
Attack Detector: Principles & Methods

Updated 9 November 2025
  • Attack detectors are systems that identify adversarial manipulations in networks and cyber-physical systems using control theory and machine learning.
  • They utilize dynamic windowed analyses and projection techniques to compare measured outputs with expected behavior for rapid anomaly detection.
  • Designs incorporate side initial state information to restrict undetectable attack spaces, ensuring timely and reliable detection of threats.

An attack detector is a system or algorithm designed to identify adversarial, malicious, or otherwise unauthorized manipulations within cyber-physical systems, computer networks, or machine learning models. In high-assurance domains, attack detectors serve as the last line of defense, operating under the assumption that other preventive controls may be bypassed. The design and evaluation of attack detectors is an active research area, integrating principles from control theory, statistics, machine learning, and formal security modeling. Modern attack detectors aim to address threats ranging from data-deception in CPS to malware dissemination and adversarial attacks on AI systems.

1. Fundamental Concepts and System Models

The canonical setting for attack detection in cyber-physical systems involves a discrete-time LTI (linear time-invariant) plant under data-deception, described by

$$x(k+1) = A x(k) + B a(k), \;\;\; y(k) = C x(k) + D a(k)$$

where $x(k)\in\mathbb{R}^n$ is the system state, $y(k)\in\mathbb{R}^p$ is the output, $a(k)\in\mathbb{R}^s$ is the adversarial input, and $(A,B,C,D)$ are plant and attack matrices. The attacker's objective is to modify output trajectories without being detected by an attack detector observing $y(k)$ (and possibly some side initial state information). The global view is to distinguish between

  • Plant under attack: output/component statistics/frequency deviating due to $a(k)\neq 0$
  • Plant under normal operation: $a(k) = 0$

The design of effective detectors requires formalizing attack models (e.g., false data injection, patch-based attacks, sensor/actuator manipulation), specifying the adversary's information and access, and defining what it means for an attack to be undetectable.

2. Undetectability, Weakly Unobservable Subspaces, and Side Information

A central result for dynamic attack detection is the characterization of undetectable attacks, particularly in the presence of side initial state information:

Given an attack sequence $E(T)=[a(0)^\top \ldots a(T)^\top]^\top$, the output evolves as

$$Y(T) = \mathcal{O}_T x(0) + \mathcal{M}_T E(T)$$

where $\mathcal{O}_T=[C; CA; \ldots; CA^T]$ is the extended observability matrix and $\mathcal{M}_T$ is the lower block-triangular input–output matrix.

If the detector has access to side information $y_\Omega = \Omega x(0)$ (with $\Omega\in\mathbb{R}^{q\times n}$), then an attack is undetectable if and only if there exists $\theta\in\mathcal{N}(\Omega)\cap\mathcal{V}(\Sigma)$ such that

$$\mathcal{M}_T E(T) = -\mathcal{O}_T \theta$$

where the weakly unobservable subspace is

$$\mathcal{V}(\Sigma) = \left\{ \theta: \exists\,E(n-1)\;\text{such that}\; \mathcal{M}_{n-1}E(n-1)+\mathcal{O}_{n-1}\theta = 0 \right\}$$

This condition generalizes earlier results: with no side information ($\Omega=0$), any $\theta\in\mathcal{V}(\Sigma)$ is admissible; with full knowledge ($\operatorname{rank}\Omega=n$), only zero-state-inducing attacks ($\mathcal{M}_T E(T) = 0$) are undetectable.

Attacks that can maintain undetectability indefinitely (arbitrary-long horizon) also require that the attack-induced state evolution plus the undetectable component remains in $\mathcal{V}(\Sigma)$ at all steps, i.e.,

$$\mathcal{C}_T E(T) + A^{T+1} \theta \in \mathcal{V}(\Sigma)$$

where $\mathcal{C}_T$ is the controllability matrix.

3. Classes of Attack Detectors and Dynamic Detection Algorithms

Attack detectors are categorized by the information and statistical tests they use:

  • Static detectors, which compare instantaneous or time-aggregated measurements against thresholds or invariants.
  • Dynamic (windowed) detectors, which analyze measurements over finite time windows using system dynamics or projections.

A provably correct dynamic detector can be constructed as follows: given a measurement window of length $l \ge n+1$, the detector forms

$$\overline{Y}(k) = [y(k-l+1)^\top, \ldots, y(k)^\top]^\top$$

and

$$\widehat{Y}(k) = \begin{cases} [y_\Omega^\top, \overline{Y}(l-1)^\top]^\top, & k=l-1 \\ \overline{Y}(k), & k \ge l \end{cases}$$

$$\mathcal{H}(k) = \begin{cases} [\Omega^\top; \mathcal{O}_{l-1}^\top ]^\top, & k=l-1 \\ \mathcal{O}_{l-1}, & k \ge l \end{cases}$$

Let $\Pi_{\mathcal{H}(k)}$ denote the orthogonal projector onto $\operatorname{Range}\mathcal{H}(k)$. The attack detector declares "Attack" as soon as $\widehat{Y}(k)\neq \Pi_{\mathcal{H}(k)}\widehat{Y}(k)$. For window length $l\ge n+1$, this detector is both consistent (no false alarms) and sound (every detectable attack is declared within the window).

4. Specialized and Generalized Undetectable Attack Classes

A structurally critical class is the zero-state-inducing attack, defined by $\mathcal{M}_T E(T)=0$. Such attacks drive the system state but result in output sequences identical to the zero-state, and are completely undetectable even with side initial state information. These attacks exist for arbitrarily long horizons if and only if the intersection of the output-nulling reachable subspace $\mathcal{W}_1$ and the weakly unobservable subspace $\mathcal{V}(\Sigma)$ is nontrivial.

In practical terms, zero-state-inducing attacks are the only ones that evade detection when the initial state is known exactly. Partial knowledge restricts the space of possible undetectable attacks depending on the kernel and image of $\Omega$.

5. Impact of Detector Side Information

Availability of side information (linear functions of the initial state) alters the fundamental detectability boundaries. Even a single known coordinate (for instance, $\Omega = [1, 0, \cdots, 0]$) can render attacks detectable that would be perfectly stealthy in the classic system-without-side-information setting. Simulation evidence demonstrates that a windowed detector with side information can raise an alarm within three time steps for certain zero-dynamics attack scenarios, whereas the same detector with $\Omega=0$ fails to detect such attacks at all.

This highlights the importance of initial state observability enhancements (e.g., through out-of-band monitoring) and their integration into dynamic attack detection architectures.
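The windowed detector of Section 3 and the effect of side information described in this section, as an added example (not code from the cited paper or from this page). It tests membership of the stacked window in Range H(k) with an exact rational rank comparison, which is equivalent to comparing the window with its orthogonal projection. The two-state plant, the window length l = 3 and all function names are constructed for illustration.

```python
from fractions import Fraction

# Constructed single-output plant (n = 2); the attack enters actuator (B) and sensor (D).
A, B, C, D = [[1, 1], [0, 1]], [0, 1], [1, 0], 1

def rank(M):  # exact rank over the rationals, so the range test needs no tolerance
    M, r = [[Fraction(v) for v in row] for row in M], 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(r + 1, len(M)):
            f = M[i][c] / M[r][c]
            M[i] = [x - f * y for x, y in zip(M[i], M[r])]
        r += 1
    return r

def step(x, a):  # one step of x(k+1)=Ax+Ba, y=Cx+Da; returns (y(k), x(k+1))
    y = sum(c * v for c, v in zip(C, x)) + D * a
    return y, [sum(p * v for p, v in zip(row, x)) + b * a for row, b in zip(A, B)]

def outputs(x0, attack):  # measured outputs y(0..T) under the attack sequence
    x, ys = list(x0), []
    for a in attack:
        y, x = step(x, a)
        ys.append(y)
    return ys

def stealthy_attack(theta, T):
    """E with M E = -O theta: the input that holds y at 0 from state theta."""
    z, E = list(theta), []
    for _ in range(T):
        E.append(Fraction(-sum(c * v for c, v in zip(C, z)), D))
        _, z = step(z, E[-1])
    return E

def first_alarm(ys, l, Omega=None, y_omega=None):
    """First k with Y_hat(k) outside Range H(k); None means no alarm."""
    O = [list(C)]
    while len(O) < l:  # rows C, CA, ..., CA^(l-1)
        O.append([sum(O[-1][i] * A[i][j] for i in range(len(A))) for j in range(len(A))])
    for k in range(l - 1, len(ys)):
        H, Y = O, ys[k - l + 1:k + 1]
        if k == l - 1 and Omega is not None:  # side information enters the first window only
            H, Y = Omega + O, y_omega + Y
        if rank([h + [y] for h, y in zip(H, Y)]) != rank(H):
            return k
    return None
```

With x0 = [1, 1] and side information on the first state coordinate (Omega = [[1, 0]], y_omega = [1]), the attack built from theta = [1, 0] raises an alarm at k = 2 only when the side information is supplied. The attack built from theta = [0, 1], which lies in the null space of Omega, raises none.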

6. Simulation Results, Performance Guarantees, and Practical Deployment

Application to a linearized longitudinal model of a remotely piloted aircraft (n=4, p=3, actuator/sensor attack channels) demonstrates three key empirical findings:

  • A dynamic windowed detector with side information ($\Omega$ full rank or nontrivial) strictly outperforms the detector with no side information, achieving rapid, early detection of attacks otherwise perfectly stealthy.
  • Consistency (no false positives) and completeness (detection of all detectable attacks) are guaranteed for window sizes $l\ge n+1$.
  • The detector's computational demands are limited to linear algebraic operations (projection onto subspace), making real-time deployment tractable.

In summary, the combination of system-theoretic subspace analysis, explicit accounting for side initial state information, and projection-based dynamic windowed detection yields a comprehensive solution that characterizes all undetectable attack classes, enables provable security guarantees, and offers evidence for practical efficacy in simulation. This approach concretely delineates the roles of system structure, initial knowledge, and attack trajectory in the broader taxonomy of attack detectors in cyber-physical systems (Chen et al., 2015).
