Analysis of Byzantine Attacks for Target Tracking in Wireless Sensor Networks

Herein, the problem of target tracking in wireless sensor networks (WSNs) is investigated in the presence of Byzantine attacks. More specifically, we analyze the impact of Byzantine attacks on the performance of a tracking system. First, under the condition of jointly estimating the target state and the attack parameters, the posterior Cramer–Rao lower bound (PCRLB) is calculated. Then, from the perspective of attackers, we define the optimal Byzantine attack and theoretically find a way to achieve such an attack with minimal cost. When the attacked nodes are correctly identified by the fusion center (FC), we further define the suboptimal Byzantine attack and also find a way to realize such an attack. Finally, in order to alleviate the negative impact of attackers on the system performance, a modified sampling importance resampling (SIR) filter is proposed. Simulation results show that the tracking results of the modified SIR filter can be close to the true trajectory of the moving target. In addition, when the quantization level increases, both the security performance and the estimation performance of the tracking system are improved.


Introduction
Wireless sensor networks can be flexibly deployed in various application environments and perform tasks such as the sensing, acquisition, processing, and transmission of target information. When the perceived information needs to combine with nodes' locations to develop its own value, the self-localization process of sensor nodes becomes the application premise of wireless sensor networks (WSNs). In practical applications, when WSNs are deployed in a non-secure environment, the sensor nodes may be subjected to various attacks. Through modifying the reference data (such as anchor positions or ranging information), the attackers can produce severe damage to the localization accuracy [1][2][3][4][5].
How to prevent attackers from modifying the reference data or how to realize reliable localization under attack has always been the research focus in the field of secure localization. In the past decades, researchers have proposed many reliable localization strategies. The most intuitive strategy is to employ some techniques to protect the integrity of the reference data and make the observation process robust. This strategy can be called the secure localization strategy based on robust observations. The representative work includes the distance bounding protocol [6] and the SeRLoc algorithm [7]. These methods mainly use the time constraints, space constraints, or signal coding techniques to protect the physical properties of beacon information. However, this type of method relies on additional hardware units and is not suitable for large-scale promotion.
When modified observations from attackers (or, as we call them, malicious observations) are unavoidable, researchers propose detecting and eliminating the malicious observations and then using the remaining honest observations to achieve node localization [8][9][10]. This strategy can be called the secure localization strategy based on malicious node detection. A typical work is the MEF-based localization algorithm proposed in Reference [8]. A common feature of this type of method is that the detection of malicious nodes usually needs to compare a large amount of data, thus causing a heavy calculation overhead. Meanwhile, a certain type of detection method can only detect a specific type of malicious attack. So, the applicability of this kind of method is weak.
Sensors 2019, 19, 3436
In order to reduce the requirements on the hardware, and also to improve the applicability of secure localization algorithms, some researchers choose to develop methods to improve the robustness of the position computation process (i.e., the key process of node localization). In the traditional trilateration method, the position estimates are derived in the sense of least squares. Since the cost function of this method is the sum of the squared errors of all sample data, it is very sensitive to outliers. A single malicious observation may cause a serious deviation in the position estimate. In response to this problem, Li et al. [11] proposed a positioning mechanism based on the idea of least median of squares, which estimates the unknown parameters by minimizing the median of the residual squares. Results show that, in the absence of measurement noise, even if 50% of the observation data are outliers, this method can still output the correct position estimate. In Reference [12], the authors combined iterative gradient descent with selective pruning of inconsistent measurements to achieve reliable localization. During each iteration, the forward direction is corrected by eliminating the suspicious gradient vectors, thereby ensuring that the iterative path is constantly approaching the true position of the unknown node. A common feature of the above methods is that they enhance the reliability of the positioning system by improving the robustness of the position computation process. Therefore, this type of strategy can be called the secure localization strategy based on robust computing.
Most existing secure localization algorithms study how to defend against malicious attacks from the perspective of defenders. Few articles examine the impact of different attack strategies on the positioning systems from the perspective of attackers. This paper focuses on the target tracking problem under Byzantine attacks and investigates the optimal Byzantine attack strategy for malicious nodes in different situations. The prototype of Byzantine attacks comes from the issue of Byzantine generals [13], where some traitors try to confuse other loyal generals by delivering false information. Here, we apply the malicious behaviors of delivering false data into sensor networks. For the fragile sensor networks, such a type of attack is easy to implement. A typical example is the man-in-the-middle (MiM) attack [14]. In the MiM attacks, the attacker first disguises itself as a legal fusion center (FC) to collect data from sensor nodes. Then, they modify the data and send false information to the real FC.
Vempaty et al. [15,16] analyzed the distributed estimation problem under Byzantine attacks. In their model, the attackers are unaware of the true states of the target, the quantization scheme employed by each node, and the estimation method used by the FC. They can only access and modify the quantized results of attacked nodes. By means of the posterior Cramer-Rao lower bound (PCRLB), the authors successfully quantified the impact of a Byzantine attack on the system performance and derived the minimum number of attacked nodes to achieve the maximum degradation to the system performance. Based on the above, Nadendla et al. [17] extended the system framework from binary quantization to L-dimensional (L ≥ 2) quantization and found the optimal Byzantine attack that blinds any distributed inference network. In Reference [18], the authors investigated the optimal processing of honest observations and malicious observations. When the number of observations or the total number of nodes approaches infinity, the authors theoretically proved that the FC has the ability to classify all nodes according to the types of attacks.
In this paper, we consider a WSN that is deployed for the purpose of tracking the real-time state (denoted as $\theta_t$) of a moving target. After obtaining noisy measurements about the target, the sensors first quantize their raw observations and then send the quantized measurements to a fusion center, which is responsible for estimating $\theta_t$. Figure 1 shows the simplified model of the entire system. Here, we extend the framework of the target tracking problem in Reference [19] to a more general case where sensors use L-dimensional quantization schemes. The PCRLB for total unknowns (including unknown target states and unknown attack parameters) is calculated. From the perspective of attackers, we define the optimal Byzantine attack and derive how to achieve such an attack with a minimal cost. When all attacked nodes are correctly identified by the FC, we further define the suboptimal Byzantine attack and also find a way to realize such an attack. In order to alleviate the negative impact of Byzantine attacks, we propose a modified SIR filter. Simulation results show that by using the modified SIR filter, the tracking results can be very close to the true trajectory of the moving target. In addition, when the quantization level increases, the security performance and the estimation performance of the tracking system are both improved.
The remainder of this paper is organized as follows. Section 2 describes the system model for the target tracking problem under Byzantine attacks. Next, we calculate the PCRLB of the unknowns and determine the optimal and suboptimal attack strategy for the attackers in Section 3. In Section 4, the modified SIR filter is proposed, and simulation results are also presented. Finally, conclusions are made in Section 5.

System Model
We consider a single target moving in a 2-dimensional plane whose dynamics are defined by a state vector, $\theta_t = [x_t, y_t, vx_t, vy_t]^T$, where $x_t$ and $y_t$ are the x and y coordinates of the moving target in the time unit, $t$, respectively. The values $vx_t$ and $vy_t$ denote the velocities in the x and y directions. The evolution of the target state sequence is defined as follows: where $F$ is the state transition matrix and $w_t$ is the process noise, which is assumed to be white and Gaussian with zero mean and covariance matrix, $Q_1$. It is assumed that the FC has exact knowledge of the target state-space model and the process noise statistics.
In order to track the real target state, a sensor network consisting of $N$ spatially distributed sensors is deployed. Each sensor measures the signal emitted from the target. The measured signal at each sensor follows: where $s_{i,t}$ is the received signal amplitude at the $i$th sensor at time instant $t$. The measurement noises, , are assumed to be independent across sensors and follow a common Gaussian distribution, $\mathcal{N}(0, \sigma^2)$. The value $P_0$ is the measured power at the reference distance $d_0$, $\alpha$ is the path-loss exponent, and $d_{i,t}$ is the distance between the target and the $i$th sensor. Without loss of generality, we assume $d_0 = 1$ and $\alpha = 2$.
Due to the energy and bandwidth constraints, each sensor locally quantizes its received signal, $s_{i,t}$, and sends the quantized result, $u_{i,t}$, to the FC through an ideal channel. The quantized process follows: where $L$ is the quantization level and λ are the quantization thresholds of sensor $i$ at time instant $t$, T , the FC can sequentially estimate the target state, $\theta_t$, using a sampling importance resampling (SIR) method [20].
However, in a non-secure environment, the sensor nodes may be subjected to various attacks. This paper considers the Byzantine attacks, in which the attackers deteriorate the system performance by capturing several nodes and forcing them to transmit false information. In the following, the attacked and un-attacked nodes are called Byzantine nodes and honest nodes, respectively. Here we assume that the attackers cannot interfere with the acquisition of the analog data, $s_{i,t}$, and the transmission of the quantized data, $u_{i,t}$. They can only locally access and modify the quantized data of Byzantine nodes. More specifically, when the sensor $i$ is honest, its quantized data, $u_{i,t}$, remains unchanged. When the sensor $i$ is attacked, its quantized data, $u_{i,t} = l$, can be modified to ). Note that, the Byzantine attack parameter satisfies For the sake of compactness, we arrange the attack parameters at time instant $t + 1$ as an unknown vector, as follows:

Performance Metric
In order to quantify the impact of Byzantine attacks on the system performance, we set the PCRLB as the performance metric. When the attack vectors are considered, the system state model can be reformulated as follows: where $\beta_t$ is the process noise, which is assumed to be white and Gaussian with zero mean and a covariance matrix, $Q_2$. In the above model, the total unknown vector is then the mean square error matrix of the estimation error satisfies the following: where $J_t$ is the Fisher information matrix (FIM). Reference [21] shows that $J_t$ can be sequentially calculated through the following method: where Note that the above expectations are taken with respect to the joint probability distribution, $p(\Theta_{0:t+1}, V_{1:t+1})$.
In our framework, the log-likelihood function, $\log p(V_{t+1} \mid \Theta_{t+1})$, evaluated at $V_{t+1} = r_{t+1}$, can be expressed as follows: where the δ-function is defined as follows: The probability, p where parameter, $\rho$, represents the probability that any node is attacked. According to the quantization process, the conditional probability, $\Pr(u_{i,t+1} = m \mid \theta_{t+1})$, can be calculated as follows: where $\Psi(x)$ is the complementary cumulative distribution function of the standard normal distribution.

Optimal Byzantine Attacks
For the attackers, the goal is to cause as much damage to the system as possible. Here, we call the event of causing maximum damage blinding the FC, which refers to making the observations from sensors non-informative to the FC. When the Byzantine nodes adopt an attack strategy such that the observation data, $V_{t+1}$, does not contain any information about $\Theta_{t+1}$, then the Fisher information of $\Theta_{t+1}$ obtained from $V_{t+1}$ becomes zero, and the only beneficial way to estimate $\Theta_{t+1}$ is to use the prior information of the unknowns. From (9) and (10), we know that this is the minimum increment of Fisher information that the FC can obtain at time unit $t + 1$. In other words, such an attack strategy achieves the maximum degradation to $J_{t+1}$. Based on this, the following definition is given:
Definition 1. Consider a distributed estimation framework where the parameter of interest is $\Theta_{t+1}$ and the contaminated observation data is $V_{t+1}$. A Byzantine attack is said to be optimal if it makes the Fisher information of $\Theta_{t+1}$ obtained from $V_{t+1}$ become zero.
Theorem 1. If a Byzantine attack is such that for any $t \ge 0$, then the observation data, $V_{t+1}$, does not contain any information about $\Theta_{t+1}$.
Proof. By substituting Equation (15) into Equation (8), we have the following: As can be seen from the equation, at time instant $t + 1$, $D^{22,b}_t$ is the only matrix that is related to $V_{t+1}$ and can contribute to $J_{t+1}$. Thus, to ensure that the observations $V_{t+1}$ do not contain any information about $\Theta_{t+1}$, the attackers need to ensure that for any $t \ge 0$, $D^{22,b}_t = 0$.
Proposition 1. If the attack parameters satisfy that for any $t \ge 0$, $l, m \in [0, L - 1]$, then the optimal Byzantine attack is achieved.
Proof. From Equation (16), we know that $D^{22,b}_t$ can be divided into four blocks as follows: where According to the definition of $p^{(m)}_{i,t+1}$, we have the following: In the above equation, $\Gamma^m_{i,t+1}$ is as follows: where $\gamma^l_{i,t+1}/2\sigma^2$ and it satisfies that When the attack parameters satisfy Equation (20), it can be shown that for any $m \in [0, L - 1]$ as follows: As a result, for any $t \ge 0$, B 11 = 0, B 12 = 0, and B 22 = 0. By Theorem 1, it can be concluded that under the conditions of Equation (20), the attackers realize the optimal Byzantine attack.
Equation (29) demonstrates that when the attack parameters satisfy Equation (20), the conditional probability, $p^{(m)}_{i,t+1}$, of any node at any time is independent of the observation data, $v_{i,t+1}$, and its value is only determined by parameter $L$. In other words, there is no information about $\Theta_{t+1}$ in the new observations. At this point, the only beneficial information that can be utilized is the prior information of the unknowns.
By noticing that $q^{(t+1)}_{m,m} \ge 0$, we obtain the following: In general, the stronger the attackers are, the larger the value of parameter $\rho$ will be. In order to achieve optimal Byzantine attacks and minimize the requirements on the attackers' capabilities, it is desirable to set $\rho = \rho_{\min} = (L - 1)/L$. At this point, the optimal attack parameters become the following: When $L = 2$ and $\rho = \rho_{\min} = 1/2$, the attack parameters in Equation (31) become q which implies that to achieve the optimal Byzantine attack, all Byzantine nodes must flip their own local quantized measurements with a probability of '1'.
Figure 2 depicts the relationship between $\rho_{\min}$ and $L$. It can be observed that when $L$ gradually increases, $\rho_{\min}$ also increases. If $\rho_{\min}$ is considered as the proportion of attacked nodes in the network, when $L = 2$, $\rho_{\min} = 0.5$, it means that in order to achieve optimal Byzantine attacks, the attackers need to capture at least 50% of sensor nodes in the network. As $L$ increases, the number of nodes that need to be captured also increases, which places a higher requirement for the attackers. In the extreme cases (i.e., $L \to \infty$, $\rho_{\min} = 1$), all nodes in the network must be captured by the attackers.
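The relationship between the compromised fraction $\rho$, the quantization level $L$ and the information left at the FC can be checked numerically. The following Python code is an added example, not code from the paper: it computes the received-symbol distribution $p^{(m)}$ and the Fisher information one symbol carries about the target distance. The amplitude model a = sqrt(P0)/d, the equal-probability replacement matrix q[l][m] = 1/(L-1), the thresholds, and the values of P0 and sigma are assumptions made for illustration.

```python
import math

def psi(x):
    """Psi(x): complementary CDF of the standard normal distribution."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))

def honest_pmf(d, thresholds, p0=1000.0, sigma=1.0):
    """Pr(u = m | theta), m = 0..L-1, for a sensor at distance d from the target.

    Assumption: amplitude a = sqrt(P0) / d (d0 = 1, alpha = 2) plus N(0, sigma^2)
    noise; P0 and sigma are constructed values, not the paper's Table 1.
    """
    a = math.sqrt(p0) / d
    edges = [-math.inf, *thresholds, math.inf]
    return [psi((edges[m] - a) / sigma) - psi((edges[m + 1] - a) / sigma)
            for m in range(len(edges) - 1)]

def received_pmf(d, thresholds, rho, **model):
    """p^(m): distribution of the symbol v seen by the FC when a node is
    Byzantine with probability rho.

    Assumption: a Byzantine node replaces its symbol l by any other symbol with
    equal probability, q[l][m] = 1/(L-1) for m != l (for L = 2: always flip).
    """
    pu = honest_pmf(d, thresholds, **model)
    L = len(pu)
    return [(1.0 - rho) * pu[m] + rho * (1.0 - pu[m]) / (L - 1) for m in range(L)]

def rho_min(L):
    """Smallest compromised fraction at which the FC is blinded: (L - 1) / L."""
    return (L - 1) / L

def fisher_information(d, thresholds, rho, h=1e-4, **model):
    """Fisher information about the distance d carried by one received symbol,
    sum_m (dp_m/dd)^2 / p_m, using central finite differences."""
    p = received_pmf(d, thresholds, rho, **model)
    hi = received_pmf(d + h, thresholds, rho, **model)
    lo = received_pmf(d - h, thresholds, rho, **model)
    return sum(((a - b) / (2 * h)) ** 2 / pm
               for a, b, pm in zip(hi, lo, p) if pm > 0.0)

def retained_information(d, thresholds, rho, **model):
    """Share of the attack-free Fisher information that survives at rho."""
    clean = fisher_information(d, thresholds, 0.0, **model)
    return fisher_information(d, thresholds, rho, **model) / clean

# Constructed quantizer thresholds for L = 2, 4 and 8 (illustrative values).
QUANTIZERS = {2: [1.5], 4: [0.8, 1.5, 2.5],
              8: [0.4, 0.8, 1.2, 1.6, 2.0, 2.6, 3.4]}

if __name__ == "__main__":
    d = 20.0  # constructed target-to-sensor distance
    for L, thr in QUANTIZERS.items():
        row = ", ".join(f"rho={r:.3f}: {retained_information(d, thr, r):.3f}"
                        for r in (0.0, 0.25, 0.5, rho_min(L)))
        print(f"L={L} rho_min={rho_min(L):.3f} retained information -> {row}")
        print("   p^(m) at rho_min:",
              [round(x, 6) for x in received_pmf(d, thr, rho_min(L))])
```

At $\rho = 0.5$ the binary quantizer retains no information, while the 8-level quantizer still does, which is the security benefit of a larger $L$ discussed above.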

Sub-Optimal Byzantine Attacks
In the analysis of optimal Byzantine attacks, it is assumed that the FC knows the probability that each node is captured (i.e., $\rho$), but it is not clear about the real attribute of each node (i.e., malicious or honest). In that case, it is possible for attackers to make the new observations of all nodes contain no information about $\Theta_{t+1}$. Recently, the work in References [2,18] shows that, for some classes of Byzantine attacks with a sufficient number of observations, the FC is able to perfectly identify and categorize the attacked sensors into different groups. Thus, in this section, we further derive the most destructive Byzantine attack strategy when the FC knows the real attributes of all nodes. It is worth mentioning that in this case, the least amount of Fisher information that can be obtained to develop the PCRLB is the information contained in the observations from un-attacked sensors. In other words, if the data contribution from each attacked sensor observation to the FIM becomes zero, then the maximum degradation of the PCRLB can be achieved. Based on this, the following definition is given.

Definition 2.
Consider a distributed estimation framework where the FC knows the attribute of each node. A Byzantine attack is said to be suboptimal if it makes the Fisher information of $\Theta_{t+1}$ obtained from each attacked sensor observation become zero.
When the true states of all nodes are known to the FC, the log-likelihood function of received data can be expressed as follows: where $S_0$ and $S_1$ are the sets of honest sensors and Byzantine sensors, respectively. The probabilities $p^{(m)}_{i \in S_0, t+1}$ and $p^{(m)}_{i \in S_1, t+1}$ are defined as follows:  (10), we get the following: where the matrices $H^{22,0}_t$ and $H^{22,1}_{i,t}$ are defined as follows:

Theorem 2. If the Byzantine attacks are such that for any $i \in S_1$ and $t \ge 0$, then the observation data of each attacked node does not contain any information about $\Theta_{t+1}$.

Proof. By substituting Equation (34) into Equation (8), we get the following:
As can be seen from Equation (38), at time instant $t + 1$, $\sum_{i \in S_1} H^{22,1}_{i,t}$ is the only matrix that is related to the Byzantine nodes' observations and can contribute to $J_{t+1}$. Thus, to ensure that each attacked sensor observation contains no information about $\Theta_{t+1}$, the attackers need to ensure that $H^{22,1}_{i,t} = 0$ for any $t \ge 0$ and $i \in S_1$.

Proposition 2. Given the Equations (32) and (34), if the Byzantine attack parameters satisfy that for any t
then the suboptimal Byzantine attack is achieved.
i,t can also be further divided into four blocks as follows: where From (33), we know the following: where parameter m i∈S 1 ,t+1 l,m ·γ l i,t+1 . When the condition Equation (39) is satisfied, As a result, for any $i \in S_1$ and $t \ge 0$, $H^{22,1}_{i,t} = 0$. By Theorem 2, it can be concluded that under the conditions of Equation (39), the suboptimal Byzantine attacks are achieved.
From Equation (43), we know that when the attack parameters satisfy Equation (39), the conditional probability, $p^{(m)}_{i \in S_1, t+1}$, becomes independent of the attacked sensor observations. In other words, the attacked sensor observations received by the FC do not contain any valid information about the unknowns. Therefore, the FC can only use the prior information and the un-attacked sensor observations to estimate the unknowns.

Numerical Results
In this subsection, we present numerical results in support of our analysis on Byzantine attacks in a target tracking problem. It is assumed that the mobile target is free to move within a 600 × 600 square area. The target motion model is assumed to be a near constant velocity model and the state transition matrix and the covariance matrix of the process noise are defined as follows: where $T$ is the observation interval and $q$ is a process noise parameter. In the monitoring area, $N$ sensor nodes are evenly distributed and the total number of Byzantine nodes is $M = \rho \cdot N$. The observations between nodes are assumed to be independent. The total observation time is $T_s$. All nodes adopt the same entropy-based heuristic quantization scheme proposed in Reference [22] at any time and all Byzantine nodes modify their local quantized observations according to the settings of Equation (20). The default parameter settings are listed in Table 1.

Parameters    Values
Network size  600 × 600

In simulations, we calculated the frequency of $v_{i,t+1} = 0$ for all nodes and all time units over 1000 randomized trials. The results listed in Figure 3 show that when the Byzantine attack parameters satisfy Equation (20)
Next, we assume that the first $M$ sensor nodes are Byzantine nodes and their attack parameters follow Equation (39). However, these malicious nodes are correctly identified by the FC. Under this circumstance, we also calculated the frequency of $v_{i,t+1} = 0$ for all Byzantine nodes and all time units over 1000 randomized trials. The results, listed in Figure 4, show that when the Byzantine parameters follow Equation (39), the frequency of $v_{i,t+1} = 0$ is approximately 0.5 for all Byzantine nodes and all time units. In other words, the conditional probabilities of received data become p

The Modified SIR Filter
In order to alleviate the negative impact of Byzantine attacks on the system performance, a modified SIR filter is proposed. Table 2 shows the main flow of the filter.
1 Initialization: Set $t = 1$, randomly draw $N_p$ particles $\theta^{(i)}_0$ from $p(\theta_0)$ and set w (i)
2 While $t \le T_s$ do
3 Prediction:
4 Calculating the weights:
5 Resampling according to the weights:
6 Preliminary estimation:
7 Byzantine node identification: Determine the states of all nodes based on $\theta_t$ and $V_t$, and prune out the attacked observations from all Byzantine nodes.
8 Update the particle set with the remaining observations and output the final target state estimation, $\theta_t$, at time unit $t$.
9 Set $t = t + 1$.
10 End While
In the above filter, $N_p$ is the total number of valid samples, $p(\theta_0)$ is the initial distribution of the target state, and $p(\theta_t \mid \theta_{t-1})$ denotes the particle prediction function. In the resampling step, the number of copies of the particle $\theta^{(i)}_t$ is proportional to its weight, $\tau^{(i)}_t$. In step 7, we adopt the Byzantine identification scheme proposed in [23] to determine the attributes of sensor nodes. However, the scheme in [23] only considers binary quantization and is not completely suitable for our cases. So, some small modifications are made here. First, parameter $\gamma_{i,t}$ is calculated through the following formula: where $\chi$ is defined as follows: In the above equations, $v_{i,t}$ is the observation estimated based on $\theta_t$ and $\gamma_{i,t}$ characterizes the probability that node $i$ modifies the quantized observation at time $t$, and its value is related to the historical observations $v_{i,1}, \cdots, v_{i,t}$ and the preliminary target state estimation $\theta_t$. From Equation (31), we know that in order to achieve the optimal Byzantine attacks with minimal cost, the Byzantine nodes must modify the original quantized data to other possible values. Thus, we use the following statistic to determine the nodes' states: In the above equation, the numerator of $\Lambda_{i,t}$ describes the deviation between $\gamma_{i,t}$ and the probability that honest nodes modify the quantized observations. The denominator describes the deviation between $\gamma_{i,t}$ and 1 (i.e., the probability that the malicious nodes modify the quantized observations under optimal Byzantine attacks). When $\Lambda_{i,t} > 1$, the denominator is smaller than the numerator. Thus, we are inclined to accept that node $i$ is a Byzantine node. Otherwise, node $i$ is identified as an honest node.
After determining the states of all nodes, we prune out the observation data from all Byzantine nodes and use the remaining observations to update the particle set and output the final estimate of the unknown target state.
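The identification and pruning in step 7 can be illustrated on a small constructed data set. The following Python code is an added example, not the paper's implementation: the mismatch-frequency estimator for $\gamma_{i,t}$, the amplitude model a = sqrt(P0)/d, the default honest modification probability of 0, and all sensor positions, thresholds and symbol histories are assumptions or constructed values.

```python
import math

def quantize(s, thresholds):
    """L-level quantizer: index l of the interval [lambda_l, lambda_{l+1}) holding s."""
    return sum(1 for lam in thresholds if s >= lam)

def predicted_symbol(est_xy, sensor_xy, thresholds, p0=1000.0):
    """Symbol a noise-free honest node would report if the target were at the
    preliminary estimate. Assumption: amplitude a = sqrt(P0) / d with d0 = 1."""
    d = max(math.dist(est_xy, sensor_xy), 1.0)  # clamp at the reference distance
    return quantize(math.sqrt(p0) / d, thresholds)

def modification_rate(received, predicted):
    """Assumed estimator for gamma_{i,t}: share of rounds 1..t in which the
    received symbol differs from the symbol predicted from the state estimate."""
    if not received:
        return 0.0  # no history yet, so no evidence of tampering
    return sum(v != vh for v, vh in zip(received, predicted)) / len(received)

def lambda_stat(gamma, honest_rate=0.0):
    """Lambda_{i,t}: deviation of gamma from the honest modification probability
    divided by its deviation from 1 (behaviour under the optimal attack)."""
    num, den = abs(gamma - honest_rate), abs(gamma - 1.0)
    return math.inf if den == 0.0 else num / den  # gamma == 1: every round altered

def identify_and_prune(received, predicted, honest_rate=0.0):
    """Step 7: flags[node] is True when Lambda > 1 (judged Byzantine); kept holds
    only the observations of the remaining nodes for the final particle update."""
    flags = {n: lambda_stat(modification_rate(v, predicted[n]), honest_rate) > 1.0
             for n, v in received.items()}
    kept = {n: v for n, v in received.items() if not flags[n]}
    return flags, kept

# ---- constructed sample: 4 sensors, 6 tracking rounds, L = 4 ----
THRESHOLDS = [0.1, 0.2, 0.4]
SENSORS = {0: (100.0, 100.0), 1: (300.0, 100.0),
           2: (100.0, 300.0), 3: (300.0, 300.0)}
ESTIMATES = [(50.0 + 20.0 * k, 60.0 + 20.0 * k) for k in range(6)]

def build_sample():
    """Return (received, predicted) symbol histories per node (constructed)."""
    L = len(THRESHOLDS) + 1
    predicted = {n: [predicted_symbol(e, xy, THRESHOLDS) for e in ESTIMATES]
                 for n, xy in SENSORS.items()}
    received = {n: list(p) for n, p in predicted.items()}
    received[1][2] = (received[1][2] + 1) % L            # honest node, one noisy round
    received[2] = [(v + 1) % L for v in predicted[2]]    # altered in every round
    for k in (0, 1, 3, 5):                               # altered in 4 of 6 rounds
        received[3][k] = (received[3][k] + 2) % L
    return received, predicted

if __name__ == "__main__":
    rx, pred = build_sample()
    flags, kept = identify_and_prune(rx, pred)
    for n in sorted(rx):
        g = modification_rate(rx[n], pred[n])
        print(f"node {n}: gamma={g:.2f} Lambda={lambda_stat(g):.2f} byzantine={flags[n]}")
    print("observations kept for the final update:", sorted(kept))
```

A node whose symbols disagree with the prediction in exactly half of the rounds gives $\Lambda = 1$ and is still treated as honest, so a nonzero `honest_rate` is the knob to tune when measurement noise makes honest mismatches common.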

Numerical Results
In this subsection, the performance of the modified SIR algorithm is evaluated. The mobile target is assumed to move freely in a 600 × 600 square area. The real initial target state is $\theta_0 = [5, 5, 6, 6]^T$. The state dynamics are modeled using the matrices $F$ and $Q_1$, defined in Equation (44). There are $N = 100$ evenly distributed sensors in the monitoring area and the total number of Byzantine nodes is $M = 40$. The total observation time is $T_s = 80$. All nodes adopt the same quantization scheme as in Section 3.4. The Byzantine attack parameters follow Equation (31). For the filter, the initial state particles are generated from $p(\theta_0)$, which is assumed to be Gaussian, and its expectation and variance are $E(\theta_0)$ and $Var(\theta_0)$, respectively. The default parameter settings are listed in Table 3.
Figure 5 shows the estimation results in a particular realization. From Figure 5a, it can be observed that by employing the Byzantine identification scheme, the estimated tracks can be close to the true trajectory of the moving target. Figure 5b shows the improvement of tracking performance in the sense of localization errors when $L$ increases. In our paper, the localization errors are defined as the distances between the estimated coordinates and the true locations of the moving target. It can be observed that the median of localization errors when $L = 2$ is 3 times larger than that of localization errors when $L = 8$. Figure 6 shows the detection rate and false detection rate in this realization. It can be seen that the modified SIR filter can identify all the Byzantine nodes within a certain period of time. More precisely, when $L = 2$, all the Byzantine nodes are detected during the first 30 rounds of tracking. When $L = 8$, the time required to identify all malicious nodes is shorter (i.e., $t = 5$). Combined with the former results in Figure 5, it can be concluded that when $L$ increases, both the tracking results and the security performance of the system are improved.

Conclusions
In summary, the problem of target tracking with quantized sensor observations is considered in the presence of Byzantine attacks. From the perspective of attackers, we have analyzed the most destructive effect of Byzantine attacks on the system performance in the sense of PCRLB. The results showed that the fusion center becomes 'blind' to the information from all sensors when the Byzantine attack parameters follow Equation (20). In such a case, the total observations received by the fusion center do not contain any information about the target parameters, which generates the maximum degradation to the PCRLB. When the Byzantine attack parameters follow Equation (39), only the attacked observations do not contain any information about the target parameters, which generates the maximum degradation to the PCRLB when all the Byzantine nodes are correctly identified by the fusion center. We have also proposed a modified SIR filter to minimize the negative impact of attackers on the system. Results show that increasing the quantization level can effectively improve the estimation performance and security performance of the system.
Author Contributions: Conceptualization, Q.W. and Q.Z.; Investigation, Y.Y. and Q.Z.; Methodology, P.X. and Q.Z.; Writing-original draft, Y.Y. and Q.Z.; Writing-review & editing, P.X. and Q.W.
Funding: This research received no external funding.