A Multiplicative Coordinated Stealthy Attack for Nonlinear Cyber-Physical Systems with Homogeneous Property

Stealthy attacks to cyber-physical systems (CPS) refer to the ones that avoid attack detection mechanisms augmented to the systems typically in the form of anomaly detectors. Various types of stealthy attacks have been reported in the literature. Among the attacks with stealthy property, a recently reported multiplicative coordinated attack is particularly dangerous in that it corrupts sensor and actuator data in a coordinated manner, and it does not require precise system knowledge in order to be stealthy. It must be noted that most of these attacks are applicable to CPS, the physical counterparts of which are of linear dynamics. This could be a limitation since most of the physical dynamic systems that are encountered from CPS perspective are of nonlinear nature. In this work, we present a version of multiplicative coordinated stealthy attack for a class of CPS, the physical counterpart of which possesses nonlinear dynamics. Speciﬁcally, for the physical systems with homogeneous property, the attack is constructed and the eﬀect is analyzed. Various simulations are carried out to illustrate the eﬀect of the attack.


Introduction
e improvement of computing power in embedded systems and significant advances of communication and network technologies have created a new field of cyber-physical systems (CPS) which tightly integrate physical and cyber components. Over the past years, CPS has emerged as an important paradigm to design large-scale distributed systems such as electric power grid systems, water distribution systems, and smart vehicular systems [1,2]. However, recently, the cases where anonymous attackers penetrate the network systems and compromise CPS have increased [3]. e cyber attacks on CPS have caused considerable damages of the physical processes and brought enormous losses in property. e representative attack cases include the attack on Maroochy Shire Council's sewage control systems [4] and the Stuxnet worm virus attack on Supervisory Control and Data Acquisition (SCADA) systems [5].
For developing countermeasures for the known attacks [6][7][8][9]10], comprehensive analysis of the feasible cyber attack mechanisms should be preceded. To date, many cyber attack mechanisms have been discovered and analyzed in [11][12][13][14][15][16][17][18][19]. e representative attack methodologies include Denial of Service (DoS) attack [11], replay attack [12,13], bias injection attack [14], zero dynamics attack [15], robust zero dynamics attack [16], robust pole dynamics attack [17], datadriven covert attack [18], etc. e DoS attack is a jamming method for obstructing data transmission, which is realized by injecting a considerable amount of requests into specific communication channels. e replay attack is an attack method realized by recording sensor measurement outputs for an extended period of time and replacing the measurements with the stored data. e bias injection attack is a type of false data injection attack, which is achieved by injecting the arbitrary constant in the control or sensor signals. e zero dynamics attack is a model based on stealthy attack method, and the attackers generate the sophisticated attack signals using unstable zero dynamics of the targeted system. While the zero dynamics attack requires the exact model knowledge of the target system, the robust zero dynamics attack was developed based on a robust control tool called as a disturbance observer. e attack corrupts the plant without the needs of the exact model knowledge and maintains the stealthiness for finite period. Robust pole dynamics attack is similar but applicable to linear systems with unstable dynamics. e data-driven covert attack is the attack strategy which can compromise the linear systems with parameter uncertainties. e attack utilizes a least mean square method for the parameter estimation, and the attack signals calculated from the estimated model are simultaneously injected into the input and output channels.
Fortunately, the existing attack methods reported in [11][12][13][14][15][16][17][18] have restrictions. For achieving the DoS attack, the attackers need much resources in that all possible communication channels should be occupied. e replay attack can be easily detected by watermarking the actuator signals.
is is because the recorded output signals do not respond to the watermarks coded in the signals. e bias injection attack is not perfectly stealthy, which can be easily detected by anomaly detectors designed for monitoring the anomalous operations. e zero dynamics and robust zero dynamics attacks are dangerous only for the systems with nonminimum phase zeros. Robust pole dynamics attack is only to systems with unstable poles. e data-driven covert attack needs the minimum model knowledge such as the system dimension, although the complete model knowledge is not known to the attackers.
Recently, a notable stealthy attack mechanism capable of overcoming the said restrictions was developed in [19]. e attack is named a multiplicative coordinated stealthy attack and follows the method which multiplicatively compromises both the sensor and control signals in a coordinated manner. e attack design does not require model knowledge as long as the target system is linear. It is not detected by the watermarking technique. e applicability of the attack is not limited to the systems with nonminimum phase zeros nor unstable dynamics. e current work of the multiplicative coordinated stealthy attack introduced in [19], however, has focused on compromising the CPS, the physical counterpart of which is of linear dynamics. In this paper, as an extension of the attack to a class of CPS whose physical counterpart is of nonlinear dynamics, we specifically show that the multiplicative coordinated stealthy attack can compromise target CPS whose physical counterpart is of linear dynamics or of nonlinear dynamics with homogeneous property [20][21][22].
Main research interest of this paper is to reveal that a multiplicative coordinated stealthy attack is applicable to CPS with nonlinear physical plants with homogeneous property and to carry out relevant analysis. We show that the multiplicative coordinated attack is capable of forcing the states of target system far away from the desired trajectories without being detected. Attackers only need to know homogeneity degrees of the target systems. e attack can be realized, even if the attackers have incorrect information about the physical plant and have insufficient knowledge of the controller and the anomaly detector. e comparison with existing attacks (e.g., replay attack and false data injection attack) emphasizes that the multiplicative coordinated attack is particularly dangerous. Finally, two methods capable for detecting the multiplicative coordinated stealthy attacks are briefly discussed and demonstrated through simulations.
It should be noted that the security problem of the nonlinear dynamical systems has been rarely discussed in [23][24][25], while most of the systems have the nonlinearity. e problem of the attack detection and isolation for a class of discrete time nonlinear systems under sensor attack was addressed in [23]. e paper of Kim et al. [24] presented a detection method for the sensor attack and developed a resilient state estimation algorithm for uniformly observable nonlinear systems. e authors in [25] considered the sampled data consensus problem for a class of nonlinear multiagent systems under cyber attack. e rest of this paper is organized as follows. In Section 2, mathematical preliminaries in order to define homogeneous systems are presented. In Section 3, we introduce a class of the nonlinear CPS and the multiplicative coordinated stealthy attack method for homogeneous nonlinear systems is proposed and analyzed. Various simulations are conducted in Section 4. e detection methods for the attack are briefly discussed in Section 5. Finally, conclusions are formulated in Section 6. All proofs are included in Appendix.

Mathematical Preliminaries
Before presenting a stealthy attack method for nonlinear homogeneous systems, we here introduce the basic definitions of homogeneity and the properties. e notion of homogeneity was first introduced in [26] for the stability analysis of a nonlinear system, which has led to interesting results as reported in [20][21][22]. In order to understand whether any function or system has the homogeneous property or not, the concept of dilation is required, and we simply introduce the definition below. Definition 1. For fixed coordinates x � (x 1 , x 2 , . . . , x n ) T ∈ R n / 0 { } and real numbers r i > 0 for 1 ≤ i ≤ n, a dilation Δ r ε : R n ⟶ R n is defined as where ε > 0 with r i being called as homogeneous weights of x [20][21][22]. Now, by using the dilation, we can define the homogeneous function. Definition 2 shows the definition of the homogeneous function, and Lemma 1 shows that the homogeneous functions have a property.

Definition 2.
A function U : R n ⟶ R is said to be a generalized homogeneous function of degree k ∈ R with respect to a dilation Δ r ε with an exponent r, if the following equality holds for all ε > 0. If the exponent r is (1, . . . , 1), the function U(x) is said to be a classical homogeneous function [20][21][22].  [20][21][22].
In next section, we first introduce a CPS and focus on the attack scenario where physical plants are remotely controlled via some unreliable communication network, and the attackers can penetrate such network systems without any restriction. Next, we show that a coordinated attack method can be applied into the nonlinear physical plants with homogeneous properties.

A Multiplicative Coordinated Stealthy
Attack in Cyber-Physical Systems

A Cyber-Physical
System. In this subsection, we briefly discuss a common CPS including a physical plant, a controller, and an anomaly detector. First consider a class of the controllable canonical nonlinear plants on the physical layer which is given by where x � (x 1 , x 2 , . . . , x n ) T ∈ R n is the plant state, u ∈ R is the control input containing actuator attack signal, y ∈ R is the system output, f n : R n ⟶ R, g n : R n ⟶ R, and h n : R n ⟶ R are continuous and smooth mapping, and Ω x denotes the compact set of x. e matrices A and B are, respectively, defined as where I n− 1 ∈ R (n− 1)×(n− 1) is the identity matrix and 0 n− 1 ∈ R n− 1 is the zero vector. Next, we consider a controller given by where c ∈ R m is the controller state, y ∈ R is the sensor output including sensor attack, y r ∈ R is the desired reference assumed to be sufficiently smooth and bounded, u ∈ R is the bounded controller output, and C(·) and U(·) are continuous and smooth mappings. Without loss of generality, it is assumed that the controller (5) is designed such that the system output follows some desired reference trajectory under attack-free condition and it is capable of forcing x to follow the desired reference y r in Ω x . Before introducing the anomaly detector, we assume that (3) satisfies following Assumption 1. is is necessary for constructing the uniformly nonlinear observer in the anomaly detector [27] and guarantees the observability for all control inputs u.
ere exists a diffeomorphism function Ξ : where α n (·) and β j (·) for 1 ≤ j ≤ n are globally Lipschitz in s, For monitoring the system behavior of (3) and detecting the anomalous operations, the anomaly detector is commonly designed. e anomaly detector can be combined with (5) and consists of a full state observer [24,28], a residue signal monitoring system, and an alarm system, which is represented by where z � (z 1 , z 2 , . . . , z n ) T ∈ R n is the estimated state for (6), y ∈ R is the observer output, c ∈ R is the residue signal, and P ∈ R n×n is the positive definite solution of with the observer design parameter θ > 1 and 0 n×n ∈ R n×n . e anomaly detector in (7) will trigger the alarm if and only if where δ T > 0 is a threshold value which is chosen according to a suitable trade-off between the attack detection and the false alarm rate.
where L f h n (x) is a Lie derivative of h n (x) along vector field f [27][28][29].
Remark 2. Unlike linear systems, the observability of the nonlinear system depends on the control input u [27]. Without loss of generality, the system designers will pursue to monitor the system in all regions regardless of u and the Mathematical Problems in Engineering state observer of (7) may realize it. As reported in [24], some papers related to the nonlinear system security have already used the observer, and this paper also follows the common system setting.

A Multiplicative Coordinated Stealthy Attack.
A smart attacker may hope to corrupt the physical plant of (3) without being detected. Defining ϵ � y r − y we say that this type of attack has stealthy and effective properties, which is given as follows: Definition 3. Let c T ≥ 0 be a permissible predefined maximum error bound, and δ T be a detection bound. An attack is called δ T stealthy and c T effective, if are satisfied in a steady state [19].
In Definition 3, (11) implies that the attack is not detected by the common anomaly detectors of (7). Also, (12) implies that the attack is effective in the sense of degrading the tracking performance in a steady state. To be more specific, here, ϵ in (12) represents the tracking error occurring due to the attack, and we will call I ϵ � ‖ϵ‖ as the attack impact in this paper.
In our attack scenario, several assumptions are required to achieve (11) and (12). e assumptions are described below.

Assumption 2.
e nonlinear functions in (3) have homogenous properties given by where α ω , β ω , c ω are the degrees of the homogeneity for f n (x), g n (x), and h n (x) with respect to Δ r ε , respectively.
ere exists a Lyapunov function V(x, c) for the stability of the nonlinear feedback control system given by Assumption 4. e system outputs and control inputs are available to the malicious attackers.

Assumption 5.
e reference is not identically zero.
Assumption 6. CPS operates in a steady state during attack period.
Assumption 2 indicates that we only consider the nonlinear systems with homogeneity property. Note that all linear systems always satisfy homogenous property. Assumption 3 indicates that for the feedback system of (3) and (5), the equilibrium point at the origin is asymptotically stable. is may be readily satisfied by the designed tracking controllers. Assumption 4 indicates that the attackers can arbitrarily change control input signals and sensor measurements without any restriction. Assumption 5 indicates that we only consider the cases of nonzero reference. is is a necessary condition for the attack to be effective. Assumption 6 means the attacks may occur in steady state.
Remark 3. Based on Assumption 4, the malicious attackers can inspect the measurements in real time and can know whether Assumption 5 and Assumption 6 are satisfied or not. If the intercepted measurements remain the nonzero constant for a long period, the CPS works in a steady state and the attacks can occur.
Under Assumptions 1, 2, 3, 4, 5, and 6, we introduce the multiplicative coordinated attack posed on the cyber layer. e attack signals selected by attackers take the multiplicative form given by where a u and a y are the attack signals for actuator and sensor, respectively. Now, using (15), the stealthy condition of a u and a y for covertly compromising the nonlinear systems is derived. Let us find the equilibrium points of the nonlinear systems under the attack and attack-free cases. Recall that a u � a y � 1 is satisfied in attack-free case for all t. We first define an attack-free nonlinear physical system as where x 0 � (x 0,1 , x 0,2 , . . . , x 0,n ) T ∈ R n is the plant state, y 0 is the system output, and y 0 is the corrupted system output. Define equilibrium points of x, y, y, x 0 , y 0 , y 0 , and u as x ⋆ , y ⋆ , y ⋆ , x ⋆ 0 , y ⋆ 0 , y ⋆ 0 , and u ⋆ , respectively. en, (3) and (16) are given in a steady state by Without loss of generality, for guaranteeing the stealthiness, the received output should have the value identical with the attack-free output, i.e., y ⋆ � y ⋆ 0 , and this results in en, Assumption 2 and (18) yield   4 Mathematical Problems in Engineering and by using (17) and (19), we have en, (20) yields a relational expression of a u and a y given by and based on this equation, we can present the multiplicative coordinated stealthy attack method for compromising the nonlinear systems with the homogeneity property.
where κ > 1 is some positive constant.
Proof. see Appendix A.
□ e multiplicative coordinated attack in eorem 1 has the stealthy property of (11) and the effective property of (12). Now, we quantitatively calculate the attack impact, i.e., I ϵ . From eorem 1, we can find a relation equation in a steady state given by y � κ ω y � κ ω y r . By using this, I ϵ is finally obtained as where M ϵ (κ; ω) � 1 − κ ω . e attack impact, i.e., I ϵ , is proportional to ‖M ϵ (κ; ω)‖, and this is represented in the function determined by the parameters of κ and ω. While ω in ‖M ϵ (κ; ω)‖ is determined by the homogeneous properties of the system, i.e., α ω , β ω , c ω , the attack design parameter κ is arbitrarily chosen by attackers. As κ is largely chosen under ω > 0, the attack impact, i.e., I ϵ , increases accordingly. e property of M ϵ (κ; ω) is shown in Figure 1, and it is indeed observed that by choosing large κ, ‖M ϵ (κ; ω)‖ increases. Clearly, the attackers should adjust κ for increasing I ϵ , and from the proper selection of κ, the attack impact I ϵ can be made greater than c T . Here, it should be noted that even if attackers do not have sufficient information about controller (5) and anomaly detector (7), the coordinated attack can be accomplished. Indeed, the attack method of (22) only requires the information on homogeneous degree of physical plant, i.e., α ω , β ω , c ω .

Remark 4.
In a practical view, the attackers may have to consider the saturation of systems [30,31]. If the attackers have specific information about the permissible input range of the actuator, the attack signal a u , i.e., κ ∈ [κ, κ], should stay in a region given by where s and s are the lower and upper limits of the saturating actuator, respectively. en, ‖ϵ‖ is restricted by for the admissible range of κ in (24).

Corollary 1. Let Assumptions 1, 2, 3, 4, 5, and 6 hold. If the control input stays in zero, malicious attackers can choose a stealthy and effective attack signal as
where ] is some constant.
Proof. see Appendix B.
□ e method in Corollary 1 implies that the attackers may compromise (3) only by using the output signal without any needs of the control input signal. e attackers can only use the single communication channel (output channel), and this relieves Assumption 4. Also, in the creation of the attack signal, the homogenous properties, i.e., ω, are not used. is means that the riskiness of the attack can be increased in that the attackers do not need the system model knowledge. If the target system is linear and has one or more poles at the original point of s-domain, the attacker may use Corollary 1.
It is worth noting that the stealthy attack technique for the linear systems can also be verified from eorem 1. We define the linear system as

Mathematical Problems in Engineering
where A P , B P , and C P are the matrices with appropriate dimensions. By following the canonical form of (3), the functions of (27) can be represented by where a i for all i, b, and c j for all j are some constants. e homogeneity degrees of (28) satisfy α ω � c ω and β ω � 0 with respect to Δ r ε , which yields erefore, from eorem 1, the attack signals should be chosen as a u � κ and a y � κ − 1 , and we can propose Corollary 2 as the method for stealthily compromising the linear systems.
Proof. see [19] for more detailed proof.

□
When the attackers compromise the linear systems, any model knowledge about the system dynamics is not required. However, for the stealthy attacks of the nonlinear systems, the attackers may need the minimum knowledge of homogeneity degrees in the nonlinear dynamics.
Until now, we presented the attack methods for the specific systems which have the forms of (3) and (27). However, rigorously, eorem 1 and Corollary 2 do not confine the attack targets into the specific systems of (3) and (27). is means if a target system can be changed into the forms of (3) and (27), the stealthy attack may be achieved. In other words, if there exists new state variable ζ ∈ R n given by where Φ : R n ⟶ R n is a diffeomorphism function such that the system transformed has the forms of (3) or (27), the stealthy attack can be achieved. Here, it should be pointed out that if the attackers use the coordinate changes of (30), considerable model knowledge may be required compared with the existing methods proposed in eorem 1 and Corollary 2. e additional description will be proposed in the simulation of Section 4.
It is worth noting that the multiplicative coordinated stealthy attack may not be easily detected by the existing watermarking detection methods. is is because the response of the probing signals can be obtained without any modification under the attack. Comparing with the replay attacks being easily detected by the probing signals [12,13], the coordinated attack methods are much dangerous. e additional description will be also presented in Section 4.
From attacker's perspective, we introduce several efficient attack methods. Below is, for the nonlinear systems, the extended version of the linear attack method introduced in [19].
Remark 5. When the attacks occur, the abrupt changes of the control input and system output may incur the poor transient performance such as the peaking phenomenon of undershoot or overshoot [32].
is means that the stealthiness can be hindered at the initial time of attack. As a remedy, we introduce the attack method that can guarantee the transient performance as where L(s) is the stable low-pass filter with unity dc-gain.

Remark 6.
In order to destroy the nonlinear systems (3), the attackers may hope to employ the increasing time-varying signals, i.e., _ a u > 0. e attack may be achieved, if a u ≥ 1 is slowly increasing such that is satisfied.

Example 1.
In this section, we conduct various simulations and study the multiplicative coordinated stealthy attack. Let us consider a nonlinear forced physical system given by where x(0) � (0, 0) T . For following a desired reference y r � 1, we design a feedback linearized tracking controller introduced in [33] as where z � (z 1 , z 2 ) T ∈ R 2 . e nonlinear observer in the anomaly detector is designed as e homogeneous degrees of (33) are determined as α ω � 3, β ω � 0, and c ω � 1 with respect to Δ 1,1

{ } ϵ
. We assume that the attackers who aspire to corrupt (33) choose the attack signals as 6 Mathematical Problems in Engineering for t ∈ [50, 150]. e simulation results are shown in Figure 2. e output signal, the corrupted output signal, and the residue signal are shown in Figures 2(a)-2(c), respectively. Before the attack, it is observed that the output signal in Figure 2(a) follows the reference. However, after the attack, due to the attack signals injected into the target system, the actual plant output does not track the reference. e attack impact occurs in control system. e received system output in Figure 2(b) seems as if the output signal asymptotically follows the reference. e anomaly detector which receives the corrupted output signal does not trigger the alarm. Indeed, as shown in Figure 2(c), the residue signal does not exceed the threshold value. From the results, we can claim that the attack has effective and stealthy properties.
For the system of (33)-(36), calculating the attack impacts over several attack signals κ may be worthy work. e result is illustrated in Figure 3. e attack impact is calculated as 0.7544, which is identical with the size of the tracking error shown in Figure 2(a).
In this simulation, it needs to be emphasized that the attackers may have imprecise model knowledge about (33) as where m i for i � 1, 2, . . . , 5 are uncertain parameters. However, even if the attackers have the uncertain parameters, the attack signal in (36) can be formulated.

Example 2.
In this section, we show that the multiplicative coordinated stealthy attack may be more dangerous than the replay attack. For the demonstration, the nonlinear system of (33) is considered again and we assume that probing signals p w is combined with the desired reference y r � 1. e probing signals are selected as various sine waves with different amplitudes over time interval. e new reference denoted by y w r is given by We design a controller capable for tracking y w r as u � 2z 3 1 + 1.5z 2 1 z 2 − 5 _ y − 12.5y + 0.5 € y w r + 5 _ y w r + 12.5y w r .
e anomaly detector identical with (35) is used in this simulation. In order to show the generation of various attack signals, we assume that the attack signals for corrupting (33) are slowly varying as for t ∈ [50, 150]. e results are shown in Figure 4. Unlike the replay attack, the corrupted output reacts to the watermarking signals although the attack occurs.
For clarity, we show the simulation result for the replay attack. It is assumed that the output is recorded from 20 s until 80 s for the replay attack and the recorded output is injected after 90 s. As expected, the recorded output shown in Figure 5 does not respond to the watermarking signals.
rough the simulation, the riskiness of the coordinated attack is definitely highlighted.
In addition, we conduct comparison with the false data injection (sensor) attack [14,15] by simulations. e system considered is the same as before, and we choose the sensor attack signal a y as and it is assumed to be added into y after 50 s, i.e., y � y + a y . e simulation results are shown in Figure 6. As expected, the false data injection attack renders the corrupted output deviate from the desired reference. Unlike the multiplicative coordinated attack, the false data injection attack is easily detected by the anomaly detector. Hence, the potential danger posed by the multiplicative coordinated attack is illustrated.

Example 3. Consider a nonlinear system given by
where Ω x � x ∈ R 2 : x 1 ≥ 0.4, x 2 ≥ 0.5 and x(0) � (1, 1) T . e nonlinear system in (42) does not follow the specific form of (3) and (27). e attackers may not cause severe damage in the system of (42) using methods of eorem 1 and Corollary 2. However, from the specific coordinate transformation, the smart attackers may find the new fact that (42) can be a target system. Define a new state variable ζ � (ζ 1 , ζ 2 ) T ∈ R 2 as ζ 1 � x 1 − x 3 2 � Φ 1 (x) and ζ 2 � x 3 2 � Φ 2 (x). en, we have a linear system given by

Mathematical Problems in Engineering
Now, the attackers can compromise (42) from Corollary 2.
is clearly shows that the multiplicative coordinated attack can be applied into various nonlinear systems. We show that the multiplicative coordinated stealthy attack in Corollary 2 can make the system states of (42) far away from the desired trajectories with the stealthiness. e simulation results are obtained by setting u ⋆ as a constant. e system states, the system output, and the corrupted system output are illustrated in Figure 7. e system states x ⋆ 1 and x ⋆ 2 for κ ∈ [1,10] are shown in Figure 7(a). As κ increases, the system states gradually deviate with the nonlinear nature from the desired trajectories, i.e., x ⋆ when κ � 1. While the actual system output y ⋆ varies for κ, the corrupted output y ⋆ remains steady, as shown in Figure 7(b). e effectiveness is validated.

Remark 7.
It is worth noting that in order to demonstrate the effectiveness of the attack, the experiment using a quadrotor called AR-drone was conducted in [19]. For more detailed description, see [19].

Discussion for Detection Methods
Although this paper mainly focuses on how to formulate the attack signals, proposing detection methods for multiplicative coordinated stealthy attack can be worthy work. In this section, we briefly suggest two detection methods using smart sensors and eliminating homogeneous properties.

Use Smart Sensors.
Using a detection method introduced in [19] may be a solution for detecting the coordinated attacks in the nonlinear systems. Although the detection method has been developed for the linear systems, it seems to be applicable to the nonlinear systems. e detection method proposed in [19] follows design procedure below: (1) Before transmitting the sensor measurements y, the smart sensor with calculation capability adds secret nonzero values χ to the sensor measurements For clarity, we mathematically represent the transmitted signal y T and the constructed signal y C as y T � y + χ, If the multiplicative coordinated attack does not occur, the receiver secures the original signal, i.e., However, when the transmitted signal y T is modified by the coordinated attacks, the constructed signal y C is changed into and this shows that the attackers may not accomplish the stealthy attacks because of the new term, i.e., H(κ; ω; χ).
Here, it should be noted that H(κ; ω; χ) affects the residue signal and as the system designers choose large χ, the new term, i.e., H(κ; ω; χ), increases accordingly. Indeed, we can show that holds for χ 1 > χ 2 . If the system designers hope to detect the attack, χ needs to be chosen as large value.

Eliminate Homogeneous Properties.
Eliminating homogeneous properties may become another detection method. We propose modifying system dynamics by augmenting new nonlinear dynamics which the attackers do not cognize with (3). is may be realized by connecting the new nonlinear systems into (3) as a parallel way. For clear description, we define the modified nonlinear system as  where f v (·), g v (·), and h v (·) are smooth mapping functions, q ∈ R v is new state with v > n, and the matrices A and B are defined as If the system designers can reconfigure (3) as a system without homogeneous characteristics, i.e., the attackers may not accomplish the stealthy attack clearly. Now, we validate the effectiveness of the detection method using smart sensors and consider the systems of Example 1 again. We conduct simulations for several χ, and the results are obtained in Figure 8. In the case when the proposed detection method is not applied, i.e., χ � 0, the anomaly detector cannot detect the attack. However, when the detection method is employed, i.e., χ � 7, 9, the anomaly detector detects the attack as shown in Figures 8(b) and 8(c). e results applying the proposed method in Example 2 are shown in Figure 9. As displayed in Figure 8, we can observe that the coordinated attack is detected. e effectiveness of the proposed method is clearly demonstrated. e detailed analysis for the detection methods will be considered as a future work, and we expect that using smart sensors and eliminating homogeneous properties by modifying system dynamics become appropriate solutions for the attack detection.

Conclusions
e multiplicative coordinated stealthy attack was developed for corrupting the homogeneous nonlinear systems. We analyzed the attack and validated the dangerousness through several simulations. Also, the detection methods were briefly discussed. We hope that the current research results would help to CPS security.
Limits of current study are summarized as follows. is paper only considers single input single output nonlinear systems. Extending the multiplicative coordinated attacks into multiple input multiple output dynamics will be future work. Finally, although this work conceives a method of attack design, discussions on countermeasures are limited. A more comprehensive detection method will be necessary.