
|A
12
¯
2,i
|) 0
(16)
¯
ζ, ¯
2,i
and other bounds are proven in the appendix.
In this paper, as in [24] and subsequent works on SMO-
based fault estimation, the EOI, derived from ν
i
, will be
used for estimating attacks [24]. The EOI used here will be
obtained from the filter in eq. (17) [35].
ν
i,fil
=
K
s + K
ν
i
, (17)
where K > 0 is a design constant and s is the Laplace
domain complex variable.
IV. ATTACK DETECTION THRESHOLDS
As a novel contribution, we are introducing two pairs of
robust attack detection thresholds on ν
i,fil
, which are guar-
anteed against false alarms, even in the presence of mea-
surement uncertainties and event-triggered communication.
Each pair will comprise an upper and a lower bound on the
values of ν
i,fil
in non-attacked conditions. The two pairs
are termed One-Switch-Ahead (OSA) and Multiple-Switches-
Ahead (MSA) thresholds, for reasons that will be apparent
in next sections. For the sake of clarity, in Subsections IV-A
and IV-B we will assume there is no event-triggered com-
munication, i.e. u
i1,C
(t) = 0. The effects of its presence
on the thresholds will be illustrated in Subsection IV-C.
For the sake of notation, we will assume that the SMO is
initialized at time t
0
, and that sgn(
y,i
(t
0
)) = 1. This means
that between t
0
and the next switch at t
1
, and all following
odd intervals [t
2k
t
2k+1
], with k N, the discontinuous
term ν
i
and
y,i
(t) are positive, ν
i,fil
will be increasing, and
1,i
(t) will be decreasing. This is also shown in Figure 2.
Furthermore ν
i,fil
will be initialised at ν
i,fil
(t
0
) = 0 and we
will denote a threshold value calculated at t
k
by ¯ν
i,fil
(t
k
).
For brevity, we will derive only the upper bound of each
threshold, which is of interest in the odd time intervals, as the
lower bounds and the behaviour during even time intervals
can be obtained via similar reasoning.
A. One-Switch-Ahead (OSA) Threshold
Let us consider the behaviour of ν
i,fil
during the odd
interval, [t
2k
t
2k+1
] (see Figure 2a). By introducing, in eq.
(18), the upper bound ¯ν on ν
i
, the time domain solution to
(17) can be upper bounded during the interval as in eq. (19).
¯ν =
(A
11
+ P )(¯
1
+
¯
ζ)
+ M
i
(18)
ν
i,fil
(t) e
K(tt
2k
)
ν
i,fil
(t
2k
) + (1 e
K(tt
2k
)
)¯ν (19)
Remark 1: The right-hand side of eq. (19) is an upper
bound for ν
i,fil
(t). However, it can be easily proved that
the inequality in eq. (19) will also hold in case of an attack.
Therefore, it is not a valid threshold for attack detection.
Next, in eq. (19), the hypothetical maximum time between
switches
¯
t = max(t
2k+1
t
2k
) can be defined as an upper
bound for t. It will be shown in the following that this bound
can be exceeded in case of an attack, and therefore eq. 20
is a valid threshold for attack detection.
¯ν
i,fil,OSA
(t
2k
) = e
K
¯
t
ν
i,fil
(t
2k
) + (1 e
K
¯
t
)¯ν , (20)
¯
t corresponds to the longest time for which
y,i
=
1,i
ζ
1,i
can stay positive. This is the case when
1,i
decreases
from its maximum value, ¯
1
, to its minimum value, ¯
1
,
with a minimum rate ˙
1
= min(|˙
1,i
|). Note that, for this to
happen, ζ
1,i
<
1,i
during the whole time. This is visualised
in Figure 2b and results in the following expression for
¯
t
¯
t =
1
˙
1
(21)
The bounds, ¯
1
, ˙
1
, and
¯
ζ are derived in theorem 1, Appen-
dices A and C respectively, and shown in eqs. (22)-(24).
¯
1
=
¯
ζ =
¯η
i,(1)
+ h
¯
ξ
i,(2)
¯η
i,(2)
+ h
¯
ξ
i,(3)
(22)
˙
1
= |A
12
¯
2,i
| + M
i
(23)
¯
2,i
=
2,i,0
e
A
22
t
2A
21
¯
ζ bu
i1
A
22
(24)
One can see in eq. 24 that ¯
2,i
depends on the attack. The
threshold is designed assuming no attack, so u
i1
= 0.
Therefore, it is easy to check that if there is an attack,
2,i
can become bigger than ¯
2,i
(with u
i1
= 0). Therefore
eq. 20 is a valid threshold for attack detection.
At t
2(k+1)
this threshold needs to be recalculated using a
new initial value of ν
i,fil
(t
2(k+1)
), as illustrated in Figure 2.
This re-initialisation on the signal the threshold is attempting
to bound leads to inconsistent detection. Even though an
attack can cause detection between recalculations, it is also
dependent on the noise behaviour. As before, ζ
1,i
<
1,i
needs to hold during
¯
t for the threshold to be reached, and
even though this chance is non-zero in case of an attack, in
every period [t
2k
t
2k+1
] there is a large chance an attack
is not detected. Therefore in the next section a threshold is
designed that is not dependent on ν
i,fil
.
B. Multiple-Switches-Ahead (MSA) Threshold
The MSA threshold is based on the possible behaviour of ν
fil
over more than one switch ahead in time, after a hypothetical
occurrence of the worst case behaviour considered for the
OSA threshold.
5744
Authorized licensed use limited to: TU Delft Library. Downloaded on May 26,2021 at 08:25:06 UTC from IEEE Xplore. Restrictions apply.

Citations
More filters

Journal ArticleDOI
TL;DR: This paper analyzed the attacks that already targeted self-driving cars and extensively present potential cyber-attacks and their impacts on those cars along with their vulnerabilities and the possible mitigation strategies taken by the manufacturers and governments.
Abstract: Intelligent Traffic Systems (ITS) are currently evolving in the form of a cooperative ITS or connected vehicles. Both forms use the data communications between Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I/I2V) and other on-road entities, and are accelerating the adoption of self-driving cars. The development of cyber-physical systems containing advanced sensors, sub-systems, and smart driving assistance applications over the past decade is equipping unmanned aerial and road vehicles with autonomous decision-making capabilities. The level of autonomy depends upon the make-up and degree of sensor sophistication and the vehicle’s operational applications. As a result, self-driving cars are being compromised perceived as a serious threat. Therefore, analyzing the threats and attacks on self-driving cars and ITSs, and their corresponding countermeasures to reduce those threats and attacks are needed. For this reason, some survey papers compiling potential attacks on VANETs, ITSs and self-driving cars, and their detection mechanisms are available in the current literature. However, up to our knowledge, they have not covered the real attacks already happened in self-driving cars. To bridge this research gap, in this paper, we analyze the attacks that already targeted self-driving cars and extensively present potential cyber-attacks and their impacts on those cars along with their vulnerabilities. For recently reported attacks, we describe the possible mitigation strategies taken by the manufacturers and governments. This survey includes recent works on how a self-driving car can ensure resilient operation even under ongoing cyber-attack. We also provide further research directions to improve the security issues associated with self-driving cars.

4 citations


Cites background from "A Sliding Mode Observer Approach fo..."

  • ...Attack detection and resilient platooning operation are further investigated in [30], [31] [32]....

    [...]

  • ...Vehicle platooning is a great example of such research focus, where the platoon vehicles can detect a malicious member and take decisions without any input from the node under attack [27], [28] [29], [30] [31], [32]....

    [...]


Proceedings ArticleDOI
28 Jan 2021
TL;DR: A residual-based fault detection and exclusion (FDE) algorithm is developed to enhance the performance of the tightly coupled Global Navigation Satellite System (GNSS) and Inertial Navigation System (INS) system using Renyi divergence and its modification as the measure to evaluate whether there exists a fault in the system.
Abstract: In this paper, a residual-based fault detection and exclusion (FDE) algorithm is developed to enhance the performance of the tightly coupled Global Navigation Satellite System (GNSS) and Inertial Navigation System (INS) system. Specifically, Renyi divergence (RD) and its modification are introduced as the measure to evaluate the distance/divergence between the state estimate of propagation and update steps to indicate whether there exists a fault in the system. The properties of this indicator mechanism are discussed analytically in detail. An FDE algorithm is constructed based on this divergence measure. Appropriate methods to select the parameters of the proposed divergence measure to increase the probability of the fault detection and decrease the false alarm rate of the FDE algorithm are proposed. The results are demonstrated and validated in the Computer Aided Design of Aerospace Concepts (CADAC++) flight simulation platform.

3 citations


Journal ArticleDOI
01 Jan 2022
Abstract: This letter proposes a threat discrimination methodology for distinguishing between sensor replay attacks and sensor bias faults, based on the specially designed watermark integrated with adaptive estimation. For each threat type, a watermark is designed based on the changes that the threat imposes on the system. Threat discrimination conditions are rigorously investigated to characterize quantitatively the class of attacks and faults that can be discriminated by the proposed scheme. A simulation is presented to illustrate the effectiveness of our approach.

2 citations


Proceedings ArticleDOI
24 Oct 2020
Abstract: An autonomous vehicle platoon is a network of autonomous vehicles that communicate together to move in a desired way. One of the greatest threats to the operation of an autonomous vehicle platoon is the failure of either a physical component of a vehicle or a communication link between two vehicles. This failure affects the safety and stability of the autonomous vehicle platoon. Transmissibility-based health monitoring uses available sensor measurements for fault detection under unknown excitation and unknown dynamics of the network. After a fault is detected, a sliding mode controller is used to mitigate the fault. Different fault scenarios are considered including vehicle internal disturbances, cyber attacks, and communication delays. We apply the proposed approach to a bond graph model of the platoon and an experimental setup consisting of three autonomous robots.

1 citations


Posted Content
08 Apr 2021
Abstract: Platoons of autonomous vehicles are being investigated as a way to increase road capacity and fuel efficiency. Cooperative Adaptive Cruise Control (CACC) is an approach to achieve such platoons, in which vehicles collaborate using wireless communication. While this collaboration improves performance, it also makes the vehicles vulnerable to cyber-attacks. In this paper the performance of a sliding mode observer (SMO) based approach to cyber-attack detection is analysed, considering simultaneous attacks on the communication and local sensors. To this end, the considered cyber-attacks are divided into three classes for which relevant theoretical properties are proven. Furthermore, the harm that attacks within each of these classes can do to the system while avoiding detection is analysed based on simulation examples.

1 citations


References
More filters

Book
01 Feb 1992
TL;DR: The theory and practical application of Lyapunov's Theorem, a method for the Study of Non-linear High-Gain Systems, are studied.
Abstract: I. Mathematical Tools.- 1 Scope of the Theory of Sliding Modes.- 1 Shaping the Problem.- 2 Formalization of Sliding Mode Description.- 3 Sliding Modes in Control Systems.- 2 Mathematical Description of Motions on Discontinuity Boundaries.- 1 Regularization Problem.- 2 Equivalent Control Method.- 3 Regularization of Systems Linear with Respect to Control.- 4 Physical Meaning of the Equivalent Control.- 5 Stochastic Regularization.- 3 The Uniqueness Problems.- 1 Examples of Discontinuous Systems with Ambiguous Sliding Equations.- 1.1 Systems with Scalar Control.- 1.2 Systems Nonlinear with Respect to Vector-Valued Control.- 1.3 Example of Ambiguity in a System Linear with Respect to Control ..- 2 Minimal Convex Sets.- 3 Ambiguity in Systems Linear with Respect to Control.- 4 Stability of Sliding Modes.- 1 Problem Statement, Definitions, Necessary Conditions for Stability ..- 2 An Analog of Lyapunov's Theorem to Determine the Sliding Mode Domain.- 3 Piecewise Smooth Lyapunov Functions.- 4 Quadratic Forms Method.- 5 Systems with a Vector-Valued Control Hierarchy.- 6 The Finiteness of Lyapunov Functions in Discontinuous Dynamic Systems.- 5 Singularly Perturbed Discontinuous Systems.- 1 Separation of Motions in Singularly Perturbed Systems.- 2 Problem Statement for Systems with Discontinuous control.- 3 Sliding Modes in Singularly Perturbed Discontinuous Control Systems.- II. Design.- 6 Decoupling in Systems with Discontinuous Controls.- 1 Problem Statement.- 2 Invariant Transformations.- 3 Design Procedure.- 4 Reduction of the Control System Equations to a Regular Form.- 4.1 Single-Input Systems.- 4.2 Multiple-Input Systems.- 7 Eigenvalue Allocation.- 1 Controllability of Stationary Linear Systems.- 2 Canonical Controllability Form.- 3 Eigenvalue Allocation in Linear Systems. Stabilizability.- 4 Design of Discontinuity Surfaces.- 5 Stability of Sliding Modes.- 6 Estimation of Convergence to Sliding Manifold.- 8 Systems with Scalar Control.- 1 Design of Locally Stable Sliding Modes.- 2 Conditions of Sliding Mode Stability "in the Large".- 3 Design Procedure: An Example.- 4 Systems in the Canonical Form.- 9 Dynamic Optimization.- 1 Problem Statement.- 2 Observability, Detectability.- 3 Optimal Control in Linear Systems with Quadratic Criterion.- 4 Optimal Sliding Modes.- 5 Parametric Optimization.- 6 Optimization in Time-Varying Systems.- 10 Control of Linear Plants in the Presence of Disturbances.- 1 Problem Statement.- 2 Sliding Mode Invariance Conditions.- 3 Combined Systems.- 4 Invariant Systems Without Disturbance Measurements.- 5 Eigenvalue Allocation in Invariant System with Non-measurable Disturbances.- 11 Systems with High Gains and Discontinuous Controls.- 1 Decoupled Motion Systems.- 2 Linear Time-Invariant Systems.- 3 Equivalent Control Method for the Study of Non-linear High-Gain Systems.- 4 Concluding Remarks.- 12 Control of Distributed-Parameter Plants.- 1 Systems with Mobile Control.- 2 Design Based on the Lyapunov Method.- 3 Modal Control.- 4 Design of Distributed Control of Multi-Variable Heat Processes.- 13 Control Under Uncertainty Conditions.- 1 Design of Adaptive Systems with Reference Model.- 2 Identification with Piecewise-Continuous Dynamic Models.- 3 Method of Self-Optimization.- 14 State Observation and Filtering.- 1 The Luenberger Observer.- 2 Observer with Discontinuous Parameters.- 3 Sliding Modes in Systems with Asymptotic Observers.- 4 Quasi-Optimal Adaptive Filtering.- 15 Sliding Modes in Problems of Mathematical Programming.- 1 Problem Statement.- 2 Motion Equations and Necessary Existence Conditions for Sliding Mode.- 3 Gradient Procedures for Piecewise Smooth Function.- 4 Conditions for Penalty Function Existence. Convergence of Gradient Procedure.- 5 Design of Piecewise Smooth Penalty Function.- 6 Linearly Independent Constraints.- III. Applications.- 16 Manipulator Control System.- 1 Model of Robot Arm.- 2 Problem Statement.- 3 Design of Control.- 4 Design of Control System for a Two-joint Manipulator.- 5 Manipulator Simulation.- 6 Path Control.- 7 Conclusions.- 17 Sliding Modes in Control of Electric Motors.- 1 Problem Statement.- 2 Control of d. c. Motor.- 3 Control of Induction Motor.- 4 Control of Synchronous Motor.- 18 Examples.- 1 Electric Drives for Metal-cutting Machine Tools.- 2 Vehicle Control.- 3 Process Control.- 4 Other Applications.- References.

5,146 citations


Proceedings ArticleDOI
17 Jun 2008
TL;DR: This position paper identifies and defines the problem of secure control, investigates the defenses that information security and control theory can provide, and proposes a set of challenges that need to be addressed to improve the survivability of cyber-physical systems.
Abstract: In this position paper we investigate the security of cyber-physical systems. We (1) identify and define the problem of secure control, (2) investigate the defenses that information security and control theory can provide, and (3) propose a set of challenges that need to be addressed to improve the survivability of cyber-physical systems.

732 citations


"A Sliding Mode Observer Approach fo..." refers background in this paper

  • ...The reliance of CACC platoons on inter-vehicle wireless communications, be it periodic or event-triggered [7]–[9], may expose them to the same kind of threats as other networked control systems or Cyber-Physical Systems (CPS), such as Denial of Service (DoS), routing, replay and stealthy data injection attacks (see [10], [11])....

    [...]


Journal ArticleDOI
Abstract: Cyber-secure networked control is modeled, analyzed, and experimentally illustrated in this paper. An attack space defined by the adversary's model knowledge, disclosure, and disruption resources is introduced. Adversaries constrained by these resources are modeled for a networked control system architecture. It is shown that attack scenarios corresponding to denial-of-service, replay, zero-dynamics, and bias injection attacks on linear time-invariant systems can be analyzed using this framework. Furthermore, the attack policy for each scenario is described and the attack's impact is characterized using the concept of safe sets. An experimental setup based on a quadruple-tank process controlled over a wireless network is used to illustrate the attack scenarios, their consequences, and potential counter-measures.

673 citations


Dissertation
01 Jan 2002
TL;DR: A new method using Linear Matrix Inequalities is presented, which can robustly reconstruct faults in the presence of a class system of uncertainty, minimising the effect of the uncertainty on the fault reconstruction in an £ 2 sense.
Abstract: This thesis describes the use of a class of sliding mode observers for fault detection and iso­ lation purposes. Existing work has shown that the equivalent output error injection term as­ sociated with the sliding mode observer, which represents the average value of the nonlinear switched term (which induces and maintains the sliding motion), if properly scaled, yields ac­ curate reconstructions of actuator faults. Existing observer design methods generate a certain class of observer gains, but do not utilise all degrees of freedom. In this thesis, a new method, exploiting this freedom is presented. The method uses Linear Matrix Inequalities and is easily implementable using standard software packages. New methods for accurately reconstructing sensor faults are also presented where appropriate filtering of certain measurable signals yields a fictitious system in which the original sensor faults are treated as actuator faults. Using the principles of actuator fault reconstruction in the existing work, sliding mode observers can be designed for the fictitious system to accurately reconstruct the sensor faults. This improves on the previous work where effectively only the steady state components of the sensor faults could be reconstructed. A new method using Linear Matrix Inequalities is presented, to syn­ thesise observers which can robustly reconstruct faults in the presence of a class system of uncertainty, minimising the effect of the uncertainty on the fault reconstruction in an £ 2 sense. The robust fault reconstruction scheme is demonstrated by means of a case study, which is a nonlinear model of an aero-engine. System identification is used to obtain a linear model of the engine. An uncertainty representation is also obtained about which the observer is designed. The results from the case study show that the robust fault reconstruction scheme works and is effective.

625 citations


"A Sliding Mode Observer Approach fo..." refers methods in this paper

  • ...The use of sliding mode observers for fault detection was pioneered by [24] and developed further by [25], [26], amongst others....

    [...]

  • ...Furthermore, as νi is a discontinuous switching term, the EOI νi,fil will be used to estimate ∆ui−1 [24]....

    [...]

  • ...In this paper, as in [24] and subsequent works on SMObased fault estimation, the EOI, derived from νi, will be used for estimating attacks [24]....

    [...]


Journal ArticleDOI
TL;DR: This paper considers fault detection and estimation issues for a class of nonlinear systems with uncertainty, using an equivalent output error injection approach, and a particular design of sliding mode observer is presented for which the parameters can be obtained using LMI techniques.
Abstract: This paper considers fault detection and estimation issues for a class of nonlinear systems with uncertainty, using an equivalent output error injection approach. A particular design of sliding mode observer is presented for which the parameters can be obtained using LMI techniques. A fault estimation approach is presented to estimate the fault and the estimation error is dependent on the bounds on the uncertainty. For a special class of uncertainty, a fault reconstruction scheme is presented where the reconstructed signal can approximate the fault signal to any accuracy. The proposed fault estimation/reconstruction signals are only based on the available plant input/ouput information and can be calculated on-line. Finally, a simulation study on a robotic arm system is presented to show the effectiveness of the scheme.

472 citations


"A Sliding Mode Observer Approach fo..." refers methods in this paper

  • ...The use of sliding mode observers for fault detection was pioneered by [24] and developed further by [25], [26], amongst others....

    [...]