SY Oct 6, 2017
Constraining Attacker Capabilities Through Actuator Saturation
Sahand Hadizadeh Kafash, Jairo Giraldo, Carlos Murguia et al.
For LTI control systems, we provide mathematical tools - in terms of Linear Matrix Inequalities - for computing outer ellipsoidal bounds on the reachable sets that attacks can induce in the system when they are subject to the physical limits of the actuators. Next, for a given set of dangerous states, states that (if reached) compromise the integrity or safe operation of the system, we provide tools for designing new artificial limits on the actuators (smaller than their physical bounds) such that the new ellipsoidal bounds (and thus the new reachable sets) are as large as possible (in terms of volume) while guaranteeing that the dangerous states are not reachable. This guarantees that the new bounds cut as little as possible from the original reachable set to minimize the loss of system performance. Computer simulations using a platoon of vehicles are presented to illustrate the performance of our tools.
SY Jun 3, 2019
Security Metrics of Networked Control Systems under Sensor Attacks (extended preprint)
Carlos Murguia, Iman Shames, Justin Ruths et al.
As more attention is paid to security in the context of control systems and as attacks occur to real control systems throughout the world, it has become clear that some of the most nefarious attacks are those that evade detection. The term stealthy has come to encompass a variety of techniques that attackers can employ to avoid being detected. In this manuscript, for a class of perturbed linear time-invariant systems, we propose two security metrics to quantify the potential impact that stealthy attacks could have on the system dynamics by tampering with sensor measurements. We provide analysis mathematical tools (in terms of linear matrix inequalities) to quantify these metrics for given system dynamics, control structure, system monitor, and set of sensors being attacked. Then, we provide synthesis tools (in terms of semidefinite programs) to redesign controllers and monitors such that the impact of stealthy attacks is minimized and the required attack-free system performance is guaranteed.
SY Jul 16, 2019
Information-Theoretic Privacy through Chaos Synchronization and Optimal Additive Noise
Carlos Murguia, Iman Shames, Farhad Farokhi et al.
We study the problem of maximizing privacy of data sets by adding random vectors generated via synchronized chaotic oscillators. In particular, we consider the setup where information about data sets, queries, is sent through public (unsecured) communication channels to a remote station. To hide private features (specific entries) within the data set, we corrupt the response to queries by adding random vectors. We send the distorted query (the sum of the requested query and the random vector) through the public channel. The distribution of the additive random vector is designed to minimize the mutual information (our privacy metric) between private entries of the data set and the distorted query. We cast the synthesis of this distribution as a convex program in the probabilities of the additive random vector. Once we have the optimal distribution, we propose an algorithm to generate pseudo-random realizations from this distribution using trajectories of a chaotic oscillator. At the other end of the channel, we have a second chaotic oscillator, which we use to generate realizations from the same distribution. Note that if we obtain the same realizations on both sides of the channel, we can simply subtract the realization from the distorted query to recover the requested query. To generate equal realizations, we need the two chaotic oscillators to be synchronized, i.e., we need them to generate exactly the same trajectories on both sides of the channel synchronously in time. We force the two chaotic oscillators into exponential synchronization using a driving signal. Simulations are presented to illustrate our results.
SY Nov 26, 2018
An Unknown Input Multi-Observer Approach for Estimation, Attack Isolation, and Control of LTI Systems under Actuator Attacks
Tianci Yang, Carlos Murguia, Margreta Kuijper et al.
We address the problem of state estimation, attack isolation, and control for discrete-time Linear Time Invariant (LTI) systems under (potentially unbounded) actuator false data injection attacks. Using a bank of Unknown Input Observers (UIOs), each observer leading to an exponentially stable estimation error in the attack-free case, we propose an estimator that provides exponential estimates of the system state and the attack signals when a sufficiently small number of actuators are attacked. We use these estimates to control the system and isolate actuator attacks. Simulation results are presented to illustrate the performance of the results.
LG Apr 5, 2022
Privacy-Preserving Federated Learning via System Immersion and Random Matrix Encryption
Haleh Hayati, Carlos Murguia, Nathan van de Wouw
Federated learning (FL) has emerged as a privacy solution for collaborative distributed learning where clients train AI models directly on their devices instead of sharing their data with a centralized (potentially adversarial) server. Although FL preserves local data privacy to some extent, it has been shown that information about clients' data can still be inferred from model updates. In recent years, various privacy-preserving schemes have been developed to address this privacy leakage. However, they often provide privacy at the expense of model performance or system efficiency, and balancing these tradeoffs is a crucial challenge when implementing FL schemes. In this manuscript, we propose a Privacy-Preserving Federated Learning (PPFL) framework built on the synergy of matrix encryption and system immersion tools from control theory. The idea is to immerse the learning algorithm, a Stochastic Gradient Descent (SGD), into a higher-dimensional system (the so-called target system) and design the dynamics of the target system so that: the trajectories of the original SGD are immersed/embedded in its trajectories, and it learns on encrypted data (here we use random matrix encryption). Matrix encryption is reformulated at the server as a random change of coordinates that maps original parameters to a higher-dimensional parameter space and enforces that the target SGD converges to an encrypted version of the original SGD optimal solution. The server decrypts the aggregated model using the left inverse of the immersion map. We show that our algorithm provides the same level of accuracy and convergence rate as the standard FL with a negligible computation cost while revealing no information about the clients' data.
SY Oct 6, 2017
Tuning Windowed Chi-Squared Detectors for Sensor Attacks
Tunga R, Carlos Murguia, Justin Ruths
A model-based windowed chi-squared procedure is proposed for identifying falsified sensor measurements. We employ the widely-used static chi-squared and the dynamic cumulative sum (CUSUM) fault/attack detection procedures as benchmarks to compare the performance of the windowed chi-squared detector. In particular, we characterize the state degradation that a class of attacks can induce to the system while enforcing that the detectors do not raise alarms (zero-alarm attacks). We quantify the advantage of using dynamic detectors (windowed chi-squared and CUSUM detectors), which leverage the history of the state, over a static detector (chi-squared) which uses a single measurement at a time. Simulations using a chemical reactor are presented to illustrate the performance of our tools.
SY Oct 6, 2017
A Comparison of Stealthy Sensor Attacks on Control Systems
Navid Hashemi, Carlos Murguia, Justin Ruths
As more attention is paid to security in the context of control systems and as attacks occur to real control systems throughout the world, it has become clear that some of the most nefarious attacks are those that evade detection. The term stealthy has come to encompass a variety of techniques that attackers can employ to avoid detection. Here we show how the states of the system (in particular, the reachable set corresponding to the attack) can be manipulated under two important types of stealthy attacks. We employ the chi-squared fault detection method and demonstrate how this imposes a constraint on the attack sequence either to generate no alarms (zero-alarm attack) or to generate alarms at a rate indistinguishable from normal operation (hidden attack).
SY Oct 19, 2017
On Reachable Sets of Hidden CPS Sensor Attacks
Carlos Murguia, Justin Ruths
For given system dynamics, observer structure, and observer-based fault/attack detection procedure, we provide mathematical tools -- in terms of Linear Matrix Inequalities (LMIs) -- for computing outer ellipsoidal bounds on the set of estimation errors that attacks can induce while maintaining the alarm rate of the detector equal to its attack-free false alarm rate. We refer to these sets as hidden reachable sets. The obtained ellipsoidal bounds on hidden reachable sets quantify the attacker's potential impact when it is constrained to stay hidden from the detector. We provide tools for minimizing the volume of these ellipsoidal bounds (minimizing thus the reachable sets) by redesigning the observer gains. Simulation results are presented to illustrate the performance of our tools.
SY Oct 31, 2017
Synchronization in Networks of Diffusively Coupled Nonlinear Systems: Robustness Against Time-Delays
Carlos Murguia, Henk Nijmeijer, Justin Ruths
In this manuscript, we study the problem of robust synchronization in networks of diffusively time-delayed coupled nonlinear systems. In particular, we prove that, under some mild conditions on the input-output dynamics of the systems and the network topology, there always exists a unimodal region in the parameter space (coupling strength versus time-delay), such that if they belong to this region, the systems synchronize. Moreover, we show how this unimodal region scales with the network topology, which, in turn, provides useful insights on how to design the network topology to maximize robustness against time-delays. The results are illustrated by extensive simulation experiments of time-delayed coupled Hindmarsh-Rose neural chaotic oscillators.
CR Sep 25, 2024
Immersion and Invariance-based Coding for Privacy-Preserving Federated Learning
Haleh Hayati, Carlos Murguia, Nathan van de Wouw
Federated learning (FL) has emerged as a method to preserve privacy in collaborative distributed learning. In FL, clients train AI models directly on their devices rather than sharing data with a centralized server, which can pose privacy risks. However, it has been shown that despite FL's partial protection of local data privacy, information about clients' data can still be inferred from shared model updates during training. In recent years, several privacy-preserving approaches have been developed to mitigate this privacy leakage in FL, though they often provide privacy at the cost of model performance or system efficiency. Balancing these trade-offs presents a significant challenge in implementing FL schemes. In this manuscript, we introduce a privacy-preserving FL framework that combines differential privacy and system immersion tools from control theory. The core idea is to treat the optimization algorithms used in standard FL schemes (e.g., gradient-based algorithms) as a dynamical system that we seek to immerse into a higher-dimensional system (referred to as the target optimization algorithm). The target algorithm's dynamics are designed such that, first, the model parameters of the original algorithm are immersed in its parameters; second, it operates on distorted parameters; and third, it converges to an encoded version of the true model parameters from the original algorithm. These encoded parameters can then be decoded at the server to retrieve the original model parameters. We demonstrate that the proposed privacy-preserving scheme can be tailored to offer any desired level of differential privacy for both local and global model parameters, while maintaining the same accuracy and convergence rate as standard FL algorithms.
SY Oct 12, 2017
Characterization of Model-Based Detectors for CPS Sensor Faults/Attacks
Carlos Murguia, Justin Ruths
A vector-valued model-based cumulative sum (CUSUM) procedure is proposed for identifying faulty/falsified sensor measurements. First, given the system dynamics, we derive tools for tuning the CUSUM procedure in the fault/attack free case to fulfill a desired detection performance (in terms of false alarm rate). We use the widely-used chi-squared fault/attack detection procedure as a benchmark to compare the performance of the CUSUM. In particular, we characterize the state degradation that a class of attacks can induce to the system while enforcing that the detectors (CUSUM and chi-squared) do not raise alarms. In doing so, we find the upper bound of state degradation that is possible by an undetected attacker. We quantify the advantage of using a dynamic detector (CUSUM), which leverages the history of the state, over a static detector (chi-squared) which uses a single measurement at a time. Simulations of a chemical reactor with heat exchanger are presented to illustrate the performance of our tools.
CR Aug 3, 2021
Finite Horizon Privacy of Stochastic Dynamical Systems: A Synthesis Framework for Dependent Gaussian Mechanisms
Haleh Hayati, Carlos Murguia, Nathan van de Wouw
We address the problem of synthesizing distorting mechanisms that maximize privacy of stochastic dynamical systems. Information about the system state is obtained through sensor measurements. This data is transmitted to a remote station through an unsecured/public communication network. We aim to keep part of the system state private (a private output); however, because the network is unsecured, adversaries might access sensor data and input signals, which can be used to estimate private outputs. To prevent an accurate estimation, we pass sensor data and input signals through a distorting (privacy-preserving) mechanism before transmission, and send the distorted data to the trusted user. These mechanisms consist of a coordinate transformation and additive dependent Gaussian vectors. We formulate the synthesis of the distorting mechanisms as a convex program, where we minimize the mutual information (our privacy metric) between an arbitrarily large sequence of private outputs and the disclosed distorted data for desired distortion levels -- how different actual and distorted data are allowed to be.
SY Apr 6, 2019
A Multi-Observer Based Estimation Framework for Nonlinear Systems under Sensor Attacks
Tianci Yang, Carlos Murguia, Margreta Kuijper et al.
We address the problem of state estimation and attack isolation for general discrete-time nonlinear systems when sensors are corrupted by (potentially unbounded) attack signals. For a large class of nonlinear plants and observers, we provide a general estimation scheme, built around the idea of sensor redundancy and multi-observer, capable of reconstructing the system state in spite of sensor attacks and noise. This scheme has been proposed by others for linear systems/observers and here we propose a unifying framework for a much larger class of nonlinear systems/observers. Using the proposed estimator, we provide an isolation algorithm to pinpoint attacks on sensors during sliding time windows. Simulation results are presented to illustrate the performance of our tools.
SY Apr 6, 2019
An Unknown Input Multi-Observer Approach for Estimation and Control under Adversarial Attacks
Tianci Yang, Carlos Murguia, Margreta Kuijper et al.
We address the problem of state estimation, attack isolation, and control of discrete-time linear time-invariant systems under (potentially unbounded) actuator and sensor false data injection attacks. Using a bank of unknown input observers, each observer leading to an exponentially stable estimation error (in the attack-free case), we propose an observer-based estimator that provides exponential estimates of the system state in spite of actuator and sensor attacks. Exploiting sensor and actuator redundancy, the estimation scheme is guaranteed to work if a sufficiently small subset of sensors and actuators are under attack. Using the proposed estimator, we provide tools for reconstructing and isolating actuator and sensor attacks; and a control scheme capable of stabilizing the closed-loop dynamics by switching off isolated actuators. Simulation results are presented to illustrate the performance of our tools.
OC Dec 11, 2018
Secure and Private Implementation of Dynamic Controllers Using Semi-Homomorphic Encryption
Carlos Murguia, Farhad Farokhi, Iman Shames
This paper presents a secure and private implementation of linear time-invariant dynamic controllers using Paillier's encryption, a semi-homomorphic encryption method. To avoid overflow or underflow within the encryption domain, the state of the controller is reset periodically. A control design approach is presented to ensure stability and optimize performance of the closed-loop system with encrypted controller.
SP Sep 19, 2018
A Robust Circle-criterion Observer-based Estimator for Discrete-time Nonlinear Systems in the Presence of Sensor Attacks and Measurement Noise
Tianci Yang, Carlos Murguia, Margreta Kuijper et al.
We address the problem of robust state estimation of a class of discrete-time nonlinear systems with positive-slope nonlinearities when the sensors are corrupted by (potentially unbounded) attack signals and bounded measurement noise. We propose an observer-based estimator, using a bank of circle-criterion observers, which provides a robust estimate of the system state in spite of sensor attacks and measurement noise. We first consider the attack-free case where there is measurement noise and we provide a design method for a robust circle-criterion observer. Then, we consider the case when a sufficiently small subset of sensors are subject to attacks and all sensors are affected by measurement noise. We use our robust circle-criterion observer as the main ingredient in building an estimator that provides robust state estimation in this case. Finally, we propose an algorithm for isolating attacked sensors in the case of bounded measurement noise. We test this algorithm through simulations.
SY Jun 18, 2018
A Multi-Observer Approach for Attack Detection and Isolation of Discrete-Time Nonlinear Systems
Tianci Yang, Carlos Murguia, Margreta Kuijper et al.
We address the problem of attack detection and isolation for a class of discrete-time nonlinear systems under (potentially unbounded) sensor attacks and measurement noise. We consider the case when a subset of sensors is subject to additive false data injection attacks. Using a bank of observers, each observer leading to an Input-to-State Stable (ISS) estimation error, we propose two algorithms for detecting and isolating sensor attacks. These algorithms make use of the ISS property of the observers to check whether the trajectories of observers are 'consistent' with the attack-free trajectories of the system. Simulation results are presented to illustrate the performance of the proposed algorithms.
SY Sep 10, 2018
On Privacy of Quantized Sensor Measurements through Additive Noise
Carlos Murguia, Iman Shames, Farhad Farokhi et al.
We study the problem of maximizing privacy of quantized sensor measurements by adding random variables. In particular, we consider the setting where information about the state of a process is obtained using noisy sensor measurements. This information is quantized and sent to a remote station through an unsecured communication network. It is desired to keep the state of the process private; however, because the network is not secure, adversaries might have access to sensor information, which could be used to estimate the process state. To avoid an accurate state estimation, we add random numbers to the quantized sensor measurements and send the sum to the remote station instead. The distribution of these random variables is designed to minimize the mutual information between the sum and the quantized sensor measurements for a desired level of distortion -- how different the sum and the quantized sensor measurements are allowed to be. Simulations are presented to illustrate our results.
MF Apr 25, 2017
Learning Agents in Black-Scholes Financial Markets: Consensus Dynamics and Volatility Smiles
Tushar Vaidya, Carlos Murguia, Georgios Piliouras
Black-Scholes (BS) is the standard mathematical model for option pricing in financial markets. Option prices are calculated using an analytical formula whose main inputs are strike (at which price to exercise) and volatility. The BS framework assumes that volatility remains constant across all strikes; however, in practice it varies. How do traders come to learn these parameters? We introduce natural models of learning agents, in which they update their beliefs about the true implied volatility based on the opinions of other traders. We prove convergence of these opinion dynamics using techniques from control theory and leader-follower models, thus providing a resolution between theory and market practices. We allow for two different models, one with feedback and one with an unknown leader.