Multi-path switching protection for networked control systems under unbounded DoS attacks

Zhu Qiaohui, Liang Qipeng, Kang Yu, Zhao Yunbo,*

1. College of Information Engineering, Zhejiang University of Technology, Hangzhou 310000, China;2. School of Information Science and Technology, University of Science and Technology of China, Hefei 230027, China

Abstract: The strategy design and closed-loop stability of networked control systems under unbounded denial of service (DoS) attacks are probed. A multi-path switching protection strategy is firstly designed by noticing the usually available multiple paths in data communication networks. The strategy consists of a DoS attack detection module at the actuator side to identify DoS attacks from normal data packet dropouts, and a multi-path switching module at the sensor side to effectively switch the data transmission path when necessary. Then, the sufficient conditions for the closed-loop system being global mean square asymptotic stability are given, with a corresponding controller gain design method. Numerical examples illustrate the effectiveness of the proposed approach.

Keywords: networked control systems; unbounded DoS attack; DoS attack detection; multi-path switching

1 Introduction

Networked Control Systems (NCSs), whose data transmission channels are closed by some form of data communication networks such as the Internet, have witnessed its fast development and wide applications in recent years[1,2], due to its unique advantages including, e.g., the structural flexibility, the reduced overall cost, the easier implementation, etc[3,4]. These advantages are, however, not obtained at no cost; in fact, the unique characteristics introduced by the inserted data communication networks such as network-induced delay[5,6], data packet dropout[7-9], etc., have already been challenging control theorists and engineers in this field for decades. In recent years, besides these long-going challenges, the security issue has become one main focus[10-14], since the open and often shared data communication network in NCSs is so convenient for the attackers to intrude.

Among these network attacks, the Denial of Service (DoS) attack is the most often seen which can cause severe consequences to NCSs[15-21]. A DoS attack plays its role by sending massive requests to the target machine to exhaust all the network resources, thus failing the legitimate users. As the result of a DoS attack, the controller (actuator) in NCSs will be unable to receive data from the sensor (controller), and therefore the considered NCS will be forced to run in the open-loop, resulting in severe disasters[22-24].

In order to deal with the above challenge, considerable work has already been done, for periodic DoS attacks[25-27], random DoS attacks[28-33], on-off Dos attacks[34,35], and so forth. The considered models and approaches include queuing models[28], Bernoulli modeling[29-31]for DoS attacks, the Markov modeling of DoS attacks[32,33], the frequency and duration description of DoS attacks[35], the periodic event-triggered resilient control under DoS attacks[36], the design and analysis of multi-channel NCSs under DoS attacks[35,38], pulse control that maximizes the frequency and duration of the tolerable DoS attack[39], the design of adaptive-event-triggered filter under DoS attacks[40], just to name a few.

We observe that most existing works assume that the DoS attack is somewhat bounded, either in its frequency, or duration, or some other index. Such an assumption means that the data exchange in the NCSs is not completely shut down under DoS attacks and hence various control approaches can be proposed to stabilize the system in such a scenario. Though this bounded DoS attack assumption can be fair and sound in the community of communication networks, it may not be appropriate for NCSs. In fact, one can readily realize that an NCS can be permanently damaged as long as the system is left open-loop for a sufficiently long time. Therefore, to DoS attack an NCS, the attacker should either be strong enough to kill the NCS at one round by forcing it open-loop for a sufficiently long time, or otherwise be too unwise to start any attack at the first instance. For such an "unbounded" DoS attack, conventional approaches will not work since the data exchange has been completely shut down.

The above observation on the "unbounded" DoS attack motivates this present work. Unlike most existing works with the frequency and duration constraints of the DoS attack, here we assume no power boundary. This assumption basically means that any control strategy relying on the constraints of the DoS attacker will not work. To deal with this challenge, we seek for help from the intrinsic nature of large data communication networks, where there are often many independent paths from the data sender to the receiver. This "multi-path" privilege then justifies our strategy: whenever the current path is attacked, the NCS should move to another path as soon as possible to recover the data transmission. Following this philosophy, in this paper we propose a so-called "multi-path switching protection" strategy, which can effectively detect the occurring DoS attack, and then switch the data transmission path to close the NCS. Under this strategy, we provide the sufficient conditions for the global mean square asymptotic stability of the closed-loop system, and numerical examples will illustrate the effectiveness of the proposed approach.

The remainder of the paper is organized as follows. Section 2 formulates the problem of interest, and section 3 discusses the attack detection method and the multi-path switching protection strategy. Then, Section 4 gives the sufficient conditions to ensure the global mean square asymptotic stability of the system under the designed multi-path switching protection strategy, and the controller is designed on this basis. The effectiveness of the proposed approach is demonstrated through numerical simulation in Section 5, and the paper is concluded in Section 4.

2 Related works and problem formulation

Consider the system setup as shown in Figure 1, where the sensing data from the sensor the controller and the control data from the controller to the actuator are transmitted via the data communication network, and the plant is modeled as a linear discrete-time system as

Figure 1. Illustrating networked control systems under DoS attack, where multiple independent paths exist for both the sensor-to-controller and the controller-two-actuator channels.

x(k+1)=Ax(k)+Bu(k)

(1)

In our system setup in Figure 1, the data communication networks are assumed to have three features: ① Data transmissions are subject to unbounded DoS attacks; ② Data transmissions can be lossy in a stochastic nature; ③ For both the sensor-to-controller and the controller-to-actuator channels, multiple independent paths exist for data transmissions. These assumptions are further discussed in detail in what follows.

2.1 Unbounded DoS attacks

DoS attacks are common in data communication networks which are often exposed to the open space. In such type of attacks, the DoS attacker can simply generate massive useless data transmission requests to jam the channel. Since NCSs are essentially relying on data communication networks to transmit their sensing and control data, they are not free from such attacks, and extensive works have already been seen in recent years to deal with the resulting challenges for the system design and analysis.

One can immediately see that the core to the design and analysis of NCSs under DoS attacks is first to appropriately model DoS attacks within the NCS framework. In order to explain our DoS attack model clearly, we first discuss several classic models for comparison. We use Atand Aηto represent the duration and frequency of the DoS attack, and modify the original expression of each model to fit this unified frameworks, then the reader may readily compare the similarity and difference of these models.

The periodic DoS attack model[26]In such a model, the considered NCS is attacked at every time instantsnTperiodwithnbeing integers andTperiod>0 being the attack period, and the duration of each attack isTd,Td

At:Td

(2a)

(2b)

With the above periodic DoS attack model, the attack is deterministic and periodic, i.e., we can readily know that during [nTperiod,nTperiod+Td]) ?nthe considered NCS is being attacked while during [nTperiod+Td, (n+1)Tperiod), ?nit is not.

The random DoS attack model[31]This original model considers a discrete-time system. In such a model, once the attack is triggered, it will last exactly one sampling periodTsample(for continuous-time system the duration may be changed to some other value), and whether the considered NCS is attacked at each time instantk, is determined by a random variableσ(k) subject to the Bernoulli distribution, that is

At:Tsample

(3a)

Aη:σ(k)

(3b)

With the above random DoS attack model, the DoS attack is triggered with certain probability Pr{σ(k)}, but for each attack the duration is constant and fixed.

The frequency and duration limited model[34]In such a model, during the time interval (τ,t), both the attack duration At(τ,t) and the frequency Aη(τ,t) are upper bounded as

(4a)

(4b)

One may readily notice that all these above three classic DoS attack models assume some type of "boundedness" of either or both of the attack duration and frequency. These assumptions seem reasonable, since attacks are at least subject to power consumption, which is always limited. Hence attacks can never be without limit.

However, one may also notice that, to destroy any practical control system, the duration and frequency of the DoS attack (whose effect is to cut the information exchange channel), do not necessarily need to be infinite, for obviously, any practical control systems can only be left open-loop without being destabilized for a limited time. In this sense, any DoS attack should always be sufficiently “unbounded”for a considered control system, and conversely, any DoS attacker that is not sufficiently powerful enough, should not start the attack at all.

The above discussion means that a more practically meaningful assumption on DoS attacks is "unbounded" as follows, which basically fails most existing studies, and motives out present work

At: unbounded

(5a)

Aη: unbounded

(5b)

2.2 Lossy data transmission

Besides DoS attacks, normal data transmissions without DoS attacks can still be lossy. That is, for any data packets transmitted in the considered NCS, it can reach its destination only with certain probability. Since the data transmission in the sensor-to-controller and the controller-to-actuator channels are separate and independent, and for the control system what really matters is mainly the round-trip transmission, we may consider only the combined effects of the lossy transmission in both channels. For this reason, we simply assume that the sensing datax(k) can successfully reach the actuator (after being used at the controller side) with probabilityp. Define

(6)

then it is obvious that Pr{θk=1}=1-pand Pr{θk=0}=p.

2.3 Multiple independent paths

As mentioned earlier, both the sensor-to-controller and the controller-to-actuator channels can contain multiple feasible paths to transmit the data independently (e.g. the solid and dashed paths in Figure 1). This is true in most typical data communication networks, since in these communication networks, data links are essentially unreliable, and the redundancy in data links is a common method to improve the quality of data transmissions.

Figure 2. Illustrating the multi-path switching protection strategy for networked control systems subject to unbounded DoS attacks but with multiple independent paths.

As assumed in equation(5), a DoS attacker may attack the currently activated path of both the sensor-to-controller and the controller-to-actuator channels, and when such an attack happens, it is sufficiently powerful, i.e., within reasonably finite time, the control system can not recover its data transmission from the path under attack. However, with multiple independent paths of both the sensor-to-controller and the controller-to-actuator channels, it is now possible to switch the path from the currently under attack one to another free one. We may further assume that, for a path that is newly switched to, it is not that easy to be recognized and attacked, which then consequently means that with multiple independent paths the frequency of DoS attacks is naturally bounded, that is

At: unbounded

(7b)

(7b)

Hence, unlike the unbounded DoS attack assumption in equation(5) which basically means that no control strategy can be designed to stabilize the system, the existence of multiple independent paths makes the attack frequency Aηbounded, thus giving us the opportunity to design appropriate control strategies to stabilize the system.

Finally, our goal in this work is to design appropriate control strategies for the system in Figure 1, where the system plant is described as in equation(1), and the data transmissions in both the sensor-to-controller and the controller-to-actuator channels are subject to both lossy transmissions as described in equation(6) and DoS attacks as in equation(7). One may realize that the co-existence of DoS attacks and lossy transmissions are the key challenge to deal with, since the existence of the normal data loss makes DoS attacks not easily identifiable, and consequently, no path switching rule can be directly implemented. In the section that follows, we will propose a DoS attack detection method, with which a path switching rule can then be defined.

3 Design of the multi-path switching protection strategy

For the NCS that suffers from unbounded DoS attacks and has multiple independent paths, we propose a multi-path switching protection strategy with two modules. The DoS attack detection module is designed in the actuator to identify whether the DoS attack is currently in progress, by comparing the difference between the random packet dropouts and the packet dropouts caused by the DoS attack. The multi-path switching module is designed on the sensor to switch paths when a DoS attack is detected. In what follows we will detail the design of the two modules and finally give the overall algorithm.

3.1 Design of the DoS attack detection module

To detect whether a DoS attack is ongoing is the first step to design the path switching rule. This however is not easy. The main challenge here is that the packet dropout itself can not be simply used as an indicator for the DoS attack, since the lossy data transmission can also cause data packet dropout.

To deal with this challenge, one may notice that packet dropouts caused by the normal lossy channel and DoS attacks should have different features. As assumed in equation(6), the former should behave probabilistically, i.e., a data packet may drop or not with certain probability, while the latter should be persistent once it occurs.

Bear this in mind, the logic to detect DoS attacks is then clear: it should be regarded as a DoS attack at timekif the recorded consecutive data packet dropouts at the actuator side, denoted byNd(k) are beyond certain threshold, denoted byNd, or otherwise it should be regarded as normal dropouts. For example, with packet dropouts ratep= 0.1, the occurrence of a consecutive 5 packet loss might be regarded as a DoS attack, since the probability of causing such a consecutive 5 packet loss is as low as 0.00001 should it be only credited to random packet loss, and we have good reasons to think that an event with a low probability of 0.00001 should not easily happen in the real world.

Then, it becomes clear that for the design of the DoS attack detection module the key is first to calculate the consecutive data packet dropoutsNd(k) and then determine the thresholdNd.

The determination ofNd(k) can be easily done by the DoS attack detection module. We may simply run a counter within this module, which updates its value at every time instantk, either being initiated by 0 if the control signal calculated at timek, denoted byuc(k) is received, or added by 1 if otherwise. That is

(8)

The determination of the thresholdNdcan be tricky. It is readily understood thatNdbeing too large will mean that ongoing DoS attack is not detected whileNdbeing too small will mean that normal data packet dropout is detected as DoS attacks. In order to balance between these two types of errors, we introduceαreflecting the detection sensitivity and define the thresholdNdas

Nd=logpα

(9)

With equations(8) and (9), the DoS attack detection module can finally be designed as

(10)

where the indicatorσd(k) indicates whether a DoS attack occurs at timek.

With equations(8), (9) and (10), the working logic of the DoS attack detection module can be interpreted as follows. At every time instantk, this module updates its counterNd(k) and compare it with the thresholdNd, and claims the occurrence of a DoS attack wheneverNd(k)>Nd. Notice that whenever the module makes such a claim, the actual consecutive data packet dropout is larger thanNd, and if conversely, no DoS attack is ongoing while these data packet dropouts are contributed by normal data loss, the probability of having larger thanNdconsecutive dropouts is less thanpNd=α. Hence,αas the tunable parameter, can be used to control the balance of the aforementioned two types of errors: the largerαis, the more actual DoS attacks can be recognized, and the more normal data loss will be falsely recognized as DoS attacks. In practice, the value ofαshould be carefully chosen by considering both the system cost and performance.

3.2 Design of the multi-path switching module

With Subsection 3.1, the DoS attack detection module can effectively detect whether a DoS attack is ongoing. Once such an attack is detected, the current path (the solid one in Figure 2) which can not be recovered in a short time should be switched to a new available path (the dashed one in Figure 2), thanks to the multiple available paths for NCSs.

Figure 3. The considered system is unstable under unbounded DoS attack, if the proposed multi-path switching protection strategy is not in use.

Figure 4. The considered system is stable under the unbounded DoS attack, if the proposed multi-path switching protection strategy is in use.

One may intuitively think that the switching rule can be simply designed as "switching the path whenever a DoS attack is detected, i.e.,σd(k) isTRUE". As the newly switched path is hardly found by the DoS attackers and hence can maintain service for some time, such a switching rule can then effectively deal with DoS attacks.

The above approach is sound should only the effects of DoS attacks be of interest. However, we notice that even without DoS attacks, the normal data loss can also produce consecutive data packet dropouts, which may destabilize the system in severe conditions. Therefore, we may take advantage of the switching module that will be designed anyway for DoS attacks to further overcome the negative effects of the normal data loss.

With the above considerations, our multi-path switching module can then be designed as

(11)

where the indicator functionσP(k) indicates whether the current path at timekshould be switched, and the actual switching boundNis defined as

N=min{Nd,Nc}

(12)

whereNcis the maximum number of consecutive data packet dropouts under which the considered NCS can still maintain its required performance, the determination of which will be further detailed in subsection 4.2.

With equations(11) and (12), the working logic of the multi-path switching rule can then be interpreted as follows. At every time instantk, this module obtains the current number of consecutive data packet dropoutsNd(k), compares it with the actual switching boundN, and finally decides whether to switch the path according to equation(11).

3.3 The multi-path switching protection algorithm

In our system design, the controller simply generates the control signal based on its latest available sensing data and sends it to the actuator. The actuator then selects its latest available control signal to apply it to the plant. Hence, the control signal actually applied can be determined as

(13)

The overall algorithm of the multi-path switching protection strategy for NCSs with unbounded DoS attacks and multiple independent paths, can then be organized as in Algorithm 3.1.

Algorithmic 3.1 Multi-path switching protection algorithm

1InitializationGiven the plant model in equation(1), data loss probabilityp, and the design parametersα. Calculate the thresholdNdby equation(9), determine the allowed maximum number of consecutive data packet dropoutNcby equation(40), and calculate the actual thresholdNby equation(12).

2SamplingAt timek, the sensor samples the plant and sends the samplex(k) to the controller.

3ControllerThe controller generates the control law and sends the control signal to the actuator.

4ExecutionandSwitchingConditionThe actuator applies the available control signal as in equation(13) to the plant, and its DoS attack detection module calculates the consecutive data packet dropoutNd(k) by equation(8) and sends it to the sensor.

5SwitchingThe sensor decides whether to switch the path according to equation(11).

4 Stability analysis and controller design

This section first obtains the closed-loop system under the multi-path switching protection strategy proposed in Section 3, then analyzes the closed-loop system stability, and finally proposes a design method for the controller gainK.

The following concept of global mean square asymptotic stability is needed.

Definition 4.1[41]The system in equation(1) is said to be globally mean-square asymptotically stable (GMSAS), if for any given initial statex(0)∈Rn, it holds that

4.1 Closed-loop system under state feedback control

We consider a simple state feedback controller for equation(13), but we should bear in mind that any control law can be applied to equation(13) provided it can ensure the desired system performance.

For state feedback control, the general form of the control signals in equation(13) can be specified as

uc(k)=Kx(k)

(14a)

(14b)

where the control gainKis to be designed.

z(k+1)=Φθkz(k)

(15)

where

(16)

(17)

Similarly, the closed-loop system under DoS attack can be written as

z(k+1)=Φ0z(k)

(18)

With equation(15) and (18), the closed-loop system can be written as

(19)

4.2 Closed-loop stability

Theorem 4.1Givenξ,p, 0<γ<1,β>1, the closed-loop system in equation(19) is GMSAS, if

(20a)

whereξ=supAηis the upper bound of the attack frequency,

(20b)

(20c)

andP0,P1,P2are symmetric positive definite matrices that satisfy the following inequalities,

(20d)

(20c)

(20f)

ProofWe consider two subsystems, being DoS attacked or not, denoted byΣ1andΣ2, respectively.

Consider subsystemΣ1. Choose the following Lyapunov function candidate

V1(k)=zT(k)Pθkz(k)

(21)

Along the trajectory of the closed-loop system in equation(19), we obtain that

E(V1(k+1)|z(k),θk)-γV1(k)=

E(zT(k+1)Pθ (k+1)z(k+1)|z(k),θk)-

γzT(k)Pθkz(k)=

(22)

Combining equations(20d) and (20e), from equation(22) we obtain

E(V1(k+1)|z(k),θk)-γV1(k)<0

(23)

Therefore, recursion can be obtained in subsystemΣ1, as

E(V1(k)|z(ti),θ(ti))<γk-tiV1(ti)

(24)

wheretiis the moment when the path is switched for theith time, andt0=0.

For anykin the subsystemΣ1, it holds that

E{‖z(k)‖2}

(25)

Now consider subsystemΣ2. Choose the following Lyapunov function candidate

V2(k)=zT(k)P2z(k)

(26)

Along the closed-loop system in equation(19), we obtain

E(V2(k+1)|z(k))-βV2(k)=

(27)

Combining (20f), from (27) we obtain

E(V2(k+1)|z(k))-βV2(k)<0

(28)

Therefore, recursion can be obtained in subsystemΣ2, as

(29)

For anykin the subsystemΣ2, it holds that

(30)

In what follows we prove that

‖z(ti+1)‖<‖z(ti)‖

(31)

In fact, by combining equations(20a), (25), (30), one obtains that

E{‖z(ti+1)‖2}<

c2βNc1γT-NE{‖z(ti)‖2}<

[c2βNc1γT-N]i+1‖z(t0)‖2

(32)

With equation(32), we can rewrite equation(25) as

E{‖z(k)‖2}

(33)

Using equation(20), it yields that

c2βNc1γT-N<1

(34)

Thus,

(35)

SinceE{‖z(k)‖2}>0, by combining equations(33), (35), one obtains that

(36)

Analogously, with equation(32), we can rewrite equation(30) as

[c2βNc1γT-N]i‖z(t0)‖2

(37)

Due to equation(34), it yields that

(38)

SinceE{‖z(k)‖2}>0, by combining equations(37), (38), one obtains that

(39)

Finally by Definition 4.1, the closed-loop system in equation(19) is GMSAS.

From Theorem 4.1, we may determineNcas follows to ensure the system stability,

(40)

Remark 4.1One may notice that earlier works[34,35]often assume the constraints on both the DoS attack frequency and duration to ensure the system performance, while in our present work, only attack frequency Aηis constrained. What is more, unlike these earlier works where these constraints are arbitrarily assumed, our constraint on the attack frequency makes sense in practice. Indeed, the attack frequency relies on the path switch and it is reasonable to say that for a newly switched path the attacker must take some time to find it to initiate the attack.

Additionally, according to equations(7) and (34), it can be further obtained that the GMSAS of the system can be ensured as long as the DoS attack frequency is upper bounded as

(41)

4.3 Controller design

Based on Theorem 4.1, we give the following feedback gain design method.

Theorem 4.2Givenξ,p, 0<γ<1,β>1. If (20a) can be ensured withc1,c2being defined in Theorem 4.1, andP0,P1,P2being the solution of the following inequalities.

(42)

(43)

(44)

then the control gainKas solved in equations(42), (43) and (44) ensures the GMSAS of the closed loop system in equation(19).

ProofUsing Shure’s complement lemma, equations (20d), (20e), (20f) can be transformed into equations (42), (43), (44), and thence the theorem can be readily obtained.

Equations (42), (43), (44) are nonlinear matrix inequalities, which cannot be solved directly using the LMI toolbox. Cone Complementary Linearization Iteration (CCL) algorithm[42]can be used to obtain an approximated solution by converting it into its linear counterpart.

5 Numerical example

Consider the system in equation(1) with an added disturbance termw(k), as follows

x(k+ 1)=Ax(k)+Bu(k)+w(k).

In the simulation,w(k) is assumed to be Gauss white noise with its variance being 0.01, and the system matrices are taken from reference [43], as

which can be readily seen to be open-loop unstable, with their eigenvalues being 0.7788, 0.6065 and 1.2840, respectively.

In the simulation, the initial state of the considered system is set asx(0)=[1 1 1]T, and the normal data loss probability isp=0.3. We simulate the system for 200 time steps, and the unbounded DoS attacks occur arbitrarily, attacking the current path in use, with the upper bound of the attack frequencyξ=0.02.

From Theorem 4.2 and equation(40), we may obtainNc=13.8460, andNd=9.5624 can be determined forα=10-5. HenceN=Nd. Further, using Theorem 4.2, the controller gainKcan be calculated as follows (withγ=0.8,β=1.1)

K=[0.1490,0.0334,-0.7513].

Figures 3 and 4 show the system state trajectories of two cases, either without or with the use of the proposed multi-path switching protection strategy, where DoS attacks occur at time instants 56, 118, and 179, respectively. It is readily seen from Figure 3 that without the use of our proposed strategy, the system states will become unbounded soon after the first DoS attack at time instant 56, which is understandable since the occurrence of the DoS attack means the system has to run in the open-loop afterwards. However, with the use of our proposed strategy, we see from Figure 4 that the system trajectory can soon recover from the instability trend caused by the consecutive data packet dropout due to the DoS attack, since the path switching strategy can close the control loop after a finite number of consecutive data packet dropouts.

Figure 5. The state trajectory under the packet-based state feedback controller under the unbounded DoS[21].

Figure 6. The multi-path switching protection strategy can effectively identify unbounded DoS attacks, and does not mistake them for normal data packet dropouts.

In order to further prove the effectiveness of our proposed multi-path switching protection strategy, we compare our strategy with the packet-based state feedback controller under DoS attacks as proposed in reference[21]. Under the above system parameters, Figure 5 shows that the method in reference[21] actually destabilizes the system.

In Figure 6 we further show the time instants of normal data packet dropout (the vertical green lines), the dropouts caused by DoS attacks (the vertical blue lines), and the time instant of path switching (the red circle), under the use of the multi-path switching protection strategy. From Figure 6 we see that our multi-path switching protection strategy can effectively identify unbounded DoS attacks and seldom mistake DoS attacks from normal data packet dropouts.

Figure 7. The considered system is stable for α=5×10-4.

Figure 8. DoS attack, packet dropout and path switching signal when N=6.3132.

In order to further evaluate the effects ofα, we letα=5×10-4and rerun the simulation. In this case,Nd=6.3132, andN=Nd. The controller gainKremains unchanged. The system trajectories are shown in Figure 7, and the time instants of normal data packet dropouts, the unbounded DoS attacks (54, 113, and 175 respectively) and the path switching are shown in Figure 8.

By comparing Figure 4 with Figure 7, it can be seen, without surprise, that the largerαis, the smallerNcis, the faster DoS attack is identified, and finally the better the system performance can be. On the other hand, it is also not surprising to see that a largerαcan mean more normal data packet dropouts being mistakenly identified as DoS attacks. In fact, from the 100 repeated experiments for both cases (α=10-5andα=5×10-4respectively), we find that the false identification ratio (the number of all mistakenly identified switching divided by the total number of path switching in the 100 experiments) increases from 0.33% to 1.58%, but both are relatively small and acceptable.

6 Conclusion

Different from most existing works where the DoS attacks are usually assumed to be bounded in some sense, in the present work we claim that unbounded DoS attacks may be more often seen for networked control systems. Based on this observation, we formulate the corresponding problem, with a novel control strategy specially designed for unbounded DoS attacks, as well as the closed-loop stability analysis and numerical verifications. We believe that our work can be practically meaningful, and will further improve the design in the face of various complicated scenarios.