Learning-Based Cooperative False Data Injection Attack and Its Mitigation Techniques in Consensus-Based Distributed Estimation

For the false data injection attack (FDIA) in the consensus-based distributed estimation, the information of weight matrix is critical for both attackers and defenders. In this paper, we study the impact of the weight matrix on the FDIA and the attack mitigation techniques. We first propose a learning-based cooperative FDIA strategy, where malicious nodes acquire the information of weight matrix cooperatively and launch the attack covertly. Two types of FDIA, the sudden FDIA and the dynamic FDIA, are considered to tamper the consensus result of the network to a pre-designed false value. Moreover, using the obtained information of weight matrix, a real-time surveillance and response mechanism is constructed to enhance the covertness of FDIA strategy. Since the surveillance and response mechanism can bypass existing FDIA detection methods, we further investigate the attack mitigation techniques against the learning-based cooperative FDIA. A real-time FDIA detection method and a reassessment mechanism with a punishment scheme are presented to resist the surveillance and response mechanism in the learning-based cooperative FDIA. Comprehensive simulation results verify that the attacker can obtain the information of weight matrix, and tamper the consensus result to a false value by launching the learning-based cooperative FDIA. And the real-time FDIA detection method can detect the malicious nodes efficiently and promptly.


I. INTRODUCTION
In the consensus-based distributed estimation, a collection of nodes with processing and communication functions are linked together through a connected topology. The nodes cooperate with each other through local interactions to estimate an unknown scalar or vector parameter in realtime [1], [2]. It is shown in [3] that the consensus update process in the consensus-based distributed estimation can be modeled as a linear transformation with weight matrix.
Owing to the open structure of the network, the consensusbased distributed estimation is vulnerable to various attacks, The associate editor coordinating the review of this manuscript and approving it for publication was Tiago Cruz .
where false data injection attack (FDIA) is one of the most typical attacks [4], [5]. In FDIA, attackers access the network or compromise some nodes in the network in order to make them send some false data to their neighbors during the consensus update process. The goal of attackers is to tamper the consensus result to a false value or make the consensus unable to be achieved.
To tolerate a certain amount of faulty or malicious nodes in the network, some resilient consensus algorithms have been developed to make sure that the consensus result approximately converges to the true value [6]- [12]. In [6], authors proposed a resilient consensus update rule, where each node updates its estimation as the average of maximum and minimum estimations among its neighbors, and some mobile nodes are deployed to identify the nodes violating the update rule. An approximate Byzantine consensus algorithm, named as weighted mean subsequence reduced (W-MSR) algorithm, is proposed in [7]. In the W-MSR algorithm, each node discards a certain amount of largest and smallest estimations received from its neighbors, and updates its estimation as the linear combination of the remainder estimations. The necessary and sufficient conditions for the W-MSR algorithm reaching an approximate consensus under various attack models are provided [7]- [9]. In [10], a flag raising distributed estimation (FRDE) algorithm is proposed to perform resilient asymptotic consensus estimation and detect malicious nodes simultaneously. It is also proven in [10] that if normal nodes performing the FRDE algorithm are connected and globally observable, their estimations are almost surely consistent. An iterative, consensus + innovations algorithm for the distributed estimation, named as constant weight saturated innovation update (CSIU) algorithm, is proposed in [11]. It is shown in [11] that the estimations of normal nodes performing the CSIU algorithm will converge to the true value at an exponential rate if less than 30 percent of nodes are under attack. As the dynamics of the estimated parameters can be modeled as a linear discrete time-varying function, a resilient distributed filtering method based on the Krein space is proposed in [12]. In this method, an innovation analysis method and a projection technique in Krein space are utilized to calculate a resilient estimate, and the residual is used to detect the FDIA.
In [13]- [17], efficient FDIA detection mechanisms have been proposed to detect malicious nodes in the network. In the stubborn FDIA model considered in [13], malicious nodes do not receive any message from their neighbors, and update their estimations as the sum of an artificial noise and a constant false value. The temporal difference characteristic and the spatial difference characteristic are used to identify stubborn malicious nodes in [13] and [14], respectively. In [15]- [17], a general FDIA model is considered, and two corresponding attack detection mechanisms are proposed. It is shown in [15] that if normal nodes have full knowledge of weight matrix and the network topology satisfies some specific conditions, each normal node can estimate the realtime state vector using local observations, and the residual of estimation can be utilized to identify malicious nodes. In [16] and [17], a distributed filter is designed based on the theory of unknown input observability and the information of weight matrix. With the distributed filter, normal nodes can estimate the real-time state vector and detect malicious nodes among their neighbors.
To detect malicious nodes, an assumption that normal nodes have full knowledge of weight matrix is used in those FDIA detection methods [15]- [17]. However, the assumption seems unreasonable in a real-world large-scale distributed network. The reasons are two-fold. First, due to the dynamic nature of network, the dimension and value of weight matrix may change frequently. Second, normal nodes may not be willing to share their weight vectors with other nodes for security consideration. From the perspective of a normal node, it is unreasonable to use the real-time weight matrix to identify malicious nodes. However, from the perspective of a malicious node, obtaining the real-time information of weight matrix is benefit to the improvement of the covertness of its attack behavior. Although normal nodes with defense strategy can dynamically adjust their weight vectors when some suspicious situations occur, malicious nodes can learn about the defense strategies of normal nodes according to the real-time information of weight matrix, and try to bypass the defense mechanisms. Therefore, the information of weight matrix is significant for both attackers and defenders in the network.
Several algorithms are addressed to acquire the information of weight matrix [18], [19]. In [18], a novel algorithm is proposed to calculate the minimal polynomial of weight matrix in the network with time-invariant topology. A distributed consensus algorithm is proposed to calculate the Chebyshev polynomials of weight matrix using the second order difference equation [19]. However, the polynomials of weight matrix obtained in [18] and [19] cannot be utilized to construct a covert FDIA strategy or an effective FDIA detection mechanism. Therefore, in this paper, we investigate the method for obtaining the weight matrix, and the effect of weight matrix on the FDIA and the FDIA mitigation techniques.
Our main contributions are summarized as follows. First, we propose a learning-based cooperative FDIA strategy against the consensus-based distributed estimation. In the proposed attack strategy, malicious nodes cooperate with each other to acquire the information of weight matrix. Two kinds of covert FDIA, the sudden FDIA and the dynamic FDIA, are launched using the obtained weight matrix. Under the presented FDIAs, the consensus result of the network is tampered to a pre-designed false value.
Second, a surveillance and response mechanism is presented for malicious nodes to enhance the covertness of FDIA. In the proposed mechanism, malicious nodes keep surveilling the consensus update process of normal nodes using the obtained weight matrix. By switching between launching the FDIA and performing normal consensus update dynamically, the attacker with the proposed surveillance and response mechanism can bypass existing FDIA detection methods.
Third, in order to ensure the security of consensus-based distributed estimation, a real-time attack detection method against the learning-based cooperative FDIA is proposed. Moreover, to mitigate the effect of false-alarm of the FDIA detection system on the performance of consensus-based distributed estimation, a reassessment mechanism is constructed to reassess malicious nodes. With the embedded punishment scheme, the reassessment mechanism can resist the surveillance and response mechanism in the learning-based cooperative FDIA strategy effectively.
The rest of the paper is organized as follows. Section II introduces the system model and the problem to be resolved in this work. In Section III, we propose a learning-based cooperative FDIA strategy against the consensus-based distributed estimation. The attack mitigation techniques against the FDIA are presented in Section IV. Simulation results and discussions are given in Section V. Finally, we conclude the paper in Section VI.
For clarity, we explain some notations used in this paper. Boldface lower and upper case letters denote column vector and matrix, respectively. For matrix A and column vector a, the element at the i-th row and the j-th column in A is denoted as a ij , and the i-th element in a is denoted as a i . Superscript (·) T represents the transpose operation. I is an identity matrix with appropriate dimension, 1 is a vector of 1s with appropriate dimension, and 0 is a null matrix or null vector with appropriate dimension. diag (a) denotes a diagonal matrix, where a i is the i-th diagonal element. A normal distribution with mean µ and variance σ 2 is denoted as N µ, σ 2 . The set of real numbers is denoted as R, and the set of positive integers is denoted as Z + .

II. SYSTEM MODEL AND PROBLEM FORMULATION
In this section, we introduce the network model for the consensus-based distributed estimation, the model of FDIA and some typical attack detection mechanisms. Then, the problem aiming to be resolved is formulated.

A. NETWORK MODEL
We consider a network consisting of N nodes with the same configuration. The topology of the network is modeled as a connected and undirected graph G = (V, E), where V = {1, 2, . . . , N } is the set of nodes, and E is the set of communication links. If (i, j) ∈ E, node i and node j are adjacent, and node i can receive information from node j. The neighboring set of node i is defined as In the consensus-based distributed estimation, an unknown scalar or vector parameter is first estimated by the nodes in the network separately. Then each node iteratively updates its estimation as a linear combination of estimations received from its neighbors and its own one. After multiple iterations, all the nodes in the network will come to a consensus [2].
It is assumed that a total K instances of consensusbased distributed estimation is implemented over network G. In instance k, 1 ≤ k ≤ K , the initial estimation at node i is denoted as x k i (0). Then, each node exchanges the estimation with its neighbors, and updates its estimation using the estimations received from its neighbors. At iteration t, t ≥ 1, the consensus update at node i can be expressed as where w ii and w ij are the weights for the consensus update process, w ii > 0, w ij ≥ 0, j ∈ N i , and w ii + j∈N i w ij = 1.
According to (1), the consensus update at node i can be rewritten as and the consensus update in the network can be represented as where x k (t) is the N ×1 state vector of the network at iteration t of instance k, and , w ij is the element at the i-th row and the j-th column of W, and W is the N × N weight matrix. Since the row-sum of W equals to 1, W is a right stochastic matrix. If W is a symmetric matrix, W is also a doubly-stochastic matrix.
We assume that the total number of iterations implemented in each instance of consensus-based distributed estimation is T .

B. ATTACK MODEL
It is assumed that some attackers exist in the network. In order to degrade the performance of consensus-based distributed estimation, attackers capture some unprotected nodes and make them be malicious. The malicious nodes will launch the FDIA; that is, malicious nodes send some pre-designed false data to their neighbors during the consensus update process. The goal of attackers is to tamper the consensus result to a false value or make the consensus unable to be achieved.
The FDIA can be classified into two types, the stubborn FDIA and the general FDIA. Since the stubborn FDIA problem and its mitigation techniques have been well studied in [13] and [14], we focus on the general FDIA problem in this paper.
In the model of general FDIA, malicious nodes inject some pre-designed false data into their states during the consensus update process. Let the set of malicious nodes be A = a 1 , a 2 , · · · , a f , where f denotes the number of malicious nodes in the network, and A ⊆ V. Under the general FDIA, the consensus update in the network can be expressed as where u k a i (t) denotes the data injected by malicious node a i at iteration t of instance k; e i denotes an N × 1 unit vector, the i-th element in e i is 1 and the other elements are 0s; B A = e a 1 , e a 2 , · · · , e a f , and u k

C. MALICIOUS NODE DETECTION MECHANISM
In [15]- [17], two malicious node detection mechanisms against the general FDIA are addressed. It is proven in [15] that, if the network topology satisfies some specific conditions, normal nodes can estimate the real-time state vector x k (t) using local observations. In [16] and [17], a distributed filter is designed for normal nodes to estimate the real-time state vector x k (t).
The residual of estimated real-time state vector can be expressed as wherex k (t) is the estimate of state vector x k (t), and r k (t) is the N × 1 residual vector. Using r k (t), malicious nodes can be identified as follows. If element r k i (t), 1 ≤ i ≤ N , satisfies r k i (t) > η, node i is identified as malicious node, where η is a pre-defined decision threshold for the FDIA detection mechanisms.

D. PROBLEM FORMULATION
For malicious node detection mechanisms proposed in [15]- [17], normal nodes should obtain full knowledge of weight matrix W. However, in a real large-scale network, this assumption is unreasonable. The reasons are described in Section I.
From the perspective of an attacker, it is significant to acquire the real-time information of weight matrix W and utilize the acquired information to enhance the covertness of FDIA. Normal nodes with defense strategies can dynamically adjust the weight vectors if some suspicious situations occur. For example, while detecting some abnormal behaviors of neighbor node j, node i can set w ij to be 0 and neglect the message from node j. By acquiring the real-time information of weight matrix W, malicious nodes can learn about the defense strategies of normal nodes, and try to bypass the defense mechanisms.
Therefore, it is significant for both attackers and defenders to acquire the information of weight matrix. In this work, we first investigate the method for acquiring weight matrix, and then study the effect of the information of weight matrix on the FDIA and the FDIA mitigation techniques.

III. LEARNING-BASED COOPERATIVE FDIA
In this section, a learning-based cooperative FDIA strategy against the consensus-based distributed estimation is presented.
We assume that malicious nodes in the network consist of an injector and several listeners. The proposed learningbased cooperative FDIA strategy consists of two stages. In the first stage, all the malicious nodes perform the normal consensus update without launching attack. Meanwhile, the listeners send their states and the states received from their neighbors to the injector. With the information of all the malicious nodes, the injector can acquire the information of weight matrix W. In the second stage, the injector utilizes the obtained information of weight matrix to launch two kinds of covert FDIA, the sudden FDIA and the dynamic FDIA. In addition, a real-time surveillance and response mechanism is constructed for malicious nodes to enhance the covertness of attack.

A. STAGE ONE: LISTENING AND LEARNING
In order to simplify the description, we first consider an ideal scenario, and then extend it to a general scenario.
According to the distribution of malicious nodes in network G, we define two concepts as follows.
Definition 1: The set of observable nodes to A , V A ,

Definition 2: If and only if
In this ideal scenario, the injector can obtain the real-time state vector x k (t) since all the listeners send their states and the states received from their neighbors to the injector. Using the state vectors from iteration 0 to N , the injector can construct the following equation, where X k (0 : According to [15]- [17], [20] and [21], weight matrix W is a ''structured matrix''. Hence, X k (0 : N − 1) and X k (1 : N ) are nonsingular matrices for almost any initial state vector x k (0). That is, the set of initial state vector making X k (0 : N − 1) and X k (1 : N ) be singular lies on an algebraic hyper-surface of parameters space R N ×1 . Hence, at iteration N , the weight matrix can be estimated by the injector aŝ In real applications, in order to improve the robustness of estimation to background noise and transmission error, some redundant observations should be added. The state vectors from iteration 0 to N should be adopted for the estimation, where N = N + N , N is the redundancy of observations, and N ≥ 0. The improved estimation process can be expressed aŝ where (·) † denotes the pseudo-inverse of a matrix.

2) SCENARIO 2: NETWORK G IS PARTIALLY OBSERVABLE TO A
Since network G is partially observable to A, only the states of observable nodes within V A are available to the injector. In order to conveniently describe the listening and learning process in scenario 2, we define the concept of the vulnerable node set for A using the observable node set V A .

Definition 3: The vulnerable node set for A is defined as
For each vulnerable node v, v ∈ V V , the states of node v and its neighbors are available to the injector. The injector VOLUME 8, 2020 can estimate the weight vector of vulnerable node v using (8). However, since the injector does not have full information about the network topology, the vulnerable node set is still unknown. Hence, the injector should first search for the vulnerable nodes within set V A \A.
For each vulnerable node v, v ∈ V V , the states of node v at each iteration t, x k v (t), are the linear combination of states of nodes within V A at iteration t − 1. Therefore, the state vector of vulnerable node v,

Proposition 1: Let A be a full column rank matrix. The orthogonal projectors onto
completely. Therefore, according to Proposition 1, the set of vulnerable nodes can be identified When the injector has no information of the number of nodes in the network, an upper bound of the number of nodes, N , can be used as the dimension of the state vector. If the redundancy of observations N , N =N − N , is large enough, the vulnerable nodes can be identified correctly.
Moreover, due to the limited calculation precision, the orthogonal projection of state vector of a vulnera- T , may not exactly equal to 0. Therefore, the set of vulnerable nodes can be identified as where | · | 1 denotes the 1-norm of a vector; η V is the decision threshold for identifying vulnerable nodes, and ρ is a parameter chosen by the injector, and ρ > 1.
After obtaining the set of vulnerable nodes, the injector can estimate the weight vector of vulnerable node v, v ∈ V V , aŝ Fromŵ v,V A , the injector obtains not only the information of the neighboring set of node v (i.e., nodes correspond to non-zero elements inŵ v,V A ), but also the detailed information of consensus update process of node v.

B. STAGE TWO: FALSE DATA INJECTION
With the weight matrix or weight vectors acquired in stage one, the injector can launch a covert FDIA. The goal of the injector is tampering the final consensus result of the network to a false value G k , as well as remaining unsuspicious to normal nodes.
Here, we assume that the weight matrix remains unchanged if no attack is launched in the network. However, if some malicious nodes launch the FDIA, normal nodes with defense strategies can adjust their weight vectors to resist the attack. With these assumptions, the injector can launch two kinds of covert FDIA, the sudden FDIA and the dynamic FDIA.

1) SUDDEN FDIA STRATEGY
The sudden FDIA is launched in scenario 1, where network G is fully observable to A.
According to Subsection III-A1, the injector can obtain the estimate of weight matrix,Ŵ. Let row vector v T be the left eigenvector ofŴ associated with eigenvalue 1, and v TŴ = v T . The elements of v T also indicate the contribution of the nodes' states to the consensus result, and lim t→∞ x k (t) = v T x k N + 1 1. The injector, denoted as a A , can tamper its own state at iteration N + 1 as where v a A is the a A -th element of v T ;v T a A is a 1 × N vector, the a A -th element ofv T a A is 0 and other elements are the same as those in v T .
After iteration N + 1, malicious nodes keep performing the normal consensus update without launching attack. If the weight matrix remains unchanged after iteration N + 1, the final consensus result of the network can be expressed as which means the goal of the injector is achieved. In a real network environment, due to the equipment malfunction and transmission error, a normal node may occasionally send some abnormal data to its neighbors. Since the injector only inject false data at iteration N + 1, it imitates the behavior of a normal node suffered from burst equipment malfunction or transmission error. Hence, the covertness of the proposed sudden FDIA strategy is ensured.
However, there are two shortcomings for the sudden FDIA strategy. First, the sudden FDIA can only be launched in scenario 1, which is ideal for an injector with limited resource. Second, if some normal nodes dynamically adjust the weight vectors to resist the attack, the consensus result will deviate from the goal of the injector, G k . To overcome these deficiencies, we further develop a dynamic FDIA strategy.

2) DYNAMIC FDIA STRATEGY
In the dynamic FDIA, the injector utilizes the obtained weight matrix or weight vectors to inject a pre-designed false data u k a A (t) to its state at each iteration. The consensus update at the injector can be expressed as where the injector should be transformed into a listener. Meanwhile, if there exists a listener adjacent to at least one node within V V , it is assigned as a new injector. µ A is an attack parameter determined by the injector, and µ A > 0. The larger the value of µ A , the more quickly all of the nodes converge to G k . However, if the value of µ A is too large, the injector can be detected by normal nodes with a high probability.
In the proposed dynamic FDIA strategy, the reason to make the injected data u k a A (t) be proportional tow V V ,a A is that, if the value ofw V V ,a A gets smaller, the nodes within V V, A begin to distrust the injector, and the injector should scale down the injected data u k a A (t).

C. REAL-TIME SURVEILLANCE AND RESPONSE MECHANISM
Since normal nodes with defense strategies can resist the FDIA by dynamically adjusting their weight vectors during the consensus update process, malicious nodes should surveil the behavior of normal nodes. Once malicious nodes observe some normal nodes adjusting their weight vectors, some corresponding response mechanisms can be implemented to enhance the covertness of attack. After launching the sudden FDIA, malicious nodes keep surveilling the behavior of normal nodes. The surveillance of normal node v utilizes the consistency of states among observable nodes at iteration t and the state of node v at iteration t + 1. That is, the adjustment of the weight vector of normal node v can be declared if the magnitude of In order to evaluate the effectiveness of FDIA, the injector should determine whether w v,a A is less than a threshold ϕ S or not, and −w v,a A ≤ ϕ S ≤ 0. Therefore, the surveillance of normal node v, v ∈ V\A, can be expressed as where sgn (x) is a modified sign function, and sgn (x) = 1, x ≥ 0; D v 1 denotes the hypothesis that node v is adjusting its weight vector; D v 0 denotes the hypothesis that node v keeps its weight vector unchanged. Parameter ϕ S is chosen by the injector. The larger the value of parameter ϕ S , the more sensitive the surveillance mechanism will become. In an extreme case of The goal of the injector, G k , can be achieved only if the weight matrix remains unchanged after the sudden FDIA. Therefore, once some normal nodes are found adjusting their weight vectors, the injector will return to stage one to acquire the updated information of weight matrix, and then launch the dynamic FDIA.
After launching the dynamic FDIA, malicious nodes keep surveilling the behavior of vulnerable node v, v ∈ V V , as whereŵ v,V A is the estimated weight vector of node v. Next, the response mechanism is constructed according to the result of the surveillance process in (15). The injector can adopt two kinds of response mechanisms, the conservative response mechanism and the radical response mechanism.
In the conservative response mechanism, once observing at least one vulnerable node within V V adjusting its weight vector, the injector stops launching the dynamic FDIA immediately, and returns to stage one to acquire the updated information of weight matrix. Only if the updated information of weight matrix shows thatŵ v,a A = 0 for all v ∈ V V,A , the injector continues to launch the dynamic FDIA. Furthermore, parameter ϕ S can be increased to improve the sensitivity of the real-time surveillance mechanism.
In the radical response mechanism, the injector stops launching the dynamic FDIA and returns to stage one if the surveillance results are D v 1 for all v ∈ V V,A . If the updated information of weight matrix shows that at least one node v within V V,A satisfiesŵ v,a A = 0, the injector keeps on launching the dynamic FDIA. Furthermore, parameter ϕ S can be decreased to reduce the sensitivity of the real-time surveillance mechanism.

IV. ATTACK MITIGATION TECHNIQUES
In order to enhance the security of consensus-based distributed estimation, we further study the attack mitigation techniques. It is assumed that normal nodes do not know whether the other nodes are normal or not. In this case, each normal node resists the FDIA with local information separately. To defend against the learning-based cooperative FDIA, a real-time attack detection method using local observations is proposed for normal nodes. Moreover, to mitigate the effect of false-alarm of the real-time FDIA detection system on the estimation performance, we address a reassessment mechanism to reassess malicious nodes.
A. REAL-TIME FDIA DETECTION METHOD Let (t) be the one-shot statistic at time t. For a traditional real-time event detection system [24], [25], if the event happens at time t, the expectation of (t) satisfies The real-time statistic at time t, S(t), is updated as S (t) = max {0, S (t − 1) + (t)} . If the event does not happen, S(t) keeps hovering around 0. If the event happens after time τ , S(t) rises rapidly after time τ .
For a real-time detection method against the learning-based cooperative FDIA, it is important to construct an applicable one-shot statistic satisfying the following conditions. For normal node i and its neighbor node j, the expectation of oneshot statistic, k ij (t), should satisfy two conditions, namely denotes the hypothesis that node j does not launch the FDIA, and H j 1 denotes the hypothesis that node j launches the FDIA. Based on the one-shot statistic, the real-time statistic can be constructed as The quickest stopping time for node i declaring that node j is launching the FDIA can be expressed as where inf {·} denotes the infimum operation, and h is a predefined decision threshold for the real-time detection method. Once the occurrence of FDIA is declared for node j, node i sets w ij to be 0 and neglects the message from node j after T ij (h).
In order to construct an applicable one-shot statistic, we define the spatial-difference-based statistic for node i and its neighbor node j at each iteration as s k where k ij (t) is an upper bound of the magnitude of spatialdifference-based statistic when node j does not launch the FDIA.
If the malicious nodes do not launch the FDIA, we have , the spatial-difference-based statistic can be rewritten as The eigenvalue decomposition of [W] t , t ≥ 1, can be expressed as where λ n denotes the n-th eigenvalue of W, 1 ≤ n ≤ N ; denotes an N × N diagonal matrix, and λ n is the n-th diagonal element of ; v n and u n denote the n-th column of matrices V and U, respectively, v n is the right eigenvector of W associated with eigenvalue λ n , and U T = V −1 . Without loss of generality, we assume that |λ 1 | ≥ |λ 2 | ≥ · · · ≥ |λ N |. According to the Gershgorin circle theorem [26], since the elements of matrix W are not less than 0 and W1 = 1, we have λ 1 = 1, v 1 = 1/ √ N and |λ n | ≤ 1, 2 ≤ n ≤ N . Substituting (20) into (19), the spatial-differencebased statistic can be rewritten as where e ij = e j − e i and c n = e T ij v n u T n x k (0). Since e T ij 1 = 0 and v 1 = 1 √ N , we have c 1 = 0. Hence, where c = [c 2 , c 3 , · · · , c N ] T , Vad λ is an (N − 1) × (N − 1) Vandermonde matrix, the first row of Vad λ is λ T = [λ 2 , λ 3 , · · · , λ N ], the i-th row of Vad λ is λ T diag λ i−1 , and diag λ is an (N − 1) × (N − 1) diagonal matrix with diagonal elements {λ n } N n=2 . It is assumed that the values in λ are non-zero and different from each other. It is proven in [26] that matrix Vad λ is nonsingular if the values in λ are non-zero and different from each other. Therefore, row vector λ N 2 , λ N 3 , · · · , λ N N can be expressed as a unique linear combination of the rows of Vad λ , and a unique (N − 1) × 1 vector d exists and satisfies The left side of (23) can be rewritten as and the right side of (23) can be rewritten as Since s k ij (t) = λ t 2 , λ t 3 , · · · , λ t N c , t ≥ 1, we have (26), one finds that if the malicious nodes do not launch the FDIA, the spatial-difference-based statistic at iteration N + τ can be represented as a linear combination of spatial-difference-based statistics from iteration τ + 1 to N +τ −1. Taking advantage of this property, the upper bound of the magnitude of spatial-difference-based statistic in (18) can be constructed to satisfy E k ij (t) |H j 0 ≤ 0. Since eigenvalues {λ n } N n=2 are unknown to normal nodes, the elements of d still cannot be directly calculated with (24). However, since the eigenvalues in λ are different from each other, some eigenvalues with large magnitude can be asymptotically estimated by normal nodes with local observations. Here, two variables,ṡ k ij (t) ands k ij (t), are defined asṡ k The estimation of eigenvalues can be summarized in Theorem 1. Theorem 1: The estimates of eigenvalues λ 2 , λ 3 , and λ 4 can be sequentially calculated by (27a)-(27c), whereas other eigenvalues λ i , i ≥ 5, cannot be uniquely determined.

where T is the total number of iterations implemented in each instance of consensus-based distributed estimation.
The proof of Theorem 1 is given in Appendix.
As shown in (27a), (27b), and (27c), the calculation of λ 2 ,λ 3 , andλ 4 are completely decentralized, which means that each normal node can obtain the estimations of λ 2 , λ 3 , and λ 4 with local information separately. According to Theorem 1, the rest of the eigenvalues, {λ n } N n=5 , cannot be estimated. Hence, the spatial-difference-based statistic cannot be predicted with (26). To deal with this issue, we construct an optimization problem to obtain an upper bound of the magnitude of spatial-difference-based statistic satisfying E k ij (t) |H j 0 ≤ 0. According to (24)- (27), the real-time upper bound of the magnitude of spatial-difference-based statistic can be constructed by solving the optimization problem as where variables λ n N n=2 are used to calculate {d i } N −1 i=1 with the LeVerrier-Faddeev algorithm in (24). Since the eigenvalues in {λ n } N n=5 should satisfy the inequality constraints |λ n | < |λ n−1 | (5 ≤ n ≤ N ), the optimal k ij (t) obtained in problem (P.1) must be larger than s k ij (t) , which satisfies E k ij (t) |H j 0 ≤ 0. VOLUME 8, 2020 In order to simplify the calculation for the upper bound of the magnitude of spatial-difference-based statistic, the inequality constrain conditions in (P.1) can be relaxed as λ k ≤ |λ 4 |, k ≥ 5. And the problem in (P.1) can be transformed into Since the inequality constrain conditions in (P.1) are tighter than those in (P.2), the upper bound of the magnitude of spatial-difference-based statistic calculated in (P.2) is larger than that in (P.1). Hence, the upper bound of the magnitude of spatial-difference-based statistic calculated in (P. can be considered simultaneously to find the optimal combination choice that results in a maximum k ij (t).

If the injector a A launches the FDIA at iteration t
. Without loss of generality, it is assumed that the magnitude of injected false data is much larger than the magnitude of spatial-difference-based statistic before the FDIA is launched. Under this assumption, the upper bound of the magnitude of spatial-difference-based statistic calculated in problem (P.3) can be asymptotically approximated as is the variables obtained by solving problem (P.3). Since the magnitude of u k a A (t A − 1) is much larger than the magnitude of spatial-difference-based statistic before the FDIA is launched, we have Therefore, the upper bound of the magnitude of spatial-difference-based statistic will experience a sharp increase after iteration t A − 1.
In order to make the upper bound of the magnitude of spatial-difference-based statistic change smoothly and the condition E k ij (t) |H j 1 > 0 be satisfied, we modify the problem formulated in (P.3) by replacing the statistic s k . Similar to problem (P.3), the problem formulated in (P.4) can be solved with the enumeration method. The real-time FDIA detection method can be summarized as Algorithm 1. With the realtime FDIA detection method, each normal node i can obtain the set of malicious nodes in the neighborhood as A i .
Remark 2: Due to the limited memory and computational capability of nodes, the computational complexity of the solving process of problem (P.4) may be too high. In order to reduce the computational burden for each node, the solving process of problem (P.4) can be simplified . However, the obtained k ij (t) cannot be guaranteed to be an upper bound of the magnitude of spatial-difference-based statistic, and the falsealarm probability of the real-time FDIA detection method is likely to increase.
Remark 3: For a real-time FDIA detection mechanism, the most important performance indicator is the detection delay after the FDIA occurs. When encountering the sudden FDIA or the dynamic FDIA presented in Section III, the proposed real-time FDIA detection method may show different detection performance. If the sudden FDIA is launched, the magnitude of spatial-difference-based statistic of the injector experiences a steep increase, and the realtime statistic of the injector also rises quickly. In this circumstance, the injector can be identified by normal nodes in a short time. On the other hand, if the injector launches the dynamic FDIA and sets the attack parameter µ A to be a relatively small value, the magnitude of spatial-differencebased statistic of the injector is likely to be lower than the upper bound obtained in problem (P.4), which results in a low detection probability and a long detection delay. Therefore, it is more difficult to resist the dynamic FDIA than the sudden FDIA.
Calculate the upper bound of the magnitude of spatial-difference-based statistic for each neighbor node j by solving the optimization problem in (P.4). (6).
Calculate the one-shot statistic k ij (t) for each neighbor node j with (18). (7).
Calculate the real-time statistic S k ij (t) for each neighbor node j with (16). (8).
Determine whether the FDIA is launched by neighbor node j or not at iteration t with (17). (9).
Calculate statisticsṡ k ij (t) ands k ij (t) for each neighbor node j with the spatial-difference-based statistics s k ij (t). (10). end for (11). end for Output (12). Output the set of malicious nodes in the neighborhood:

B. RESILIENT WEIGHT VECTOR ADJUSTMENT
Once node j in set N i is identified as a malicious node, normal node i sets the weight w ij to be 0 and stops receiving any information from node j. In order to guarantee the consensus among the normal nodes in the network, the weight vector of each node should be adjusted appropriately after the malicious nodes being isolated.
According to [3], as long as the weight matrix W is doublystochastic, and the spectral radius of matrix W − 11 T N is strictly less than 1, the average consensus of the network can be achieved. In order to satisfy the above two conditions, the weight vectors of normal nodes can be adjusted based on the maximum-degree protocol or the Metropolis protocol [29].
In the maximum-degree protocol, it is assumed that each node knows the total number of nodes in the network, N , or an upper bound for N ,N . In this case, the weights for each normal node i are set to be In the Metropolis protocol, the weights for each normal node i are set to be where D i denotes the degree of node i after the malicious nodes are removed from N i , and D i = |N i | − |A i |. In the Metropolis protocol, each node i shares the real-time D i with its neighbor nodes. After malicious nodes are isolated from normal nodes, the obtained subgraph is denoted as It is proven in [29] that as long as the set of malicious nodes in the neighborhood is correctly identified by each normal node, and subgraph G N is connected, the average consensus can be achieved with either the maximum-degree protocol or the Metropolis protocol.

C. REASSESSMENT OF ATTACKERS WITH PUNISHMENT SCHEME
As we know, the false-alarm is inevitable for an attack detection method. Without the reassessment mechanism, normal nodes implementing the proposed real-time FDIA detection method will eventually regard all of their neighbors as attackers as long as the number of iterations tends to infinity. To mitigate the effect of false-alarm of the proposed realtime FDIA detection method on the estimation performance, we propose a reassessment mechanism to reassess malicious nodes.
If normal node i identifies its neighbor node j as an attacker, the link between node i and node j will be cut off, and w ij = 0. After that, node i keeps assessing the behavior of node j. Once node i observes that the behavior of node j returns to normal, the link between node i and node j will be rebuilt, and w ij > 0.
As shown in Subsection III-C, an intelligent attacker can surveil the behavior of normal nodes and dynamically switch between launching attack and performing normal consensus update. In order to resist the surveillance and response mechanism in the learning-based cooperative FDIA, the behavior of malicious nodes should be inspected continuously. Utilizing the spatial-difference-based statistic, the reassessment mechanism can be expressed as where g (·) denotes the step function, and g (x) = sgn (x) + 1 2; R ij 0 represents the hypothesis that node j returns to normal; R ij 1 represents the hypothesis that node j is still malicious; K R denotes the number of instances used for the reassessment; and η R is the decision threshold for the inspection at each iteration. The reassessment mechanism in (30) indicates that a malicious node can be declared to return to normal only if the magnitude of spatial-difference-based VOLUME 8, 2020 statistic is lower than the decision threshold at each iteration during the reassessing period. In practical application, the decision threshold should be chosen to satisfy the upper bound of the false-alarm probability required by the system. Therefore, the relationship between the decision threshold and the false-alarm probability should be derived.
Similar to [14], we assume that the initial estimation of each node is independent and identically distributed, which follows the normal distribution with mean x k 0 and variance σ 2 x . Thus, the spatial-difference-based statistic s k ij (t) follows the normal distribution with zero-mean and variance σ 2 x . The false-alarm probability of the inspection at each iteration can be expressed as P k FA, , where (·) denotes the cumulative distribution function of the standard normal distribution. The false-alarm probability of the reassessment mechanism in (30) can be expressed as Furthermore, in order to adaptively adjust the judging criteria of the reassessment mechanism to resist an intelligent attacker, we propose a punishment scheme for the reassessment mechanism.
If node j is identified as an attacker, the total number of instances used for reassessing node j is updated as where is a punishment factor, and ∈ Z + . With this punishment scheme, the more times a node being identified as an attacker, the longer the reassessment will last for.

V. NUMERICAL RESULTS AND DISCUSSIONS
A network with 12 nodes is considered, as shown in Fig. 1. For each node i and its neighbor node j, the value of w ij follows the normal distribution with mean µ w and variance σ 2 w , and w ii = 1 − j∈N i w ij . The true value of unknown scalar parameter to be estimated is x 0 . The initial estimation of each node is assumed to be independent and identically distributed, and the initial state vector follows the multivariate normal distribution as x k (0) ∼ N x 0 1, σ 2 x I , where x 0 = 10 and σ 2 x = 1. The performance of learning-based cooperative FDIA strategy and the corresponding FDIA detection method is evaluated in scenario 1 and scenario 2, respectively. As shown in Fig. 1a, in scenario 1, node 11 is set to be the injector, and node 1 and node 6 are set to be the listeners. As shown in Fig. 1b, the injector is node 11 and the listener is node 1 in scenario 2. The observable node set is 3, 4, 7, 8, 9, 11, 12}, and the vulnerable node set is V V = {3, 7, 8}. Node 7 is assumed to deploy the proposed FDIA mitigation techniques.

A. PERFORMANCE OF THE LISTENING AND LEARNING PROCESS IN STAGE ONE OF THE ATTACK
In this subsection, we evaluate the performance of the listening and learning process in scenario 1 and scenario 2, respectively.  information for the estimation. Moreover, we observe that the estimation error decreases as the value of µ w increases. The reason for this phenomenon is that each diagonal element of weight matrix, w ii , 1 ≤ i ≤ N , becomes smaller as µ w increases, which makes the columns of matrix X k (0 : N − 1) be less correlated with each other, and the condition number of X k (0 : N − 1) becomes smaller [27].
2) SCENARIO 2 Fig. 3 shows the performance of the process of identifying vulnerable nodes, where ρ = 1.1, µ w = 0.1, and σ w = 0.02. The false-alarm probability for identifying vulnerable nodes is defined as and the detection probability for identifying vulnerable nodes is defined as From Fig. 3a, we observe that the false-alarm probability for identifying vulnerable nodes decreases as the redundancy of observations increases. The reason is that for an invulnerable node i, i / ∈ V V , if the redundancy of observations increases, the 1-norm of the component of state larger, which makes node i be easier to be identified as an invulnerable node. Moreover, the false-alarm probability for identifying nodes 2 and 9 is smaller than that for identifying nodes 4 and 12. The reason for this phenomenon is that nodes 2 and 9 have two neighbor nodes outside set V A , whereas nodes 4 and 12 only have one neighbor node outside set V A . Therefore, the component of state vectors of nodes 2 and 9 in R X k V A 0 :N − 1 T ⊥ is higher than that of nodes 4 and 12.  From Fig. 3b, we observe that the redundancy of observations has little effect on the detection probability for identifying vulnerable nodes. The reason is that the injector can succeed in identifying vulnerable nodes with 100% accuracy in theory. However, due to the limited calculation precision, the projection of state vector of a vulnerable node v on R X k V A 0 :N − 1 T ⊥ may not exactly equal to 0. Hence, some missed detections may happen occasionally. Moreover, the detection probability for identifying nodes 3 and 8 is higher than that for identifying node 7. The reason for this phenomenon is that nodes 3 and 8 have respectively four and five neighbors, while node 7 only has three neighbors. Hence, the state vectors of nodes 3 and 8 are more Under the same calculation precision, the components of state vectors of nodes 3 and 8 in R X k are smaller than that of node 7, which means nodes 3 and 8 VOLUME 8, 2020    can be correctly identified as vulnerable nodes with a higher probability. Fig. 4 shows the estimation error of weight vectors for vulnerable nodes, where the estimation error is defined as From Fig. 4, we observe that the estimation error decreases as the redundancy of observations or parameter µ w increases. Compared with the result in Fig. 2, the estimation error in scenario 2 is much smaller than that in scenario 1. The reason for this phenomenon is two-fold. First, the number of elements to be estimated in scenario 2 is less than that in scenario 1, which makes the cumulative sum be smaller in scenario 2. Second, for simplicity, we assume that the identifying of vulnerable nodes has been completed without error when we evaluate the estimation error in scenario 2.

B. PERFORMANCE OF THE FALSE DATA INJECTION IN STAGE TWO OF THE ATTACK
In this subsection, we evaluate the effectiveness of the FDIA strategy, including the sudden FDIA and the dynamic FDIA. For simplicity, we assume that normal nodes do not adopt any defense strategy to resist the attack. In the simulations, we set µ w =0.1, σ w = 0.02, and N = 8. The attacker launches the FDIA after iteration N + N = 20. The divergence between the goal of the injector and the true value of unknown scalar parameter is defined as G = G k − x 0 . Fig. 5 shows the consensus update process of node 11 (injector) and node 2 under sudden FDIA. From Fig. 5, we observe that the states of node 11 and node 2 gradually converge to the true value of unknown parameter if no attack is launched. However, if the sudden FDIA is launched by node 11, the state of node 11 experiences a steep rise at iteration 21. After iteration 21, the states of node 11 and node 2 gradually converge to G k . Moreover, a larger value of G leads to a steeper rise of the injector's state at iteration 21 and a longer convergence time.

1) SUDDEN FDIA STRATEGY
2) DYNAMIC FDIA STRATEGY Fig. 6 shows the injected data under dynamic FDIA at each iteration, where G = 5. From Fig. 6, we observe that a larger µ A results in a larger injected data at the beginning of the attack and a shorter convergence time. Compared between the results in Fig. 6a and Fig. 6b, we observe that the injected data at the beginning of FDIA in scenario 1 is slightly different from that in scenario 2. The reason is that the attack parameterw V V ,a A is calculated in different ways for scenario 1 and scenario 2. Fig. 7 shows the consensus update process of node 11 (injector) and node 2 under dynamic FDIA. From Fig. 7, we observe that a larger µ A corresponds to a shorter convergence time and a steeper rise of the injector's state, x k i (t), at the beginning of attack. Fig. 8 shows the cumulative sum of injected data, t u k a A (t). From Fig. 8, we observe that the cumulative sum of injected data converges to a constant value for different values of µ A . The reason for this phenomenon is that no matter what value of µ A is, the expectation of limit value of t u k a A (t), E t→∞ u k a A (t) , equals to G v a A . Therefore, the cumulative sum of injected data only depends on the weight matrix. Furthermore, the injected data in the sudden FDIA is also G v a A . Therefore, if the goal of the injector is determined, the cumulative sum of injected data is a constant value regardless the type of FDIA or the value of µ A .

C. PERFORMANCE OF THE REAL-TIME FDIA DETECTION METHOD
In this subsection, the performance of real-time FDIA detection method against the learning-based cooperative FDIA is evaluated, where µ w =0.1, σ w = 0.02, and N = 8.
In order to implement the real-time FDIA detection method, eigenvalues λ 2 , λ 3 , and λ 4 are first estimated with the algorithm in Theorem 1. Fig. 9 shows the estimation error of the eigenvalues, where the estimation error is defined as Err λ i = (λ i −λ i ) 2 . From Fig. 9, we observe that the estimation error decreases as the total number of iterations in each instance of consensus-based distributed estimation, T , increases. The conclusion is consistent with the analysis in Appendix. Moreover, the estimation errors satisfy Err λ 4 > Err λ 3 > Err λ 2 regardless the value of T . The reason is that eigenvalues λ 2 , λ 3 , and λ 4 are estimated sequentially. Fig. 10 shows the performance of the proposed real-time attack detection method against the sudden FDIA, where the spatial-difference-based statistic, the one-shot statistic, and VOLUME 8, 2020  the real-time statistic obtained by node 7 are shown in 10a, 10b and 10c, respectively.

1) REAL-TIME ATTACK DETECTION METHOD AGAINST THE SUDDEN FDIA
As shown in Fig. 10a, at iteration 21, the spatial-differencebased statistic of the injector, s k 7,11 (t), experiences a steep increase, whereas the spatial-difference-based statistics of the normal nodes, s k 7,3 (t) and s k 7,8 (t), almost remain unchanged. After iteration 21, s k 7,11 (t) gradually declines to 0; meanwhile, the effect of injected data propagate to normal nodes 3 and 8, and makes s k 7,3 (t) and s k 7,8 (t) change in the opposite direction. Moreover, a larger value of G leads to a steeper increase of s k 7,11 (t) at iteration 21 and a longer convergence time.
As shown in Fig. 10b and Fig. 10c, at iteration 21, the oneshot statistic and the real-time statistic of node 11 experience a steep increase, whereas these two statistics of nodes 3 and 8 almost remain unchanged. Therefore, as long as the decision threshold h in (17) is chosen appropriately, the injector can be identified with the real-time FDIA detection method. By cutting off the link connecting with the injector (i.e., setting w 7,11 to be 0), node 7 can resist the sudden FDIA effectively.
To verify the timeliness of the real-time FDIA detection method, we evaluate the performance of attack detection at iteration 21. Fig. 11 shows the receiver operation characteristic (ROC) curve of attack detection against the sudden FDIA at iteration 21, where µ w = 0.02, σ w = 0.005, the false-alarm probability for attack detection is defined as P FA,Att = 1 2 Pr S k 7,3 (21) > h + 1 2 Pr S k 7,8 (21) > h , and the detection probability for attack detection is defined as P D,Att = Pr S k 7,11 (21) > h . From Fig. 11, we observe that a larger magnitude of G results in a better detection performance. The reason is that the data injected by the injector at iteration 21 increases as the magnitude of G increases, which make the injector be identified more easily. Hence, the real-time FDIA detection method can achieve a high detection probability, as well as maintaining a low false-alarm probability at iteration 21.
2) REAL-TIME ATTACK DETECTION METHOD AGAINST THE DYNAMIC FDIA Figs. 12 and 13 show the performance of real-time attack detection method against the dynamic FDIA in scenario 1 and scenario 2, respectively, where G = 5.
As shown in Figs. 12a and 13a, at iteration 21, the spatialdifference-based statistic of the injector, s k 7,11 (t), experiences a steep increase, whereas the spatial-difference-based statistics of the normal nodes, s k 7,3 (t) and s k 7,8 (t), almost remain unchanged. After iteration 21, the spatial-differencebased statistics of the normal nodes, s k 7,3 (t) and s k 7,8 (t), increase first and then decrease. Moreover, we also observe that a larger value of µ A results in a steeper change of spatial-difference-based statistics at the beginning of attack and a shorter convergence time.
As shown in Figs. 12b, 12c, 13b and 13c, at iteration 21, the one-shot statistics and the real-time statistic of the injector, k 7,11 (t) and S k 7,11 (t), experience a steep increase, whereas the one-shot statistics and the real-time statistics of normal nodes, k 7,3 (t), k 7,8 (t), S k 7,3 (t) and S k 7,8 (t), almost remain unchanged. Hence, the dynamic FDIA can be detected by the real-time attack detection method with an appropriate decision threshold. From Figs. 12c and 13c, we also observe that a larger value of µ A results in a steeper increase of S k 7,11 (t) at iteration 21, which makes the injector be identified more easily. Moreover, from Figs. 12c and 13c, we also observe that the real-time statistic of each node will converge to a constant value for different values of µ A . The reason for this phenomenon is that if the dynamic FDIA is launched, the limit value of real-time statistic, S k ij (∞), approximately equals to e T ij ∞ τ =1 W τ e a A E t u k a A (t) = e T ij ∞ τ =1 W τ e a A G/v a A , which only depends on the goal of the injector and the weight matrix. Fig. 14 shows the ROC curve of the real-time attack detection method against the dynamic FDIA at iteration 21, where µ w = 0.1, and σ w = 0.02. From Fig. 14, we observe that the detection performance improves as the value of G or µ A increases. The reason for this phenomenon is that the data injected by the injector at iteration 21 increases as the value of G or µ A increases, which make the injector be identified more easily. Hence, the real-time FDIA detection method can achieve a high detection probability, as well as ensuring a low false-alarm probability at iteration 21.

VI. CONCLUSION
In this paper, we investigated the FDIA problem in the consensus-based distributed estimation. Since the weight matrix is important for both attackers and defenders, the effect of the information of weight matrix on the FDIA and the FDIA mitigation techniques was studied. First, a learning-based cooperative FDIA strategy was designed, where the weight matrix was estimated and utilized to launch the sudden FDIA and the dynamic FDIA. With the obtained information of weight matrix, the attacker can tamper the consensus result of the network to a pre-designed false value. Furthermore, to enhance the covertness of FDIA, a realtime surveillance and response mechanism was constructed for malicious nodes to surveil the consensus update process of normal nodes. By switching between launching the FDIA and performing normal consensus update dynamically, the attacker can bypass existing FDIA detection methods. In order to ensure the security of consensus-based distributed estimation, a real-time attack detection method was proposed to defend against the learning-based cooperative FDIA. Considering that the false-alarm of attack detection system may degrade the performance of consensus-based distributed estimation, we further presented a reassessment mechanism to reassess malicious nodes. With the embedded punishment scheme, the reassessment mechanism can resist the surveillance and response mechanism in the learning-based cooperative FDIA effectively. Comprehensive simulation results show that the attacker can acquire the information of weight matrix and tamper the consensus result to a false value through launching the learning-based cooperative FDIA. Moreover, the proposed real-time FDIA detection method can identify the attacker promptly.

APPENDIX PROOF OF THEOREM 1
The proofs of 27a, 27b, and 27c are sequentially provided as follows.
According to (21), the spatial-difference-based statistic is expressed as s k ij (t) = N n=2 λ t n c n . Since all the eigenvalues in λ are non-zero and different from each other, we have lim t→∞ λ t i λ t 2 = 0, i ≥ 3. Hence, (21) can be rewritten as where o λ t 2 is an infinitesimal of higher order than λ t 2 . According to (A.1), we have lim t→∞ s k ij (t) s k ij (t − 1) This completes the proof of (27a). VOLUME 8, 2020