Stealthiness Analysis of the Identified Model-Based Covert Attacks With Unknown Model

Most existing covert attacks are achieved based on a known model, which is, however, impractical for the attacker, leading to the failure of covert attacks. To solve this problem, this article presents a novel covert attack method with an unknown model. First, the negative correlation between the model errors and the stealthiness of traditional covert attacks (TCAs) is quantitatively analyzed, where bigger errors bring worse stealthiness. Second, the subspace identification method is used to obtain the identified model of the plant. Furthermore, a novel identification and adaptive compensation-based covert attacks (IACCAs) method is proposed, which can adaptively compensate the attack signals by adaptive law. Although the identification errors exist, the stealthiness of IACCAs is proven to be similar to TCAs with a known model. Finally, experimental results demonstrate the feasibility and effectiveness of the proposed IACCAs method, which can achieve covert attacks with an unknown model.


Stealthiness Analysis of the Identified Model-Based Covert Attacks With Unknown Model
Dajun Du , Member, IEEE, Changda Zhang , Jin Zhang, Qing Sun , Minrui Fei , and Huiyu Zhou Abstract-Most existing covert attacks are achieved based on a known model, which is, however, impractical for the attacker, leading to the failure of covert attacks.To solve this problem, this article presents a novel covert attack method with an unknown model.First, the negative correlation between the model errors and the stealthiness of traditional covert attacks (TCAs) is quantitatively analyzed, where bigger errors bring worse stealthiness.Second, the subspace identification method is used to obtain the identified model of the plant.Furthermore, a novel identification and adaptive compensation-based covert attacks (IACCAs) method is proposed, which can adaptively compensate the attack signals by adaptive law.Although the identification errors exist, the stealthiness of IACCAs is proven to be similar to TCAs with a known model.Finally, experimental results demonstrate the feasibility and effectiveness of the proposed IACCAs method, which can achieve covert attacks with an unknown model.
However, the introduction and the usage of communication networks make the system closed to open.Once NCSs suffer from cyberattacks, system performance will inevitably deteriorate and even crash, e.g., Stuxnet attacked Iranian nuclear facilities in 2010 [11], Black-Energy-3 destroyed the Ukrainian power grid in 2016 [12], Ransomware Sodinokibi attacked California information technology service provider Synoptek in 2019 [13], and data erasure malware Dustman attacked Bahrain national oil company in 2019 [14].These cases demonstrate that cyberattacks severely destroy the security and stability of control systems.Therefore, it is of great significance to study cyberattacks in NCSs.
There exist a large number of cyberattacks in NCSs, where denial-of-service (DoS) attacks and deception attacks are two kinds of popular cyberattacks.DoS attacks are achieved by occupying the limited network resources, which further destroy system stability.There are many research works on DoS attacks [15], [16], [17], [18], [19], e.g., DoS attacks against linear quadratic regulator control channels [20].Unlike DoS attacks, deception attacks are achieved by destroying data integrity [21], which further decline system performance and even destroy system stability.For instance, a deception attack on self-driving cars is achieved by intelligently and adaptively modifying the camera output [22].When the false data are injected into the controller, an adaptive law is designed to improve system performance under deception attacks [23].
Covert attacks are a typical type of deception attack, which tamper with both control inputs and system outputs.From the perspective of model knowledge, covert attacks can be largely divided into traditional covert attacks (TCAs) and data-driven covert attacks (DDCAs).For the first case, TCAs require perfect model knowledge [24], [25], [26].Especially, the stealthiness of TCAs is experimentally discussed in the absence of perfect model knowledge [26].For the second case, DDCAs adopt data-driven strategies to obtain the imperfect model knowledge, e.g., subspace predictive control method [27], least-squares support vector machine [28], backtracking search optimization algorithm [29], etc.However, to the best of our knowledge, although there are many data-driven strategies used for DDCAs, few studies focus on the theoretical analysis of the stealthiness of DDCAs.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.

TABLE I COMPARATIVE ANALYSIS BETWEEN THE CONTRIBUTIONS OF THIS ARTICLE AND THE EXISTING RESULTS IN THE LITERATURE
Motivated by the above observations, this article develops a novel covert attack.Specifically, the challenges will be addressed as follows.
1) TCAs are based on the assumption that the exact model of the plant is known by attackers.However, it is impractical to know exactly the model of the plant for attackers in some industrial fields.What are the limitations of TCAs with an unknown model?2) DDCAs can achieve successful attacks with an unknown model in the experimental results, but there is no quantitative analysis of stealthiness.How can a new DDCAs method be designed to overcome the limitation of TCAs, while the stealthiness of the new DDCAs is theoretically analyzed?3) There exist model errors between the exact and identified models of the plant from the data-driven method, and the model errors could fail the DDCAs.What is the stealthiness of the newly designed DDCAs method?What is the relationship between the stealthiness and the model errors?To deal with these challenges, this article proposes a novel identification and adaptive compensation-based covert attacks (IACCAs) method with unknown models parameters.The comparative analysis of this article and existing results are listed in Table I.It can be clearly seen from Table I that the existing results have only designed TCAs with a theoretical analysis of stealthiness or DDCAs without a theoretical analysis of stealthiness while a novel DDCAs (i.e., IACCAs) method is proposed, and the stealthiness is theoretically analyzed in this article.The main contributions of this article are summarized as follows.
1) The limitations of TCAs with unknown models are found.Specifically, the negative relationship between the model errors and the stealthiness of TCAs with an unknown model are quantified, where the bigger error brings worse stealthiness.

TABLE II TABLE OF NOTATIONS
2) A novel IACCAs method, including two stages, is proposed.The first stage is to obtain the identified system model based on numerical subspace state space system identification (N4SID).The second stage is to design the adaptive law based on the identified system model, where the attack signal is compensated.
3) It is proven that despite the identification errors, the stealthiness of IACCAs is similar to that of TCAs with a known model.Specifically, no matter how big the identification errors are, IACCAs can bypass the detector asymptotically.The rest of this article is organized as follows.Section II is problem formulation, focusing on the performance and limitations of TCAs.Section III presents IACCAs for NCSs, which include the construction of the identified model of the plant, the design of adaptive laws, and performance analysis.A simulation example is given in Section IV.Finally, Section V concludes this article.
Notation: • denotes the Euclidian norm of a vector or the spectral norm of a matrix and tr(•) denotes the trace of a matrix.A positive-definite symmetric matrix P is denoted P > 0. The supremum of x(t) for t ∈ T is denoted sup t∈T x(t) .Table II summarizes the notations most frequently used throughout the rest of this article.

II. PROBLEM FORMULATION
In this section, we mainly analyze the performance of TCAs with exact model parameters and reveal the limitation of TCAs against unknown model parameters.How to solve the limitation and performance of the solution will be discussed in Section III.

A. NCSs Under TCAs With Exact Model Parameters
The configuration of NCSs under TCAs is presented in Fig. 1.First, when being transmitted to the plant via network, the controller output u c (t) is attacked by the attack signal u a (t), which becomes the control input u p (t).Then, u p (t) is used to stabilize the state x p (t) of the plant.Second, to cover up the impact of u a (t) on the plant, x p (t) is attacked by the state x a (t) of the exact model of the plant when it is transmitted to the controller via the network, becoming x c (t).Furthermore, using x c (t), the controller calculates u c (t).Meanwhile, x c (t) is sent to the detector to judge whether or not there is an attack; if yes, the alarm will be triggered; otherwise, the alarm is kept silent.
Consider an n-order continuous linear time-invariant (LTI) plant where x p (t) ∈ R n and u p (t) ∈ R m are system states and control input, respectively; t ∈ T := [t 0 , ∞); t 0 is the initial instant; x p (t 0 ) is the initial state; and x p (t 0 ) < ∞.A p , B p are constant matrices with proper dimensions.Remark 1: The general measured output is y p (t) = C p x p (t).For simplicity, C p = I is considered as [24] and, thus, x p (t) is the measured output.The condition where C p = I will be focused on in future work.
Remark 2 : In an open-network environment, the plant (1) is vulnerable to cyberattacks, such as TCAs and DoS attacks.Since the stealthiness of TCAs can pose a significant threat to NCSs, this article focuses on TCAs.
Under TCAs, x p (t) is injected with x a (t) in the network, so the signal received by the controller is where x a (t) is the state of the exact model of the plant, i.e., Using x c (t), the controller can be designed as where K is the state feedback gain.Under TCAs, u c (t) is injected with the attack signal u a (t), becoming Remark 3: The general controller is u c (t) = Kx c (t) + Nr(t) [30], where N is a gain matrix and r(t) is the reference input.Considering that the aim of the controller in the attack-free case is to bring x p (t) to zero, it is set that r(t) = 0 as [25].Therefore, the controller form ( 4) is adopted in this article.
To detect cyberattacks, x c (t) is also sent to the detector, where the following test is performed as [31]: where η > 0 is a user-defined threshold.We expect that if ( 6) is met, there is no attack alarm; otherwise, the attack alarm will be triggered.
Remark 4: Generally, there are two cases for the detector.In one case [25], when an estimator is used to estimate the real measurement, the detector can compare the norm of the residual (between the real and estimated measurements) with the threshold.In another case [31], when no estimator is used, the detector can compare the norm of the real measurement with a threshold like (6).
The system ( 1)-( 5) can be rewritten as a compact closed-loop form where Â := A p + B p K. With loss of generality, it is considered that Lemma 1 on attack-free closed-loop stability can always be satisfied.
Remark 6: In TCAs, u a (t) and x a (t) have different functions.Considering the dynamics of x c (t), i.e., it can be seen that the function of x a (t) is to compensate x p (t) so that x c (t) is convergent (i.e., lim t→∞ x c (t) = 0).Considering the dynamics of x p (t) under TCAs, i.e., is convergent, it can be seen that the function of u a (t) is driving x p (t) to the attacker's aim of destructiveness.

B. Performance of TCAs With Exact Model Parameters
The configuration of NCSs under TCAs has been described above.Then, the performance of TCAs will be analyzed, where the stealthiness will be provided.
According to the discussion on what attack is stealthy [31, Para. 3 in Sec.2], Definition 1 is first given.

Definition 1 ((T , x c , η)-stealthiness):
A cyberattack is said to be with (T , x c , η)-stealthiness if and only if x c (t) satisfies For simplicity and without loss of generality, it is considered that the initial instants of the system and the attacks are the same, i.e., the attack begins also at t 0 .Remark 7: Note that T = [t 0 , ∞), that is, the attack lasting infinite time is considered herein.The attack lasting a finite time will be focused on in future work.Now, the performance of TCAs will be introduced by Theorem 1.
Theorem 1: Considering the closed-loop system (7) under TCAs with exact model parameters, for some positive constants κ and then TCAs are with (T , x c , η)-stealthiness.
Proof: Considering the closed-loop system (7) under TCAs with exact model parameters, x c (t) can be calculated by with the solution of It follows from ( 12) that: for some positive constants κ and λ.If (10) is true, then (9) will hold.
Remark 8: Theorem 1 reveals that when TCAs with the exact model of the plant (3) enter the system, the state x c (t) will experience an exponential decay [i.e., (12)] to zero, where there exists a maximal x c (t) (i.e., ξ 1 ).A big enough detection threshold η satisfying (10) will provide TCAs with (T , x c , η)-stealthiness, which can be seen from Example 1 in Appendix A. However, it is difficult to obtain (e.g., identify) an exact model of the plant in practice.

C. Limitation of TCAs Against Unknown Model Parameters
The above has analyzed the performance of TCAs, and it is obvious that how to obtain the exact model of the plant (3) with A p and B p is the key issue for the attacker.However, the exact A p and B p are difficult to obtain in some real applications.Thus, the attacker has to obtain the unknown model parameters A a and B a by some other methods, e.g., system identification.However, since there exist errors between the identified and exact model parameters, it will inevitably render TCAs ineffective.The mechanism of TCAs failure will be then revealed.
Considering that the attacker does not know the exact model parameters A p and B p in (3), they only can use the identified model of the plant, i.e., where A a = A p and B a = B p are the identified model parameters.Note that once A a and B a in ( 14) are identified by the attacker, they will remain unchanged due to the LTI plant (1).Moreover, if the attack strategy (i.e., the attack signal u a (t)) is designed before the attack, it remains unchanged during the attack process.Thus, the trajectory of x a will also remain unchanged.As a consequence, the system (1), ( 2), ( 14), (4), and (5) can be rewritten as a compact closed-loop form Now, the limitation of TCAs with the identified model of the plant will be introduced by Theorem 2.
Theorem 2: Considering the closed-loop system (15) under TCAs with identified model parameters, for some positive constants κ and λ, if where ξ 1 is the same as that in (10), , ϕ u a := sup t∈T u a (t) , then TCAs are with (T , x c , η)-stealthiness.
Proof: Considering the closed-loop system (15) under TCAs, x c (t) can be expressed as The solution of ( 17) is It follows from (17) that: If there is (16), then (10) will hold.Remark 9: Comparing ( 17) with (11), (11) is the system state with known models.From ( 17) and (11), the main difference lies in the term ΔAx a (t) + ΔBu a (t).Especially, when the condition ΔA = ΔB = 0 is met, it is not difficult to see that (17) will change to (11).
Remark 10: Theorem 2 reveals that when the attacker uses the identified model of the plant (14) other than the exact model of the plant (3), only a bigger η (than that in Theorem 1) can provide TCAs with (T , x c , η)-stealthiness, where it can be seen from Example 2 in Appendix B.Moreover, unlike Theorem 1, η is positively related to x c (t 0 ) , the identification errors δ A as well as δ B , the state x a (t) of the identified model of the plant, and attack signals u a (t).

III. IDENTIFICATION AND ADAPTIVE COMPENSATION-BASED COVERT ATTACKS
The previous section has analyzed the limitation of TCAs when the identified model of the plant is inaccurate.In this section, to solve this limitation and achieve successful covert Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.attacks, a novel IACCA method is proposed in Figs. 2 and 3. We first formulate two stages of the IACCAs, where the first stage is the identification of the identified model of the plant and the second stage is adaptive compensation.Then, the stealthiness of IACCAs will be analyzed.The simulation of IACCAs will be illustrated in Section IV.

A. First Stage of IACCAs: Acquirement of the Identified Model of the Plant
As shown in Fig. 2(a), the first stage of IACCAs is to obtain the identified model of the plant (14) by system identification based on the N4SID method [33].Since various modes of the system Fig. 3. Configuration of the adaptive controller.x p (t) and x a (t) are used to adjust u a (t) to u a (t) by adaptive law K a (t) and F a (t).cannot be excited only by the control input, u c (t) is injected with a white noise signal v a (t) by a covert attacker, becoming u p (t) = u c (t) + v a (t).Hence, the model to be identified is changed from (1) to Furthermore, u p (t) and x p (t) are used to identify the parameters of (20), i.e., to obtain A a and B a in the identified model of the plant ( 14).
Remark 11: There generally exist errors between the identified and exact models of the plant.If an attacker wants to achieve covert attacks with well stealthiness, one of the solutions is to design an adaptive law to adjust u a (t).Compared with the existing DDCAs with only data-driven strategies, the new proposed DDCAs with data-driven strategy and adaptive compensation can achieve good attack stealthiness that can be theoretically analyzed.

B. Second Stage of IACCAs: Adaptive Compensation
As shown in Fig. 2(b), the second stage of IACCAs is adaptive compensation.First, when the control signal u c (t) is attacked by u a (t), it becomes u p (t).The received control signal u p (t) (i.e., u p (t) = u c (t) + u a (t)) is then operated to the plant; the system state is sampled, i.e., x p (t).The system state x p (t) comes from two parts, i.e., the states are inspired by u c (t) and u a (t), respectively.Second, to eliminate the impact of u a (t) on the plant, the attacker hopes to produce the same state inspired by u a (t), who generate the state x a (t) based on the identified model ( 14) and the attack signal u a (t).However, since there exist errors between the identified model and the exact model of the plant, an adaptive controller is designed by x a (t), x p (t), and u a (t), which is employed to calculate u a (t), as shown in Fig. 3. Furthermore, using x c (t) (i.e., x c (t) = x p (t) − x a (t)), the controller calculates u c (t).Meanwhile, x c (t) is also sent to the detector to judge whether or not there is an attack; if yes, the alarm will be triggered; otherwise, the alarm keeps silence.
To achieve adaptive compensation in the second stage of IACCAs, u c (t) is injected with u a (t), becoming where u a (t) is designed as shown in Fig. 3, i.e., Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
and K a (t), F a (t) are two time-varying adaptive gains.Here, u a (t) is sent to the adaptive controller (22) and become u a (t), which is treated as "u a (t) is compensated."Substituting ( 21) into (1) and considering ( 14), the closed-loop systems under IACCAs is Remark 12: For the above closed-loop system (23) under IACCAs, the differentiation of x c (t) is where Ãa := A a + B p K. By finding proper adaptive law for (22), the goals of IACCAs are as follows.As the first goal, the state x a (t) of the identified model of the plant converges asymptotically into the state x p (t) of the plant, i.e., lim t→∞ x c (t) = 0. Furthermore, the parameters of the identified and exact models of the plant in (24) will satisfy matrix equations in the limit, i.e., As the second goal while holding the above stealthiness (i.e., lim t→∞ x c (t) = 0) and ( 25), ( 23) can be rewritten as where it can be seen that u a (t) can drive x p (t) to the attacker's aim of destructiveness.
Remark 13: To achieve (25), the attack signal u a (t) must be rich enough so that x p (t) and u a (t) are not always equal to 0 and linearly independent.The conditions for linear independence of x p (t) and u a (t) are as follows [35]: u a is a square wave signal with a certain frequency or q piecewise continuous signal composed of q sinusoidal signals with different frequencies, where q > n 2 or q > n−1 2 .For instance, our experiments in Section IV use u a as u a (t) = 9 sin(3πt) + 12 sin(0.01πt)+ 10 sin(2πt) where q = 3.

C. Stealthiness Analysis of IACCAs
Now, the adaptive law used by the IACCAs is designed and the stealthiness of IACCAs is presented in Theorem 3.
Theorem 3: Considering the closed-loop system ( 23) under IACCAs a) The adaptive law K a (t) and F a (t) are selected as i.e., where P satisfies ÃT a P + P Ãa = −Q, Q > 0, R 1 and R 2 are arbitrary matrices.b) Under the adaptive law ( 26) designed for the model of the plant, for some positive constant κ, if where ξ1 = κ x c (t 0 ) , then IACCAs are with (T , x c , η)stealthiness in the limit, i.e., Proof: From ( 25), if the identified and exact models of the plant are fully matched, i.e., F a (t) = F 0 and K a (t) = K 0 , it can be expressed as Substituting ( 29) into (24), it follows that: where Ãa is rewritten as A Lyapunov function is selected as where P ∈ R n×n , P F ∈ R m×m , and P K ∈ R m×m are symmetric positive-definite matrices.
Taking the derivative of both sides of (32) leads to If P satisfies ÃT a P + P Ãa = −Q, then the first term of the right-hand side of (33) is a negative definite.
The adaptive law of F a (t) and K a (t) are designed as (26), where , and taking the derivative of (32) with t leads to Ḟa (t) = Ḟa (t) When (26) holds, the last two terms of ( 33) are equal to 0, and it can be obtained that ( 33) is a negative definite.Recall Lemma 1, and thus, x c (t) is globally asymptotically stable.Moreover, the global stability of x c (t) can be ensured by adaptive law (26), Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
i.e., the convergence of x c (t) is satisfied due to (25).It can be derived from ( 25) that Substituting ( 35) into (24) leads to It follows from (36) that: for some positive constants κ and λ.If there is (27), then (28) will hold.Remark 14: Theorem 1 reveals that the identification errors have no influence on the stealthiness of TCAs with known models.However, Theorem 2 reveals the limitations of TCAs with the unknown model, where the bigger identification errors between the identified model and the exact model bring the worse stealthiness.Unlike Theorems 1, 2, and 3 design an IACCAs method to compensate the attack signals, so that cover attacks can be achieved successfully and stealthiness of IACCAs is similar to that of TCAs with known models.
Remark 16 : The values of F a (t 0 ) and K a (t 0 ) for optimal stealthiness of IACCAs should satisfy However, the attackers do not have the knowledge of A p and B p , and thus, they cannot obtain optimal F a (t 0 ) and K a (t 0 ).Therefore, it is necessary for the attacker to carefully determine initial values F a (t 0 ) and K a (t 0 ), which will be done in Section IV.
Remark 17 : We will analyze the reference input in the following.When the reference input is zero (i.e., r(t) = 0), x c (t) will arrive at 0. Thus, x p (t) comes mainly from x a (t) generated by the attacker.When the reference input is not zero (i.e., r(t) = 0), x p (t) is composed of x c (t) and x a (t).Here, x c (t) will arrive at the reference input r(t), so x p (t) = x a (t).Consequently, the system state x p (t) cannot be directly regarded as the injected attack signal x a (t).Meanwhile, x a (t) is difficult to be separated from x p (t) in practice.Therefore, the proposed IACCAs method is necessary, which can be extended to the case that the reference input is not zero.Specifically, in the case of r(t) = 0, the test x c (t) < η (6) needs to be revised as x c (t) − r(t) < η.According to the idea of the proposed IAC-CAs method, the stealthiness (i.e., x c (t) − r(t) < η, ∀t ∈ T ) will still be guaranteed.
Remark 18: By disclosing the new potential attack strategy (i.e., IACCAs), it is hoped that the research of defending methods will be encouraged and, thus, system security is improved.For instance, now that the IACCAs adopt the plant state x p (t) in the adaptive controller to compensate the attack signal u a (t) so that IACCAs can achieve its stealthiness, the probing signals (e.g., watermarking [36]) into x p (t) can be used to hinder the stealthiness of IACCAs.

IV. SIMULATION AND DISCUSSION
In this section, we report the simulation of IACCAs described in the previous section and TCAs as well as DDCAs in the existing literature.

A. Exact and Identified Model of the Plant
1) Exact Model of the Plant: A continuous LTI system is considered as (1), where The initial state of (1) is 2) Identified Model of the Plant: When the exact model of the plant (1) is unknown for the attacker, it needs to be identified by u p (t) and x p (t).After N4SID is used to identify the model parameters, the accuracy of identification results needs to be verified.The average relative error is defined as where n is the dimension of x p (t), N is the data length, and t i is the time instant.In (39), N is selected as 2000.The uniform distributed white noise (UDWN) and normal distributed white noise (NDWN) signals are used to generate the white noise signal v a (t).The identification errors of UDWN and NDWN signals are shown in Table III , where it can be seen that selecting an appropriate white noise signal is helpful to obtain better identification effect but it is difficult to eliminate the identification error by system identification.Then, the identified model of the plant ( 14) is determined by the identification results, i.e., A a = 0 1 −5.54 −6.5 , B a = 0 7.39 .

3) Comparison of Exact and Identified Models of the
Plant: Fig. 4 shows the comparison of zero input response (i.e., u p (t) = u a (t) = 0) between the exact and identified models of the plant.It can be seen from Fig. 4 that the identified model of the plant is very close to the exact system model and can simulate the exact system model well.Therefore, the identified model of the plant can be used to construct the IACCAs.

B. Attack Signal and Adaptive Controller of IACCAs
1) Construction of Attack Signal: Select the attack signal u a (t) = 9 sin(3πt) + 12 sin(0.01πt)+ 10 sin(2πt) (t 0), and x a (t) is calculated by the identified model of the plant under this u a (t).The curves of u a (t) and x a (t) are shown in Fig. 5, where it can be seen that u a (t) and x a (t) are composed by sinusoidal signals to achieve parameter convergence in (25).Note that x a (t) is used to ensure stealthiness of IACCAs, and it can be clearly seen from the right side of Fig. 5(b) that the trajectory of x a,1 (t) is bounded during 0-100 s.If the parameters between the identified model of the plant and the original system model are closer, then x a (t) and x p (t) will be closer.
2) Construction of Adaptive Controller: Take the parameters R 1 = R 2 = 2, P = [11.5398,0.3693; 0.3693, 0.2386] and Q = [10, 0; 0, 10] in (26).It can be verified that P satisfies ÃT a P + P Ãa = −Q.Chose F a (0) = [0.06,0.06] and K a (0) = 0.85.Fig. 6 shows the deviation of the model match, and it demonstrates that the identified model of the plant and the original system model are matched within a limited time.Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.

C. Stealthiness Comparison of TCAs, Robust Stealthy Covert Attacks, and IACCAs
Fig. 7 compares the stealthiness of TCAs and IACCAs, where it can be seen that 1) even though the identification errors are small according to Table III, TCAs still do not well eliminate the effect of u a on the system and are easy to be detected, and 2) the stealthiness of IACCAs is obviously far better than TCAs.Fig. 8 shows the curves of u a (t) and x p (t) under IACCAs, where Fig. 9. Detection results of RSCAs [37] and IACCAs.Fig. 10.Comparison of detection results of TCAs, DDCAs [27], and IACCAs (where all attacks are located in t 5 s).Black dashed line: x c (t) under TCAs.Black solid line: Upper and lower bounds of x c (t) under TCAs.Blue dashed line: x c (t) under DDCAs [26].Blue solid line: upper and lower bounds of x c (t) under DDCAs [26].Red dashed line: x c (t) under IACCAs.Red solid line: upper and lower bounds of x c (t) under IACCAs.
it can see from Fig. 8 that u a (t) can destroy the stability of the system.
The robust stealthy covert attacks (RSCAs) [37] have been designed when the attacker cannot obtain the partial exact model of system.Fig. 9 compares the stealthiness of RSCAs and IACCAs, where it can be seen that the stealthiness of IACCAs is better than RSCAs.The reason could be that [37] requires the exact knowledge of B p , but the proposed IACCAs has no this requirement.

D. Stealthiness Comparison of TCAs, DDCAs, and IACCAs With Noise
Fig. 10 compares the stealthiness of TCAs, DDCAs in [27], and IACCAs when there exists noises.It can be seen from Fig. 10 that the upper bounds of x c (t) under TCAs and DDCAs in [27] are larger than that under IACCAs, so that the stealthiness of the Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
proposed IACCAs are better than that of TCAs and DDCAs in [27].

V. CONCLUSION
This article has studied covert attacks when the parameters of the exact model of the plant are unknown.First, the stealthiness of TCAs with known model parameters is analyzed.Second, the negative relationship between the identification errors and the stealthiness of TCAs is quantified.Third, a novel IACCAs method is presented to solve the problem of poor stealthiness caused by identification errors between the identified and exact models of the plant.Finally, simulation examples are given to verify the effectiveness of IACCAs.(41) It can be seen from Fig. 12 that when the system is attacked, for any η > 0, x c (t) satisfies (6).Therefore, the TCAs with exact model parameters and sinusoidal attack signals are with (T , x c , η)-stealthiness.(42) It can be seen from Fig. 13 that when the system is attacked, for η > 0.4, x c (t) satisfies (6).Therefore, TCAs with unknown model parameters and exponential attack signals are with (T , x c , η > 0.4)-stealthiness.Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.2) Choose u a (t) = 0.8e 0.5t .

Fig. 1 .
Fig. 1.Configuration of NCSs under TCAs.TCAs include two parts: 1) Attack signal and 2) exact model of the plant.u a (t) is the attack signal and x a (t) is the state of the exact model of the plant.

Fig. 2 .
Fig. 2. (a) First stage of IACCAs.(b) Second stage of IACCAs.The IACCAs include three parts: 1) attack signal, 2) identified model of the plant, and 3) adaptive controller.The identified model of the plant is obtained by system identification and the adaptive controller is designed to adjust u a (t) to u a (t).(a) 1st Stage: Acquirement of the Identified model of the plant.(b) 2nd Stage: Adaptive compensation.

Fig. 4 .
Fig.4.Comparison of state of the original system model and identified model of the plant.Blue line: x p,1 (t) and x p,2 (t) of the original system model.Red line: x a,1 (t) and x a,2 (t) of the identified model of the plant.

Fig. 6 .
Fig. 6.(a) Convergence deviation.Blue line: A a − A p − B p F a (t) .Red line: B a − B p K a (t) .(b) Values of K a (t).(c) Values of F a (t).

Fig. 8 .
Fig. 8. (a) Control signal under IACCAs.(b) State x p1 (t) of the exact model of the plant under attack signal u a (t).(c) State x p2 (t) of the exact model of the plant under attack signal u a (t).

Fig. 11 .
Fig. 11.(a) and (b) Systems states under TCAs with exact model parameters and (A.1).(c) Detection results of TCAs with exact model parameters and (A.1).

Fig. 12 .
Fig. 12.(a) and (b) Systems states under TCAs with exact model parameters and (A.2).(c) Detection results of TCAs with exact model parameters and (A.2).

Fig. 13 .
Fig. 13.(a) and (b) Systems states under TCAs with unknown model parameters and (A.3).(c) Detection results of TCAs with unknown model parameters and (A.3).

Fig. 14 .
Fig. 14.(a) and (b) Systems states under TCAs with unknown model parameters and (A.4).(c) Detection results of TCAs with unknown model parameters and (A.4).

TABLE III IDENTIFICATION
ERROR OF UDWN SIGNALS IN DIFFERENT RANGES AND NDWN SIGNALS WITH DIFFERENT VARIANCES