Quickest detection of bias injection attacks on the glucose sensor in the artificial pancreas under meal disturbances

Modern glucose sensors deployed in closed-loop insulin delivery systems, so-called artificial pancreas use wireless communication channels. While this allows a flexible system design, it also introduces vulnerability to cyberattacks. Timely detection and mitigation of attacks are imperative for device safety. However, large unknown meal disturbances are a crucial challenge in determining whether the sensor has been compromised or the sensor glucose trajectories are normal. We address this issue from a control-theoretic security perspective. In particular, a time-varying Kalman filter is employed to handle the sporadic meal intakes. The filter prediction error is then statistically evaluated to detect anomalies if present. We compare two state-of-the-art online anomaly detection algorithms, namely the 𝜒 2 and CUSUM tests. We establish a robust optimal detection rule for unknown bias injections. Even if the optimality holds only for the restrictive case of constant bias injections, we show that the proposed model-based anomaly detection scheme is also effective for generic non-stealthy sensor deception attacks through numerical simulations.


Introduction
Type 1 diabetes (T1D) is an autoimmune disease in which insulin secretion is lost due to the self-destruction of pancreatic beta cells.In 2021, a study estimated that there were 8.4 million individuals worldwide affected by T1D [1].Furthermore, this number was projected to increase up to 17.4 million in 2040.Thus, treatment of T1D is of paramount importance.Patients with T1D require exogenous insulin administration to maintain their blood glucose (BG) levels in a safe range.This is achieved by either multiple daily injections of long-acting insulin or by continuous infusion of rapid-acting insulin via a portable pump.The latter offers more flexibility to patients in their social lives and also enables tighter control of the BG levels [2].Moreover, thanks to the advances in wearable medical devices and wireless communication technologies, insulin pump therapy can be conveniently automated.In fact, the concept of automated insulin delivery systems termed the artificial pancreas (AP), has been an active research endeavor since the 1960s [3].Finally, in 2016, the U.S. Food and Drug Administration (FDA) approved a commercial AP for the first time [4].The AP is essentially a control system consisting of three main components: an insulin pump as the actuator, a continuous glucose monitor (CGM) as the sensor, and an embedded controller.The control objective is to maximize the time spent in the normoglycemic range, which is typically 70-140 mg/dl for preprandial (fasting) glucose, and less than 180 mg/dl for postprandial glucose [5].The pump dispenses a proper amount of insulin to regulate the BG levels as dictated by the closed-loop controller.The infusion rate is determined based on real-time CGM readings.
Modern AP systems use wireless communication technologies such as Bluetooth low energy to exchange data between their components.While wireless communication renders the design of a portable AP feasible, it also introduces vulnerabilities to cyber threats.In 2011, a study showed that both passive and active attacks on insulin pumps and glucose sensors were possible with public-domain information and easily accessible off-the-shelf hardware [6].At a security conference in 2012, a white hat hacker hijacked an insulin pump from as far as 300 ft away with the aid of a high-gain antenna to boost the scanner range [7].These early examples of cyberattacks were staged when the targeted systems lacked basic network security measures such as authentication and encryption.Network security measures are clearly necessary, but not sufficient to completely eliminate the risk of cyber threats.In fact, Medtronic Inc., a leading diabetes device company, had to issue cybersecurity-related safety notifications to their users https://doi.org/10.1016/j.jprocont.2024.103162Received 19 October 2023; Received in revised form 22 December 2023; Accepted 8 January 2024 F.E. Tosun et al. in 2019 and 2022, which are also reported on the FDA's site [8].Fortunately, the FDA is aware of no cyberattacks that targeted real AP users.Nevertheless, engineers must constantly strive to minimize the risk of cyber threats.
Complementary to the network security measures such as encryption [9], intelligent anomaly detection algorithms that exploit the input-output history as well as dynamical model knowledge enhance the security of cyber-physical systems (CPS).In particular, the field of control-theoretic security for CPS has emerged and attracted increasing research attention over the last decade.So far as the practical applications are concerned, the existing literature in this field is mainly focused on power, transportation, and industrial process infrastructures [10].However, we believe that biomedical CPS such as the AP would also greatly benefit from a control-theoretic security perspective.
The range of cyberattack strategies against CPS is rather vast.In this work, we focus on sensor bias injection attacks, where the adversary injects a constant bias into the compromised sensor readings.This type of attack requires limited model knowledge as opposed to stealthy false data injection (FDI) attacks [11].Due to ease of implementation, bias injections are arguably more likely than more sophisticated FDI attacks to [12].Moreover, positive bias injections can drive the patient into a hypoglycemic coma (i.e., too low BG levels), which can be fatal, if not detected timely [13].
The intelligence and malicious intent of the adversary constitute the fundamental difference between FDI attacks and natural sensor failures [14].The latter problem was addressed by some notable work for a general class of CGM failures from a process fault detection perspective [15][16][17].However, such fault detection methods cannot adequately address carefully orchestrated FDI attacks since faults are random and not engineered by a smart entity.For instance, to make the attack harder to detect, the adversary can exploit the added uncertainty during meal ingestion by choosing the attack onset accordingly [13].
Typical defense strategies against sensor attacks include secure state estimation schemes that exploit sensor redundancy [18] and machine learning-based methods [19].The former is not suitable for AP systems since currently, the only measurable physiological variable is the BG.The latter requires a significant amount of data collection in both the attack-free and the attack scenarios.Moreover, they are prone to relatively large detection delays as they process data in batches.Consequently, their effectiveness is hindered by the necessity of a sufficiently fast sampling rate.An ideal sensor anomaly detector for the AP must be able to timely detect attacks in the presence of non-persistent meal disturbances without sensor redundancy.
In this work, we formulate the challenge of detecting bias injections on the CGM under meal uncertainty as a statistical change detection problem.We use a time-varying Kalman filter as a software sensor to monitor the state of the AP.The filter uses a physiological model for BG dynamics and CGM readings to estimate the unmeasured states.The filter innovations are evaluated to decide whether an anomaly has occurred.For statistical evaluation, we consider two well-known online anomaly detectors: the  2 and cumulative sum (CUSUM) tests.We compare and study these detectors through the lens of the quickest change detection (QCD) framework, and derive a robust optimal detection procedure for constant bias injection attacks.Through simulations, we show that the proposed method is suboptimal but effective against generic non-stealthy FDI attacks including slow bias injections.
The rest of the article is organized as follows.Section 2 presents the preliminaries and the problem formulation.The proposed online anomaly detection scheme is introduced in Section 3. Section 4 delves into the implementations of the  2 and CUSUM detectors within the formalism of QCD theory.The efficacy of the proposed method is demonstrated through numerical simulations in Section 5. Finally, Section 6 summarizes the key findings of our study and provides concluding remarks.

Preliminaries
This section presents the necessary preliminaries for a thorough understanding of this paper.The first subsection presents the mathematical notation used throughout this paper.The second subsection presents the physiological model for BG dynamics.The final subsection presents the mathematical formulation of the attack detection problem.

Notation
For the convenience of the reader, the notation is grouped into the following categories: Algebra Miscellaneous: The symbols ≜ and ≡ mean ''defined as'' and ''identical to'', respectively.The infimum (greatest lower bound) and supremum (least upper bound) of the set  are denoted by inf  and sup , respectively.

Physiological model for BG dynamics
In this work, we consider the Medtronic virtual patient (MVP) model for BG dynamics in T1D [20].It is a low-order control-relevant model whose validation was performed against independent clinical data [21].In control systems terminology, the insulin infusion rate is the control input and meal intakes are disturbances to BG regulation.The MVP model consists of the following set of ordinary differential equations: where  ℎ () (g/min) is the meal intake, () (g) is the glucose mass in the first gut compartment, and   is the corresponding time constant.
Typically, meals are assumed to be ingested instantly [22].Thus,  ℎ () is modeled as an impulse train as: where   (min) is the time instant of the th meal intake,   (g) is the amount of the carbohydrate (CHO) consumed at   , and (⋅) is the Dirac delta function.

Problem setup
In this section, we formulate sensor anomaly detection as a statistical change detection problem.In our context, an anomaly is defined as any deviation of the controlled CPS (i.e., the AP) from the nominal behavior.In this work, we consider model-based anomaly detection that involves two subsequent steps: residual generation and evaluation [23].As the name suggests, a model-based detection scheme utilizes model knowledge and input-output history to detect anomalous behavior in the system.
We employ a discrete-time (DT) Kalman filter as the residual generator since the CGM provides measurements at discrete sampling instants.Designing a Kalman filter requires a linear model.However, the MVP model is nonlinear and in continuous time.Hence, we derive an approximate DT linear model as follows.Let  ∈ N be the discretetime index, and ℎ be the sampling period with  = ℎ.Then, the following DT linear system approximates the combined dynamics of ( 1) and ( 2): where The linearization is made around the fasting equilibrium with basal insulin delivery rate.The appendix presents a detailed explanation of the linearization and discretization procedures.

Meal announcements
A meal intake is characterized by the size and time of the consumed CHO as in (3).We assume the time of each meal intake is accurately reported by the patient.However, the meal size estimate is subject to error [24].The meal size can be estimated by manual CHO counting or with the aid of a dedicated computer vision-based app such as Go-CARB [25].Alternatively, instead of inputting the exact CHO amount, the user may be prompted to select from a three-or four-scale meal size [22].In any case, a meal announcement may be formulated as: where ĉ (g) is the th meal size estimate,   is the corresponding discrete-time index, and  ,  is the Kronecker delta function defined as follows: In this setting, the round-off error regarding the time of meal onset is neglected.The actual meal size   is an unknown deterministic variable.
For simplicity, we model the meal estimation error as a normal variable as follows: where c is the error in estimating the size of the th meal,   is the corresponding standard deviation.

Attack detection as a hypothesis testing problem
A constant bias injection on the CGM is modeled as: where [⋅] denotes the discrete unit step function,   is the attack start time, and ā is the amount of injected bias.These two attack parameters are unknown but deterministic.The attack detection may be formulated as a binary hypothesis testing problem where the null and alternative hypotheses are, respectively, as follows: The probability laws corresponding to  0 and  1 are required to implement a statistical test, and derived in the next section.

Proposed detection scheme
In this section, we present the proposed model-based detection scheme for FDI attacks as depicted in Fig. 1 where )  ] is the associated error covariance, and [] is the filter gain [26].The recursions start from The difference between the measured and the predicted output by the Kalman filter is called the innovation, and is defined as follows: In the absence of anomalies, that is [] ≡ 0, [] is a zero-mean white Gaussian sequence with standard deviation   [] = √  []  +  [27].The innovation [] is a non-stationary random sequence since   [𝑘] is time-varying.To circumvent this issue, we normalize [] with its variance as follows: The standardized innovation sequence [] is independent and identically distributed (IID), and chosen as the residual signal for anomaly detection.
When  0 holds true, we have already established that [] ∼  (0, 1).Similarly, when  1 holds true, [] simply assumes a Gaussian with the same variance but a time-varying mean for any additive deterministic FDI attack.To derive the mean of [] under such attacks, consider the following residual dynamics: Fig. 1.A schematic diagram of the proposed anomaly detection scheme. In Here,   [] is simply the deviation of the residual from the true noisy measurements at time .Thus; when  1 holds true, the residual becomes For ease of theoretical exposition, a steady-state analysis of the attacked residual is in order.The steady-state error covariance P is obtained by solving the following DT algebraic Riccati equation: The corresponding steady-state filter gain K is equal to: Let x and r be the corresponding steady-state values of x [] and   [𝑘].By definition, they are computed by solving (16) for x [ + 1] = x [] = x .Thus, we get: where  is a scaling factor for the residual-mean under a constant bias injection.
Since  − K is Schur stable, the inverse of ( − K − ) uniquely exists.Due to filter dynamics, it takes a few iterations before the attacked residual-mean   [] converges to its steady-state value of r .Nevertheless, the transients are neglected in the subsequent analysis as the Kalman filter is known to converge quickly.Consequently, the detection of bias injections on the CGM is formulated as a sequential (online) change detection problem as follows: This is a classical problem of detecting a shift in the mean of a Gaussian sequence with known variance and unknown change point which is in our case the attack start time   .The major challenge here is the lack of knowledge regarding the change parameter r , which is a linear function of the injected bias ā as in (21).Since it is not realistic to know ā beforehand, a conceivable way to address this issue is to employ a  2 detector which only requires the probability distribution corresponding to  0 .However, despite the simplicity, negligence of the alternative hypothesis  1 may result in significant performance loss in detection delay as shown in Section 5.
If r is (assumed to be) known,  1 is a simple hypothesis just as  0 .On the contrary,  1 is a composite hypothesis if r belongs to a set with at least two elements.Thus, we call (22) a composite change detection problem when r is not fully known.In detection theory, there are two major paradigms to handle composite change detection problems: adaptive and minimax [28].Adaptive detectors such as the generalized likelihood ratio test aim to detect the change by estimating the unknown r .However, they are computationally infeasible in realtime unless a sliding-window approach is used.However, this results in performance loss since only partial data history is used [29].On the other hand, a minimax detector aims to guarantee a certain performance under the worst-case scenario.More precisely, a minimax detector is tuned according to the least favorable value of r instead of estimating it.The upside of the minimax approach is that it is of the same complexity as a simple change detection problem where r is known.Moreover, it admits a recursive solution; hence, all data history can be exploited with minimal computational burden.
In this work, we propose to employ a minimax robust two-sided CUSUM detector as summarized in Algorithm 1.As explained in detail in Section 4.2.3, the detector is tuned to be sensitive to the maximum tolerable bias in CGM readings.Due to the symmetry, the detector is equally sensitive to the positive and negative biases.In essence, we treat the unknown change parameter r as a tuning knob that adjusts the trade-off between the detector's sensitivity to the noise and detection performance.As evident from (21), it is a function of both the system dynamics and the injected bias ā.This approach ensures robust detection for a wide range of attack parameters.

Quickest change detection theory
In this section, we present some key notions regarding statistical hypothesis testing, more specifically in the context of QCD.In particular, QCD algorithms aim to detect abrupt changes in the statistical properties of a random process as quickly as possible after the unknown change time whilst satisfying a specified false alarm constraint.We restrict the discussion to the case where the observations before and after the change are IID.We denote the pre-and post-change distributions by  0 and  1 , respectively.We begin by introducing some key definitions.
Definition 2 (Kullback-Leibler Divergence).The Kullback-Leibler divergence (KLD) between two distributions  1 and  0 is defined as The information-theoretic notion of KLD was proposed as a measure of the dissimilarity between  1 and  0 in the seminal work of Kullback and Leibler [30].In particular, ( 1 ∥  0 ) is 0 only when  1 () =  0 (), and positive otherwise.It is a key quantity in characterizing the performance of QCD algorithms [31] as well as the stealthiness of FDI attacks in stochastic CPS [32].

Definition 3 (Stopping Time).
A stopping time on a random sequence (  ) ≥1 is a random variable  such that for each discrete-time instant , the event { = } belongs to the -algebra generated by ( 1 , … ,   ).
To put it simply,  depends only on the information available up to and including time , but not on any future information.An online anomaly detector may be conveniently defined in terms of a stopping time on its residual sequence as follows: where [] is the test statistic at time , which is a causal function of  [𝑘] and  is the decision threshold.Thus, the stopping time of a detector is a positive integer-valued random variable that gives the number of residual measurements taken until an alarm is triggered for the first time.The stopping time is a quintessential notion for quantifying the operating characteristics of a detector including the detection delay as shall be explained now.
For notational brevity, let E   [ ] be the mean value of  when the change point is   .Consequently, let E ∞ [ ] denote the mean of  when the change occurs at infinity, or equivalently when no attack is present.In particular, E ∞ [ ] is the average time between false alarms which should ideally be as large as possible.From now on, we refer to this quantity as the false alarm interval (FAI).When no prior distribution on   is available, the following constraint set is used for the QCD algorithms of interest [31]: The parameter  denotes the minimum acceptable FAI.Next, let us define the detection delay as  −  , which is clearly a random variable.Thus, we consider the average detection delay (ADD) as follows: Please note that in the present setting,  −   = 1 implies instant detection of the attack.Ideally, we wish to find the stopping time in the set   that minimizes (27) uniformly over all possible change points   ≥ 0. However, such procedures do not exist [29].Instead, one can resort to a minimax (i.e., worst-case) approach.To this end, we consider the worst-case (maximal) ADD as originally proposed by Pollak [33]: Hence, we seek to find an optimal detector  * such that: In words, an optimal detection rule minimizes the maximal ADD within the feasible set   .Unfortunately, finding  * proves to be intractable in most cases, but certain QCD algorithms such as the CUSUM test are second-order asymptotically (i.e., as  → ∞) optimal [31].The exact definition of second-order optimality is highly technical and beyond the scope of this paper.Instead, hereafter, we shall colloquially refer to it as nearly optimal.Based on the theoretical foundations laid out above, we now delve into the online anomaly detectors explored in this study.

𝜒 2 Test
The  2 test is a general-purpose, widely-used anomaly detector to monitor CPS due to its simplicity [34].It is implemented as follows: where  ≥ 1 is the window size,    2 is the corresponding stopping time and [ < 0] = 0.When  = 1, the  2 detector ( 30) is said to be stateless (or memoryless) and stateful otherwise.Since [] is a sequence of independent standard normal variables,    2 [] follows the  2 distribution with  degrees-of-freedom, hence the name.The threshold  is typically chosen to guarantee a false alarm probability of  as follows: The value for  can easily be obtained by solving (31) with the aid of statistical software or a distribution table.
To make a meaningful comparison between the  2 and CUSUM tests, we must use the same metric for the false alarm constraint, namely the FAI.In general, there is no direct relation between  and . Only in the stateless case, they are reciprocals as E ∞ [ 1  2 ] = 1∕.In the stateful case, the test statistic    2 [] is a random walk, and finding the value of  ensuring E ∞ [   2 ] =  involves deriving and solving complicated integral equations.One can instead use Monte Carlo (MC) method to compute  which is arguably simpler and more intuitive.

CUSUM test
The CUSUM test exploits the full history of measurements as well as the knowledge of the post-change distribution, as opposed to the  2 test.The rationale behind this algorithm is to exploit the different behavior of the LLR before and after the change.The following relations between the LLR and the KLD are easily derived from ( 23) and ( 24): where   is the LLR at time .As can be seen from (32),   has a negative mean before the change and a positive mean after the change.Hence, computing the cumulative sum ∑   should be informative about whether a change has occurred.More precisely, ∑   is most likely to attain its minimum at the change point.
In (22), the pre-change distribution  0 is the standard Gaussian whereas the post-change distribution  1 is a Gaussian with mean r and unit variance.In the following subsections, we present three variations of this algorithm.

One-sided CUSUM test
This is the most basic version of the algorithm.Suppose we have a simple change detection problem with r =  where  is a known constant.Then, the LLR sequence of the residual measurements reads as: The one-sided CUSUM test may be implemented recursively as follows: with the recursion starting from   [0] = 0.The recursive nature of (34) enables efficient real-time implementation of the test [31].When  is selected to ensure E ∞ [  ] = ,   is nearly optimal in the sense of (29) with the following asymptotic relationship [29]: It is also exactly optimal with respect to Lorden's more pessimistic measure of worst detection delay which we do not consider in this work [31].Therefore, we believe the CUSUM test among all other known QCD algorithms is the most suitable choice for this work.

Two-sided CUSUM test
Now, suppose we only know the magnitude but not the sign of r such that r ∈ {−, } with  > 0 being the magnitude.Then, the LLRs corresponding to the positive and negative changes, respectively, read as: The two-sided CUSUM test is simply two one-sided tests running in parallel as follows: where Similarly, when  is selected to ensure E ∞ [ 2 ] = , the test is nearly optimal in the sense of (29) [29].

Minimax robust two-sided CUSUM test
The optimality properties of the one-and two-sided CUSUM tests hold only when the presumed change parameter is equal to the true change parameter which is seldom the case.In general, the true change parameter belongs to a so-called uncertainty set.The minimax robust CUSUM test is then simply the ordinary CUSUM test where the presumed change parameter is equal to the worst change parameter.The worst change parameter is the one which renders the postchange distribution least favorable for detection [35].This approach ensures robustness to the unknown change parameter by minimizing the worst-case delay among all values of r within the uncertainty set.
Finding the worst change parameter is not always possible, but luckily, in our case, it is straightforward.Suppose, we know only the minimum magnitude of change such that the uncertainty set is  = {r  ∈ R ∶ |r  | ≥ }.Then, the worst change parameter is ± due to Theorem III.2 in [35].Hence, we propose to employ the two-sided CUSUM detector (37) with  being the minimum change magnitude to which we wish to be sensitive.This value can be determined from (21) for a given bias ā.If the true change magnitude |r  | turns out to be greater than , the attack will get detected even faster as it should be intuitively clear.Please note that smaller bias injections with |r  | <  are also detectable albeit with a delay.The idea is to design a detector with maximal FAI by tolerating the increased detection delay for less harmful attacks.We emphasize that  is a tuning parameter for the detector rather than an absolute bound on the true change parameter.

Numerical simulations
In this section, we present the numerical simulations conducted to demonstrate the efficacy of the proposed detection scheme as well as the theoretical discussion in the previous section.

In silico experimental design
Throughout the rest of the section, we use the MVP simulator as described by ( 1) and ( 2) with the parameter values in Table 1 [20].The simulator corresponds to the T1D Patient block in Fig. 1.The Kalman filter processes the CGM measurements based on the DT dynamical model ( 4) whose numerical values of the system matrices can easily be calculated by referring to Table 1 and the appendix.Similar to [36], we set  as a diagonal matrix with the following entries: (10 −6 , 10 −6 , 10 −6 , 0.5, 10 −6 , 0, 0) and  = 60 (∕) 2 .We select the maximum tolerable bias as 15 (∕).The desired FAI is set to 300 samples, which amounts to slightly less than one false alarm per day assuming a sampling period ℎ = 5 minutes.We employ a DT-PID controller with a filtered derivative term as follows: The target glucose level  0 is set to 100 mg/dl, and the corresponding basal insulin rate Ū is given in (A.6).The controller parameters are:   = 0.2 (mIU/min)/(mg/dl),   = 90 (min),   = 60 (min), and  = 0.1.

Detection performance in the absence of meals
We compare the  2 (30) and two-sided CUSUM (37) detectors without meals under constant bias injections.Fig. 2 plots the operating characteristics of these detectors under two scenarios as computed by MC simulations.In the first scenario, the presumed change parameter is equal to the true change parameter with ā = 15 (mg/dl).The results for this scenario are illustrated by the top three curves.In this case, the optimal and minimax robust CUSUM detectors are identical by definition.The stateless  2 detector suffers from a large detection delay.The stateful  2 detector with a sliding window length of 5 samples greatly reduces the detection delay, yet it is still too large.The delay can be further reduced by increasing , but with a higher computational cost in terms of memory and arithmetic operations.However, the CUSUM detector will outperform the  2 detector for any arbitrarily large  with much less computational cost.
In the second scenario, we have a larger bias injection with ā = 30 (mg/dl).In this case, the maximal ADD of the minimax robust CUSUM detector is lower than that of the first scenario.Moreover,  the performance degradation is insignificant for the desired FAIs as depicted by the bottom two curves.The bottom-most curve refers to the hypothetical scenario where the attack parameter ā is known exactly, and the optimal CUSUM detector is used.The gap between the curves of the minimax robust and optimal CUSUM detectors may be thought of as the price to pay for the loss of information about the true change parameter.
Thus far, we have assumed perfect model knowledge.Next, we investigate the robustness of the proposed method to model mismatch.Since the insulin sensitivity can vary up to 30% over the day, we select   as the perturbed variable for our investigation [37].
In particular, we simulate the ''real'' BG dynamics with the values in Table 1, but overestimate   by 30% in the Kalman filter equations.The results are reported Fig. 3.The maximal ADD is slightly increased due to the discrepancy between the statistics of the theoretical and observed residual.However, the performance degradation is acceptable in spite of the large parameter uncertainty.

Detection performance in the presence of meals
In this subsection, we present an illustrative example to show the efficacy of the proposed method under partially known meal disturbances.The simulations were performed over a 24 h period with 3 meals taken at 5 h, 13 h, and 18 h.To assess the robustness of our method to meal uncertainties, two distinct scenarios were considered.
The first scenario incorporated a small variance of  1  = 10 grams for the meal estimates, while the second scenario incorporated a larger variance of  2  = 30 grams.The meal intakes were identical and equal to 75 g.
In order to be stealthier, the attacker slowly injects the bias using a first-order low-pass filter as follows: where  is a parameter that determines the rate of bias injection and is taken as 0.1.The attacker makes the attack onset   coincide with the third meal intake time so as to exploit the extra uncertainty stemming from the unknown meal size.The attack sequence is depicted in Fig. 4(c).We perform closed-loop MC simulations of the proposed detection algorithm for this attack scenario.The ADDs of the  2 and CUSUM detectors for both small and large meal uncertainties are reported in Table 2.The CUSUM detector has quite satisfactory performance as the attack is detected soon after its onset.The stateful  2 detector performs reasonably well against the large bias injection with small meal uncertainty.However, its detection performance under large meal uncertainty is not as good.The detection delay of the stateless  2 detector is unacceptably large even for the small meal variance.
Fig. 4 shows a representative outcome from the simulations for the small meal variance.In particular, Fig. 4(a) plots the blood and sensor glucose trajectories.Before the attack starts at 18 h, the difference between the blood and sensor glucose values is only due to the sensing delay and measurement noise.Thankfully, the two-sided minimax robust CUSUM test is able to detect the attack well before hypoglycemia is achieved as depicted in Fig. 4(d).
Fig. 4(b) plots the meal disturbance trajectories.The time-varying Kalman filter gradually corrects the meal disturbance estimate, which is initially computed from the meal announcement by the user, as glucose measurements come in.The filter estimate of the meal disturbance gets worse during the FDI attack which is reflected as an anomaly in the CUSUM test statistics.This shows that the time-varying Kalman filter can successfully handle erroneous meal estimates.

Conclusion
In this work, we considered deterministic FDI attacks on the CGM deployed in an AP under partially known meal disturbances.Our problem formulation was generic enough to address natural additive sensor faults, as well.We proposed a model-based detection scheme that is effective, robust, and easy to implement.A time-varying Kalman filter was used to handle the sporadic meal disturbances with known meal intake times.The standardized Kalman filter innovation sequence was chosen as the residual signal due to its amenability to statistical evaluation.We derived the worst-case optimal detection rule against constant bias injection attacks, namely the minimax robust two-sided CUSUM test.We also empirically showed the robustness of our approach to model mismatch.
In future work, we aim to characterize the trade-off between the impact and stealthiness of sensor deception attacks.We also plan to address the problem of distinguishing unannounced meals from a sensor attack as well as intraday variation in physiological parameters.
and  ℎ [] ∈ R is the partially known meal disturbance from the user-provided meal announcement as explained in the next subsection.We introduce the process noise [] ∈ R 7 to account for modeling errors (e.g., due to linearization).The output [] ∈ R is the realtime CGM readings which are corrupted by the inherent sensor noise [] ∈ R as well as a possible FDI [] ∈ R. We assume that [], [], and the initial state [0] are mutually independent random variables with [] ∼  (,  ⪰ ), [] ∼  (0,  > 0), and [0] ∼  (, ).

( 14 )
where x[] ≜ [] − x[] is the state estimation error, and Cℎ [] ≜ ∑ c  ,  is the meal estimation error.Next, we exploit the linearity of the Kalman filter by invoking the superposition principle.To this end, let us decompose x[] into two parts as x[] = x [] + x [] where

Fig. 2 .
Fig.2.The trade-off plots between the FAI and the SADD for the 2 and CUSUM detectors under a small and a large bias injection attack.The shaded area represents the desired FAIs.

Fig. 3 .
Fig. 3.The trade-off plots between the FAI and the SADD for the robust CUSUM detector with the exact model and model mismatch.

:
The sets of natural and real numbers are denoted by N and . We consider a slightly modified version of the standard Kalman filter to handle erroneous meal announcements.Let us define a time-varying process noise  ′ [] ≜  +  2     ,  to include the effect of the meal uncertainty in state estimation.Let [] ≜ {([], Ĉℎ [], []) ∶ 0 ≤  ≤ } be the set of inputoutput observations up to time .Then, the Kalman filter equations read as: particular, x [] is the state estimation error under no attack while x [] is the isolated contribution of the attack to x[].The effect of x [] on the residual measurements is manifested by the following dynamics:

Table 1
The MVP model parameters with their numerical values identified for a certain subject.

Table 2
Monte Carlo estimates of the ADD (in samples) of detectors for  = 300,