skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Variable Window and Deadline-Aware Sensor Attack Detector for Automotive CPS
Cyber-physical systems (CPS) are susceptible to physical attacks, and researchers are exploring ways to detect them. One method involves monitoring the system for a set duration, known as the time-window, and identifying residual errors that exceed a predetermined threshold. However, this approach means that any sensor attack alert can only be triggered after the time-window has elapsed. The length of the time-window affects the detection delay and the likelihood of false alarms, with a shorter time-window leading to quicker detection but a higher false positive rate, and a longer time-window resulting in slower detection but a lower false positive rate. While researchers aim to choose a fixed time-window that balances a low false positive rate and short detection delay, this goal is difficult to attain due to a trade-off between the two. An alternative solution proposed in this paper is to have a variable time-window that can adapt based on the current state of the CPS. For instance, if the CPS is heading towards an unsafe state, it is more crucial to reduce the detection delay (by decreasing the time-window) rather than reducing the false alarm rate, and vice versa. The paper presents a sensor attack detection framework that dynamically adjusts the time-window, enabling attack alerts to be triggered before the system enters dangerous regions, ensuring timely detection. This framework consists of three components: attack detector, state predictor, and window adaptor. We have evaluated our work using real-world data, and the results demonstrate that our solution improves the usability and timeliness of time-window-based attack detectors.  more » « less
Award ID(s):
2143256
PAR ID:
10424741
Author(s) / Creator(s):
; ;
Date Published:
Journal Name:
26th International Symposium On Real-Time Distributed Computing (ISORC)
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; (, CIGRE D2 Colloquium, Helsinki, Finland)
    In this paper, a signature-based Intrusion Detection System (IDS) is developed to detect cyber intrusions of a distribution system with a high level penetration of solar energy. To identify cyberattack events, an attack table is constructed based on the Temporal Failure Propagation Graph (TFPG) technique. It includes the information of potential cyberattack patterns in terms of attack types and time sequence of anomaly events. Once the detected anomaly events are matched with any of the predefined attack patterns, it is judged to be a cyberattack. Since the attack patterns are distinguishable from other system failures, it reduces the false positive rate. To study the impact of cyberattacks on solar devices and validate the performance of the proposed IDS, a realistic Cyber-Physical System (CPS) simulation environment available at Virginia Tech (VT) is used to develop an interconnection between the cyber and power system models. The CPS model demonstrates how communication system anomalies can impact the physical system. The results of two example cyberattack test cases are obtained with the IEEE 13 node test feeder system and the power system simulator, DIgSILENT PowerFactory. 
    more » « less
  2. ; ; (, IISE Transactions)
    Cyber-physical systems (CPS) have been increasingly attacked by hackers. CPS are especially vulnerable to attackers that have full knowledge of the system's configuration. Therefore, novel anomaly detection algorithms in the presence of a knowledgeable adversary need to be developed. However, this research is still in its infancy due to limited attack data availability and test beds. By proposing a holistic attack modeling framework, we aim to show the vulnerability of existing detection algorithms and provide a basis for novel sensor-based cyber-attack detection. Stealthy Attack GEneration (SAGE) for CPS serves as a tool for cyber-risk assessment of existing systems and detection algorithms for practitioners and researchers alike. Stealthy attacks are characterized by malicious injections into the CPS through input, output, or both, which produce bounded changes in the detection residue. By using the SAGE framework, we generate stealthy attacks to achieve three objectives: (i) Maximize damage, (ii) Avoid detection, and (iii) Minimize the attack cost. Additionally, an attacker needs to adhere to the physical principles in a CPS (objective iv). The goal of SAGE is to model worst-case attacks, where we assume limited information asymmetries between attackers and defenders (e.g., insider knowledge of the attacker). Those worst-case attacks are the hardest to detect, but common in practice and allow understanding of the maximum conceivable damage. We propose an efficient solution procedure for the novel SAGE optimization problem. The SAGE framework is illustrated in three case studies. Those case studies serve as modeling guidelines for the development of novel attack detection algorithms and comprehensive cyber-physical risk assessment of CPS. The results show that SAGE attacks can cause severe damage to a CPS, while only changing the input control signals minimally. This avoids detection and keeps the cost of an attack low. This highlights the need for more advanced detection algorithms and novel research in cyber-physical security. 
    more » « less
  3. ; ; ; ; ; (, ACM Transactions on Embedded Computing Systems)
    The increasing autonomy and connectivity in cyber-physical systems (CPS) come with new security vulnerabilities that are easily exploitable by malicious attackers to spoof a system to perform dangerous actions. While the vast majority of existing works focus on attack prevention and detection, the key question is “what to do after detecting an attack?”. This problem attracts fairly rare attention though its significance is emphasized by the need to mitigate or even eliminate attack impacts on a system. In this article, we study this attack response problem and propose novel real-time recovery for securing CPS. First, this work’s core component is a recovery control calculator using a Linear-Quadratic Regulator (LQR) with timing and safety constraints. This component can smoothly steer back a physical system under control to a target state set before a safe deadline and maintain the system state in the set once it is driven to it. We further propose an Alternating Direction Method of Multipliers (ADMM) based algorithm that can fast solve the LQR-based recovery problem. Second, supporting components for the attack recovery computation include a checkpointer, a state reconstructor, and a deadline estimator. To realize these components respectively, we propose (i) a sliding-window-based checkpointing protocol that governs sufficient trustworthy data, (ii) a state reconstruction approach that uses the checkpointed data to estimate the current system state, and (iii) a reachability-based approach to conservatively estimate a safe deadline. Finally, we implement our approach and demonstrate its effectiveness in dealing with totally 15 experimental scenarios which are designed based on 5 CPS simulators and 3 types of sensor attacks. 
    more » « less
  4. ; ; ; (, IEEE Real-Time Systems Symposium (RTSS))
    While many research efforts on Cyber-Physical System (CPS) security are devoted to attack detection, how to respond to the detected attacks receives little attention. Attack response is essential since serious consequences can be caused if CPS continues to act on the compromised data by the attacks. In this work, we aim at the response to sensor attacks and adapt machine learning techniques to recover CPSs from such attacks. There are, however, several major challenges. i) Cumulative error. Recovery needs to estimate the current state of a physical system (e.g., the speed of a vehicle) in order to know if the system has been driven to a certain state. However, the estimation error accumulates over time in presence of compromised sensors. ii) Timely response. A fast response is needed since slow recovery not only comes with large estimation errors but also may be too late to avoid irreparable consequences. To address these challenges, we propose a novel learning-based solution, named sequence-predictive recovery (or SeqRec). To reduce the estimation error, SeqRec designs the first sequence-to-sequence (Seq2Seq) model to uncover the temporal and spatial dependencies among sensors and control demands, and then uses the model to estimate system states using the trustworthy data logged in history. To achieve an adequate and fast recovery, SeqRec designs the second Seq2Seq model that considers both the current time step using the remaining intact sensors and the future time steps based on a given target state, and embeds the model into a novel recovery control algorithm to drive a physical system back to that state. Experimental results demonstrate that SeqRec can effectively and efficiently recover CPSs from sensor attacks. 
    more » « less
  5. ; ; ; (, IEEE Real-Time Systems Symposium (RTSS))
    In Cyber-Physical Systems (CPS), sensor data integrity is crucial since acting on malicious sensor data can cause serious consequences, given the tight coupling between cyber components and physical systems. While extensive works focus on sensor attack detection, attack diagnosis that aims to find out when the attack starts has not been well studied yet. This temporal sensor attack diagnosis problem is equally important because many recovery methods rely on the accurate determination of trustworthy historical data. To address this problem, we propose a lightweight data-driven solution to achieve real-time sensor attack diagnosis. Our novel solution consists of five modules, with the attention and diagnosis ones as the core. The attention module not only helps accurately predict future sensor measurements but also computes statistical attention scores for the diagnosis module. Based on our unique observation that the score fluctuates sharply once an attack launches, the diagnosis module determines the onset of an attack through monitoring the fluctuation. Evaluated on high-dimensional high-fidelity simulators and a testbed, our solution demonstrates robust and accurate temporal diagnosis results while incurring millisecond-level computational overhead on Raspberry Pi. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email