IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State - - PowerPoint PPT Presentation



SLIDE 1

IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State Estimation

Yasser Shoukry¹, Pierluigi Nuzzo², Alberto Puggelli², Alberto Sangiovanni-Vincentelli², Sanjit A. Seshia², Mani Srivastava¹, and Paulo Tabuada¹

¹EE Department, University of California Los Angeles; ²EECS Department, University of California Berkeley

Yasser Shoukry IMHOTEP-SMT - SMT Workshop’15 July 19, 2015 1 / 30

SLIDE 2

Motivation: Sensor Attacks

SLIDES 3–6

Motivation: Noninvasive Spoofing Sensor Attacks

  • Y. Shoukry, P. D. Martin, P. Tabuada, and M. B. Srivastava, “Noninvasive Spoofing Attacks for Anti-Lock Braking Systems,” in Workshop on Cryptographic Hardware and Embedded Systems 2013.

SLIDES 7–14

Secure State Estimation Problem

A total of p sensors monitor the state of the physical system (y(t) ∈ ℝ^p):

$$ y(t) = C x(t) + \underbrace{\psi(t)}_{\text{noise}} + \underbrace{a(t)}_{\text{attack vector}}. $$

Some sensors are attacked: a_i(t) ≠ 0 means that sensor i is attacked at time t ∈ ℕ. If sensor i is attacked, a_i(t) can be arbitrary (no boundedness assumption, no stochastic model, etc.). The set of attacked sensors is unknown and has cardinality s. The value of s is also unknown, although we assume knowledge of an upper bound s̄ ≥ s.

Objective: estimate the state of the physical system x(t) ∈ ℝ^n.

Example: a car with two states, position p(t) and velocity v(t), and three sensors (GPS, odometer, IMU), of which only the odometer is attacked (s = 1):

$$
\begin{bmatrix} y_{\text{GPS}}(t) \\ y_{\text{odometer}}(t) \\ y_{\text{IMU}}(t) \end{bmatrix}
=
\begin{bmatrix} 1 & 0 \\ 0 & 1 \\ 0 & 1 \end{bmatrix}
\begin{bmatrix} p(t) \\ v(t) \end{bmatrix}
+
\begin{bmatrix} \psi_{\text{GPS}}(t) \\ \psi_{\text{odometer}}(t) \\ \psi_{\text{IMU}}(t) \end{bmatrix}
+
\begin{bmatrix} 0 \\ a_{\text{odometer}}(t) \\ 0 \end{bmatrix}.
$$

SLIDES 15–20

Secure State Estimation Problem

A total of p sensors monitor the state of the physical system (y(t) ∈ ℝ^p): y(t) = C x(t) + ψ(t) + a(t), with noise ψ(t) and attack vector a(t).

Although sensors are heterogeneous, the physical quantities they measure are correlated. In the car example above (s = 1, odometer attacked), position and velocity are tied together by

$$ v(t) \simeq \frac{p(t) - p(t-1)}{T_s}. $$

Physical system modeled as a discrete-time linear dynamical system:

$$ x(t+1) = A x(t) + B u(t) + \mu(t). $$

This model:
  • captures adversarial attacks, non-adversarial faults, cooperative and non-cooperative attacks, ...
  • does not depend on how the sensor measurements are corrupted (e.g. sensor-level spoofing, spoofing of the communication channel, ...).

For the sake of simplicity, in this talk I will consider the noise-free case (ψ(t) = µ(t) = 0).

SLIDES 21–22

Related work

Optimization Based Techniques

  • H. Fawzi, P. Tabuada, and S. Diggavi, “Secure estimation and control for cyber-physical systems under adversarial attacks,” TAC, 2014.
  • M. Pajic, J. Weimer, N. Bezzo, P. Tabuada, O. Sokolsky, I. Lee, and G. Pappas, “Robustness of attack-resilient state estimators,” ICCPS, 2014.
  • Y. Mo and R. Murray, “Multi-dimensional state estimation in adversarial environment,” CCC 2015.
  • F. Pasqualetti, F. Dorfler, and F. Bullo, “Attack detection and identification in cyber-physical systems,” TAC, 2013.
  • Y. Shoukry and P. Tabuada, “Event-Triggered State Observers for Sparse Sensor Noise/Attacks,” ArXiv, 2013.

Because of the combinatorial nature of secure state estimation, the resulting problem is non-convex.
  • Option 1: Solve via brute force. Scales poorly with the number of sensors.
  • Option 2: Relax the problem. Results in unsound algorithms.

Satisfiability Based Techniques

  • M. Rahman, E. Al-Shaer, R. G. Kavasseri, “A formal model for verifying the impact of stealthy attacks on optimal power flow in power grid,” ICCPS, 2014.

Use a Satisfiability Modulo Theory (SMT) solver (e.g. Z3, UCLID, ...). SMT solvers handle combinatorial problems more favorably. But SMT solvers do not handle real-valued variables well.

SLIDES 23–25

Our Work

Neither optimization “alone” nor satisfiability “alone” scales well. In this work: split the reasoning between the two domains (Booleans and Reals), and use the best tool from each domain.

SAT/SMT + Convex optimization = New tool?

SLIDES 26–33

Problem Formulation

System Dynamics Σ_a:

$$ x(t+1) = A x(t) + B u(t), \qquad y(t) = C x(t) + a(t). $$

Collect τ measurements from sensor i:

$$
\underbrace{\begin{bmatrix} y_i(t-\tau+1) \\ \vdots \\ y_i(t) \end{bmatrix} - F \begin{bmatrix} u(t-\tau+1) \\ \vdots \\ u(t) \end{bmatrix}}_{Y_i}
=
\underbrace{\begin{bmatrix} C_i \\ C_i A \\ \vdots \\ C_i A^{\tau-1} \end{bmatrix}}_{O_i} x
+
\underbrace{\begin{bmatrix} a_i(t-\tau+1) \\ \vdots \\ a_i(t) \end{bmatrix}}_{E_i},
$$

so that

$$ Y_i = \begin{cases} O_i x + E_i & \text{if sensor } i \text{ is under attack,} \\ O_i x & \text{if sensor } i \text{ is attack-free.} \end{cases} $$

For each individual sensor, we define a binary indicator variable b_i ∈ 𝔹 such that b_i = 1 when the i-th sensor is under attack and b_i = 0 otherwise.

The equality Y_i = O_i x is written as the inequality ‖Y_i − O_i x‖₂² ≤ 0. In the context of decision procedures on the reals, we resort to the notion of δ-completeness, i.e., we understand the inequality as follows: ‖Y_i − O_i x‖₂² ≤ δ.

Problem (Secure State Estimation)

For the linear control system under attack Σ_a, construct an estimate η = (x, b) ∈ ℝ^n × 𝔹^p such that η ⊨ φ, i.e., η satisfies φ, where φ is defined as

$$ \varphi ::= \bigwedge_{i=1}^{p} \left( \neg b_i \Rightarrow \|Y_i - O_i x\|_2^2 \le 0 \right) \wedge \left( \sum_{i=1}^{p} b_i \le \bar{s} \right). $$

s̄ is the maximum number of sensors under attack.

SLIDE 34

IMHOTEP-SMT Engine

Imhotep (“emmo-tep”, meaning: the one who comes in peace, is with peace) was an Egyptian mathematician, engineer, architect and physician. He was the designer of the first pyramid in Egypt.

  • Y. Shoukry, A. Puggelli, P. Nuzzo, A. Sangiovanni-Vincentelli, S. Seshia, and P. Tabuada, “IMHOTEP-SMT: Sound and Complete State Estimation for Linear Dynamical Systems Under Sensor Attacks Using Satisfiability Modulo Theory Solving,” ACC 2015, to appear.
  • Y. Shoukry, P. Nuzzo, A. Puggelli, A. Sangiovanni-Vincentelli, S. Seshia, M. Srivastava, and P. Tabuada, “IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State Estimation,” SMT 2015, submitted.

SLIDES 35–39

Lazy SMT Architecture [1/3]

SMT = pB-SAT solver + T-Solver. The pseudo-Boolean (pB) SAT solver solves the “boolean version” of the problem.

Original formula:

$$ \varphi ::= \bigwedge_{i=1}^{p} \left( \neg b_i \Rightarrow \|Y_i - O_i x\|_2^2 \le 0 \right) \wedge \left( \sum_{i=1}^{p} b_i \le \bar{s} \right). $$

Replace non-boolean variables with boolean ones:

$$ \varphi_{\text{initial}} ::= \bigwedge_{i=1}^{p} \left( \neg b_i \Rightarrow c_i \right) \wedge \left( \sum_{i=1}^{p} b_i \le \bar{s} \right). $$

Pass φ_initial to the SAT solver.

[Figure: IMHOTEP-SMT block diagram; the pseudo-Boolean (pB) SAT solver receives φ_initial and is connected to T-SOLVE.]

SLIDES 40–45

Lazy SMT Architecture [2/3]

SMT = pB-SAT solver + T-Solver. The pB-SAT solver solves the “boolean version” of the problem and returns an assignment for the variable b. We extract which sensors are “hypothesized” to be attack-free (those with b_i = 0) and denote this set as I. T-SOLVE.CHECK then checks this assignment against the measurements {(Y_1, O_1), ..., (Y_p, O_p)}:

    T-SOLVE.CHECK(I):
        Solve: x := arg min_{x ∈ ℝ^n} ‖Y_I − O_I x‖₂²
        if ‖Y_I − O_I x‖₂² = 0 then
            status = SAT;
        else
            status = UNSAT;
        end if
        return (status, x);

On SAT, the estimate η = (x, b) is returned.

[Figure: IMHOTEP-SMT block diagram; the pB-SAT solver passes b and the hypothesized attack-free set I to T-SOLVE.CHECK, which receives {(Y_1, O_1) … (Y_p, O_p)} and outputs η = (x, b).]

SLIDES 46–50

Lazy SMT Architecture [3/3]

SMT = pB-SAT solver + T-Solver. The pB-SAT solver returns an assignment b; the hypothesized attack-free sensors I are checked by T-SOLVE.CHECK. When the check fails, T-SOLVE.CERTIFICATE generates a “theory lemma” / “counterexample” / “UNSAT certificate”. The trivial certificate states that at least one of the sensors hypothesized attack-free is in fact attacked:

$$ \varphi_{\text{triv-cert}} = \sum_{i \in I} b_i \ge 1. $$

Add this “certificate” to the original constraints, φ := φ_initial ∧ φ_triv-cert, and REPEAT.

[Figure: IMHOTEP-SMT block diagram with the added T-SOLVE.CERTIFICATE block, which takes I and returns φ_cert to the pB-SAT solver.]

SLIDE 51

Termination? Performance?

System Dynamics Σ_a: x(t+1) = A x(t) + B u(t), y(t) = C x(t) + a(t).

[Figure: the complete IMHOTEP-SMT block diagram from the previous slides.]

Proposition

Let the linear dynamical system Σ_a be 2s̄-sparse observable. Then IMHOTEP-SMT terminates with

$$ \operatorname{supp}(b^*) \subseteq \operatorname{supp}(b), \qquad \|x^* - x\|_2^2 = 0. $$

Moreover, the upper bound on the number of iterations is

$$ \sum_{s=0}^{\bar{s}} \binom{p}{s}. $$

Here x* is the actual system state and supp(b*) is the index set of the sensors under attack.

SLIDES 52–57

Conflicting UNSAT certificates

To enhance the performance, we need to generate more compact certificates. Why? Consider three sensors and the binary tree of all assignments to (b_1, b_2, b_3); a shorter certificate rules out a larger part of the tree.

[Figure: binary decision tree over b_1, b_2, b_3 enumerating the eight assignments {1, 1, 1}, {1, 1, 0}, {1, 0, 1}, {1, 0, 0}, {0, 1, 1}, {0, 1, 0}, {0, 0, 1}, {0, 0, 0}.]

  • Example: φ_cert = b_1 + b_2 + b_3 ≥ 1 excludes only the assignment {0, 0, 0}.
  • Example: φ_cert = b_2 + b_3 ≥ 1 additionally excludes {1, 0, 0}.
  • Example: φ_cert = b_3 ≥ 1 excludes all four assignments with b_3 = 0.

SLIDES 58–62

Conflicting UNSAT certificates

Existence of compact certificates is always guaranteed by the following result.

Lemma

Let the linear dynamical system Σ_a be 2s̄-sparse observable. If T-SOLVE.CHECK(I) is UNSAT, then there exists a subset I_temp ⊂ I with |I_temp| ≤ p − 2s̄ + 1 such that T-SOLVE.CHECK(I_temp) is also UNSAT.

Trivial certificates have p − s̄ sensors. The proof of this lemma is constructive: it shows how to find such certificates. We can still do better, by exploiting the convex geometry.

SLIDES 63–66

Conflicting UNSAT certificates

[Figure: two plots in the (x_1, x_2) plane showing the affine subspaces defined by the sensors, intersecting in one point in the attack-free case and not intersecting under attack.]

Geometry: the measurements of each sensor, Y_i = O_i x, define an affine subspace. If all sensors are attack-free, then all these affine subspaces intersect in one point. If one sensor is under attack, Y_i = O_i x + E_i, these affine subspaces do not intersect. The least squares finds a point that minimizes the residuals:

$$ x := \arg\min_{x \in \mathbb{R}^n} \|Y_I - O_I x\|_2^2. $$

slide-67
SLIDE 67

Conflicting UNSAT certificates

1 2 3 4 5 4 6 8 10 x1 x2

Yasser Shoukry IMHOTEP-SMT - SMT Workshop’15 July 19, 2015 20 / 30

slide-68
SLIDE 68

Conflicting UNSAT certificates

1 2 3 4 5 4 6 8 10 x1 x2

Yasser Shoukry IMHOTEP-SMT - SMT Workshop’15 July 19, 2015 21 / 30

slide-69
SLIDE 69

Conflicting UNSAT certificates

1 2 3 4 5 4 6 8 10 x1 x2

Yasser Shoukry IMHOTEP-SMT - SMT Workshop’15 July 19, 2015 22 / 30

slide-74
SLIDE 74

Conflicting UNSAT certificates

[Figure: three plots in the (x1, x2) plane of the sensors' affine subspaces]

How to use this geometry to obtain a smaller set of conflicting sensors (cont'd)?
Step 5: For all sensors in I, calculate the dimension of the kernel of O_i.
Step 6: Sort all sensors in I according to dim(ker(O_i)). Recall from the geometry that the smaller the dimension of the kernel, the more information the sensor provides.
Step 7: Start removing the sensors with large dim(ker(O_i)), one at a time. Stop when the conflict no longer holds.
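The geometry of slide 66 and Steps 5 to 7 together describe one procedure: fit the state by least squares over a conflicting sensor set I, read the residual to decide whether the sensors' affine subspaces share a point, rank the sensors in I by dim(ker(O_i)), and drop the least informative ones until the conflict disappears. The Python below is an added worked example written for this page; it is not code from the IMHOTEP-SMT tool (which the slides say is built on SAT4J and Matlab). It uses exact rational arithmetic so that the noiseless test "residual equals zero" is decidable, and the 2-state, 5-sensor system, the spoofing of sensor 3 and the helper names (kernel_dim, least_squares, shrink_conflict, example_sensors) are all constructed for illustration.

```python
from fractions import Fraction
from typing import Dict, List, Sequence, Tuple

# Sensor i is the pair (Y_i, O_i): Y_i = O_i x when attack-free, Y_i = O_i x + E_i
# when attacked. Exact rationals keep the noiseless test "residual == 0" decidable.
Vector = List[Fraction]
Matrix = List[List[Fraction]]
Sensor = Tuple[Vector, Matrix]
N_STATES = 2  # x = (x1, x2), as in the slide plots (constructed example)


def make_sensor(Y: Sequence, O: Sequence[Sequence]) -> Sensor:
    return ([Fraction(y) for y in Y], [[Fraction(v) for v in row] for row in O])


def _rref(M: Matrix, ncols: int) -> Tuple[Matrix, List[int]]:
    """Gauss-Jordan over the first ncols columns; returns (reduced rows, pivot columns)."""
    R = [row[:] for row in M]
    pivots: List[int] = []
    r = 0
    for c in range(ncols):
        p = next((i for i in range(r, len(R)) if R[i][c] != 0), None)
        if p is None:
            continue
        R[r], R[p] = R[p], R[r]
        R[r] = [v / R[r][c] for v in R[r]]
        for i in range(len(R)):
            if i != r and R[i][c] != 0:
                f = R[i][c]
                R[i] = [a - f * b for a, b in zip(R[i], R[r])]
        pivots.append(c)
        r += 1
        if r == len(R):
            break
    return R, pivots


def kernel_dim(O: Matrix, n: int) -> int:
    """Step 5: dim(ker(O_i)) = n - rank(O_i). Smaller kernel, more informative sensor."""
    return n - len(_rref(O, n)[1])


def least_squares(sensors: Dict[int, Sensor], I: Sequence[int]) -> Tuple[Vector, Fraction]:
    """x := argmin_x ||Y_I - O_I x||_2^2 via the normal equations (O_I^T O_I) x = O_I^T Y_I.
    Returns (x, residual). The normal equations are always consistent; if O_I is rank
    deficient the free coordinates are set to 0, which is still a minimizer."""
    rows = [row for i in I for row in sensors[i][1]]
    ys = [y for i in I for y in sensors[i][0]]
    n = len(rows[0])
    AtA = [[sum(r[a] * r[b] for r in rows) for b in range(n)] for a in range(n)]
    Atb = [sum(r[a] * y for r, y in zip(rows, ys)) for a in range(n)]
    R, pivots = _rref([AtA[a] + [Atb[a]] for a in range(n)], n)
    x = [Fraction(0)] * n
    for k, c in enumerate(pivots):
        x[c] = R[k][n]
    residual = sum((y - sum(r[j] * x[j] for j in range(n))) ** 2 for r, y in zip(rows, ys))
    return x, residual


def is_conflicting(sensors: Dict[int, Sensor], I: Sequence[int]) -> bool:
    """Noiseless test: the affine subspaces of the sensors in I share a point iff residual == 0."""
    return least_squares(sensors, I)[1] > 0


def shrink_conflict(sensors: Dict[int, Sensor], I: Sequence[int], n: int) -> List[int]:
    """Steps 5 to 7: order I by dim(ker(O_i)), largest kernel first (Python's sort is
    stable, so ties keep their order in I), drop sensors one at a time and stop as soon
    as the rest no longer conflict. The last conflicting set is the smaller certificate."""
    order = sorted(I, key=lambda i: kernel_dim(sensors[i][1], n), reverse=True)
    current = list(order)
    for i in order:
        trial = [j for j in current if j != i]
        if not trial or not is_conflicting(sensors, trial):
            break
        current = trial
    return sorted(current)


def example_sensors(attack_on_3: bool = True) -> Dict[int, Sensor]:
    """Constructed 2-state, 5-sensor system with true state x = (2, 3). Sensor 4 sees
    the whole state (kernel dimension 0), the others one combination each (dimension 1).
    With attack_on_3, sensor 3 reports E_3 = 4 on top of its true reading x1 + x2 = 5."""
    y3 = 5 + 4 if attack_on_3 else 5
    return {
        1: make_sensor([2], [[1, 0]]),             # x1
        2: make_sensor([3], [[0, 1]]),             # x2
        3: make_sensor([y3], [[1, 1]]),            # x1 + x2, spoofed when attack_on_3
        4: make_sensor([2, 3], [[1, 0], [0, 1]]),  # x1 and x2
        5: make_sensor([-1], [[1, -1]]),           # x1 - x2
    }


if __name__ == "__main__":
    sensors = example_sensors()
    I = [1, 2, 3, 4, 5]
    print("full-set residual:", least_squares(sensors, I)[1])  # 8: no common point
    print("shrunk conflict set:", shrink_conflict(sensors, I, N_STATES))  # [3, 4, 5]
```

Starting from the full conflicting set {1, 2, 3, 4, 5}, the full-state sensor 4 is ranked last and so is never removed; sensors 1 and 2 go first, and removing sensor 3 makes the remaining {4, 5} consistent, so the procedure stops and returns {3, 4, 5} as the smaller certificate, which does contain the attacked sensor. The zero-residual test is the noiseless setting of the slides; with measurement noise it has to become a threshold, which this example does not model.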

slide-76
SLIDE 76

Conflicting UNSAT certificates

We can add other certificates which find sensor sets that agree on a specific solution.

[Figure: block diagram of IMHOTEP-SMT. Inputs: φ_initial and the sensor data {(Y1, O1), ..., (Yp, Op)}. The pseudo-Boolean (pB) SAT solver proposes an assignment η = (x, b) with attack support I = supp(b); the theory solver T-SOLVE runs T-SOLVE.CHECK on I and, when the check fails, T-SOLVE.CERTIFICATE returns the certificate φ_cert to the SAT solver.]

Theorem
Let the linear dynamical system Σ_a be 2s-sparse observable. Then IMHOTEP-SMT terminates with:
  • supp(b*) ⊆ supp(b),
  • $\|x^* - x\|_2 \le 0$, that is, $x^* = x$.
Moreover, the upper bound on the number of iterations is $\binom{p}{p-2s+1}$. Compare to $\sum_{i=0}^{s} \binom{p}{i}$, the number of candidate attack supports of size at most s.

slide-77
SLIDE 77

Results

slide-79
SLIDE 79

Conflicting UNSAT certificates

For a fixed system (n = 25, p = 60, s = 20), increase the number of attacked sensors.

[Plot: number of iterations (0 to 500) versus number of attacked sensors s (1 to 20), for φ_triv-cert, φ_conf-cert, φ_conf-cert ∧ φ_agree-cert, and the guaranteed upper bound]

Increase the number of sensors from 3 to 60. One third of the sensors is under attack.

[Plot: number of iterations (0 to 500) versus number of sensors p (3 to 60), same three certificate configurations and the guaranteed upper bound]

slide-82
SLIDE 82

Scalability Results

Comparison against 2 convex-relaxation algorithms and 2 logic-based encodings. Fix the number of sensors p = 60, s = 20, and increase the number of system states from 10 to 150.

[Plot: execution time (sec, 0 to 200) versus number of states n (10 to 150), for SMT (IMHOTEP-SMT), ETPG, Lr/L2, dReal and Z3]

Fix the number of states n = 50 and increase the number of sensors from 3 to 150 (s = p/3).

[Plot: execution time (sec, 0 to 30) versus number of sensors p (3 to 150), same five solvers]

slide-83
SLIDE 83

Results

slide-88
SLIDE 88

Implementation

Download the source code of the IMHOTEP-SMT solver and all examples from http://nesl.github.io/Imhotep-smt/
The tool is implemented using SAT4J and Matlab.
The new version handles some nonlinear dynamics.
It currently runs on real robotic and automotive vehicles.
We are working on generalizing the tool to handle more general formulas.

slide-91
SLIDE 91

Conclusions

Download the source code of the IMHOTEP-SMT solver and all examples from http://nesl.github.io/Imhotep-smt/

In this work: split the reasoning between the two domains (Booleans and Reals), and use the best tool from each domain.

SAT/SMT + Convex optimization = New tools for CPS?

Secure state estimation is one problem that benefited from mixing SAT/SMT solvers with convex optimization. Are there other problems?