Distributed control under compromised measurements: Resilient estimation, attack detection, and vehicle platooning

We study how to design a secure observer-based distributed controller such that a group of vehicles can achieve accurate state estimates and formation control even if the measurements of a subset of vehicle sensors are compromised by a malicious attacker. We propose an architecture consisting of a resilient observer, an attack detector, and an observer-based distributed controller. The distributed detector is able to update three sets of vehicle sensors: the ones surely under attack, surely attack-free, and suspected to be under attack. The adaptive observer saturates the measurement innovation through a preset static or time-varying threshold, such that the potentially compromised measurements have limited influence on the estimation. Essential properties of the proposed architecture include: 1) The detector is fault-free, and the attacked and attack-free vehicle sensors can be identified in finite time; 2) The observer guarantees both real-time error bounds and asymptotic error bounds, with tighter bounds when more attacked or attack-free vehicle sensors are identified by the detector; 3) The distributed controller ensures closed-loop stability. The effectiveness of the proposed methods is evaluated through simulations by an application to vehicle platooning.


Motivations and related work
Networked control systems (NCS) are ubiquitous. The performance of NCS significantly depends on widely deployed sensors which might be compromised due to the presence of malicious attackers [1,2]. The attackers can strategically manipulate the sensor measurements in order to affect stability and performance of NCS. Attack detection, state estimation, and system control are three major components in the design of secure NCS in malicious environments.
To detect whether systems are under attack and to identify attacked components, quite a few detection methods have been proposed. Attack detection and identification for linear descriptor systems are studied in [3]. Methods of attack detection and correction for noise-free linear systems are proposed in [4]. To detect Byzantine adversaries with quantized false alarm rates, [2] studies a trust-aware consensus algorithm. In [5,6], distributed detectors are designed for false data injection (FDI) attacks in communications. Detection and mitigation methods are proposed in [7] for distributed observers under a class of bias injection attacks. A joint detection and estimation problem is investigated in [8] with knowledge of some attack statistics. There are some methods for multi-observer based detector design [9,10,11]. However, the computational complexity of these methods increases substantially as the number of sensors grows. Thus, designing single-observer based detectors that do not rely on knowledge of the attack signals needs more investigation. Moreover, most existing methods focus on detecting the attacked sensors, but few results are given for the identification of attack-free sensors.
This paper was not presented at any IFAC meeting. Corresponding author: Xingkang He. Email addresses: xingkang@kth.se (Xingkang He), ehashemi@uwaterloo.ca (Ehsan Hashemi), kallej@kth.se (Karl H. Johansson).
There are two major approaches in the literature for handling state estimation under sensor attacks. The first approach is based on solving optimization problems [1,12,13,14,15,16,17]. This approach needs a large amount of computational resources, since it enumerates all sensor combinations in order to find the attacked sensor set. Thus, it is not suitable for large-scale sensor networks when resources are constrained. The second approach is to use robust techniques for handling potentially compromised data, such as discarding a few largest and smallest elements [18,19,20,21], using the sign information of measurement innovations [22], and saturating any innovation that reaches a threshold [23,24]. This approach is more suitable for online estimation since it needs far fewer computational resources than the first approach. However, there are few results in this direction, especially for dynamical systems under FDI sensor attacks.
Some resilient distributed control strategies have been proposed to achieve formation control of a group of vehicles or robots in malicious environments. There are strategies on how to handle different attacks, such as replay attack on control commands [25], denial-of-service (DoS) attack on measurement and control channels [26], FDI attack in the transmission from controller to actuator [27], attack on network topology of multi-agent systems [28], and stealthy integrity attacks [29]. However, there is no unified architecture integrating resilient estimation, attack detection and distributed control.

Contributions
In this paper, we propose an architecture comprising a resilient observer, an online attack detector, and a distributed controller, such that a group of vehicles can achieve accurate state estimates and formation control even if the measurements of a subset of the vehicle sensors are compromised by a malicious attacker. The main contributions of this paper are summarized as follows: i) We propose an adaptive resilient observer, designed by saturating the measurement innovation through a preset static or time-varying threshold, such that the potentially compromised measurements have limited influence on the estimation (Algorithm 1). Some essential properties are found: a) the observer provides an upper bound of the estimation error at each time (Proposition 1); b) if the observer threshold is static and satisfies an explicit design principle (Proposition 2), the estimation error is asymptotically upper bounded (Theorem 1); and c) if the observer threshold is time-varying and computed adaptively, the estimation error is also asymptotically upper bounded (Theorem 2) and the bound is tighter than that of the static threshold. ii) We develop an online distributed attack detector that uses the potentially compromised sensor measurements and the observer's estimates. The designed detector is able to update three sets of vehicle sensors: the ones surely under attack, surely attack-free, and suspected to be under attack (Algorithm 2). Some properties are found: a) the detector is fault-free (Lemma 1), which differs from the existing results with false alarms (e.g., [2]); and b) if a certain condition holds, all attacked and attack-free vehicle sensors are identified in finite time (Theorem 3). iii) We design a distributed controller (Algorithm 3) to achieve the formation control of the vehicles.
We find that if the controller parameters satisfy some graph-related conditions, the overall performance function is asymptotically upper bounded in the presence of noise and tends to zero in the absence of noise (Theorem 4 and Corollary 1), which ensures the closed-loop stability of the proposed architecture.
The proposed observer is able to handle more typical sensor attacks than [7,8], such as random attack, DoS attack, bias injection attack, and replay attack. The proposed detector is based on one observer, which requires fewer computational resources than the detectors based on multiple observers [9,10,11]. Although [20] studies a wider range of attacks than this paper, we remove the requirement of graph robustness. Moreover, the sufficiently large number of communication rounds between two updates required in [30] is not needed here. Note that in comparison with our recent work [24], the current paper studies a different problem, and uses potentially compromised measurements with new approaches.

Outline
The remainder of the paper is organized as follows: Section 2 is on the problem formulation, followed by an overview of the proposed distributed observer-based control architecture in Section 3. Section 4 designs a resilient observer for each vehicle, based on which Section 5 studies the attack detection problem. In Section 6, a distributed controller is proposed to close the loop. After simulations of vehicle platooning in Section 7, the paper is concluded in Section 8.
The main proofs are given in the Appendix.
Notations: R^{n×m} denotes the set of real-valued matrices with n rows and m columns, and R^n the set of n-dimensional real-valued vectors. Unless otherwise stated, the scalars and matrices in this paper are real-valued. Denote by N^+ the set of positive integers and N = N^+ ∪ {0}. The matrix I_n stands for the n-dimensional square identity matrix. The superscript "T" represents the transpose. The operator diag{·} represents diagonalization. We denote the Kronecker product of A and B by A ⊗ B. The vector norm ‖x‖ is the 2-norm of a vector x. The matrix norm ‖A‖ is the induced 2-norm, i.e., ‖A‖ = sup_{x≠0} ‖Ax‖/‖x‖. The notations λ_min(A) and λ_max(A) are the minimal and maximal eigenvalues of a real-valued symmetric matrix A, respectively. The notation a = (a_i)_{i=1,2,...,n} is a vector consisting of elements a_1, ..., a_n. Let I_{i∈C} be an indicator function, which equals 1 if i ∈ C and 0 otherwise. The function ⌈·⌉ stands for the ceiling function.

Problem Formulation
In this section, we first motivate the problem through a vehicle platooning example, and then formulate the problem. Each vehicle is able to exchange messages with other vehicles nearby through wireless communication.

Motivating example
Consider the five-vehicle platooning in Fig. 1. The aim is to control the speed of all vehicles to a desired value while maintaining a safe distance between any two adjacent vehicles. Each vehicle is able to obtain its position and velocity measurements through a GPS receiver or a similar sensor, and the relative position and velocity measurements to its front vehicle through a sensor like a camera or radar. All vehicles collaborate in the platoon by using their local measurements, and vehicle-to-vehicle communication.
Suppose there is a malicious attacker who aims to affect the platoon by compromising the position and velocity measurements of vehicle 1. Such an attack could be a spoofing attack on a GPS receiver. By using the compromised measurements, vehicle 1 is unable to control its velocity to the desired value. Consequently, the platoon is not able to maintain a proper formation. The data redundancy resulting from the absolute and relative measurements of the follower vehicles, however, provides an opportunity for designing resilient estimation and control algorithms. The algorithms are expected to mitigate such sensor attacks in order to achieve vehicle platooning.

System model
Consider N ≥ 3 vehicles, which are labeled from the leader to the tail by 1, 2, ..., N. We study the second-order vehicle model: for i = 1, 2, ..., N, where T > 0 is the time step. Vehicle i is able to obtain its absolute measurements of position and velocity through sensor i, which is a potentially attacked sensor (e.g., a GPS receiver under a spoofing attack): where y_{i,i}(t) ∈ R^2 and n_{i,i}(t) ∈ R^2 are the measurement and measurement noise, and the vector a_i(t) ∈ R^2 represents an attack signal injected by a malicious attacker. Moreover, we assume each vehicle j ∈ {2, 3, ..., N} has a secured sensor (e.g., an onboard radar or camera) to measure the relative state between itself and its front vehicle (i.e., vehicle j − 1): where y_{j−1,j}(t) ∈ R^2 and n_{j−1,j}(t) ∈ R^2 are the measurement and measurement noise.
Although the relative state measurements {y_{j−1,j}(t)} are secured, it is not possible to accurately estimate the absolute state x_j(t) with these measurements alone. In the rest of the paper, we say that sensor i is under attack if the unsecured sensor of vehicle i is under attack.

Attack model
The attack model is provided in the following assumption.
Assumption 1 There is an unknown and time-invariant attack set S^a ⊂ {1, 2, ..., N} with at most b ≥ 1 elements, such that the corresponding attack signals a_i(t) ∈ R^2, i ∈ S^a, t ∈ N, are arbitrary, and the maximum number of attacked sensors b is known to each vehicle. For the set of attack-free vehicle sensors S := {1, 2, ..., N} \ S^a, it holds that a_i(t) ≡ 0, i ∈ S, t ∈ N.
Following Assumption 1, a subset S^a of the vehicle sensor measurements in (2) can be manipulated arbitrarily, but we do not know which ones. Assumption 1 does not impose any specific distribution or form on a_i(t), and covers many typical sensor attacks, including random attack, DoS attack, bias injection attack, and replay attack [31].
The upper bound b of the number of attacked vehicle sensors is used in the observer and detector designs. The assumption on the knowledge of b can be relaxed, but will result in worse performance for the same number of attacked sensors.

Problem
In order to achieve vehicle formation control (e.g., vehicle platooning) in a malicious environment, it is important to estimate the states of all vehicles simultaneously. For example, when a group of vehicles are required to achieve a platoon with a desired speed, it is necessary to estimate the state of the leader vehicle for controller design. However, its absolute measurements are potentially compromised as in (2). In order to have data redundancy for the state estimation of the leader vehicle, the secured relative measurements and accurate estimates of the follower vehicles are necessary.
To measure the overall estimation and control performance for the system (1)-(3), we introduce the performance function ϕ(t): where x̂_i(t) is the estimate of x_i(t) from the observer to be designed, and x*_i(t) is the desired vehicle state of the formation satisfying where x_0(t) is the reference state of the leader vehicle, subject to x_0(t + 1) = Ax_0(t), and ∆x_{i−1,i}(t) is the desired relative state between vehicles i − 1 and i, subject to ∆x_{i−1,i}(t + 1) = A∆x_{i−1,i}(t), i = 2, 3, ..., N. For convenience, we denote ∆x_0, where the scalars q > 0, and ≥ 0, µ ≥ 0 are known to each vehicle.
The upper bounds q, , µ are used in the observer and detector designs. The assumption on the knowledge of q, , and µ can be relaxed, but will result in worse performance for the same noise and initial estimation error.
Problem: How to design an observer-based distributed controller u_i(t) for the system (1)

In this section, we first introduce the communication structure of the vehicle network, and then propose an architecture consisting of a resilient observer, an attack detector, and a distributed controller. Moreover, the measurements of each vehicle will be reconstructed based on vehicle-to-vehicle communication.

Communication structure of vehicle network
We model the vehicle communication topology by an undirected graph G = {V, E}, which consists of the set of nodes V = {1, 2, ..., N} and the set of edges E. If there is an edge (i, j) ∈ E, node i can exchange information with node j. In this case, node j is called a neighbor of node i, and vice versa. Denote the neighbor set of node i ∈ V by N_i := {j ∈ V | (i, j) ∈ E}, which in this paper is assumed to be where L ∈ N^+ is a parameter indicating the neighbor range, ..., L}, and As seen, each vehicle i ∈ V_1 has 2L neighbors, and each vehicle j ∈ V_2 has fewer than 2L neighbors. The communication topologies of five vehicle control systems (VCSs) for L = 1 and L = 2 are illustrated in Fig. 1 and Fig. 2, respectively. In the following, we use the term 'vehicle' to represent a VCS for convenience. Each vehicle i ∈ V is able to send its neighbor vehicle j ∈ N_i a message at time t ∈ N^+, denoted by M_i(t) (omitting the time index t in the following notation): where the first component is the predicted value of x_i(t + 1) from the observer to be designed, α_i(t) denotes the estimation error bound to be specified in (20), and Note that Ŝ^s_i(t) ⊆ V is not necessarily a subset of S^a, since Ŝ^s_i(t) may include some attack-free vehicle sensors. The three sets {Ŝ_i(t), Ŝ^a_i(t), Ŝ^s_i(t)} are shared between vehicles through the vehicle-to-vehicle network G and updated in a distributed manner as described in Section 5. The sets are initialized as empty sets, i.e.,
[Figure caption fragment: M_j, defined in (6), is the message sent out by VCS j to its neighbors, j = 1, 2, ..., 5, and a_1 is the attack signal.]

Resilient observer-based distributed control architecture
We design an architecture for the VCS of each vehicle i in Fig. 3. The architecture integrates the resilient observer in Section 4, the attack detector in Section 5, and the distributed controller in Section 6. The observer leverages the measurements of vehicle i and its neighbor vehicles. Then, the estimate x̂_i(t) from the observer is sent to the controller, which employs x̂_i(t) as well as the estimates of neighbor vehicles to generate the control signal u_i(t). If the observer is ineffective, the observer-based controller will not work well. Therefore, the key point for the observer is how to use the potentially attacked measurements and the measurements from neighbor vehicles efficiently. In Section 4, a resilient observer is proposed by leveraging a new saturation approach. The designed detector is able to update the three sets {Ŝ_i, Ŝ^a_i, Ŝ^s_i} and send them to the observer. Then, in order to improve the estimation performance, the observer discards the measurements of the untrustworthy vehicles henceforth, and fully utilizes the measurements of the trustworthy vehicles. Note that the detector in Section 5 ensures consistency of the three sets in the sense that they will not conflict. In other scenarios, if an inconsistent case occurs for some reason (e.g., the detection data is manipulated), the architecture in Fig. 3 can still be employed by abandoning the inconsistent subsets.

Measurement reconstruction via vehicle communication
Based on whether each vehicle has 2L neighbors, we split the vehicle set V into two subsets V_1 and V_2 as shown in (5). In the following, we first reconstruct the measurement equation of vehicle i ∈ V_1 by employing the local measurements (2)-(3) and the messages from neighbor vehicles. Denote by y_{i|j}(t), j = i − 1, i + 1, the absolute measurement of vehicle i from the view of vehicle j, calculated as follows: Substituting (2) and (3) Under Assumption 2, it holds that for any j ∈ N_i, ‖n_{i|j}(t)‖ ≤ (L + 1)µ =: µ̄.
Through the graph G, vehicle i ∈ V_1 is able to receive the absolute measurements (i.e., {y_{j,j}(t)}, j ∈ N_i) and relative measurements (i.e., {y_{j−1,j}(t)}), and then calculate the measurements {y_{i|j}(t)}_{j ∈ N_i ∪ {i}}. Hence, it is feasible to reconstruct the measurement equation of vehicle i ∈ V_1: where

Remark 1
The attack signal a_i(t) has at most 2b non-zero elements, which means at least 4L + 2 − 2b elements of z_i(t) are not under attack. If L ≥ b, according to sparse observability [32], the measurement redundancy in (9) enables us to design an effective resilient observer for vehicle i ∈ V_1.
Next, we reconstruct the measurement equation of vehicle i ∈ V_2 by using the messages from neighbor vehicles: where ŷ_{i|j} is the absolute measurement of vehicle i from the view of vehicle j, subject to and the noise n̂_{i|j} is subject to As seen, vehicle i ∈ V_2 uses the estimate x̂_j from neighbor vehicle j and the relative measurements {y_{m−1,m}} from neighbor vehicle m, where j ∈ N_i ∩ V_1 and m ∈ N_i. In the next section, we will design a resilient observer for vehicles i ∈ V_1 and i ∈ V_2 with the reconstructed measurements in (9) and (10), respectively.

Observer Design
In this section, we design an observer algorithm and analyze an asymptotic upper bound of the estimation error with a static observer threshold and an adaptive observer threshold, respectively. Since the observer algorithm to be designed uses the detection results, we need the following assumption in this section.

Assumption 3
The sets Ŝ_i(t) and Ŝ^a_i(t) introduced in (6) satisfy the following two properties: This assumption is removed after we introduce the detector in Section 5. In other words, the integrated observer and detector in this paper satisfy Assumption 3 (see Lemma 1).

Observer algorithm
From the reconstructed measurement equation (9), we de- For each vehicle i ∈ V, given the sets {Ŝ_i(t), Ŝ^a_i(t)} from the detector, we design the following observer by employing the measurements from (2), (9), and (10): where where N̄_i is introduced in (10), and k_{i,m_s}(t) is designed by leveraging the following saturation method with a threshold β_i(t) > 0 (designed in Subsections 4.2 and 4.3): , otherwise.
Remark 2 The observer (12) shows: i) For one sensor in the set V_1, if it is attacked, i.e., m_s ∈ Ŝ^a_i(t), its measurements are no longer employed, i.e., k_{i,m_s}(t) = 0; if it is attack-free, i.e., m_s ∈ Ŝ_i(t), its measurements are fully trusted, i.e., k_{i,m_s}(t) = 1. Otherwise, the saturation method with the threshold β_i(t) reduces the influence of the potentially compromised measurements. ii) For each vehicle i ∈ V_2, if it is attack-free (i.e., i ∈ V_2 ∩ Ŝ_i(t)), it uses its own local measurements with full trust to update the state estimate; otherwise, it uses the estimate of vehicle j_i(t), which is either in the set V_1 with redundant measurements or in the set of attack-free vehicle sensors V_2 ∩ Ŝ_i(t).

Remark 3
The reason to find the vehicle j_i(t) nearest to vehicle i is to alleviate the influence of the noise in the relative measurements. This is seen from (11), where n̂_{i|j_i}(t) includes the noise of the relative measurements from vehicles j_i to i.
Next, we study a real-time upper bound of the estimation error of Algorithm 1. In the following items a)-c), we define three sequences, ρ_i(t), λ_i(t), and τ_i(t), which are proved in Proposition 1 to be upper bounds of the estimation errors of the three updates in (12).
Algorithm 1 Resilient Observer
1: Initialization: Initial estimate x̂_i(0), observer parameter ∈ (1, A A −1), saturation parameter β_i(t), and vehicle communication parameter L
2: Output: State estimate x̂_i(t)
3: for t ≥ 0 do
4: Communications between neighboring vehicles: Vehicle i sends out M_i defined in (6); Time update: For each vehicle i ∈ V; where u_i(t) is specifically designed by vehicle i; Measurement update: See (12).
5: end for
a) For vehicle i ∈ V_1, we denote by Ŝ_{i,1}(t) the estimate of the set of attack-free vehicle sensors in the 2L-neighborhood of vehicle sensor i, i.e., Then, for i ∈ V_1, we define a sequence {ρ_i(t)} with ρ_i(0) = q in the following where where the parameter is introduced in (13), (19), and T_i is the time after which vehicle sensor i is attack-free by detection, i.e., T_i = min t, s.t., i ∈ Ŝ_i(t + 1).
Remark 4 Although the constructions of the two sequences {λ_i(t)} and {τ_i(t)} depend on each other, they are both well defined, because τ_i(t) starts at time t = 0, which does not require λ_i(t), and λ_i(t) starts at t = T_i.

PROOF. See Appendix A.
Remark 5 Based on local information and the vehicle-to-vehicle network G, vehicle i ∈ V is able to compute the sequence {α_i(t)}. It enables evaluation of the error bounds offline by setting Ŝ^a_i(t) ≡ Ŝ_i(t) ≡ ∅, which reduces to the case without detection.
Since the observer threshold β_j(t), j ∈ V_1, in (14) is essential, we study the properties of Algorithm 1 by designing β_j(t) in a static way and in an adaptive way, respectively, in the following two subsections.

Observer property with static threshold
In this subsection, we design the observer threshold β_j(t) ≡ β_j for all j ∈ V_1. Given a scalar ω ∈ (0, 1), denote where µ̄ is defined in (8). In the following theorem, we study the boundedness of the estimation error of the observer in Algorithm 1 with a static observer threshold β_j, j ∈ V_1, introduced in (14).

PROOF. See Appendix B.
Theorem 1 is based on the information available at some time , and the corresponding bound is the worst bound that can be obtained offline. As T_i increases, |Ŝ_i(T_i)| and |Ŝ^a_i(T_i)| are non-decreasing. As a result, the error bound is non-increasing. This motivates us to design an effective detector to enlarge the sets Ŝ_i(T_i) and Ŝ^a_i(T_i).
In the following proposition, we study the feasibility of the condition on ω in Theorem 1.
Remark 6 It can be proved that when b ≤ L, if the time step T is sufficiently small, such that ‖A‖ < 1 , then one can find a scalar ω_0 ∈ (0, 1) and scalars q, , µ satisfying Assumption 2 such that the conditions in (24) are satisfied.

Remark 7
The maximum number of attacked vehicle sensors that the proposed architecture can tolerate is b = L = N/2 − 1, which is the most general condition, because sparse observability [32] shows that if half or more of the vehicle sensors are attacked, it is infeasible to recover the states of all vehicles.

Observer property with adaptive threshold
In this subsection, we design the observer threshold β_j(t) in the following way: for t ≥ 1, where ρ_j(·) is introduced in (17), µ̄ is in (8), and k_{j,0} = β_{j,0}/(‖A‖q + + µ̄), in which β_{j,0} is a positive scalar designed in the following theorem.

PROOF. See Appendix D.
Remark 8 In comparison with Theorem 1 under the same conditions, Theorem 2 shows that the adaptive design of β_i(t) achieves better estimation performance than the static design, in the sense of providing a smaller error bound.

Detector Design
In this section, we design an attack detector algorithm and then study when all attacked and attack-free vehicle sensors can be identified by the detector in finite time.

Detector algorithm
Based on the relative measurements between two neighbor vehicles, we consider the following detection condition: Condition (27) is used to infer whether either sensor i or sensor i − 1 is attacked under the bounded measurement noise. Moreover, in order to find out whether sensor i is under attack, we also consider the following detection condition: where are generated through (17) and (19), respectively.
The two conditions (27)-(28) will be used to update the two sets Ŝ^a_i(t) and Ŝ^s_i(t). Consider the union Ŝ^s_i(t) ∪ Ŝ^a_i(t), which includes the sensors under attack or suspected to be under attack. We analyze the minimal number of attacked sensors in this union as follows. Split it into multiple subsets comprising successive sensor labels, i.e., Ŝ^s_{i,j}(t), j = 1, 2, ..., l_i, whose union over j = 1, ..., l_i is the whole set. It is to be proved in Lemma 1 that the minimal number of attacked sensors in the set
Algorithm 2 Online Attack Detector
1: Initialization: Initial estimate for the attacked vehicle sensor set Ŝ^a_i(0) = ∅, initial estimate for the suspicious vehicle set Ŝ^s_i(0) = ∅, and initial estimate for the attack-free vehicle set Ŝ_i(0) = ∅, i ∈ V.
2: Output: Sets Ŝ^a_i(t), Ŝ^s_i(t), and Ŝ_i(t)
3: for t ≥ 0 do
4: Communications between neighboring vehicles: Vehicle i sends out M_i defined in (6). Each vehicle i fuses the sets from its neighbors:
if i ≥ 2, and i ∉ Ŝ^a_i(t), and i − 1 ∉ Ŝ^a_i(t) then
6: if (27)
if (29) holds then
22:
We conclude that at least five attacked sensors are in the set, because Ŝ^s_{i,1}(t) has at least one, Ŝ^s_{i,2}(t) has one, Ŝ^s_{i,3}(t) has at least two, and Ŝ^s_{i,4}(t) has one. Then we consider the following detection condition: Condition (29) is used to infer whether the number of sensors under attack and detected by vehicle i reaches the known maximum number of attacked sensors.
Based on the observer in Algorithm 1 and the detection conditions (27)-(29), an online distributed attack detector is provided in Algorithm 2, which is able to update the three sets Ŝ^a_i(t), Ŝ^s_i(t), and Ŝ_i(t), i ∈ V.
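As an added illustration of the saturated-innovation observer (Algorithm 1) and the pairwise detection logic (Algorithm 2), the following is constructed example code and not the paper's implementation; equations (12) and (27)-(29) are not reproduced on this page, so their forms here are assumptions. It assumes a double-integrator platoon with L = 1, relative readings that measure x_{i−1} − x_i, a saturation gain min(1, β/‖innovation‖), a pairwise check that flags a neighbor pair whose three readings cannot be explained by noise within 3µ√2, and a count of attacked sensors over runs of consecutive flagged pairs done as a vertex cover of a path; the observer-side condition (28) is not modelled. The scenario injects a constant 5 m spoofing bias on sensor 3 and compares the estimation error of vehicle 3 with detection, with saturation only, and with a naive observer that trusts every reading.

```python
import math
import random

T, MU, N, B = 0.01, 0.1, 5, 1        # time step, per-element noise bound, vehicles, max attacked (b)
NOISE_NORM = MU * math.sqrt(2)       # 2-norm bound of one 2-D noise vector
ALL = set(range(1, N + 1))

def norm(v): return math.sqrt(v[0] * v[0] + v[1] * v[1])
def add(a, b): return [a[0] + b[0], a[1] + b[1]]
def sub(a, b): return [a[0] - b[0], a[1] - b[1]]

def step(x):
    """Double integrator at constant velocity (u = 0, no process noise): s += T*v."""
    return [x[0] + T * x[1], x[1]]

def measure(x, rng, attack):
    """Absolute y_{i,i} = x_i + noise (+ attack on attacked sensors) and secured
    relative y_{i-1,i} = x_{i-1} - x_i + noise; noise is uniform in [-MU, MU] per element."""
    nz = lambda: [rng.uniform(-MU, MU), rng.uniform(-MU, MU)]
    y_abs = {i: add(x[i], nz()) for i in x}
    for i, a in attack.items():
        y_abs[i] = add(y_abs[i], a)
    y_rel = {(j - 1, j): add(sub(x[j - 1], x[j]), nz()) for j in range(2, N + 1)}
    return y_abs, y_rel

def reconstruct(i, y_abs, y_rel):
    """Views of x_i (L = 1): own sensor, plus each neighbour's absolute reading shifted by
    the relative reading; a neighbour view carries two noise terms, hence bound 2*MU."""
    views = {i: y_abs[i]}
    if i > 1:
        views[i - 1] = sub(y_abs[i - 1], y_rel[(i - 1, i)])
    if i < N:
        views[i + 1] = add(y_abs[i + 1], y_rel[(i, i + 1)])
    return views

def saturated_update(x_pred, views, beta, attacked, attack_free):
    """Measurement update. A view whose source sensor is surely attacked is dropped (k = 0),
    a surely attack-free one is fully trusted (k = 1), and any other innovation is clipped
    to norm beta, so one spoofed reading can move the estimate by at most beta/len(views)."""
    corr = [0.0, 0.0]
    for m, z in views.items():
        innov = sub(z, x_pred)
        if m in attacked:
            k = 0.0
        elif m in attack_free or norm(innov) <= beta:
            k = 1.0
        else:
            k = beta / norm(innov)
        corr = add(corr, [k * innov[0] / len(views), k * innov[1] / len(views)])
    return add(x_pred, corr)

def failed_pairs(y_abs, y_rel):
    """Pair (i-1, i) is flagged when y_{i-1,i-1} - y_{i,i} - y_{i-1,i} exceeds what three
    noise terms can produce; this never fires without an attack on i-1 or i (no false alarms)."""
    return [(i - 1, i) for i in range(2, N + 1)
            if norm(sub(sub(y_abs[i - 1], y_abs[i]), y_rel[(i - 1, i)])) > 3 * NOISE_NORM]

def classify(pairs, attacked, attack_free, b=B):
    """Update the 'surely attacked' and 'surely attack-free' sets in place and return the
    remaining suspects. A run of m consecutive flagged pairs hides at least ceil(m/2)
    attacked sensors (vertex cover of a path); when the runs account for all b attacked
    sensors, every even-length run has a unique cover and everything outside the runs is clean."""
    runs, cur = [], []
    for p in pairs:
        if cur and p[0] != cur[-1][1]:
            runs.append(cur)
            cur = []
        cur.append(p)
    if cur:
        runs.append(cur)
    suspected = {s for p in pairs for s in p}
    if sum(math.ceil(len(r) / 2) for r in runs) == b:
        attack_free |= ALL - suspected
        for r in runs:
            if len(r) % 2 == 0:
                attacked |= {r[k][1] for k in range(0, len(r), 2)}
    if len(attacked) == b:          # the known maximum is reached: all others are attack-free
        attack_free |= ALL - attacked
    return suspected - attacked - attack_free

def simulate(beta, use_detector, steps=400, seed=1):
    """Constructed scenario: 20 m spacing, 10 m/s, poor initial estimates, a constant 5 m
    spoofing bias on sensor 3. Returns (final error of the vehicle-3 estimate, attacked set, attack-free set)."""
    rng = random.Random(seed)
    x = {i: [20.0 * (N - i), 10.0] for i in ALL}
    est = {i: [0.0, 0.0] for i in ALL}
    attacked, attack_free = set(), set()
    for _ in range(steps):
        y_abs, y_rel = measure(x, rng, {3: [5.0, 0.0]})
        if use_detector:
            classify(failed_pairs(y_abs, y_rel), attacked, attack_free)
        est = {i: step(saturated_update(est[i], reconstruct(i, y_abs, y_rel),
                                        beta, attacked, attack_free)) for i in ALL}
        x = {i: step(x[i]) for i in ALL}
    return norm(sub(est[3], x[3])), attacked, attack_free

if __name__ == "__main__":
    for label, beta, det in [("detector + saturation", 1.0, True),
                             ("saturation only", 1.0, False),
                             ("naive (trust all)", float("inf"), False)]:
        err, att, free = simulate(beta, det)
        print(f"{label:22s} error={err:.3f} attacked={att} attack_free={free}")
```

With the bias far above the noise bound the pairwise check flags (2,3) and (3,4) at the first step, the run-count rule pins sensor 3 and clears the rest, and the observer's error collapses to the noise level; without detection the clipped innovation still caps the bias-induced error at about β/2, whereas the naive observer absorbs a third of the bias.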

Detector properties
Lemma 1 The observer in Algorithm 1 and the detector in Algorithm 2 for the system (1)-(3) under Assumptions 1-2 satisfy Assumption 3.

PROOF. See Appendix E.
Lemma 1 states that the two sets Ŝ_i(t) and Ŝ^a_i(t) are fault-free, which differs from the existing results with false alarms (e.g., [2]) since we study bounded noise. The following theorem studies the finite-time convergence of the detection sets Ŝ^a_i(t) and Ŝ_i(t).
Theorem 3 Consider the observer in Algorithm 1 and the detector in Algorithm 2 for the system (1)-(3) under Assumptions 1-2. If there is a time T_j and a vehicle j ∈ V such that the number of attacked vehicle sensors estimated by vehicle j equals its upper bound in Assumption 1, i.e., |Ŝ^a_j(T_j)| = b, then there exists a time T* such that for t ≥ T*, the sets of attacked and attack-free vehicle sensors estimated by each vehicle i ∈ V equal the true sets, i.e., Ŝ^a_i(t) = S^a, Ŝ_i(t) = S.
PROOF. By Algorithm 2, when there is a time T_j and a vehicle j ∈ V such that |Ŝ^a_j(T_j)| = b, then Ŝ^a_j(T_j) = S^a and Ŝ_j(T_j) = S. Since both |Ŝ^a_i(t)| and |Ŝ_i(t)| are non-decreasing and the vehicle network is finite, there is a time at which all vehicles have updated their set estimates to the true sets.
Theorem 3 holds under the condition that the attacker compromises b sensors with aggressive attack signals, which is possible when the attacker has no knowledge of the detector. Otherwise, the attacker can inject stealthy signals making the attacked sensors undetectable.

Controller Design
In this section, we design an observer-based distributed controller algorithm, and then analyze the boundedness of the overall performance function of the architecture consisting of the observer in Algorithm 1, the detector in Algorithm 2, and the distributed controller.

Controller algorithm
Denote by N̄_i the set of vehicle(s) nearest to vehicle i, i = 0, 1, ..., N, i.e., where vehicle 0, which is virtual and introduced for convenience, stands for the reference state of the leader vehicle 1. Assume ŝ_i(t) and s̄_i(t) are the estimate and predicted value of s_i(t), and v̂_i(t) and v̄_i(t) are the estimate and predicted value of v_i(t). Then, we propose a distributed observer-based controller in Algorithm 3, where ∆x^s_{i−1,i}(t) and ∆x^v_{i−1,i}(t) are the desired relative position and velocity between vehicles i − 1 and i, and g_s > 0, g_v > 0 are parameters to be determined.
Algorithm 3 Distributed Controller
Communications between neighboring vehicles: [s_0(t), v_0(t)]^T =: x_0(t).
5: end for
Remark 9 The relative state measurements in (3) are not used directly in the controller; the estimates are used instead, because: i) the relative measurements are noisy; ii) the leader vehicle has no sensor to measure the relative state to the reference state (i.e., x_1(t) − x_0(t)).

Closed-loop property
The following lemma, proved in [33], is useful in the following analysis.
Lemma 2 Consider the linear dynamical system x(t+1) = Fx(t) + G(t), where F ∈ R^{n×n} is a Schur stable matrix. If lim sup_{t→∞} ‖G(t)‖ ≤ ς, the equation F^T P F − P = −I_n has a solution P ≻ 0 such that lim sup_{t→∞} ‖x(t)‖ ≤ 2θς² λ_max(P)/λ_min(P), where θ = ‖P‖ + 2‖PF‖².
Let L ∈ R^{(N+1)×(N+1)} be the graph Laplacian matrix [34] corresponding to the neighbor sets in (30). Denote by L_g ∈ R^{N×N} the grounded graph Laplacian matrix with respect to the nodes {1, 2, 3, ..., N}, which is obtained by removing the first row and first column of the Laplacian matrix L.

Assumption 4
The parameters g_s and g_v of the controller in Algorithm 3 are subject to g_v > Tg_s > 0 and Assumption 4 can be satisfied for any positive g_s and g_v if the time step T > 0 is sufficiently small. In the following theorem, the closed-loop performance function ϕ(t) in (4) is studied. where in which α̃_i and ᾱ_i, for i = 1, 2, 3, are introduced in Theorems 1 and 2, respectively.

PROOF. See Appendix F.
Remark 10 It follows from Theorems 1-2 that under the same condition, the upper bounds in Theorem 4 fulfillᾱ + ηξ ≤α + ηξ, because the design of the adaptive observer threshold can employ the measurements more effectively and help to detect more attacked sensors. This illustrates the advantage of using an adaptive threshold instead of a static one in the observer.
Theorem 4 and the following corollary provide the solution to the formulated problem in Section 2.4.
Corollary 1 Consider the observer in Algorithm 1, the detector in Algorithm 2, and the controller in Algorithm 3 satisfying Assumption 4 for the system (1)- (3). Then the performance function ϕ(t) tends to zero, i.e., lim sup t→∞ ϕ(t) = 0, if the system is known to be noise-free, i.e., µ = = 0, and one of the following two conditions is satisfied i) the observer threshold is static, the conditions in Theorem 1 hold, and there is a vehicle sensor i at some T i < ∞, such that |Ŝ a i (T i )| = b; ii) the observer threshold is adaptive, and the conditions in Theorem 2 hold.
Remark 11 Corollary 1 shows the improvement in performance achieved in the noise-free case compared with the noisy case of Theorem 4. Note that the first condition of Corollary 1 means that one vehicle has detected the maximal number $b$ of attacked sensors. This makes it possible to conclude that there are no other attacked sensors, so the mitigation mechanism of the observer can fully compensate for the attack. The second condition means that, whatever the detection results, the observer with the adaptive threshold makes the space of stealthy attacks shrink to the empty set asymptotically.

Simulations
In this section, the effectiveness of the proposed methods is evaluated through simulations by an application to vehicle platooning.
Suppose there are five vehicles, i.e., $N = 5$, with time step $T = 0.01$ and time range $t = 0, 1, \dots, 500$. All elements of the process noise $d_i(t)$ and the measurement noise $n_{i,j}(t)$, $j \in N_i \cup \{i\}$, $i = 1, \dots, 5$, follow the uniform distribution on $(0, \mu_0/\sqrt{2})$, where $\mu_0 = 0.1$. The bounds in Assumption 2 are set to $\mu_0$ for both noise bounds (i.e., $\mu = \mu_0$) and $q = 300$. The initial state is … $\eta_{i,s}(t)$ and $\eta_{i,v}(t)$, respectively, and the relative position and velocity between vehicle $i \in \{1, 2, 3, 4, 5\}$ and the leader vehicle 0 are denoted by $\zeta_{i,s}(t)$ and $\zeta_{i,v}(t)$, respectively, i.e., … where $e^j_{i,s}(t)$ and $e^j_{i,v}(t)$ are the state estimation errors of vehicle $i$ in position and velocity at time $t$ in the $j$-th run, and $s^j_i(t)$ and $v^j_i(t)$ are the position and velocity of vehicle $i$ at time $t$ in the $j$-th run.
First, we study the performance of Algorithms 1-3 with the adaptive observer parameter $\beta(t)$ designed in (25). For a vehicle $i$ under FDI sensor attacks, the measurements are compromised by the random attack signal $a_i(t) = w_i(t)\,x_i(t)$, where $w_i(t)$ is drawn from the standard normal distribution. For the attacked vehicle sensor set $S^a = \{3\}$, the state estimation error, the estimation error bounds, and the vehicle platooning error are shown in Fig. 4. Fig. 4-(a) shows that the estimation errors in position and velocity converge rapidly to small neighborhoods of zero. Fig. 4-(b) shows that the offline bounds of the estimation errors converge to small neighborhoods of zero. Fig. 4-(c) shows that the speeds of all vehicles converge to the reference velocity and that the relative positions between neighboring vehicles tend to the desired value, i.e., 20. We study the performance function $\phi(t)$ of Algorithms 1-3 with $S^a = \{2, 3\}$ under different noise magnitudes (i.e., different noise bounds in Assumption 2) and under different types of attacks in Fig. 5-(a) and Fig. 5-(b), respectively. Fig. 5-(a) shows that $\phi(t)$ decreases as the noise magnitudes decrease. In Fig. 5-(b), we study four typical attack types: random attack, DoS attack, bias injection attack, and replay attack [31]. It shows that Algorithms 1-3 with the adaptive observer parameter are able to handle multiple kinds of attacks.
Then, we compare the proposed methods, i.e., Algorithms 1 and 3 with the static observer parameter $\beta$ and Algorithms 1-3 with the adaptive observer parameter $\beta(t)$, against PWM, which is obtained from Algorithm 3 by replacing the estimates by the raw measurements; PBE, which is obtained from Algorithm 3 by using the estimates following the Byzantine strategy [20]; and PTD [35]. To evaluate the platooning error of each algorithm, we use the performance function $\varphi(t)$: … The comparison is shown in Fig. 5-(c): both proposed methods outperform the other three algorithms, and Algorithms 1-3 achieve the best platooning performance among the five. In Fig. 5-(c), PWM diverges because the compromised measurements directly affect the platooning.

Conclusion and Future Work
This paper studied how to design a secure observer-based distributed controller such that a group of vehicles achieves accurate state estimates and formation control in the case where a static subset of vehicle sensors is compromised by a malicious attacker. We proposed an architecture consisting of a resilient observer, an online attack detector, and a distributed controller, and analyzed the main properties of each component. An application of the proposed architecture to vehicle platooning was investigated in numerical simulations.
There are several directions for future work. One is to extend the architecture to attack detection on the actuators of vehicles in a platoon. Another is to study more general models of vehicles and sensors. It is also promising to extend the methods from the string vehicle topology to more complex vehicle topologies with higher dimensions and more leaders.
A Proof of Proposition 1

First, we consider each vehicle sensor $i \in V_1$, which has at least $2L + 1 - b$ attack-free vehicle sensors as neighbors. Suppose $J$ is the set of these $2L + 1 - b$ sensors, i.e., $J \subseteq S$ with $|J| = 2L + 1 - b$; $J$ is unknown to the vehicles but useful for the following analysis. Let $J^a = N_i \cup \{i\} \setminus J$. It holds that $|J^a| = b$, and the sensors in the set $\hat S^a_i(t) \subseteq J^a$ are surely attacked under Assumption 3. Denote $\hat K_i$ as in (14). Let $\hat K_i(t)$ and $W_i(t)$ be defined through the $j$-th element of $n_i(t)$ in (9), so that $\hat K_i(t) \in \mathbb{R}^{2\times 2}$ and $W_i(t) \in \mathbb{R}^2$. By Algorithm 1, we obtain the recursion for the estimation error $e_i(t)$. According to (14), the measurement update of sensor $i$ at time $t$ is affected by at most $b - |\hat S^a_i(t)|$ attacked vehicle sensors, namely those that remain stealthy until time $t$; the measurements of these vehicles are still used at time $t$. Under the noise bound in (8) and the saturation operation in (14), taking the norm of $e_i(t)$ yields $\|e_i(t)\| \le \rho_i(t)$, where the last inequality holds because: 1) in the set $J$ there are $|\hat S_{i,1}(t)|$ attack-free vehicles whose measurements are fully utilized in the update at time $t$ (i.e., without saturation), where $\hat S_{i,1}(t)$ is defined in (16); 2) the remaining $2L + 1 - b - |\hat S_{i,1}(t)|$ attack-free vehicles have their measurement innovations saturated, with the corresponding gain $\hat K$ satisfying the saturation constraint in (14).

Second, for vehicle $i \in V_2 \cap \hat S(t)$, according to (12) and Assumption 2, it is straightforward to show that the estimation error is upper bounded by $\lambda_i(t)$.

Third, for vehicle $i \in V_2 \setminus \hat S(t)$, by Algorithm 1 we again obtain the recursion for $e_i(t)$. Regarding $n_{i|j_i(t)}(t)$ in (11), according to Assumption 2 and the definition $j_i(t) = \arg\min_{j \in N_i \cup \hat S_i(t)} |j - i|$, taking the norm of both sides of $e_i(t)$ yields $\|e_i(t)\| \le \tau_i(t)$.

B Proof of Theorem 1
At time $T_i \ge 0$, the estimate of the attacked vehicle sensor set is $\hat S^a_i(T_i)$ and the estimate of the attack-free vehicle set is $\hat S_i(T_i)$. By Assumption 3, both $|\hat S^a_i(t)|$ and $|\hat S_i(t)|$ are nondecreasing; thus $|\hat S^a_i(t)| \ge |\hat S^a_i(T_i)|$ and $|\hat S_i(t)| \ge |\hat S_i(T_i)|$ for any $t \ge T_i$. Instead of proving directly that the estimation error is upper bounded, in the following we prove that $\rho_i(t)$, $\lambda_i(t)$, and $\tau_i(t)$ are upper bounded; by Proposition 1 these are upper bounds of the estimation error.

C Proof of Proposition 2
Necessity: We assume $b > L$ for the proof by contradiction. Then … $2L$ …, where $\beta_0 = \|A\| q + \mu + {}$(the other noise bound in Assumption 2). Thus … , and the assumption $b > L$ does not hold.

D Proof of Theorem 2
According to Proposition 1, we prove the boundedness of the three sequences $\rho_i(t)$, $\lambda_i(t)$, $\tau_i(t)$ for the case that $\beta_i(t)$ is designed as in (25).
First, we consider vehicle $i \in V_1$. Since $\beta_{i,0}$ satisfies the same condition as $\beta_i$ in Theorem 1, by the proof of Theorem 1 we have $k_{i,0} := \beta_{i,0}/(\|A\| q + \mu + {}\text{the other noise bound in Assumption 2}) < 1$ and the inequality corresponding to (B.4). From (D.1) and $\beta_{i,0} = k_{i,0}(\|A\| q + \mu + {}\text{the other noise bound})$, we obtain … Substituting $\beta_i(t)$ in (25) into (17) yields … By Assumption 3, both $|\hat S^a_i(t)|$ and $|\hat S_i(t)|$ are nondecreasing; thus $|\hat S^a_i(t)| \ge |\hat S^a_i(T_i)|$ and $|\hat S_i(t)| \ge |\hat S_i(T_i)|$ for any $t \ge T_i$. Since $k_{i,0} < 1$, we have $\sup_{t \ge T_i} a_{i,1}(t) \le a_{i,1}(T_i) \le 1 - \frac{L - b}{2L}\, k_{i,0}$ and $\sup_{t \ge T_i} a_{i,2}(t) \le a_{i,2}(T_i)$, which, together with (D.…), gives the claimed bound. The proofs for vehicle $i \in V_2 \cap \hat S_i(T_i)$ and for vehicle $i \in V_2 \setminus \hat S_i(T_i)$ are similar to the corresponding proofs in Theorem 1.

E Proof of Lemma 1
We prove the conclusion by induction. At the initial time, Assumption 3 holds trivially. Assume that Assumption 3 is satisfied at time $t - 1$; we consider time $t$. First, we prove the following conclusions, corresponding to lines 7, 20, and 24 of Algorithm 2 under the preconditions in lines 5 and 18: i) if the detection condition (27) is satisfied, either sensor $i$ or sensor $i - 1$ is attacked; ii) if the detection condition (28) is satisfied, sensor $i$ is attacked; iii) if the detection condition (29) is satisfied, the sensors in the set $V \setminus (\hat S^s_i(t) \cup \hat S^a_i(t))$ are attack-free.
Proof of i): By (2), for two attack-free sensors $i - 1$ and $i$, since $a_i = a_{i-1} = 0$, it holds that $y_{i,i}(t) - y_{i-1,i-1}(t) = x_i(t) - x_{i-1}(t) + n_{i,i}(t) - n_{i-1,i-1}(t)$, which, together with (3), gives $y_{i-1,i}(t) + y_{i-1,i-1}(t) - y_{i,i}(t) = n_{i-1,i}(t) + n_{i-1,i-1}(t) - n_{i,i}(t)$. Under Assumption 2, taking the norm of both sides bounds the left-hand side by the noise bounds whenever both sensors are attack-free; hence, if (27) is satisfied, at least one of the two sensors is attacked. Conclusion ii) follows from Proposition 1 by noting that $i \notin \hat S_i(t)$. Proof of iii): Since $\bigcup_{j=1}^{j_i} \hat S^s_{i,j}(t) = \hat S^s_i(t)$ and each set $\hat S^s_{i,j}(t)$ contains successive sensor labels, the minimal number of attacked sensors is no smaller than the sum of the minimal numbers of attacked sensors in the individual sets $\hat S^s_{i,j}(t)$.
One attacked sensor can lead to at most three suspicious sensors, namely itself and its two neighbor sensors; hence each $\hat S^s_{i,j}(t)$ contains at least $|\hat S^s_{i,j}(t)|/3$ attacked sensors. Given the detection condition (29), conclusion iii) follows by noting that the set $\hat S^s_i(t) \cup \hat S^a_i(t)$ contains all attacked sensors.
Based on i)-iii), Algorithms 1-2 ensure that the sets $\hat S^a_i(t)$, $\hat S^s_i(t)$, and $\hat S_i(t)$ are all fault-free. The updates of the three sets in Algorithm 2 ensure that $\hat S_i(t)$ and $\hat S^a_i(t)$ are monotonically nondecreasing. Therefore, Assumption 3 is satisfied at time $t$.
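The pairwise consistency test behind conclusion i) and the counting argument behind conclusion iii) can be exercised on constructed measurements. The Python code below is an added example, not the paper's Algorithm 2. It assumes the measurement forms $y_{i,i} = x_i + n_{i,i} + a_i$ and $y_{i-1,i} = x_i - x_{i-1} + n_{i-1,i} + a_{i-1}$ (the forms implied by the identity in the proof of i); that a compromised sensor adds its attack signal to every measurement it produces is an assumption), a string of $N$ sensors, the noise range $(0, \mu_0/\sqrt{2})$ from the simulation section, and a residual threshold of three times the per-element noise bound in place of the exact thresholds of (27) and (29), which are not reproduced on this page. The attack-free certificate further assumes that the surely-attacked set $\hat S^a_i(t)$ is still empty, so only the suspicious set counts toward the attack budget $b$. The vehicle states, noise values and the attack $a_3 = 0.8\,x_3$ are constructed for the example.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Simulation setting reused from the page: each noise element lies in (0, MU0/sqrt(2)).
MU0 = 0.1
NOISE_BOUND = MU0 / math.sqrt(2)
# |n_{i-1,i} + n_{i-1,i-1} - n_{i,i}| <= 3 * NOISE_BOUND elementwise by the triangle
# inequality. The exact threshold of condition (27) is not on this page: assumed here.
RESIDUAL_BOUND = 3 * NOISE_BOUND

Vec = Tuple[float, float]            # (position, velocity) of one vehicle
Meas = Dict[Tuple[int, int], Vec]    # key (j, i): measurement of vehicle i taken by sensor j


def vec_add(a: Vec, b: Vec) -> Vec:
    return (a[0] + b[0], a[1] + b[1])


def vec_sub(a: Vec, b: Vec) -> Vec:
    return (a[0] - b[0], a[1] - b[1])


def measure(states: Sequence[Vec], noise: Meas, attack: Dict[int, Vec]) -> Meas:
    """y_{i,i} = x_i + n_{i,i} + a_i and y_{i-1,i} = x_i - x_{i-1} + n_{i-1,i} + a_{i-1}.

    Vehicles are labelled 1..N (states[0] is vehicle 1). Assumption: a compromised
    sensor j adds its attack signal a_j to every measurement it produces.
    """
    zero: Vec = (0.0, 0.0)
    y: Meas = {}
    for i in range(1, len(states) + 1):
        y[(i, i)] = vec_add(vec_add(states[i - 1], noise[(i, i)]), attack.get(i, zero))
        if i >= 2:
            rel = vec_sub(states[i - 1], states[i - 2])
            y[(i - 1, i)] = vec_add(vec_add(rel, noise[(i - 1, i)]), attack.get(i - 1, zero))
    return y


def pair_residual(y: Meas, i: int) -> Vec:
    """r_i = y_{i-1,i} + y_{i-1,i-1} - y_{i,i}. When sensors i-1 and i are both attack-free
    this equals n_{i-1,i} + n_{i-1,i-1} - n_{i,i}, i.e. pure noise (proof of Lemma 1, i))."""
    return vec_sub(vec_add(y[(i - 1, i)], y[(i - 1, i - 1)]), y[(i, i)])


def inconsistent_pairs(y: Meas, n: int, bound: float = RESIDUAL_BOUND) -> List[int]:
    """Labels i whose residual exceeds the noise bound: sensor i or sensor i-1 is attacked."""
    return [i for i in range(2, n + 1) if max(abs(c) for c in pair_residual(y, i)) > bound]


def suspicious_set(flagged: Sequence[int]) -> List[int]:
    """Every inconsistent pair (i-1, i) puts both of its sensors under suspicion."""
    return sorted({k for i in flagged for k in (i - 1, i)})


def min_attacked(suspicious: Sequence[int]) -> int:
    """Lower bound on the number of attacked sensors inside the suspicious set. One attacked
    sensor can make at most itself and its two neighbours suspicious, so a maximal run of m
    consecutive suspicious labels contains at least ceil(m/3) attacked sensors."""
    total, run, prev = 0, 0, None
    for k in sorted(suspicious):
        if prev is not None and k == prev + 1:
            run += 1
        else:
            total += math.ceil(run / 3)
            run = 1
        prev = k
    return total + math.ceil(run / 3)


def surely_attack_free(n: int, suspicious: Sequence[int], b: int) -> List[int]:
    """Conclusion iii): once the lower bound reaches the attack budget b, every sensor outside
    the suspicious set is attack-free. Assumes the surely-attacked set is still empty, so
    only the suspicious set counts toward b."""
    if min_attacked(suspicious) >= b:
        return [k for k in range(1, n + 1) if k not in set(suspicious)]
    return []


def demo() -> Dict[str, object]:
    """Constructed five-vehicle example (not the paper's data): sensor 3 is compromised."""
    n, b = 5, 1
    states = [(20.0 * i, 10.0) for i in range(1, n + 1)]      # spacing 20, common speed 10
    noise: Meas = {}
    for i in range(1, n + 1):
        noise[(i, i)] = (0.03, 0.02)                            # inside (0, MU0/sqrt(2))
        if i >= 2:
            noise[(i - 1, i)] = (0.05, 0.01)
    attack = {3: (0.8 * states[2][0], 0.8 * states[2][1])}     # a_3 = w x_3 with w = 0.8
    y = measure(states, noise, attack)
    flagged = inconsistent_pairs(y, n)
    susp = suspicious_set(flagged)
    return {"flagged": flagged, "suspicious": susp,
            "min_attacked": min_attacked(susp), "attack_free": surely_attack_free(n, susp, b)}
```

Running `demo()` flags the pairs (2, 3) and (3, 4), so sensors 2, 3 and 4 become suspicious; since one attacked sensor explains a run of three suspicious labels and the budget is $b = 1$, sensors 1 and 5 are certified attack-free, while nothing can yet be said about which of 2, 3, 4 is the real culprit, which is exactly why the detector keeps a separate "suspected" set.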
F Proof of Theorem 4

To prove the Schur stability of $P$, we show that for each $\lambda_l$, $l = 1, 2, \dots, N$, every root $s$ of $\phi(s)$ lies in the open unit disk, i.e., $|s| < 1$. By applying the bilinear transformation to $\phi(s)$, the Schur stability of $\phi(s)$ is transferred into the Hurwitz stability of a continuous-time polynomial. One can then show that $|s| < 1$ if and only if $g_v > T g_s > 0$ and $T^2 g_s - 2T g_v > -4/\lambda_l$; we refer to [34] for a similar proof. Thus, when $(g_s, g_v)$ are chosen as in Assumption 4, $P$ is Schur stable.
From Theorem 1, (F.1), and (F.2), we have $\limsup_{t\to\infty} \|\delta(t)\| \le \eta$, where $\eta$ is given in (31). Since $P$ is Schur stable, we apply Lemma 2 to (F.3). Since $\|\tilde e_i(t)\| \le \|\tilde E(t)\|$, the conclusion in 1) follows from the definition of the overall function $\phi(t)$ in (4) and Theorem 1. The proof of 2) is the same as that of 1), but uses Theorem 2 instead of Theorem 1 to evaluate the estimation error.
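To see the two inequalities of Assumption 4 at work, the following Python code (an added example, not from the paper) checks them against a direct eigenvalue computation of the closed-loop modes. Two assumptions are made that this page does not state: that the per-mode closed-loop matrix is the Euler-discretised double integrator with the feedback gains scaled by $\lambda_l$, i.e. $\begin{pmatrix} 1 & T \\ -T\lambda_l g_s & 1 - T\lambda_l g_v \end{pmatrix}$, which is the model whose Jury conditions reduce exactly to $g_v > T g_s > 0$ and $T^2 g_s - 2T g_v > -4/\lambda_l$; and that $\lambda_l$ are the eigenvalues of $L_g$ for a string of $N$ followers behind leader 0 in which every vehicle is linked to its predecessor and successor. The closed-form eigenvalues are cross-checked against the characteristic polynomial, and the time step $T = 0.01$ is the one used in the simulations.

```python
import cmath
import math
from typing import List, Sequence, Tuple

Mat2 = Tuple[Tuple[float, float], Tuple[float, float]]


def grounded_string_diag(n: int) -> List[float]:
    """Diagonal of L_g for n followers behind leader 0 in a string where every vehicle is
    linked to its predecessor and successor (assumed topology): vehicles 1..n-1 have two
    neighbours, vehicle n has one. The sub/super-diagonal entries are -1."""
    return [2.0] * (n - 1) + [1.0]


def grounded_string_laplacian_eigs(n: int) -> List[float]:
    """Closed-form eigenvalues of that tridiagonal L_g; all are positive because the leader
    (the grounded node) is reachable from every follower."""
    return [2.0 - 2.0 * math.cos((2 * l - 1) * math.pi / (2 * n + 1)) for l in range(1, n + 1)]


def charpoly_tridiag(diag: Sequence[float], lam: float) -> float:
    """det(L_g - lam*I) by the three-term recurrence for symmetric tridiagonal matrices whose
    off-diagonal entries have unit magnitude; used to confirm the closed form above."""
    p_prev, p = 1.0, diag[0] - lam
    for d in diag[1:]:
        p_prev, p = p, (d - lam) * p - p_prev
    return p


def assumption4_holds(g_s: float, g_v: float, T: float, lams: Sequence[float]) -> bool:
    """Assumption 4: g_v > T g_s > 0 and T^2 g_s - 2 T g_v > -4/lambda_l for every lambda_l."""
    return g_v > T * g_s > 0 and all(T * T * g_s - 2 * T * g_v > -4.0 / lam for lam in lams)


def mode_matrix(g_s: float, g_v: float, T: float, lam: float) -> Mat2:
    """Closed-loop matrix of one Laplacian mode: Euler-discretised double integrator
    (position, velocity) with feedback gains scaled by lambda_l (assumed model)."""
    return ((1.0, T), (-T * lam * g_s, 1.0 - T * lam * g_v))


def spectral_radius_2x2(m: Mat2) -> float:
    """Largest |root| of z^2 - tr(m) z + det(m), handling the complex-root case."""
    (a, b), (c, d) = m
    tr, det = a + d, a * d - b * c
    root = cmath.sqrt(tr * tr - 4.0 * det)
    return max(abs((tr + root) / 2.0), abs((tr - root) / 2.0))


def schur_by_eigenvalues(g_s: float, g_v: float, T: float, lams: Sequence[float]) -> bool:
    """Direct check: every mode matrix has spectral radius strictly below one."""
    return all(spectral_radius_2x2(mode_matrix(g_s, g_v, T, lam)) < 1.0 for lam in lams)


def conditions_agree(g_s: float, g_v: float, T: float, lams: Sequence[float]) -> bool:
    """Jury's test on z^2 - tr z + det for the mode matrix gives 1 - tr + det = T^2 lam g_s,
    1 + tr + det = 4 - 2 T lam g_v + T^2 lam g_s and det = 1 - T lam (g_v - T g_s), which
    are positive / below one exactly under Assumption 4, so both verdicts must coincide."""
    return assumption4_holds(g_s, g_v, T, lams) == schur_by_eigenvalues(g_s, g_v, T, lams)
```

With $T = 0.01$ and, say, $g_s = 1$, $g_v = 2$, both checks report stability for all five modes; with $T = 1$, $g_s = 2$, $g_v = 1$ the first inequality $g_v > T g_s$ fails and the determinant of every mode matrix exceeds one, so both checks report instability. This is the practical content of the remark after Assumption 4: for fixed positive gains, shrinking $T$ eventually satisfies both inequalities.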