Optimal Jamming Attack System Against Remote State Estimation in Wireless Network Control Systems

Security threats to Wireless Network Control Systems (WNCS), which can seriously disrupt system operation, have recently attracted wide public attention. To achieve the attack effect that every sensor is damaged and to maximize the terminal estimation error covariance, it is necessary to study an attack system from the attacker’s perspective. In this paper, we establish an attack system that includes the multi-sensor importance evaluation model, the time allocation of the jamming attack, and the attack rules. Specifically, we first establish the wireless network control system model and the jamming attack model. Then, according to the transmission data and channel parameter information intercepted by the attacker, we establish a sensor evaluation model based on the Mean Impact Value (MIV) algorithm. Next, based on the evaluation results of each sensor, we establish a distribution model of the number of attacks on each sensor. We then apply two jamming attack rules (the continuous attack rule and the good-sensor-late-attack rule) to attack each sensor. Finally, we use the attack system to conduct digital simulation experiments on first-order and high-order systems. In the multi-sensor importance evaluation experiment, there is no difference between the MIV-based sensor evaluation method and sensor performance evaluation based on estimation error. In the jamming attack time allocation experiment, the effect that every sensor is attacked is achieved. In the attack rule experiment, we compare the experimental results of “continuous attack” and “discontinuous attack”, and the result shows that the effect of “continuous attack” is better than that of “intermittent attack”. Similarly, we conduct comparative experiments on all attack strategies, and the results show that the “good-sensor-late-attack” strategy has the best effect. The effectiveness of the attack system is proved by digital simulation experiments.


I. INTRODUCTION
Wireless networked control systems (WNCS) are defined as spatially distributed systems which connect sensors, remote estimators and controllers through a wireless communication network [1], [2]. With the rapid development of Internet technology, WNCSs have been extensively used in areas such as smart grid, smart logistics, smart transportation and smart home [3], [4].
The associate editor coordinating the review of this manuscript and approving it for publication was Byung-Seo Kim.
At present, WNCSs have become increasingly important in industrial systems. Due to their ''openness'' characteristics [5], they are prone to attack. As a result, the security issues of WNCSs have aroused much interest from researchers [6], [7]. Attackers study how to attack WNCSs, while defenders study how to detect attacks [8], [9]. Generally speaking, there are four types of network attacks [10]: space hiding-time hiding attacks, such as system simulation attacks, Stuxnet-type replay attacks, etc.; space non-hidden-time hiding attacks, such as zero dynamic attacks, zero-dynamic induced attacks, etc.; space hiding-time non-hiding attacks, such as data injection attacks, topological attacks, etc.; space does not hide-time does not hide attacks, such as DoS attacks, general replay attacks, etc. Based on the above categories, the most common attack methods mainly include: false data injection attack, replay attack and DoS attack. The false data injection attack is defined as modifying the integrity data of data packets transmitted between components in the system [11]. Further, the researcher defines a stealthy fake data injection attack [12], [13]. As for the replay attack, it first records data from the system, and then injects the recorded data into the system to perform the attack [14], [15]. The DoS attack exploits limited network resources by constantly sending excess data to attack the network. The jamming attack is a typical DoS attack which can block the transmission of information. Therefore, this paper mainly considers the jamming attack. In the paper [16], based on the defender's perspective, the researcher proposed a scheme which can detect a node compromise attack without the need to share a key ring. However, there are few research results on jamming attacks from the perspective of attackers.
VOLUME 9, 2021. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
In the paper [17], the attacker studied the DoS attack strategy that maximizes the LOG cost function under energy constraints. Because the state estimate is obtained on the sensor, and the state estimate and the estimation error covariance are transmitted to the remote estimator through the wireless network channel, the pressure on network bandwidth increases, and the sensor must be a smart sensor. In [18], a necessary and sufficient condition is established for the scenario where the attacks are undetectable by the detector of the multi-sensor system. However, it is difficult to obtain the sensor parameters. In the paper [19], the researcher established a multivariate evaluation model. Based on this evaluation model, the suitable number of sensors can be obtained. The work in [20] applies the idea of cooperative game to design an optimal power allocation strategy when there are multiple attackers. The authors in [21] present a probabilistic attack method in which the attacker senses the channel state and executes the DoS attack only when the channel is idle. The authors in [22] investigate optimal attack schedule problems of wireless Cyber-Physical Systems with two sensors under DoS attack. However, the researchers did not consider that the attack time allocated to each sensor differs because of the sensors' different relative importance. In addition, they did not take account of the ''universality'' of the attack.
This paper studies the scenario where multiple sensors transmit measured values to remote estimators through wireless channels. Every sensor must be attacked. Meanwhile, each sensor makes a different contribution to the physical device, and the relative importance of each sensor is different, so the attack time is also different. Therefore, in order to maximize the terminal estimation error covariance, the purpose of this article is to design an optimal attack system from the attacker's point of view, based on the different importance of each sensor and under the constraints of the attacker. The main contributions of this article are as follows:
(1) We firstly establish a complete jamming attack system, including the multi-sensor importance evaluation model, the time allocation of the jamming attack and two attack rules.
(2) Then, in the multi-sensor importance evaluation model, we use the idea of MIV algorithm to analyze the relative importance of each sensor.
(3) Then, based on the results of sensor importance analysis, we allocate the attack time of each sensor. We guarantee that every sensor is attacked, and the relatively important sensor will be attacked for more time.
(4) Then, with the goal of maximizing the terminal estimated error covariance, we formulate two attack rules.
(5) Finally, this paper proves the validity of the conclusion through digital simulation experiment.
The rest of this paper is organized as follows. Section II presents the system model and attack model, and proposes a method for the identification of sensor structure parameter, and formulates the optimal jamming attack scheduling problem. Section III constructs an attack system, which includes multi-sensor importance evaluation, the time allocation of jamming attack and attack rules. In Section IV, we provide several numerical examples to validate our theoretical results. Section V draws conclusions.
Notations: Throughout the paper, $\mathbb{Z}$ is the set of all integers. $\mathbb{R}^n$ represents the $n$-dimensional Euclidean space. $P[X]$ and $E[X]$ refer to the probability and expectation of a random variable $X$, whose spectral radius is denoted by $\rho(X)$.

A. SYSTEM EQUATIONS AND OBSERVATION EQUATIONS
As shown in Figure 1, a wireless network control system is composed of physical devices, multiple sensors and remote estimators. It has broad application because it is cheap, easy to deploy and easy to expand [23]. Taking the discrete-time linear time-invariant system as an example, this paper constructs the system equation and observation equation of the wireless network control system, as shown below [24]: where $k \in \mathbb{Z}$ is a discrete time series, $x(k) \in \mathbb{R}^{n_x}$ is the state value of the system, assuming that the initial state of the system is $x(0)$, $y_i(k) \in \mathbb{R}^{m_y}$ is the measured value of the ith sensor, $\omega(k)$ is the process noise, assuming it is Gaussian white noise, the mean is 0, and the variance is $Q \ge 0$, $v_i(k) \in \mathbb{R}^{n_y}$ is the measurement noise, assuming it is Gaussian white noise, the mean is 0, and the variance is , $\omega(k)$, and $v_i(k)$ are mutually independent.

B. THE IDENTIFICATION OF SENSOR STRUCTURE PARAMETER
This paper assumes that there are $N$ sensors in total and that the attacker cannot know the structural parameter information of the sensor, which means that the measurement matrix $H$ in formula (1) cannot be known, but the attacker can obtain the data set $y$ as follows by monitoring and recording the measurement value of each sensor: where $y_i$ represents the ith sensor and $y_{ik}$ represents the measured value of the ith sensor at the kth moment. It is assumed that the attacker is aware of the system dynamics, that is, the attacker can use existing prior knowledge to analyze the measurement equation and determine the model structure. This paper adopts the ''Maximum Exponential Square State Estimator'' which was proposed in the papers [25], [26] and [27]. So the objective function is as follows: where $\omega_i$ is the weight; $\sigma$ is the Parzen window width.
, where $i$ represents the ith sensor. The derivative of $F$ with respect to $H$ is obtained: Let $\partial F / \partial H = 0$, then the closed-form solution of $H$ is as follows: The attacker monitors the wireless communication network and launches a jamming attack to block the transmission of the measurement value $y_i$, $i \in \{1, 2, \ldots, N\}$. This paper uses the variable $\theta$ to describe the attacker's attack status, as shown below: Therefore, the function $y^*_a(k)$ represents the data received by the remote estimator, as shown below: According to the modified Kalman filter [28], [29], the optimal estimated value $x_a(k)$ is obtained in the remote estimator, as shown below: where $s$ represents the attack scheduling of the attacker, namely: $s = (\xi(1), \xi(2), \ldots, \xi(T))$, $\xi(k) = i$ means that the attacker attacks the ith sensor at time $k$, $K_a(k)$ refers to the gain of the Kalman filter,

D. THE JAMMING ATTACK MODEL
There is an attacker in the scenario considered in this paper. Since wireless communication signals can only be transmitted over one channel at a time, the attacker can only attack one channel at once [30]. $\xi(k) = i$ means that the attacker
In order to make the attack broader, it is required that each sensor must be subject to jamming attacks, namely: where $\tau_i$ represents the attack time of the ith sensor. The accuracy of the measurement data varies because of the quality differences of sensors. Therefore, the assigned attack time is related to the relative importance of each sensor. In this paper, the relatively important sensors get more jamming attack time, and the relatively less important sensors get less jamming attack time, namely: where $\eta_i$ represents the relative importance of the ith sensor and $\tau_i$ represents the attack time of the ith sensor. [32], as mentioned in [34], the estimation error $P_a(T)$ at the end time $T$ is an important indicator to measure the estimation performance. Therefore, this paper solves the following problems: where $J_T(s) = P_a(T)$ is the estimated error at the end time under the attack strategy $s$.

III. THE SYSTEM OF JAMMING ATTACK
A. MULTI-SENSOR IMPORTANCE EVALUATION BASED ON CMIV MODEL
This paper establishes a CMIV (Centralized-Mean-Impact-Value) model. This model is used to evaluate the relative importance of multiple sensors. The model employs the Mean Impact Value (MIV) algorithm, as shown in Figure 2. The MIV algorithm was first applied to neural networks to reflect the influence of the feature input in each dimension on the output of the neural network. Later, the researcher uses the MIV algorithm to evaluate the influence weight of the network feature input on the network output [33].
Assume that there are $N$ sensors. The first layer of the model takes the sensor measurement data $y_i$ as input and obtains $y_{1\pm\delta}$ through the function $Z(y_i)$, as shown below: where $Z(y_i)$ represents the self-increment and self-decrement of the measured value of the evaluated ith sensor.
The second layer of the model takes the output $y_{1\pm\delta}$ of the first layer as input, and obtains $x_{attack+}(k|k)$ and $x_{attack-}(k|k)$ through the function $G(y_{1\pm\delta})$, as shown below: where $I$ represents the identity matrix, $h^T$ represents the transpose of matrix $h$ and $A^T$ represents the transpose of matrix $A$.
In the third layer of the model, the outputs $x_{attack+}(k|k)$ and $x_{attack-}(k|k)$ of the second layer are used as inputs, and the outputs ), as follows: where $\|\cdot\|_2$ represents the two-dimensional norm, let $0.1 \le \delta \le 0.3$, $i = 1, 2, \ldots, N$. In summary, the final output $MIV_i$ of the model is the average impact value of the ith sensor which needs to be evaluated. In the same way, the average influence value $MIV = [MIV_1, MIV_2, \ldots, MIV_N]$ of each sample in the data set $y = [y_1(k), y_2(k), \ldots, y_N(k)]$ can be calculated according to the above steps. The absolute value of $MIV_i$ is regarded as the relative importance of each sensor, namely: where $\eta_i$ represents the importance of the ith sensor, and $|\cdot|$ represents the absolute value.

B. THE TIME ALLOCATION OF JAMMING ATTACK
From the perspective of the attacker, the allocation of attack time is related to the relative importance of each sensor. The attack time of a relatively important sensor should be more than the attack time of a relatively unimportant sensor. At the same time, in order to ensure that each sensor is attacked, this paper allocates the attack time of each sensor based on the sensor evaluation result of the CMIV model, as shown below: where $\tau$ represents the total attack time allocated by the attacker, $\tau_i$ represents the attack time allocated to the ith sensor and $N$ means there is a total of $N$ sensors.

C. JAMMING ATTACK RULE
As described in formula 1: where $w(k)$ and $v_i(k)$ are zero-mean Gaussian white noise, and their variances are $Q$ and $R_i$ respectively, and they are independent of each other. Rewrite Equation (10) as: where $h = A P(k) A^T + Q$, $g = \sum_{i \in s} H^T R_i^{-1} H$.
Theorem 1: With the goal of maximizing the estimated error $P(T)$ at the terminal, the optimal strategy for solving problem 2.1 is: continuous attack is better than discontinuous attack.
Theorem 2: With the goal of maximizing the estimated error $P(T)$ at the terminal, the optimal strategy to solve problem 2.1 is: the attacker follows the ''good-sensor-late-attack'' strategy.
Proof: The smaller the measurement noise in formula (26), the more accurate the sensor's measurement value generally is. Suppose the variances of the measurement noises of the three sensors are $r_1$, $r_2$, $r_3$ and $r_1 < r_3$, so 1 , namely $g_{r_1 r_2} > g_{r_3 r_2}$. As shown in formula (26), $P(k+1)$ is inversely proportional to $g$, so $P_{r_1 r_2}(k+1) < P_{r_3 r_2}(k+1)$. Therefore, the attacker follows the ''good-sensor-late-attack'' strategy to maximize $P(T)$.
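The ordering stated in Theorems 1 and 2 can be checked numerically; the following is an added example, not code from the paper. It assumes a scalar system and the information-form update $P(k+1) = (h^{-1} + g)^{-1}$ with $g$ summed over the sensors whose packets arrive; all parameter values and function names are constructed for illustration.

```python
"""Scalar error-covariance recursion under a packet-loss schedule (added example)."""


def covariance_trajectory(schedule, a, q, sensors, p0):
    """Return [P(1), ..., P(T)] for a schedule s = (xi(1), ..., xi(T)).

    xi(k) = 0: every measurement reaches the estimator at step k.
    xi(k) = i: the packet of sensor i (1-based) is lost at step k.
    sensors: list of (H_i, R_i) scalar pairs. Assumed update (information
    form of the Kalman filter): P(k+1) = 1 / (1/h + g).
    """
    if q <= 0 or p0 < 0 or any(r <= 0 for _, r in sensors):
        raise ValueError("need q > 0, p0 >= 0 and every R_i > 0")
    p, out = p0, []
    for xi in schedule:
        if not 0 <= xi <= len(sensors):
            raise ValueError(f"schedule entry {xi} names no sensor")
        h = a * p * a + q  # h = A P(k) A^T + Q
        # g sums H^T R_i^-1 H over the sensors whose packets arrive.
        g = sum(hi * hi / ri
                for i, (hi, ri) in enumerate(sensors, start=1) if i != xi)
        p = 1.0 / (1.0 / h + g)  # g == 0 leaves the prediction h unchanged
        out.append(p)
    return out


# Constructed parameters, not taken from the paper's experiments.
A, Q, P0 = 1.1, 1.0, 1.0


def continuous_vs_intermittent():
    """One sensor, six lost packets: consecutive versus every other step."""
    sensors = [(1.0, 1.0)]
    continuous = [0] * 6 + [1] * 6
    intermittent = [0, 1] * 6
    return (covariance_trajectory(continuous, A, Q, sensors, P0)[-1],
            covariance_trajectory(intermittent, A, Q, sensors, P0)[-1])


def good_late_vs_good_early():
    """Two sensors (sensor 1 has the smaller noise variance), three losses each."""
    sensors = [(1.0, 0.5), (1.0, 2.0)]
    good_late = [0] * 6 + [2] * 3 + [1] * 3
    good_early = [0] * 6 + [1] * 3 + [2] * 3
    return (covariance_trajectory(good_late, A, Q, sensors, P0)[-1],
            covariance_trajectory(good_early, A, Q, sensors, P0)[-1])


if __name__ == "__main__":
    c, i = continuous_vs_intermittent()
    print(f"terminal P, continuous loss:   {c:.4f}")
    print(f"terminal P, intermittent loss: {i:.4f}")
    late, early = good_late_vs_good_early()
    print(f"terminal P, good sensor lost last:  {late:.4f}")
    print(f"terminal P, good sensor lost first: {early:.4f}")
```

Feeding the same recursion a measured outage pattern shows how much terminal estimation error that pattern costs the remote estimator.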

IV. ILLUSTRATIVE EXAMPLES
A. SIMULATION ANALYSIS OF MULTI-SENSOR IMPORTANCE EVALUATION
Assume that the wireless network control system consists of three sensors. Figures 3-5 show the measured values of the three sensors. In these figures, the x-axis represents time in seconds, and the y-axis represents the measured value of the sensor.

1) THE SIMULATION OF IMPORTANCE EVALUATION OF SENSORS BASED ON CMIV MODEL
This paper evaluates the relative importance of 3 sensors according to the CMIV sensor evaluation model proposed earlier in the paper. The main parameters of the CMIV sensor following table: As Table 1 shows, $MIV_1$ is 0.0467, $MIV_2$ is 0.0912, and $MIV_3$ is 0.1375. $MIV_1$ is smaller than $MIV_2$, and $MIV_2$ is smaller than $MIV_3$.

2) THE SIMULATION OF IMPORTANCE EVALUATION OF SENSOR BASED ON REAL SYSTEM MODEL
The system state equation parameters and the measurement equation parameters of these three sensors are as follows: Use the MIV algorithm to evaluate the relative importance of the three sensors and obtain successively: $MIV_1$, $MIV_2$, $MIV_3$, as shown in the following table: As Table 2 shows, $MIV_1$ is 0.0547, $MIV_2$ is 0.1166, and $MIV_3$ is 0.1542. $MIV_1$ is smaller than $MIV_2$, and $MIV_2$ is smaller than $MIV_3$.

3) THE SIMULATION OF SENSOR IMPORTANCE EVALUATION BASED ON ESTIMATION ERROR OF REAL SYSTEM
The system state equation parameters and the measurement equation parameters of the three sensors are as follows: Use the Kalman filter algorithm to simulate the three sensors, and obtain the one-dimensional norm of the estimated errors of three sensors in turn, as follows: According to Table 3, the average estimation error of sensor 1 is greater than that of sensor 2, and the average estimation error of sensor 2 is greater than that of sensor 3.
The comparison of the simulation results in Table 1 and Table 2 shows that the sensor importance evaluation method based on sensor structure parameter identification and the sensor importance evaluation method based on the real system give the same order of MIV values for the three sensors. According to the Kalman filtering algorithm, the smaller the estimation error, the better the performance of the sensor. From Table 3, it can be concluded that the performance of sensor 3 is better than that of sensor 2, and the performance of sensor 2 is better than that of sensor 1. The importance of the sensors obtained by sorting the MIV values is the same as the sensor performance evaluation results obtained in Table 3.
Considering an attack on sensor 3 only, assume that attack strategy 1 is a continuous attack, namely: $r_1$ = 1 1 1 1 1 1 1 and suppose attack strategy 2 is an intermittent attack, namely: where {.} is the attack rule, ''1'' means to launch an attack, ''0'' means no attack. Figure 6 shows the variation curve of the estimation error; ''O'' represents attack strategy 1 and ''*'' represents attack strategy 2. In attack strategy 1, when the attack is completed, the estimation error is 0.2287. In attack strategy 2, when the attack is completed, the estimated error is 0.2151. The estimation error at the terminal time in attack strategy 1 is larger than that in strategy 2.
where {.} is the attack rule, the first line represents the attack strategy for the first sensor, the second line represents the attack strategy against the second sensor, and the third line represents the attack strategy against the third sensor, ''1'' means to launch an attack, ''0'' means no attack. Figure 7 shows the changes of the estimated error of six attack strategies. The figures show that the attack strategies with the largest estimated error at the end time $k = 60$ are attack strategy $s_1$ and attack strategy $s_3$.
When the estimated error at the end point of the two attack strategies is the same, we compare the estimated error at each point backwards from the end point. In the time period $k = 54$ to $k = 60$, the estimation error of attack strategy $s_1$ and attack strategy $s_3$ is the same. When $k = 53$, the estimated error of attack strategy $s_1$ is greater than that of attack strategy $s_3$, so one of the optimal attack rules for problem 2.1 is $s_1$.
Use the MIV algorithm to evaluate the relative importance of the two sensors and obtain successively: $MIV_1$, $MIV_2$, as shown in the following table:

2) THE SIMULATION OF SENSOR IMPORTANCE EVALUATION BASED ON THE ESTIMATION ERROR
Use the Kalman filter algorithm to simulate the two sensors, and obtain the one-dimensional norm of the estimated errors of two sensors in turn, as follows: According to Table 5, the average estimation error of sensor 1 is greater than that of sensor 2.
According to Kalman filtering algorithm, the smaller the estimation error, the better the performance of the sensor. According to Table 5, the performance of sensor 2 is better than that of sensor 1. The sensor importance obtained by sorting the MIV value in Table 4 is the same as the sensor performance evaluation result obtained in Table 5.

2) COMPARATIVE SIMULATION ANALYSIS OF CONTINUOUS ATTACK AND DISCONTINUOUS ATTACK
Considering an attack on sensor 2 only, assume that attack strategy 1 is a continuous attack, namely: $v_1$ = {111111} and suppose attack strategy 2 is an intermittent attack, namely: where {.} is the attack rule, ''1'' means to launch an attack, ''0'' means no attack. Figure 8 shows the variation curve of the estimation error. ''O'' is attack strategy 1 and ''*'' is attack strategy 2. In attack strategy 1, when the attack is completed, the estimated error is 1.0345. In attack strategy 2, when the attack is completed, the estimated error is 1.0129. The estimation error at the terminal time in attack strategy 1 is larger than that in strategy 2. So, one of the optimal attack rules for problem 2.1 is $v_1$.
Therefore, the validity of theorem 3.1 in this paper can be proved.
where {.} is the attack rule, the first line represents the attack strategy for the first sensor, the second line represents the attack strategy against the second sensor, ''1'' means to launch an attack, ''0'' means no attack. Figure 9 shows the curve of the estimation error covariance over time. As can be seen from the figure, the attacker did not launch an attack from $k = 1$ to $k = 45$. From $k = 46$ to $k = 60$, the attacker launched the attack. Comparing the estimation error covariance of the two attack strategies, the estimation error covariance of attack strategy 1 is 2.684 at the end point $k = 60$, and that of attack strategy 2 is 1.319. At the end point, the estimation error covariance of attack strategy 1 is larger than that of attack strategy 2.

V. CONCLUSION
In this paper, we establish an attack system. Specifically, the attack system consists of three layers: the multi-sensor importance evaluation based on the CMIV model, the time allocation of the jamming attack, and the attack rules. The sensor importance evaluation model based on CMIV can accurately evaluate the relative importance of each sensor. The allocation model of the number of sensor attacks can ensure that each sensor is attacked and that the more important sensors are attacked for more time. The attack criterion can ensure that the estimation error covariance of the remote estimator is maximized at the end point when a sensor is attacked. We proved its effectiveness by simulation experiments. Future work includes the study of attack rules for maximizing the average estimation error of the remote estimator, jamming attack rules for wireless networked control systems with network delay, and jamming attack rules for non-Gaussian white noise scenarios [35].