Model-free False Data Injection Attack in Networked Control Systems: A Feedback Optimization Approach

Against this backdrop, recent literature has proposed increasingly sophisticated FDI attacks, with the hope that understanding their workings would lead to the design of mitigative measures that improve the systems’ security [5, 6, 7, 8]. Among them, data-driven attack strategies – whereby an attack signal is designed solely relying on the available system’s measurements – have received growing attention. However, three critical issues deserve further consideration. First, many of the existing works tacitly assume that, while unknown, the underlying system follows a linear time invariant dynamics [9, 10, 11]. This significantly restricts the power of the adversary. Second, without any prior information about the system model, the ability that the adversary achieves its attack objective needs to be explored. It is conducive to analyzing the system’s vulnerability. Third, when the capability of the adversary is limited, e.g., the attack energy is limited [12], it is practical and promising to excavate the potential attack’s impact while achieving the malicious objective.

In this work, we tackle the aforementioned issues by proposing a novel data-driven FDI attack that, crucially, does not rely on prior information regarding the system’s model, and applies to general non-linear dynamics. Towards this goal, we leverage zeroth-order optimization methods, a class of optimization algorithms that do not necessitate the availability of the cost function’s gradient, but simply exploit function evaluations [13]. More specifically, we leverage zeroth-order optimization methods in the context of feedback optimization, where optimization algorithms are utilized as feedback controllers for dynamical systems [14]. These tools provide a new approach to design data-driven attacks.

In this work, we design a model-free FDI attack that does not rely on knowledge of the underlying dynamics and that applies to general linear and non-linear systems. Specifically, we aim at steering the output of an unknown dynamical system to a (maliciously chosen) trajectory, through the sole use of real-time measurements. We do so in the bounded attack model, where an upper bound on the energy of the injected signal is given. A comparison between the existing FDI attack strategies and our work is shown in Table I.

Compared to our conference version [15], we extend the proposed model-free attack strategy to systems with internal noise and explore its effects on the optimality of the obtained solutions. Moreover, we significantly expand upon the related work, motivation, performance analysis, and simulation results. The main contributions are summarized as follows.

• •

  We construct a zeroth-order feedback optimization framework for the design of an FDI attack strategy, where the adversary has limited capability and no prior information about the system model.

• •

  We propose a model-free attack scheme that drives the output of the system to a maliciously chosen trajectory. From a methodological standpoint, its novelty lies in directly updating the attack signal based on the objective function evaluations.

• •

  We theoretically characterize the solution’s optimality gap. Further, we analyze the impact of the attack signal’s dimension, of the iteration numbers, of the variance of the objective function, and of the convergence rate of the dynamical system on the optimality gap. Finally, we extend the proposed model-free attack scheme to noisy systems and derive an upper bound of the optimality gap.

The rest of the paper is organized as follows. Section II reviews the related works. Section III introduces the system and adversary model and formulates the FDI attack design problem. In Section IV, we design the proposed model-free attack strategy and analyze the optimality gap. Section V extends the model-free attack scheme to noisy systems. In Section VI, we analyze the design of stealthy attacks. Simulation results are presented in Section VII. Finally, we conclude our work in Section VIII.

Consider a discrete-time dynamical system

where $x_{k}\in\mathbb{R}^{n}$ is the system state at iteration $k$, $u_{k}\in\mathbb{R}^{m}$ is the system input, $y_{k}\in\mathbb{R}^{q}$ is the system output.

Consider that the adversary can compromise the stable system and manipulate the state $x_{k}$ arbitrarily and aims to steer the output value $y^{a}_{k}$ to its expected trajectory. The dynamical system under attack can be rewritten as

where the attack selection matrix $\Gamma\in\mathbb{R}^{n\times p}$ is defined as the non-zero columns of $\mathrm{diag}(\gamma_{1},\ldots,\gamma_{n})$ with the binary variable $\gamma_{i}=1$ if the $i$-th dimensional state is compromised, and $\theta_{k}\in\mathbb{R}^{p}$ is the injected false data. Then, we make the following assumption about the ability of the adversary.

Assumption 2 is common for energy-constrained adversaries [12], which means that the injected false data is bounded. With Assumptions 1 and 2, it is easy to obtain the following lemma to show that the compromised system (2) is still stable.

Additionally, the Lyapunov theorem presented in [21, Theorem 2.7] guarantees that there exist a Lyapunov function $V:\mathbb{R}^{n}\times\mathbb{R}^{m}\times\mathbb{R}^{p}\rightarrow\mathbb{R}$ and parameters $\alpha_{1},\alpha_{2},\alpha_{3}>0$ such that

Based on (3) and (4), the rate of the change in one step of the function value $V(x^{a},u,\theta)$ is denoted by

The smaller $\mu$ is, the faster the system converges to the steady state [22]. The formal interpretation of $\mu$ will be presented later in Lemma 4.

In this paper, we aim to design a completely model-free attack strategy, which is independent of the characteristics and parameters of the system model itself.

Herein, we consider that the adversary’s objective is to steer the output value $y^{a}_{k}$ to follow its expected malicious trajectory $\bar{y}_{k}$ as closely as possible. We also consider that the adversary has limited attack energy. Therefore, the total goal of adversaries is to reduce both the error between the true system output and expected trajectory and the consumed attack energy as much as possible. In addition, since our proposed attack strategy performs the optimization with the same objective function at each iteration $k$, we omit the subscript $k$ and formally formulate the problem as

where $y^{a}=h(u,\theta)$ is the steady-state map under attacks in (2) to guarantee the stability of the compromised system (2), $\bar{y}$ is the expected trajectory and $Q\in\mathbb{R}^{p\times p}$ is the positive definite weight matrix chosen by the adversary according to the tradeoff between the limited attack energy and tracking deviation $\|y^{a}-\bar{y}\|$. We also make a common assumption for the optimized objective function as follows.

The challenges of solving problem $\mathcal{P}_{1}$ come from two aspects. One is the nonlinearity of the system model. For the unknown nonlinear system model (2), it is hard to regress its critical system parameters. The other is how to use the compromised measurements to guide the output value to move along the desired trajectory while reducing the consumed attack energy as much as possible. Since $h(u,\theta)$ is unknown, it is difficult to directly obtain the gradients of the objective function with respect to the independent variable $\theta$ to solve problem $\mathcal{P}_{1}$.

The key idea of the zeroth-order optimization is to utilize the objective function evaluations to construct gradient estimates, thus avoiding using the gradients directly. We aim to construct the gradient estimates of the objective function to solve problem $\mathcal{P}_{1}$. Different from the traditional zeroth-order optimization framework for the design of the controller with non-manipulated measurements, our design focuses on utilizing the compromised measurements to design the attack signal in the original control systems with designed controllers. Herein, we mainly explore the model-free attack strategy without detector constraints and the attack design under detector constraints will be analyzed in Section VI.

The attack strategy design in this paper is inspired by the gradient estimates based on the residual feedback in [13].

For an objective function $\Phi(w):\mathbb{R}^{p}\rightarrow\mathbb{R}$, the gradient estimate proposed in [13] is

where $v_{k}$ and $v_{k-1}$ are independent random vectors selected uniformly from the unit sphere $\mathcal{S}_{p}\triangleq\{v_{k}\in\mathbb{R}^{p}:\|v_{k}\|=1\}$, i.e., $v_{k}\sim U(\mathcal{S}_{p})$ and $\delta>0$ is the smoothing parameter. Note that only a new objective function evaluation needs to be computed at each iteration in (7) because the objective value evaluated at the previous iteration $k-1$ is reused at the current iteration $k$.

According to [13, Lemma 5], $\hat{\nabla}\Phi(w_{k})$ in (7) is an unbiased estimate of the gradient of the smooth approximation $\Phi_{\delta}(w)$ for $\Phi(w)$ at $w_{k}$, where

The properties of $\Phi_{\delta}(w)$ are shown as follows.

From (9c), we know that $\Phi_{\delta}(w)$ is $\frac{Mp}{\delta}$-smooth, i.e., its gradient $\nabla\Phi_{\delta}(w)$ is $\frac{Mp}{\delta}$-Lipschitz continuous.

The proposed attack strategy iteratively updates attack inputs along the composite direction of the negative gradient estimates of the objective function and the projected gradients. Such a design only utilizes real-time measurements and thus makes the attack strategy intrinsically model-free.

We denote $\mathcal{U}$ as the constraint set in problem $\mathcal{P}_{1}$. With the zeroth-order optimization framework, the proposed model-free attack strategy can be divided into three steps and the schematic of the attack strategy design is shown in Fig.1.
Step $1$: Compute the gradient estimate $\tilde{\phi}_{k}$

where $v_{k}$ and $v_{k-1}$ are independent probing signals and follow the uniform distribution from the Euclidean unit sphere $\mathcal{S}_{p}$, i.e., $v_{k}\sim U(\mathcal{S}_{p})$. Since only the real-time measurements are available for the adversary and it is hard to directly compute the gradients of the objective function in problem $\mathcal{P}_{1}$, we first utilize the probing signal $v_{k}$ for measurements, which can be used to construct the objective function evaluations $\Phi(\theta_{k},y_{k+1}^{a})$ and $\Phi(\theta_{k-1},y_{k}^{a})$ at the current and previous iteration. Herein, the historic function evaluation $\Phi(\theta_{k-1},y^{a}_{k})$ is reused at iteration $k+1$. Then we compute the gradient estimates $\tilde{\phi}_{k}$ of the objective function by these evaluations with (10).
Step $2$: Update the obtained solution $w_{k+1}$

where $\Pi_{\mathcal{U}}[\cdot]$ is the projection onto constrained set $\mathcal{U}$, i.e., $\Pi_{\mathcal{U}}[l_{1}]\equiv\mathrm{arg}\min_{l_{2}\in\mathcal{U}}\|l_{1}-l_{2}\|$, and step-size $0<\eta<1$. To constrain the obtained solutions in the feasible region set by $\mathcal{U}$, we turn to the projected gradient descent method for updating the solution $w_{k+1}$ at iteration $k+1$ and solving the optimization problem $\mathcal{P}_{1}$ with constraints.
Step $3$: Update the attack signal $\theta_{k+1}$

Finally, the attack signal $\theta_{k+1}$ can be obtained by perturbing the solution $w_{k+1}$ with the probing signal $\delta v_{k+1}$.

Let $\Phi(\theta_{k})\triangleq\Phi(\theta_{k},h(u_{k},\theta_{k}))$. We use the optimality gap, i.e.,

to measure the optimality of the proposed attack strategy at $\theta_{k}$ where $\theta^{*}_{k}$ is the optimal solution at iteration $k$ and $\mathbb{E}_{v_{[k]}}$ is the expectation with respect to $v_{[k]}$ where $v_{[k]}\triangleq(v_{1},\ldots,v_{k})$.

Before we characterize (13), we provide the upper bounds of $\|w_{k+1}-w_{k+1}^{*}\|^{2}$ and $\|w_{k+1}-w_{k}\|^{2}$, and some supporting lemmas for auxiliary analysis. We have

where $(s.1)$ follows from the projection property [23, Lemma 2.4] and [24], i.e., for any $l_{1}\in\mathbb{R}^{p}$ and all $l_{2}\in\mathcal{U}$, we have $\|\Pi_{\mathcal{U}}[l_{1}]-l_{2}\|\leq\|l_{1}-l_{2}\|$, and $(s.2)$ follows the fact that $\|a-b\|^{2}\leq 2(\|a\|^{2}+\|b\|^{2})$. Similarly, we have

Note that we replace the steady output value $h(u_{k},\theta_{k})$ with the real-time output value $y^{a}_{k+1}$ to enter the closed-loop zeroth-order feedback optimization framework. It is unavoidable for the system to produce the error $e_{\Phi}(x^{a}_{k},\theta_{k})$, which is shown as

To derive the optimality gap (13), we first analyze the upper bound of the error $e_{\Phi}(x^{a}_{k},\theta_{k})$ and recursive inequalities of two critical variables, i.e., $\mathbb{E}_{v_{[k]}}[V(x^{a}_{k},u_{k},\theta_{k})]$ and $\mathbb{E}_{v_{[k]}}[\|\tilde{\phi}_{k}\|^{2}]$.

The proofs of Lemmas 3, 4 and 5 are shown in Appendix IX-A, IX-B and IX-C, respectively. Lemma 3 quantifies the close relationship between $\Phi(\theta_{k},y^{a}_{k+1})$ and $\Phi(\theta_{k},h(u_{k},\theta_{k}))$. Lemma 4 measures the proximity of the current state $x^{a}_{k}$ compared with the steady state $x^{a}_{ss}(u_{k},\theta_{k})$. Lemma 5 reflects the first order smoothness of the objective function evaluation $\Phi(\theta_{k},y^{a}_{k+1})$ at the solution $w_{k}$.

Next, we provide the following theorem to characterize the optimality of the obtained solutions. Note that $\Phi(\theta_{k})\triangleq\Phi(\theta_{k},h(u_{k},\theta_{k}))$. For simplicity, all the complexity results in this paper are presented in $\mathcal{O}$ notations.

Theorem 1 shows that the optimality gap is related to the dimension $p$ of the attack signal, the convergence rate $\mu$ of the system, and the iterations $T$. As the iterations $T$ increase gradually, the optimality gap decreases and it can even decay to zero as long as $T$ is large enough.

With noise $d_{k}$, the original system (2) can be rewritten as

where the injected false data $\theta_{k}$ satisfies Assumption 2 and the internal inherent noise $d_{k}\in\mathbb{R}^{r}$ is independent of the state $x_{k}$ and $\theta_{k}$ statistically. Herein, we consider the additive noise $d_{k}$, such as $f(x_{k}^{a},u_{k},d_{k})=f(x_{k}^{a},u_{k})+d_{k}$. Similar to Assumption 1, the above discrete-time system is stable with noise $d_{k}$ before the invasion of attacks, which can be guaranteed by [25, Theorem 2.2] if $d_{k}$ follows a standard Wiener process, i.e., the stochastic noise has zero mean and time-varying covariance. Let $\Phi(\theta,y^{a},d)=\|y^{a,d}-\bar{y}\|+\theta^{\mathrm{T}}Q\theta$. In this case, the optimization problem becomes

where $y^{a,d}=h(u,\theta,d)$ is the steady-state map under attacks in (21) to guarantee the stability of the compromised system. Let $\tilde{\Phi}(\theta)\triangleq\mathbb{E}_{d}[\Phi(\theta,y^{a},d)]$. Then, we provide the following assumptions for the objective function $\Phi(\theta,y^{a},d)$.

Assumption 5 provides a bounded variance of the objective function in the stochastic setting, which also implies that $\mathbb{E}_{d}[(\Phi(\theta,y^{a},d_{01})-\Phi(\theta,y^{a},d_{02}))^{2}]\leq 4\sigma^{2}$ [13]. In Assumption 6, the Lipschitz constants in the noisy system are constrained to be not larger than that in the noiseless system.

Moreover, the following lemma reveals that the compromised system (21) can still be stable in spite of the process and measurement noises and the noises do not influence the Lipschitz constant of the steady-state map.

With the zeroth-order optimization framework, the model-free attack strategy under the discrete-time system with noise $d_{k}$ is designed as

where $d_{k}$ and $d_{k-1}$ are independent random noises that are sampled at iterations $k$ and $k-1$, respectively. Different from (10), the existence of noise will also affect the objective function value. Moreover, the function value is not repeatable at different iterations and it is hard to store the noise value at each iteration for computing the function value. Thus, at iteration $k$, only one evaluation is possible. In other words, compared to (10), it takes the residual of objective function evaluations between two consecutive stochastic feedback points.

With the noise $d_{k}$, the following lemma provides the upper bound of $\mathbb{E}_{v_{[k]}}[V(x^{a}_{k},u_{k},\theta_{k},d_{k})]$ and $\mathbb{E}_{v_{[k]}}[\|\tilde{\phi}_{k}\|^{2}]$ in this stochastic setting.

The proofs of Lemmas 7 and 8 are shown in Appendix IX-E and IX-F, respectively. Different from Lemmas 4 and 5, the internal inherent noise leads to an additional term $16c_{2}\sigma^{2}$ and $\frac{24p^{2}\sigma^{2}}{\delta^{2}}$, respectively.

Next, we show the following theorem to characterize the effects of noise $d_{k}$ on the optimality of the obtained solutions.