Stealthy Deactivation of Safety Filters

TL;DR

This work analyzes safety guarantees for CPS that rely on control-barrier function (CBF) based safety filters, and proposes a stealthy false-data injection attack that biases state estimates to deactivate such filters. The attack optimizes injected measurements $y^a$ under a stealth constraint to increase the perceived safety margin $h_S(\hat{x})$, potentially enabling unsafe control actions to be applied. A complementary detector monitors the direction of residual-induced state changes via $\rho(y,\hat{x})$ and a moving-average criterion to identify inward biases toward the safe set. Demonstrations on a double-integrator show effective safety-filter deactivation and the detector’s ability to identify the attack, highlighting practical security implications for safety-filtered CPS. The work offers a pathway to robust detection and motivates future research on attacks with reduced information requirements and alternative attack horizons.

Abstract

Safety filters ensure that only safe control actions are executed. We propose a simple and stealthy false-data injection attack for deactivating such safety filters; in particular, we focus on deactivating safety filters that are based on control-barrier functions. The attack injects false sensor measurements to bias state estimates to the interior of a safety region, which makes the safety filter accept unsafe control actions. To detect such attacks, we also propose a detector that detects biases manufactured by the proposed attack policy, which complements conventional detectors when safety filters are used. The proposed attack policy and detector are illustrated on a double integrator example.

Figures (4)

• Figure 1: Overview of the system architecture considered in this paper. The safety filter produces a safe control action $u_{\text{act}}$ given a desired control $u_{\text{des}}$ and the current estimated state $\hat{x}$. An adversary tries to deactivate this filter through false-data injections on the communication channel between the sensors and the observer by replacing the true measurement $y$ with a synthetic measurement $y^a$.
• Figure 2: The actual trajectory $x(t)$ and the perceived trajectory $\hat{x}(t)$ when the false-data injection attack defined by \ref{['eq:grad-attack']} is performed.
• Figure 3: The safety margin and resulting state trajectories when an attack with random directions according to \ref{['eq:random-attack']} is occurring, and when an adversary performs false-data injection attacks according to \ref{['eq:grad-attack']} with $h(x) = x_1$ and $h(x)=\left(x_1x_2\right)$, respectively.
• Figure 4: The correlation measure $\rho$ defined in \ref{['eq:rho']} and a moving average according to \ref{['eq:ma']} under two different attacks: a stealthy false-data injection attack with random directions according to \ref{['eq:random-attack']}, and a stealthy false-data injection attack according to \ref{['eq:grad-attack']}. An example threshold ($\nu = 0.9$) for a detector of the form \ref{['eq:ma']} is shown as a dashed line, which would detect the attack in \ref{['eq:grad-attack']} after about 0.2 seconds.

Theorems & Definitions (22)

• Definition 1: Safety
• Definition 2: Forward invariance
• Lemma 1: Forward invariance $\rightarrow$ safety
• proof
• Theorem 1: Nagumo's theorem nagumo1942lage
• Definition 3: Control Barrier Function
• Theorem 2: CBF $\rightarrow$ forward invariance ames2017cbf
• Definition 4: Deactivation
• Remark 1
• Theorem 3