The Cyber Physical System (CPS) integrates physical components such as sensors and actuators and software components such as application and communication software. Most of the infrastructures that support our lives such as the smart grid, autonomous automotive systems, and robotic systems are typical examples of CPS. In this study, as one of the countermeasures against GPS spoofing, which is one of the most popular sensor attacks, a Secure State Estimation (SSE) is discussed.
GPS spoofing misleads the position and time of the GPS receiver by manipulating sensor readings from satellites or GPS receivers. In particular, the attacks that the attacker inserts into the sensor readings can be arbitrary and are not assumed to follow a specific model. Nevertheless, the developed SSE algorithm makes it possible to accurately estimate the position of the GPS receiver even if some sensor measurements on the GPS system are corrupted by a hostile attacker.
In addition, to help readers better understand the necessity for SSE, a description of Compressed Sensing (CS), which is the origin of the SSE problem will also be covered in advance. Finally, by simulating the demonstration of the GPS spoofing attack on the GPS receiver of the unmanned aerial vehicle (UAV) and its protection with SSE, it can be ensured that SSE can be a promising countermeasure against the GPS spoofing attack.
Background of Secure State Estimation(SSE)
Therefore, several strategies have been proposed to address this combinatorial aspect, such as convex relaxation [9,10] and search space reduction [11,12]. Moreover, a projected gradient descent algorithm is introduced to achieve convex relaxation to make the SSE algorithm more implementable on computationally limited platforms [10]. In [11], a satisfiability modulo theory (SMT) is introduced to reduce the search space by finding a small conflicting sensor set.
Research Objective and Contributions
In principle, SSE can be formulated as an optimization problem [8] known as the NP-hard problem. This is due to the combinatorial property of the attack identification problem, which makes solutions require a lot of computational costs. Although there have been many detection algorithms for detecting spurious GPS signals [15] using Doppler shift and signal-to-noise ratio (SNR), these detection mechanisms only defend the cases before GPS signals are corrupted by a malicious attacker.
This study will present a novel solution to solve the problems after the GPS signals are corrupted by an adversary, using L1/Lroptimization leverage [9], which is one of the methodologies to solve the SSE problem. Since it is possible to mathematically model the situation where pseudoranges are attacked into the SSE problem, L1/Lroptimization can be a new solution against GPS spoofing attacks. In addition, L1/Lroptimization can be used in real-time, as this optimization can be converted to linear programming, which has already been proven for use in an on-board computing environment.
Through the numerical simulation of GPS spoofing attack on Unmanned Aerial Vehicle (UAV) and its defense with L1/Lr optimization, it is proved that a new L1/Lr optimization solution is creditable against GPS spoofing attack in real time.
Outline of the study
Notation
Dynamics and Attack Model
By combining all the sensor measurement equations, we get the following τ-time folded rearranged measurement equation.
Problem Formulation
Condition for Unique Solution of SSE
The linear control system defined by (4) is said to be 2s sparsely observable if for every setΓ⊆ {1, ..,p}with|Γ|=2s, the pair(A,CΓ) is observable. A pair(x(t−τ+1),E) which is the solution to the SSE problem is unique if the linear system satisfies the 2s-sparse observable condition. To prove it by contradiction, we assume that there is another pair solution(x′(t−τ+1),E′) except(x(t−τ+1),E)and the linear system satisfies 2s- save mode.
Conversely, if the linear system does not satisfy 2s-sparse observable condition while |Γ| is at most 2s, then there exists a nonzero vector vso that v∈kerOΓ. We can now define E by setting its first blockEi equal to Oi(x′(t−τ+1)−x(t−τ+1))ifi∈Γ1and zero otherwise. Similarly, we define E′ by setting its first blockEi′ equal to Oi(x(t−τ+1)−x′(t−τ+1))ifi∈Γ2and zero otherwise.
Compressed Sensing - the Origin of Secure State Estimation
Condition for Unique Solution of Sparse Signal Recovery in CS
Methodologies to Reconstruct Sparse Signal in CS
In the CS literature, the basic methodology to reconstruct the sparse signal is to find the sparsest vectorE(t) that can explain Y(t) =FE(t) (11). The reason why the sparsest vector can be the unique solution for reconstructing the sparse signal problem in CS is due to the uncertainty principle [17]. Moreover, the sparse signal E(t) can also be estimated by the iterative algorithms such as orthogonal matching pursuit [18].
The next steps in the algorithm window show how the OMP approaches the solution of (14) by iteration in detail. The reason why the name of Algorithm 1 implies orthogonal is because the solution in each step is chosen such that the new residual r is orthogonal to all chosen columns in the matrix F. On the other hand, since E equals Y−Ox (t−τ+1) according to the relation (7), the above minimization problem can also be formulated as follows in the SSE literature.
Although all these methods can be applied to solve the SSE problem, the relaxation method, which is also called Basis Pursuit[19], is chosen in this study for its reliability. That is, in order to counter GPS spoofing attacks, the countermeasure algorithm must be guaranteed in real time. Since the minimization problem can be easily converted to linear programming, which has already been proven to be used as a real-time algorithm [20], it can be the most reliable algorithm in practice than any other methodology.
To use l1-minimization in the SSE problem, the linear system (4) should obviously satisfy a stricter condition than the 2s-sparse observable condition. In this study, since the GPS system has satisfied the strict condition, it will be addressed from the next chapter how to formulate the GPS spoofing problem into SSE problem and solve it with minimization. In this chapter, the GPS system's basic components and operating principle will first be explained.
Finally, it will be described how the GPS spoofing problem can be formulated as an SSE problem.
Global Positioning System(GPS)
First, the ephemeris data contains the trajectory information of GPS satellites, as shown in Figure 7. This information is used by the GPS receiver to estimate the location of GPS satellites, which should be a prerequisite for accurate pseudoranges. The cross-correlation between the replica of the code and the incoming code in the GPS receiver provides the signal delay that is directly used to calculate psedu-oranges.
Estimation for Position and Clock Bias of GPS Receiver
GPS Spoofing
The limitation of the existing methods for detecting a spoof attack is that they depend entirely on the designed threshold, which should also be different depending on the performance of the GPS receiver. To compensate for these limitations, in this study, the GPS spoofing attack is handled by the SSE algorithm.
SSE against GPS Spoofing Attack
By adding up each pseudo-orange delta for all satellites, we can derive the following equation. Since only some satellites can be attacked in the real physical world, a∈RK (K is the total number of satellites) can be a rare attack vector. We can restore x∈R4 with respect to G∈RK×4 and δ ρa∈RK through optimization l1, which is one of the SSE algorithms that provides real-time operation [26].
One simulates the static status of the GPS receiver when the UAV is hovering and the other simulates the dynamic situation of the GPS receiver when the UAV follows waypoints. In addition, regarding the attack vector, one simulates the situation when the constant attack is injected into the pseudorange measurement and the other simulates the situation when the ramp attack is injected into the pseudorange measurement. Finally, the limitation of the SSE algorithm is shown through the scenario according to the number of attacked channels.
GPS Spoofing Attack on UAV(Unmanned Aerial Vehicle)
The first scenario simulates a GPS spoofing attack situation when the receiver is in static and dynamic states. Both static and dynamic receiver SSE estimates are shown to be nearly identical to estimates from normal operation without sensor attack. The second scenario simulates a GPS spoofing attack situation based on the type of attack.
Because the attack vector estimate is very similar to the actual attack vector, the position estimate with SSE is also very similar to the estimate in normal operation without sensor attack. As shown in Figure 20, if the number of channels attacked is less than or equal to 3, the position estimation error is less than or 2.1302 [m], which means that the estimation performance of SSE is almost equal to the estimation of normal operation. In particular, after formulating a GPS spoofing attack scenario in an SSE problem, we prove that l1 minimization, the kind of convex relaxation method, is useful through several numerical simulations on UAV systems.
Moura, “Optimal Attack Strategies Subject to Detection Constraints of Cyber-Physical Systems,” IEEE Transactions on Control of Network Systems, vol. Bullo, “Attack Detection and Identification in Cyber-Physical Systems,” IEEE Transactions on Automatic Control, vol. Diggavi, “Secure estimation and control for cyber-physical systems under adversarial attacks,” IEEE Transactions on Automatic Control, vol.
Tabuada, “Event-triggered state observers for sparse sensor noise/attacks,” IEEE Transactions on Automatic Control, vol. Secure state estimation for cyber-physical systems under sensor attacks: A satisfiability module theory approach," IEEE Transactions on Automatic Control, vol. Eun, "On excess observability: From security index to attack detection and elastic state estimation," IEEE Transactions on Automatic Control, vol.
Kaabouch, “Detection of GPS spoofing attacks on unmanned aerial systems,” in 2019 16th IEEE Annual Consumer Communications & Networking Conference (CCNC). Gilbert, “Signal recovery from random measurements via orthogonal matching pursuit,” IEEE Transactions on Information Theory, vol. Capkun, “On the Requirements for Successful GPS Spoofing Attacks,” in Proceedings of the 18th ACM Conference on Computer and Communications Security, 2011, pp.
