Sensor Switching Control Under Attacks Detectable by Finite Sample Dynamic Watermarking Tests

Control system security is enhanced by the ability to detect malicious attacks on sensor measurements. Dynamic watermarking can detect such attacks on linear time-invariant (LTI) systems. However, existing theory focuses on attack detection and not on the use of watermarking in conjunction with attack mitigation strategies. In this paper, we study the problem of switching between two sets of sensors: One set of sensors has high accuracy but is vulnerable to attack, while the second set of sensors has low accuracy but cannot be attacked. The problem is to design a sensor switching strategy based on attack detection by dynamic watermarking. This requires new theory because existing results are not adequate to control or bound the behavior of sensor switching strategies that use finite data. To overcome this, we develop new finite sample hypothesis tests for dynamic watermarking in the case of bounded disturbances, using the modern theory of concentration of measure for random matrices. Our resulting switching strategy is validated with a simulation analysis in an autonomous driving setting, which demonstrates the strong performance of our proposed policy.