An Event-Triggered Fault Detection Approach in Cyber-Physical Systems with Sensor Nonlinearities and Deception Attacks

In this paper, a general event-triggered framework is constructed to investigate the problem of remote fault detection for stochastic cyber-physical systems subject to the additive disturbances, sensor nonlinearities and deception attacks. Both fault-detection residual generation and evaluation module are fully described. Two energy norm indices are presented so that the fault-detection residual has the best sensitivity to faults and the best robustness to unwanted factors including additive disturbances and false information injected by attacker. Moreover, the filter gain and residual weighting matrix are formulated in terms of stochastic Lyapunov function, which can be conveniently solved via standard numerical software. Finally, an application example is presented to verify the performance of fault detection by comparative simulations. The prolonged battery life is experimentally evaluated and analyzed via a wireless node platform.


Introduction
Cyber-Physical Systems (CPSs) refer to the integration of sensing, control, communication, computation and physical processes [1]. These tightly integrated systems extend existing networked systems (such as networked control systems (NCSs) [2] and wireless sensor networks (WSNs) [3]) in both size and complexity. Applications of CPSs are promising in areas including smart grid [4], autonomous automobile systems [5], medical monitoring and process control systems [6]. Their reliability and stability, however, are very susceptible to operational and environmental conditions [7]. This is why a health management unit for CPSs should be established for health monitoring and diagnosis. The reliability problems are not new in the NCSs field, in particular in the areas of model-based fault diagnosis approach [8][9][10]. In the model-based fault-detection approach, state observers or filters are usually used to generate residual signals, which are smaller than pre-designated thresholds when no faults exist [11].
In WSNs, information transmission from sensor to a remote estimator/actuator consumes energy that is often a significant fraction of the system's overall energy balance. Similar to the WSNs, communication resources for CPSs are also limited. Recently, an event-triggered transmission scheme has received a lot of attention to overcome the limitations of traditional design methodologies for resource-constrained problems [12][13][14][15]. Summarizing the existing works, we can easily find that data are transmitted or processed only when certain events indicate that an update is required. Hence, resources can be used only when require and saved otherwise. Another issue which should be considered is related to deception attacks in data transmission. This kind of attack may be imposed because of the pervasive utilization of

Main Contribution
However, most existing results only take the secure estimation/control problem into account, and secure fault-detection filter design for CPSs still remains open and challenging. Especially, the main motivation of this paper is how to defend the effects of the deception attacks, sensor nonlinearities and additive disturbances under the event-triggered decision rule. Moreover, while most of the previous results are proposed for deterministic systems, providing an effective method for stochastic systems also motivates the present study. The main contribution of this paper includes three aspects: (1) A new event-triggered fault-detection filter for CPSs is proposed against the phenomena of sensor nonlinearities, deception attacks and additive disturbances, where the sensor nonlinearities is assumed to occur randomly according to a random variable satisfying the Bernoulli distribution. (2) A fault-detection filter problem is formulated by maximizing the sensitivity of faults and minimizing the influences of additive disturbances and false information injected by attackers. The filter gain and residual weighting matrix are derived by stochastic Lyapunov function, which can be easily solved via standard numerical software. (3) At the end of this paper, an application example to event-triggered fault detection of one-dimensional target tracking is presented. The estimation accuracy and fault-detection capacity are demonstrated by comparative simulations. The prolonged battery life is experimentally evaluated and analyzed via a wireless node platform.
Nomenclature: The terms filter and state estimator are used synonymously in this paper. N and R denote the sets of natural and real numbers, respectively. R m×n denotes the sets of m by n real-valued matrices, whereas R n is short for R n×1 . R n×n + and R n×n ++ are the sets of n × n positive semi-definite and positive definite matrices, respectively. When X ∈ R n×n + , it is simply denoted as X ≥ 0 or X > 0 if X ∈ R n×n ++ . For X ∈ R m×n , X T denotes the transpose of X. A diagonal matrix is denoted by diag [·]. In symmetric block matrices, " * " is used as an ellipsis for terms induced by symmetry.
I denotes a identity matrix with appropriate dimensions. λ min (X) and λ max (X) are minimum and maximum eigenvalues of matrix X, respectively. Furthermore, a diagonal matrix is denoted by diag {·}, and 2 [0, ∞) is the space of square integrable vectors. E[·] and Prob {x} denote the mathematical expectation and the occurrence probability of the event x, respectively.

Problem Statement
Consider the following discrete-time stochastic CPS defined on a probability space (Ω, F, P) where the (unavailable) system state vectors , the unknown disturbances and fault signals represent x k ∈ R n , d k ∈ R q and f k ∈ R r , respectively. A scalar Wiener process w k is defined on a complete space where Ω is the sample space, F is the σ-algebra of subsets of the sample space, and P is the probability measure on F. Fault and disturbance signals are assumed to be 2 signals ( f , w ∈ s 2 ). The measurement model with randomly occurring sensor nonlinearities is described by In the above sensor model,ȳ k are ideal measurement values, andȳ k ∈ R s are measurement values subject to randomly occurring sensor nonlinearities, which are satisfied with the following condition: In Equation (3), S 2 > S 1 > 0 and η ∈ R s are two diagonal matrices and a scalar, respectively. The random constant variable is a Bernoulli-distributed white sequence which can be described as follows for a given positive scalar β ∈ [0, 1]. Furthermore, the matrices A 1 , A 2 , A d , D 1 , F 1 ,C, D 2 and F 2 are known constant matrices with appropriate dimensions. The random variable β k is uncorrelated with noise process w k .

Remark 1.
Many actual applications inevitably result in the sensor saturations which have the nonlinear characteristic of sensors. This characteristic can severely restrict system performance or, even worse, lead to undesirable oscillatory behaviors [37]. Recently, the design of reliable controller and estimator against sensor saturations for various systems has received increasing attention [37][38][39]. Note that all the above works are based on a common assumption that the sensor saturation occurs persistently. However, the sensor saturation itself may be subject to randomly fluctuated condition changes because it can be considered in a network environment. Hence, this assumption has been removed in this paper. In addition, since the randomly occurring sensor saturation is taken into account in event-triggered fault-detection filter design, the result obtained is less conservative.
As discussed in Section 1, the information sent by attackers during the network transmission is modeled as follows y a,k = −Mȳ k + Mε k where the information y a,k is used by the adversary for the deception attacks, and the non-zero ε k ∈ 2 , is an unknown but energy-bounded information. The matrix M represents the physical constraints of attack information, and is assumed to be of the following form where the unknown but bounded matrix M has an upper boundM > 0 and a lower bound M > 0.

Remark 2.
It should be mentioned that, from the adversary's perspective, the unknown but bounded matrix M is regarded as physical constraints in the model of deception attacks (Equation (5)) which was introduced in [40]. Such physical constraints are unavoidable such as launching devices powered by limited capacity, networks with limited bandwidth, and defender's system equipped with protection software [41]. Hence, the established attack model in Equation (5) under consideration is quite comprehensive that is closer to the practical engineering case. On the other hand, the sensitivity problem of fault-detection becomes more complicated because the false information ε k sent by attacker is assumed to be energy-bounded, which has a similar form as additive disturbances and system faults.
For technical convenience, the actual measurement can be decomposed into a linear and a nonlinear part as y k =ȳ k + My a,k + φ (y a,k ) where and a positive definite matrixM ∆ =M − M. The introduction of the stochastic variables w k and β k render the fault-detection filter to be stochastic instead of a deterministic one. Thus, before proceeding further, it is necessary to introduce the notion of stability in the mean-square sense.

Definition 1.
A discrete stochastic process ξ k is said to be mean-square stable, if there exist constantsρ 1 ≥ 0, ρ 2 > 0 and 0 ≤ρ 3 < 1 such that where I + is the set of positive integer.
Traditionally, the system stability is studied by using the Lyapunov's methodology. The following lemma presents sufficient conditions for the mean-square stability of a stochastic system in terms of a stochastic Lyapunov functional.

Event-Triggered Fault-Detection Filter Analysis and Design
Generally speaking, fault detection mainly contains a residual generator and a residual evaluator as in [11]. The event-triggered fault-detection filter is presented and its mean-square stability is proved.

Residual Generator
For the purpose of residual generation, the following fault-detection filter is constructed: wherex k is the estimated system state, L is a filter gain with appropriate dimensions to be determined,ŷ k denotes output estimation information and C = (I − M)C. To save computation and communication resources, an event-triggered sensor data transmission scheme is introduced to determine whether the measurement information should be transmitted. The variables i k and y i k denote the last released instant and the released measurement information, respectively, with k ∈ [i k , i k+1 ), and i k+1 is the next released instant of the event generator. The error state e k , the output estimation error e y,k and the residual signal r k are defined as the following form where V is a residual weighting matrix to be designed. Subtracting estimator Equation (13) from system Equation (1) results in the following estimation error dynamics The purpose of this section is that the designed fault-detection filter (Equation (13)) should be robust against randomly occurring sensor nonlinearities and deception attacks. More specifically, we are interested in looking for the filter gain L and the residual weighting matrix V such that the following requirements are met simultaneously: (1) The dynamic error system in Equation (15) is mean-square stable whend k = 0 or f k = 0.
(2) Under the zero initial condition, the fault-detection filter satisfies for all admissible d k , ε k and f k .

Remark 4.
Requirement (1) ensures mean-square stability of estimation error e k . Requirement (2) on the high sensitivity to the faults and simultaneously the strong robustness to the additive disturbances d k and false information ε k sent by attacker is, in fact, a multiple-objective optimization problem that can be formulated as finding a fault-detection filter (Equation (13)) to minimize γ 1 and maximize γ 2 .
In the following, robustness against additive disturbances d k and malicious data ε k is studied. To achieve this objective, a fault-detection filter with the fault-free case ( where γ 1 measures the disturbances robustness in the fault-free case. Theorem 1. Consider the system in Equation (1) in the fault-free case ( f k = 0) with the sensor measurements in Equation (7) subject to randomly occurring sensor nonlinearities and deception attacks. For given γ 1 > 0, if there exists positive definite symmetric matrices P j (j = 1 and 2), two real scalars λ 1 and λ 2 as well as matrix R with appropriate dimensions such that the following LMI is satisfied

then the estimation error
in Equation (15) is mean-square stable whend k = 0 under the event condition In addition, the residual r k satisfies E r k The filter gain can be computed by L = P −1 1 R.
Proof. The proof is given in Appendix A.

Remark 5.
If Ξ k = 0, then it is easily checked that y i k = y k . This means that the presented event-triggered fault-detection filter will reduce to a traditional time-driven H ∞ filter [42]. Therefore, according to Theorem 1, the following corollary can extend to the case of time-driven fault-detection filter.

Corollary 1.
Assume that Ξ k = 0. Consider that Theorem 1 holds. For given γ 1 > 0, if there exists positive definite symmetric matrices P j (j = 1 and 2) and matrix R with appropriate dimensions such that the condition in Equation (18) is satisfied, then the filter in Equation (13) is reduced to time-driven H ∞ filter and the estimation error in Equation (15) is mean-square stable whend k = 0. In addition, the residual r k satisfies The filter gain can be computed by L = P −1 1 R.
Proof. The derivation of Corollary 1 is similar to that of Theorem 1; it is therefore omitted.
In the following, the sensitivity problem of the residual r k to fault f k is considered. To achieve this goal, a fault-detection filter with the disturbance-free case d k = 0 will be designed such that where γ 2 measures the fault sensitivity in the disturbance-free case.
Theorem 2. Consider stochastic system described by Equation (1) in the presence of disturbance-free case (d k = 0) and the measurements in Equation (2) suffering from randomly occurring sensor nonlinearities and deception attacks. For a given positive scalar γ 2 , if there exist positive definite symmetric matrices P j (j = 5 and 6), two real scalars λ 1 and λ 2 as well as matrixR with appropriate dimensions, such that the following LMI is satisfied , then the estimation error in Equation (15) is exponentially mean-square stable when f k = 0, and guarantees that E r k 2 > Moreover, the event condition in Equation (23) is satisfied and the filter gain can be computed by Proof. The proof is presented in Appendix B.
Similar to Corollary 1, The results proposed in Theorem 2 are extended to the case of time-driven fault-detection filter, as claimed by the following corollary.

Corollary 2.
Assume that Ξ k = 0. Consider that Theorem 2 holds. For given γ 2 > 0, if there exists positive definite symmetric matrices P j (j = 5 and 6) and matrixR with appropriate dimensions such that the condition in Equation (24) is satisfied, then the filter in Equation (13) is reduced to time-driven H − filter and the estimation error in Equation (15) is mean-square stable when f k = 0. In addition, the residual r k satisfies The filter gain can be computed by L = P −1 5R .
Proof. The derivation of Corollary 2 is similar to that of Theorem 2; it is therefore omitted.

Remark 6.
Theorem 1 provides the worst-case criterion for the effects of additive disturbances and false information sent by attacker on the residual. Satisfaction of the performance index in Equation (16) ensures that the filter gain fromd k to e k is less than γ 2 1 . On the other hand, Theorem 2 obtains the sensitivity of the residual to system faults. Satisfaction of the performance index in Equation (17) ensures that the filter gain from f k to e k is more than γ 2 2 . Both give a directly quantitative indicator for robustness and sensitivity of event-triggered fault-detection filter.
Inspired by [42], the following algorithm 1 is utilized to compute the filter parameters so as to achieve the optimal trade-off between robustness againstd k and sensitivity to f k .

Algorithm 1 Computation of event-triggered fault-detection filter parameters
Step 1: Calculate the minimum of γ 1 and the maximum of γ 2 using Equations (18) and (24) in Theorem 1 and Theorem 2, respectively.
Step 3: If the obtained γ 1 and γ 2 can make Equations (18) and (24) feasible simultaneously, then the optimal filter gain L and the residual weighting matrix V can be determined. Otherwise, go to Step 3.
Step 6: Construct the residual generator r k in Equation (14), and the filter in Equation (13). End

Residual Evaluator
As mentioned in Section 3.1, the responsibility of the residual evaluation is to produce appropriate fault alarms. The prescribed evaluation function is compared with the predefined threshold J th . If the value of the evaluation function exceeds J th , an alarm of fault is triggered. We choose as the residual evaluation function, where t 0 denotes the initial evaluation time instant and T stands for the evaluation time. It should be noted that the evaluation time T is limited because the evaluation of residual signal over the whole time horizon is impractical. Let J th For a given threshold J th , the generation of the alarms can be outlined in Algorithm 2.

Algorithm 2 Fault-alarming strategy
Step 1: Design an event-triggered fault-detection filter of the form in Equation (13) based on the design procedure of Algorithm 1.
Step 3: Determine the residual evaluation function r T and the threshold J th .
Step 4: If r T is above the threshold J th , then a fault is detected and the corresponding fault alarm can be turned on. Otherwise, the system is healthy. End Remark 7. In [22], an event-triggered reduced-order fault-detection filter is derived where a copy of remote fault-detection filter is employed at the sensor side to avoid the delay issue of fault-alarming. Comparatively, the fault-alarming strategy described in Algorithm 2 of this paper is less additional computing burden than that in [22] because the local fault-detection filter is not required in this paper. Furthermore, the proposed strategy also could be an excellent fault-alarm, which is verified via an experimental example in the next section.

Target Tracking Description and Modeling
In this subsection, a one-dimensional target tracking [43] is simulated to demonstrate the effectiveness of the proposed event-triggered fault-detection approach. The dynamic model of the considered one-dimensional target tracking is described by where τ and d k are the sampling period and the unknown acceleration, respectively. Target state x k = p T k ,ṗ T k T and y k is the sensor information at time k. The variables p k andṗ k denote the target position and velocity, respectively. In this example, the sampling period τ = 0.1. Sensor nonlinearity is assumed that s (η) = 1.

Assessment of Effectiveness of the Designed Fault-Detection Filter
In this subsection, we test the efficiency of the proposed event-triggered fault-detection filter by the following experiments.

Experiment 1: Robustness on Event-Triggered Filter
To compare the estimation performance, the state estimation trajectories without fault f k are shown in Figure 1a,b which reveal comparison between our filter using event-triggered data-transmission (ED) and the proposed filter using periodical data-transmission (PD). The event-triggered transmission behaviors are also illustrated in Figure 1c. As shown in Figure 1, two lines are almost coincident as time increases. Obviously, the estimation accuracy is not affected by the event-triggered data transmission scheme. Further, to verify the estimation performance clearly, the effect on event-triggered filter is examined subject to the different probabilities of sensor nonlinearity. Table 1 shows the root mean-square estimation error (RMEE) of system state 1 corresponding to increased probabilities. One can see that the estimation performance degrades slightly as β increases.  As illustrated in Figure 1, predefined deception attacks cannot affect the filter estimation accuracy. However, different deception attacks may lead to the different estimation performance. In this experiment, the estimation performance is evaluated subject to different false information ε k sent by attackers. Constant false information, time-varying false information and unbounded false information are respectively created as ε k = 0.1, ε k = 0.1 sin (0.15k) and ε k = 0.1e 0.2k .
The root mean-square estimation error curves are shown in Figure 2 for the CPS subject to different deception attacks. One can see that the estimation error convergence is guaranteed under the constant false information and time-varying false information. However, as shown in Figure 2, it is a pity that the proposed filter is infeasible for the unbounded deception attacks.  Here, two fault scenarios are considered as follow: an incipient fault: a sudden-changing fault: Ford k = 0, the residual evaluation function responses for an incipient fault (Equation (32)) and a sudden-changing fault (Equation (33)) are demonstrated in Figures 3 and 4, respectively. The same responses with the above givend k are demonstrated in Figures 5 and 6. It can be noted that the proposed residual can not only detect the fault in time, but also identifies the system fault from the influence of disturbance d k and false information ε k .

Experiment 4: Energy Conservation Effect on a Wireless Node.
In the final experiment, an experimental node is applied to test its lifetime to verify whether the proposed event-triggered scheme is energy-saving. As shown in Figure 7, the node includes the following components: (i) a STM32F103 micro-controller (computation module) with ARM cortex-M3 CPU determines when to transmit data packets via our event-triggered scheme; (ii) an ESP8266 wireless transceiver (wireless communication module) transmits data packets from sensor to remote fault-detection filter; (iii) a 75 mAh lithium-polymer battery system (power management module) ensures a constant voltage output received from the Lithium-ion battery; and (iv) a digital voltmeter is regarded as a battery lifetime monitoring system. Please refer to the user manuals [44,45] for more information about this node. The relationship between time and voltage for periodical and event-triggered scheme is illustrated in Figure 8. It is not difficult to find that the final battery lifetime for periodical and event-triggered data-transmission are 30 min and 34 min, respectively. In other words, the battery life is extended by 11.7%, and thus the wireless node can be used for a longer time to become more energy-efficient.   Figure 8 that the voltage of the battery is 3.9 V completely charged. The voltage of the battery using the periodical data-transmission has dropped to 3 V after 28 min. This indicates that the presented wireless node cannot work normally since its working voltage must exceed 3 V [44,45].

Conclusions and Future Work
The problem of event-triggered fault detection for stochastic CPSs was investigated in this work. The addressed system was subject to randomly occurring sensor nonlinearities, additive disturbances and deception attacks. Using the stochastic stability analysis, the closed-loop estimation error dynamics were mean-square stable under the proposed event condition. On the other hand, two performance criteria were utilized for the design of fault-detection residual to achieve the robustness of unwanted factorsd k and the sensitivity of faults f k , respectively. Finally, an application example of one-dimensional target tracking was illustrated to obtain the benefits of the proposed event-triggered fault-detection approach by comparative simulations. The wireless node platform clearly verified conservative consumption of the battery energy. Even though the event-triggered transmission scheme is always used to improve the battery lifetime of sensor networks of CPSs, the threshold monitoring significantly affects the power consumption in practice [46]. Hence, the self-triggered scheme may be an interesting direction for prevent such monitoring [47,48] in CPSs.
Author Contributions: Y.L. conceived, designed, performed, and analyzed the experiments and wrote the paper under the guidance of L.P. and X. L.

Acknowledgments:
The authors wish to thank the anonymous referees and the Editor for providing many invaluable comments and suggestions that led to significant improvement of the paper. Without their help, the paper would not be in its present shape.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Proof of Theorem 1
Proof. The Lyapunov function is constructed as follows where P j (j = 1 and 2) are symmetric positive definite matrices. It follows from Equations (1) and (15) that (3) and (8) are satisfied, the above equation can be formulated that

and the conditions in Equations
Without considering the disturbanced k and using the inequality in Equation (18), one can obtain that where 0 < α 1 < min {λ min (−Λ) , α 2 } and α 2 = max {λ max (P 1 ) , λ max (P 2 )}. From Equation (A4), the following inequality can be deduced that which satisfies conditions of Lemma 1. Therefore, the dynamic error system in Equation (15) is mean-square stable ford k according to Definition 1. Now, we consider the influence of unknown disturbanced k and introduce the following criterion For any nonzerod k ∈ 2 [0, ∞) and zero initial condition, one has which further results in E r T k r k − γ 2 1 E d T kdk + ∆V k = β 2 e T k C T V T VCe k + β 2 1 s T (Cx k )M T V T VMs (Cx k ) + d T k D T

2M
T V T VMD 2 d k + ε T k M T V T V Mε k + φ T (y a,k ) V T Vφ (y a,k ) + β 2 s T (Cx k )M T V T VMs (Cx k ) + β 2 x T k C T V T VCx k + 2ββ 1 e T k C T V T VMs (Cx k ) + 2βe T k C T V T VMD 2 d k + 2βe T k C T V T V Mε k + 2βe T k C T V T Vφ (y a,k ) + 2β 1 s T (Cx k )M T V T VMD 2 d k + 2β 1 s T (Cx k )M T V T V Mε k + 2β 1 s T (Cx k )M T V T Vφ (y a,k ) + 2d T k D T

2M
T V T Vε k + 2d T k D T

2M
T V T Vφ (y a,k ) . By using the Schur lemma and the notation R = P 1 L, we deduce that the inequality in Equation (A8) is equivalent to Equation (15), i.e., η T d,k Λη d,k < 0. Consequently, the condition in Equation (15) guarantees J 1 < 0 for any k, which implies that E r k 2 < γ 2 1 E d k 2 .

Appendix B. Proof of Theorem 2
Proof. It is obvious that Equation (24) implies Equation (18), hence it follows from Theorem 1 that the estimator in Equation (13) in the presence of the disturbance-free case is exponentially mean-square stable. Next, for any nonzero f k and zero initial condition, a performance index function is introduced as where ∆V k = E [V k+1 |e k , . . . , e 0 , x k , . . . , x 0 ] − V k , and define the increment of V k along the trajectories of Equation (15) in the disturbance-free case. It turns out ∆V k − E r T k r k + γ 2 2 E f T k f k = β 2 e T k C T V T VCe k + β 2 1 s T (Cx k )M T V T VMs (Cx k ) + f T k F T

2M
T V T VMF 2 f k + φ T (y a,k ) V T Vφ (y a,k ) + β 2 s T (Cx k )M T V T VMs (Cx k ) + β 2 x T k C T V T VCx k + 2ββ 1 e T k C T V T VMs (Cx k ) + 2βe T k C T V T VMF 2 f k + 2βe T k C T V T Vφ (y a,k ) + 2β 1 s T (Cx k )M T V T VMF 2 f k + 2β 1 s T (Cx k )M T V T Vφ (y a,k ) + γ 2 2 where With the help of the inequality in Equation (24), we have Now, summing up Equation (A12) from 0 to ∞ with respect to k yields