
Cyber Security of Sensor Systems for State Sequence Estimation: an AI Approach

Xubin Fang, Rick S. Blum, Ramesh Bharadwaj, Brian M. Sadler

TL;DR

The paper tackles the threat of adversarial sensor data on state sequence estimation by proposing a protective outer shell (APCC) that can surround any unprotected estimator and relies solely on unattacked training data. It introduces two variants, APCC-SIMPLE and APCC-ADDITIONAL, to handle attackers without and with knowledge of the protection scheme, respectively, and provides a mathematical treatment of the worst-case attacks (edge and water-filling) to quantify performance guarantees. Through extensive CVN-inspired simulations with Gaussian and Laplacian noise, the authors show that APCC-SIMPLE closely matches Genie performance in many cases, while APCC-ADDITIONAL delivers significantly better worst-case resilience under knowledgeable attacks, often approaching Genie performance even with many sensors attacked. The work demonstrates that integrating data-driven prediction, consistency checks, and histogram-based constraints can robustly protect ML-driven sequence estimation against powerful, time-varying sensor attacks, with implications for CVNs and broader sensor networks where attack surfaces are large and unpredictable.

Abstract

Sensor systems are extremely popular today and vulnerable to sensor data attacks. Due to the possible devastating consequences, counteracting sensor data attacks is an extremely important topic which has not seen sufficient study. This paper develops the first methods that accurately identify/eliminate only the problematic attacked sensor data presented to a sequence estimation/regression algorithm under a powerful attack model constructed based on known/observed attacks. The approach does not assume a known form for the statistical model of the sensor data, allowing data-driven and machine learning sequence estimation/regression algorithms to be protected. A simple protection approach for attackers not endowed with knowledge of the details of our protection approach is developed first, followed by additional processing for attacks based on knowledge of the protection system. In the cases tested for which it was designed, experimental results show that the simple approach achieves performance indistinguishable, to two decimal places, from that of an approach which knows which sensors are attacked. For cases where the attacker has knowledge of the protection approach, experimental results indicate that the additional processing can be configured so that its worst-case degradation with a large number of sensors attacked is significantly smaller than the worst-case degradation of the simple approach, and close to that of an approach which knows which sensors are attacked, for the same number of attacked sensors, with only a slight degradation under no attacks. Mathematical descriptions of the worst-case attacks are used to demonstrate that the additional processing will provide similar advantages in cases for which we do not have numerical results. All the data-driven processing used in our approaches employs only unattacked training data.

Paper Structure

This paper contains 18 sections, 3 equations, 9 figures, 13 tables.

Figures (9)

  • Figure 1: Figure illustrating spoofing attack on a radar. (a) Unattacked. (b) Attacked.
  • Figure 2: Block diagram of our approach. The block AD is an EDAD approach as per the text. We have two APCC options, APCC-SIMPLE (1. only) and APCC-ADDITIONAL (both 1 and 2) in the APCC block in the figure.
  • Figure 3: Block diagram of APCC-SIMPLE with $\beta=99\%$.
  • Figure 4: Block diagram with $\alpha=99\%$ illustrating how the APCC-ADDITIONAL processing builds on the APCC-SIMPLE processing, resulting in a decision on if each sensor is unattacked at a given time.
  • Figure 5: Block diagram illustrating the worst-case water-filling attack for APCC-ADDITIONAL. The red lines show places where there is enough room between the upper bound and the sensor data histogram to insert one or two attacks and these attacks cause the greatest degradation to the estimation/fusion.
  • ...and 4 more figures