Resilient Event-based Control for Nonlinear Cyber-Physical Systems under Intermittent Deception Attacks

We address the resilient event-based control of nonlinear cyber-physical systems subject to deception attacks. In particular, an improved Takagi–Sugeno (T-S) fuzzy model is employed to solve the mismatch problem between the fuzzy system and fuzzy controllers. From the attacker’s point of view, we construct a novel queuing model to depict the intermittent behaviors of deception attacks. Then, a resilient event-based communication scheme is proposed, which is dynamically switched with diﬀerent attack modes. The idea is to appropriately reduce the number of triggers according to the severity level of attacks, which can further save network resources. By using piecewise Lyapunov functional methods, we ﬁnd a solution to the co-design of fuzzy controllers and event-triggering parameters while the concerned system is guaranteed to be exponentially stable. Finally, we apply the proposed approaches to a mass–spring–damping system, where the eﬀectiveness is well veriﬁed.


Introduction
Recent years have witnessed remarkable processes of cyber-physical systems (CPSs), which can be defined as a tight coupling of computation, communication, and physical plants [1,2]. Some potential applications include, but are not limited to, next generation smart grids, autonomous vehicles, health-care devices, and home automations [3]. From the perspective of control modeling, the dynamic physical process of CPSs is more likely assumed to be a linear model [4] while the nonlinear characteristic is consistent with the actual situation. Then, linear approximation approaches have been developed to resolve the difficulty in analyzing nonlinear systems, for instance, Takagi-Sugeno (T-S) fuzzy models have been verified as an effective alternative [5]. Compared with conventional T-S fuzzy approaches, where the same membership and premise variables are employed in the design of fuzzy systems and fuzzy controllers, an imperfect premise matching design strategy is proposed to increase the design flexibility [6], especially in network circumstances. [7] constructed independent membership and premise variables for the concerned system and feedback controllers in the presence of cyber attacks. In [8], a novel type-2 fuzzy fliter was established to investigate nonlinear networked control systems subject to parameter uncertainties, where the premise variables were different from those of the fuzzy system.
During the operation of a CPS, there is no doubt that shared or own networks are regarded as a core ingredient. Every component and their interconnections can be a risk factor to cyber attacks because CPSs are large-scale and geographically dispersed [9]. Moreover, cyber security techniques alone are not enough to guarantee CPS's security while control approaches can be adopted as a kind of compensation practices [10]. Then, new challenges are posed to control issues, in which denial of service (DoS) attacks and deception attacks have attracted plenty of research interests [11][12][13][14][15]. It is definitely a critical task to model the cyber attacks appropriately before control design. For DoS attacks, a few typical models or handling methods have been proposed. Stochastic models were employed to depict DoS attacks, for instances, Bernoulli models [16] and Markov models [17]. However, [18] mentioned that it was not entirely realistic to reflect the real intentions of attackers by stochastic models. Then, the so-called queuing model was established and the effect of DoS attacks was treated as a special kind of network-induced delay. The concepts of DoS frequency and duration are used to constrain the attacker's action. In such a way, it is possible to capture more types of DoS attacks. On this basis, [19] set the constraints on sleeping and active intervals of nonperiodic DoS attacks, which can be considered as an extension of DoS frequency and duration. When it comes to deception attacks, almost all related mathematical models in the literature belong to stochastic approaches [20], which don't give full attention to the deception attack itself, especially from the attacker's point of view. Deception attacks are a type of stealth attacks, and intermittent attack behaviors contribute to evading security detection mechanisms. In this sense, it is of theoretical and practical significance to model deception attacks in terms of queuing approaches, frequency and duration, which motivates us in present work.
On another hand, network resources are not scarce for current technologies, but idle resources takes an outstanding role in the scene of an emergency. To improve the utilization of network resources, event-triggered control strategies have been developed, for instances, [21] constructed an event-based sampling strategy, in which the control input was updated only at a bunch of discrete time instants; [22] considered the nature of digital information and proposed a novel event-triggered mechanism (ETM) with periodic sampling behaviors. These approaches have inspired a massive amount of outcomes [23][24][25][26][27] and the reference therein. In recent years, great efforts have been made to improve the ETMs. In [28], a new event-triggered data transmission scheme was proposed, in which the related triggering parameter was adaptive according to the variation of state error. [29] proposed a memory event-triggered scheme to reduce the redundant packet transmission, in which some recent released data were stored at the event generator. [30] investigated dynamic event-triggered control strategies, which gave rise to a larger inter-execution time compared to static strategies. In [31], a novel re-silient triggering strategy was established by taking into account the uncertainty caused by DoS attacks. In [32], the event-triggered strategy and periodic control strategy were integrated to reduce the transmission delay caused by DoS attacks. It is worth noting that related work is still an ongoing research issue, especially for the CPSs subject to cyber attacks, e.g., it is a promising work to adjust the event-triggered strategy in the presence of deception attacks, which inspires another motivation of this work.
The objective of this paper is to put forward the joint investigation of security requirements and resource constraints for nonlinear CPSs. Considering the network between system plant and remote controllers, the T-S fuzzy models of the monitored system and controllers are designed separately to characterize the nonlinear factors. Unlike previous stochastic approaches, deception attacks in present work are depicted as a kind of queuing model, which is closer to the real intention of attackers. To the best of the authors' knowledge, it is the first attempt to exploit such a queuing model. Moreover, this work devotes to the perfection of ETMs. Compared to the improved schemes [29][30][31][32], the properties of deception attacks are tightly integrated in the design of event-triggered strategies. To sum up, the main contributions of this paper are summarized as follows: 1) Improved T-S fuzzy models are employed to increase the design flexibility, and a novel queuing model is constructed to depict deception attacks; 2) A new dynamic event-triggered communication scheme is developed to alleviate the burden of network resources, which is adaptive for the intermittent aggressive behaviors of deception attacks; and 3) By using piecewise Lyapunov functional methods, we propose a solution to jointly design fuzzy controllers and event-triggering parameters, which can guarantee the monitored system exponentially stable under deception attacks. Finally, a mass-spring-damping system is introduced to verify the effectiveness of the proposed approaches.
Notation: In this paper, R nx represents the n xdimensional Euclidean space, I is an identity matrix, and R n×m represents a n × m real matrix. For a matrix P , P −1 denotes its inverse while P T is the transpose. For a symmetric matrix P , we define λ min (P ) and λ max (P ) as the minimum and maximal eigenvalue of P . For a real number h, h means the largest integer no more than h. Without special declarations, matrices are assumed to have compatible dimensions. tem state is periodically sampled, and the sampled data is transmitted over the network only when some pre-set conditions are satisfied, for instance, the system error exceeds a prescribed threshold, which is decided by the event trigger. A zero-order-holder (ZOH) is employed to keep the control information until next event occurs. It is noticeable that switching event triggers and controllers are adopted, which is relevant to the dynamic event-triggered strategies to be designed. In the following, the detailed models of fuzzy system, deception attacks, ETM, and fuzzy controllers will be demonstrated successively.

Physical Plant
Consider a nonlinear cyber-physical system, which can be approximated by a T-S fuzzy model: Plant rule i: IF φ 1 (x(t)) is W i1 and · · · and φ r (x(t)) is W ir THEṄ where x(t) ∈ R nx and u(t) ∈ R nu are the state vector and control input, respectively; A i , B i are constant matrices with appropriate dimensions corresponding to rule i; q is the number of fuzzy rules, φ(x(t)) = [φ 1 (x(t)), φ 2 (x(t)), · · · , φ r (x(t))] denote the premise variables, W iv (v = 1, 2, · · · , r) represent the fuzzy sets. Through the singleton fuzzifier, product interference, and center-average defuzzifier, the concerned system (1) can be expressed aṡ where Here, it is assumed that i (φ(x(t))) > 0 for all t > 0, which yields ϑ i (φ(x(t))) > 0 and q i=1 ϑ i (φ(x(t))) = 1. For simplicity, we use ϑ i to represent ϑ i (φ(x(t))) in the following presentation.
Due to the presence of the network, fuzzy controllers and the system model do not need to share the same premise variables [8], which can increase the design flexibility. The rule of the jth controller can be given by IFφ 1 (x(t)) isŴ j1 and · · · andφ p (x(t)) isŴ jp THEN wherex(t) denotes the real state information arriving at the controller side through network, K j (j = 1, 2, · · · , q) is the controller gain,φ(x(t)) = [φ 1 (x(t)),φ 2 (x(t)), · · · , φ p (x(t))] andŴ jv (v = 1, 2, · · · , p) are the premise variables and fuzzy sets, respectively. The defuzzified form of (3) can be expressed as where where the properties of γ j (φ(x(t))) and ω j (φ(x(t))) can refer to the ones in the system model; similarly, we use ω j to represent ω j (φ(x(t))).
Here, we make the following assumptions, which are of great significance for detailed design work.
Assumption 1 During network transmission, the transmission delays and package losses are out of scope of this paper. Moreover, we assume the system states can be measured integrally.
Assumption 2 Network security is a process of game. The attackers devote themselves to escaping from network security mechanisms while the defenders try to detect and resist attacks effectively. For CPSs, it is a tough work to segregate the attack completely at the network layer while network control approaches can be considered as a kind of security arrangements. The cyber attacks in this work are assumed to be detectable, which contributes to controller design for better system performance. We consider a kind of intermittent attack signal expressed as: where {f n + f n of f } stand for the time instants when the deception attack begins to act on the system with 0 ≤ f n < f n + f n of f < f n+1 for n ∈ N. From the definition, we define Υ 1 n [f n , f n +f n of f ) as the sleeping time interval of the malicious attack while Υ 2 n [f n +f n of f , f n+1 ) is regarded as the active time interval. Inspired by [19], it is reasonable to make the following assumption.
For Υ 2 n , we can always find a scalar f max > 0 satisfying where f n on = f n+1 − f n − f n of f is defined as the duration of the nth attack.
Remark 1 Note that previous works dealing with deception attacks, such as [24,33], are inclined to model the attack as a stochastic process. Such approaches rely heavily on the intentions of attackers, which are sometimes hard to determine in advance. Relatively, inspired by the queueing model of DoS attacks in [19], the intermittent deception attack signal is considered as a combination of sleeping time intervals and active time intervals. From the attacker's point of view, such intermittent aggressive behaviours can create more confusability for security detection and a high level of malicious attack may be produced in a finite-time active interval.
Remark 2 Different from the simplicity of creating DoS attacks, the deception attackers usually need to detect and gain some critical information of the target system. Such a process will bring a noticeable rise in energy consumption. So, it is reasonable to set some power constraints for intermittent deception attacks. Through the lower bound f min and the upper bound f max , Assumption 3 depicts the constraints in terms of time duration.
Under the above deception attack, the real state information in (4) can be rewritten aŝ where ς(t) denotes the injected false data, which is a bounded energy signal.
Assumption 4 It is assumed that the energy signal ς(t) satisfies: where the constant ε is determined by the characteristics of malicious attacks.
Remark 3 Note that deception attacks aim to make the system deviate from the expected performance while they make efforts to avoid security monitoring. A customary approach is to produce the attack signal on the basis of the current system state with ς(t) = ς(x(t)). So, Assumption 4 is reasonable from the attackers perspective.
Before proceeding further, we first make a modification on the model of deception attacks. As an eventtriggered communication scheme with periodic sampling is employed in Fig. 1, the analyzing emphasis is layed on the sampling instants. From this point of view, the attack sequences in Eq. (5) can be rewritten as where for more detailed definitions of F n and F of f , we can refer to the ones in Eq. (5).
Without loss of generality, we redefine Υ 1 n [F n , F n + F n of f ) as the sleeping time interval and Υ 2 n [F n + F n of f , F n+1 ) the active time interval. Assumption 3 should also be updated as follows.
Assumption 5 For Υ 1 n , we can always find a scalar For Υ 2 n , we can always find a scalar F max > 0 satisfying

Remark 4
The modification on the model of deception attacks is precisely illustrated in Fig. 2. For example, the deception attack arrives between the 5th and 6th sampling instant. In the framework of the designed communication scheme, we can consider the 6th sampling instant as the initial point of an effective attack. Such treatments make the behaviors of deception attacks synchronized with the event-triggered mechanism to be designed.

Design of Resilient Event-Triggered Mechanism
Inspired by [22], an improved event-triggered mechanism is proposed with consideration of the malicious attacks: where α and δ are predefined positive scalars, h is the sampling period. For k ∈ N, {b 1 n,k } are the releasing instants in the nth sleeping interval Υ 1 n while {b 2 n,k } are the releasing instants in the nth active interval Υ 2 n .
n,k h + sh) denotes the current system state to be determine whether it should be transmitted. Ω > 0 is a weighting matrix to be designed.
Remark 5 Note that Eqs. (13)- (16) give a full description of the proposed ETM, which is closely associated with the deception attack signal. It can be inferred from Eq. (16) that event triggerings are compulsorily executed at the sampling instants when off/on or on/off transitions of deception attacks occur. Moreover, it is not difficult to derive the following constraint relationships: Meanwhile, let λ 1 Without loss of generality, we assume b 1 n,λ 1 n +1 h F n + F n of f and b 2 n,λ 2 n +1 h F n+1 , which will contribute to the analysis below.

Remark 6
In fact, the dynamic ETM (13) provides diverse triggering strategies corresponding to different attack modes. When the concerned system is healthy with Λ(t) = 1, the triggering condition degenerates into the typical form as in [22]. When the system is suffering from the malicious attacks with Λ(t) = 2, it is not needed that e T (t)Ωe(t)−δx T (b 2 n,k h)Ωx(b 2 n,k h) keeps always negative when (sh) remains positive. It can be inferred that the ETM (13) with Λ(t) = 2 obtains a larger inter-execution time. In realistic circumstances, the data is corrupted by the attack and less data is expected to release in the active interval of deception attacks. Of course, the control performance should be ensured in the meantime. Note that the tendency of interexecution time is related to the value of ε in Assumption 4, and a larger ε yields a larger inter-execution time.

The Overall Model
Referring to the work in [22], we divide [b As a zero-order-holder is employed in the physical plant, the control input with a switching control strategy under deception attacks is expressed as where K j,Λ(t) are the cotroller gains of switching fuzzy controllers.
According to the Eqs. (2), (18), (19), we obtain an overall closed-loop system model expressed as: According to the definition of DoS Frequency in [34], the following definition is made.
Definition 1 (Attack Frequency): Define N (0, t) = card n ∈ N | 0 < F n + F n of f < t as the number of off/on transitions of intermittent deception attacks over (0, t), where card denotes the number of elements in the set. If there are constants τ a > 0 and ν > 0 satisfying N (0, t) ≤ ν + t/τ a , we say that the deception attack signal merged by Υ 1 n and Υ 2 n satisfies the attack frequency constraint described by τ a and ν.
We are now in a position to begin the control issue as: based on the proposed resilient ETM (13), the control objective of this work is to design appropriate switching fuzzy controllers, which can guarantee the concerned system (20) exponentially stable (ES) [19] under the intermittent deception attack signal (10).
Case 1 Consider the situation that t ∈ [S m n,k,s , S m n,k,s+1 ) with m = 1. The time derivative of V 13 (t) is expressed as: Where It is not difficult to derive that Then, we define where M 11 , M 12 , N 11 , N 12 are arbitrary matrices with suitable dimensions. Combining the time derivative of V 11 (t), V 12 (t) and the Eqs. (20), (26), (27) and (28), one haṡ Taking consideration of the ETM (13), we gaiṅ Applying the Schur's complement to Eq. (30), it is indicated that With ω j − ι j ϑ j ≥ 0, it is clear that (23)- (25) are sufficient conditions to guarantee Integrating both sides of (32) for t ∈ [S 1 n,k,s , S 1 n,k,s+1 ), one has Case 2 Consider the situation that t ∈ [S m n,k,s , S m n,k,s+1 ) with m = 2. By conducting a similar analytical procedure as in Case 1, we conclude that the conditions (23) - (25) with m = 2 can guaranteeV 2 (t) − 2β 2 V 2 (t) < 0. Integrating both sides of it for t ∈ [S 2 n,k,s , S 2 n,k,s+1 ), we obtain According to the sufficient condition (22), it is not difficult to see that where β 0 = e 2(β1+β2)h . Next, by combining Case 1 and Case 2, we try to gain the general relationship between V (t) and V (0) for all t > 0. We assume that n off/on transitions of intermittent deception attack occur within (0, t), which Fig. 3, combining Eqs. (33) - (35) and Assumption 5, we have From the constructed Lyapunov-Krasovskii functional, it is easy to see that Taking (37) and (38) into account, it yields that So far, we can conclude that the concerned system (20) is exponentially stable with a decay rate /2. This completes the proof.
On this basis, we devote our attention to developing a co-design method for fuzzy controllers and eventtriggering parameters.

Simulation Examples
A mass-spring-damping system is considered to verify the proposed approach [35], whose dynamic equation is defined as: where m is the mass, x denotes the displacement from a reference point, u(t) stands for the external control input. The fricion force F f is defined as F f = cẋ with c > 0; the restoring force of the spring F s is given by F s =k(1 + a 2 x 2 )x with constantsk and a. Then, the dynamic equation can be rewritten as: 2], m = 1kg, c = 2N · m/s, k = 8, and a = 0.3m −1 . We choose x 1 (t) as the premise variable and construct a T-S fuzzy model for (48): where the corresponding matrices can be given as:  According to the modeling method in [35], the membership functions can be defined as ϑ 1 = x 2 1 (t)/4 and ϑ 2 = 1 − ϑ 1 .
As shown in Fig. 4, an intermittent deception attack signal is considered with the power-constrained parameters f min = 200h, f max = 80h, where the sampling period is set as h = 0.01. According to Assumption 5, we have F min = 200h, F max = 81h. The function of deception attacks is assumed to be ς(t) = −tanh(0.42x 1 (t)) −tanh(0.42x 2 (t)) .
It is clear that the upper bound ε = 0.42 in Assumption 4 can be gained. Moreover, the other parameters involved in Theorem 2 are chosen as: β 1 = 0.09, β 2 = 0.15, µ 1 = 1.05, µ 2 = 1.05, ρ 11 = ρ 12 = ρ 21 = ρ 22 = 1.5, ρ 23 = 1.2, α = 0.3, ι 1 = 0.1, ι 2 = 0.08 and δ = 0.1, which satisfies the sufficient condition (21). By using the LMI toolbox, feasible solutions of the inequations in Theorem 2 can be found. The weighting matrices of the ETM and the controller gains are given as For simulation purposes, we choose the initial state as x 0 = −2 2 T . The state responses and corresponding releasing period are depicted in Fig. 5. Some preliminary conclusions can be drawn as follows: it is demonstrated that the concerned system is asymptotic stable in the presence of deception attacks; comparatively well control performance can be gained owing to the adopted   Table 1, the larger the triggering parameter δ, the fewer sampled data are transmitted. Fig. 6 illustrates the responses of the control input, which is a piecewise continuous signal.   To further verify the effectiveness of the proposed switching event-triggered communication scheme, comparative experiments are conducted with various values of α and in different network environments, that is, with and without deception attacks. Table 2 lists the related parameter settings and simulation results. For the proposed resilient ETM, larger α yields smaller releasing number. That is, the network resource utilization can be further enhanced. In Fig. 5, compared to the sleeping interval of deception attacks, it is clear that fewer data are triggered in the active interval. It is worth pointing out that there is always a certain upper bound for α when ε is prescribed. Here, the situation α = 0 denotes a special case, where the resilient ETM degenerates into the original ETM as in [22]. The corresponding state responses and releasing period are demonstrated in Fig. 7. The triggering trend in the active interval is the same as that in the sleeping interval. 258 (177, in Fig. 5) sampled data are transmitted through network while the control performance has no advantage over the one in Fig. 5. It is inferred that the resilient ETM is superior to the original ETM in saving network resources. Moreover, Fig. 8 gives the comparative results, with and without deception attacks. Owing to the switching controllers, almost equally good control performance is obtained in the two circumstances. Of course, only 70 event triggerings are needed when no deception attacks are injected to the system.
On another hand, the inter restricted relationship between F min and F max are involved in the sufficient condition (21). For prescribed parameters β 1 = 0.09, β 2 = 0.15, µ 1 = 1.05, µ 2 = 1.05, and τ a = 0.4, Tables 3 -5 shows the comparative results. Table 3 lists the maximum F max allowed for every value of F min . From Table 4 and Table 5, we can notice that a larger sleeping interval of deception attacks generates a larger decay rate, while the larger the active interval, the smaller the decay rate. This result is consistent with the negative impact of deception attacks in the active interval.

Conclusion
This paper has investigated the event-triggered control issue of CPSs subject to intermittent deception attacks. A queuing model is constructed to depict the deception attack. Then, a novel event-based communication scheme is proposed to further optimize network resources, which is dynamically switched corresponding with the intermittent attack behaviors. By piecewise Lyapunov functional approaches, the fuzzy controllers and event-triggering parameters have been jointly designed. Finally, the effectiveness of the proposed approaches is verified by a mass-spring-damping system. From the simulation results, we can conclude that the concerned system is asymptotic stable with the proposed resilient ETM in the presence of deception attacks. Meanwhile, the resilient ETM gives rise to a larger inter-execution time while the control performance remains a good level. It improves not only the utilization ratio of network resources but also the security level of CPSs. Moreover, the inter restricted relationship of attack constraints is discussed, which is of great significance in practical application.