Stochastic DoS Attack Allocation Against Collaborative Estimation in Sensor Networks

I. Introduction

WIRELESS sensor networks (WSNs), which are interconnected by a large number of cooperative wireless sensor nodes, have been extensively applied in many areas [1]. The optimal estimation algorithms based on minimum mean square error, such as Kalman filtering and information filtering, are often used in WSN state estimation for obtaining accurate estimate [2]–[7]. However, due to the wireless communication characteristics of WSNs, attackers can easily monitor the channels in the task domain of the network, inject bitstream into the channel, and replay the previously captured packets [8]–[10]. It is important to conduct in-depth research on attacks in sensor networks.

The research on state estimation of networks under attacks can be classified into two categories: one is secure estimation against attacks, the other is to place the attacks from the standpoint of attackers. Secure estimation in centralized or distributed networks has been studied preliminarily. Chi-square detection and Euclidean detector were used to detect data anomalies caused by attacks [11]–[14]. Scheduling strategies including event triggering strategies were proposed out to mitigate the impact of attacks [15]–[17]. K-means algorithm for classifying trust nodes had also been studied [18]. In [19], a distributed secure estimation problem on GE F404 engine was researched. An efficient distributed resilient estimator and attack detection mechanism for sensor networks under deception attacks on both the system dynamics and sensor intercommunication links were proposed in [20]. A distributed finite-time filter was proposed for discrete time positive systems in sensor networks under random deception attacks [21]. Du et al. [22] studied distributed state estimation problem under deception attacks and denial of service (DoS) attacks, and proposed a novel alternating direction method of multipliers (ADMM)-based distributed state estimation method.

How to allocate attacks is another hot topic [23]–[29]. DoS attacks can cause network congestion and packet losses, which makes the remote estimator difficult to obtain uniformly bounded state estimation errors in the network. Qin et al. [23] studied the optimal attack scheduling scheme of the energy-constrained attacker in packet-dropping networks. The corresponding time-centralized attack strategies were given to maximize the trace of the average estimation error and the terminal estimation error. Similarly, using the Markov decision process, Ding et al. [24] proposed a two-player zero-sum stochastic game framework to investigate such a situation: sensors need to select a single channel to send data packets and reduce the possibility of being attacked; at the same time, attackers need to determine the attacked channel under the constraints of energy budget. Cao et al. [25] proposed a probabilistic DoS attack scheme against remote state estimator over a Markov channel in cyber-physical systems. Li et al. [26] designed an attack jamming approach on remote state estimation in cyber-physical systems by using a game theory. Zhang et al. [27], [28] studied a scenario, in which the optimal attack power allocation of energy-constrained DoS attackers to maximize the terminal estimation error was discussed. An attack power allocation mechanism with low cost was put forward. A dynamic attack energy disposal algorithm with ascertained attack capability in each period was also designed. In relevant works, most of the considerations focus on DoS attacks in single channel between the sensor and the remote estimator. Few researches have discussed DoS attack allocation in multiple channels of cooperative sensor networks. In [23] an attack scheduling approach was proposed to maximize the sum of the estimation errors of two remote estimators corresponding to two sensors, with the assumption that each sensor was completely observable. Yang et al. [29] studied DoS attack arrangement within an energy budget in centralized state estimation, and proposed a selection scheme of which sensor to be attacked under the assumption that different kinds of sensors are completely observable.

Although the DoS attack allocation problem has attracted wide attention [23]–[29], to the best of our knowledge, the problem of DoS attack scheduling in collaboratively working sensor networks has not been well addressed in the literature. The main difficulties may come from the following two aspects.

1) The network is composed of multiple heterogeneous sensors and single sensor is not necessarily observable. Unlike previous works [23], [27], [28], where the steady-state value is used to update estimation when there is no attack, in this paper each sensor transmits its measurement and the remote estimator uses the received measurements to update estimation. The existing attack scheduling schemes for remote estimator with one observable sensor cannot be applicable.

2) The attack probabilities and attack energy to be exerted by the attacker to the sensors can be different. The function of the packet dropout probability about attack energy is nonlinear and there is trade-off between collective observability and attack energy. Hence the attack scheduling problem is a nonlinear programming problem with high complexity and computation.

This paper focuses on designing a stochastic scheduling and attack power allocation scheme from the perspective of the energy-constrained DoS attacker, so as to influence the estimation of the collaboratively working sensor network with minimum attack energy cost. An allocation scheme consisting of three steps is proposed. The contributions of this paper contain the following.

1) Unlike attack allocation in single sensor’s communication [23]–[28], in sensor networks, multiple sensors’ channels should be attacked. The minimum number of channels needed to attack and how to select the channels are given.

2) A necessary condition and a sufficient condition on the packet loss probabilities of the attacked channels such that the mean square estimation error of the estimator is divergent are provided.

3) The optimal attack probabilities and attack power with minimum energy consumption to destroy the collective observability of the network are proposed.

The rest of this paper is arranged as follows. Section II formulates the filter in WSNs and DoS attack model, and states an overview of the problem. In Section III, the minimum number of channels needed to attack and how to select the channels are firstly given, and then the conditions of the packet loss probabilities making the estimation error divergent are provided for general and special systems respectively. In Section IV the optimal attack probability and power with minimum energy consumption are discussed. Finally, in Section V, the simulation results verify the effectiveness of the attack mechanism.

Notations: $\mathbb{R}^n$ denotes the set of $n$ dimensional vectors over real numbers and $\mathbb{R}^{m\times n}$ is the set of real matrices with $m$ rows and $n$ columns. $\mathbb{Z}^{+}$ denotes the set of positive integers. We write $X\geq 0$ to denote that $X$ is positive semi-definite. $\mathbb{E}\left \{ \cdot \right \}$ represents the mathematical expectation. ${\rm{tr}}\ (\cdot)$ and $\rho(\cdot)$ stand for the trace and spectral radius of matrix, respectively. $\left \lfloor r \right \rfloor$ denotes the largest integer that does not exceed $r$, $r\in\mathbb{R}$. $\Pr(\cdot)$ means the probability. $\left | S \right |$ stands for the cardinality of set $S$. $\dim( \cdot )$ denotes the dimension of space. $x(i)$ denotes the $i$th element of vector $x$. ${\rm{diag}}\left \{ R_i, i = 1,\ldots,n \right \}$ denotes a diagonal matrix with diagonal blocks $R_i, i = 1,\ldots,n$. ${\rm{col}}\{C_i, i = 1,\ldots,n\}$ is a short form of matrix $[C_1^T,\ldots,C_n^T]^T$.

II. Problem Formulation

In this section, the target’s system model, the sensor network, the impacts of DoS attacks, and the optimal attack allocation problem are formulated.

A Target and Sensor Network

Consider a linear time-invariant system to be monitored:

where $x_k\in \mathbb{R}^{n_x}$ is the state vector of the system at time $k$, $n_x\in\mathbb{Z}^{+}$, $k = 0,1,2,\ldots$. $A$ is the system matrix; $v_k\in \mathbb{R}^{n_x}$ is the process white Gaussian noise with covariance $Q>0$. The initial state $x_0$ is a Gaussian random vector with zero mean and covariance $\Pi_0\geq 0$.

A sensor network composed of $N$ sensors is used to measure the system. The sensor set is described as ${\cal V} = \left \{ s_i\mid i = 1,2,\ldots,N \right \}$. These sensors have the ability to measure, calculate and communicate. The measurement of sensor $s_i$ at time step $k$ is obtained with the following form:

where $z_{i,k}\in \mathbb{R}^{n_{z_i}}$ is a measurement vector for target system, $n_{z_i}\in\mathbb{Z}^{+}$; $C_i$ is the measurement matrix; $w_{i,k}\in \mathbb{R}^{n_{z_i}}$ is a zero-mean white Gaussian noise with covariance matrix $R_i>0$, and $w_{1,k},\ldots,w_{N,k}$, $v_k$ are uncorrelated.

Assumption 1: The system matrix $A$ is known and the system is not necessarily Schur stable. $(A,Q^{\frac{1}{2}})$ is controllable. $(A,C_i)$ is not necessarily detectable but $(A,C)$ is detectable, where $C = [C_1^T,C_2^T,\ldots,C_N^T]^T$.

A centralized information Kalman filter is adopted in the remote estimator to estimate the state of the target. Sensors in the network transmit their innovation vectors $C_i^TR_i^{-1}z_{i,k}$ and innovation matrices $C_i^TR_i^{-1}C_i$ to the remote estimator, which updates the state estimate by the information received. Denote $\Omega_k^-$ and $\Omega_k^+$ as the a priori and a posteriori information matrices of the estimator, respectively, $P_k^-$ and $P_k^+$ as the a priori and a posteriori covariance matrices in Kalman filter, respectively. Then, $\Omega_k^- = (P_k^-)^{-1}$, $\Omega_k^+ = (P_k^+)^{-1}$. Similarly, the a priori and a posteriori estimation state vectors of the estimator are denoted as $x_k^-$ and $x_k^+$.

Assumption 2: All sensors are clock synchronized and there is no communication delay in the network. When there is no attack in the network, there is no packet dropout. The packet that each sensor transmits at each time instant consists of $L$ bits and the transmission error is of bit-to-bit independent.

The estimator firstly computes the a priori information matrix and vector as following:

Then, the information fusion center updates the a posteriori estimate by using the received information [5]

and

where ${\cal V}_k^0$ denotes the set of sensors whose packets are successfully received at time $k$.

B DoS Attack Model

There exists an attacker in the network. The purpose of the attacker is to occupy the communication bandwidth by DoS attack, which jams some channels between sensors and the remote estimator and increases the packet loss probabilities. Under DoS attacks, the remote estimator may not estimate the system state successfully.

If the communication channel from sensor $s_i$ to the estimator is attacked by the attacker, from [30] its SNR (signal-to-noise ratio) is

where $G^a$ is the channel gain from the attacker to the remote estimator and $G^s$ is that from a sensor to the estimator. $\delta^s$ is the transmission power of sensors. $\delta_{i}^{a}$ is the attack power statically assigned to the channel. $\sigma^2$ is the noise power and $\delta^sG^s \gg \sigma^2$.

The transmitted packet of each sensor consists of multiple bits, and only if every bit is received correctly, the packet is considered as successfully received. Then from Assumption 2, the probability of one packet reception is described as [28]

where ${\cal Q}(x) = 1/\sqrt{2\pi}\int_{x}^{\infty}e^{-t^2/2}dt$. Therefore, under the DoS attack, the packet in sensor $s_i$’s communication channel is randomly dropped with probability

When sensor $s_i$’s channel is not invaded, which means $\delta_{i}^{a} = 0$, the packet dropout probability is $p_i = 1-\mu_i\mid _{\delta_{i}^{a} = 0}$, which is very close to zero. This fact conforms to Assumption 2 that when there is no attack, the packet loss probability is zero.

Considering a limited energy budget, there is no need for the attacker to keep implementing DoS attacks to one channel with high attack power at every time. Therefore, we consider the stochastic attack mechanism satisfying the following assumption.

Assumption 3 (Attack Rule): The attacker randomly exerts DoS attacks to part of transmission channels with certain fixed probabilities and power.

Under the stochastic DoS attack scheme, each channel is inflicted by attack with some probability. Define $\gamma_i$ ($0\leq \gamma_i \leq 1$, $i = 1,2,\ldots,N$) as the probability that sensor $s_i$’s communication channel is attacked. Let $\theta_{i,k}$ denote the attacked status of sensor $s_i$’s channel. If the channel from sensor $s_i$ to the center suffers from jamming at time $k$, $\theta_{i,k} = 1$; otherwise, $\theta_{i,k} = 0$. Obviously, $\Pr(\theta_{i,k} = 1) = \gamma_i$. This paper focuses on allocating intruded channels by appropriate probabilities $\gamma_i$ and attack power $\delta_{i}^{a}$ ($i = 1,2,\ldots,N$) to destroy the estimation of the estimator with the minimum cost.

Being exposed to attack results in significantly increased packet loss probability. We define another variable $d_{i,k}$ to indicate whether the packet of sensor $s_i$ is successfully received by the remote estimator at time $k$, where if the packet on the channel from sensor $s_i$ to the estimator is not received successfully at time $k$, $d_{i,k} = 1$; otherwise, $d_{i,k} = 0$.

Due to the stochastic properties of the attacks and packet losses, $d_{i,k}$ can be modeled by a Bernoulli process with distribution

The block diagram for the sensor network under attack is shown in Fig. 1.

Figure  1.  The estimation network under attack

DownLoad: Full-Size Img PowerPoint

C Attack Allocation Problem

The attacker’s intention is to prevent the remote estimator from obtaining the effective state estimate with a bounded mean square estimation error. Since the packets of the sensors are lost randomly, the DoS attacker aims at making the trace of the mathematical expectation on a prior covariance matrix $P_k^-$ unbounded, and meanwhile, minimizing the attack energy consumed. During a long period $T$, the number of time steps that sensor $s_i$’s transmission channel is attacked can be approximated to $\gamma_i T$, and thus the attack power allocated in this channel is $\gamma_i T\delta_i^a$. Hence, the problem above can be summarized as follows:

Problem 1:

In the following sections, we will investigate how to select $\gamma_i$ and $\delta_i^a$ ($i = 1,2,\ldots,N$) to solve Problem 1.

Remark 1: It should be noted that considering a control input signal for the system does not affect the problem formulation if the control input is known to the estimator.

III. Attack Placement and Probability Condition

To solve Problem 1, we can search the optimal attack probabilities and power by using the condition of $\lim_{k\rightarrow \infty} {\rm{tr}}\ \mathbb{E} \{ P_k^- \}\rightarrow\infty$. It is a nonlinear programming problem with high complexity and computation. To reduce the complexity and computation, we will solve Problem 1 from three steps. The first step is to look for the minimum number and further the placement of channels to be attacked. Given the attacked node set, the second step is to investigate the conditions on the packet loss probabilities such that the covariance is unbounded. The last step is to search the attack probabilities and power based on the packet loss probability conditions to minimize the energy consumed. In this section, we will discuss the first and the second steps in order.

A Mathematical Expectation of the Covariance Matrix

To begin with, we give the equation of the expected covariance matrix.

Define ${\cal V}^0_k = \left \{s_i|i\in {\cal V}, d_{i,k} = 0\right \}$ as the set of the sensors successfully sending information to the remote estimator at time $k$. Besides, ${\cal V}^d_k = \left \{s_i|i\in {\cal V}, d_{i,k} = 1\right \}$ denotes the set of sensors whose packets are dropped at time $k$. At any time $k$, ${\cal V} = {\cal V}^0_k \cup {\cal V}^d_k$.

Define $z_k = {\rm{col}} \{ z_{i,k},s_i\in {\cal V}^0_k \}$ as the augmented vector collecting the sensors’ measurements that are successfully transmitted to the processing center at time $k$, $\bar{C}_k = {\rm{col}} \{ C_i, s_i\in {\cal V}^0_k \}$ as the collective measurement matrices of the corresponding sensors, and $\bar{R}_k = {\rm{diag}} \{ R_i,s_i\in {\cal V}^0_k \}$.

Therefore, from (3), (5), and the Matrix Inversion Lemma, we obtain

and its expected value is

Let $J_1,J_2,\ldots, J_{2^N}$ stand for all possible node sets ${\cal V}^0_k$, $\tilde{J} = \{ J_t:t = 1,2,\ldots, 2^N \}$ represent the set including all the possible sets $J_t,\;t = 1,2,\ldots, 2^N$. For convenience, we denote $\bar{C}_k$and $\bar{R}_k$ as ${\cal C}_{J_t} = {\rm{col}}\{ C_{j_l},1\leq l \leq s\}$ and ${\cal R}_{J_t} = {\rm{diag}}\{ R_{j_1}, R_{j_2}, \ldots,$$R_{j_{s}}\}$ respectively when ${\cal V}^0_k = J_t = \{j_1,j_2,\ldots,j_s\}$. From the stochastic properties of $d_{i,k}$, we have

Then, the mathematical expectation expression of state error covariance satisfies the following equation:

where $\emptyset$ denotes the empty set.

For formulation convenience, we define operators $g(\cdot\mid_{J_t}), J_t\in \tilde{J}$ as follows: when $J_t\neq \emptyset$,

when $J_t = \emptyset$,

Therefore,

B Placement of Attacks

To destroy the observability of the entire network for the sake of preventing the estimator from obtaining effective state estimation, at least a certain number of channels are required to attack. This subsection discusses the minimum number of attacked channels to destroy the collective observability of the network. An effective way to enhance the aggressivity and reduce the energy of the attacker is to select fixed channels to attack. For design simplicity, we consider the attack model satisfying the following assumption.

Assumption 4: The attacker is allocated to attack fixed sensors’ channels.

In the following part, the existence of the minimum number of attacked channels is investigated by the concept of network collaborative observability. Before discussion, the concept of undetectable subspace should be introduced. Let the unstable subspace of system matrix $A$ be expressed as $U(A)$. In Assumption 1, $A$ is assumed to be not Schur stable. Consequently $U(A)$ is not empty. The undetectable subspace of sensor $s_i$ is defined by

For any node subset ${\cal V}_s\subseteq {\cal V}$, the undetectable subspace of ${\cal V}_s$ is defined by

Proposition 1: For system (1) and sensor networks satisfying Assumptions 1–4, there is a minimum number of channels needed to be attacked. Once the number of the attacked channels is less than it, the estimation error of the estimator must be bounded in mean square. The minimum number $m_{\min}$ is equal to

Proof: Assume there are $m$ nodes’ channels suffering from random attacks, whose set is denoted as ${\cal S}_a =\{ s_{a_1},$$s_{a_2},\ldots,s_{a_m} \}$, and $m<m_{\min}$. Then from the form of (20), we have that $U_{{\cal V}/{\cal S}_a}^{-} = \emptyset$, which means that even all channels of nodes in ${\cal S}_a$ are attacked and the packets on them are dropped, the network is still collectively observable. Then, by applying the Kalman information filtering algorithm, the estimation error is bounded. So, the effective number of attacked channels $m$ should be larger than $m_{\min}$.

When $m = m_{\min}$, select one node set in $\{{\cal V}_s\subseteq {\cal V}:$ $U_{{\cal V}/{\cal V}_s}^{-}\neq \emptyset,|{\cal V}_s| = m_{\min} \}$ to be attacked. Then, if sufficiently large attacks are allocated, the attacked channels are nearly always dropped, which can make the estimation error of the network unbounded. ■

Remark 2: We can search $m_{\min}$ by sorting the node sets according to the cardinality and bisection method. By verifying the condition $U_{{\cal V}/{\cal V}_s}^{-}\neq \emptyset$, we can also obtain an effective attacked node set with minimum cardinality. Single or multiple sets may satisfy the requirement after filtration. Here, we choose the set ${\cal V}^*$ to make $U_{{\cal V}/{\cal V}^*}^-$ have the worst stability, i.e., through structural decomposition, the unobservable part of system $(A, {\cal C}_{{\cal V}/{\cal V}^*})$ has the maximum spectral radius, which represents the maximum value of the eigenvalues’ modulus.

C Probability Condition for General System

To simplify the problem, in the following, we will fix the possible attacked node set as ${\cal V}^*$, which is designed according to Remark 2. Renumber the nodes in ${\cal V}^*$ as $1,2,\ldots,m$, $m = m_{\min}$. Then, there are $M = 2^m$ possible node sets $J_1,\ldots,J_M$, in which each node successfully transmits its information to the center, and for any $J_s\in\tilde{J}$ ($1\leq s \leq M$), ${\cal V}/J_s\subset {\cal V}^*$. Correspondingly, $r_{J_s} = \prod_{i\in J_s}(1-\lambda_i)\prod_{j\notin J_s}\lambda_j$, $\lambda_i = \gamma_ip_i$ denotes the probability of packet loss on the communication channel of $s_i$, where $p_i$ is defined in (9).

In this subsection, we mainly investigate the condition of the packet loss probabilities on the channels of the nodes in ${\cal V}^*$ such that $\lim_{k\rightarrow \infty} {\rm{tr}}\ \mathbb{E}\left \{ P_k^- \right \}\rightarrow\infty$. We firstly give an important lemma.

Lemma 1: The sequence

is convergent and bounded, if and only if there exist a symmetric positive definite matrix $X$ and matrices $Y_{J_s}$, $s = 1,2,\ldots,M$, such that $\Omega(\lambda_1,\lambda_2,\ldots,\lambda_{m}) < 0$, where $r_{J_s} = \prod_{i\in J_s}(1-\lambda_i)\prod_{j\notin J_s}\lambda_j$, $g(\cdot\mid_{J_s})$ is defined in (15), $\Omega(\lambda_1,\lambda_2, \ldots,\lambda_{m})$ is defined in (22) (show at the bottom of this page).

Proof: According to the Schur complement lemma, $\Omega(\lambda_1,\lambda_2,\ldots,\lambda_{m})<0$ is equivalent to that there exist positive definite matrix $\bar{P}$ and matrices $\bar{F}_{J_s}$ such that the following inequality holds

Necessity: If the sequence (21) is convergent, there exists $\bar{P}>0$ such that $\bar{P} = \sum_{s = 1}^M r_{J_s}g(\bar{P}\mid_{J_s})$, which implies when $\bar{F}_{J_s} = A\bar{P}{\cal C}_{J_s}^T({\cal C}_{J_s}\bar{P}{\cal C}_{J_s}^T+{\cal R}_{J_s})^{-1}$, the inequality (23) holds.

Sufficiency: Firstly, we prove that when $\Omega(\lambda_1,\lambda_2,\ldots,\lambda_{m})$ < 0 is feasible, the sequence is bounded.

Define linear operators

where $\bar{F}_{J_s}$ is the gain satisfying (23), $\bar{{{K}}} = \{\bar{K}_{J_s},1\leq s \leq M\}$, and $\bar{K}_{J_s}$ is the gain. Obviously, the operator $f$ is linear and non-decreasing with $P$. For any given $P_0>0$, there exists a positive constant $\alpha_1$ such that $P_0\leq \alpha_1 \bar{P}$. Choose $0<\beta<1$ such that $f(\bar{P})\leq \beta \bar{P}$. Then

and thus

Since when $\bar{K}_{J_s} = AP_k^-{\cal C}_{J_s}^T({\cal C}_{J_s}P_k^-{\cal C}_{J_s}^T+{\cal R}_{J_s})^{-1}$, $\phi(\bar{{{K}}},P_k)$ is minimum, we have

where $\bar{{{F}}} = \{\bar{F}_{J_s},1\leq s \leq M\}$, $U = \sum_{s = 1}^{M}r_{J_s}\bar{F}_{J_s}{\cal R}_{J_s}\bar{F}_{J_s}^T+Q$, and $\alpha_2$ is a positive constant satisfying $U\leq \alpha_2\bar{P}$.

Secondly, we prove its convergence. For sequence $\{\tilde{P}_{k},k\geq 0\}$ satisfying (21), when $\tilde{P}_0 = 0$, we have $\tilde{P}_{1} = Q\geq \tilde{P}_0$. And then by the fact that $g$ is a monotonically non-decreasing operator, $\tilde{P}_2\geq \sum_{s = 1}^M r_{J_s}g(\tilde{P}_0\mid_{J_s})\geq \tilde{P}_1$. From a simple inductive argument, we have that the sequence is monotonically non-decreasing and bounded. It is obvious that the sequence converges, i.e., $\lim_{k\rightarrow\infty}\tilde{P}_k = \bar{P}$, where $\bar{P}$ is a positive semi-definite solution of equation $\bar{P} = \sum_{s = 1}^M r_{J_s}g(\bar{P}\mid_{J_s})$.

For sequence $\{\hat{P}_{k},k\geq 0\}$ satisfying (21) and $\hat{P}_0\geq \bar{P}$, $\hat{P}_1 = \sum_{s = 1}^M r_{J_s}g(\hat{P}_0\mid_{J_s})\geq \hat{P}_0$. Similarly, for any $k \geq 0$, $\hat{P}_k\geq \hat{P}_0$. Let $\bar{F}_{J_s} = A\bar{P}{\cal C}_{J_s}^T({\cal C}_{J_s}\bar{P}{\cal C}_{J_s}^T+{\cal R}_{J_s})^{-1}$, we have

Since the operator is stable, i.e., $\lim_{k\rightarrow \infty}f(\hat{P}_k-\bar{P}) = 0$, when $\hat{P}_0\geq \bar{P}$, the sequence $\{\hat{P}_{k},k\geq 0\}$ also converges to $\bar{P}$.

Under any initial condition $P_0$, there exists $\hat{P}\geq \bar{P}$ such that $0\leq P_0 \leq \hat{P}$. From the properties of operator $\phi$,

and similarly the sequences under these three initial conditions satisfy that $\tilde{P}_k\leq P_k \leq \hat{P}_k$. Since both $\tilde{P}_k$ and $\hat{P}_k$ converge to $\bar{P}$, under any initial condition the sequence $P_k$ converges to $\bar{P}$ as well. This lemma has been proved. ■

Lemma 1 gives a necessary and sufficient condition for the convergence of the algebraic Riccati equation (21). By using Lemma 1, we can obtain the following probability conditions making the estimation error unstable.

Proposition 2: For system (1) and sensor networks under Assumptions 1–4, fix the possible attacked node set as ${\cal V}^*$. The attacker can successfully destroy the estimation of the center, i.e., $\lim_{k\rightarrow \infty} {\rm{tr}} \mathbb{E}\left \{ P_k^- \right \}\rightarrow\infty$, if the attack probabilities and attack power make $r_{J_1}\rho^2(A_{U^-_{J_1}})\geq 1$, and only if the LMI $\Omega(\lambda_1,\lambda_2,\ldots,\lambda_{m})<0$ is unfeasible, where $J_1 = {\cal V}/{\cal V}^*$, $A_{U^-_{J_1}}$ denotes the undetectable part of system matrix $A$ from observability structural decomposition of $(A, {\cal C}_{J_1})$.

Proof :

Sufficiency: Define the node set $J_1 = {\cal V}/{\cal V}^*$. From the definition of ${\cal V}^*$, it is obvious that $U^-_{J_1}\neq \emptyset$. Since the channels of the sensors in $J_1$ are not attacked, from (17), we have

where $F_{J_1,k} = AP_k^-{\cal C}_{J_1}^T({\cal C}_{J_1}P_k^-{\cal C}_{J_1}^T+{\cal R}_{J_1})^{-1}$. If $r_{J_1}\rho^2(A_{U^-_{J_1}})\geq 1$, then $\mathbb{E} \{P_{k+1}^-\}$ must be divergent, where $\rho(A_{U^-_{J_1}})$ denotes the spectral radius of the undetectable part $A_{U^-_{J_1}}$ of node set $J_1$, which can be obtained from observability structural decomposition. The sufficient condition has been proved.

Necessity: Since the operator $g(P_k^-\mid_{J_t})$ in (16) is concave, by using the Jensen’s Inequality and (17) we have

From Lemma 1 and the inequality (24), if $\Omega(\lambda_1,\lambda_2,\ldots, \lambda_{m}) < 0$ is feasible, $\mathbb{E}\{P_{k+1}^- \}$ must be bounded. The necessity part has been proved. ■

Remark 3: Proposition 2 provides a necessary condition and a sufficient condition on the packet loss probabilities $\lambda_i$, $1\leq i \leq m$, to solve Problem 1. We can directly obtain a suboptimal feasible probability set $\Lambda$ by verifying the sufficient condition $r_{J_1}\rho^2(A_{U^-_{J_1}})\geq 1$ and decreasing $\lambda_1,\lambda_2,$$\ldots,\lambda_m$ in sequence by fixed step from $\lambda_1 = \lambda_2 = \ldots = \lambda_m = 1$. To propose a better feasible probability set, the idea of traversal and off-line verification can be used. Firstly, by verifying $r_{J_1}\rho^2(A_{U^-_{J_1}})< 1$ we get a probability set $\overline{\Lambda}$. Secondly, for $(\lambda_1,\lambda_2,\ldots,\lambda_{m})\in \overline{\Lambda}$, when $\Omega(\lambda_1,\lambda_2,\ldots,\lambda_{m})<0$ is unfeasible, the corresponding probability vector is recorded in the solution set $\underline{\Lambda}$. By using these two steps, we can narrow the scope of traversal in the third step, in which we implement Monte Carlo simulations of the estimation process by using the probability vectors in $\underline{\Lambda}$ in sequence. When the average estimation errors have tremendous variations around a probability vector, the corresponding probability vector is recorded in the critical solution set $\Lambda$.

D Probability Allocation for Special System

In this subsection, we consider a special case and give explicit probability conditions to solve Problem 1.

Assumption 5: The system state consists of $r$ modes with a corresponding diagonal form of the system matrix $A$

where $Q = {\rm{diag}}\left \{ Q_s,1\leq s \leq r \right \}$, $\rho(A_s)\geq 1$, and $(A_s,Q_s^{\frac{1}{2}})$ is controllable. $r$ modes of the system are measured by $r$ different types of sensors. Each sensor belongs to only one type, which observes one mode of the system state vector. Denote ${\cal O}_s,s = 1,2,\ldots,r$, as the set of sensors that can detect the $s$th mode in the system. Define $\left |{\cal O}_s \right | = n_s>0$. For any $i\in {\cal O}_s$, $(A_s,C_i)$ is observable.

Because the network is collaboratively observable, the absence of some key measurements will destroy the observability of the whole network. If we attack all the sensors of one type, the network will be intermittently unobservable, which may make it difficult to obtain a uniformly bounded mean square estimation error. Based on this idea, we can give the explicit minimum number of attackers.

Proposition 3: For system (25) and networks satisfying Assumptions 2–5, the minimum number of attacked communication channels is $m_{\min} = \min_{1\leq s \leq r}\left\{n_s\right \}$. Once the number of attacked channels is less than $m_{\min}$, the estimation error of the estimator must be bounded in mean square sense.

Proof: The proof is similar to that of Proposition 1. When $m < m_{\rm min}$, for any mode of the system there exists at least one sensor to measure it and the network is always collectively observable, which can ensure that the estimation error of the remote estimator is bounded. ■

From the proof of Proposition 3, to minimize the attack power, it is better to place the attacks to the nodes of the same type. In the following, we will give an explicit sufficient condition and necessary condition on the packet loss probabilities to solve Problem 1.

Proposition 4: For system (25) and networks satisfying Assumptions 2–5, the attacker can successfully destroy the estimation of the center, if there exists a system mode $s$ ($1\leq s \leq r$), fix the possible attacked node set as ${\cal O}_s$, the attack probabilities and attack power make the packet loss probabilities satisfy that

and only if there exists a system mode $s, 1\leq s \leq r$, such that

where $\lambda^u(A_s)$ stands for unstable eigenvalues of $A_s$.

Proof: For system (25), the equation of the covariance can also be decoupled. Assume the attacked node set is ${\cal O}_s$, define $P_{k}^{-(s)}$ as the covariance matrix corresponding to the $s$th mode, then

Sufficiency: From (28) we have that $\mathbb{E}\{P_{k+1}^{-(s)}\}\geq$ $\prod_{j\in {\cal O}_s}\lambda_jA_s\mathbb{E}\{P_k^{-(s)}\}A_s^T+Q_s$. Similar to the proof of Proposition 2, if $\prod_{s_i \in {\cal O}_s}\lambda_i\geq\frac{1}{\rho^2(A_{s})}$, then $\mathbb{E}\{P_{k}^{-(s)}\}$ is divergent.

Necessity: Define $\bar{P}_{k}^{-(s)} = \mathbb{E}\{P_k^{-(s)}\}$. From (28) and the proof of Proposition 2, we have

where $o_s$ denotes any one node in ${\cal O}_s$, and for any $i \in {\cal O}_s$, $C_{i} = C_{o_s}$, $R_{i} = R_{o_s}$.

From [31] and [32], if $\prod_{j\in {\cal O}_s}\lambda_j<\dfrac{1}{\prod{\left |\lambda^u(A_{s}) \right |^2}}$, the sequence $\bar{P}_{k}^{-(s)}$ will be bounded. ■

Remark 4: For all nodes in ${\cal O}_s$, it is optimal to allocate uniform packet loss probability to minimize the sum of their probabilities and guarantee the necessary condition and the sufficient condition in Proposition 4. Define $o_s$ as one node in ${\cal O}_s$ and assume for $i \in {\cal O}_s$, $\lambda_{i} = \lambda_{o_s}$. From Proposition 4 we can obtain a lower bound $\underline{\lambda}_s$ and an upper bound $\bar{\lambda}_s$ of the optimal probability $\lambda_s^*$ to make the estimation error of the estimator divergent when the node set ${\cal O}_s$ is attacked, i.e., $\underline{\lambda}_s = {1}/{\prod{\left |\lambda^u(A_{s}) \right |^{\frac{2}{n_s}}}}$, $\bar{\lambda}_s = {1}/{(\rho(A_{s}))^{\frac{2}{n_s}}}$. Then, we implement Monte Carlo simulations of the estimation process by using the probabilities in $[\underline{\lambda}_s,\bar{\lambda}_s]$ in sequence and look for the critical probability $\lambda_s^*$. Although placing attacks to the minimum number of channels can reduce the cost of attack energy to a certain extent, it is not necessarily the optimal solution since the probability condition depends on the system mode $A_s$ as well. We can search an attack node set ${\cal O}_{s^*}$ to minimize the sum of the packet loss probabilities $n_s\lambda_s^*$, i.e., $s^* = {\rm{arg}} \min_{1\leq s \leq r}\{n_s\lambda_s^*\}$. The critical probability vector corresponding to the node set is recorded as set $\Lambda$.

In this section, an attack node set ${\cal V}^*$ and a universally applicable approach to finding feasible probability set $\Lambda$ have been given. In the next section, we will discuss how to design the attack probabilities and power to minimize the overall attack energy.

IV. Optimization of Attack Parameters

In the above section, we have solved the first two steps of the stepwise solution to Problem 1. In this section, the third step, which aims at finding the minimum of $\sum_{ s_i\in {\cal V}^*}\gamma_i\delta_i^a$ based on the first two steps, will be discussed.

From Section II-B, the probability of the packet loss on the channel is positively correlated with the attack power. We use a function $\psi(\cdot)$ to briefly represent this relationship, i.e., $p_i = \psi(\delta_i^a)$, where the form of the function $\psi(\cdot)$ can be obtained by (7)–(9). Since the DoS attacker injects attacks to the communication channel of $s_i$ with a probability $\gamma_i$ at any time step, we obtain $\lambda_i = \gamma_ip_i = \gamma_i\psi(\delta_i^a)$ accordingly.

Provided that the placement of attacks ${\cal V}^*$ and the feasible packet loss probability set $\Lambda$ have been given by Remark 2 and Remark 3 (or by Remark 4 for special systems), in the following we investigate the optimal attack power $\delta_i^a$ and attack probability $\gamma_i$ in the feasible packet loss probability set $\Lambda$ to minimize the attack energy $\sum_{i \in {\cal V}^*} \gamma_i\delta_i^a$.

Replacing $\gamma_i$ by $\lambda_i/\psi(\delta_i^a)$, the cost function ${\lambda_i\delta_i^a}/{\psi(\delta_i^a)}$ just depends on $\delta_i^a$ and Problem 1 is simplified to the following problem.

Problem 2:

where the attack sensor set ${\cal V}^*$ is obtained by Remark 2; the set of critical probability vector $\Lambda$ is obtained by Remark 3 or Remark 4.

The packet loss probability $\lambda_i$ and attack energy depend on both $\gamma_i$ and $\delta_i^a$. We firstly give an example to show the relationships among the packet loss probability $\lambda_i$, attack power $\delta_i^a$, attack probability $\gamma_i$, and energy $\gamma_i\delta_i^a$. Define the parameters in (7) and (8) as $G_s = G_a = 1,\delta_s = 10,\sigma = 0.1, L = 32$. The impact of attack parameters $\gamma_i$ and $\delta_i^a$ on attack energy and packet loss probability $\lambda_i$ is shown in contour overlap sketch map in Fig. 2. Here dotted lines represent the contours of packet loss probability and solid lines represent that of attack energy. The x-axis indicates attack possibility $\gamma_i$ within the range from 0 to 1; the y-axis indicates attack power $\delta_i^a$. In Fig. 2, both the packet loss probability and attack energy decline from upper-right to lower-left. Moreover, for fixed $\lambda_i$ (represented by a red dotted line), we can always find an optimal solution $\delta_i^a$ to minimize the energy under the condition that $0\leq {\lambda_i}/{\psi(\delta_i^a)}\leq 1$.

Figure  2.  Contour overlap sketch map

DownLoad: Full-Size Img PowerPoint

Remark 5: To solve Problem 2, we can look for parameters to minimize ${\lambda_i\delta_i^a}/{\psi(\delta_i^a)}$ under condition (30) for fixed $\lambda_i$ and search the global optimal parameters by testing all feasible probabilities in $\Lambda$.

By solving Problem 2, the original nonlinear programming problem with high complexity and high coupling is simplified to a linear programming problem with largely reduced difficulties. Moreover, in Problem 1 two optimal coupled attack parameters for each channel should be searched while in Problem 2, just one parameter $\delta_i^{a}$ is required to be considered. This solution may be a suboptimal solution of Problem 1. However, the complexity in solving Problem 1 has been reduced considerably.

V. Numerical Simulations

A General System

We firstly verify the effectiveness of the allocation mechanism for general systems. In this part, we consider a military gas turbine engine as the target model. In order to evaluate and monitor the state information of the engine, an on-board engine monitoring system [33] is used.

Three incompletely observable sensors send information to process center and the network parameters in (7) and (8) are given as $G_s = G_a = 1,\;\delta_s = 10,\;\sigma = 0.1,\;L = 32$. According to [33], a discrete-time model of the engine system is concerned as follows:

The measurement matrices of sensors are $C_1 = \left[0\ 1\ 1\right ]$, $C_2 = \left[1\ 1\ 0\right ]$ and $C_3 = \left[0\ 0\ 1\right ]$. Obviously, we get ${\cal V}^\ast = \left \{ s_2 \right \}$. The effect of attack is shown in Fig. 3. When the channel between sensor $s_2$ and the estimator is attacked by the attacker, the estimation error increases largely.

Figure  3.  Estimation errors with and without DoS attack: engine monitoring system.

DownLoad: Full-Size Img PowerPoint

When the system has an unstable eigenvalue, the same attack results in more lethal effect. When $A = \left[ {\begin{array}{*{20}{c}}{1.0890}&0&{0.2022}\\{0.0145}&{0.9608}&{ - 0.0316}\\{0.0259}&0&{0.8032}\end{array}} \right],$ according to Proposition 2, $\lambda \geq 0.8234$ is obtained. The optimal solution for attack energy is then obtained with $\gamma = 1,\delta^a = 7.5325$. Meanwhile, the traces of the estimation error covariance matrices with and without DoS attack are shown in Fig. 4. Obviously, the attack strategy is effective.

Figure  4.  Estimation errors with and without DoS attack: general unstable case

DownLoad: Full-Size Img PowerPoint

B Special System

In this subsection, we consider a system with diagonal form and there are 4 incompletely observable sensors sending information to the process center through communication channels, where the monitoring process of the smart grid is studied. In the smart grid, some separate self-generating areas can be regarded as independent power agents ([21]). The system is $A = \left[ {\begin{array}{*{20}{c}}{1.01}&{0.1136}&0&0\\0&{0.3825}&0&0\\0&0&{0.4237}&{0.5346}\\0&0&0&{1.5}\end{array}} \right]$ and the sample time is $T = 0.1{\rm s}$. Each mode of the system state represents the power distribution of an agent, which is detected by a sensor, and there are couplings between agents. Sensor $s_i$ is only available to agent $i$. For simple expression, four state components $x_k(i), 1\leq i \leq 4$, respectively stand for the power distributions of agents 1, 2, 3 and 4.

The system has two diagonal blocks, thus we easily get $m_{\min} = 2$ based on Proposition 3. ${\cal O}_1 = \left \{ s_1,s_2\right \}$ and ${\cal O}_2 = \left \{ s_3,s_4\right \}$.

From Proposition 4, we obtain the optimal packet loss probability $\lambda_3^* = \lambda_4^* = {1}/{1.4692}$ with ${\cal V}^* = {\cal O}_2$. By solving Problem 2, the optimal attack parameters are $\gamma_3 = \gamma_4 = 1, \delta_3^a = \delta_4^a = 7.6821$, respectively. It is noteworthy that if we choose ${\cal V} = {\cal O}_1$, more attack energy will be consumed with $\gamma_1 = \gamma_2 = 1, \delta_1^a = \delta_2^a = 8.4678$. The traces of the estimation error matrices with existence and absence of DoS attack are shown in Fig. 5. It is shown that the proposed attack scheme deteriorates the estimation performance.

Figure  5.  Estimation errors with and without DoS attack: special case

DownLoad: Full-Size Img PowerPoint

VI. Conclusions

In this paper, a suboptimal stochastic DoS attack mechanism is designed to destroy the centralized state estimation in wireless sensor networks, which makes the estimation error of the system unbounded with minimum energy consumption. The mechanism is composed of three steps, where the attack node set, the feasible induced packet loss probability set, and the attack probabilities and power are proposed in sequence. This paper focuses on attack management in centralized estimation networks. How to place attacks in distributed estimation networks and delayed networks is of our research interest in future.