Optimal Jamming Attack Scheduling of Interactive Channels

Security threats to Cyber-Physical Systems (CPS), which can seriously disrupt system operation, have recently attracted wide public attention. In order to analyze the impact of potential cyber-attacks, one needs to investigate the attack scheduling strategy from the attacker's perspective. In this paper, we investigate the optimal attack schedules to degrade the system performance through multiple interactive channels against remote state estimation, which differs from studies that consider multiple independent channels. Specifically, a channel is affected when the attacker launches an attack on another one, causing two different loss rates of the data packets. Based on this, we express the estimation error covariance of the remote estimator. Then we give the optimal jamming attack schedule theoretically. Finally, the effectiveness of the theoretical results is shown by numerical simulations.


I. INTRODUCTION
Cyber-Physical Systems are agents with integrated control, communication and computation. CPS are widely applied in many areas, such as aerospace, chemical processes, manufacturing, civil infrastructure, energy, intelligent transportation and the battlefield [1]-[3], [5], [10], [23]. The emergence of cyber-attacks has made wireless CPS more and more vulnerable. To take a very famous example, in June 2010 "Stuxnet" attacked an Iranian nuclear facility at Natanz and damaged 60 percent of the hosts [4]-[6]. It was the first time that physical devices had been damaged by malicious computer programs.
Based on the attacker's model knowledge, disclosure and disruption resources, cyber-attacks can be categorized into Denial-of-Service (DoS) attack, replay attack, false data injection attack, zero dynamics attack, covert attack and eavesdropping attack [7], [10]. Common malicious attacks are the DoS attack [8], replay attack [9] and false data injection attack [7]. A DoS attack aims to cause random loss of transmitted data by jamming the wireless communication channels to block the exchange of information between the system components, and it is the most reachable attack [11]-[13]. Such an attack can ignore the protocols normally used and continually transmit on a wireless channel with a set of frequency bands [14]. A jamming attack may be regarded as a special form of DoS attack [15]. In the present note, we focus on the jamming attack.
The associate editor coordinating the review of this manuscript and approving it for publication was Parul Garg.
Jamming attacks in CPS have been well studied in recent literature [16], [17], [19]. Reference [17] gives four different models of jamming attack and evaluates the properties of a wireless node in sending and receiving data packets. Reference [19] describes the transmission between sensors and estimator with a binary random process. In order to understand the behavior of potential attackers, one needs to investigate malicious attacks from the viewpoint of an attacker [13]. Therefore, the optimal attack scheduling strategy and the corresponding attack effect urgently need to be studied for CPS security [20]. Reference [5] is the first work on DoS attack schedules against remote state estimation. On the condition that the attacker's energy is limited, the authors consider a system where only one sensor processes the measurements and sends the data to a remote estimator through a wireless channel. The research purpose of [5] is to determine when the attacker should perform an attack to maximize the average error of the remote estimation. With energy constraints for both the sensor and the attacker, the research shows that the optimal attack scheduling strategy is to attack continuously during the activation period when there is only one channel to transmit data [23]. Extending to the scenario with multiple systems, some interesting results have been obtained against DoS attack [16], [18], [21], [22]. For multiple systems, most existing works which investigate the optimal attack schedules mainly focus on multiple independent wireless channels. Paper [23] first uses two sensors to observe a system and transmits data to the remote estimator through two independent wireless channels. The optimal attack scheduling strategy is to continuously attack one channel when the total states of the system are observed. Reference [10] assumes that the system has two sensors to observe two states, and the energy of the attacker is limited. When the measurements are transmitted through two independent channels, the optimal attack scheduling strategy is to continuously attack one of the channels.
In the actual physical environment, due to similar channel frequency bands or signal crosstalk, an interactive relationship will occur between channels. That is, when an attacker launches a jamming attack on one of the channels, packet loss also occurs on the other channels. Reference [10] does not fully reflect this physical reality, as it only studies the case of transmission through independent channels. Motivated by this, we investigate the optimal attack schedules to degrade the system performance through multiple interactive channels, which differs from the above studies through multiple independent channels. Specifically, we assume that there are two sensors transmitting data packets to a remote estimator through two interactive channels. The transmission success rate is adopted to characterize the coupling relationship between the channels. The attacker, with a limited attack energy budget, decides at each sampling time whether to block the channel to deteriorate the remote estimation quality. The main contribution of this paper is to construct the optimal jamming attack schedules when data packets are transmitted through two interactive wireless channels.
The rest of this paper is organized as follows. Section II presents the system model and attack model, and formulates the optimal jamming attack scheduling problem. Section III constructs the optimal jamming attack schedules when data packets are transmitted through two interactive wireless channels. In Section IV, we provide several numerical examples to validate our theoretical results. Section V draws conclusions.
Notations: Throughout the paper, $\mathbb{Z}$ and $\mathbb{Z}_+$ are the sets of all integers and nonnegative integers, respectively. $\mathbb{R}^n$ represents the $n$-dimensional Euclidean space. $\mathbb{S}^n_+$ is the set of $n \times n$ positive semi-definite matrices. For simplicity, we write $X \ge 0$ for $X \in \mathbb{S}^n_+$, and $X > 0$ means that $X$ is a positive definite matrix. For functions $f, f_1, f_2 : \mathbb{S}^n_+ \to \mathbb{S}^n_+$, define $f_1 \circ f_2(X) = f_1(f_2(X))$ and $f^t(X) = \underbrace{f \circ f \circ \cdots \circ f}_{t \text{ times}}(X)$. $P[X]$ and $E[X]$ refer to probability and expectation for a random variable $X$, whose spectral radius is presented by $\rho(X)$. The notation $\lfloor \cdot \rfloor$ refers to the floor function.

II. PROBLEM FORMULATION

A. SYSTEM MODEL
As shown in Fig. 1, we consider a general discrete linear time-invariant (LTI) process in wireless CPS: is the measurement noise which is also assumed to be white Gaussian with covariance matrix $R_i > 0$. We assume that the initial state of the plant is zero-mean white Gaussian with covariance matrix $P_i(0) > 0$. Moreover, $x_i(0)$, $\upsilon_i(k)$ and $\omega_i(k)$ are assumed to be mutually independent. The To make the problem tractable, we assume that $(A_1, C_1)$ and $(A_2, C_2)$ are both observable [10].
The Kalman filter is an optimal linear filter. In remote state estimation, each sensor first obtains a local state estimate with a Kalman filter. We use $x_i(k)$ and $P_i(k)$ to represent the local state estimate and its corresponding estimation error covariance matrix, i.e., (2) The standard Kalman filter process is as follows: wherē Furthermore, $P_i(k)$ converges to a steady-state value at an exponential rate. Without any performance loss, we assume that the steady value of $P_i(k)$ is represented by $P_i$ $(i = 1, 2)$, which reaches the steady state at a time $k$.

B. ATTACK MODEL
We suppose that there is only one jamming attacker in the system. The attacker can launch a jamming attack on only one of the channels because the wireless communication radio can only act upon one of the channels at each time step [25]. On condition that the attacker's energy is limited, the attacker decides which channel to attack at every moment. If there is no jamming attacker in the wireless channels, the data packets will arrive at the remote estimator successfully. For any $k$, $\lambda(k) = i$ $(i = 1, 2)$ represents that channel $i$ is under the jamming attack, and $\lambda(k) = 0$ denotes that none of the channels is under the jamming attack launched by the jamming attacker. Because only one of the channels can be jammed by the attacker at every moment, it follows that $\mathbf{1}_{\lambda(k)=1} + \mathbf{1}_{\lambda(k)=2} \le 1,\ \forall k \in \mathbb{Z}_+$, in which $\mathbf{1}_{\mathrm{cond}}$ is an indicator function, i.e., $\mathbf{1}_{\mathrm{cond}} = 1$ if cond holds and $\mathbf{1}_{\mathrm{cond}} = 0$ otherwise.
In this paper, we study the case where transmission channels interact with each other, that is, there is a coupling relationship between channels. The transmission success probability satisfying $\Pr[\gamma_{ij}(k) = 1] = \gamma_{ij}$ is used to reflect the coupling relationship between channels. More specifically, when the attacker launches an attack on channel 1, the probability of successful transmission of channel 1 is $\gamma_{11}$, and the probability of successful transmission of channel 2 is $\gamma_{12}$; when the attacker attacks channel 2, the probability of successful transmission of channel 1 is $\gamma_{21}$, and the probability of successful transmission of channel 2 is $\gamma_{22}$.

C. PROBLEM FORMULATION
For a time horizon $T$, the attacker's schedule can be denoted as $s = (\lambda(1), \lambda(2), \ldots, \lambda(T))$. Denote $x_i(k)$ and $P_i(k)$ as the state estimate of the remote estimator and the corresponding estimation error covariance matrix, respectively, i.e.,
Average Error: For a given attack schedule, the average expectation of the estimation error covariance is defined as $J_i(s)$, i.e.,
Problem 2.1: Find the optimal energy efficient attack schedule which maximizes the whole estimation error, that is (16)
in which $S = \{0, 1, 2\}^T$ is the set of all the possible jamming attack schedules. Constraint (13) means that the total energy of the attacker is limited to , where i represents the consumed energy that the attacker launches jamming attack on channel i once. Constraint (14) shows that only one channel is under jamming attack at a time $k$. Constraint (15) shows that each channel is attacked at least once during the period $T$. Constraint (16) means the remaining energy, which is equal to the total energy minus the spent energy, to attack on any channel. In other words, the attacker uses enough energy to attack more times on the wireless channels, which can degrade the estimation performance at a much higher level.

III. OPTIMAL ENERGY EFFICIENT JAMMING ATTACK SCHEDULE
The optimal estimation $x_i(k)$ and its corresponding error covariance matrix $P_i(k)$ can be calculated using the following formulas: in which $h_i(X) = A_i X A_i^T + Q_i$, $i = 1, 2$. In the following, we aim to find the optimal energy efficient jamming attack schedule to solve Problem 2.1.
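The coupling model of Section II-B and the error-covariance update above can be checked numerically to see how much crosstalk between channels inflates the estimator's expected error for a given schedule. The following is an added example, not code from the paper: it assumes the usual intermittent-observation recursion $M_i(k) = \gamma \cdot P_i + (1-\gamma)\, h_i(M_i(k-1))$ (the paper's own formulas are not reproduced on this page), scalar systems, and constructed parameter values; all function and constant names are hypothetical.

```python
# Added example: expected remote-estimation error under a jamming schedule.
# Assumed model (not taken verbatim from the paper): a packet on channel i
# arrives with probability g; on arrival the error covariance resets to its
# steady-state value, otherwise it grows through h_i(X) = a_i^2 X + q_i.
# All numeric values below are constructed for illustration.

SYSTEMS = [(1.2, 1.0, 0.5, 0.5), (1.1, 1.0, 0.5, 0.5)]  # (a, c, q, r), scalar
COUPLED = [[0.3, 0.7], [0.8, 0.2]]       # [j][i] = gamma_{j+1,i+1}
INDEPENDENT = [[0.3, 1.0], [1.0, 0.2]]   # jamming one channel spares the other
SCHEDULE = [1, 1, 1, 2, 2, 0, 0, 0, 0, 0]  # lambda(k): 0 idle, i = jam channel i


def steady_state_cov(a, c, q, r, iters=500):
    """Fixed point of the scalar Kalman (Riccati) recursion."""
    p = q
    for _ in range(iters):
        prior = a * a * p + q
        p = prior - (prior * c) ** 2 / (c * c * prior + r)
    return p


def expected_cov(schedule, gamma, systems=SYSTEMS):
    """Per-step expected error covariances (M_1(k), M_2(k))."""
    pbar = [steady_state_cov(*s) for s in systems]
    m = list(pbar)  # estimator starts in steady state
    trace = []
    for lam in schedule:
        for i, (a, _c, q, _r) in enumerate(systems):
            g = 1.0 if lam == 0 else gamma[lam - 1][i]
            # h is affine, so E[h(P)] = h(E[P])
            m[i] = g * pbar[i] + (1.0 - g) * (a * a * m[i] + q)
        trace.append(tuple(m))
    return trace


def average_error(schedule, gamma, systems=SYSTEMS):
    """Time-averaged sum of both channels' expected error covariances."""
    trace = expected_cov(schedule, gamma, systems)
    return sum(m1 + m2 for m1, m2 in trace) / len(trace)


if __name__ == "__main__":
    for name, g in (("independent", INDEPENDENT), ("coupled", COUPLED)):
        print(name, round(average_error(SCHEDULE, g), 4))
    print("no jamming", round(average_error([0] * len(SCHEDULE), COUPLED), 4))
```

Comparing the `COUPLED` and `INDEPENDENT` results for the same schedule gives the extra degradation attributable to crosstalk alone, which is the margin a designer would need to budget for when channels share nearby frequency bands.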
Lemma 2: $h(X) = AXA^T + Q$ is monotonically increasing for any $X$.
Proof: Assume $X_1 > X_2$, then $X_1 - X_2 > 0$, and thus $A(X_1 - X_2)A^T > 0$.
However, Paper [10] has proved that the optimal energy efficient jamming attack schedule is to continuously jam one of the channels until the attacker runs out of its total energy. For our problem, according to the interaction of the two physical systems and the results in [10], without loss of generality, we suppose that the form of the optimal energy efficient attack schedule is as follows: in which τ 1 1 + τ 2 2 ≤ , τ i ∈ Z + , i = 1, 2. Denote $E[P_i(k)] = M_i(k)$ and its initial value of error covariance as: For simplicity, it is assumed that 1 2 = α β , where $\alpha$ and $\beta$ denote two co-prime integers. This means that the energy of launching $\beta$ consecutive attacks on channel 1 equals that of launching $\alpha$ consecutive attacks on channel 2. Thus, according to (18), we have (1 − γ 11 ) q h q 1 (P 1 ) Define $J$ as the total expectation of the estimation error covariance, then
Lemma 3: For $P_{11}$ and $P_1$ defined by (25) and (20), respectively, it holds that $P_{11} \ge P_1$.
Proof: In fact, where the inequality is due to Lemma 1.

Lemma 4: More attacks result in greater degradation of system performance.
Proof: Let $J_1$ and $J_2$ be the total expectations of the estimation error covariance when channel $i$ is attacked $n$ times and $n - 1$ times, respectively. Then, Similarly, $M_i(n) - P_i > 0$ due to Lemma 3. Therefore, $J_1 > J_2$. We conclude that more attacks result in greater degradation of system performance.
Based on the above analysis, we have the following theorem which gives the optimal energy efficient attack schedule.
Theorem 1: Consider the system with two sensors which is formed as (1). $s_{\tau_1^*,\tau_2^*}$ is the optimal energy efficient jamming attack schedule for Problem 2.1, in which $\tau_1^*, \tau_2^* \in \mathbb{Z}_+$ can be calculated as follows when It holds that For any $k \ge 1$, we know that .

IV. ILLUSTRATIVE EXAMPLES
In this section, some numerical simulations are provided to show the optimal energy efficient jamming attack schedule Fig. 2, we can find that our proposed theorem still holds the maximum with the value of $\gamma_{ij}$. Fig. 4 provides the response trajectory of $\mathrm{Tr}[J(s_{\tau_1,\tau_2})]$ varying with $\tau_2$. Combining Fig. 2 and Fig. 3, the theorem we mentioned is still feasible to find the optimal scheduling strategy.

V. CONCLUSIONS
In this paper, we consider the case where the data packets are transmitted through two interactive wireless channels. Specifically, one channel can be affected when the attacker jams another channel, which causes two different loss rates of the data packets. We propose a theorem to find the optimal jamming attack schedule and prove its correctness by some simulations. Future works include investigating the case of multiple channels eoretic method, considering the case where the attacker is equipped with energy constraints, and studying the case where there is a constraint on the sensors.