• <tr id="yyy80"></tr>
  • <sup id="yyy80"></sup>
  • <tfoot id="yyy80"><noscript id="yyy80"></noscript></tfoot>
  • 99热精品在线国产_美女午夜性视频免费_国产精品国产高清国产av_av欧美777_自拍偷自拍亚洲精品老妇_亚洲熟女精品中文字幕_www日本黄色视频网_国产精品野战在线观看 ?

    Cybersecurity Landscape on Remote State Estimation: A Comprehensive Review

    2024-04-15 09:36:34JingZhouJunShangandTongwenChen
    IEEE/CAA Journal of Automatica Sinica 2024年4期

    Jing Zhou,,, Jun Shang,,, and Tongwen Chen,,

    Abstract—Cyber-physical systems (CPSs) have emerged as an essential area of research in the last decade, providing a new paradigm for the integration of computational and physical units in modern control systems.Remote state estimation (RSE) is an indispensable functional module of CPSs.Recently, it has been demonstrated that malicious agents can manipulate data packets transmitted through unreliable channels of RSE, leading to severe estimation performance degradation.This paper aims to present an overview of recent advances in cyber-attacks and defensive countermeasures, with a specific focus on integrity attacks against RSE.Firstly, two representative frameworks for the synthesis of optimal deception attacks with various performance metrics and stealthiness constraints are discussed, which provide a deeper insight into the vulnerabilities of RSE.Secondly, a detailed review of typical attack detection and resilient estimation algorithms is included, illustrating the latest defensive measures safeguarding RSE from adversaries.Thirdly, some prevalent attacks impairing the confidentiality and data availability of RSE are examined from both attackers’ and defenders’ perspectives.Finally, several challenges and open problems are presented to inspire further exploration and future research in this field.

    I.INTRODUCTION

    THE last decade has witnessed rapid progress in the development of cyber-physical systems (CPSs), which are tight integrations of computational, networking, and physical components.CPSs provide a general modeling framework that covers various industrial processes and critical infrastructures,e.g., power grids [1], water distribution networks [2], intelligent transportation systems [3], smart medical devices [4], and industrial control systems [5].The safe and efficient operation of CPSs depends significantly on the reliable transmission of data packets, which could be manipulated craftily by malicious agents particularly if wireless networks are deployed.Stuxnetis one such well-known cyber-worm that caused great damage to nuclear facilities in Iran by injecting falsified control commands [5].In 2015, a synchronized and coordinated cyber-attack compromised three Ukrainian regional electric distribution companies, resulting in power outages affecting approximately 225 000 customers for several hours [6].A recent cyber-attack that crippled the largest fuel pipeline in the U.S.and led to energy shortages across the east coast was another prominent example [7].These realworld incidents evidently indicate the necessity and urgency to explore the inherent vulnerabilities of CPSs and develop defensive countermeasures against cyber-attacks.

    The security of CPSs can be conceptualized as comprising three primary facets in Fig.1: integrity, availability, and confidentiality.Correspondingly, the cyber-threats that undermine these attributes are respectively termed as false-data injection(FDI), denial-of-service (DoS), and eavesdropping attacks[8]–[10].Among these, FDI and DoS attacks have constituted the predominant share of real-world incidents and have been the central focus of academic research in CPS security for the past decade.In DoS attacks, adversaries disseminate noisy packets to obstruct communication channels among data terminals, thereby rendering valuable information inaccessible to the intended recipients [11], [12].FDI attacks, also referred to as integrity attacks, demand more substantial resources for practical implementation.Adversaries must infiltrate communication links to alter original packets or insert falsified data.In both scenarios, CPS nominal performance undergoes significant deterioration, potentially resulting in increased control costs [13], diminished state estimation quality [14], and even instability within closed-loop systems [15].Eavesdropping attacks, while seemingly less intrusive since the attacker’s actions do not directly impact system performance, can still have devastating consequences owing to the leakage of critical information [16], [17].Other less frequently encountered cyber threats in the industrial realm encompass topology poisoning, load redistribution, and data framing attacks [18].Despite the inevitability of these malicious disruptions, adversaries are typically unable to execute uncontrolled attacks due to the countermeasures employed by system defenders, such as virus firewalls, anomaly detectors, and data encryption mechanisms [19]–[21].Moreover, the limited resource budgets of adversaries and their restricted access to secure information also narrow down the spectrum of feasible attack policies.

    Fig.1.Three facets of CPS security.

    Remote state estimation (RSE) is an essential functional module in CPSs.The primary objective of RSE is to derive estimates of physical processes based on measurements collected remotely, such as from sensors or cameras, without necessitating direct physical access.In practical applications,state estimates are usually utilized for feedback control and operation status monitoring, underscoring the pivotal role of RSE in ensuring the safe and efficient operation of industrial facilities.Nevertheless, the discerption of estimators and physical units renders it easier for adversaries to launch cyberattacks compared to integrated systems.Recently, it has been demonstrated in numerous publications that adversaries can manipulate data packets transmitted through unreliable channels of RSE, resulting in significant degradation of estimation performance and the leakage of confidential information [22],[23].While the field of fault detection and fault-tolerant control has witnessed the application of effective algorithms for anomaly detection and enhancing the resilience of physical systems [24], these methods may fail to defend against cyberattacks.Transmission or component failures are usually considered as physical events that affect the performance of RSE in an uncoordinated manner, rendering them relatively easy to detect.On the contrary, cyber-attacks are ingeniously designed by intelligent adversaries, making their detection and mitigation a much more challenging task.

    In the field of smart grids, Liuet al.discovered that by introducing falsified data into the sensor channels, it was possible to greatly amplify the error of least square estimators [1].Moreover, this attack had the capability to completely evade detection by residual-based bad-data detectors.While their primary focus was on least-square estimators, this investigation can be considered as the pioneering effort that ignited widespread research on the vulnerabilities of RSE.The relevant investigation has been extended from static systems in smart grids to dynamic ones in networked control systems.The estimators that are examined consist of both least square estimators and Luenberger observers.In situations where the process and measurement noises follow Gaussian distributions, Kalman filters are typically employed to attain optimal state estimates with minimal mean-square errors.Recently,numerous publications have delved into the examination of security concerns pertaining to a wide array of topics, including event-triggered estimators [25]–[27], distributed estimators [28]–[30], multiple-sensor systems [31], [32], RSE in nonlinear plants [33], [34], and other forms.

    The existing research concerning vulnerabilities of RSE can be broadly classified into two main categories:

    Problem 1: Design of worst-case attacks: This category focuses on developing attacks that are optimized subject to stealthiness and/or energy constraints.These studies seek to identify the most effective strategies for degrading system performance, primarily from the perspective of adversaries.

    Problem 2: Attack detection/identification and resilient estimation algorithms: This category is dedicated to developing methods for detecting and identifying attacks, as well as creating resilient estimation algorithms.These efforts aim to mitigate the impacts of attacks, primarily from the standpoint of defenders.

    Due to practical restrictions, the synthesis of optimal attacks and defensive countermeasures often takes the form of a constrained optimization problem.This problem seeks to maximize the benefit of an agent, whether an attacker or a defender, while adhering to stealthiness, resource budget, and information constraints [23], [35].There are also some studies assuming that the dynamic actions of both attackers and defenders are known to each other.Consequently, each side can react optimally based on their opponent’s actions.The decision-making process for both parties is explored within the framework of game theory [36]–[38].

    To provide an up-to-date perspective on the current state of research and to stimulate further exploration in this area, this paper aims to provide an extensive overview of recent developments in the model-based synthesis of cyber-attacks against RSE and defensive countermeasures.In contrast to many existing surveys that cover a broader range of cyber-attacks,including aspects such as control performance loss, attackresilient control, or domain-oriented reviews [4], [7], [18],[19], [21], [39]–[46], this paper is dedicated to a more detailed examination on the performance degradation of RSE and the defense techniques.A comparison of recent surveys on cybersecurity of CPSs is listed in Table I.

    The remainder of this paper is organized as follows.Section II describes the system model and formulates the problem of cyber-attacks against RSE.Section III discusses the synthesis of integrity attack strategies with various performance metrics and stealthiness/energy constraints.Section IV reviews the representative defensive measures against cyberattacks.Section V briefly discusses other types of attacks that affect data confidentiality and availability of RSE.Finally,Section VI concludes the discussion and addresses some challenging issues related to this topic.

    II.SYSTEM MODEL AND PROBLEM SETUP

    The system configuration of RSE is illustrated in Fig.2.The process dynamics are characterized by a discrete linear timeinvariant (LTI) system:

    wherexkandykrepresent the state and sensor measurement,respectively;wkandvkare the process and measurement noises, respectively.In the majority of existing works,wkandvkare assumed to be zero-mean independent and identically distributed (i.i.d.) Gaussian noises with known covariances.Therefore, a standard Kalman filter without packet dropouts and delays can be employed at the remote end to estimate system states.Letxk|kdenote thea posterioriminimum meansquare error (MMSE) state estimate andPk|kthe corresponding estimation error covariance,

    TABLE I RELATED SURVEYS ON CYBERSECURITY OF RSE

    Fig.2.System configuration of RSE.

    then the state estimation quality, also known as the performance of RSE, can be measured by Trace(Pk|k).To reveal potential faults or attacks within physical units and transmission channels, a residual-based anomaly detector is typically deployed in parallel with RSE and generates a binary alarm sequence according to

    wherezk=yk-Cxk|k-1is called innovation or residual,xk|k-1represents thea prioristate estimates of RSE, and δ>0 is a defender-specified scalar that controls the false-alarm rate(FAR) at nominal conditions;gk(·) is the evaluation function that takes various forms depending on the statistical properties ofwkandvk.Ifgk(zk) exceeds a given detection threshold,an alarm indicating the occurrence of abnormal events will be raised (Ak=1).As will be discussed in the next section, the different selections of the functiong(k) result in two popular frameworks for the design of so-called stealthy integrity attacks.

    In this paper, our discussion primarily centers on the discrete-time LTI system in (1), a model that has been adopted by massive existing studies.This model serves as a fundamental structure that can be readily extended to various scenarios including multiple-sensor systems, distributed estimators, and event-based estimation.The control inputs are omitted in (1)because they do not affect the estimation quality if attacks are launched on only the sensor channel.

    A. Attack Model

    The above system configuration is standard in model-based fault detection [24].Nevertheless in Fig.2, what differentiates cyber-attacks from transmission faults is that the sensor outputs (yk, orzkfor smart sensors) in unreliable links can be intentionally eavesdropped on and altered by adversaries.Our ultimate objective is to safeguard RSE from malicious attacks.However, the ancient proverb “If you know both the enemy and yourself,you will fight hundreds of battles without a loss”highlights the importance of examining worst-case attacks that maximize the adversary’s advantage.InProblem 1, one assumes the perspective of an attacker and explores optimal strategies capable of causing the most significant degradation in estimation quality within RSE, taking into account various stealthiness and performance metrics.These studies are essential for uncovering vulnerabilities of RSE and laying the groundwork for the development of countermeasures.To this end, the following assumptions are often made to characterize the capabilities of potential adversaries.

    1) An attacker knows all system parameters, noise statistics,and other necessary knowledge (system configuration, the type of anomaly detectors, etc.).

    2) An attacker can eavesdrop on and/or modify the original data packets transmitted in unreliable channels.They may also be able to manipulate noise or interference power in transmission links.

    These characteristics enable adversaries to launch FDI,DoS, and eavesdropping attacks.While powerful attackers may be rare in real-world scenarios, the above assumptions align withShannon’s maxim, asserting that a system’s security should not depend on its obscurity [47].Though it might be difficult in practice to obtain system parameters, we frequently adopt the perspective that adversaries can obtain them through methods such as system identification and controller intrusion.Stuxnet cyber-worm serves as a concrete example in the industrial realm [5].Only by assuming that attackers possess comprehensive knowledge of target facilities, we can investigate the impact of the worst-case attacks.

    B. Performance Assessment and Stealthiness Metrics

    2)Error Norm Related Performance: The compromised measurement is designed to cause a large difference between the corrupted and nominal state estimates.Some integrity attacks may cause the RSE to become unstable, leading to unbounded estimation errors.

    From an adversary’s perspective, enabling integrity attacks to bypass anomaly detectors is one of their primary imperatives.In existing studies, different definitions of stealthiness can be categorized as:

    The design of integrity attacks maximizing covariance related performance metrics subject to stochastic stealthiness will be discussed in Section III-A.The design of integrity attacks with estimation error norm related performance and deterministic stealthiness will be discussed in Section III-B.

    III.OPTIMAL ATTACK STRATEGIES

    In the following, two representative frameworks for the design of stealthy integrity attacks are discussed.The relevant studies and defensive measures are classified in Fig.3.

    Fig.3.Synthesis and defensive measures for integrity attacks.

    A. Stochastic Attacks

    In this section, we examine different attacks aimed at maximizing the performance index associated with error covariance while adhering to stealthiness constraints based on statistical properties.Denote the set of eavesdropped data as

    then creating an optimal attack involves determining a mapping from Ikto the space of sensor outputs, and obtaining its general form can be challenging.Note that synthesizing the compromised output) is equivalent to designingif the initial state of RSE is known to the adversary.Some earlier work frequently adopted linear attack models.Recently, general information-based attacks without the linearity assumption have also been derived.

    1)Innovation-Based Static Linear Attacks: In the pioneering work [22], Guoet al.introduced an innovation-based linear attack that maximizesJg, where the compromised innovation is assumed to be a linear transformation of the currentstep nominal innovation, augmented by compensatory Gaussian white noises.It is then proved that the optimal attack strategy is simply inverting the sign of the nominal innovation.This interesting result has sparked extensive research endeavors since then; a majority of them lie in the following linear domain with different S [35], [48]–[53]:

    where S is the index set of employed innovations;and Φkare parameters to be determined.The optimal attack in [22]led to an i.i.d.compromised innovation sequence, enabling it to deceive χ2detectors of arbitrary detection lengths.To strike a balance between attack performance and stealthiness, Li and Yang developed a linear attack that utilizes the current innovation and an additional historical one, positioned beyond the sliding window of χ2detectors [48].This modification enhanced the attack’s stealthiness, enabling it to deceive anomaly detectors that use a fixed-length moving window.To further enhance attack performance by incorporating more information available, Shang and Chen employed a range of historical nominal innovations to design linear attacks [49].They derived explicit solutions for optimal attack coefficients, eliminating the need for numerical optimization.The policy can achieve greater attack performance compared with [22], [48].However, the compromised innovation showed sequential correlations across consecutive steps, allowing the attack to bypass only single-step χ2detectors.

    Owing to its simplicity, the linear strategy has also been adopted to synthesize FDI attacks that maximizeJh.This optimization presents greater complexity as the influence of the compromised measurements will keep propagating through the estimator dynamics.To address this problem, Li and Yang studied a linear attack strategy based on Gaussian distributions with arbitrary means [50].The optimal attack coefficients are determined through the application of the Lagrange multiplier method to solve a constrained quadratic optimization problem.Shanget al.examined a similar linear attack model, where the worst-case attacks without zero-mean constraints are analytically derived [54].The linear attack model has also found applications in various scenarios where attackers can deploy extra sensors to measure system states [35],[51], [53] and in optimal integrity attacks featuring relaxed stealthiness measured by the KL divergence [52], [54].

    2)Dynamic Linear Attacks: Although substantial research efforts have been invested in synthesizing innovation-based linear attacks, the inherent linearity assumption significantly confines the feasible behaviors of attackers, and thus all these policies are not guaranteed to achieve the maximum attack performance globally.In order to address this limitation, Renet al.designed the compromised innovation as a linear combination of the current-step nominal innovation and a historically compromised one, resulting in adynamiclinear attack model [55].It can be proved that the attack generated by this model leads to an equivalent estimation performance degradation as the innovation-based approach that incorporates all historical data [49], but the dynamic one shows distinct advantages since it requires only two parameters to be determined at each step because of the recursive structure.

    The dynamic model in [55] accommodates only the case of symmetric information, where the compromised innovation is designed based on only the eavesdropped measurements.Recently, a surprising finding by Zhouet al.revealed that the information-based optimal attack should be designed as an affine function of the MMSE estimate of the current-step compromised prediction error of RSE [56]–[58].A “separation principle” is proposed as a comprehensive design framework that can accommodate diverse information scenarios.The conclusion indicates that the worst-case attack performance depends on both the quantity of online information available and the width of the detection window.Furthermore,the compromised outputs can also be generated by the following linear time-varying (LTV) system:

    whose coefficient matrices are fully determined offline by system parameters.

    The preceding discussion primarily focuses on a simplified system model in Fig.2.Recently, numerous publications have delved into variations of the fundamental problem formulation, such as those involving partially secured channels [32],[59]–[63] and event-based estimators [26], [27], [64], [65].

    3)Attacks on Partially Secured Channels: In this category,one representative scenario involves measurement data possessing different levels of confidentiality or being transmitted via different mediums to remote terminals.As a consequence,attackers can compromise only the unreliable channels but not the secured ones.In response to this scenario, Guoet al.devised an innovation-based linear attack strategy, which leverages additional equality constraints imposed by secure channels [59], [60].They provided explicit solutions for the optimal attack strategy and analyzed the relationship between the compromised estimation error covariance and the attacked sensors.To further enhance attack effectiveness, Xuet al.proposed the utilization of historical innovation intervals from both secure and insecure sensors to construct linear attacks[63].This approach is also capable of completely deceiving the sequential anomaly detector studied in [31].However, it should be noted that all the aforementioned attacks are formulated in a static linear format and are designed to maximizeJg.The derivation of optimal information-based attacks without the linearity assumption in the presence of secure channels still remains an open problem.

    In practical cases, attackers may compromise only a subset of transmitted links simultaneously due to constraints on their energy or resources.Consequently, the allocation of attack power becomes a significant consideration.In light of this,Renet al.investigated a scenario where attackers could compromise at mostNout ofMchannels at each time, with the objective of maximizingJaat the fusion center [62].This problem was formulated as a Markov decision process (MDP)problem, and the existence of an optimal deterministic and stationary policy was established.

    4)Attacks on Event-Based Estimators: Integrity attacks on event-triggered RSE can either modify the event-triggering mechanism or directly alter the transmitted data.In the former case, Chenget al.investigated an attacker’s objective to degrade RSE performance while evading detection based on communication rates [27].They obtained a closed-form relationship between the compromised event-triggering threshold and the nominal scheduling threshold.In the latter case, Shanget al.studied a more complicated scenario, where adversaries had the capability to launch DoS attacks, injection attacks, or a combination of both, subject to constraints on transmission rates and probability distributions [64].In contrast to prior Gaussian approximations [27], it is shown that the innovation in event-based RSE follows a complete Gaussian crater distribution, which forms the basis for analyzing the stealthiness properties of the proposed attacks.

    There is also some work leveraging event-triggering techniques to design FDI attacks.A representative work is [26],where Zhaoet al.devised an event-triggered policy in which the optimal attack in [22] would be executed if a stochastic event-triggering condition was met.

    5)Other Attack Scenarios: In the stochastic framework,stealthiness is defined based on the statistical properties of single or multiple-step innovations.This definition is consistent with the detection logic of χ2detectors, where innovations in a sliding window are utilized to construct the detection index.On the contrary, several studies adopt the KL divergence between the compromised and nominal innovation (or output) sequences as a measure of stealthiness [14],[66], [67].Some significant findings are presented in [14],[66], where Baiet al.quantified the upper bound of degradation in the worst-case scenario when an attacker ensures a specific level of stealthiness.In order to better evaluate the attack’s impacts on the estimation quality, Li and Yang designed an attack policy that maximizes the weighted combination of the average and terminal error covariance [68].Different from the previous attacks, the synthesis of the attack policy was not based on the historical measurements; the offline designed compromised signal was equivalent to adding an i.i.d.Gaussian noise to the nominal innovation.

    The design of stochastic attacks largely depends on the formulation of the corresponding optimization problem.Generally, it is not appropriate to compare the effectiveness of attack policies if they adopt different stealthiness and performance metrics.In contrast to the deterministic attacks to be covered in the next section, these attacks typically necessitate the accessibility of online data to adversaries.This enables a“closed-loop” design aligning with our intuition: the greater the availability of online data, the more significant the potential for FDI attacks to cause estimation quality degradation.Future endeavors could be dedicated to researching stealthy attacks in distributed estimators and sensor networks, where more sophisticated detectors based on connectivity and topology information are employed to reveal anomalies.Moreover,it is worth pointing out that requiring compromised innovations to match nominal innovations statistically is sufficient(but not necessary) for maintaining the alarm rate (AR).Future studies that directly consider the stealthiness constraint on AR could possibly produce more destructive attacks.

    B. Deterministic Attacks

    The second approach for crafting stealthy deception attacks relies on deterministic system theory.This framework is better suited for designing integrity attacks that compromise systems characterized by bounded noises.By definingand?zkrespectively as the state estimation difference and the residual difference between the compromised and nominal systems, the analysis of deterministic attacks can be achieved based on the following dynamic model [69]:

    whereakdenotes the data injection in sensor channels andKis the estimator gain.This model originates from the linearity of LTI systems and is formulated by considering only the effects of attacks on system dynamics.The main objective is to determine whether there exists an attack sequence capable of causing the above system to exhibit unbounded states while maintaining bounded outputs.

    1)Design of Stealthy Attacks: The pioneering work on vulnerabilities of linear-quadric Gaussian control systems was presented by Mo and Sinopoli [15], where the notions of(?,α)-attackability and perfect attackability are defined.The paper also provided a necessary and sufficient condition for a system to be perfectly attackable, which depends on the unstable eigenvalues (denoted asλ) and eigenvectors ofA.Based on (6), a typical stealthy attack sequence independent of Ikis generated according to

    whereρis a constant andμis determined by the eigenvector associated withλ.Motivated by [15], Huet al.gave a similar insecure definition for RSE and derived necessary and sufficient conditions for such property when all communication channels and partial channels are compromised [69].It should be highlighted that in these studies ?zkhad to stay bounded.To completely mitigate the impact of FDI attacks on the detection function, Zhang and Ye introduced the concept of complete stealthiness, which further necessitates that limk→∞//?zk//→0.This idea was later expanded upon to include energy stealthiness, which aims to deceive the summation (SUM) detector by maintaining a bounded level of accumulated attack energy [70].The study established both necessary and sufficient conditions for crafting FDI attacks with complete stealthiness and energy stealthiness.

    Note that (6) is a dynamic system purely driven byak.The deterministic attack linked to (6) resembles what is commonly known as a “zero-dynamic attack”, typically executed on the controller side [71].This form of attack aims to deceive the controller by making the compromised control signal and sensor output appear consistent with the process’s nominal state.It is crafted using the zero dynamics of a system, where the output remains identically zero due to a specific combination of initial conditions and control inputs.Consequently, the process of synthesizing integrity attacks against RSE can be linked to the development of zero-dynamic attacks in controller channels.

    2)Reachable Set Analysis: In addition to the design of stealthy attacks, noticeable research efforts have been devoted to analyzing the maximum state deviations caused by these attacks [72]–[75].In [73], Kwonet al.considered three kinds of stealthy attacks according to the attackers’ ability to compromise the system.They presented a method to evaluate the reachable error region for sensor-only attacks by formulating a stochastic optimal control problem.Following this study,many endeavors have been undertaken to investigate security concerns within control systems by analyzing reachable sets.For instance, Mo and Sinopoli studied the effect of stealthy integrity attacks on CPSs and demonstrated that the attacker’s strategy can be formulated as a constrained control problem;the characterization of the maximum perturbation can be posed as reachable set computation, which is solved by ellipsoidal approximation methods [74].In [75], Murguiaet al.proposed two security metrics to quantify the potential impact of stealthy attacks: the volume of the attacker’s reachable set and the minimum distance to critical states.The authors also provided synthesis tools to redesign controllers and monitors such that the impact of stealthy attacks is minimized and the desired attack-free performance is guaranteed.

    3)Other Scenarios: The deterministic design framework has also been extended to distributed systems.In [76], Wanget al.studied a slightly different scenario that attackers can corrupt both the output measurements and the state estimates in distributed state estimation.The authors derived necessary and sufficient conditions for the vulnerability of the system under different attack scenarios.

    Based on (6), Chenet al.studied a scenario where attackers aim to regulate the estimation error to a value arbitrarily defined by them, which can reduce the likelihood of detection by amplitude detectors [77].They used dynamic programming to derive an explicit expression for the optimal attack sequence and also analyzed its convergence and feasibility.

    While most of the relevant studies focus on the conditions whether there exists an attack sequence causing instability in estimators, there is also some work investigating the maximum state estimation deviation in a finite horizon.In this case, the design of attack policies is based on solutions to an optimization problem.A representative study is presented in[78], where the optimal deterministic attack is derived bymaximizing a quadratic objective function subject to energy constraints.

    TABLE II DESIGN OF STEALTHY INTEGRITY ATTACKS ON RSE

    Deterministic attacks are typically created by exploiting the control system’s unstable modes.These attack signals can be fully determined without the need for knowledge of the online transmitted data, which differentiates it from stochastic attacks.However, this “open-loop” design may lack robustness in terms of maintaining stealthiness properties.To determine the unstable eigenvalues and eigenvectors of the system matrix, attackers have to possess highly precise information about the system parameters.Otherwise, self-generated attacks may not be able to consistently keep the residual within bounded limits.

    Different attack approaches in the two frameworks are summarized in Table II, where the classification is based on the attack model, performance measure, stealthiness metric, the existence of side information, and the existence of secured transmission channels.

    IV.DEFENSIVE COUNTERMEASURES

    While extensive research has been dedicated to exploring integrity attacks, these studies have significantly contributed to our comprehension of inherent vulnerabilities within RSE.As a result, many effective techniques have been introduced in the past decade to enhance the security of RSE.It is seen that a unified design framework for countermeasures is lacking,with scholars from diverse disciplines making significant contributions through different techniques.

    For general linear descriptor systems, Pasqualettiet al.proposed a mathematical framework for CPSs, attacks, and monitors, and characterized the fundamental limitations of monitoring from system-theoretic and graph-theoretic perspectives[20]; both centralized and distributed monitors that can detect and identify attacks were designed.In [82], Fawziet al.investigated the problem of state estimation for linear systems when some of the sensors are compromised by adversaries.The authors provided an efficient algorithm inspired by techniques in compressed sensing and error correction to estimate the state of the plant despite attacks.Recently, this detection framework has been extended to more general cases where the compromised sensors can change over time and the attack signals can be arbitrary and unbounded [83].

    Regarding the enhancement of RSE security, notable countermeasures include watermarking-based defense [84]–[90],encryption-based defense [91]–[93], moving-target defense(MTD) [94]–[97], and a range of other approaches.Since integrity attacks are intentionally synthesized to deceive traditional passive detectors, most of these countermeasures aim at creating a proactive defense mechanism.As will be discussed later, the enhancement of system security using proactive methods often comes at the expense of sacrificing some other aspects of performance, e.g., control and estimation quality loss, or extra resource consumption.

    A. Watermarking-Based Defense

    Watermarking referring to the technique of embedding secret data into a carrier signal, such as audio, video, or image data, is a widely adopted method in information security to prevent contents from unauthorized modification.The pioneering work of adopting this technique to CPS protection is[84], where Moet al.designed a watermarking signal that is superimposed on the optimal control input and has statistical properties that maximize the detection performance while satisfying a constraint on the control performance.An optimal Neyman-Pearson detector that can determine if the system is under attack by comparing the observed and expected outputs is derived.Similarly, in [85] a secret noisy i.i.d.input is added to the optimal control signal.If the process is operating under normal conditions, the system operator should be able to detect the presence of the watermark in the sensor measurements.In order to defend against powerful adversaries who can read a subset of control inputs to design stealthy attacks,Weerakkodyet al.proposed a robust physical watermarking based on the Neyman–Pearson criterion; a convex optimization problem to obtain the watermark signal was formulated[86].

    The successful application of watermarking-based defense has been demonstrated in [88], where Ahmedet al.implemented the watermarking signal on a real water distribution testbed.The technique is shown to achieve a 100% true positive rate and a low FAR in detecting replay attacks while preserving the system performance and meeting consumer demand.Recently, this method has been extended to the cases of dynamic watermarking to protect linear-parameter-varying systems [89] and simultaneously online watermarking design and system identification [90].

    It is worth emphasizing that the achievability of enhancing security using watermarking is often at the expense of nominal system performance degradation.Given these tradeoffs,the decision to use watermarking for security purposes should be carefully considered in the context of the specific application and its requirements.It is important to strike a balance between security and performance, taking into account factors like the sensitivity of the data, the resources available, and the control signal saturation.

    B. Encryption-Based Defense

    In essence, the goal of data encryption/decryption-based defense is to make the intercepted data as difficult to decipher as possible, thereby enhancing the overall security of the system.Only those who possess the encryption key can decrypt the ciphertext back into its original form.Regarding CPS security, this technique is similar to coding/decoding-based defense, while the latter does not require secret keys to recover the original information.Based on this idea, Miaoet al.proposed a low-cost method of coding the sensor outputs to detect stealthy FDI attacks.They showed the conditions for a feasible coding matrix that can increase the estimation residues under intelligent data injection attacks and provided an algorithm to compute such a matrix.The paper also presented a time-varying coding scheme to defend against attackers who can estimate the coding matrix from intercepted online data [91].

    To defend against the extensively studied innovation-based linear attacks, Shanget al.studied a linear encryption approach to bolster the security of RSE, aiming to safeguard transmitted data against unauthorized alterations [92].This linear encryption technique, synthesized by minimizing the worst-case estimation errors, was developed through the Stackelberg game analysis.Recently, this technique was extended to protect data transmission of traditional sensors by encrypting a subset of packets, which can strike a balance between resource utilization and security enhancement [93].

    It is important to note that encryption-based defense strategies involve the incorporation of additional modules dedicated to data encryption and decryption.The hardware and computational resources required for these processes should be regarded as the overhead incurred in pursuit of heightened security.Moreover, the delays induced by data processing should also be taken into account in real-time systems.In practical scenarios, system defenders should carefully adjust their designs to achieve a favorable equilibrium between these performance metrics.

    C. Moving-Target Defense

    MTD is a proactive strategy designed to enhance the security of computer systems and networks by frequently changing the attack surface and making it more difficult for adversaries to identify and exploit vulnerabilities.The core idea behind MTD is to create a dynamic and unpredictable environment for potential attackers.Following this idea, Tianet al.proposed an approach that actively changes the system configuration to invalidate attackers’ knowledge about the system and detect Stuxnet-like attacks [94].The paper showed that MTD can deal with different types of attacks, such as measurement-independent stealthy attacks, control scaling attacks,and measurement replay attacks.In [95], the authors proposed to introduce extraneous states with time-varying dynamics that are unknown to the adversary but known to the defender and use additional sensors to measure these states.

    More recently, Kanellopoulos and Vamvoudakis proposed a secure control algorithm for CPSs facing sensor and actuator attacks [97].The technique integrated proactive and reactive defenses, with the proactive part using stochastic parameter adjustments to enhance unpredictability and the reactive part detecting attacks via an integral Bellman error computation.To analyze system properties when implementing MTD, the theory of switched systems is frequently employed.This adaptation allows for the examination of stability concerns associated with changes in system configurations.

    MTD is an effective approach to defend against cyberattacks.However, one of its drawbacks is that it can potentially lead to suboptimal system performance when there are no active cyber-attacks.It also introduces extra challenges, as frequent changes in system dynamics or configuration can complicate the design of defense strategies and the analysis of the system’s normal behavior.

    D. Other Defense Methods

    It is seen that a unified framework to design countermeasures against cyber-attacks does not exist.Researchers from diverse disciplines contribute through different techniques[29], [31], [83], [98]–[104].Among the work beyond the scope of proactive detection mechanism, some approaches aim to enhance the performance of traditional detectors through appropriate modifications [98]–[100].A representative work is presented by Ye and Zhang to detect deterministic FDI attacks [100].They introduced a SUM detector, which uses both the current and historical information and has a statistical property that its evaluation value satisfies χ2distribution when the system is normal and increases to infinity when the system is under attack.The superiority of the proposed method is demonstrated by the fact that two types of FDI attacks can be detected by the SUM detector but not theχ2one.

    Detecting stealthy attacks becomes relatively easier when secured transmission channels are in place.Correlations between data packets in both safe and unsafe channels can be leveraged to design a detection mechanism [31], [101], [105].Based on this idea, Liet al.proposed three sequential dataverification and fusion procedures for different detection scenarios [31].This important work serves as a benchmark for many follow-up studies on defense against innovation-based linear attacks.For instance, Guoet al.introduced a Gaussianmixture-model based detection mechanism [101].The expectation–maximization algorithms are applied to cluster the local estimates from different sensors and assign a belief for each sensor, which is used to fuse the measurements accordingly.More recently, Chattopadhyay and Mitra introduced an online learning-based algorithm for secure state estimation [106].The proposed method can accommodate the case where no safe sensors are in place and offers up to 3-dB improvement in MSE compared with [31].However, it is worth pointing out that all these methods assume adversaries adopt the innovation-based linear model.The effectiveness of the countermeasures against broader attack types, such as dynamic linear attacks, should be re-examined in future studies.

    TABLE III REPRESENTATIVE COUNTERMEASURES AGAINST CYBER-ATTACKS

    In distributed state estimation, the information from neighboring sensors can be utilized to build a detection mechanism[29], [107].In [29], Yanget al.designed a protector for each sensor based on the online innovation from its neighboring sensors.A sufficient condition for the stability of the estimator equipped with the proposed protector under hostile attacks was provided, and a critical attack probability that corresponds to a given steady-state estimation error covariance was derived.

    The detection of integrity attacks has been studied using data-based methods [108], [109].In situations where sufficient online data is collected, Shiet al.proposed transfer entropy countermeasures for anomaly detection under various attacks [109].The transfer entropy is utilized to measure causality or information flow between sensor measurements or innovation sequences.The results showed how attacks can disturb the causality and change the transfer entropy values.

    Finally, there are also a few studies investigating attack defense in a game-theoretic framework.A representative work is presented in [110], where Liet al.modeled the interaction between the defender and the attacker as a Stackelberg game,where the defender allocates defense resources to secure sensors and the attacker chooses target sensors to attack.They analyzed the optimal solutions for both sides under different types of budget constraints and transformed the game into linear programming problems.

    The effectiveness of defensive measures varies depending on specific attack scenarios.Some techniques are developed to ensure that adversaries cannot satisfy the corresponding stealthiness condition easily.Therefore, the method may fail to defend against more sophisticated attackers that employ a stricter stealthiness measure.In practical cases, the continuous interplay between attackers and defenders makes the design of defensive measures a topic of enduring significance in the control community.

    Different countermeasures against cyber-attacks are summarized in Table III, where the relevant references, the type of attacks to be defended, the main techniques adopted, and a few comments on their limitations are listed.

    V.BEYOND INTEGRITY ATTACKS

    In this section, we briefly review the design of DoS and eavesdropping attacks and the corresponding countermeasures in the basic problem setup.Interested readers may refer to [25], [119] for event-based estimators and [28], [64],[120]–[123] for hybrid DoS and FDI attacks against RSE.

    A. Denial-of-Service Attacks

    1)Design of DoS Attacks: Synthesizing DoS attacks from an adversary’s perspective can be formulated as a constrained optimization problem, where the attacker aims to maximize the impact on the target system under various constraints, as illustrated by

    where ? represents the total power budget.The constraint on the packet-reception rate (P RR) is imposed with the awareness that, in real-world systems, a DoS attack causing an excessively low PRR at the terminal can be readily detected by alarm systems.

    In [124], [125], Zhanget al.derived the optimal attack schedule under a limited energy budget; they also studied the case where the estimator has an intrusion detector that triggers an alarm when the PRR falls below a threshold.In this context, the attacker’s behavior is symbolized through a binary sequence.At each step, adversaries make a straightforward choice between “attack” or “not attack” to determine whether to completely obstruct the transmission channels.Consequently, the optimal attack schedule design becomes an integer programming problem, which is in general difficult to solve.However, in [125] the authors presented some structural results, showing that grouping the attacks leads to the maximal effect, while separating the attacks as uniformly as possible leads to minimal degradation.In [126], the authors explored optimal strategies for an invader launching DoS attacks on a centralized sensor network to degrade system performance.They provided an analytical solution for single-sensor systems and numerical methods for multiple-sensor systems, both with attack energy constraints.

    One property of wireless communication is that the packet can experience random loss due to channel fading, interference, scattering, and other factors [127].To explore more realistic scenarios, some researchers adopt the assumption that adversaries can manipulate the interference or noise power in signal-to-interference-plus-noise ratio (SINR) channels, where the packet dropout rate is determined by both the strength of desired signals and the level of interference power [128].For such channels, Zhanget al.analyzed the impact of DoS attack power on the estimation accuracy and energy efficiency of the sensor, and found a critical value of attack power that determines the stability of the RSE [129].The result is based on a well-known conclusion that an excessively low PRR for the Kalman filter with intermittent observations will lead to unbounded estimation errors [130].

    To compromise SINR-based channels with limited energy,Penget al.formulated the problem of finding the optimal attack power schedule subject to average energy constraints as an MDP [131].They proved the existence and uniqueness of an optimal deterministic and stationary policy for attackers and showed that the optimal policy has a threshold structure.Liuet al.also formulated the problem of designing optimal DoS attacks as an MDP with a discount factor to balance the current and future rewards [132].The optimal solution is obtained based on the Bellman’s optimality principle.

    2)Defensive Countermeasures: Unlike FDI attacks that can deceive anomaly detectors, maintaining stealthy is usually not a primary concern in the design of DoS attacks.Consequently,the majority of research on defense countermeasures primarily addresses the challenge of ensuring reliable estimation performance in the presence of attacks.

    When CPSs are subjected to DoS attacks, changes in the measurement or control input matrices lead to deviations of system dynamics from their normal conditions.Therefore, the switched system theory is often applied for attack-resilient estimation [133], [134].This approach models the system as one that alternates between normal and attacked states, especially during intermittent DoS attacks.The primary objective is to analyze the stability of a dynamic system operating under these conditions.A representative work is [133], where Chenet al.proposed a switched system method for the fusion estimation of phaser measurement units in power systems.The switching rule is based on the innovations of an extended Kalman filter, with the goal of achieving a balance between metrics concerning the estimation accuracy, convergence speed, and computation time.

    3)Game Theoretic Analysis: Notably, it is found that massive publications studied the interactive actions of attackers and defenders in a game-theoretic framework [36], [37],[115]–[118].The pioneering work is [36], where Liet al.regarded the attack and defense problem as a zero-sum game and proved the existence of a Nash equilibrium.They used Markov chain theory to solve a relaxed problem.This framework was further extended to the case of SINR transmission channels [37], where a modified Nash Q-learning algorithm was applied to solve the Markov game over an infinite time horizon.

    In multiple-channel transmission scheduling, Dinget al.also modeled the interaction between the sensor and the attacker as a two-player stochastic game and used a Nash Qlearning algorithm to find the optimal strategies [116].To study the asymmetric information scenario, the stochastic Bayesian game has been utilized to characterize the strategic interaction between two players in RSE [117].In this case, the sensor possesses acknowledgment information from the estimator, while the attacker does not.Recently, Yuanet al.considered a more practical case in which communication networks are time-varying; the long-term interaction of players is modeled with a Markov game [115].An online minimax Qlearning is applied to solve the problem.

    B. Eavesdropping Attacks

    It is commonly held that the states of the system are treated as sensitive information, which should not be accessible to adversaries.Nevertheless, an attacker who can eavesdrop on the sensor measurements can execute estimation algorithms to gain such confidential information.

    1)Design of Eavesdropping Attacks: There are relatively few studies on the synthesis of optimal eavesdropping attacks.One reason is that stealthiness is usually not a primary concern; thus the attack design often boils down to a standard state estimation problem.In practical cases with secured data transmission, considering that deciphering encrypted data is often resource-consuming, Zhouet al.studied the optimization problem from adversaries’ perspective under energy constraints [23].The authors analyzed the impact of different decryption strategies on eavesdropping performance and proposed a deciphering schedule that minimizes the expected estimation error without exceeding the energy budget.

    In [135], Dinget al.studied an intelligent attacker who can switch between passive and active modes to enhance eavesdropping while evading PRR-based detection.They modeled this trade-off as a constrained MDP and derived conditions for a policy that meets stealthiness requirements and maximizes eavesdropping efficiency.Other relevant studies on the synthesis of eavesdropping attacks in different scenarios can be found in [136], [137].

    2)Optimal Scheduling Based Defense: The majority of current research on eavesdropping attacks on RSE is formulated from the defender’s standpoint, and a typical problem is stated as follows:

    where an optimal sensor schedule within the power budget ?is one in which the estimation error for adversaries (EAttack) is maximized while ensuring that the estimation error for RSE(ERSE) does not surpass a specified threshold.In essence, The optimal scheduling-based defense boosts RSE confidentiality by reshaping sensor transmission decisions, which can balance various indices for optimal overall performance [138]–[141].

    Using the above framework without power constraints, Tsiamiset al.introduced a control-theoretic definition of secrecy for RSE, which requires that the user’s estimation error is bounded while the eavesdropper’s estimation error is unbounded [138].The paper studied a simple secrecy mechanism that randomly withholds measurements from being transmitted.It was proved that the proposed mechanism can achieve perfect expected secrecy if the user’s PRR is higher than the eavesdropper’s P RR.

    Using a linear combination ofERSEandEAttackas the performance metric, Leonget al.derived structural results on the optimal transmission policy, which shows a thresholding behavior in the estimation error covariances [139].The paper also proved that in the situation of infinite horizon, there exist transmission policies that can keep the expectedERSEbounded while the expectedEAttackbecomes unbounded.

    Taking the transmission power into consideration, Wanget al.proposed a problem formulation that considers the estimation errors of both parties and the cost of the sensor’s transmission energy [140].The authors proved that there exist some structural properties for the optimal transmission schedule, such as threshold and switching behaviors, for both the known and the unknown eavesdropper’s estimation errors.

    3)Encryption-Based Defense: The above scheduling-based defense usually enhances the confidentiality of RSE at the cost of a slight reduction in nominal estimation performance.To ensure an optimal state estimation for defenders, there are also plenty of studies considering encrypting the transmission data to defend against eavesdropping attacks [111]–[114].A representative method is presented in [112], where Tao and Ye proposed to protect the RSE from eavesdropping attacks by using time-varying coding and noise-adding techniques.They also derived the minimum encoded dimension and the upper bound of the update period for the time-varying coding scheme.

    Note that the above method requires that the coding matrix not be accessible to adversaries.In order to defend against more powerful attackers, encryption-based methods are adopted in [113], [114].Zouet al.proposed a novel encryption-decryption scheme (EDS) to protect the transmitted data from eavesdropping, using artificial noise injection and secret keys; they designed a finite-horizon energy-to-peak state estimator for LTI systems under EDS.Sufficient conditions for the existence of the EDS and the state estimator are obtained[113].Recently in [114], Shang and Chen proposed linear encryption strategies to protect the transmitted data from eavesdropping.For two types of data transmission, the authors obtained the optimal filtering for the eavesdropper and designed the encryption coefficients by maximizing the eavesdropper’s estimation error covariance.

    The application of privacy-preserving techniques in realworld systems can be found in [142], where Sunet al.introduced a novel privacy-preserving algorithm for distributed economic dispatch in microgrids.The authors provided convergence proof, analyzed privacy levels within a differential privacy framework, and demonstrated effectiveness using an IEEE 39-bus system.

    VI.CONCLUSIONS AND FUTURE WORKS

    The security issue in CPSs is a multidisciplinary topic that requires collaboration of experts from diverse fields, including computer engineering, cryptography, communication, and others.Moreover, domain-specific knowledge from vulnerable industrial sectors, such as energy pipelines and smart grids, is also essential for us to comprehensively understand the execution of these attacks and the mechanisms required for effective protection.This paper discussed the current research status on the design of cyber-attacks against RSE and the corresponding defensive countermeasures.The relevant problems with single-sensor scenarios as well as different variants have been reviewed from both attackers’ and defenders’ perspectives.It is observed that optimization-related tools and algorithms play a central role in the majority of existing studies.

    Though many elegant results have been derived, the applicability of these methods in enhancing the security of realworld systems has not been adequately verified.Almost all existing studies validate the effectiveness of proposed methods using a simplified process model.The design of cyberattacks against state estimators are discussed in smart grids[1], remotely piloted vehicles [77], and IEEE 6 bus power systems [70]; the defensive countermeasures can be found in unmanned aerial vehicles [83], the Tennessee Eastman challenge problem [85], [109], water distribution systems [44],[88], IEEE 39-bus systems [94], [142], aircraft [97], [108],smart grids [98], [102], and artificial neural networks [121].Specifically, Dinget al.outlined a secure state estimation framework for water distribution systems in the presence of unknown disturbance inputs, measurement noises, and malicious attacks [44].The process was modeled by an LTV system and the secure state estimation problem was cast into the feasibility of a recursive convex optimization problem subject to a series of LMIs.In the future, more efforts are needed to verify the effectiveness of these techniques in practical systems.

    In the following, a few topics that have not been sufficiently investigated in existing work are presented.

    A. Data-Driven Design

    Most of the existing studies, whether focusing on the design of optimal attacks or defensive measures, presume that a dynamic model is available to both adversaries and defenders.Nonetheless in practical systems, an accurate system model is difficult or even impossible to obtain, especially for large and complex industrial processes.This is particularly difficult for attackers who usually have only limited access to system knowledge.Therefore, studying cyber-security with partial knowledge of system parameters or pure data-driven methods is a meaningful topic [143]–[147].

    B. Robust Design

    In the model-based approaches to cybersecurity, a majority of them consider the cases that the model possessed by attackers and defenders to be accurate.Based on this assumption,one can design strictly stealthy attacks and countermeasures.However, in practical cases, uncertainties in the model parameters have a great impact on the stealthiness property.In the deterministic framework for designing integrity attacks, the boundness of residuals is achieved by the cancellation of two unbounded attack signals in the direction of unstable eigenvectors.Therefore, even a minor inconsistency in calculating these eigenvectors can prevent the attacks from maintaining residuals within bounded limits consistently.Future research should explore robust stealthiness and defensive measures in the context of model uncertainties [148], [149].A representative study is presented in [149], where a novel class of resilient estimation algorithms is designed when there exist uncertainties in system matrices.

    C. Imperfect Transmission Channels

    The majority of existing results assume that, under nominal conditions, the transmission channel is perfect without delays and packet dropouts.However, the influence of such imperfections on the design of optimal attacks and defensive measures has not been thoroughly studied yet.Future endeavors could be dedicated to analyzing the effects of cyber-attacks in imperfect wireless links.This investigation will enhance the applicability of the related theoretical research to real-world systems.

    D. Modern Industrial Alarm Systems

    Industrial alarm systems are commonly used to provide timely alerts when faults occur in industrial processes.Nowadays, most alarm systems are designed to minimize the impact of faults and improve the effectiveness of corrective responses for field workers [150].As has been pointed out by many industrial experts, there is an urgent requirement to safeguard industrial facilities from cyber-attacks.In future work, it would be valuable to create an integrated platform that combines alarm management tools and fault/attack detection algorithms.This integration aims to prompt the delivery of alerts in case of any abnormal events by making full utilization of available information from different sources and leveraging techniques in different disciplines.

    在线观看一区二区三区| 少妇裸体淫交视频免费看高清| 国产精品亚洲美女久久久| 国产在线精品亚洲第一网站| 久久久国产成人精品二区| 日日干狠狠操夜夜爽| 免费大片18禁| 欧美性猛交黑人性爽| 国产免费av片在线观看野外av| 精品电影一区二区在线| 悠悠久久av| 免费一级毛片在线播放高清视频| 久久热在线av| 欧美高清成人免费视频www| 亚洲欧洲精品一区二区精品久久久| 国产综合懂色| 午夜成年电影在线免费观看| 国产成人av教育| 成年人黄色毛片网站| 国产成人影院久久av| 日日干狠狠操夜夜爽| 母亲3免费完整高清在线观看| 综合色av麻豆| 国产精品日韩av在线免费观看| 亚洲国产精品sss在线观看| 男女那种视频在线观看| 久久午夜亚洲精品久久| 中亚洲国语对白在线视频| 一边摸一边抽搐一进一小说| 中亚洲国语对白在线视频| 国产精品一区二区三区四区久久| 国产精品香港三级国产av潘金莲| 999久久久国产精品视频| 欧美激情久久久久久爽电影| 日韩国内少妇激情av| 老司机深夜福利视频在线观看| 99精品在免费线老司机午夜| 窝窝影院91人妻| 精品久久蜜臀av无| 亚洲国产欧洲综合997久久,| 亚洲最大成人中文| 国产探花在线观看一区二区| 免费看日本二区| 国产成人精品久久二区二区91| 男女床上黄色一级片免费看| 97碰自拍视频| 在线a可以看的网站| 日日夜夜操网爽| 久久伊人香网站| 又爽又黄无遮挡网站| 麻豆成人午夜福利视频| 99在线人妻在线中文字幕| 精品不卡国产一区二区三区| 久久国产精品影院| 精品久久久久久久末码| 精品久久久久久久毛片微露脸| 免费高清视频大片| 国产成人福利小说| 哪里可以看免费的av片| 热99在线观看视频| 亚洲专区中文字幕在线| 麻豆久久精品国产亚洲av| 美女午夜性视频免费| 成年女人毛片免费观看观看9| 嫁个100分男人电影在线观看| 给我免费播放毛片高清在线观看| 在线观看美女被高潮喷水网站 | 欧美在线黄色| 亚洲中文字幕日韩| 国产 一区 欧美 日韩| 国产激情久久老熟女| 精品午夜福利视频在线观看一区| 国产成人啪精品午夜网站| 久久精品国产99精品国产亚洲性色| 亚洲精品久久国产高清桃花| www日本在线高清视频| 黄片大片在线免费观看| 他把我摸到了高潮在线观看| 欧美乱码精品一区二区三区| 伦理电影免费视频| 无人区码免费观看不卡| 精品欧美国产一区二区三| 一边摸一边抽搐一进一小说| 变态另类丝袜制服| 欧美午夜高清在线| 午夜影院日韩av| 黄色 视频免费看| 国产精品亚洲一级av第二区| 在线播放国产精品三级| 亚洲第一欧美日韩一区二区三区| 99热这里只有精品一区 | 亚洲av电影不卡..在线观看| 伦理电影免费视频| 两个人看的免费小视频| 国产97色在线日韩免费| 一本一本综合久久| a级毛片在线看网站| 成人特级av手机在线观看| 精品乱码久久久久久99久播| 亚洲av成人不卡在线观看播放网| av福利片在线观看| 精品无人区乱码1区二区| 嫩草影院入口| 母亲3免费完整高清在线观看| 成人午夜高清在线视频| 18禁美女被吸乳视频| 国产高清视频在线观看网站| 亚洲美女视频黄频| 五月伊人婷婷丁香| 午夜福利在线在线| 黑人巨大精品欧美一区二区mp4| 国产亚洲精品av在线| av女优亚洲男人天堂 | 国产成人精品久久二区二区免费| 亚洲欧美精品综合久久99| 成人鲁丝片一二三区免费| 色av中文字幕| 色综合欧美亚洲国产小说| 精品99又大又爽又粗少妇毛片 | 全区人妻精品视频| www.精华液| 欧美极品一区二区三区四区| 精品午夜福利视频在线观看一区| 少妇的丰满在线观看| 日本黄色片子视频| 国产97色在线日韩免费| 国产亚洲欧美98| x7x7x7水蜜桃| 精品一区二区三区视频在线 | 91久久精品国产一区二区成人 | 日韩欧美一区二区三区在线观看| 亚洲熟妇熟女久久| 88av欧美| а√天堂www在线а√下载| 最近最新免费中文字幕在线| 真人一进一出gif抽搐免费| 一进一出抽搐动态| 少妇的丰满在线观看| 亚洲欧洲精品一区二区精品久久久| 久久久久国产精品人妻aⅴ院| 免费无遮挡裸体视频| 欧美日本视频| 国产av麻豆久久久久久久| 搡老熟女国产l中国老女人| 欧美黄色淫秽网站| 国产精品久久视频播放| 欧美成人一区二区免费高清观看 | 国产欧美日韩精品一区二区| 精品久久久久久久久久久久久| 老司机午夜福利在线观看视频| 很黄的视频免费| 亚洲色图 男人天堂 中文字幕| 国产v大片淫在线免费观看| 桃红色精品国产亚洲av| 国产淫片久久久久久久久 | 日本熟妇午夜| 网址你懂的国产日韩在线| 少妇人妻一区二区三区视频| 国产午夜精品久久久久久| 日韩av在线大香蕉| 最近最新免费中文字幕在线| 69av精品久久久久久| 日本五十路高清| 一夜夜www| 啪啪无遮挡十八禁网站| 久久精品国产99精品国产亚洲性色| 国产探花在线观看一区二区| 真人做人爱边吃奶动态| 亚洲精品一卡2卡三卡4卡5卡| 国产高清视频在线播放一区| 丰满人妻一区二区三区视频av | 一进一出抽搐gif免费好疼| 亚洲自拍偷在线| 琪琪午夜伦伦电影理论片6080| 亚洲黑人精品在线| 这个男人来自地球电影免费观看| 国产欧美日韩一区二区精品| 日本黄色片子视频| 国产成人精品久久二区二区免费| 午夜两性在线视频| 国内少妇人妻偷人精品xxx网站 | 久久草成人影院| 精品久久久久久久久久久久久| 中文字幕久久专区| 亚洲熟女毛片儿| 午夜a级毛片| 黄色视频,在线免费观看| 天天躁日日操中文字幕| 久久久色成人| 免费在线观看亚洲国产| 国产高清videossex| 亚洲国产欧美网| av天堂中文字幕网| 少妇人妻一区二区三区视频| 久久精品影院6| 国产精品久久久久久人妻精品电影| 国产成人一区二区三区免费视频网站| 法律面前人人平等表现在哪些方面| 丁香六月欧美| 亚洲人成网站在线播放欧美日韩| 亚洲一区二区三区色噜噜| 天天躁狠狠躁夜夜躁狠狠躁| 淫秽高清视频在线观看| 18禁黄网站禁片午夜丰满| 久久午夜综合久久蜜桃| 香蕉久久夜色| 日韩欧美国产一区二区入口| 97超视频在线观看视频| 亚洲精品美女久久av网站| 一个人免费在线观看电影 | 亚洲欧美精品综合一区二区三区| 人人妻人人澡欧美一区二区| 国产精品女同一区二区软件 | 噜噜噜噜噜久久久久久91| av在线天堂中文字幕| 嫩草影院入口| 欧美色欧美亚洲另类二区| 国产又黄又爽又无遮挡在线| 欧美日韩精品网址| av中文乱码字幕在线| 国产一区二区在线av高清观看| 国产精品久久视频播放| 老司机午夜福利在线观看视频| 99国产精品99久久久久| 国产一区二区三区视频了| 日本 av在线| 久久久久久国产a免费观看| 99国产精品一区二区蜜桃av| 久久久久国产一级毛片高清牌| 在线国产一区二区在线| 三级国产精品欧美在线观看 | 婷婷丁香在线五月| 黄色成人免费大全| 噜噜噜噜噜久久久久久91| 国内毛片毛片毛片毛片毛片| 两人在一起打扑克的视频| 亚洲一区二区三区不卡视频| 午夜福利高清视频| 老汉色av国产亚洲站长工具| 日韩有码中文字幕| 欧美最黄视频在线播放免费| 国产黄片美女视频| 国产私拍福利视频在线观看| 久久久精品欧美日韩精品| 国产单亲对白刺激| 欧美绝顶高潮抽搐喷水| 午夜免费成人在线视频| 老汉色av国产亚洲站长工具| 18美女黄网站色大片免费观看| 免费在线观看亚洲国产| 国产欧美日韩精品一区二区| 黄色 视频免费看| 久久中文看片网| 少妇裸体淫交视频免费看高清| 午夜激情欧美在线| 国产亚洲精品一区二区www| 在线a可以看的网站| 国产成人系列免费观看| 成年女人永久免费观看视频| 18禁裸乳无遮挡免费网站照片| 精品午夜福利视频在线观看一区| 中文字幕高清在线视频| www.自偷自拍.com| 亚洲av日韩精品久久久久久密| bbb黄色大片| 99精品在免费线老司机午夜| 亚洲专区国产一区二区| 在线观看一区二区三区| 俄罗斯特黄特色一大片| 99在线视频只有这里精品首页| 成人18禁在线播放| 国产精品99久久99久久久不卡| 午夜免费观看网址| 夜夜爽天天搞| 99久国产av精品| 久久精品国产综合久久久| 两个人的视频大全免费| 久久久久久久久久黄片| a在线观看视频网站| e午夜精品久久久久久久| 国产熟女xx| 国产三级在线视频| АⅤ资源中文在线天堂| 免费观看的影片在线观看| 蜜桃久久精品国产亚洲av| 午夜两性在线视频| 波多野结衣高清作品| 精品熟女少妇八av免费久了| 久久人妻av系列| 国产精品亚洲美女久久久| 美女免费视频网站| 俄罗斯特黄特色一大片| 午夜精品在线福利| 精品午夜福利视频在线观看一区| 熟妇人妻久久中文字幕3abv| 国产精品影院久久| 变态另类丝袜制服| 国产成人一区二区三区免费视频网站| 成人精品一区二区免费| 色在线成人网| 免费搜索国产男女视频| 亚洲精品456在线播放app | 小蜜桃在线观看免费完整版高清| 女人高潮潮喷娇喘18禁视频| 最近视频中文字幕2019在线8| 国产成人一区二区三区免费视频网站| 一个人看视频在线观看www免费 | 欧美三级亚洲精品| 午夜免费观看网址| 午夜激情欧美在线| 亚洲国产精品合色在线| 国产一区在线观看成人免费| 国产成人影院久久av| 99久久精品一区二区三区| 999久久久国产精品视频| 亚洲欧美一区二区三区黑人| 在线看三级毛片| 亚洲无线观看免费| av在线蜜桃| 岛国视频午夜一区免费看| 可以在线观看的亚洲视频| 好看av亚洲va欧美ⅴa在| 99国产极品粉嫩在线观看| 色播亚洲综合网| 色尼玛亚洲综合影院| 日本成人三级电影网站| 天堂动漫精品| 在线免费观看不下载黄p国产 | 日韩欧美国产一区二区入口| 色播亚洲综合网| 欧美大码av| 日本与韩国留学比较| 欧美激情在线99| 桃色一区二区三区在线观看| 中文字幕av在线有码专区| 人人妻人人澡欧美一区二区| 舔av片在线| 级片在线观看| 国产精品综合久久久久久久免费| 久久久久久久精品吃奶| 亚洲在线自拍视频| 欧美+亚洲+日韩+国产| 俄罗斯特黄特色一大片| 级片在线观看| 精品不卡国产一区二区三区| 黑人巨大精品欧美一区二区mp4| 日韩欧美精品v在线| 国产三级黄色录像| 欧美成人性av电影在线观看| 在线看三级毛片| 亚洲欧美日韩东京热| 成人永久免费在线观看视频| 在线观看免费视频日本深夜| 亚洲真实伦在线观看| 少妇熟女aⅴ在线视频| 国产野战对白在线观看| 香蕉丝袜av| 婷婷六月久久综合丁香| 国产精华一区二区三区| 好男人在线观看高清免费视频| 少妇的丰满在线观看| 欧美高清成人免费视频www| 啦啦啦免费观看视频1| 这个男人来自地球电影免费观看| 国产亚洲精品av在线| www日本黄色视频网| 久久久久国内视频| 久久精品91蜜桃| 久久久久国内视频| 不卡一级毛片| 亚洲人与动物交配视频| 97碰自拍视频| 国产亚洲欧美98| 亚洲美女黄片视频| 成人三级做爰电影| 九九久久精品国产亚洲av麻豆 | 18禁观看日本| 国产成人一区二区三区免费视频网站| 男人舔奶头视频| 欧美日韩福利视频一区二区| 又粗又爽又猛毛片免费看| 三级毛片av免费| 免费在线观看影片大全网站| 午夜激情欧美在线| 村上凉子中文字幕在线| 色av中文字幕| 亚洲激情在线av| 最近最新中文字幕大全电影3| 美女黄网站色视频| 窝窝影院91人妻| 久久久久久久午夜电影| 中文字幕av在线有码专区| 国产一区二区三区在线臀色熟女| 韩国av一区二区三区四区| 香蕉丝袜av| 亚洲专区字幕在线| 日日干狠狠操夜夜爽| 曰老女人黄片| 国模一区二区三区四区视频 | 免费在线观看亚洲国产| 91av网一区二区| 欧美丝袜亚洲另类 | 欧美大码av| 美女高潮喷水抽搐中文字幕| 国产精品野战在线观看| 久久中文字幕人妻熟女| 色老头精品视频在线观看| 亚洲国产欧美一区二区综合| 精品国产超薄肉色丝袜足j| 国产亚洲精品久久久com| 999精品在线视频| 欧美日韩福利视频一区二区| 男女午夜视频在线观看| 99热这里只有精品一区 | 精品午夜福利视频在线观看一区| 久久99热这里只有精品18| 制服人妻中文乱码| 久久香蕉国产精品| 亚洲午夜理论影院| 欧美zozozo另类| 久久国产精品影院| av女优亚洲男人天堂 | 99热这里只有精品一区 | 色av中文字幕| 色吧在线观看| 国产1区2区3区精品| 久久久国产精品麻豆| 亚洲一区二区三区不卡视频| 国产精品久久久久久人妻精品电影| 一级黄色大片毛片| 国产淫片久久久久久久久 | 欧美日韩国产亚洲二区| 免费搜索国产男女视频| 国产一级毛片七仙女欲春2| 久9热在线精品视频| 悠悠久久av| 精品一区二区三区四区五区乱码| 欧美在线黄色| 观看免费一级毛片| 欧美性猛交黑人性爽| 成人永久免费在线观看视频| a级毛片在线看网站| 精品国产超薄肉色丝袜足j| 亚洲成人久久爱视频| 国产野战对白在线观看| 日本在线视频免费播放| 久久精品影院6| 久久精品国产综合久久久| 国产男靠女视频免费网站| e午夜精品久久久久久久| 午夜福利欧美成人| 国产精品一区二区免费欧美| 国产一区二区三区在线臀色熟女| 国产毛片a区久久久久| 国产成人影院久久av| ponron亚洲| 欧美丝袜亚洲另类 | 国产探花在线观看一区二区| 亚洲九九香蕉| 在线a可以看的网站| 欧美色视频一区免费| www.自偷自拍.com| 成人亚洲精品av一区二区| 在线永久观看黄色视频| 免费在线观看日本一区| 日本免费a在线| 久久久久国产精品人妻aⅴ院| 性色avwww在线观看| 人妻夜夜爽99麻豆av| 欧美色欧美亚洲另类二区| 日韩 欧美 亚洲 中文字幕| 最新美女视频免费是黄的| 久久精品综合一区二区三区| 一本综合久久免费| 日韩高清综合在线| 日韩免费av在线播放| 成年女人毛片免费观看观看9| 他把我摸到了高潮在线观看| 99国产精品99久久久久| 免费人成视频x8x8入口观看| 我的老师免费观看完整版| 可以在线观看的亚洲视频| 久久人人精品亚洲av| 亚洲国产中文字幕在线视频| 丰满人妻一区二区三区视频av | 国内精品一区二区在线观看| 给我免费播放毛片高清在线观看| 亚洲精品一区av在线观看| 国产v大片淫在线免费观看| 18禁国产床啪视频网站| 欧美高清成人免费视频www| 免费搜索国产男女视频| 一进一出抽搐gif免费好疼| 日本黄色片子视频| 18禁国产床啪视频网站| 91在线观看av| a级毛片在线看网站| 亚洲专区国产一区二区| 最近最新免费中文字幕在线| 精品福利观看| av视频在线观看入口| 中文字幕av在线有码专区| 老汉色av国产亚洲站长工具| 国产综合懂色| 丰满人妻一区二区三区视频av | av女优亚洲男人天堂 | 精品熟女少妇八av免费久了| ponron亚洲| 亚洲成人久久爱视频| 亚洲专区中文字幕在线| 国产麻豆成人av免费视频| 成人国产一区最新在线观看| 在线免费观看不下载黄p国产 | АⅤ资源中文在线天堂| 欧美色欧美亚洲另类二区| 免费无遮挡裸体视频| 日本a在线网址| 99在线视频只有这里精品首页| 国产精品国产高清国产av| 精品久久久久久久末码| 久久香蕉精品热| 国产亚洲精品久久久com| 国产一区二区三区视频了| 在线观看免费午夜福利视频| 亚洲精品456在线播放app | 男人舔奶头视频| 老司机午夜十八禁免费视频| 日本免费一区二区三区高清不卡| 亚洲成av人片免费观看| 欧美日韩综合久久久久久 | 在线观看日韩欧美| 丁香欧美五月| 精品国内亚洲2022精品成人| 亚洲aⅴ乱码一区二区在线播放| 12—13女人毛片做爰片一| 人妻久久中文字幕网| 国产精品一区二区三区四区久久| 亚洲专区字幕在线| 午夜福利视频1000在线观看| 国产三级在线视频| 日本一本二区三区精品| 18禁美女被吸乳视频| 麻豆久久精品国产亚洲av| 欧美成人免费av一区二区三区| 亚洲精品美女久久av网站| 欧美激情久久久久久爽电影| 亚洲人成电影免费在线| 久久精品国产亚洲av香蕉五月| 久久久久久久久中文| 这个男人来自地球电影免费观看| 久久人人精品亚洲av| 亚洲人成网站高清观看| 欧美日韩乱码在线| 免费在线观看影片大全网站| 国产激情久久老熟女| 久久久久久大精品| 亚洲熟女毛片儿| 久久久国产成人精品二区| 亚洲熟妇中文字幕五十中出| 曰老女人黄片| 亚洲人成伊人成综合网2020| 黄片小视频在线播放| 欧美日韩国产亚洲二区| 一本一本综合久久| 男女下面进入的视频免费午夜| 麻豆一二三区av精品| 亚洲精品久久国产高清桃花| 无遮挡黄片免费观看| 免费观看精品视频网站| 母亲3免费完整高清在线观看| 久久久久亚洲av毛片大全| 最近最新中文字幕大全电影3| 国产黄色小视频在线观看| 一区二区三区高清视频在线| 国产精品永久免费网站| 极品教师在线免费播放| 三级国产精品欧美在线观看 | 国产精品一区二区三区四区久久| 色老头精品视频在线观看| 无人区码免费观看不卡| 免费电影在线观看免费观看| 国产伦一二天堂av在线观看| 精品一区二区三区视频在线 | 99riav亚洲国产免费| 91字幕亚洲| 观看免费一级毛片| 两个人视频免费观看高清| 欧美+亚洲+日韩+国产| 九色国产91popny在线| 欧美成人性av电影在线观看| 伊人久久大香线蕉亚洲五| 最近最新中文字幕大全电影3| а√天堂www在线а√下载| 91字幕亚洲| 国产高清三级在线| 亚洲aⅴ乱码一区二区在线播放| 久久欧美精品欧美久久欧美| 亚洲在线自拍视频| 老鸭窝网址在线观看| 亚洲乱码一区二区免费版| 99精品在免费线老司机午夜| 成人无遮挡网站| av国产免费在线观看| 国产成人精品久久二区二区免费| 国产亚洲精品久久久com| 精品国产三级普通话版| 欧美日韩国产亚洲二区| 99精品久久久久人妻精品| 久久天堂一区二区三区四区| 国产精品99久久久久久久久| 欧美日韩一级在线毛片| 色综合亚洲欧美另类图片| 日本熟妇午夜| 亚洲人成伊人成综合网2020| 免费高清视频大片|