Stochastic Models to Mitigate Sparse Sensor Attacks in Continuous-Time Non-Linear Cyber-Physical Systems

Borja Bordel Sánchez ,Ramón Alcarria and Tomás Robles

1Information Technologies Department,Universidad Politécnica de Madrid,Madrid,28031,Spain

2Geospatial Information Department,Universidad Politécnica de Madrid,Madrid,28031,Spain

ABSTRACT Cyber-Physical Systems are very vulnerable to sparse sensor attacks.But current protection mechanisms employ linear and deterministic models which cannot detect attacks precisely.Therefore,in this paper,we propose a new non-linear generalized model to describe Cyber-Physical Systems.This model includes unknown multivariable discrete and continuous-time functions and different multiplicative noises to represent the evolution of physical processes and random effects in the physical and computational worlds.Besides,the digitalization stage in hardware devices is represented too.Attackers and most critical sparse sensor attacks are described through a stochastic process.The reconstruction and protection mechanisms are based on a weighted stochastic model.Error probability in data samples is estimated through different indicators commonly employed in non-linear dynamics (such as the Fourier transform,first-return maps,or the probability density function).A decision algorithm calculates the final reconstructed value considering the previous error probability.An experimental validation based on simulation tools and real deployments is also carried out.Both,the new technology performance and scalability are studied.Results prove that the proposed solution protects Cyber-Physical Systems against up to 92% of attacks and perturbations,with a computational delay below 2.5 s.The proposed model shows a linear complexity,as recursive or iterative structures are not employed,just algebraic and probabilistic functions.In conclusion,the new model and reconstruction mechanism can protect successfully Cyber-Physical Systems against sparse sensor attacks,even in dense or pervasive deployments and scenarios.

KEYWORDS Cyber-physical systems;sparse sensor attack;non-linear models;stochastic models;security

1 Introduction

Cyber-Physical Systems(CPS)are seamless integrations of physical and computational processes[1].Many different architectures and approaches to support these unions have been reported,from schemes based on the control theory [2] to feedback loops in computational systems [3].But all proposed CPS implementations include a sensing platform to monitor the evolution of the physical world[1].That platform is dense,including thousands of networked sensor nodes capable of capturing information through several different physical parameters [4].Those data must be injected into computational processes,to ensure that the cybernetic and physical worlds evolve together in a feedback control loop[5].

Therefore,precise information about physical processes is essential to ensure that the loop is convergent and follows the expected evolution [6].However,it is hardly possible to obtain precise information in real applications [4].Many random effects have an impact on the behavior of CPS,such as noise,transmission errors,measurement,digitalization,and discretization processes[4].In that way,information finally injected into computational processes is not the raw or authentic information acquired from the physical world,but a non-deterministic transformation of it.And this transformed information prevents the CPS from integrating the computational and physical processes with the expected synchronicity and showing the required behavior[7].

Furthermore,as Cyber-Physical Systems are used in more scenarios and applications,including critical infrastructures,they are more exposed to new risks.Eventual and unexpected cyberattacks are the main ones.Although innovative attack strategies have been reported to exploit specific vulnerabilities of CPS [8],nowadays the greatest risks for CPS are still associated with classic cyberattacks such as the Sparse Sensor Attack(SSA).In the SSA[9],attackers introduce false information and/or cause delays in the sensing platform monitoring the physical world at a low level,so the CPS behavior is altered or denied.It is the most common attack in control solutions,and new uncertainty about the physical information injected into the computational processes is to be handled.

In this context,reconstruction mechanisms to recover the original and real information extracted from the physical world are essential[10].The state of any CPS may be described as a multidimensional vector,where each position represents a physical parameter.By establishing the analytical law that describes the trajectory of all those state variables in the phase space,the transformed information received may be corrected through a theoretically predicted CPS state [11].However,in the general case,all physical parameters are not independent,but they are interrelated through complex physical laws[12].The appearance of complex non-linear laws,together with the need for stochastic terms to describe random effects such as sparse sensor cyberattacks,turns quite difficult to find a general highprecision model.Thus,traditional reconstruction schemes are based on some basic assumptions,so the mathematical expressions describing the evolution of CPS are easier to manipulate and implement[13].

Our work is motivated by limitations and vulnerabilities caused by these simple assumptions,which make CPS weaker against cyberattacks than other state-of-the-art technological systems.Namely:

? First,Cyber-Physical Systems are assumed to evolve according to a linear law.

? Second,all terms are considered deterministic,including noise and attacking signals.

? Third,all physical variables are assumed to be fully independent of each other.

? And fourth,physical processes are assumed to be discrete,so digitalization and transmission processes do not have to be explicitly considered.Although those linear deterministic models present important advantages(for example,they can be manipulated to find analytical expressions for the detection and identification of SSA),their applicability is very limited[14].

? Only closed CPS based on a reduced number of physical variables with a smooth and invariant behavior(such as the temperature in a climatized space)are governed and can be secured and protected by such a simple model.

Therefore,more complex and general models are required to protect and mitigate SSA in multidimensional CPS with a continuous-time non-linear behavior.In this paper,we address this challenge.

Three innovative contributions are introduced in this paper:

? A complex non-linear model to describe the CPS behavior in a general situation.

? New signals and models for SSA and digitalization processes.

? The third and final contribution is an innovative reconstruction scheme.

The proposed model describes the behavior of CPS using unknown generic functions,which are developed as Taylor series.This model also includes stochastic terms to represent physical,transmission,and measurement noises.Besides,SS attacks are described as a new signal whose value follows a probabilistic behavior according to a given discrete random variable.Physical processes are represented by continuous-time signals that are discretized using an event-based scheme.The resulting multidimensional model injects discrete data into computational processes,but is too complex to generate analytic expressions to mitigate SSA in CPS.Finally,the proposed reconstruction scheme is supported by a weighted stochastic model where the error probability is estimated through different indicators commonly employed to describe non-linear dynamics (such as the Fourier transform,first-return maps,or the probability density function).A decision algorithm calculates the final reconstructed value considering the previous error probability.

The rest of the paper is organized as follows.Section 2 analyzes the state-of-the-art on cyberattacks and countermeasures in CPS.Section 3 describes the proposed solution,including the mathematical model to describe the behavior of the CPS and the reconstruction and protection scheme to mitigate SSA.Finally,Section 4 describes the experimental validation and the results obtained.Section 5 concludes the paper.

2 Related Works

Cyber-Physical Systems are one of the most promising technological revolutions nowadays.They are expected to govern all production,domestic,and critical digital systems.Due to this relevance,many authors have investigated how to protect CPS against various well-known and innovative attacks.In general,we can distinguish two different protection approaches:those based on control theory and those supported by Information Technologies(IT).

IT protection mechanisms for CPS are usually data processing and filtering modules to remove and correct malicious or corrupted data packets.Stochastic techniques and models [4],advanced filtering algorithms such as the Kalman filter [15],hardware-enabled algorithms such as parameter estimation[16],and pattern recognition techniques to identify unusual information[17]are the most common technologies.As well as game-theory and other common technologies for CPS protection,such as honeypots [18] or Software-Defined Networks [19].However,a limited number of works supporting this vision may be found,as information theory techniques are high-level and agnostic concerning the underlying hardware platform[20].And the most critical cyber risks in CPS nowadays are associated with sensor and actuator nodes[8].Different authors have identified new attack vectors and strategies [8],so feedback loops in CPS can be used to magnify cyberattacks starting in a single hardware node and spreading throughout the entire system.Furthermore,these IT protection technologies are computationally heavy and require long processing times,so they are not effective against fast cyberattacks.Other low-level lightweight techniques are required.

Physical infrastructure protection is,then,a priority in CPS.And most works on CPS security employ control theory to design new hardware protection schemes.Globally,all these technologies follow the same strategy[21]:they estimate or predict a secure future state for the physical platform and/or control loop,which is used to mitigate different types of attacks.Although this paradigm could fully protect CPS [22],it is very difficult to implement in practice and the reported implementation presents different weaknesses.Techniques may be local(or decentralized),distributed,or centralized.

Decentralized state estimation techniques are handled by independent sensing nodes.They are sparse as individual sensors have very limited information and actuation capabilities,so the achieved protection level is poor.Continuous bidimensional linear models are employed to detect perturbations and attacks (typically Denial of Service attacks) and modify the behavior of nodes by,for example,increasing their computational resources [23].The objective is to guarantee the local stability of the control loops by mitigating all perturbances [21].In contrast,other decentralized CPS protection schemes use variance-based strategies (also known as ‘secure control’[14]).This approach is more general and can be applied against a generic cyberattack.Using discrete bidimensional models,tuned filters and tuned control loops can be varied to reduce system errors,even while a cyberattack is running [24].However,even if local control loops can operate normally,with variance-based techniques the global system is handling corrupted data,and that impacts the later global behavior.Some authors have shown that global system protection requires cooperation and information sharing among all agents[21].Distributed techniques fill this gap.

Distributed secure state estimation is useful against systemic attacks such as Byzantine attacks[25].System states are deducted through an optimization process where linear models represent the sensors’outputs and graphs [26],Markov chains [27],binary decision trees [28],and other mathematical paradigms (such as the Lipschitz continuity) [29] are used to represent the interconnections and transmissions among nodes.Custom quasi-linear models for specific applications,such as seriesparallel systems,have been also reported [30,31].However,these protection mechanisms are passive and cannot deploy countermeasures to mitigate the impact of cyberattacks.Then,they must be complemented with specific controllers[32,33]to apply active protection policies on the CPS.Anyway,the final performance of distributed protection techniques is highly dependent on the number of trusted nodes,not affected by the attack[21,34].Furthermore,linear and quasi-linear models cannot represent the output of most complex sensing platforms [35].Thus,reported schemes can only be applied to a reduced number of application scenarios,excluding critical risks such as massive or viral attacks and common nonlinear algorithms.

On the other hand,recently distributed artificial intelligent solutions,such as federated learning[36],Support Vector Machines[37],feature selection[38]or eXplainable Artificial Intelligence(XAI)[39],have also been applied to CPS securitization and intrusion detection.But performance must be enhanced through additional techniques such as reinforcement learning[40].Intelligent solutions must be designed for very specific attacks,as they are usually focused on Denial-of-Service attacks.Although the final results are promising,the balance between cost and performance is still worse than the one observed in other distributed techniques,and they are preferred to be used for privacy preservation[41].

The main disadvantage of distributed protection mechanisms is the increase in system congestion,due to the large number of transmissions required to run the distributed algorithms.On the contrary,centralized approaches may handle global stability and attacks(as distributed techniques)but with a lower system overload.Most reported works follow this paradigm.

Centralized control is usual in CPS,as it is the traditional approach in legacy Supervisory Control And Data Acquisition(SCADA)systems.Different kinds of multi-dimensional models are employed to represent the state of every single node on the platform.These models can be analytically manipulated to define protection algorithms based on Orthogonal-Triangular(QR)decomposition[42]or Linear–Quadratic (LQ) control [43],mitigating the impact of attacks.Models can be deterministic[44] or include some stochastic terms to represent noises [45].Besides,continuous [44] and discrete[46] models may be found.However,most of these models are linear and only consider the selfmaintained evolution of the node output and the measurement errors(in line with traditional control theory models).While other relevant effects,such as the digitalization process or the transmission protocols,are not considered,although they can be relevant.On the other hand,nonlinear models are very rare[47]and they are only developed for specific use cases.This centralized approach is successful against false information attacks(also known as sparse sensor attacks or deception attacks[14]),as it handles a full picture of the CPS.However,current models are very limited,and analytical protection algorithms have a reduced impact in real applications.

Table 1 summarizes the main current approaches and their associated open challenges.

Table 1:State-of-the-art

In this paper,we address this challenge,with a continuous-time generic multidimensional nonlinear model,and a protection policy based on probabilistic decision-making schemes.

3 Proposed Scheme

The proposed solution includes two different phases.First,a multidimensional stochastic model is employed to estimate or predict the future state of the CPS.Later,the obtained secure state estimation is compared to the real state produced by the physical platform.Both values are compared using a probabilistic model,where several indicators are considered.The system state may be replaced or corrected using the predicted secure state if the decision-making algorithm indicates the information is false(corrupted or caused by an SSA).This section describes in detail the entire scheme.Section 3.1 introduces the stochastic model,while Section 3.2 presents the decision-making and protection algorithms.

3.1 Secure State Estimation.Model Description

A CPS is supported by a dense sensing platform includingNdifferent sensor nodesnm.These nodes monitor and control a catalogue ofPdifferent physical variablesxi(t)(1).Each variable is monitored inKidifferent geographical locations(2),so every node controls a different physical variable in a different location(3).If any nodenmmonitors more than one variable,we are analyzing it as two independent nodes located in the same geographical position.

The information to be finally injected into the computational processes(or system state)is a set ofMdiscrete state variablesyj[k],related to the physical variables through a vector unknown function,S(·),named as“system function”(4).This system function integrates five different processes:(i)the physical world’s evolution,(ii) the transduction phase,(iii) the measurement scheme,(iv) the data transmission,and(v)the final processing stage.

The physical world(i)is considered a closed autonomous system,with no external intervention,so the future evolution of the physical variables is only determined by the past values of those same variables (5).The function relating the past and future values of the physical variablesis unknown and,in the general case,non-linear.For clarity,we are using vectorto represent the full ordered collection of physical variables(6).Although it is unknown,vector functionF(·)could be developed as Taylor’s series.

Finally,it is necessary to estimate the value for meanμttand varianceσtt,so error in the proposed model may be properly handled.In general,errors are bigger as values for the meanμtand varianceσtgo up.Then,a superior limit is a good approximation for both parameters(23),which may be easily calculated considering the reproducibility of the Gaussian random variables.In order to get the final values for the meanμttand varianceσttit is enough to apply the same reproducibility law a second time(24).

Finally,as every sensor nodenmhas a different functionTm,the whole CPS is represented by a set ofNdifferent Eq.(27),which can be represented in one vector expression(28).

The third subprocess to be represented in our model is the measurement scheme (iii).This,basically,is a digitalization scheme,developed internally by sensor nodes(see Fig.1).Discrete signalare obtained through an ideal sampling scheme(29),where electrical signals are multiplied by a Dirac comb or impulse trainwith periodTm(30).This periodTmis different for each sensor nodenm.

Figure 1:Ideal sampling scheme

In this digitalization process only the quantification noiseis relevant.This noise,as the digitalization scheme is invariant in time,is also time-invariant,and characterized by a uniform random variable(31).

whereΔmis the quantification step,fixed for every nodenm.

The fourth process to be represented is the data transmission(iv).In general,hardware platforms in CPS are low-energy,and they sleep most of the time.Being event-based,they only activate the transmission subsystem when an event is detected in the physical world.We are defining functionφm[k]as event-triggering function (32).This function takes as value the unit in the discrete time instant a new event must be generated.Its value is zero otherwise.Functionu(·)is the Heaviside step function,keis the last time instant where an event took place,andemis a parameter,different for each nodenm.If signalchanges its value more thanemunits,a new event is triggered.

Data transmission is,once again,an open process,so it is vulnerable to attacks.Denial-of-Service(DoS)attacks in this case.But SSA too(as the transduction phase).Bernoulli distributionΓbrepresents the probability of a DoS attack to be running.Parameterbis equal to the unit if an attack is being performed,or zero if not(33).The attack probabilityρbvaries with time(asΓbis a stochastic process).The estimation scheme for this probability is part of the attack detection algorithm(see Section 3.2).Similarly,Bernoulli distributionΓcrepresents the probability of a SSA to be running at the data transmission stage(34).

All parameters and their meaning are equivalent to distributionsΓaandΓb.

Then,the final analytical model to describe the behavior of CPS includes five different Eq.(40).All parameters and coefficients are known(or may be estimated)butλr,αrandβrwhich must be calculated.The value for those parameters is obtained from an initial calibration process and an optimization algorithm based on the minimization of the Mean Square Error(MSE).

3.2 Reconstruction and Protection Mechanisms

The proposed model (see Section 3.1) considers seven sources of perturbations.On the one hand,errors may be caused by four different phenomena:erratic behaviors in the physical variables,electrical noises,quantification noise,and transmission perturbations.And,on the other hand,three different potential attacks affect CPS in the general case:SSA at the transduction phase,and SSA and Denial-of-Service attacks at the transmission phase.Fig.2 represents the proposed reconstruction and protection mechanisms.

Figure 2:Protection and reconstruction mechanism

As a novelty,the proposed reconstruction and protection mechanism evaluates all these potential perturbations to build a global stochastic process (contrary to traditional deterministic models).This stochastic process B[p,k](41)is discrete.pis a discrete variable representing the four possible situations a CPS state may achieve: unperturbed (p=0),noisy (p=1),SSA-attacked (p=2) and DoS-attacked(p=3).Whilekis a variable representing the discrete time.Similarly,we can defineMstochastic sub-processes Bj[p,k]for each one of theMstate variablesyjconsidered in the CPS.

Figure 3:Stop-band filtering for autocorrelation calculation

Using these five indicators,we can now estimate the probability distribution of the stochastic process B[p,k].Mathematical models for all this probability distribution are a genuine contribution of this work.The unperturbed state(p=0)is only probable when the probabilityμpdfis very high(close to the unit),and distancesμFouandμrtare very low.Any other value is indicating a noisy state(p=1),which is still probable even for smaller values of probabilityμpdfand bigger values of distancesμFouandμrt.But noisy states require a low value for autocorrelationμauto be probable (on the contrary,the CPS may be under a cyberattack).Because of this sensitivity,exponential and power laws are the most adequate ones to represent the probability of the unperturbed stateγ0[k](63),while linear evolutions and slower exponential laws fit the more tolerant behavior of the probability lawγ1[k] of the noisy state(64).

On the other hand,SSA-attacked state(p=2)is characterized by very a low probabilityμpdfbut very high distancesμFouandμrt.As well as a relevant non-null value in the aggregated autocorrelationμauand the aggregated first order forward differencesμdiff.On the contrary,DoS-attacked states(p=3)are usually associated to moderate values for the probabilityμpdf(states are delayed but not manipulated)while still very high distancesμFouandμrt(as they are delayed,states are not coherent with the historical series).The aggregated autocorrelationμauand the aggregated first order forward differencesμdifftend also to be quite reduced.Following a similar philosophy to employed before,we can define the evolution laws for the probabilitiesγ2[k](65)andγ3[k](66).

In an equivalent manner we may calculate the probability distribution for all stochastic subprocesses Bj[p,k](67)

Figure 4:Reconstruction and protection algorithm

Sizes for parametersRunandRrare actually very important and sensible.Large values for those sizes avoid most spurious numerical and transitory effects,but they reduce the precision and sensitivity of the protection and reconstruction algorithm to detect short-term attacks and high-frequency noises.While reduced values for parametersRunandRrbehave exactly the opposite.The balance cannot be generalized and therefore must be found for every specific application.

4 Experimental Validation

To validate the proposed mechanisms for the protection of Cyber-Physical Systems against Sparse Sensor and Denial of Service attacks,an experimental validation was conducted.Section 4.1 describes the experimental methodology,while Section 4.2 presents the obtained results.

4.1 Experimental Methodology and Environment

The experiments were based on an emulated industrial scenario with real hardware devices(microcontrollers).The experimental works were divided into two different phases.First,we focused on analyzing the precision and attack detection capacity of the proposed technology.The second phase focused on studying the performance and scalability of the proposed model and the reconstruction and protection mechanism.

For all the experiments,the proposed CPS was supported by a collection of ESP-32 microcontrollers.Its number is variable depending on the experiment.ESP-32 microcontrollers are low-cost System-on-Chip provided with Wireless Fidelity (WiFi) and Bluetooth capabilities.It is based on a Tensilica Xtensa LX6 processor,and it includes several peripheral interfaces(Universal Asynchronous Receiver-Transmitter-UART-,Pulse Width Modulation-PWM-,Serial Peripheral Interface-SPI-,etc.),so it can handle a large catalog of different sensors.In our experiments,each ESP-32 node was provided with two sensors,monitoring four physical variables in total.The first sensor was a CCS811 sensor to monitor air quality.It can provide two different variables:carbon dioxide equivalent(eCO2)and organic volatile compounds concentration (TVOC).The second sensor is a DTH-11 device,which generates measurements for the environmental humidity and temperature.The measurement periodicity is variable and depends on the experiment.

All these sensors employed a WiFi connection to send all the collected information to a cloud server,located within the same building.Hypertext Transfer Protocol(HTTP)messages and Representational State Transfer(REST)interfaces were employed to support these communications.The server was a Linux-based machine (Ubuntu 18.04 LTS) with the following hardware characteristics: Dell R540 Rack 2U,96 GB RAM,two processors Intel Xeon Silver 4114 2.2G,HD 2 TB SATA 7,2K rpm.In this server,both the proposed model and the reconstruction and protection algorithm were hosted and executed.A Node.js server was deployed to collect all data from the sensor nodes and send them to the computational process executing our proposal.A supervisory process was continuously evaluating the evolution and performance of the proposed algorithms and model.The acquired information was employed to carry out a statistical analysis using the MATLAB 2022a software,to validate our hypotheses.All experiments were repeated twelve times to remove possible spurious effects.The results for every measurement are obtained as the average of all these individual twelve realizations.

In the first phase,we performed two different experiments.The first experiment was aimed at analyzing the precision of the proposed model (Section 3.1) by comparing (using the Mean Square Error metric) the information received by the computational processes in the real CPS deployment and the samples predicted by the proposed model.Data were collected for 24 h,and the relative(percentage) Mean Square Error was calculated for all the acquired samples.The experiment was repeated for different values of parametersRP,RT,andRF,which control the complexity of the proposed model.In this experimental phase,these three parameters are considered to have the same value.

The second experiment in this first phase was aimed at analyzing the probability of the proposed reconstruction and protection algorithm to successfully detect the real situation that occurs in the CPS.Some additional ESP32 nodes were deployed to increment the electrical noise in the environment and/or perform Sparse Sensor and Denial of Service attacks.Different situations were generated,with a duration of ten minutes.It was monitored if the proposed algorithm was able to identify them properly.The second experiment had a duration of 24 h too.Results were processed to generate a confusion matrix representing the algorithm’s behavior.The experiment was repeated for different values ofRun,andRrparameters.During these experiments,both parameters had the same value.

In the second experimental phase,we evaluated the performance and scalability.We measured the computational time needed for the proposed model and the reconstruction and protection algorithm to obtain a final and stable output.The first experiment focused on the mathematical model.The calculation time was analyzed for different values of parametersRP,RT,andRF(all three had the same value)and different quantities of state variables(M).To allow this experiment,the number of sensor nodes in the CPS was increased with each realization.Each configuration was operating for 24 h.The result was obtained as the average of all measurements collected.

Finally,the second experiment in this second phase evaluated the computational time required by the reconstruction and protection algorithm.The experiment was repeated for different values ofRun,andRrparameters.During these experiments,both parameters had the same value.Different quantities of state variables(M)were also considered.Each configuration was operating for 24 h.The result was obtained as the average of all collected measurements.

4.2 Results

To evaluate the behavior of the proposed technology,first,we analyze the precision of our model(Section 3.1),comparing the predicted future CPS states and the actual state finally achieved.Fig.5 shows the results.As can be seen,the evolution is exponential,as expected from the error in the Taylor series,as the number of terms increases.In general,all configurations show good behavior,although models with only two terms introduce an error of 12%(which may be too high for some applications).The minimum error(2%)may be achieved for models with more than 12 terms.This error is caused by the truncation of the Taylor series,so they can be numerically computed.But,as a counterpart,the resulting finite series does not perfectly represent the original function and we are introducing a numerical error.

Other limitations in the proposed model (such as the numerical precision of the underlying hardware platform) are also affecting,so,only by increasing the number of terms in Taylor’s series cannot reduce the global error as much as desired.But for a very large catalog of applications,an error of 2%is acceptable and can be tolerated.Even,for those scenarios where computationally lightweight solutions are preferred,schemes with four or five terms generate an error of around 6%,which is a standard error for mass non-critical applications.In common applications,errors below 10%can be handled.From these results,we can conclude that the proposed model represents with good precision the physical processes in CPS.

Similarly,we need to analyze the capacity of the proposed reconstruction algorithm to successfully detect the real situation that is happening in the CPS.Fig.6 shows the results of this experiment.For all possible situations,three regions are identified.First,for low values ofRunandRrparameters(below 20),transitory effects are dominant,indicators do not capture properly the CPS behavior,and sensitivity(rate of situation correctly classified)decreases.Random natural variations may be relevant when very short periods are analyzed.To focus on global tendencies,larger collections of data samples are needed.In that way,later,in the central region,RunandRrparameters present good enough values(between 20 and 60),and the proposed algorithm works with a very satisfactory behavior(sensitivity is between 91% and 98%).In this region,short-time transitory effects are not dominant because larger time series are employed in the reconstruction mechanism,and global tendencies are easily detected.But when the values forRunandRrparameters increase beyond a certain limit (60 samples in this case),real fluctuations effects and high-frequency perturbations are ignored when they are aggregated in a large operation.Then,sensitivity decreases.In this region,even natural fluctuations and changes are not significant compared to long-term tendencies.Relevant changes are ignored,because we are integrating too many samples in the same series,and calculation algorithms do not have enough sensitivity.

Figure 6:Precision of the proposed reconstruction and protection

In conclusion,RunandRrparameters must be balanced:small values cause instabilities,while too big values generate a loss of sensitivity.Values between 20 and 60 are the most appropriate region,as shown above(Fig.5).

On the other hand,the proposed algorithm does not show the same sensitivity when detecting the different situations in a CPS.In general,situations whose probability is calculated using functions with a higher growth rate (such as the exponential) are more sensitive to the quality of indicators representing the CPS (first return maps,STFT,etc.) and then more sensible to the value ofRunandRrparameters.This is because small changes in the exponents may generate big variations in the final function.Values must be selected very carefully and according to previous observations.For example,the probability for the SSA-attacked situation is only supported by an exponential function,so it is the one with the most relevant fluctuations.The noisy situation,which includes a linear term,is much flatter.That means SSA-attacked situations are much more difficult to detect,and probably a heuristic calibration process is required in real deployments and scenarios.

Anyway,the sensitivity of the proposed algorithm(in balanced values ofRunandRrparameters)is very satisfactory.Noisy situations are detected on 98% of the occasions,while unperturbed and SSA-attacked situations are correctly identified on 92% of the times.The DoS-attacked situation is the one with the worst behavior,but its sensitivity is just slightly lower:91%.With these results,we can conclude that the proposed algorithm can reconstruct and protect Cyber-Physical Systems against attacks and perturbations.

To go deeper into the analysis of these data,we present the complete confusion matrix(Table 2)for the configurationRun=Rr=40.

Table 2:Confusion matrix for the configuration Run=Rr=40

As can be seen,most errors when identifying the situation in the CPS are false detections of the noisy situation.Probably,that is caused by the linear term in its probability function,which does not reduce its value as much as the exponential function.If this sensitivity needs to be improved,that linear term should be enriched with new indicators and functions.

It is also important to evaluate the performance and scalability of the proposed solution to identify its limitations.Fig.7 shows the computational time required for the proposed model to operate.

Figure 7:Computational delay and scalability(mathematical model)

As can be seen,the evolution of the computational delay is linear.This is because our model consists of additions and multiplications,without loops or recursive problems.Besides,each new state variable is independent of the others,so the increase is linear.This facilitates the employment of this protection and reconstruction solution in future dense and pervasive scenarios,where up to ten million sensors per square kilometer could be deployed.

Moreover,the delay is always in the range of milliseconds.Additions and multiplications are performed very efficiently on modern computers,and they require a short time to perform millions of operations.In this case,even for a CPS that includes 100 devices (i.e.,400 state variables) and very complex models (with almost 20 terms in the Taylor series),the computational time required to operate the model is below 100 milliseconds(70 milliseconds,to be precise).Considering the most usual Cyber-Physical Systems capture information from the environment every few seconds,this delay is satisfactory.

Finally,the same scalability and performance analysis must be applied to the reconstruction and protection algorithm.Fig.8 shows the results.Here,again,the evolution is almost linear,because all the proposed computational procedures do not require any loop or recursive processing.In this case,for the largest deployment(one hundred devices)and a typical value forRunandRrparameters,the delay is above one second.This may be slightly above the acceptable maximum for certain critical realtime applications.For smaller deployments and the same configuration,the delay is below one second(between 100 and 600 milliseconds).But even delays above one second are acceptable in mass noncritical applications,where data are acquired every few seconds.Due to linear evolution,scalability is guaranteed(even in future scenarios)as consumed resources grow at the same rate as the number of sensor nodes in the physical platform.

Figure 8:Computational delay and scalability(reconstruction and protection algorithm)

In conclusion,considering the limitations that may arise in critical real-time applications,the performance of the proposed reconstruction and protection mechanism is satisfactory.

5 Conclusions and Future Works

This paper presents a new stochastic model to represent the behavior of Cyber-Physical Systems precisely.This model includes unknown multivariate discrete and continuous-time functions and different multiplicative noises to represent the evolution of physical processes and random effects in the physical and computational worlds.As a novelty,in this model,engineered processes such as the digitalization stage are represented too.Additionally,and contrary to the commonly employed deterministic attackers,in this new model attackers are described through a stochastic process.Standard error sources are estimated through different indicators and non-linear techniques(such as the Fourier transform,first-return maps,or the probability density function).Finally,the reconstruction mechanism consists of a weighted stochastic model combining all error sources.The actual reconstructed value is generated as the output from a decision algorithm.

Experimental results show that the precision of the proposed model is above 90%,with a residual error between 6% and 2% for the most common configurations.Additionally,the sensitivity of the proposed reconstruction and protection algorithm is up to 92%.Considering all this,the proposed solution is a valid security scheme for CPS.

Future works will analyze new indicators and probability functions to improve the sensitivity,especially in noisy situation.In addition,the solution will be deployed in real industrial scenarios with legacy systems,to study the impact of second-order effects such as reduced connectivity or human accidents and manipulations.

Acknowledgement:The authors also gratefully acknowledge the helpful comments and suggestions of the reviewers,which have improved the presentation.

Funding Statement:This work is supported by Comunidad de Madrid within the framework of the Multiannual Agreement with Universidad Politécnica de Madrid to encourage research by young doctors(PRINCE).

Author Contributions:The authors confirm contribution to the paper as follows:study conception and design: Borja Bordel;data collection: Ramón Alcarria,Borja Bordel;analysis and interpretation of results:Ramón Alcarria,Tomás Robles;draft manuscript preparation:Borja Bordel,Tomás Robles.All authors reviewed the results and approved the final version of the manuscript.

Availability of Data and Materials:Data sharing is not applicable to this article as no new data were created or analyzed in this study.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.