Moving Horizon FDIA: Stealthy Attack Design
- The paper introduces MH-FDIA, a methodology that designs attack sequences over a moving horizon to maximize estimator bias while maintaining stealth.
- It leverages a receding window optimization that ensures recursive feasibility, with validations on linear power grid and nonlinear autonomous vehicle case studies.
- The approach offers theoretical guarantees and utilizes projected gradient iterations, highlighting both attack strategies and potential defender countermeasures.
Moving-Horizon False Data Injection Attack (MH-FDIA) is a systematic methodology for constructing stealthy and effective attack sequences targeting moving horizon estimators (MHE) in cyber-physical systems (CPS). It addresses fundamental weaknesses of conventional (static) false data injection attacks (FDIA) by designing the attack over a receding time window, explicitly enforcing recursive feasibility and stealthiness constraints across the moving horizon. The methodology provides theoretical guarantees and outperforms prior FDIA methods when evaluated on linear power grid and nonlinear autonomous vehicle case studies (Zheng et al., 2023).
1. System and Estimator Framework
MH-FDIA is developed for discrete-time linear time-invariant (LTI) systems described by: where is the state, the input, the measurement, and , are bounded process and measurement noise.
A moving-horizon estimator (MHE) of fixed window length reconstructs the state trajectory at each time by solving the optimization: subject to 0.
After estimation, a residual-based bad data detector (BDD) computes: 1 where 2, triggering an alarm if 3.
2. Limitations of Conventional FDIA
Classical FDIAs operate at a single time step, seeking 4 to maximize bias: 5 and enforce stealthiness under a static (single-sample) BDD.
These static designs exploit the algebraic structure of 6, constructing 7 in the range of 8 to evade BDD. However, in MHE, the BDD operates over a moving window, and the constraint becomes: 9 As the time window recedes, past attack injections that satisfied the single-sample test may cause the sliding-window residual to exceed threshold, breaking stealthiness and recursive feasibility. Thus, static FDIAs are generally ineffective against MHE.
3. MH-FDIA Optimization Formulation
MH-FDIA formulates attack design over the moving window. The attacker selects an injection sequence 0 to maximize state estimate bias while maintaining stealth throughout the horizon. The formal optimization is: 1 where the stage cost 2 (with 3 being the stacked vector of attack injections) measures the MHE bias.
This approach explicitly incorporates the attack history and window-wide stealthiness, ensuring recursive feasibility as the MHE horizon shifts.
4. Theoretical Properties and Guarantees
Under standard assumptions—4 stable, 5 observable, bounded noise, and restricted attack support (only selected rows of 6 are compromised)—MH-FDIA provides:
- Complete Parameterization: All stealthy attacks over a fixed window can be described, via singular value decomposition 7, as 8, characterizing attack success in 9.
- Recursive Feasibility: Letting 0 span the null of un-attacked rows, feasibility of 1 is equivalent to 2.
- Projected Gradient Iteration: The bias function 3 can be iteratively increased via 4 with 5 in the gradient direction of 6 and step-size 7 adjusted to keep the residual constraint active but not violated.
- Monotonicity and Feasibility: Steps can be constructed so that each iterate increases attack bias without ever violating stealth constraints.
This systematic methodology guarantees that the attack sequence remains stealthy under the receding-horizon BDD and continually increases influence on the MHE state estimate.
5. Representative Numerical Studies
MH-FDIA is validated through simulations on both linear and nonlinear CPS benchmarks:
a) IEEE-14 Bus System
- Linearized swing dynamics, window 8, sampling 9 s, stealth threshold 0, attack support 1 of measurements.
- Baseline: static eigenvalue-maximization FDIA (Liu–Ning–Reiter method)
- Metrics: steady-state estimator bias 2, maximum BDD residual
- Results: MH-FDIA achieves up to 3 higher bias while keeping residuals below detection threshold, fully utilizing the feasible region unlike the static baseline. Projected-gradient iterations typically converge within a few thousand steps, with convergence speed significantly improved by increasing the step-size parameter 4.
b) Autonomous Vehicle Path-Tracking (Nonlinear DDWMR Model)
- Kinematics with UKF state estimation, sliding-window linearization, window 5, stealth threshold 6 per step (7).
- Attacks on 2 encoder channels, with trajectories including straight, circular, and figure-8 paths.
- Metrics: path deviation 8, BDD residual.
- Results: Robot systematically deviates from its planned path post-injection, while BDD residual remains within detectability limits. The trajectory’s qualitative shape persists, as the MH-FDIA accounts for attack history and system evolution.
6. Implications for Attacker and Defender Strategies
MH-FDIA conclusively demonstrates that recursive feasibility is essential for stealthy attack success against MHE. Any attack sequence not designed with the fullhorizon window in mind is almost certainly detectable after a few steps.
Recommended countermeasures for defenders include:
- Randomizing MHE window length 9 or detection threshold 0
- Sensor “probing” via known artificial offsets
- Cross-window consistency checks or higher-order residual computations
- Parallel observers with staggered onset times and comparison of corresponding estimates
A plausible implication is that broadened MHE window management and sensor fusion may provide enhanced resilience if implemented with these countermeasures.
7. Open Research Directions
Extensions and open questions highlighted in the literature include:
- Generalization of MH-FDIA to nonlinear MHE without reliance on windowed linearization
- Data-driven MH-FDIA design that circumvents the need for full model knowledge, enabling practical applicability to partially-known CPSes
- Rigorous stability analysis of closed-loop systems under attack, including the interplay between attack-induced bias and control system performance
These research directions suggest the continuing evolution of MH-FDIA approaches will shape both resilient estimator design and advanced anomaly detection in complex cyber-physical systems (Zheng et al., 2023).