$H_\infty$ Control for ICPS with Hybrid-Triggered Mechanism Encountering Stealthy DoS Jamming Attacks

Abstract: In recent years, with the upgrading of attack technology, stealthy DoS jamming attacks have become the primary factor threatening the security of Industrial Cyber-Physical Systems (ICPS). Considering the complex industrial scenarios of ICPS, which are influenced by a variety of external and internal interference, this paper studies a $H_\infty$ controller design problem for an ICPS that deploys a hybrid-triggered mechanism (HTM) in a wireless channel encountering stealthy DoS jamming attacks. By employing a compensation mechanism in the controller to mitigate the impacts of attacks, external disturbance, limited channel capacity, and wireless channel noise, we establish a closed-loop system and prove theoretically that the closed-loop system is mean-square exponentially stable and can achieve the desired $H_\infty$ disturbance rejection level. Finally, simulation examples are used to demonstrate the effectiveness of the proposed $H_\infty$ controller.


Introduction
Recently, the traditional "air-gap" Industrial Control System (ICS) has been deeply integrated with advanced information technology (IT) and communication technology (CT) under the trend of Industry 4.0 [1], and the Industrial Cyber-Physical System (ICPS) [2][3][4][5] was then proposed and can be employed in many crucial infrastructures, such as smart grids [6], transportation systems [7], smart buildings [8], etc. However, almost all ICPSs face serious security issues because engineers gave little consideration to effective security-guaranteeing mechanisms when designing and deploying an ICS [9]. In the past decade, many ICPS security events occurred in nuclear facilities, the petroleum industry, and subway systems, which resulted in huge economic loss and great social instability [10][11][12]. After analyzing the intrusion processes of these malicious security events, researchers found that the attackers not only have comprehensive information about the system, but also have the ability to bypass intrusion detection systems and launch stealthy attacks [13,14]. Obviously, the ICPSs are at a distinct disadvantage from the defender's point of view.
As a research hotspot, security issues in different control scenarios have recently been studied [15], and malicious attacks have been categorized into Denial-of-Service (DoS) jamming attacks, false data injection attacks, replay attacks, wormhole attacks, etc. [16][17][18][19][20]. Due to the integration of more shared and general CTs in ICPSs, DoS jamming attacks, which aim to interfere with communication quality, can be considered the most reachable attacks [21][22][23][24]. Foroush et al. [25] established a periodic attack strategy for a DoS jammer in which partial information has been detected, and then studied a resilience controller design problem for a remote wireless control scenario. However, the assumption of partial information of the jammer has been detected, which is conservative from the view of $H_\infty$ controller design problem for an ICPS with HTM to solve the stable operation of the ICPS encountering stealthy DoS jamming attacks.
• Unlike the existing studies that consider the energy limitation of the attacker, we focus on attack purpose and stealthiness, and consider that the attacker keeps sensing the wireless channel traffic and cleverly uses a reactive attack strategy to achieve its purpose and ensure its stealthiness.
• We consider stealthy DoS jamming attacks, external disturbance, limited channel capacity, and wireless channel noise together, and use the SER of the wireless channel in a unified framework to describe the channel's communication quality.
Notation: $\mathbb{R}^n$ stands for the $n$-dimensional Euclidean space. The symbol $\|\cdot\|$ stands for the Euclidean norm. $\mathbb{Z}^+$ stands for the set of positive integers. For a matrix $A$, $\lambda_{\max}(A)$ ($\lambda_{\min}(A)$) stands for the largest (smallest) eigenvalue of $A$, $A^T$ stands for the transpose of $A$, and $A > 0$ ($A < 0$) stands for a positive (negative) definite matrix. Let $I$ and $0$ be the identity matrix and zero matrix with appropriate dimensions, respectively. $\Pr[\cdot]$ stands for the probability of a stochastic event. $E\{\cdot\}$ denotes the expectation of a stochastic variable. The symbol $*$ within a matrix represents the symmetric entries.

Problem Formulation
In this section, the problem of $H_\infty$ control for an ICPS with HTM encountering stealthy DoS jamming attacks is formulated.

Basic Structure
The basic structure of an ICPS with HTM encountering stealthy jamming attacks is shown in Figure 1; it consists of a physical system, a time-triggered sensor, a controller, and an actuator. Specifically, states of the physical system are captured by the sensor and transmitted to the controller through a memoryless wireless channel with a HTM. Meanwhile, based on Ref. [33], a stealthy DoS jammer keeps sensing the traffic of the wireless channel and uses the reactive attack strategy to increase the probability of packet dropouts, and we assume that the ICPS does not have any intrusion detection systems and does not know any information about the DoS jammer's attack strategy.

Consider that the physical system has the following form where $x(k) \in \mathbb{R}^n$, $y(k) \in \mathbb{R}^m$, $z(k) \in \mathbb{R}^q$, and $\omega(k) \in \mathbb{R}^q$ stand for the system state, measured output, controlled output, and external disturbance input belonging to $l_2[0, \infty)$, respectively. $A$, $B$, $C_1$, $C_2$, $D_1$, and $D_2$ are known real matrices with appropriate dimensions.

Considering that the wireless channel has independent Additive White Gaussian Noise (AWGN), the communication quality of the wireless channel can be modeled as [43,44] where $p_s$, $\xi > 0$ and $\sigma^2$ stand for transmission power, network parameter and AWGN power, respectively. Meanwhile, q = 1/ √ 2π

Hybrid-Triggered Mechanism
A HTM is deployed in the wireless channel to alleviate the limitation of network resources. Specifically,

Time-triggered mechanism (TTM): Consider that the measured output via only the TTM, which is received by the controller, can be described as

Event-triggered mechanism (ETM): An ETM is deployed to improve the network bandwidth utilization, and consider the event-triggered condition as where $\Phi > 0$ and $\Psi > 0$ stand for event-triggered matrices to be designed, $\{k_s\}_{s \ge 0} \subseteq \mathbb{Z}^+$ with $k_0 = 0$, and $\{k_s\}_{s \ge 1}$ stands for the sequence of packet transmission instants. We define then (4) can be rewritten as Then, the measured output via only the ETM, which is received by the controller, can be described as $\tilde{y}(k) = e_y(k) + y(k)$.

Therefore, we can define a Bernoulli-distributed stochastic variable $\theta(k)$ to stand for the probability of the triggered mechanism being selected, and by combining (3) with (7), the measured output via the HTM, which is received by the controller, can be described as where The sojourn probability $\bar{\theta}$ can be obtained by the following statistical method where $k_i$ is the number of times $\theta(k) = 1$ in the interval $[1, n]$, and we assume that $\bar{\theta}$ in the wireless channel is known.

Stealthy DoS Jamming Attacks
A stealthy DoS jammer that uses the reactive attack strategy keeps sensing the traffic of the wireless channel and changes attack modes autonomously according to whether a packet is being transmitted in the wireless channel [33]. Letting $\alpha(k) \in \{0, 1\}$ denote the different periods, the $n$th working subcycle of the DoS jammer, which consists of the start time $T(n)$, the duration of the attack period $t_a(n)$, and the duration of the silent period $t_s(n)$, can be described as where $\alpha(k) = 1$ and $\alpha(k) = 0$ stand for the attack period and the silent period, respectively.

Combining (2), the inherent packet dropouts caused by the limited capacity of the wireless channel and channel noise are considered in the silent periods, and in the attack periods, the DoS jammer uses attack power $p_a$ on the wireless channel to increase the probability of packet dropouts. Then, we have Combining with (10) and (11), SER for the wireless channel can be described in a unified framework as

Closed-Loop System
Let $\bar{y}(k)$ stand for the measurement received by the controller, and let the mutually independent Bernoulli stochastic variable $\beta(\alpha(k), k)$ indicate whether or not a packet is successfully received by the controller; we have Then, combining with (11), (12), and (13), we have where $\bar{\beta} \in [0, 1)$ is a known constant.

Due to the deployment of the HTM, it is difficult for the controller to know whether a packet is dropped or just not transmitted. Additionally, the ICPS does not know the attack strategy of the DoS jammer due to its lack of intrusion detection systems. Thus, a compensation mechanism which employs the latest transmitted quantized measurement is established in the controller to decrease the impact of packet dropouts. Specifically, if the packet is received by the controller, we use $\bar{y}(k) = \tilde{y}(k)$. Otherwise, the previous packet $y(k - 1)$ will be used. Therefore, combining with (13), we have

To achieve the control objective, we consider an observer-based controller as Observer: where $\hat{y}_k$ is the observer output, $L$ is the observer gain matrix, and $K$ is the controller gain matrix. We denote the estimation error as Then, a closed-loop system for the ICPS with HTM encountering stealthy DoS jamming attacks can be described as

Assumption 1. The matrix $B$ is of full column rank.
As the closed-loop system (19) is a stochastic parameter system, the following Definition is needed.
By Definition 1, the objective of this paper is to design a controller that guarantees the closed-loop system (19) satisfies the following requirements simultaneously.
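The measurement path described in this section (HTM selection by $\theta(k)$, a period-dependent dropout variable $\beta(\alpha(k), k)$, and hold-last-value compensation in the controller), as an added simulation sketch that is not code from the paper. It assumes a scalar measurement, a scalar relative-threshold trigger rule in place of condition (4), and constructed jammer subcycles; the two dropout probabilities are the ones quoted in the Numerical Simulation section, and all function names are hypothetical.

```python
import random

LOSS_SILENT = 0.0850  # inherent dropout probability from the Numerical Simulation section
LOSS_ATTACK = 0.5034  # dropout probability under jamming from the same section

def jammer_mode(k, cycles):
    """alpha(k): 1 in an attack period, 0 in a silent period.
    cycles: (T, t_a, t_s) subcycles; the values used with it are constructed."""
    return int(any(T <= k < T + t_a for T, t_a, _ in cycles))

def simulate(y, theta_bar, cycles, phi=1.0, psi=0.01, seed=0,
             loss_silent=LOSS_SILENT, loss_attack=LOSS_ATTACK):
    """Return (ybar sequence, {alpha: [steps, dropouts]}) for scalar y(k)."""
    rng = random.Random(seed)
    y_ks = y[0]   # y(k_s): sample sent at the last event-triggered instant
    y_bar = 0.0   # measurement held by the controller before any packet arrives
    received, stats = [], {0: [0, 0], 1: [0, 0]}
    for k, yk in enumerate(y):
        if rng.random() < theta_bar:      # theta(k) = 1: time-triggered, send y(k)
            y_tilde = yk
        else:                             # theta(k) = 0: event-triggered
            e = y_ks - yk                 # e_y(k), so y_tilde = e_y(k) + y(k)
            if phi * e * e > psi * yk * yk:   # ASSUMED scalar trigger rule
                y_ks = yk
            y_tilde = y_ks
        alpha = jammer_mode(k, cycles)
        loss = loss_attack if alpha else loss_silent
        beta = 0 if rng.random() < loss else 1   # beta(alpha(k), k)
        if beta:
            y_bar = y_tilde               # packet received
        received.append(y_bar)            # otherwise the previous value is held
        stats[alpha][0] += 1
        stats[alpha][1] += 1 - beta
    return received, stats

def dropout_rate(stats, alpha):
    steps, dropped = stats[alpha]
    return dropped / steps if steps else 0.0

if __name__ == "__main__":
    y = [0.99 ** k for k in range(2000)]            # constructed decaying output
    cycles = [(0, 500, 500), (1000, 500, 500)]      # constructed jammer subcycles
    _, stats = simulate(y, theta_bar=0.5, cycles=cycles)
    print("silent:", dropout_rate(stats, 0), "attack:", dropout_rate(stats, 1))
```

Comparing the per-period dropout rates in `stats` shows what the controller cannot see directly: the held value $\bar{y}(k)$ looks the same whether a packet was jammed, lost to channel noise, or never sent by the ETM.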

Main Results
In this section, the proof of the $H_\infty$ control is discussed. First, the required Lemmas are listed.

Lemma 3 ([38]). For the matrix $B$ of full column rank, if there exist positive definite matrices $P_1 \in \mathbb{R}^{m \times m}$, $P_2 \in \mathbb{R}^{(n-m) \times (n-m)}$, and matrix $P$ satisfies then there exists a nonsingular matrix $\bar{P}$, such that $PB = B\bar{P}$.

Stability Analysis
Theorem 1. Consider the ICPS with HTM encountering stealthy DoS jamming attacks. Given the controller gain matrix $K$ and the observer gain matrix $L$, the closed-loop system (19) is exponentially mean-square stable if there exist positive definite matrices $P$ and $S$ satisfying (24). where

Proof. We define a Lyapunov function as $V(\eta(k)) = x(k)^T P x(k) + e(k)^T S e(k)$.

H ∞ Controller Design
Theorem 2. Consider the ICPS with HTM encountering stealthy DoS jamming attacks. The closed-loop system (19) is exponentially mean-square stable and the $H_\infty$ norm constraint (21) is achieved for all nonzero $\omega(k)$, if there exist positive definite matrices $P$ and $S$, the controller gain matrix $K$ and the observer gain matrix $L$ satisfying (30). where

Proof. Let $\bar{\eta}(k) = [\eta(k)^T \ \omega(k)^T]^T$, and combine with (26). For any nonzero $\omega(k)$, we have (30) implies that $\Lambda < 0$, we have For $k = 0 \to \infty$, by summing up (31) we can obtain Due to $\eta(0) = 0$ and Theorem 1, we have which means the $H_\infty$ norm constraint (21) is achieved. This completes the proof.

Theorem 3. Consider the ICPS with HTM encountering stealthy DoS jamming attacks. The closed-loop system (19) is exponentially mean-square stable and the $H_\infty$ norm constraint (21) is achieved for all nonzero $\omega(k)$, if there exist positive definite matrices $P_1$, $P_2$ and $S$, and real matrices $X$ and $Y$ satisfying (34) and (35). Furthermore, the controller gain matrix $K$ and the observer gain matrix $L$ can be given by (36).
where $\Omega_1 = -P$,

Proof. Because (30) is not an LMI, we need to pre- and post-multiply both sides of (30) with the matrix $\mathrm{diag}\{I, I, I, I, P, S, S, \Psi, S, I\}$ and obtain Let $X = \bar{P}K$, $Y = SL$, and combining with (35), we have (34), which means the closed-loop system (19) is exponentially mean-square stable and the $H_\infty$ norm constraint (21) is satisfied. However, it should be noted that (34) has a matrix equation constraint.

Numerical Simulation
In this section, numerical simulations are used to demonstrate the effectiveness of the proposed $H_\infty$ control method. Consider the transmission power $p_s = 1.5$, the AWGN power $\sigma^2 = 1.0$, and the network parameter $\xi = 3$. Then, the probability of inherent random packet dropouts caused by external disturbance, limited channel capacity, and channel noise can be calculated as 0.0850. By choosing the attack power of the DoS jammer $p_a = 1.7500$, the probability of packet dropouts caused by attacks increases to 0.5034.
(1) Consider an uninterruptible power system (UPS) with 1KVA. Its discrete-time model (1) can be described with 10 ms at half-load operating point in the following [

Figure 2 shows the norm of states for the UPS encountering stealthy DoS jamming attacks, which indicates that the proposed $H_\infty$ control method can achieve the control objective successfully and effectively. Figure 3 shows the switch times of the HTM. Figure 4 shows the times of the DoS jamming attacks on the wireless channel.

Figure 5 shows the norm of states for the tunnel diode circuit encountering stealthy DoS jamming attacks, which indicates that the proposed $H_\infty$ control method can achieve the control objective successfully and effectively. Figure 6 shows the switch times of the HTM. Figure 7 shows the times of the DoS jamming attacks on the wireless channel.

Conclusions
In this paper, considering the external disturbance, limited channel capacity, and channel noise, a $H_\infty$ controller design problem was studied for an ICPS with HTM encountering stealthy DoS jamming attacks. A closed-loop system was established based on a compensation mechanism, which compensates for the impacts of stealthy DoS jamming attacks and inherent random packet dropouts. We proved that the closed-loop system is mean-square exponentially stable and can achieve the desired $H_\infty$ disturbance rejection level, and simulation results showed the effectiveness of the $H_\infty$ control method. In the future, we will study the controller design problem for industrial scenarios that deploy intrusion detection systems and industrial protocol enhancement methods, and the relationship between system security and operating efficiency will be further discussed.