Observability Decomposition-Based Decentralized Kalman Filter and Its Application to Resilient State Estimation under Sensor Attacks

Abstract

This paper considers a discrete-time linear time invariant system in the presence of Gaussian disturbances/noises and sparse sensor attacks. First, we propose an optimal decentralized multi-sensor information fusion Kalman filter based on the observability decomposition when there is no sensor attack. The proposed decentralized Kalman filter deploys a bank of local observers who utilize their own single sensor information and generate the state estimate for the observable subspace. In the absence of an attack, the state estimate achieves the minimum variance, and the computational process does not suffer from the divergent error covariance matrix. Second, the decentralized Kalman filter method is applied in the presence of sparse sensor attacks as well as Gaussian disturbances/noises. Based on the redundant observability, an attack detection scheme by the ${\chi }^2$ test and a resilient state estimation algorithm by the maximum likelihood decision rule among multiple hypotheses, are presented. The secure state estimation algorithm finally produces a state estimate that is most likely to have minimum variance with an unbiased mean. Simulation results on a motor controlled multiple torsion system are provided to validate the effectiveness of the proposed algorithm.

1. Introduction

As control systems operate through network communication and become more complex due to increased connectivity, security against adversarial attacks is becoming more important and receiving attention [1,2,3,4]. In fact, attacks on control systems took place in reality [5,6,7,8], and many studies have been conducted on the security issues of systems whose measurements have been compromised by adversaries because sensors are one of the vulnerable points to malicious attackers in dynamical systems [9,10,11,12,13,14,15].

Among them, the state estimation problem when some of sensors are corrupted by attackers, often called a sparse sensor attack, has been investigated, and several solutions have been recently proposed [10,11,12,13,14,15]. The reference [10] introduces the basic concepts of the secure state estimation problem and formulates it as a non-convex combinatorial optimization problem. The problem is shown to be transformed into a convex optimization problem by using the results developed in the field of compressed sensing [16,17] under additional limiting assumptions. The relationship between this resilient state estimation problem and the notion of strong observability was revealed in [11]. A necessary and sufficient condition for the solvability of this problem is derived in [12,15] with the notion of redundant observability, more specifically, it requires the redundancy of observability twice as much as the sparsity of sensor attacks. A method to alleviate the computational complexity of the logic for finding a combination of non-attacked sensors, is proposed in [13,14]. In [15], the estimator is designed by a set of local observers with only a single sensor, and the decoder uses an error correction algorithm to generate a final state estimate based on the data collected from each local observer.

In addition to sparse sensor attacks, disturbances and noises are considered to enhance the robustness. First, bounded disturbances and noises are considered in [13,15,18], and in particular, the reference [15] explicitly derives the estimation error with the system parameters to provide an analysis of robustness. Second, zero-mean Gaussian white noises and disturbances rather than bounded ones were considered in [19,20,21], and Kalman filters were used to guarantee the state-estimation performance in a probabilistic manner. The reference [19] proposed an estimator with Kalman filters that searches a reliable subset of sensors and operates on the identified subset. A method of combining a secure state estimator and the standard Kalman filter by using the secure state estimator as a pre-filter for the Kalman filter when the set of attacked sensors changes over time, is proposed in [20]. It was shown in [21] that the optimal Kalman estimate can be decomposed into a weighted sum of local estimates, where each estimate uses only a single sensor measurement and that a secure state estimation can be achieved by a convex optimization under some additional assumptions.

This paper considers a general discrete-time linear dynamical system that is corrupted by sparse sensor attacks and Gaussian disturbances/noises. First, we construct local observers on each single sensor and design those local observers with Kalman filters using their own sensor data to cope with Gaussian disturbances/noises. The design of local observers is fully decentralized since it does not utilize any information including Kalman gains or error covariance matrices from other sensors as well as the sensor readings. Furthermore, the local observer’s error covariance is guaranteed not to diverge since it is constructed in the observable subspace based on the observability decomposition, and thus, there is no numerical computational error in practice. Second, a novel information fusion scheme is developed to counteract sparse sensor attacks while maintaining the minimum variance properties. The information fusion center detects the presence of sensor attack in the selected subset of sensors by the ${\chi }^2$ test, which is typically used in the area of fault detection [22,23]. If the ${\chi }^2$ test concludes that there is an attack in the selected subset, a search algorithm is launched to choose a new index set of sensors that is most likely to be unattacked by the multiple hypothesis test. Each hypothesis produces a state estimate with minimum variance, assuming that the index set is attack-free so that each estimate is unbiased. Therefore, the information fusion scheme finally produces a state estimate that is most likely to have the minimum variance and to be unbiased.

Assuming that there exist only Gaussian disturbances/noises without any attacks, a basic information fusion Kalman filter scheme was proposed in [24,25]. The local observers in [24,25] were designed using a Kalman filter for the entire state variable with a single sensor, and a fusion algorithm generates the optimal state estimate with the minimum variance. However, as highlighted in [26], some components of the error covariance may diverge if a single-sensor system is not observable, and this can induce numerical computation problems in practice. This problem can be solved by reducing the target state space to an observable subspace and designing a Kalman filter for the reduced observable subsystem. The idea of decomposing a single-sensor system into the observable subsystem and the unobservable subsystem was proposed in [15] for the secure state estimator design under bounded disturbances/noises, and in [27] for the distributed Luenberger observer design of sensor networks. Hence, adopting this idea and designing the Kalman filter for the observable subsystem, the problem of divergent error covariance does not occur, and we derive the optimal information fusion algorithm even when the size of the local information is different each other.

The contributions of this paper can be summarized as follows:

• (1)The proposed algorithm successfully estimates the state variable under sparse sensor attacks as well as Gaussian disturbances/noises. Our algorithm ensures the minimum variance, while [19] simply guarantees that its covariance is no worse than the worst case scenario with high probability;
• (2)We only assume that the system is redundant observable, which is known as an equivalent condition for the secure state estimation to be solvable under sparse sensor attacks. Note that [20] requires additional assumptions to reformulate the problem as a convex problem, and further, the combination of Kalman filter and the secure estimator implicitly supposes that the estimation error for the attack signal follows a zero-mean Gaussian distribution, which may not be true when the attack signal is intelligently designed in a coordinated way. The reference [21] needs the system matrix to be nonsingular, and both references [20] and [21] have additional assumptions about the closed-loop system;
• (3)The construction of the local observer is completely decentralized, and the overall size of the observer is relatively small. As the combinatorial logic is embedded in the fusion center, we do not have to prepare all possible combinations of observers. Note that [19] does not utilize any decomposition, and thus, it asks for all combinations of observers. The local decomposition presented in [21] is not fully decentralized because the decomposition is performed using the global information of the output matrix and the Kalman gain;
• (4)As a by-product obtained during the derivation process, the optimal decentralized information fusion Kalman filter scheme is developed based on the observability decomposition. Compared with the results in [24,25], the proposed scheme does not suffer from the numerical computational errors resulting from the diverging error covariance matrix. The algorithm in this paper guarantees that each error covariance matrix in the local observer converges by the observability decomposition, and this method can also be widely used for the multi-sensor information fusion Kalman filters that do not consider any attacks.

The rest of the paper is organized as follows. The remaining of this section introduces the notation used throughout the paper. The system model and problem formulation are given in Section 2. Section 3 presents the optimal multi-sensor information fusion Kalman filter based on the observability decomposition. We then give the attack detection algorithm by ${\chi }^2$ test and the attack-resilient state estimation scheme by the multiple hypothesis test in Section 4. Finally, simulation results with a servo motor system are given in Section 5, and we provide our concluding remarks in Section 6. The preliminary results of this paper were studied in [28].

Notation: Throughout this paper, the following notations are adopted. For a set S, the number of elements in the set S is denoted by $\left|S\right|$. For a column vector $y\in {\mathbb{R}}^{\mathrm{p}}$ and its $\mathsf{i}$-th element $y_{\mathsf{i}}$, $\mathsf{supp}\left(y\right)$ denotes the number of nonzero elements of the vector y, that is, $\mathsf{supp}\left(y\right):=\left\{\mathsf{i}\in \left[\mathrm{p}\right]:y_{\mathsf{i}}\ne 0\right\}$ where the symbol $\left[\mathrm{p}\right]$ is used to represent the subset of natural numbers $\left\{1,2,\cdots ,\mathrm{p}\right\}\subset \mathbb{N}$. The number of nonzero elements of a vector y is defined by the ${\ell }_0$ norm, and it is written as ${\parallel y\parallel }_0:=\left|\mathsf{supp}\left(y\right)\right|$. We say that the vector y is $\mathsf{q}$-sparse if its ${\ell }_0$ norm is less than or equal to $\mathsf{q}$, that is, ${\parallel y\parallel }_0\le \mathsf{q}$.

For an index set $\mathcal{I}\subset \left[\mathrm{p}\right]$ and a vector $y\in {\mathbb{R}}^{\mathrm{p}}$ (or a matrix $C\in {\mathbb{R}}^{\mathrm{p}\times \mathrm{n}}$), $y_{\mathcal{I}}\in {\mathbb{R}}^{\left|\mathcal{I}\right|}$ (or $C_{\mathcal{I}}\in {\mathbb{R}}^{\left|\mathcal{I}\right|\times \mathrm{n}}$) denotes the vector (or the matrix) obtained from y (or C) by eliminating all $\mathsf{i}$-th rows such that $\mathsf{i}\in {\mathcal{I}}^c$. Similarly, for two index sets $\mathcal{I},\mathcal{J}\subset \left[\mathrm{p}\right]$ and a matrix $P\in {\mathbb{R}}^{\mathrm{p}\times \mathrm{p}}$, $P_{\mathcal{I},\mathcal{J}}\in {\mathbb{R}}^{\left|\mathcal{I}\right|\times \left|\mathcal{J}\right|}$ denotes the matrix obtained from P by eliminating all $\mathsf{i}$-th rows and all $\mathsf{j}$-th columns such that $\mathsf{i}\in {\mathcal{I}}^c$ and $\mathsf{j}\in {\mathcal{J}}^c$.

Let a finite sequence $\left\{{\mu }_{\mathsf{i}}\right\}=\left\{{\mu }_1,{\mu }_2,\cdots ,{\mu }_{\mathrm{p}}\right\}$ with $\mu ={\sum }_{\mathsf{i}=1}^{\mathrm{p}}{\mu }_{\mathsf{i}}$ given. A stacked vector $z={\left[z_1^{\top }{z}_2^{\top }\cdots z_{\mathrm{p}}^{\top }\right]}^{\top }\in {\mathbb{R}}^{\mu }$ is said to be partitioned by the sequence $\left\{{\mu }_{\mathsf{i}}\right\}$ if $z_{\mathsf{i}}\in {\mathbb{R}}^{{\mu }_{\mathsf{i}}}$ for all $\mathsf{i}\in \left[\mathrm{p}\right]$. For $\mathsf{j}\in \left[\mathrm{p}\right]$, an index set ${\mathcal{I}}_{\mathsf{j}}^{\left\{{\mu }_{\mathsf{i}}\right\}}:=\left\{\left({\sum }_{\mathsf{i}=1}^{\mathsf{j}-1}{\mu }_{\mathsf{i}}\right)+1,\left({\sum }_{\mathsf{i}=1}^{\mathsf{j}-1}{\mu }_{\mathsf{i}}\right)+2,\cdots ,{\sum }_{\mathsf{i}=1}^{\mathsf{j}}{\mu }_{\mathsf{i}}\right\}\subset \left[\mu \right]$ represents the $\mathsf{j}$-th partition among total p partitions when a vector $z\in {\mathbb{R}}^{\mu }$ is partitioned by the sequence $\left\{{\mu }_{\mathsf{i}}\right\}$. This notation is extended to a subset $\mathcal{J}\subset \left[\mathrm{p}\right]$ where ${\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}$ denotes ${\bigcup }_{\mathsf{j}\in \mathcal{J}}^{}{\mathcal{I}}_{\mathsf{j}}^{\left\{{\mu }_{\mathsf{i}}\right\}}$. A vector $z\in {\mathbb{R}}^{\mu }$ partitioned by the sequence $\left\{{\mu }_{\mathsf{i}}\right\}$, is said to be ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse if $\left|\left\{\mathsf{j}\in \left[\mathrm{p}\right]:z_{{\mathcal{I}}_{\mathsf{j}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}\ne 0_{{\mu }_{\mathsf{j}}\times 1}\right\}\right|\le \mathsf{q}$.

2. System Modeling and Problem Formulation

The plant and the attack model under consideration are presented, and the problem formulation is given in this section.

2.1. Plant Modeling with Gaussian Disturbances and Noises

A discrete-time linear time invariant (LTI) system under Gaussian disturbances and noises given by

$$\mathcal{P}:\left\{\begin{array}{c}x(k+1)=Ax\left(k\right)+Bu\left(k\right)+d\left(k\right)\hfill \\ y\left(k\right)=Cx\left(k\right)+n\left(k\right)\hfill \end{array}\right.$$ (1)

is considered. In the plant dynamics of (1), $x\in {\mathbb{R}}^{\mathrm{n}}$ is the state variable vector, $u\in {\mathbb{R}}^{\mathsf{m}}$ is the control input vector, and $y\in {\mathbb{R}}^{\mathrm{p}}$ is the sensor output vector. Furthermore, the dynamics is disrupted by the process disturbance $d\in {\mathbb{R}}^{\mathrm{n}}$, and the sensors are corrupted by the measurement noise $n\in {\mathbb{R}}^{\mathrm{p}}$. There are a total of p sensors that measure the system outputs, and the $\mathsf{i}$-th sensor’s measurement at time k is denoted by

$$y_{\mathsf{i}}\left(k\right)=c_{\mathsf{i}}x\left(k\right)+n_{\mathsf{i}}\left(k\right)$$

where $c_{\mathsf{i}}$ is the $\mathsf{i}$-th row of the output matrix C, which implies that $C={[c_1^{\top }{c}_2^{\top }\cdots c_{\mathrm{p}}^{\top }]}^{\top }$. Here, stochastic assumptions on the disturbance $d\left(k\right)$, the noise $n\left(k\right)$ and the initial state $x\left(0\right)$ of the system (1) are formally stated as follows.

Assumption 1.

The disturbance $d\left(k\right)$ and measurement noise $n\left(k\right)$ are independent and identically distributed (i.i.d.) white Gaussian process with zero-mean and covariance matrices Q and R, respectively. More specifically,

$$\begin{array}{cccccc}\hfill d\left(k\right)& \sim N(0_{\mathrm{n}\times 1},\hfill & & Q),\hfill & & \\ \hfill n\left(k\right)& \sim N(0_{\mathrm{p}\times 1},\hfill & & R),\hfill & & \\ \hfill \mathbf{E}\left[d\right(k\left)\right]& =0_{\mathrm{n}\times 1},\hfill & & \mathbf{E}\left[d\left(k\right)d^{\top }\left(t\right)\right]\hfill & & =Q{\delta }_{kt},\hfill \\ \hfill \mathbf{E}\left[n\right(k\left)\right]& =0_{\mathrm{p}\times 1},\hfill & & \mathbf{E}\left[n\left(k\right)n^{\top }\left(t\right)\right]\hfill & & =R{\delta }_{kt},\hfill \\ & & & \mathbf{E}\left[n\left(k\right)d^{\top }\left(t\right)\right]\hfill & & =O_{\mathrm{p}\times \mathrm{n}},\hfill \end{array}$$

where the symbol $\mathbf{E}[·]$ represents the expected value of a random variable and ${\delta }_{kt}$ is the Kronecker delta function. Furthermore, the initial state $x\left(0\right)$ is a Gaussian distributed random variable with the mean ${\overline{x}}_0$ and covariance matrix $P_0$,

$$\begin{array}{cc}\hfill x\left(0\right)& \sim N({\overline{x}}_0,P_0),\hfill \\ \hfill \mathbf{E}\left[x\right(0\left)\right]& ={\overline{x}}_0,\mathbf{E}\left[(x\left(0\right)-{\overline{x}}_0){(x\left(0\right)-{\overline{x}}_0)}^{\top }\right]=P_0,\hfill \end{array}$$

and is independent of $d\left(k\right)$ and $n\left(k\right)$.

2.2. Attack Modeling with Sparse Sensor Attacks

Among various attack scenarios [3], we consider false data injection attacks on sensors. Adversarial attackers can inject arbitrary inputs to some (not all) sensors so that a part of the measurements is compromised. Some additive inputs may be induced by cyber or physical tampering with the sensors, or adversaries may penetrate into the communication network on the output side of the plant because those communication links are not secure. In both cases, the attack is characterized by the attack vector $a\in {\mathbb{R}}^{\mathrm{p}}$ as in

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill y^a\left(k\right)& =y\left(k\right)+a\left(k\right)\hfill \\ \hfill & =Cx\left(k\right)+n\left(k\right)+a\left(k\right)\hfill \\ \hfill & =Cx\left(k\right)+n^a\left(k\right)\hfill \end{array}\end{array}$$ (2)

where $y^a\in {\mathbb{R}}^{\mathrm{p}}$ denotes sensor readings with a potential attack, while $y\in {\mathbb{R}}^{\mathrm{p}}$ is the original healthy sensor data affected by the measurement noise only. Similarly, $n^a\in {\mathbb{R}}^{\mathrm{p}}$ represents the total sensor contamination signal including both the noise n and the attack a.

Here, it is assumed that the adversaries can compromise only a part of the sensors, not all of them. Assuming that the attacker’s resources are limited, we suppose that the attacker can contaminate up to $\mathsf{q}$ out of p measurement outputs. Therefore, a formal condition on the sparsity of the attack vector a can be given as follows.

Assumption 2.

The sensor attack vector $a\left(k\right)$ is $\mathsf{q}$-sparse for all $k\ge 0$, that is, ${\parallel a\left(k\right)\parallel }_0\le \mathsf{q},{}^{\forall }k\ge 0$. Moreover, it holds that

$$\left|\left\{\mathsf{i}\in \left[\mathrm{p}\right]:a_{\mathsf{i}}\left(k\right)\ne 0\mathit{for}\mathit{some}k\ge 0\right\}\right|\le \mathsf{q}.$$

This assumption tells more than ${\parallel a\left(k\right)\parallel }_0\le \mathsf{q}$ for all $k\ge 0$, in the sense that the compromised sensor channels are not altered for all time. In practice, this may be the case because it takes quite a long time and much effort to infiltrate into a new sensor from a malicious attacker’s point of view. Thus, without loss of generality, it can be assumed that the attack channels remain the same in the long term although it is not revealed to the controller which channels are attacked. However, if the attacked sensor channel changes but does not change frequently, the resilient state estimation scheme to be presented is still applicable. We will simply refer to this assumption as a “$\mathsf{q}$-sparse sensor attack”.

2.3. Problem Formulation

For the given discrete-time LTI system (1) under Assumptions 1 and 2, this paper investigates how to design an estimator that can recover the state variable x correctly. First, the Gaussian distributed disturbances/noises are handled appropriately, and the optimality in the sense of minimum variance should be recovered. Second, the security against the sparse sensor attack is enhanced, and the attack-resilient estimation with the unbiased state estimate should be achieved. More specifically, this paper considers the problem of proposing a secure and robust state estimation algorithm that generates the estimate that is most likely to have the minimum variance and to be unbiased. In this process, the concept of “redundant observability”, which characterizes the ability of coping with the sparse sensor attack, is utilized to ensure successful state estimation.

The basic condition for the observability of the system (1) with the attack model (2) satisfying Assumption 2, is given in the following assumption. Note that the assumption of “$2\mathsf{q}$ redundant observability” is an equivalent condition for the system to be observable under $\mathsf{q}$-sparse sensor attacks ([15], Proposition 2,3,6). Here, the state estimation problem becomes challenging because this redundant observability does not guarantee for the entire states to be recovered with only a single sensor.

Assumption 3.

The system (1), or the pair $(A,C)$, is $2\mathsf{q}$ redundant observable. In other words, each pair $(A,C_{\mathcal{I}})$ is observable for any $\mathcal{I}\subset \left[\mathrm{p}\right]$ satisfying $\left|\mathcal{I}\right|\ge \mathrm{p}-2\mathsf{q}$.

3. Optimal Information Fusion Kalman Filter Based on Observability Decomposition

3.1. Kalman Observability Decomposition with Single Sensor

Since conventional Luenburger observers or Kalman filters typically have the form of

$$\widehat{x}(k+1)=(A-KC)\widehat{x}\left(k\right)+Bu\left(k\right)+K{y}^a\left(k\right),$$

the whole state estimates $\widehat{x}$ are affected by the single sensor attack signal due to the observer gain K. In other words, any single non-zero component of a can alter all components of the state estimate $\widehat{x}$. Hence, we design a collection of observers where each local observer utilizes only a single sensor information so that an attack signal for one sensor channel only interferes with the corresponding local observer and leaves other local observers unaffected.

Consider a single-output system

$$\begin{array}{c}\hfill {\mathcal{P}}_{\mathsf{i}}:\left\{\begin{array}{c}x(k+1)=Ax\left(k\right)+Bu\left(k\right)+d\left(k\right)\hfill \\ y_{\mathsf{i}}^a\left(k\right)=c_{\mathsf{i}}x\left(k\right)+n_{\mathsf{i}}^a\left(k\right).\hfill \end{array}\right.\end{array}$$ (3)

where the $\mathsf{i}$-th component of $y^a\left(k\right)$ in (2), $y_{\mathsf{i}}^a\left(k\right)$, is the output and the dynamics is given by (1). Since the pair $(A,c_{\mathsf{i}})$ is not necessarily observable, an estimator of the system (3) generally recovers only an (observable) portion of the full state x. The Kalman observability decomposition, which clearly describes the observable portion of the system, is now briefly introduced. For the single-output system (3), the observability matrix is written as

$$\begin{array}{c}\hfill \begin{array}{c}\hfill G_{\mathsf{i}}:=\left[\begin{array}{c}{c}_{\mathsf{i}}\\ c_{\mathsf{i}}A\\ c_{\mathsf{i}}{A}^2\\ ⋮\\ c_{\mathsf{i}}{A}^{\mathrm{n}-1}\end{array}\right],\end{array}\end{array}$$ (4)

and we denote ${\mu }_{\mathsf{i}}$ as the rank of the observability matrix $G_{\mathsf{i}}$. The null space of $G_{\mathsf{i}}$, $\mathcal{N}\left(G_{\mathsf{i}}\right)$, is the so-called unobservable subspace, and the column range space of $G_{\mathsf{i}}^{\top }$, $\mathcal{R}\left(G_{\mathsf{i}}^{\top }\right)$, is often called the observable subspace.

One can define the similarity transformation as

$$\begin{array}{c}\hfill \left[\begin{array}{c}{z}_{\mathsf{i}}\\ w_{\mathsf{i}}\end{array}\right]=\left[\begin{array}{c}{Z_{\mathsf{i}}}^{\top }\\ W_{\mathsf{i}}^{\top }\end{array}\right]x\end{array}$$ (5)

where $Z_{\mathsf{i}}\in {\mathbb{R}}^{\mathrm{n}\times {\mu }_{\mathsf{i}}}$ is the matrix whose columns are th orthonormal basis of $\mathcal{R}\left(G_{\mathsf{i}}^{\top }\right)$ and $W_{\mathsf{i}}\in {\mathbb{R}}^{\mathrm{n}\times (\mathrm{n}-{\mu }_{\mathsf{i}})}$ is the matrix whose columns are the orthonormal basis of $\mathcal{N}\left(G_{\mathsf{i}}\right)$. Here, the size of those matrices is determined by

$${\mu }_{\mathsf{i}}=\mathsf{rank}\left(G_{\mathsf{i}}\right)=\mathsf{dim}\left(\mathcal{R}\left(G_{\mathsf{i}}^{\top }\right)\right)\mathrm{and}\mathrm{n}-{\mu }_{\mathsf{i}}=\mathsf{nullity}\left(G_{\mathsf{i}}\right)=\mathsf{dim}\left(\mathcal{N}\left(G_{\mathsf{i}}\right)\right).$$

Note that the observable subspace $\mathcal{R}\left(G_{\mathsf{i}}^{\top }\right)$ is the span of column vectors in $Z_{\mathsf{i}}$ and the unobservable subspace $\mathcal{N}\left(G_{\mathsf{i}}\right)$ is the span of column vectors in $W_{\mathsf{i}}$. Since the matrix $\left[Z_{\mathsf{i}}{W}_{\mathsf{i}}\right]$ is orthogonal, we have

$$\left[\begin{array}{c}{Z_{\mathsf{i}}}^{\top }\\ W_{\mathsf{i}}^{\top }\end{array}\right]\left[\begin{array}{cc}{Z}_{\mathsf{i}}& W_{\mathsf{i}}\end{array}\right]=\left[\begin{array}{cc}{Z_{\mathsf{i}}}^{\top }{Z}_{\mathsf{i}}& {Z_{\mathsf{i}}}^{\top }{W}_{\mathsf{i}}\\ W_{\mathsf{i}}^{\top }{Z}_{\mathsf{i}}& W_{\mathsf{i}}^{\top }{W}_{\mathsf{i}}\end{array}\right]=\left[\begin{array}{cc}{I}_{{\mu }_{\mathsf{i}}\times {\mu }_{\mathsf{i}}}& O_{{\mu }_{\mathsf{i}}\times (\mathrm{n}-{\mu }_{\mathsf{i}})}\\ O_{(\mathrm{n}-{\mu }_{\mathsf{i}})\times {\mu }_{\mathsf{i}}}& I_{(\mathrm{n}-{\mu }_{\mathsf{i}})\times (\mathrm{n}-{\mu }_{\mathsf{i}})}\end{array}\right].$$

Moreover, because the unobservable subspace is A-invariant, any columns of $A{W}_{\mathsf{i}}$ belong to $\mathcal{N}\left(G_{\mathsf{i}}\right)=\mathcal{R}\left(W_{\mathsf{i}}\right)$. Therefore, the Kalman observability decomposition of the system (3) is obtained by the transformation (5) as

$$\begin{array}{c}\hfill {\mathcal{P}}_{\mathsf{i}}^{\prime }:\left\{\begin{array}{c}\left[\begin{array}{c}{z}_{\mathsf{i}}(k+1)\\ w_{\mathsf{i}}(k+1)\end{array}\right]=\left[\begin{array}{cc}{Z_{\mathsf{i}}}^{\top }A{Z}_{\mathsf{i}}& O_{{\mu }_{\mathsf{i}}\times (\mathrm{n}-{\mu }_{\mathsf{i}})}\\ W_{\mathsf{i}}^{\top }A{Z}_{\mathsf{i}}& W_{\mathsf{i}}^{\top }A{W}_{\mathsf{i}}\end{array}\right]\left[\begin{array}{c}{z}_{\mathsf{i}}\left(k\right)\\ w_{\mathsf{i}}\left(k\right)\end{array}\right]+\left[\begin{array}{c}{Z_{\mathsf{i}}}^{\top }B\\ W_{\mathsf{i}}^{\top }B\end{array}\right]u\left(k\right)+\left[\begin{array}{c}{Z_{\mathsf{i}}}^{\top }\\ W_{\mathsf{i}}^{\top }\end{array}\right]d\left(k\right)\hfill \\ y_{\mathsf{i}}^a\left(k\right)=\left[\begin{array}{cc}{c}_{\mathsf{i}}{Z}_{\mathsf{i}}& 0_{1\times (\mathrm{n}-{\mu }_{\mathsf{i}})}\end{array}\right]\left[\begin{array}{c}{z}_{\mathsf{i}}\left(k\right)\\ w_{\mathsf{i}}\left(k\right)\end{array}\right]+n_{\mathsf{i}}^a\left(k\right).\hfill \end{array}\right.\end{array}$$ (6)

Finally, the state $x\in {\mathbb{R}}^{\mathrm{n}}$ is decomposed into the observable sub-state $z_{\mathsf{i}}\in {\mathbb{R}}^{{\mu }_{\mathsf{i}}}$ and the unobservable sub-state $w_{\mathsf{i}}\in {\mathbb{R}}^{\mathrm{n}-{\mu }_{\mathsf{i}}}$. Further, the observable part of (6) can simply be written as

$$\begin{array}{c}\hfill {\mathcal{P}}_{\mathsf{i}}^o:\left\{\begin{array}{c}{z}_{\mathsf{i}}(k+1)=S_{\mathsf{i}}{z}_{\mathsf{i}}\left(k\right)+Z_{\mathsf{i}}^{\top }Bu\left(k\right)+Z_{\mathsf{i}}^{\top }d\left(k\right)\hfill \\ y_{\mathsf{i}}^a\left(k\right)=t_{\mathsf{i}}{z}_{\mathsf{i}}\left(k\right)+n_{\mathsf{i}}^a\left(k\right)\hfill \end{array}\right.\end{array}$$ (7)

where $S_{\mathsf{i}}:=Z_{\mathsf{i}}^{\top }A{Z}_{\mathsf{i}}$ and $t_{\mathsf{i}}:=c_{\mathsf{i}}{Z}_{\mathsf{i}}$.

3.2. Decentralized Multi-Sensor Kalman Filter

Even though the Kalman filter can be applied to unobservable linear systems, the error covariance matrix may not converge in that case. According to ([29], Theorem 26), the detectability of the system is a sufficient condition for the convergence of the error covariance matrix in Kalman filtering. Since detectability is a slightly weaker concept than observability, the results in this paper dealing with observability can be generalized to the concept of detectability with slight modifications. The design of local state estimators for the observable subsystem (7) in the form of Kalman filters using only single sensor information, is derived in this subsection. By its construction, the pair $(Z_{\mathsf{i}}^{\top }A{Z}_{\mathsf{i}},c_{\mathsf{i}}{Z}_{\mathsf{i}})$, or simply denoted as $(S_{\mathsf{i}},t_{\mathsf{i}})$, is observable, and thus, the error covariance matrix of the Kalman filter designed for the system (7) converges to a positive semidefinite matrix ([29], Theorem 26).

Now, we design a decentralized Kalman filter with each single sensor output, which constitutes the local observer. Then, the design of an information fusion scheme, which collects all the information on state estimates and error covariance matrices from the decentralized Kalman filters, will be discussed in the next subsection. For the simplicity of the derivation, we assume that there are no attacks at this time, that is, $a\left(k\right)\equiv 0$. Thus, $n^a\left(k\right)$ and $y^a\left(k\right)$ are interpreted as $n\left(k\right)$ and $y\left(k\right)$, respectively, in this section.

Stochastic assumptions on the disturbance $d\left(k\right)$ and the noise $n\left(k\right)$ of the system (1) are formally stated in Assumption 1 where the covariance matrix R of the measurement noise $n\left(k\right)$ is partitioned as

$$R=\left[\begin{array}{cccc}{R}_1& R_{12}& \cdots & R_{1\mathrm{p}}\\ R_{21}& R_2& \cdots & R_{2\mathrm{p}}\\ ⋮& ⋮& \ddots & ⋮\\ R_{\mathrm{p}1}& R_{\mathrm{p}2}& \cdots & R_{\mathrm{p}}\end{array}\right].$$

Finally, the assumption for each measurement noise $n_{\mathsf{i}}\left(k\right)$ (which is the same as $n_{\mathsf{i}}^a\left(k\right)$ in this section) of the system (3) can be written as follows:

$$\begin{array}{cccc}\hfill n_{\mathsf{i}}\left(k\right)& \sim N(0,R_{\mathsf{i}}),\hfill & & \\ \hfill \mathbf{E}\left[n_{\mathsf{i}}\left(k\right)\right]& =0,\mathbf{E}\left[n_{\mathsf{i}}\left(k\right)n_{\mathsf{i}}^{\top }\left(t\right)\right]\hfill & & =R_{\mathsf{i}}{\delta }_{kt},\hfill \\ & \mathbf{E}\left[n_{\mathsf{i}}\left(k\right)n_{\mathsf{j}}^{\top }\left(t\right)\right]\hfill & & =R_{\mathsf{i}\mathsf{j}}{\delta }_{kt},\mathrm{if}\mathsf{i}\ne \mathsf{j},\hfill \\ & \mathbf{E}\left[n_{\mathsf{i}}\left(k\right)d^{\top }\left(t\right)\right]\hfill & & =0_{1\times \mathrm{n}}.\hfill \end{array}$$

The local observer is designed by a Kalman filter for the observable subsystem (7). To this end, let ${\widehat{z}}_{\mathsf{i}}\left(k\right|k-1)$ be the estimate of $z_{\mathsf{i}}\left(k\right)$ based on observations from $y^a\left(0\right)$ to $y^a(k-1)$. Similarly, ${\widehat{z}}_{\mathsf{i}}\left(k\right|k)$ is the estimate of $z_{\mathsf{i}}\left(k\right)$ after we process the measurement $y^a\left(k\right)$ at time k. Following the conventional notations in a Kalman filter, we use the terms $P_{\mathsf{i}}\left(k\right|k-1)$ and $P_{\mathsf{i}}\left(k\right|k)$ to denote the estimation error covariance of ${\widehat{z}}_{\mathsf{i}}\left(k\right|k-1)$ and ${\widehat{z}}_{\mathsf{i}}\left(k\right|k)$, respectively. Thus, We have

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill P_{\mathsf{i}}\left(k\right|k-1)& =\mathbf{E}\left[({\widehat{z}}_{\mathsf{i}}\left(k\right|k-1)-z_{\mathsf{i}}\left(k\right)){({\widehat{z}}_{\mathsf{i}}\left(k\right|k-1)-z_{\mathsf{i}}\left(k\right))}^{\top }\right],\hfill \\ \hfill P_{\mathsf{i}}\left(k\right|k)& =\mathbf{E}\left[({\widehat{z}}_{\mathsf{i}}\left(k\right|k)-z_{\mathsf{i}}\left(k\right)){({\widehat{z}}_{\mathsf{i}}\left(k\right|k)-z_{\mathsf{i}}\left(k\right))}^{\top }\right].\hfill \end{array}\end{array}$$ (8)

Then, the Kalman filter has the following form of

$$\begin{array}{cc}\hfill {\mathcal{O}}_{\mathsf{i}}:& {\widehat{z}}_{\mathsf{i}}(k+1|k+1)\hfill \\ \hfill =& S_{\mathsf{i}}{\widehat{z}}_{\mathsf{i}}\left(k\right|k)+Z_{\mathsf{i}}^{\top }Bu\left(k\right)+K_{\mathsf{i}}(k+1)\left(y_{\mathsf{i}}^a(k+1)-t_{\mathsf{i}}\left(S_{\mathsf{i}}{\widehat{z}}_{\mathsf{i}}\left(k\right|k)+Z_{\mathsf{i}}^{\top }Bu\left(k\right)\right)\right)\hfill \\ \hfill =& (I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})\left(S_{\mathsf{i}}{\widehat{z}}_{\mathsf{i}}\left(k\right|k)+Z_{\mathsf{i}}^{\top }Bu\left(k\right)\right)+K_{\mathsf{i}}(k+1)y_{\mathsf{i}}^a(k+1),\hfill \end{array}$$ (9)

where

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\widehat{z}}_{\mathsf{i}}(k+1|k+1)& ={\widehat{z}}_{\mathsf{i}}(k+1|k)+K_{\mathsf{i}}(k+1)\left(y_{\mathsf{i}}^a(k+1)-t_{\mathsf{i}}{\widehat{z}}_{\mathsf{i}}(k+1|k)\right)\hfill \end{array}\end{array}$$ (10a)

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\widehat{z}}_{\mathsf{i}}(k+1|k)& =S_{\mathsf{i}}{\widehat{z}}_{\mathsf{i}}\left(k\right|k)+Z_{\mathsf{i}}^{\top }Bu\left(k\right)\hfill \end{array}\end{array}$$ (10b)

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill K_{\mathsf{i}}(k+1)& =P_{\mathsf{i}}(k+1|k)t_{\mathsf{i}}^{\top }{\left(t_{\mathsf{i}}{P}_{\mathsf{i}}(k+1|k)t_{\mathsf{i}}^{\top }+R_{\mathsf{i}}\right)}^{-1}\hfill \end{array}\end{array}$$ (10c)

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill P_{\mathsf{i}}(k+1|k)& =S_{\mathsf{i}}{P}_{\mathsf{i}}\left(k\right|k)S_{\mathsf{i}}^{\top }+Z_{\mathsf{i}}^{\top }Q{Z}_{\mathsf{i}}\hfill \end{array}\end{array}$$ (10d)

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill P_{\mathsf{i}}(k+1|k+1)& =(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})P_{\mathsf{i}}(k+1|k)\hfill \end{array}\end{array}$$ (10e)

with initial value of

$$\begin{array}{c}\hfill \begin{array}{c}\hfill {\widehat{z}}_{\mathsf{i}}\left(0\right|0)=Z_{\mathsf{i}}^{\top }{\overline{x}}_0,P_{\mathsf{i}}\left(0\right|0)=Z_{\mathsf{i}}^{\top }{P}_0{Z}_{\mathsf{i}}.\end{array}\end{array}$$

The above Equations (10) describe the recursive form of how the state estimate ${\widehat{z}}_{\mathsf{i}}$, the Kalman gain $K_{\mathsf{i}}$, and the error covariance matrix $P_{\mathsf{i}}$ evolve. The error covariance $P_{\mathsf{i}}$ of the $\mathsf{i}$-th local observer defined in (8), is governed by Equations (10d) and (10e), which ensure that the covariance matrix $P_{\mathsf{i}}\left(k\right|k)$ can be calculated by the following recursive form:

$$\begin{array}{cc}\hfill {\mathcal{L}}_{\mathsf{i}}:P_{\mathsf{i}}(k+1|k+1)& =(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})(S_{\mathsf{i}}{P}_{\mathsf{i}}\left(k\right|k)S_{\mathsf{i}}^{\top }+Z_{\mathsf{i}}^{\top }Q{Z}_{\mathsf{i}})\hfill \end{array}$$ (11)

with the initial value of

$$P_{\mathsf{i}}\left(0\right|0)=Z_{\mathsf{i}}^{\top }{P}_0{Z}_{\mathsf{i}}.$$

Similarly, the error cross covariance $P_{\mathsf{i}\mathsf{j}}$ of the $\mathsf{i}$-th and $\mathsf{j}$-th local observers can be defined by

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill P_{\mathsf{i}\mathsf{j}}\left(k\right|k-1)& =\mathbf{E}\left[({\widehat{z}}_{\mathsf{i}}\left(k\right|k-1)-z_{\mathsf{i}}\left(k\right)){({\widehat{z}}_{\mathsf{j}}\left(k\right|k-1)-z_{\mathsf{j}}\left(k\right))}^{\top }\right],\hfill \\ \hfill P_{\mathsf{i}\mathsf{j}}\left(k\right|k)& =\mathbf{E}\left[({\widehat{z}}_{\mathsf{i}}\left(k\right|k)-z_{\mathsf{i}}\left(k\right)){({\widehat{z}}_{\mathsf{j}}\left(k\right|k)-z_{\mathsf{j}}\left(k\right))}^{\top }\right],\hfill \end{array}\end{array}$$ (12)

and the recursive formula for $P_{\mathsf{i}\mathsf{j}}$ is derived here. To this end, define the estimation error

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\tilde{z}}_{\mathsf{i}}(k+1|k)& :={\widehat{z}}_{\mathsf{i}}(k+1|k)-z_{\mathsf{i}}(k+1)\hfill \\ \hfill {\tilde{z}}_{\mathsf{i}}(k+1|k+1)& :={\widehat{z}}_{\mathsf{i}}(k+1|k+1)-z_{\mathsf{i}}(k+1),\hfill \end{array}\end{array}$$ (13)

and we have that

$$\begin{array}{cc}\hfill {\tilde{z}}_{\mathsf{i}}(k+1|k)& =\left(S_{\mathsf{i}}{\widehat{z}}_{\mathsf{i}}\left(k\right|k)+Z_{\mathsf{i}}^{\top }Bu\left(k\right)\right)-\left(S_{\mathsf{i}}{z}_{\mathsf{i}}\left(k\right)+Z_{\mathsf{i}}^{\top }Bu\left(k\right)+Z_{\mathsf{i}}^{\top }d\left(k\right)\right)\hfill \\ \hfill & =S_{\mathsf{i}}{\tilde{z}}_{\mathsf{i}}\left(k\right|k)-Z_{\mathsf{i}}^{\top }d\left(k\right)\hfill \end{array}$$ (14a)

$$\begin{array}{cc}\hfill {\tilde{z}}_{\mathsf{i}}(k+1|k+1)& =\left({\widehat{z}}_{\mathsf{i}}(k+1|k)+K_{\mathsf{i}}(k+1)(y_{\mathsf{i}}^a(k+1)-t_{\mathsf{i}}{\widehat{z}}_{\mathsf{i}}(k+1|k))\right)-z_{\mathsf{i}}(k+1)\hfill \\ \hfill & =(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}}){\tilde{z}}_{\mathsf{i}}(k+1|k)+K_{\mathsf{i}}(k+1)n_{\mathsf{i}}^a(k+1).\hfill \end{array}$$ (14b)

By substituting (14a) into (14b), the dynamics of the error ${\tilde{z}}_{\mathsf{i}}\left(k\right|k)$ is obtained as

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\mathcal{F}}_{\mathsf{i}}:{\tilde{z}}_{\mathsf{i}}(k+1|k+1)& =(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})S_{\mathsf{i}}{\tilde{z}}_{\mathsf{i}}\left(k\right|k)-(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})Z_{\mathsf{i}}^{\top }d\left(k\right)\hfill \\ \hfill & +K_{\mathsf{i}}(k+1)n_{\mathsf{i}}^a(k+1).\hfill \end{array}\end{array}$$ (15)

The errors ${\tilde{z}}_{\mathsf{i}}\left(k\right|k)$ and ${\tilde{z}}_{\mathsf{j}}\left(k\right|k)$ for $\mathsf{i}\ne \mathsf{j}$ may be correlated; thus, by using (15), the error cross covariance between ${\tilde{z}}_{\mathsf{i}}\left(k\right|k)$ and ${\tilde{z}}_{\mathsf{j}}\left(k\right|k)$ can be computed recursively. From the recursive form of (15), note that ${\tilde{z}}_{\mathsf{i}}\left(k\right|k)$ is a linear combination of elements in

$$\begin{array}{c}\hfill \{{\tilde{z}}_{\mathsf{i}}\left(0\right|0),d\left(0\right),\cdots ,d(k-1),n_{\mathsf{i}}^a\left(0\right),\cdots ,n_{\mathsf{i}}^a\left(k\right)\}.\end{array}$$ (16)

Therefore, by Assumption 1, we have (i) $n_{\mathsf{i}}^a(k+1)$ and $d\left(k\right)$ are orthogonal, (ii) ${\tilde{z}}_{\mathsf{i}}\left(k\right|k)$ and $d\left(k\right)$ are orthogonal, and (iii) ${\tilde{z}}_{\mathsf{i}}\left(k\right|k)$ and $n_{\mathsf{j}}^a(k+1)$ are orthogonal. Using these facts, one can derive the recursive form of the error cross covariance between ${\tilde{z}}_{\mathsf{i}}\left(k\right|k)$ and ${\tilde{z}}_{\mathsf{j}}\left(k\right|k)$ as follows:

$$\begin{array}{cc}\hfill {\mathcal{L}}_{\mathsf{i}\mathsf{j}}:& P_{\mathsf{i}\mathsf{j}}(k+1|k+1)=\mathbf{E}\left[{\tilde{z}}_{\mathsf{i}}(k+1|k+1){\tilde{z}}_{\mathsf{j}}^{\top }(k+1|k+1)\right]\hfill \\ \hfill =& (I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})\left(S_{\mathsf{i}}\mathbf{E}\left[{\tilde{z}}_{\mathsf{i}}\left(k\right|k){\tilde{z}}_{\mathsf{j}}^{\top }\left(k\right|k)\right]S_{\mathsf{j}}^{\top }+Z_{\mathsf{i}}^{\top }Q{Z}_{\mathsf{j}}\right){(I-K_{\mathsf{j}}(k+1)t_{\mathsf{j}})}^{\top }\hfill \\ \hfill & +K_{\mathsf{i}}(k+1)\mathbf{E}\left[n_{\mathsf{i}}^a(k+1){n_{\mathsf{j}}^a}^{\top }(k+1)\right]K_{\mathsf{j}}^{\top }(k+1)\hfill \\ \hfill =& (I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})\left(S_{\mathsf{i}}{P}_{\mathsf{i}\mathsf{j}}\left(k\right|k)S_{\mathsf{j}}^{\top }+Z_{\mathsf{i}}^{\top }Q{Z}_{\mathsf{j}}\right){(I-K_{\mathsf{j}}(k+1)t_{\mathsf{j}})}^{\top }\hfill \\ \hfill & +K_{\mathsf{i}}(k+1)R_{\mathsf{i}\mathsf{j}}{K}_{\mathsf{j}}^{\top }(k+1),\hfill \end{array}$$ (17)

with the initial value of

$$P_{\mathsf{i}\mathsf{j}}\left(0\right|0)=Z_{\mathsf{i}}^{\top }{P}_0{Z}_{\mathsf{j}}.$$

3.3. Optimal Information Fusion Based on Observability Decomposition

Based on the equivalence $Z_{\mathsf{i}}^{\top }x=z_{\mathsf{i}}$ in (5) and the definition ${\tilde{z}}_{\mathsf{i}}={\widehat{z}}_{\mathsf{i}}-z_{\mathsf{i}}$ in (13), we have

$${\widehat{z}}_{\mathsf{i}}=z_{\mathsf{i}}+{\tilde{z}}_{\mathsf{i}}=Z_{\mathsf{i}}^{\top }x+{\tilde{z}}_{\mathsf{i}}.$$ (18)

Stacking Equations (18) for all $\mathsf{i}\in \left[\mathrm{p}\right]$ leads to the following equation of

$$\left[\begin{array}{c}{\widehat{z}}_1\left(k\right|k)\\ ⋮\\ {\widehat{z}}_{\mathrm{p}}\left(k\right|k)\end{array}\right]=\left[\begin{array}{c}{z}_1\left(k\right)\\ ⋮\\ z_{\mathrm{p}}\left(k\right)\end{array}\right]+\left[\begin{array}{c}{\tilde{z}}_1\left(k\right|k)\\ ⋮\\ {\tilde{z}}_{\mathrm{p}}\left(k\right|k)\end{array}\right]=\left[\begin{array}{c}{Z_1}^{\top }\\ ⋮\\ {Z_{\mathrm{p}}}^{\top }\end{array}\right]x\left(k\right)+\left[\begin{array}{c}{\tilde{z}}_1\left(k\right|k)\\ ⋮\\ {\tilde{z}}_{\mathrm{p}}\left(k\right|k)\end{array}\right].$$ (19)

Finally, (19) is written in a compact form as

$$\begin{array}{c}\hfill \widehat{z}\left(k\right|k)=\Phi x\left(k\right)+\tilde{z}\left(k\right|k)=\Phi x\left(k\right)+v^a\left(k\right)\in {\mathbb{R}}^{\mu },\end{array}$$ (20)

where the matrix

$$\Phi :=\left[\begin{array}{c}{Z_1}^{\top }\\ ⋮\\ {Z_{\mathrm{p}}}^{\top }\end{array}\right]\in {\mathbb{R}}^{\mu \times \mathrm{n}}$$ (21)

is composed of the similarity transformation matrices $Z_{\mathsf{i}}$’s and $v^a\left(k\right)$ is used for a simple notation of $\tilde{z}\left(k\right|k)$. In Equation (20),

$$\mu :=\sum _{\mathsf{i}=1}^{\mathrm{p}}{\mu }_{\mathsf{i}}$$

denotes the size of the stacked vector.

It should be noted that all the information in (20) except the actual state $x\left(k\right)$, are known or accessible to us. In Section 3.1, the matrix $\Phi$ is generated from the orthonormal basis of the observable subspace $\mathcal{R}\left(G_{\mathsf{i}}^{\top }\right)$ where $G_{\mathsf{i}}$ is the observability matrix given by (4). In Section 3.2, each local observer ${\mathcal{O}}_{\mathsf{i}}$ in (9) provides the state estimate ${\widehat{z}}_{\mathsf{i}}$ for the observable sub-state $z_{\mathsf{i}}$. Now, the stochastic properties of the last term

$$v^a\left(k\right)=\tilde{z}\left(k\right|k)=\left[\begin{array}{c}{\tilde{z}}_1\left(k\right|k)\\ {\tilde{z}}_2\left(k\right|k)\\ ⋮\\ {\tilde{z}}_{\mathrm{p}}\left(k\right|k)\end{array}\right]$$

are analyzed. First, its mean is zero because ${\tilde{z}}_{\mathsf{i}}\left(k\right|k)$ is a linear combination of elements in (16) by the Formula (15), and Assumption 1 ensures that every component in (16) has a zero mean. Second, the covariance matrix of $v^a\left(k\right)$ can be obtained since the error covariance matrix $P_{\mathsf{i}}$ is computed by each local observer ${\mathcal{L}}_{\mathsf{i}}$ in (11), and the error cross covariance matrix $P_{\mathsf{i}\mathsf{j}}$ is generated by the second layer of the multi-sensor Kalman filter ${\mathcal{L}}_{\mathsf{i}\mathsf{j}}$ in (17) with collected information from local observers (see Figure 1 for the structure of the proposed Kalman filter). In summary, we have

$$v^a\left(k\right)\sim N\left(0_{\mu \times 1},P\left(k\right|k)\right),$$ (22)

where

$$P\left(k\right|k)=\left[\begin{array}{cccc}{P}_1\left(k\right|k)& P_{12}\left(k\right|k)& \cdots & P_{1\mathrm{p}}\left(k\right|k)\\ P_{21}\left(k\right|k)& P_2\left(k\right|k)& \cdots & P_{2\mathrm{p}}\left(k\right|k)\\ ⋮& ⋮& \ddots & ⋮\\ P_{\mathrm{p}1}\left(k\right|k)& P_{\mathrm{p}2}\left(k\right|k)& \cdots & P_{\mathrm{p}}\left(k\right|k)\end{array}\right],$$ (23)

which can be recursively computed by (11) and (17). Finally, Equation (20) depicts a linear model with the measured data vector $\widehat{z}$, the known matrix $\Phi$, the noise vector $v^a$ with a zero-mean Gaussian distribution, and the unknown vector x to be estimated.

Figure 1.

Structure of decentralized multi-sensor information fusion Kalman filter.

Based on the statistical estimation and detection theory [30,31], an elaborate derivation process to recover the optimal estimate of x in (20), is now presented. The minimum variance unbiased estimator (MVUE) for the data model (20) with $v^a$ satisfying $v^a\sim N(0_{\mu \times 1},P)$ is introduced as follows.

Theorem 1

([30], Theorem 4.2). For the measurement $\widehat{z}=\Phi x+v^a\in {\mathbb{R}}^{\mu }$ with $x\in {\mathbb{R}}^{\mathrm{n}}$ and $v^a\in {\mathbb{R}}^{\mu }$ such that $v^a\sim N(0_{\mu \times 1},P)$ for some $P>0$, the minimum variance unbiased estimator (MVUE) of x is

$$\mathcal{D}:{\widehat{x}}_{\mathrm{MVUE}}={\left({\Phi }^{\top }{P}^{-1}\Phi \right)}^{-1}{\Phi }^{\top }{P}^{-1}\widehat{z}$$ (24)

and the corresponding covariance matrix of ${\widehat{x}}_{\mathrm{MVUE}}$ is

$$P_{{\widehat{x}}_{\mathrm{MVUE}}}={\left({\Phi }^{\top }{P}^{-1}\Phi \right)}^{-1},$$ (25)

which achieves the minimum covariance in the sense that $P_{{\widehat{x}}_{\mathrm{MVUE}}}\le P_{\widehat{x}}$ for any type of estimator $\widehat{x}$.

Proof. 

The results directly follows from the Gauss–Markov Theorem ([30], Theorem 6.1). However, we provide a direct proof for the readers convenience, and it follows the procedure in the proof of ([24], Theorem 1) or ([25], Theorem 1). We introduce a linear unbiased estimator

$$\widehat{x}=\Omega \widehat{z}$$

and, from the unbiased assumption, it follows that

$$\mathbf{E}\left[\widehat{x}\right]=\mathbf{E}[\Omega \widehat{z}]=\Omega \mathbf{E}[\Phi x+v^a]=\Omega \Phi \mathbf{E}\left[x\right]=\mathbf{E}\left[x\right].$$

Thus, we have

$$\Omega \Phi =I_{\mathrm{n}\times \mathrm{n}}.$$ (26)

Let the covariance matrix of the estimation error $\tilde{x}:=\widehat{x}-x$ be $P_x$. Then, the estimation error $\tilde{x}$ is obtained that

$$\tilde{x}=\widehat{x}-x=\Omega \widehat{z}-x=\Omega \widehat{z}-\Omega \Phi x=\Omega (\widehat{z}-\Phi x)=\Omega v^a,$$

and the covariance matrix $P_x$ can be computed as

$$P_x=\mathbf{E}\left[\tilde{x}{\tilde{x}}^{\top }\right]=\mathbf{E}\left[\Omega v^a{v^a}^{\top }{\Omega }^{\top }\right]=\Omega \mathbf{E}\left[v^a{v^a}^{\top }\right]{\Omega }^{\top }=\Omega P{\Omega }^{\top }.$$

In order to find the minimum variance estimator, set the trace of the covariance matrix $P_x$ as the performance index

$$J:=\mathsf{tr}\left(P_x\right)=\mathsf{tr}\left(\Omega P{\Omega }^{\top }\right).$$

The Lagrangian [32] associated with J becomes

$$L=J+2\mathsf{tr}\left(\Lambda \left(\Omega \Phi -I_{\mathrm{n}\times \mathrm{n}}\right)\right)$$

where $\Lambda \in {\mathbb{R}}^{\mathrm{n}\times \mathrm{n}}$ is a matrix representing the Lagrange multipliers. By solving

$$\frac{\partial L}{\partial \Omega }=O_{\mathrm{n}\times \mu },$$

we have

$$\Omega P+{\Lambda }^{\top }{\Phi }^{\top }=O_{\mathrm{n}\times \mu }.$$ (27)

Combining (26) and (27) results in the following equation of

$$\left[\begin{array}{cc}\Omega & {\Lambda }^{\top }\end{array}\right]\left[\begin{array}{cc}P& \Phi \\ {\Phi }^{\top }& O_{\mathrm{n}\times \mathrm{n}}\end{array}\right]=\left[\begin{array}{cc}{O}_{\mathrm{n}\times \mu }& I_{\mathrm{n}\times \mathrm{n}}\end{array}\right].$$

Therefore, the matrix inversion lemma ([33], Section 2.3) yields the solution as

$$\left[\begin{array}{cc}\Omega & {\Lambda }^{\top }\end{array}\right]=\left[\begin{array}{cc}{O}_{\mathrm{n}\times \mu }& I_{\mathrm{n}\times \mathrm{n}}\end{array}\right]{\left[\begin{array}{cc}P& \Phi \\ {\Phi }^{\top }& O_{\mathrm{n}\times \mathrm{n}}\end{array}\right]}^{-1}=\left[\begin{array}{cc}{\left({\Phi }^{\top }{P}^{-1}\Phi \right)}^{-1}{\Phi }^{\top }{P}^{-1}& -{\left({\Phi }^{\top }{P}^{-1}\Phi \right)}^{-1}\end{array}\right].$$

Thus, we have $\Omega ={\left({\Phi }^{\top }{P}^{-1}\Phi \right)}^{-1}{\Phi }^{\top }{P}^{-1}$. Finally, the MVUE of x in (24), is obtained from ${\widehat{x}}_{\mathrm{MVUE}}=\Omega \widehat{z}={\left({\Phi }^{\top }{P}^{-1}\Phi \right)}^{-1}{\Phi }^{\top }{P}^{-1}\widehat{z}$, and the corresponding covariance matrix in (25) is computed by $P_{{\widehat{x}}_{\mathrm{MVUE}}}=\Omega P{\Omega }^{\top }={\left({\Phi }^{\top }{P}^{-1}\Phi \right)}^{-1}$.    □

Theorem 1 explains how the optimal estimate is computed. The information fusion center $\mathcal{D}$ calculates the MVUE by (24) and its covariance by (25). In summary, the whole structure of the decentralized multi-sensor information fusion Kalman filter is shown in Figure 1. The first layer is composed of the local observer ${\mathcal{O}}_{\mathsf{i}}$, which generates the estimate ${\widehat{z}}_{\mathsf{i}}$ and the Kalman gains $K_{\mathsf{i}}$ as given in (9) and (10). A part of the local observer ${\mathcal{O}}_{\mathsf{i}}$, denoted as ${\mathcal{L}}_{\mathsf{i}}$, provides the error covariance matrix $P_{\mathsf{i}}$. The second layer ${\mathcal{L}}_{\mathsf{i}\mathsf{j}}$ collects the Kalman gain $K_{\mathsf{i}}$’s from the first layer and gives the error cross covariance matrix $P_{\mathsf{i}\mathsf{j}}$ by (17). Finally, the third layer operates as an optimal information fusion center $\mathcal{D}$ as described in Theorem 1 and computes the optimal estimate with the minimum covariance.

Remark 1.

Note that Gauss–Markov Theorem ([30], Theorem 6.1) gives the best linear unbiased estimator (BLUE) for the measurement $\widehat{z}=\Phi x+v^a$ where $v^a$ is a random variable, whose probability density function (PDF) is not restricted to a Gaussian distribution, with a zero mean and covariance P. Since the BLUE is also the MVUE for Gaussian data, the results of Theorem 1 also follow directly from the Gauss–Markov Theorem. The state estimate ${\widehat{x}}_{\mathrm{MVUE}}$ given in Theorem 1 is the optimal estimate since it achieves the minimum variance with an unbiased mean. A special case of Theorem 1 is considered in ([24], Theorem 1) and ([25], Theorem 1) for an information fusion scheme; however, the scheme in [24,25] may not be successful for a system whose local systems with a single sensor are not observable because the covariance matrix P could diverge in that case, whereas the covariance matrix P does not diverge in our scheme due to the Kalman observability decomposition.

4. Attack Resilient and Secure State Estimation by Decentralized Kalman Filter

4.1. Effect of Sparse Sensor Attack on Information Fusion Kalman FIlter

In the previous section, we assumed that all sensors were attack-free, that is, $a\left(k\right)\equiv 0$. Hence, $n_{\mathsf{i}}^a\left(k\right)$ and $y_{\mathsf{i}}^a\left(k\right)$ in (3) and (7) were regarded as non-attacked noise $n_{\mathsf{i}}\left(k\right)$ and output $y_{\mathsf{i}}\left(k\right)$, respectively. The effects of a sparse sensor attack satisfying Assumption 2 on the information fusion Kalman filter developed in Section 3 are investigated in this subsection.

By linearity, the Kalman filter in (10) can be divided into two parts with ${\widehat{z}}_{\mathsf{i}}=:g_{\mathsf{i}}+e_{\mathsf{i}}$ as in

$$\begin{array}{cc}\hfill g_{\mathsf{i}}(k+1|k+1)& :=g_{\mathsf{i}}(k+1|k)+K_{\mathsf{i}}(k+1)\left(y_{\mathsf{i}}(k+1)-t_{\mathsf{i}}{g}_{\mathsf{i}}(k+1|k)\right),\hfill \end{array}$$ (28a)

$$\begin{array}{cc}\hfill e_{\mathsf{i}}(k+1|k+1)& :=e_{\mathsf{i}}(k+1|k)+K_{\mathsf{i}}(k+1)\left(a_{\mathsf{i}}(k+1)-t_{\mathsf{i}}{e}_{\mathsf{i}}(k+1|k)\right),\hfill \end{array}$$ (28b)

$$\begin{array}{cc}\hfill g_{\mathsf{i}}(k+1|k)& :=S_{\mathsf{i}}{g}_{\mathsf{i}}\left(k\right|k)+Z_{\mathsf{i}}^{\top }Bu\left(k\right),\hfill \end{array}$$ (28c)

$$\begin{array}{cc}\hfill e_{\mathsf{i}}(k+1|k)& :=S_{\mathsf{i}}{e}_{\mathsf{i}}\left(k\right|k).\hfill \end{array}$$ (28d)

Note that $g_{\mathsf{i}}(k+1|k+1)$ and $e_{\mathsf{i}}(k+1|k+1)$ have the same dynamics with (10a), while the incoming signal $y_{\mathsf{i}}^a(k+1)$ is divided into two parts with $y_{\mathsf{i}}(k+1)$ and $a_{\mathsf{i}}(k+1)$ assigned to the dynamics of $g_{\mathsf{i}}(k+1|k+1)$ and $e_{\mathsf{i}}(k+1|k+1)$, respectively. Similarly, $g_{\mathsf{i}}(k+1|k)$ and $e_{\mathsf{i}}(k+1|k)$ have the same dynamics with (10b), whereas the incoming signal $u\left(k\right)$ is solely assigned to the dynamics of $g_{\mathsf{i}}(k+1|k)$. By setting the initial conditions as

$$g_{\mathsf{i}}\left(0\right|0)={\widehat{z}}_{\mathsf{i}}\left(0\right|0)=Z_{\mathsf{i}}^{\top }{\overline{x}}_0\mathrm{and}{e}_{\mathsf{i}}\left(0\right|0)=0_{{\mu }_{\mathsf{i}}\times 1},$$

it easily follows from (10a) and (10b) that

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\widehat{z}}_{\mathsf{i}}(k+1|k+1)& =g_{\mathsf{i}}(k+1|k+1)+e_{\mathsf{i}}(k+1|k+1),\hfill \\ \hfill {\widehat{z}}_{\mathsf{i}}(k+1|k)& =g_{\mathsf{i}}(k+1|k)+e_{\mathsf{i}}(k+1|k).\hfill \end{array}\end{array}$$ (29)

Finally, the local observer ${\mathcal{O}}_{\mathsf{i}}$ in (9) is divided into ${\mathcal{O}}_{\mathsf{i}}^y$ and ${\mathcal{O}}_{\mathsf{i}}^a$, as follows:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\mathcal{O}}_{\mathsf{i}}^y:g_{\mathsf{i}}(k+1|k+1)& =(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})\left(S_{\mathsf{i}}{g}_{\mathsf{i}}\left(k\right|k)+Z_{\mathsf{i}}^{\top }Bu\left(k\right)\right)+K_{\mathsf{i}}(k+1)y_{\mathsf{i}}(k+1),\hfill \end{array}\end{array}$$ (30a)

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\mathcal{O}}_{\mathsf{i}}^a:e_{\mathsf{i}}(k+1|k+1)& =(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})S_{\mathsf{i}}{e}_{\mathsf{i}}\left(k\right|k)+K_{\mathsf{i}}(k+1)a_{\mathsf{i}}(k+1).\hfill \end{array}\end{array}$$ (30b)

Now, define the attack-free estimation error

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill v_{\mathsf{i}}(k+1|k+1)& :=g_{\mathsf{i}}(k+1|k+1)-z_{\mathsf{i}}(k+1),\hfill \\ \hfill v_{\mathsf{i}}(k+1|k)& :=g_{\mathsf{i}}(k+1|k)-z_{\mathsf{i}}(k+1),\hfill \end{array}\end{array}$$ (31)

and we have that

$$\begin{array}{cc}\hfill v_{\mathsf{i}}(k+1|k)& =\left(S_{\mathsf{i}}{g}_{\mathsf{i}}\left(k\right|k)+Z_{\mathsf{i}}^{\top }Bu\left(k\right)\right)-\left(S_{\mathsf{i}}{z}_{\mathsf{i}}\left(k\right)+Z_{\mathsf{i}}^{\top }Bu\left(k\right)+Z_{\mathsf{i}}^{\top }d\left(k\right)\right)\hfill \\ \hfill & =S_{\mathsf{i}}{v}_{\mathsf{i}}\left(k\right|k)-Z_{\mathsf{i}}^{\top }d\left(k\right)\hfill \end{array}$$ (32a)

$$\begin{array}{}\mathrm{(32b)}& \begin{array}{cc}\hfill v_{\mathsf{i}}(k+1|k+1)& =\left(g_{\mathsf{i}}(k+1|k)+K_{\mathsf{i}}(k+1)(y_{\mathsf{i}}(k+1)-t_{\mathsf{i}}{g}_{\mathsf{i}}(k+1|k))\right)-z_{\mathsf{i}}(k+1)\hfill \\ \hfill & =(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})v_{\mathsf{i}}(k+1|k)+K_{\mathsf{i}}(k+1)n_{\mathsf{i}}(k+1)\hfill \\ \hfill & =(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})S_{\mathsf{i}}{v}_{\mathsf{i}}\left(k\right|k)-(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})Z_{\mathsf{i}}^{\top }d\left(k\right)\hfill \end{array}\mathrm{(32c)}& \begin{array}{cc}\hfill & \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}+K_{\mathsf{i}}(k+1)n_{\mathsf{i}}(k+1),\hfill \end{array}\end{array}$$

which is the same as (14) and (15) with $n_{\mathsf{i}}^a$ replaced by $n_{\mathsf{i}}$. By (29) and (31), the total state-estimation error defined in (13) satisfies

$${\tilde{z}}_{\mathsf{i}}(k+1|k+1)=v_{\mathsf{i}}(k+1|k+1)+e_{\mathsf{i}}(k+1|k+1),$$ (33)

and, from (30b) and (32c), its dynamic equation is given as follows:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\mathcal{F}}_{\mathsf{i}}:{\tilde{z}}_{\mathsf{i}}(k+1|k+1)& =(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})S_{\mathsf{i}}{\tilde{z}}_{\mathsf{i}}\left(k\right|k)-(I-K_{\mathsf{i}}(k+1)t_{\mathsf{i}})Z_{\mathsf{i}}^{\top }d\left(k\right)\hfill \\ \hfill & +K_{\mathsf{i}}(k+1)n_{\mathsf{i}}(k+1)+K_{\mathsf{i}}(k+1)a_{\mathsf{i}}(k+1),\hfill \end{array}\end{array}$$ (34)

which is a rewrite of (15) using the fact $n_{\mathsf{i}}^a=n_{\mathsf{i}}+a_{\mathsf{i}}$.

For notational simplicity, ${\widehat{z}}_{\mathsf{i}}\left(k\right|k)$, $v_{\mathsf{i}}\left(k\right|k)$, and $e_{\mathsf{i}}\left(k\right|k)$ are denoted by ${\widehat{z}}_{\mathsf{i}}\left(k\right)$, $v_{\mathsf{i}}\left(k\right)$, and $e_{\mathsf{i}}\left(k\right)$, respectively. Then, Equation (19) becomes

$$\left[\begin{array}{c}{\widehat{z}}_1\left(k\right)\\ ⋮\\ {\widehat{z}}_{\mathrm{p}}\left(k\right)\end{array}\right]=\left[\begin{array}{c}{Z_1}^{\top }\\ ⋮\\ {Z_{\mathrm{p}}}^{\top }\end{array}\right]x\left(k\right)+\left[\begin{array}{c}{v}_1\left(k\right)\\ ⋮\\ v_{\mathrm{p}}\left(k\right)\end{array}\right]+\left[\begin{array}{c}{e}_1\left(k\right)\\ ⋮\\ e_{\mathrm{p}}\left(k\right)\end{array}\right],$$ (35)

which can be written in a compact form as

$$\begin{array}{c}\hfill \widehat{z}\left(k\right)=\Phi x\left(k\right)+v\left(k\right)+e\left(k\right)\in {\mathbb{R}}^{\mu }.\end{array}$$ (36)

The above Equation (36) is nothing but (20) with $v^a$ replaced by $v+e$. The properties of v are exactly identical with those of $v^a$ in (22) because the derivation in (22) is under the assumption of $a\equiv 0$ meaning $e\equiv 0$ in this case. Thus, we have

$$v\left(k\right)\sim N\left(0_{\mu \times 1},P\left(k\right)\right),$$ (37)

where $P\left(k\right)$ simply denotes $P\left(k\right|k)$ in (23). The attack-induced signal $e\left(k\right)={[e_1^{\top }\left(k\right),\cdots ,e_{\mathrm{p}}^{\top }\left(k\right)]}^{\top }$ evolves according to Equation (30b) (or equivalently (28b) and (28d)) with an initial value of $e_{\mathsf{i}}\left(0\right)=e_{\mathsf{i}}\left(0\right|0)=0_{{\mu }_{\mathsf{i}}\times 1}$. Therefore, we have $e_{\mathsf{i}}\equiv 0_{{\mu }_{\mathsf{i}}\times 1}$ for the healthy sensor with $a_{\mathsf{i}}\equiv 0$, while $e_{\mathsf{i}}\not\equiv 0_{{\mu }_{\mathsf{i}}\times 1}$ generally holds for the attacked sensor with $a_{\mathsf{i}}\not\equiv 0$. Finally, the stacked error vector $e\in {\mathbb{R}}^{\mu }$ partitioned by the sequence $\left\{{\mu }_{\mathsf{i}}\right\}$, is ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse by Assumption 2.

4.2. Detection of Sparse Sensor Attack

In the previous subsection, the measurement data have the form $\widehat{z}=\Phi x+v+e\in {\mathbb{R}}^{\mu }$ with unknown signals x, v, and e where the noise-induced signal v can be considered as a random variable whose distribution is $N(0_{\mu \times 1},P)$ and the attack-induced signal e is ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse. To investigate the properties of the matrix $\Phi$ in the measurement data, we borrow the definition of ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-error detectability and its characterization from [15]. There is a slight modification in the following Definition 1 and Lemma 1 from [15]. They do not append any additional zeros, whereas [15] adds additional zeros to match the size of all partitioned vectors and matrices.

Definition 1

([15], Definition 1). For a finite sequence $\left\{{\mu }_{\mathsf{i}}\right\}=\left\{{\mu }_1,{\mu }_2,\cdots ,{\mu }_{\mathrm{p}}\right\}$ with $\mu ={\sum }_{\mathsf{i}=1}^{\mathrm{p}}{\mu }_{\mathsf{i}}$, a coding matrix $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$ is said to be ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-error detectable  if, for all $x,x^{\prime }\in {\mathbb{R}}^{\mathrm{n}}$ and ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse $e\in {\mathbb{R}}^{\mu }$ such that $\Phi x+e=\Phi x^{\prime }$, it holds that $x=x^{\prime }$.

Accordingly, the matrix $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$ is not ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-error detectable if and only if there exist $x,x^{\prime }\in {\mathbb{R}}^{\mathrm{n}}$ satisfying $x\ne x^{\prime }$, and ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse $e\in {\mathbb{R}}^{\mu }$ such that $\Phi x+e=\Phi x^{\prime }$. In other words, the matrix $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$ is ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-error undetectable if and only if there exist a non-zero $x_e\in {\mathbb{R}}^{\mathrm{n}}$ and ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse $e\in {\mathbb{R}}^{\mu }$ such that $\Phi x_e=e$. Typically, in terms of vectors, the vector $e\in {\mathbb{R}}^{\mu }$ is said to be undetectable with respect to $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$ if $e=\Phi x_e\in {\mathbb{R}}^{\mu }$ for some $x_e\in {\mathbb{R}}^{\mathrm{n}}$.

Lemma 1

([15], Proposition 1). For a finite sequence $\left\{{\mu }_{\mathsf{i}}\right\}=\left\{{\mu }_1,{\mu }_2,\cdots ,{\mu }_{\mathrm{p}}\right\}$ with $\mu ={\sum }_{\mathsf{i}=1}^{\mathrm{p}}{\mu }_{\mathsf{i}}$ and a matrix $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$, the followings are equivalent:

• (i) The matrix $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$ is ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-error detectable.
• (ii) For every set $\mathcal{J}\subset \left[\mathrm{p}\right]$ satisfying $\left|\mathcal{J}\right|\ge \mathrm{p}-\mathsf{q}$, ${\Phi }_{{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}$ has full column rank.
• (iii)  For any $x\in {\mathbb{R}}^{\mathrm{n}}$ where $x\ne 0_{\mathrm{n}\times 1}$, the vector $\Phi x\in {\mathbb{R}}^{\mu }$ is not ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse.

With the estimate $\widehat{x}$ of x obtained by MVUE of (24) in Theorem 1, we can calculate the estimated output $\Phi \widehat{x}$ and generate a residual signal r, which is a difference between the real measurement and the estimated output, that is, $r:=\widehat{z}-\Phi \widehat{x}$. Then, the residual r becomes another random variable whose distribution is also Gaussian. Finally, the mean and covariance of the Gaussian distributed random variable r is computed in the following theorem.

Theorem 2.

For the measurement $\widehat{z}=\Phi x+v+e\in {\mathbb{R}}^{\mu }$ where $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$ has full column rank and v satisfies $v\sim N(0_{\mu \times 1},P)$ with $P>0$, let $\widehat{x}=\Psi \widehat{z}={\left({\Phi }^{\top }{P}^{-1}\Phi \right)}^{-1}{\Phi }^{\top }{P}^{-1}\widehat{z}$ and

$$\begin{array}{c}\hfill \begin{array}{c}\hfill r:=\widehat{z}-\Phi \widehat{x}=(I_{\mu \times \mu }-\Phi \Psi )\widehat{z}=(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})\widehat{z},\end{array}\end{array}$$ (38)

where $\Psi :={({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1}$. Then, the residual r is Gaussian distributed with mean $(I_{\mu \times \mu }-\Phi \Psi )e$ and covariance $(I_{\mu \times \mu }-\Phi \Psi )P$,

$$r\sim N\left((I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})e,P-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }\right).$$ (39)

Furthermore, $e=\Phi x_e\in {\mathbb{R}}^{\mu }$ for some $x_e\in {\mathbb{R}}^{\mathrm{n}}$ if and only if the mean of r, $\mathbf{E}\left[r\right](=(I_{\mu \times \mu }-\Phi \Psi )e)$, satisfies $\mathbf{E}\left[r\right]=0_{\mu \times 1}$. In other words, e is undetectable with respect to Φ if and only if $\mathbf{E}\left[r\right]=0_{\mu \times 1}$.

Proof. 

First, the mean of r is computed as follows.

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill \mathbf{E}\left[r\right]& =\mathbf{E}\left[(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})\widehat{z}\right]\hfill \\ & =(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})\mathbf{E}[\Phi x+v+e]\hfill \\ & =(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})(\Phi x+e)\hfill \\ & =(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})e=(I_{\mu \times \mu }-\Phi \Psi )e\hfill \end{array}\end{array}$$ (40)

Second, because it easily follows that

$$\begin{array}{cc}\hfill r-\mathbf{E}\left[r\right]& =(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})(\widehat{z}-e)\hfill \\ \hfill & =(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})(\Phi x+v)\hfill \\ \hfill & =(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})v=(I_{\mu \times \mu }-\Phi \Psi )v,\hfill \end{array}$$

the covariance matrix is calculated as

$$\begin{array}{cc}\hfill & \mathbf{E}\left[(r-\mathbf{E}\left[r\right]){(r-\mathbf{E}\left[r\right])}^{\top }\right]=\mathbf{E}\left[(I_{\mu \times \mu }-\Phi \Psi )v{v}^{\top }{(I_{\mu \times \mu }-\Phi \Psi )}^{\top }\right]\hfill \\ \hfill & =(I_{\mu \times \mu }-\Phi \Psi )\mathbf{E}\left[v{v}^{\top }\right]{(I_{\mu \times \mu }-\Phi \Psi )}^{\top }=(I_{\mu \times \mu }-\Phi \Psi )P{(I_{\mu \times \mu }-\Phi \Psi )}^{\top }\hfill \\ \hfill & =(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})P{(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})}^{\top }\hfill \\ \hfill & =P-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }=(I_{\mu \times \mu }-\Phi \Psi )P.\hfill \end{array}$$

Moreover, note that

$$\begin{array}{cc}\hfill \mathbf{E}\left[r\right]& =(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})\mathbf{E}\left[\widehat{z}\right]\hfill \end{array}$$

because of (40), and

$$\begin{array}{cc}\hfill \mathbf{E}\left[\widehat{z}\right]& =\mathbf{E}[\Phi x+v+e]=\Phi x+e.\hfill \end{array}$$

Since $\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1}$ is a projection matrix and it projects $\mathbf{E}\left[\widehat{z}\right]$ onto the range space of $\Phi$, $\mathcal{R}(\Phi )$, we have $\mathbf{E}\left[\widehat{z}\right]=\Phi x+e\notin \mathcal{R}(\Phi )$ if and only if $\mathbf{E}\left[\widehat{z}\right]\ne \Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1}\mathbf{E}\left[\widehat{z}\right]$. This implies that $e\notin \mathcal{R}(\Phi )$ if and only if $(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})\mathbf{E}\left[\widehat{z}\right]\ne 0_{\mu \times 1}$. This completes the proof.    □

Theorem 2 clarifies the mean and covariance of the Gaussian random variable r, and further, characterization of undetectable attacks with statistical analysis is also given. Now, one can derive a detection criterion of ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse errors based on the property of the residual signal r, assuming that $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$ is ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-error detectable and that $e\in {\mathbb{R}}^{\mu }$ is actually ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse. This detection strategy is summarized in the following theorem.

Theorem 3.

For a finite sequence $\left\{{\mu }_{\mathsf{i}}\right\}=\left\{{\mu }_1,{\mu }_2,\cdots ,{\mu }_{\mathrm{p}}\right\}$ with $\mu ={\sum }_{\mathsf{i}=1}^{\mathrm{p}}{\mu }_{\mathsf{i}}$ and the measurement $\widehat{z}=\Phi x+v+e\in {\mathbb{R}}^{\mu }$ where $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$ is ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-error detectable, $e\in {\mathbb{R}}^{\mu }$ is ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse, and $v\in {\mathbb{R}}^{\mu }$ satisfies $v\sim N(0_{\mu \times 1},P)$ with $P>0$, let

$$r=\widehat{z}-\Phi \widehat{x}=\widehat{z}-\Phi \Psi \widehat{z}=(I_{\mu \times \mu }-\Phi \Psi )\widehat{z}=(I_{\mu \times \mu }-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1})\widehat{z}$$

be given. Then, $e=0_{\mu \times 1}$ if and only if $\mathbf{E}\left[r\right]=0_{\mu \times 1}$. Moreover, when $e=0_{\mu \times 1}$, the vector x is exactly recovered by the expectation value of $\widehat{x}=\Psi \widehat{z}={({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1}\widehat{z}$, that is, $x=\mathbf{E}\left[\widehat{x}\right]$, which means that $\widehat{x}$ is an unbiased estimate of x.

Proof. 

From Theorem 2, the ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse e satisfies $e=\Phi x_e\in {\mathbb{R}}^{\mu }$ for some $x_e\in {\mathbb{R}}^{\mathrm{n}}$ if and only if $\mathbf{E}\left[r\right]=0_{\mu \times 1}$. However, any non-zero $e=\Phi x_e\in {\mathbb{R}}^{\mu }$ for some $x_e\in {\mathbb{R}}^{\mathrm{n}}$ is not ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse by Lemma 1. (iii) since $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$ is ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-error detectable. Therefore, the ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse $e=\Phi x_e\in {\mathbb{R}}^{\mu }$ should be zero, and the result directly follows. Furthermore, the property of an unbiased estimate (with minimum variance) is easily obtained from Theorem 1.    □

From the observation of Theorems 2 and 3, the problem of detecting a non-zero ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-sparse error signal e with a ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-error detectable coding matrix $\Phi \in {\mathbb{R}}^{\mu \times \mathrm{n}}$ can be rephrased as: Given the residual signal r, which comes from the Gaussian distribution $N(\mathbf{E}\left[r\right],P-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top })$, determine if $\mathbf{E}\left[r\right]=0_{\mu \times 1}$ or $\mathbf{E}\left[r\right]\ne 0_{\mu \times 1}$. Therefore, the statistical decision theory [31] is helpful in this situation. More precisely, the ${\chi }^2$ test for fault detection [22,23], which is widely used to detect unwanted error signals, such as faults or attacks, can be applied.

One can simply apply the ${\chi }^2$ test to detect the presence of error signals in the ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) measurement $\widehat{z}$ given by (36), and its operating scheme is summarized in Algorithm 1. Initially, the attack detection alarm indicator f is set to 0, and then the residual r is computed according to Equation (38). Without any error signal (that is, $e=0_{\mu \times 1}$), the residual r follows a Gaussian distribution $N(0,P-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top })$, which is shown in (39). Now, define the standardized residual $\zeta :={\left(P-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top })\right)}^{-\frac{1}{2}}r$ whose distribution becomes $N(0_{\mu \times 1},I_{\mu \times \mu })$. Thus, the 2-norm of $\zeta$ denoted by $g:={\zeta }^{\top }\zeta$ is an observation from a random variable $\mathbf{g}$, which satisfies a ${\chi }^2$ distribution with $\mu$ degrees of freedom (DOF),

$$\mathbf{g}\sim {\chi }_{\mu }^2.$$

This means that g cannot be far away from zero. Finally, when g is greater than a threshold ${\Delta }_{TH}$, the attack detection alarm is triggered by setting $f=1$. Here, ${\Delta }_{TH}$ is the predetermined threshold value, and it decides the probability of false alarm and the probability of error detection. For example, when the threshold ${\Delta }_{TH}$ is chosen such that

$${\int }_0^{{\Delta }_{TH}}{p}_{\mathbf{g}}\left(x\right)dx=1-\delta ,$$ (41)

where $p_{\mathbf{g}}\left(x\right)$ denotes the PDF of the ${\chi }_{\mu }^2$ distribution, the probability of false alarm becomes $\delta$. As the probability of false alarm $\delta$ becomes smaller, the probability of error detection also decreases, which implies that there is a trade-off between the small false alarm and the high error detection ratio. Thus, one needs to choose ${\Delta }_{TH}$ as a good compromise between these two conflicting requirements.

Algorithm 1  Detection scheme based on the ${\chi }^2$ test

Input: $\widehat{z}$ Output: f Initialization: $f=0$  1: ${\widehat{x}}_{\mathrm{MVUE}}={({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1}\widehat{z}$  2: $r=\widehat{z}-\Phi {\widehat{x}}_{\mathrm{MVUE}}$  3: $\zeta ={\left(P-\Phi {({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top })\right)}^{-\frac{1}{2}}r$  4: $g={\zeta }^{\top }\zeta$  5: if $g\le {\Delta }_{TH}$then  6:    $f=0$  7: else if  $g>{\Delta }_{TH}$ then  8:    $f=1$  9: end if

4.3. Secure State Estimation under a Sparse Sensor Attack

In this subsection, an attack-resilient and secure state estimation scheme, which reconstructs the optimal estimate for the state x under Assumptions 1–3, is developed. First, characterization of the matrix $\Phi$ defined in (21) under Assumption 3 is given as follows.

Lemma 2

([15], Proposition 1,2,3,6). For a finite sequence $\left\{{\mu }_{\mathsf{i}}\right\}=\left\{{\mu }_1,{\mu }_2,\cdots ,{\mu }_{\mathrm{p}}\right\}$ with ${\mu }_{\mathsf{i}}=\mathsf{rank}\left(G_{\mathsf{i}}\right)$ for $\mathsf{i}\in \left[\mathrm{p}\right]$ where $G_{\mathsf{i}}$ is the observability matrix given in (4), the followings are equivalent:

• (i) The pair $(A,C)$ is $2\mathsf{q}$ redundant observable.
• (ii) The matrix Φ is ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $2\mathsf{q}$-error detectable.
• (iii)  For every set $\mathcal{J}\subset \left[\mathrm{p}\right]$ satisfying $\left|\mathcal{J}\right|\ge \mathrm{p}-2\mathsf{q}$, ${\Phi }_{{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}$ has full column rank.
• (iv)  The pair $(A,C)$ is observable under $\mathsf{q}$-sparse sensor attacks.

Note that the redundancy for observability is $2\mathsf{q}$, which is twice the sparsity of the attack signal. This is the key point of constructing the state estimation algorithm. We can examine each subset ${\mathcal{J}}_{\mathsf{k}}\subset \left[\mathrm{p}\right]$ of sensors whose size is $\mathrm{p}-\mathsf{q}$. In other words, we have $\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)$ number of subsets ${\mathcal{J}}_1,{\mathcal{J}}_2,\cdots ,{\mathcal{J}}_{\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)}$ where ${\mathcal{J}}_{\mathsf{k}}\subset \left[\mathrm{p}\right]$ and $|{\mathcal{J}}_{\mathsf{k}}|=\mathrm{p}-\mathsf{q}$ for $\mathsf{k}=1,2,\cdots ,\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)$. Since $\Phi$ is ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $2\mathsf{q}$-error detectable by Assumption 3 and Lemma 2.(ii), it easily follows that ${\Phi }_{{\mathcal{I}}_{{\mathcal{J}}_{\mathsf{k}}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}$ is $\mathsf{q}$-error detectable for ${\mathcal{J}}_{\mathsf{k}}$ with $|{\mathcal{J}}_{\mathsf{k}}|=\mathrm{p}-\mathsf{q}$. This means that, even after removing any $\mathsf{q}$ sensors, the remaining outputs still have $\mathsf{q}$ redundancy for observability. Therefore, the detection scheme of Theorem 3, which relies on the ($\left\{{\mu }_{\mathsf{i}}\right\}$-stacked) $\mathsf{q}$-error detectability of the coding matrix, can be applied for each subset ${\mathcal{J}}_{\mathsf{k}}\subset \left[\mathrm{p}\right]$ satisfying $|{\mathcal{J}}_{\mathsf{k}}|=\mathrm{p}-\mathsf{q}$.

The configuration of the secure state estimator, which replaces the information fusion center $\mathcal{D}$ in Figure 1, is sketched in Figure 2, and its operation is described in Algorithm 2. Before explaining the operation, let $\Psi$ denote ${({\Phi }^{\top }{P}^{-1}\Phi )}^{-1}{\Phi }^{\top }{P}^{-1}$ where $\Phi$ and P are given in (21) and (23), respectively. Furthermore, the notation for a sub-matrix is slightly abused for simplicity. For example, $P_{\mathcal{J}}$, ${\Phi }_{\mathcal{J}}$, and ${\Psi }_{\mathcal{J}}$ denote

$$P_{{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}},{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}},{\Phi }_{{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}},\mathrm{and}{\left({\Phi }_{{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}^{\top }{\left(P_{{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}},{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}\right)}^{-1}{\Phi }_{{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}\right)}^{-1}{\Phi }_{{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}^{\top }{\left(P_{{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}},{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}\right)}^{-1},$$

respectively, where ${\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}:={\bigcup }_{\mathsf{j}\in \mathcal{J}}^{}\left\{\left({\sum }_{\mathsf{i}=1}^{\mathsf{j}-1}{\mu }_{\mathsf{i}}\right)+1,\left({\sum }_{\mathsf{i}=1}^{\mathsf{j}-1}{\mu }_{\mathsf{i}}\right)+2,\cdots ,{\sum }_{\mathsf{i}=1}^{\mathsf{j}}{\mu }_{\mathsf{i}}\right\}$. Recall that $P_{{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}},{\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}$ denotes the matrix obtained from P by eliminating all $\mathsf{i}$-th rows and all $\mathsf{j}$-th columns such that $\mathsf{i}\notin {\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}$ and $\mathsf{j}\notin {\mathcal{I}}_{\mathcal{J}}^{\left\{{\mu }_{\mathsf{i}}\right\}}$.

Figure 2.

Configuration of the resilient estimation scheme with Gaussian disturbance/noise.

Initially, an attack-free index set ${\mathcal{J}}^{*}$, a state estimate $\widehat{x}$, a standardized residual’s norm g, and a fault alarm signal f, are set to $\left[\mathrm{p}\right]$, $\Psi \widehat{z}$, 0, and 0, respectively. The algorithm continually checks if there is any attack in the index set ${\mathcal{J}}^{*}$ based on Algorithm 1. For the given index set ${\mathcal{J}}^{*}$, the algorithm essentially calculates the MVUE $\widehat{x}={\Psi }_{{\mathcal{J}}^{*}}{\widehat{z}}_{{\mathcal{J}}^{*}}$, the residual $r={\widehat{z}}_{{\mathcal{J}}^{*}}-{\Phi }_{{\mathcal{J}}^{*}}\widehat{x}$, the standardized residual $\zeta ={\left(P_{{\mathcal{J}}^{*}}-{\Phi }_{{\mathcal{J}}^{*}}{\Psi }_{{\mathcal{J}}^{*}}{P}_{{\mathcal{J}}^{*}}\right)}^{-\frac{1}{2}}r$, and its 2-norm $g={\zeta }^{\top }\zeta$ only with the measurement and covariance data from the subset ${\mathcal{J}}^{*}\subset \left[\mathrm{p}\right]$. Recall from Theorem 2 that, if $e_{\mathsf{j}}=e_{{\mathcal{I}}_{\mathsf{j}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}=0_{{\mu }_{\mathsf{j}}\times 1}$ for all $\mathsf{j}\in {\mathcal{J}}^{*}$, we have $r\sim N(0_{{\mu }_{{\mathcal{J}}^{*}}\times 1},P_{{\mathcal{J}}^{*}}-{\Phi }_{{\mathcal{J}}^{*}}{\Psi }_{{\mathcal{J}}^{*}}{P}_{{\mathcal{J}}^{*}})$ where ${\mu }_{{\mathcal{J}}^{*}}:={\sum }_{\mathsf{j}\in {\mathcal{J}}^{*}}{\mu }_{\mathsf{j}}=\left|{\mathcal{I}}_{{\mathcal{J}}^{*}}^{\left\{{\mu }_{\mathsf{i}}\right\}}\right|$, and thus, $g={\zeta }^{\top }\zeta$ is an observation from a random variable ${\mathbf{g}}_{{\mathcal{J}}^{*}}$, which satisfies a ${\chi }^2$ distribution with ${\mu }_{{\mathcal{J}}^{*}}$ DOF,

$${\mathbf{g}}_{{\mathcal{J}}^{*}}\sim {\chi }_{{\mu }_{{\mathcal{J}}^{*}}}^2.$$ (42)

Therefore, g is used to detect the presence of attack in the subset ${\mathcal{J}}^{*}$ by the ${\chi }^2$ test. We compare g with the threshold ${\Delta }_{TH}^{{\mathcal{J}}^{*}}$, which is designed before running the algorithm and determines the probability of false alarm and the probability of error detection. If $g\le {\Delta }_{TH}^{{\mathcal{J}}^{*}}$, the index set ${\mathcal{J}}^{*}$ is declared to be attack-free by setting $f=0$ and the algorithm simply maintains the selected optimal index set ${\mathcal{J}}^{*}$. Otherwise, when g is greater than the threshold ${\Delta }_{TH}^{{\mathcal{J}}^{*}}$, the attack detection alarm is triggered by setting $f=1$, and the algorithm starts the process of searching new attack-free index set.

Algorithm 2 Operation of the resilient estimation with Gaussian disturbance/noise

Input: ${\widehat{z}}_1$, ${\widehat{z}}_2$, ⋯, ${\widehat{z}}_{\mathrm{p}}$, $P_1$, $P_{12}$, ⋯, $P_{\mathrm{p}(\mathrm{p}-1)}$, $P_{\mathrm{p}}$ Output: ${\mathcal{J}}^{*}$, $\widehat{x}$, g, f Initialization: ${\mathcal{J}}^{*}=\left[\mathrm{p}\right]$, $\widehat{x}=\Psi \widehat{z}$, $g=0$, $f=0$  1: while system (1) is running do  2:    $\widehat{x}={\Psi }_{{\mathcal{J}}^{*}}{\widehat{z}}_{{\mathcal{J}}^{*}}$  3:    $r={\widehat{z}}_{{\mathcal{J}}^{*}}-{\Phi }_{{\mathcal{J}}^{*}}\widehat{x}$  4:    $\zeta ={\left(P_{{\mathcal{J}}^{*}}-{\Phi }_{{\mathcal{J}}^{*}}{\Psi }_{{\mathcal{J}}^{*}}{P}_{{\mathcal{J}}^{*}}\right)}^{-\frac{1}{2}}r$  5:    $g={\zeta }^{\top }\zeta$  6:    if $g\le {\Delta }_{TH}^{{\mathcal{J}}^{*}}$ then  7:       $f=0$  8:    else if $g>{\Delta }_{TH}^{{\mathcal{J}}^{*}}$ then  9:       $f=1$  10:       for $\mathcal{J}\subset \left[\mathrm{p}\right]$ satisfying $\left|\mathcal{J}\right|=\mathrm{p}-\mathsf{q}$ do  11:          ${\widehat{x}}^{\mathcal{J}}={\Psi }_{\mathcal{J}}{\widehat{z}}_{\mathcal{J}}$  12:          $r^{\mathcal{J}}={\widehat{z}}_{\mathcal{J}}-{\Phi }_{\mathcal{J}}{\widehat{x}}^{\mathcal{J}}$  13:          ${\zeta }^{\mathcal{J}}={\left(P_{\mathcal{J}}-{\Phi }_{\mathcal{J}}{\Psi }_{\mathcal{J}}{P}_{\mathcal{J}}\right)}^{-\frac{1}{2}}{r}^{\mathcal{J}}$  14:          $g^{\mathcal{J}}={{\zeta }^{\mathcal{J}}}^{\top }{\zeta }^{\mathcal{J}}$  15:       end for  16:       ${\displaystyle {\mathcal{J}}^{*}=\underset{\begin{array}{c}\mathcal{J}\subset \left[\mathrm{p}\right]\\ \left|\mathcal{J}\right|=\mathrm{p}-\mathsf{q}\end{array}}{arg\; max}{p}_{{\mathbf{g}}_{\mathcal{J}}}\left(g^{\mathcal{J}}\right)}$  17:    end if  18: end while

In order to find a new attack-free index set and, consequently, to recover the state x from the new index set, we search all subsets ${\mathcal{J}}_{\mathsf{k}}$’s in $\left[\mathrm{p}\right]$ whose size is $\mathrm{p}-\mathsf{q}$. For a detailed explanation, let

$$\left\{{\mathcal{J}}_1,{\mathcal{J}}_2,\cdots ,{\mathcal{J}}_{\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)}\right\}$$

be the set $\left\{\mathcal{J}\subset \left[\mathrm{p}\right]:\left|\mathcal{J}\right|=\mathrm{p}-\mathsf{q}\right\}$. For each subset ${\mathcal{J}}_{\mathsf{k}}$ where $\mathsf{k}\in \left[\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)\right]$, the computing module ${\mathcal{C}}_{\mathsf{k}}$ calculates the MVUE ${\widehat{x}}^{{\mathcal{J}}_{\mathsf{k}}}={\Psi }_{{\mathcal{J}}_{\mathsf{k}}}{\widehat{z}}_{{\mathcal{J}}_{\mathsf{k}}}$, the residual $r^{{\mathcal{J}}_{\mathsf{k}}}={\widehat{z}}_{{\mathcal{J}}_{\mathsf{k}}}-{\Phi }_{{\mathcal{J}}_{\mathsf{k}}}{\widehat{x}}^{{\mathcal{J}}_{\mathsf{k}}}$, the standardized residual ${\zeta }^{{\mathcal{J}}_{\mathsf{k}}}={\left(P_{{\mathcal{J}}_{\mathsf{k}}}-{\Phi }_{{\mathcal{J}}_{\mathsf{k}}}{\Psi }_{{\mathcal{J}}_{\mathsf{k}}}{P}_{{\mathcal{J}}_{\mathsf{k}}}\right)}^{-\frac{1}{2}}{r}^{{\mathcal{J}}_{\mathsf{k}}}$, and its 2-norm $g^{{\mathcal{J}}_{\mathsf{k}}}={{\zeta }^{{\mathcal{J}}_{\mathsf{k}}}}^{\top }{\zeta }^{{\mathcal{J}}_{\mathsf{k}}}$ only with the measurement and covariance data from the subset ${\mathcal{J}}_{\mathsf{k}}$. Now, the new optimal subset ${\mathcal{J}}^{*}$ is decided by the maximum likelihood (ML) decision rule with the values of $g^{{\mathcal{J}}_{\mathsf{k}}}$’s, and the selector $\mathcal{S}$ chooses the optimal index set ${\mathcal{J}}^{*}$ by the ML decision rule. To this end, we wish to distinguish between $\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)$ hypotheses, ${\mathcal{H}}_1,{\mathcal{H}}_2,\cdots ,{\mathcal{H}}_{\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)}$, which are given as follows:

$${\mathcal{H}}_{\mathsf{k}}:\mathrm{the}\mathrm{set}{\mathcal{J}}_{\mathsf{k}}\mathrm{is}\mathrm{attack}-\mathrm{free},\mathrm{i}.\mathrm{e}.,e_{\mathsf{j}}=e_{{\mathcal{I}}_{\mathsf{j}}^{\left\{{\mu }_{\mathsf{i}}\right\}}}=0_{{\mu }_{\mathsf{j}}\times 1}\mathrm{for}\mathrm{all}\mathsf{j}\in {\mathcal{J}}_{\mathsf{k}}.$$

Let us denote ${\mathbf{g}}_{\mathsf{k}}$ as a random variable such that $g^{{\mathcal{J}}_{\mathsf{k}}}$ is a single observation from ${\mathbf{g}}_{\mathsf{k}}$, whereas ${\mathbf{g}}_{{\mathcal{J}}_{\mathsf{k}}}$ denotes a random variable such that

$${\mathbf{g}}_{{\mathcal{J}}_{\mathsf{k}}}\sim {\chi }_{{\mu }_{{\mathcal{J}}_{\mathsf{k}}}}^2$$

with ${\mu }_{{\mathcal{J}}_{\mathsf{k}}}:={\sum }_{\mathsf{j}\in {\mathcal{J}}_{\mathsf{k}}}{\mu }_{\mathsf{j}}=\left|{\mathcal{I}}_{{\mathcal{J}}_{\mathsf{k}}}^{\left\{{\mu }_{\mathsf{i}}\right\}}\right|$ and $p_{{\mathbf{g}}_{{\mathcal{J}}_{\mathsf{k}}}}$ is the PDF of the ${\chi }_{{\mu }_{{\mathcal{J}}_{\mathsf{k}}}}^2$ distribution. Note that, if the sensors indexed by ${\mathcal{J}}_{\mathsf{k}}$ are attack-free, then the random variable ${\mathbf{g}}_{\mathsf{k}}$ as well as ${\mathbf{g}}_{{\mathcal{J}}_{\mathsf{k}}}$ follows the ${\chi }^2$ distribution with ${\mu }_{{\mathcal{J}}_{\mathsf{k}}}$ DOF. The ML decision rule choose the hypothesis ${\mathcal{H}}_{{\mathsf{k}}^{*}}$ and the corresponding optimal index set ${\mathcal{J}}_{{\mathsf{k}}^{*}}$ that maximize the likelihood $p_{{\mathbf{g}}_{\mathsf{k}}}\left(g^{{\mathcal{J}}_{\mathsf{k}}};{\mathcal{H}}_{\mathsf{k}}\right)$, which is the PDF of ${\mathbf{g}}_{\mathsf{k}}$ being equal to the observation $g^{{\mathcal{J}}_{\mathsf{k}}}$ under the hypothesis ${\mathcal{H}}_{\mathsf{k}}$ (that is, under the condition that there is no attack signal in the measurements indexed by ${\mathcal{J}}_{\mathsf{k}}$). Therefore, we have

$$\begin{array}{cc}\hfill {\mathcal{J}}^{*}={\mathcal{J}}_{{\mathsf{k}}^{*}}& =\underset{\mathsf{k}\in \left[\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)\right]}{arg\; max}{p}_{{\mathbf{g}}_{\mathsf{k}}}\left(g^{{\mathcal{J}}_{\mathsf{k}}};{\mathcal{H}}_{\mathsf{k}}\right)=\underset{\begin{array}{c}\mathcal{J}\subset \left[\mathrm{p}\right]\\ \left|\mathcal{J}\right|=\mathrm{p}-\mathsf{q}\end{array}}{arg\; max}{p}_{{\mathbf{g}}_{\mathcal{J}}}\left(g^{\mathcal{J}}\right),\hfill \end{array}$$

where the last equality comes from the fact that ${\mathbf{g}}_{\mathsf{k}}\sim {\chi }_{{\mu }_{{\mathcal{J}}_{\mathsf{k}}}}^2$ under the hypothesis ${\mathcal{H}}_{\mathsf{k}}$ so that it follows the PDF of the ${\chi }^2$ distribution. Therefore, from the index set ${\mathcal{J}}_{{\mathsf{k}}^{*}}$ corresponding to the ML hypothesis ${\mathcal{H}}_{{\mathsf{k}}^{*}}$, the MVUE of the newly selected optimal index set ${\mathcal{J}}^{*}(={\mathcal{J}}_{{\mathsf{k}}^{*}})$, ${\widehat{x}}^{{\mathcal{J}}^{*}}$, becomes the final suboptimal estimate of x.

Remark 2.

The proposed algorithm selects the subset of sensors ${\mathcal{J}}^{*}\subset \left[\mathrm{p}\right]$, which is most likely to be attack-free with $|{\mathcal{J}}^{*}|=\mathrm{p}-\mathsf{q}$. Moreover, if the selected set ${\mathcal{J}}^{*}$ is actually attack-free, it gives the minimum variance with unbiased estimation. In short, Algorithm 2 generates a state estimate, which is most likely to have minimum variance with unbiased mean. However, we say that it is a suboptimal estimate of x instead of the optimal estimate because the decentralized multi-sensor information fusion Kalman filter cannot ensure to achieve the centralized optimal covariance even without attack as illustrated in ([24], Section 5).

Remark 3.

Note that Algorithm 2 needs to prepare $\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)$ candidates and compare all those candidates. The time complexity of the error correction algorithm depends on the number of combinations $\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)$, and thus, it has the polynomial time complexity of $\mathcal{O}\left({\mathrm{p}}^{min\{\mathsf{q},\mathrm{p}-\mathsf{q}\}}\right)$. Therefore, the proposed algorithm may not be scalable for very large p with $\mathsf{q}\approx \mathrm{p}/2$ due to the combinatorial nature of the algorithm. The time complexity could be reduced by imposing additional restrictive assumptions as done in [20,21] which reformulate the problem into a convex optimization problem. However, in our scheme demanding minimal assumptions, the comibinatorial algorithm only needs to operate when an attack is detected. In addition, most of the time, only the attack detection algorithm requiring a small amount of computation, is executed. Another advantage of the proposed algorithm is that its space complexity is linear with the number of sensors p, that is, $\mathcal{O}\left(\mathrm{p}\right)$. The total memory size required for local observers is ${\sum }_{\mathsf{i}=1}^{\mathrm{p}}{\mu }_{\mathsf{i}}\le \mathrm{n}\mathrm{p}$, whereas if all possible combinations of estimator candidates are configured as real observers, the observer’s size becomes $\mathrm{n}\left(\genfrac{}{}{0pt}{}{\mathrm{p}}{\mathsf{q}}\right)$.

5. Simulation Results

We consider a motor-controlled multi-DOF torsion system [34] as depicted in Figure 3. A continuous-time state-space model of the system when the control input is the torque $\tau$ ($\mathrm{N}·\mathrm{m}$) generated by the servo motor is given by

$$\begin{array}{c}\hfill {\mathcal{P}}_c^{\prime }:\left\{\begin{array}{c}\dot{x}\left(t\right)=A_c^{\prime }x\left(t\right)+B_c^{\prime }\tau \left(t\right)+d\left(t\right)\hfill \\ y\left(t\right)=C_{c}x\left(t\right)+n\left(t\right)\hfill \end{array}\right.\end{array}$$ (43)

with the matrices

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill A_c^{\prime }& =\left[\begin{array}{cccccc}0& 1& 0& 0& 0& 0\\ -\frac{k_1}{J_1}& -\frac{b_1}{J_1}& \frac{k_1}{J_1}& 0& 0& 0\\ 0& 0& 0& 1& 0& 0\\ \frac{k_1}{J_2}& 0& -\frac{k_1+k_2}{J_2}& -\frac{b_2}{J_2}& \frac{k_2}{J_2}& 0\\ 0& 0& 0& 0& 0& 1\\ 0& 0& \frac{k_2}{J_3}& 0& -\frac{k_2}{J_3}& -\frac{b_3}{J_3}\end{array}\right],B_c^{\prime }=\left[\begin{array}{c}0\\ \frac{1}{J_1}\\ 0\\ 0\\ 0\\ 0\end{array}\right],\hfill \\ \hfill C_c& =\left[\begin{array}{cccccc}1& 0& 0& 0& 0& 0\\ 0& 0& 1& 0& 0& 0\\ 0& 0& 0& 0& 1& 0\\ 1& 0& -1& 0& 0& 0\\ 0& 0& 1& 0& -1& 0\end{array}\right],\hfill \end{array}\end{array}$$ (44)

where

$$\begin{array}{c}\hfill x:=\left[\begin{array}{c}{\theta }_1\\ {\dot{\theta }}_1\\ {\theta }_2\\ {\dot{\theta }}_2\\ {\theta }_3\\ {\dot{\theta }}_3\end{array}\right]\mathrm{and}y:=\left[\begin{array}{c}{\theta }_1\\ {\theta }_2\\ {\theta }_3\\ {\theta }_1-{\theta }_2\\ {\theta }_2-{\theta }_3\end{array}\right]\end{array}$$

are the state variable and the output measurement, respectively. Here, the unit for angular positions $\theta$’s and the unit for angular velocities $\dot{\theta }$’s are ($\mathrm{rad}$) and ($\mathrm{rad}/\mathrm{s}$), respectively. The parameters are borrowed from [34], and we have that $J_1=0.0022$, $J_2=J_3=0.000545$ ($\mathrm{kg}·{\mathrm{m}}^2$) for the moment of inertia, $b_1=0.015$, $b_2=b_3=0.0015$ ($\mathrm{N}·\mathrm{m}/(\mathrm{rad}/\mathrm{s})$) for the viscous damping ratio, and $k_1=k_2=1$ ($\mathrm{N}·\mathrm{m}/\mathrm{rad})$ for the flexible stiffness.

Figure 3.

Motor control system of multi-DOF torsion modules.

Note that the dynamics are the same as those of the three inertia system considered in [15]; however, Figure 3 additionally considers the servo motor system given as follows:

$$\begin{array}{c}\hfill \begin{array}{c}\hfill \tau =\frac{{\eta }_g{K}_g{\eta }_m{k}_t(u-K_g{k}_m{\dot{\theta }}_1)}{R_m},\end{array}\end{array}$$ (45)

which generates the torque $\tau$ ($\mathrm{N}·\mathrm{m}$) from the input voltage of u ($\mathrm{V}$). The parameters for the servo system are also borrowed from [34], and we have that ${\eta }_g=0.9$ for the gearbox efficiency, $K_g=70$ for the total gear ratio, ${\eta }_m=0.69$ for the motor efficiency, $k_t=0.00768$ ($\mathrm{N}·\mathrm{m}/\mathrm{A}$) for the motor current torque constant, $k_m=0.00768$ ($\mathrm{V}/(\mathrm{rad}/\mathrm{s})$) for the motor back electromotive force (EMF) constant, and $R_m=2.6$ ($\Omega$) for the motor armature resistance. Thus, the final continuous-time plant with the voltage u ($\mathrm{V}$) as an input signal is obtained as

$$\begin{array}{c}\hfill {\mathcal{P}}_c:\left\{\begin{array}{c}\dot{x}\left(t\right)=A_{c}x\left(t\right)+B_{c}u\left(t\right)+d\left(t\right)\hfill \\ y\left(t\right)=C_{c}x\left(t\right)+n\left(t\right)\hfill \end{array}\right.\end{array}$$ (46)

with the matrices

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill A_c& =\left[\begin{array}{cccccc}0& 1& 0& 0& 0& 0\\ -\frac{k_1}{J_1}& -\frac{b_1}{J_1}-\frac{{\eta }_g{K}_g^2{\eta }_m{k}_t{k}_m}{R_m}\frac{1}{J_1}& \frac{k_1}{J_1}& 0& 0& 0\\ 0& 0& 0& 1& 0& 0\\ \frac{k_1}{J_2}& 0& -\frac{k_1+k_2}{J_2}& -\frac{b_2}{J_2}& \frac{k_2}{J_2}& 0\\ 0& 0& 0& 0& 0& 1\\ 0& 0& \frac{k_2}{J_3}& 0& -\frac{k_2}{J_3}& -\frac{b_3}{J_3}\end{array}\right],B_c=\left[\begin{array}{c}0\\ \frac{{\eta }_g{K}_g{\eta }_m{k}_t}{R_m}\frac{1}{J_1}\\ 0\\ 0\\ 0\\ 0\end{array}\right],\hfill \end{array}\end{array}$$ (47)

and the same $C_c$ as in (44). Finally, the zero-order hold equivalent model of (46) is used for the discrete-time model $\mathcal{P}$ in (1), and the matrices are calculated by

$$\begin{array}{c}\hfill A:=e^{A_c{T}_s},B:=\left({\int }_0^{T_s}{e}^{A_c\tau }d\tau \right)B_c,C:=C_c\end{array}$$ (48)

with the sampling time of $T_s=0.002$ ($\mathrm{s}$). By examining all possible combinations of sensors, it follows that the system $\mathcal{P}$ in (1) with A and C given in (48) is 2-redundant observable, and hence it is observable under 1-sparse sensor attack by Lemma 2.

In addition, the disturbance d and the noise n are assumed to satisfy Assumption 1 with

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill Q& =0.{001}^2\times \left[\begin{array}{cccccc}1& 0& 0& 0& 0& 0\\ 0& 9& 0& 0& 0& 0\\ 0& 0& 1& 0& 0& 0\\ 0& 0& 0& 1& 0& 0\\ 0& 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 0& 1\end{array}\right],R=0.{001}^2\times \left[\begin{array}{ccccc}1& 0& 0& 1& 0\\ 0& 1& 0& -1& 1\\ 0& 0& 1& 0& -1\\ 1& -1& 0& 3& -1\\ 0& 1& -1& -1& 3\end{array}\right],\hfill \end{array}\end{array}$$

and the initial state $x\left(0\right)$ of the system (46) satisfies $x\left(0\right)\sim N({\overline{x}}_0,P_0)$ as stated in Assumption 1 with the mean ${\overline{x}}_0$ and the covariance $P_0$ given by

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\overline{x}}_0& =\left[\begin{array}{c}0\\ 0\\ 0\\ 0\\ 0\\ 0\end{array}\right],P_0=\left[\begin{array}{cccccc}1& 0& 0& 0& 0& 0\\ 0& 1& 0& 0& 0& 0\\ 0& 0& 1& 0& 0& 0\\ 0& 0& 0& 1& 0& 0\\ 0& 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 0& 1\end{array}\right].\hfill \end{array}\end{array}$$

The simulation is performed under 1-sparse sensor attack on the third sensor with the signal shown in Figure 4b, which is made to mimic the motion pattern by the natural frequency as observed in Figure 4c,d. Moreover, the attack starts at 2 second, which is the same time when the square pulse input u is injected into the system as described in Figure 4a. Even under the attack signal, the resilient state estimation with multi-sensor information fusion Kalman filter based on the observability decomposition developed in Section 3 and Section 4 works well. The states are recovered with a small error as demonstrated in Figure 4c,d, which are the state estimation results for ${\theta }_3$ and ${\dot{\theta }}_3$, respectively.

Figure 4.

Plot of signals in a multi-DOF torsion system.

In this simulation, the threshold ${\Delta }_{TH}$ for the attack detection is chosen by $\delta =0.05$ in (41) so that the cumulative density function (CDF) satisfies ${\int }_0^{{\Delta }_{TH}}{p}_{{\mathbf{g}}_{{\mathcal{J}}^{*}}}\left(x\right)dx=0.95$ where $p_{{\mathbf{g}}_{{\mathcal{J}}^{*}}}$ is the PDF of a random variable ${\mathbf{g}}_{{\mathcal{J}}^{*}}$, which satisfies a ${\chi }^2$ distribution with ${\mu }_{{\mathcal{J}}^{*}}$ DOF, as stated in (42). Since Figure 4e shows that the 2-norm of the standardized residual, g, exceeds the threshold ${\Delta }_{TH}$ at the instant of 2 second, which is the initiation time of the attack, it is judged that there is an attack (the lines from 8 to 9 in Algorithm 2) and the estimation scheme begins to search the indices of attack-free sensors (the lines from 10 to 16 in Algorithm 2). As a result of the search algorithm, a new set of sensor indices is found by the ML decision rule (the line 16 in Algorithm 2), and the attacked third senor is excluded from 2 second as depicted in Figure 4f.

6. Conclusions

In this paper, the multi-sensor information fusion Kalman filter proposed in [24,25] was improved using the observability decomposition to ensure the convergence of the error covariance matrix of each local observer. The local observer of a decentralized Kalman filter with only a single sensor was designed for an observable subspace instead of the entire n-dimensional state vector without any global information. Then, the proposed decentralized information fusion Kalman filter was applied to the secure state estimation problem where some of sensors were compromised by a malicious attacker.

To cope with the zero-mean Gaussian distributed disturbances/noises, a local Kalman filter replaced the partial Luenberger observer designed in [15], where bounded disturbances/noises were considered in the state estimation problem under sparse sensor attacks. When there was no attack, the proposed algorithm guaranteed an optimal state estimate in the sense of minimum variance, and it generated a state estimate that was most likely to have the minimum variance with an unbiased mean in the presence of sparse sensor attacks.

The proposed algorithm can be applied to cyber-physical systems, including complex sensor networks operating based on linear dynamics under sparse sensor attacks as well as Gaussian disturbances/noises. We imposed the minimal assumption of the redundant observability, which is known to be the equivalent condition to solve the problem. Furthermore, the computational time was alleviated by running only a relatively light attack detection scheme for most of the execution time, and the memory size of the observer was reduced by constructing local observers only for observable subspaces.

One possible direction of future research is to develop a distributed attack-resilient state estimator. While this paper proposed a decentralized Kalman filter scheme, the fusion center collects all the data from each sensors. Although the construction of local Kalman filters is decentralized, the information fusion method is still centralized. Therefore, it is necessary to develop a fully distributed attack-resilient state estimation technique for a general sensor network without any central information fusion center.

Abbreviations

The following abbreviations are used in this manuscript:

LTI	Linear Time Invariant
i.i.d.	independent and identically distributed
MVUE	Minimum Variance Unbiased Estimator
BLUE	Best Linear Unbiased Estimator
PDF	Probability Density Function
DOF	Degrees Of Freedom
ML	Maximum Likelihood
EMF	ElectroMotive Force
CDF	Cumulative Density Function

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Funding Statement

This work was supported by the Materials & Components Technology Development Program (20017351, Development of Servo System Technology with a Current Response of 6.2 kHz and Power Regeneration for Automated Manufacturing Equipment Application) funded by the Ministry of Trade, Industry & Energy (MOTIE, Korea).