Papers
Topics
Authors
Recent
Search
2000 character limit reached

Non-Stationary Concurrent Replay Attacks

Updated 8 July 2026
  • The paper identifies non-stationary concurrent replay attacks as integrity breaches where adversaries replay recorded, evolving sensor data across multiple channels to mimic normal operation.
  • It highlights that the changing dynamics in systems like nuclear reactors, moving-target control, and GNSS complicate traditional detection methods while enabling stealthy manipulation.
  • Adaptive detection techniques, including dual-window residual analysis and moving-target defenses, have shown improved accuracy (over 93%) in distinguishing legitimate from falsified signals.

Non-stationary concurrent replay attacks are integrity attacks in which an adversary records evolving measurements or signals during one interval and later re-injects them across multiple channels while the underlying process continues to evolve. In nuclear reactor cyber-physical systems, this means capturing multivariate time series of sensor readings during one operational regime and then injecting those previously recorded values concurrently on a subset of sensors; in control systems, it includes replaying past outputs while simultaneously injecting actuator inputs; in GNSS, record-and-replay attacks are commonly termed meaconing and can be carried out by relaying or replaying live signals or navigation-message content (Dahm et al., 17 Aug 2025, Weerakkody et al., 2017, Lenhart et al., 2022). The distinguishing technical difficulty is non-stationarity: startup, transients, steady state, shutdown, time-varying secret dynamics, or mobile radio conditions all make successful replay contingent on matching an evolving trajectory rather than a fixed statistical profile.

1. Formalization and threat model

A reactor-centered formulation models the true multivariate sensor vector as X(t)RnX(t)\in\mathbb{R}^n, with components xi(t)x_i(t), evolving along a non-stationary trajectory driven by physics and control actions. An adversary records a sequence

X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)

and then, starting at time tt, injects these past values concurrently on a subset of sensors S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}. The observed measurements become

X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}

A successful attack must maintain

X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t

for small ε>0\varepsilon>0 in order to remain stealthy, yet eventually drive the reactor toward an unsafe region by causing

X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,

where EHE_H is the minimum deviation to induce harm. The defender’s goal is to raise an alarm as soon as

xi(t)x_i(t)0

that is, before physical safety is compromised (Dahm et al., 17 Aug 2025).

The same concurrency appears in the moving-target control setting considered by Weerakkody and Sinopoli, where an adversary can read and modify every xi(t)x_i(t)1 and xi(t)x_i(t)2 channel, record blocks of true outputs xi(t)x_i(t)3 over some past interval, replay them to the detector, and simultaneously inject xi(t)x_i(t)4 on the actuators so as to push the real state (Weerakkody et al., 2017). In GNSS, Lenhart et al. describe distributed attacks in which signals from different locations are relayed over the Internet and replayed within range of the victim receiver, and the message-level variant allows replaying signals from multiple GNSS constellations and/or bands simultaneously (Lenhart et al., 2022).

Domain Replay object Concurrent aspect
Nuclear reactor signals Previously recorded multivariate sensor values Several sensors at once
Moving-target control systems Past outputs xi(t)x_i(t)5 Replay plus actuator injection
GNSS meaconing Raw I/Q or decoded parameters and nav-bits Multiple satellites, constellations, and/or bands simultaneously

This suggests that “concurrent” does not merely indicate multiplicity of channels; it denotes coordinated manipulation across sensing and, in some settings, actuation, with timing chosen to preserve short-horizon plausibility under non-stationary dynamics.

2. Why non-stationarity makes replay both stealthy and detectable

The reactor study states that false data injections have been shown to bypass conventional linear time-invariant state estimators and failure detectors based on statistical thresholds, and that the dynamic, nonlinear, multi-variate nature of sensor signals, combined with inherent noise and limited availability of real-world training data, makes characterization of such threats and their differentiation from anticipated process anomalies particularly challenging (Dahm et al., 17 Aug 2025). This is the central paradox of non-stationary replay: the attack can be difficult to distinguish from legitimate trajectory evolution precisely because the nominal process is itself changing.

A related point appears explicitly in the moving-target formulation. In a stationary or purely deterministic-model setting, an adversary who recorded a long block of past xi(t)x_i(t)6 values can replay them perfectly and drive the real xi(t)x_i(t)7 arbitrarily without ever upsetting the filter residual. By contrast, when the defender augments the plant with extraneous modes whose dynamics are linear time-varying and secret, any replay of old extraneous-sensor values will quickly mismatch the filter’s prediction unless the adversary perfectly predicts the secret matrices (Weerakkody et al., 2017). Non-stationarity is therefore ambivalent: it can mask replay when defenders assume fixed models, but it can also expose replay when defenders deliberately introduce secret variation.

GNSS provides a different manifestation of the same issue. Navigation Message Authentication prevents spoofing by simulation, but authentication does not prevent record-and-replay attacks, commonly termed meaconing. In other words, cryptographic validity of the content does not preclude malicious displacement in time, space, or delay structure (Lenhart et al., 2022). A common misconception is that authenticated content is therefore sufficient; the GNSS results directly contradict that assumption.

The reactor results also show the practical cost of simplistic detection. Single-point thresholding, for example xi(t)x_i(t)8, yielded only xi(t)x_i(t)9–X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)0 per-second detection on FDI sets, whereas the two-window residual scheme materially improved detection (Dahm et al., 17 Aug 2025). The significance is methodological: in non-stationary settings, short-horizon residual spikes and longer-horizon drifts need to be aggregated differently.

3. One-class recurrent prediction and adaptive residual analysis

The reactor framework learns a one-class predictor X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)1 of future reactor states, training only on normal data X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)2. Given a sliding window of length X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)3, the input is

X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)4

The study explores standard RNNs, Gated Recurrent Units, and Long Short-Term Memory cells. For a GRU cell,

X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)5

where X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)6 is the hidden state, X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)7 the current input, and X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)8 the one-step-ahead prediction of X(tτ),X(tτ+1),,X(tτ+L1)X(t-\tau),\, X(t-\tau+1),\dots,X(t-\tau+L-1)9. Training minimizes the mean squared prediction error

tt0

The reported hyperparameters, selected by grid search, are window length tt1, hidden dimension tt2, batch size tt3, learning rate tt4, and epochs tt5 (Dahm et al., 17 Aug 2025).

At run time, each prediction yields the per-step residual

tt6

Rather than thresholding tt7 alone, the framework forms two rolling averages,

tt8

with tt9 and S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}0. An anomaly flag is raised whenever

S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}1

with S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}2 and S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}3 (Dahm et al., 17 Aug 2025). The paper describes this as an adaptive two-window scheme that detects both sudden large perturbations via the short window and longer but subtler drifts via the medium window.

The one-class structure is consequential because the model is trained only on normal operational data. This directly addresses the limited availability of real-world attack data noted in the reactor setting and frames replay detection as deviation from learned normal temporal structure rather than classification across a catalog of attack labels.

4. Explainability and sensor-level attribution

The reactor framework couples residual analysis with explainability modules: a modified SHAP algorithm and rule-based correlations. The modified WindowSHAP groups each sensor’s S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}4-length history into one feature window and computes, for each sensor S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}5,

S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}6

Unlike classic SHAP, missing windows are occluded by replacing them with a moving baseline equal to each signal’s first value in the window; for count-rates, zero is used. The result is a per-sensor contribution to the current prediction error, where negative S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}7 means that the sensor’s trend correlates with the model error, while near-zero or positive values imply conformity to nominal behavior (Dahm et al., 17 Aug 2025).

The rule-based layer encodes domain rules linking control-rod active state S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}8 to measured position S{1,,n}\mathcal{S}\subseteq\{1,\dots,n\}9, and neutron count X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}0 to measured change rate X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}1. For each rod, if X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}2 cm but X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}3, the rule flags an anomaly; if two consecutive time steps are anomalous and data valid, it is classified as FDI for that rod. For the count-rate sensor, the rule checks

X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}4

with no corresponding rod motion (Dahm et al., 17 Aug 2025).

These two explainability modes serve different functions. SHAP attributes anomalous prediction error to specific signal histories, whereas the rule system tests whether physically meaningful correlations have been broken. The paper reports that modified SHAP correctly highlighted falsified signals and suppressed nominal ones, and that rule breaks pinpointed exactly which sensors were attacked (Dahm et al., 17 Aug 2025). This is significant because replay attacks in multivariate systems are not only a detection problem; they are also an origin-identification problem.

5. Empirical validation on PUR-1 and the structure of the observed attacks

The reactor experiments use a real-world dataset from Purdue’s PUR-1 research reactor, described as fully digital instrumentation and control. Data were collected over X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}5. Of these, X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}6 of normal operation, comprising X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}7 cycles, were split X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}8 into train, validation, and test. The remaining X~i(t+k)={xi(tτ+k),iS,  k=0,,L1, xi(t+k),iS.\tilde X_i(t + k)= \begin{cases} x_i(t-\tau+k),&i\in\mathcal{S},\;k=0,\dots,L-1,\ x_i(t+k),&i\notin\mathcal{S}. \end{cases}9 were partitioned into five challenge sets: #2 Transients with X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t0 cases, #3 Scrams with X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t1 genuine scrams, #4 FDI-A with neutron counts falsified, #5 FDI-B with counts and change-rate falsified, and #6 FDI-C with counts, rate, and X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t2 rod positions falsified. Inputs were min–max normalized, windowed at X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t3 cadence, and fed into the GRU model with window length X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t4, hidden size X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t5, learning rate X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t6, and X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t7 epochs. Detection performance was measured by per-second accuracy, precision, recall, and F1 score under the dual-window residual analysis (Dahm et al., 17 Aug 2025).

Forecasting accuracy on normal, transient, and scram test sets remained high, with RMSE X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t8. For attack detection, single-point thresholding yielded only X~(t)X(t)εt\|\tilde X(t)-X(t)\|\le\varepsilon\quad\forall\,t9–ε>0\varepsilon>00 per-second detection on FDI sets. By contrast, the two-window residual scheme achieved ε>0\varepsilon>01 detection accuracy on all FDI sets, with false positives below ε>0\varepsilon>02 on all normal sets; recall was approximately ε>0\varepsilon>03 and ε>0\varepsilon>04 approximately ε>0\varepsilon>05 (Dahm et al., 17 Aug 2025). The abstract also states that the framework was able to detect false data injections with accuracy higher than ε>0\varepsilon>06 and less than ε>0\varepsilon>07 false positives, differentiate from expected process anomalies, and identify the origin of the falsified signals (Dahm et al., 17 Aug 2025).

Two limitations are stated directly. First, there can be some delay at the very onset of an FDI, when the replayed data still closely matches plant dynamics. Second, the rule-based component requires domain-specific rule tuning (Dahm et al., 17 Aug 2025). A plausible implication is that high-fidelity replay is most difficult to detect during the interval in which adversarially injected trajectories remain locally consistent with ongoing plant evolution.

6. Moving-target defenses and the role of secret time variation

The moving-target approach begins with the ordinary linear-Gaussian plant

ε>0\varepsilon>08

with ε>0\varepsilon>09 and X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,0. The controller uses the steady-state Kalman filter

X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,1

with gain X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,2, and applies the LQG law X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,3 to minimize the infinite-horizon cost

X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,4

To thwart an adversary who knows X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,5 and can read and modify all sensor and actuator channels, the defender augments the state with extraneous modes X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,6 whose dynamics are linear time-varying and secret. With stacked state X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,7, the augmented system is

X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,8

where

X~(t)X(t)>EH,\|\tilde X(t)-X(t)\|>E_H,9

and EHE_H0 are IID random matrices drawn each step from a distribution known only to the defender (Weerakkody et al., 2017).

New sensors measure the extraneous states through

EHE_H1

so the full measurement is

EHE_H2

with EHE_H3 IID random and secret (Weerakkody et al., 2017). The defender runs a Kalman filter on EHE_H4 and forms the one-step residual

EHE_H5

which under no attack is zero-mean Gaussian with covariance

EHE_H6

The detector is

EHE_H7

where EHE_H8 is chosen to achieve a desired false-alarm rate EHE_H9 (Weerakkody et al., 2017).

The paper then analyzes an almost omnipotent adversary who knows the original plant, the LQG gains, and the distribution of the secret matrices, but not their realizations. Two canonical strategies are considered: “Subtract-influence,” in which the attacker estimates the bias his own xi(t)x_i(t)00 would cause and injects a canceling term, and “Estimate-expected,” in which the attacker tries to track the defender’s one-step prediction and injects a signal to drive the residual toward zero (Weerakkody et al., 2017). Because the defender’s secrets change each step, the attacker faces a time-varying identification problem under noise. The paper invokes the Bayesian Cramér–Rao bound and gives a recursive formula for the Fisher information; it then proves that even the best-possible stealthy choice of attacked measurements yields a residual cost lower bounded by

xi(t)x_i(t)01

If this bound exceeds xi(t)x_i(t)02, the attack must be detected with high probability (Weerakkody et al., 2017).

The technical significance is direct: one can exploit non-stationarity defensively by embedding hidden, rapidly changing dynamics in extra sensors. This stands in contrast to the reactor setting, where one learns normal non-stationary evolution and detects deviations from it.

7. GNSS meaconing, authenticated replay, and broader implications

Lenhart et al. describe a non-stationary, distributed meaconing system with two logical nodes, ARX and ATX, connected by an IP network. ARX samples genuine Signal In Space signals, extracts navigation-level data, and forwards either raw I/Q in signal-level mode or decoded parameters and nav-bits in message-level mode to one or more ATX nodes; each ATX then re-generates RF waveforms and radiates them into the victim’s antenna environment (Lenhart et al., 2022). The implementation uses off-the-shelf hardware, including BladeRF 2.0 or LimeSDR USB, a u-blox LEA-6T reference receiver, a u-blox Zed-F9P victim receiver, GNU Radio, GNSS-SDR, LTE Cat-12 USB modem with OpenVPN, and GPS-SDR-SIM forked to accept live nav bits and auth bits (Lenhart et al., 2022).

The bandwidth contrast between replay modalities is sharp. Signal-level relay requires

xi(t)x_i(t)03

which is approximately xi(t)x_i(t)04 for xi(t)x_i(t)05, xi(t)x_i(t)06, and xi(t)x_i(t)07. Message-level relay uses

xi(t)x_i(t)08

so with xi(t)x_i(t)09, xi(t)x_i(t)10, while measured load peaked at approximately xi(t)x_i(t)11 to allow margin and multi-constellation (Lenhart et al., 2022). To sustain replay without underrun, the one-way IP delay xi(t)x_i(t)12 and jitter xi(t)x_i(t)13 must satisfy

xi(t)x_i(t)14

with xi(t)x_i(t)15 (Lenhart et al., 2022).

The paper emphasizes that OS-NMA still becomes public after a short prediction window, so message-level relay can preserve and forward exactly the authenticated bits, including the TESLA-style time-delayed MACs. ARX demodulates the frame, collects xi(t)x_i(t)16, forwards them with timestamp xi(t)x_i(t)17, and ATX re-injects them into GPS-SDR-SIM’s nav-frame builder so that the victim’s native OS-NMA verification logic passes unchanged (Lenhart et al., 2022). Selective signal delays xi(t)x_i(t)18 bias the PVT solution through the linearized pseudorange equations

xi(t)x_i(t)19

yielding perturbation

xi(t)x_i(t)20

By coordinating delays on several signals, the attacker can steer the victim along an arbitrary small-motion trajectory, or induce purely temporal offsets, depending on the chosen delay vector (Lenhart et al., 2022).

Experimentally, signal-level relay achieved victim take-over approximately xi(t)x_i(t)21 after start, with position-tracking error less than xi(t)x_i(t)22 RMS after steady state and velocity-tracking error less than xi(t)x_i(t)23 RMS; message-level relay typically achieved victim lock at xi(t)x_i(t)24, then followed the ARX path with xi(t)x_i(t)25–xi(t)x_i(t)26 RMS error and velocity error approximately xi(t)x_i(t)27, though occasional LTE dropouts caused transient xi(t)x_i(t)28–xi(t)x_i(t)29 jumps or brief re-acquisition delays (Lenhart et al., 2022). The countermeasure discussion points to Angle-of-Arrival and multi-antenna checks, time-consistency and PVT-RAIM, network-assisted cross-checks with inertial dead-reckoning, multiple internal PVT hypotheses, and challenge mechanisms over the data link (Lenhart et al., 2022).

Taken together, the reactor, control, and GNSS results indicate two broad defense patterns. One pattern is predictive monitoring with one-class training, adaptive residual aggregation, and explanation modules that separate falsified trajectories from expected process anomalies (Dahm et al., 17 Aug 2025). The other is deliberate introduction of hidden, time-varying structure so that replay becomes self-inconsistent (Weerakkody et al., 2017). GNSS shows that cryptographic authenticity alone is insufficient against replay and that physical-layer or hybrid checks are required (Lenhart et al., 2022). Future work identified in the reactor study includes attention-based architectures, ensemble forecasting, and broader FDI scenarios such as drift and scaling attacks (Dahm et al., 17 Aug 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Non-Stationary Concurrent Replay Attacks.