Ebook Security of Cyber Physical Systems State Estimation and Control 1St Edition Chengwei Wu Online PDF All Chapter
Studies in Systems, Decision and Control 396
Chengwei Wu
Weiran Yao
Guanghui Sun
Ligang Wu
Security of Cyber-Physical Systems: State Estimation and Control
Studies in Systems, Decision and Control
Volume 396
Series Editor
Janusz Kacprzyk, Systems Research Institute, Polish Academy of Sciences,
Warsaw, Poland
The series “Studies in Systems, Decision and Control” (SSDC) covers both new
developments and advances, as well as the state of the art, in the various areas of
broadly perceived systems, decision making and control–quickly, up to date and
with a high quality. The intent is to cover the theory, applications, and perspectives
on the state of the art and future developments relevant to systems, decision
making, control, complex processes and related areas, as embedded in the fields of
engineering, computer science, physics, economics, social and life sciences, as well
as the paradigms and methodologies behind them. The series contains monographs,
textbooks, lecture notes and edited volumes in systems, decision making and
control spanning the areas of Cyber-Physical Systems, Autonomous Systems,
Sensor Networks, Control Systems, Energy Systems, Automotive Systems,
Biological Systems, Vehicular Networking and Connected Vehicles, Aerospace
Systems, Automation, Manufacturing, Smart Grids, Nonlinear Systems, Power
Systems, Robotics, Social Systems, Economic Systems and other. Of particular
value to both the contributors and the readership are the short publication timeframe
and the world-wide distribution and exposure which enable both a wide and rapid
dissemination of research output.
Indexed by SCOPUS, DBLP, WTI Frankfurt eG, zbMATH, SCImago.
All books published in the series are submitted for consideration in Web of Science.
Security of Cyber-Physical Systems: State Estimation and Control
Chengwei Wu, Department of Control Science and Engineering, Harbin Institute of Technology, Harbin, China
Weiran Yao, Department of Control Science and Engineering, Harbin Institute of Technology, Harbin, China
© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature
Switzerland AG 2022
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether
the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse
of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and
transmission or information storage and retrieval, electronic adaptation, computer software, or by similar
or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, expressed or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
To My Family
C. Wu
To Yang Chen
W. Yao
To My Family
G. Sun
To My Family
L. Wu
Preface
The past decades have witnessed great development in control theory, communication
technology, computer science, smart devices and so on, which makes it possible to
design CPSs. In CPSs, the cyber realm is in charge of gathering, processing and
transmitting data and interacting with humans, and the physical system governs the
system dynamics. Such systems integrate the cyber realm and the physical world into a
unified frame, improving the degree of automation and intelligence of physical systems.
CPSs can benefit many fields, for example, transportation, basic infrastructure,
robotics, smart buildings, etc. Due to the integration of the open and shared cyber
layer, CPSs are no longer closed. While they improve the performance of systems, CPSs
are vulnerable to adversaries. Adversaries can invade the cyber layer by using illegal
attacks, examples of which are DoS attacks, false data injection attacks and replay
attacks. By implementing these attacks, adversaries can realize their illegal goals,
including gaining benefits and degrading or even destroying the performance of the
system. The notorious case is Stuxnet, which destroyed Iran's nuclear devices. Recently,
attacks have occurred frequently around the world. It is an urgent but challenging task
to secure CPSs. Although researchers have proposed many remarkable secure schemes from
the computer and communication protocol perspective, the performance of the physical
system, which is fairly important for CPSs, is excluded. To solve such a problem, this
monograph attempts to give some novel secure schemes for CPSs from the automation
control perspective.
The problems of secure control, estimation and optimal attack design for CPSs in
the presence of malicious attacks are thoroughly investigated. Both DoS attacks and
false data injection attacks are addressed. By introducing some techniques such as
the game-theoretical approach, moving target defense, reinforcement learning and
optimal control, several novel results are proposed. This monograph includes two
parts. One focuses on the problems of secure estimation and control for CPSs under
DoS attacks. The other is concerned with the problems of secure estimation and
control for CPSs with false data injection attacks. Specifically, the main contents of
the first part are as follows:
There are numerous individuals without whose help this book would not have been
completed. Special thanks go to Prof. Zhong-Ping Jiang from New York University,
Prof. Jianxing Liu from Harbin Institute of Technology, Prof. Xingjian Jing from The
Hong Kong Polytechnic University, Prof. Hongyi Li from Guangdong University of
Technology, Prof. Wei Pan from Delft University of Technology, and Dr. Xiaolei Li from
Harbin Institute of Technology, for their valuable suggestions, constructive comments
and support.
The writing of this book was supported in part by the National Key R&D
Program of China (No. 2019YFB1312001), National Natural Science Foundation
of China (62033005, 62022030), China Postdoctoral Science Foundation
(2021TQ0091, 2020M681098), and Heilongjiang Provincial Natural Science Foundation
of China (ZD2021F001).
Contents
1 Introduction
1.1 Current Research on Securing CPSs
1.1.1 Advances in Detecting Attacks
1.1.2 Advances in Securing CPSs Under DoS Attacks
1.1.3 Advances in Securing CPSs Under Deception Attacks
1.2 Publication Contribution
1.3 Publication Outline
References
Notations and Acronyms
is defined as
∈ belongs to
∀ for all
sum
R field of real numbers
Rn space of n-dimensional real vectors
Rn×m space of n×m real matrices
E{·} mathematical expectation operator
lim limit
max maximum
min minimum
sup supremum
inf infimum
rank(·) rank of a matrix
trace(·) trace of a matrix
λmin (·) minimum eigenvalue of a real symmetric matrix
λmax (·) maximum eigenvalue of a real symmetric matrix
I identity matrix
In n×n identity matrix
0 zero matrix
0n×m zero matrix of dimension n×m
X transpose of matrix X
X∗ conjugate transpose of matrix X
X −1 conjugate transpose of matrix X
X > (<)0 X is real symmetric positive (negative) definite
X ≥ (≤)0 X is real symmetric positive (negative) semi-definite
2 {[0, ∞), [0, ∞)} space of square summable sequences on {[0, ∞); [0, ∞)}
(discrete case)
|·| Euclidean vector norm
· Euclidean matrix norm (spectral norm)
∞
· 2 2 − norm : 0 |·|
2
· E E{ · 2 }
Diag block diagonal matrix with blocks {X1 , . . . , Xm }
CPSs cyber-physical systems
DoS denial-of-service attack
MDP Markovian decision process
IT2 interval type-2
FLS fuzzy logic systems
SISO single input single output
SINR signal-to-interference-plus-noise
T−S Takagi-Sugeno
LQG linear quadratic Gaussian
MTD moving target defense
List of Figures
Fig. 3.5 Responses of state x2 and its estimation x̂2 under DoS attacks
Fig. 3.6 DoS attack frequency and duration
Fig. 3.7 Responses of states x1, x2 and x3
Fig. 3.8 Iterative processes of the game values ϑ0.5(θ1) and ϑ0.5(θ2)
Fig. 3.9 Evolution of the policies f(θ1) and g(θ1)
Fig. 3.10 Evolution of the policies f(θ2) and g(θ2)
Fig. 3.11 Trajectories of state x1 and its estimation x̂1 under DoS attacks
Fig. 3.12 Trajectories of state x2 and its estimation x̂2 under DoS attacks
Fig. 3.13 Trajectories of state x3 and its estimation x̂3 under DoS attacks
Fig. 3.14 Trajectories of state x1 and its estimation x̂1 under DoS attacks in Example 3
Fig. 3.15 Trajectories of state x2 and its estimation x̂2 under DoS attacks in Example 3
Fig. 3.16 Trajectories of state x3 and its estimation x̂3 under DoS attacks in Example 3
Fig. 4.1 The system blueprint. The definitions of the symbols x(k), y(k), u(k) etc. are defined in the chapter
Fig. 4.2 Tracking performance comparisons under attacks and without attacks
Fig. 4.3 Tracking errors under attacks and without attacks
Fig. 4.4 The error of Qi − Q
Fig. 4.5 The error of K̄i − K̄
Fig. 4.6 The trajectories of the output y(k) and reference signal r(k) in the learning
Fig. 4.7 The response of the added probing noise in the learning
Fig. 4.8 The learning times under different probability ᾱ. (“Error” denotes Qi − Q.)
Fig. 4.9 Responses of the output signal y(k) and reference signal r(k) under DoS attacks
Fig. 4.10 Response of K̄i − K̄
Fig. 5.1 Responses of x1, x2 and x3 for Case A in Example 1
Fig. 5.2 Response of x4 for Case A in Example 1
Fig. 5.3 Trajectory of input u for Case A in Example 1
Fig. 5.4 Trajectories of θ̂1, θ̂2 and θ̂3 for Case A in Example 1
Fig. 5.5 Trajectories of x1, x2 and x3 for Case B in Example 1
Fig. 5.6 Trajectory of x4 for Case B in Example 1
Fig. 5.7 Trajectory of input u for Case B in Example 1
Fig. 5.8 Trajectories of θ̂1, θ̂2 and θ̂3 for Case B in Example 1
Fig. 5.9 One-link manipulator
Fig. 5.10 Trajectories of x1, x2 and x3 for Case A in Example 2
Fig. 5.11 Trajectory of x4 for Case A in Example 2
Fig. 8.5 The average of the state x4(k) and the estimated state x̂4(k) of the filter
Fig. 8.6 The response of the performance index J with α = 0.6
Fig. 8.7 The norm of the solution P with different attack probability
Fig. 8.8 The errors of Kd,i − Kd and Ka,i − Ka (i means the learning times)
Fig. 8.9 The error of H̄i − H̄ (i means the learning times)
Fig. 9.1 System blueprint. Here, the “Switch” means that if the residual signal generated by the detector is greater than the predefined threshold, the alarm will be triggered
Fig. 9.2 The flow chart of defense control scheme. Here, MT is short for moving target
Fig. 9.3 Attack isolation using the parallel unknown input observers
Fig. 9.4 Setup of a three-tank system
Fig. 9.5 The moving target switching signal under the probabilities pl
Fig. 9.6 The levels of tank 1, tank 2 and tank 3 without attacks using the optimal control gain K3
Fig. 9.7 The levels of tank 1, tank 2 and tank 3 without attacks using the moving target defense control scheme
Fig. 9.8 Control costs respectively under the optimal control gain K3 and moving target defense (MTD) control scheme
Fig. 9.9 The attack alarm
Fig. 9.10 The estimates of attacks
Fig. 9.11 Levels of tanks 1, 2, 3 when all actuator signals are compromised using the control scheme
Fig. 9.12 Error evolutions of Kli − Kl∗ and Lil − L∗l
Fig. 9.13 Levels of tanks 1, 2, 3 when all actuator signals are compromised using the reactive secure control scheme
Fig. 9.14 The attack alarm in Case 2
Fig. 9.15 Moving target switching signal in Case 2
Fig. 9.16 Levels of tanks 1, 2 and 3 in Case 2
Fig. 9.17 Estimates of attack signals in Case 2
Fig. 9.18 Levels of tanks 1, 2 and 3 using Algorithm 2
Fig. 9.19 The attack alarm using Algorithm 2
Fig. 9.20 Estimates of attack signals using Algorithm 2
Fig. 10.1 Trajectories of yd and y in Example 1
Fig. 10.2 Trajectories of x1 and x̂1 in Example 1
Fig. 10.3 Trajectories of x2 and x̂2 in Example 1
Fig. 10.4 Trajectories of x3 and x̂3 in Example 1
Fig. 10.5 Trajectory of u1 and u2 in Example 1
Fig. 10.6 One-link manipulator
Fig. 10.7 Trajectories of yd and y in Example 2
Chapter 1
Introduction
CPSs, whose conceptual model is shown in Fig. 1.1, consist of the cyber realm and
the physical layer. The cyber realm is mainly in charge of interactions between the
cyber world and the physical world, and the physical layer governs the physical
dynamics [13, 67, 71]. The increasing development of computer and communication
devices promotes the application of CPSs. The cyber realm ubiquitously embeds such
devices to process, exchange, and gather information and then directly interacts with
the physical components. As promising engineered systems, CPSs have tremendous
economic and societal impact and potential [70]. The applications of CPSs range from
the military to civil critical infrastructure, and more. Antsaklis in [6] has
scrutinized the relevant definition, applications, and challenges of CPSs and pointed
out that CPSs would transform the way that humans interact with the physical
environment.
In CPSs, the quality of the cyber realm can affect the performance of the physical
process and vice versa. It is noted that CPSs provide more access to the cyber world,
while adversaries also have the same opportunity to attack the cyber layer. Examples
of attack cases include the worm virus Stuxnet [38], the attack on the Maroochy water
services in Australia [137], cutting cities' power [42], etc. Specifically, the
adversaries intruded into the Siemens industrial control systems by a USB flash disk,
causing substantial damage to Iran’s nuclear program [38]. The Maroochy Shire Council’s
sewage control systems have been successfully attacked, which led to flooding with a
million liters of sewage [137]. For some other attack incidents, see [14]. As can be
seen from the cases mentioned above, malicious attacks can damage or even deteriorate
the system performance, leading to economic loss or threatening safety. It is thus
extremely urgent to prevent CPSs from being intruded. Effective mechanisms for CPS
security need to be designed.
Based on computer and communication technologies, we can design secure algorithms,
for example, encryption algorithms, to prevent the cyber layer from being intruded and
preserve the security of CPSs. It is noted that potential adversaries can acquire
sufficient knowledge of their target systems by long-time monitoring. They get illegal
access to launch their attacks and realize their objectives. Once the cyber layer is
successfully intruded, the security methods implemented on the cyber layer are useless.
The physical components will be exposed to the attacks. In such a situation, it is
important for the physical system to deal with attacks to maintain system performance.
For physical systems, attacks can be regarded as faults. How to cope with these special
faults and maintain the desired system performance becomes a control problem. It is
thus necessary to design an approach from the control-theoretical perspective to
protect the CPSs.
Different kinds of cyber attacks can be executed to deteriorate the system performance
and realize the adversaries’ illegal objectives. The authors of [144] have discussed
different cyber attacks, for example, the denial-of-service (DoS) attack, replay attack,
zero dynamics attack, and bias injection attack. Such attacks are often classified into
two categories, namely, the DoS attack and the deception attack (a.k.a. false data
injection attack). As to the security problem of CPSs under attacks, considerable
results can be found in the literature [35, 102, 116, 132, 182]. The main research
directions on CPSs under attacks are summarized in Fig. 1.2. Several survey papers
have reviewed the recent advances in these directions, see, for example, [27, 62, 98,
133]. In what follows, we will give a concise review of the existing results.
[Fig. 1.2: main research directions on CPSs under attacks. Box labels: χ2 based Kalman filter; weighted least square approaches; modeling DoS attacks; securing control approaches; modeling deception attacks; securing estimation approaches]
DoS attacks are often used to occupy the communication resources to prohibit
the transmission of sensing/control signals. The adversaries can deploy them with
many alternative techniques. For instance, they can send superfluous requests to flood
the targeted communication network in an attempt to prevent all legitimate requests
from being fulfilled. In existing results, there are mainly five categories of models
describing DoS attacks, namely, the Bernoulli distribution [136], the Markov chain
[9], a signal-to-interference-plus-noise ratio (SINR) based communication model [123],
the periodic model [184] and the attack frequency and attack duration approach [21].
The Bernoulli model and the Markovian model require an attacker to follow a
probabilistic packet drop model, but it is hard to justify the incentive. Thus,
the attack frequency and attack duration model is proposed. In such a model,
no assumption is made regarding the underlying strategy of the DoS attack. It considers
a general attack model that only constrains the attacker’s action in time by posing
limitations on the frequency of DoS attacks and their duration. This makes it possible
to capture many different types of DoS attacks, including trivial, periodic, random and
protocol-aware jamming attacks. The SINR-based model is different from the
models mentioned above. It can address the interaction between the attacker and the
system defender. In a periodic model, DoS attacks are assumed to occur periodically
in a given time interval. Based on these DoS attack models, researchers have paid
considerable attention to the secure control and the optimal DoS attack scheme.
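The attack frequency and attack duration model described above, as an added example that is not from the book: a defender-side check of a constructed packet-loss log against assumed bounds. It assumes the usual formalisation of this model in the literature, which this page does not spell out (in any window of length L, the number of DoS onsets is at most `eta + L/tau_d` and the denied time is at most `kappa + L/t_bound`); all function names, parameter names and sample logs are hypothetical.

```python
from itertools import accumulate
from math import floor


def flags_from_bursts(n, bursts):
    """Build a constructed loss log: flags[k] == 1 when sample k was denied."""
    flags = [0] * n
    for start, length in bursts:
        for k in range(start, min(start + length, n)):
            flags[k] = 1
    return flags


def check_dos_bounds(lost, eta, tau_d, kappa, t_bound):
    """Return None if every window [i, j) respects both bounds, otherwise
    (kind, i, j, observed, allowed) for the first violating window.

    Assumed bounds (not stated on the page):
      frequency: onsets in [i, j)       <= eta   + (j - i) / tau_d
      duration:  denied samples in [i, j) <= kappa + (j - i) / t_bound
    """
    n = len(lost)
    # An onset is an off -> on transition of the DoS flag.
    onsets = [1 if lost[k] and (k == 0 or not lost[k - 1]) else 0
              for k in range(n)]
    cum_onsets = [0] + list(accumulate(onsets))
    cum_lost = [0] + list(accumulate(1 if f else 0 for f in lost))
    for i in range(n):
        for j in range(i + 1, n + 1):
            length = j - i
            count = cum_onsets[j] - cum_onsets[i]
            allowed = eta + length / tau_d
            if count > allowed:
                return ("frequency", i, j, count, allowed)
            denied = cum_lost[j] - cum_lost[i]
            allowed = kappa + length / t_bound
            if denied > allowed:
                return ("duration", i, j, denied, allowed)
    return None


def longest_outage_allowed(kappa, t_bound):
    """Longest single outage L that can satisfy L <= kappa + L / t_bound
    (requires t_bound > 1). A controller designed under this model must
    tolerate this many consecutive lost samples."""
    return floor(kappa * t_bound / (t_bound - 1))


# Constructed bounds and logs (40 samples each), for illustration only.
BOUNDS = {"eta": 1, "tau_d": 10, "kappa": 3, "t_bound": 4}
WITHIN = flags_from_bursts(40, [(5, 3), (20, 2)])             # sparse bursts
TOO_FREQUENT = flags_from_bursts(40, [(5, 1), (7, 1), (9, 1)])  # rapid on/off
TOO_LONG = flags_from_bursts(40, [(5, 10)])                   # one long outage

if __name__ == "__main__":
    for name, log in [("within", WITHIN), ("too_frequent", TOO_FREQUENT),
                      ("too_long", TOO_LONG)]:
        print(name, check_dos_bounds(log, **BOUNDS))
    print("longest outage allowed:", longest_outage_allowed(3, 4))
```

Because the check makes no assumption about how the losses were generated, the same function applies to periodic, random or bursty logs, which is the point of this model compared with the Bernoulli and Markovian ones.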
As shown in Fig. 1.3, adversaries can launch DoS attacks by intruding into the
communication links. Under DoS attacks, data packet dropout occurs, degrading the
system performance. Describing attacks as a Markovian model, the authors of [104]
proposed an LQG control scheme against DoS attacks, and an upper bound on the
attack probability has been derived, beyond which the stability of CPSs cannot be
guaranteed. Based on the attack frequency and attack duration approach initially
proposed in [21], several interesting results have been reported, for example,
secure control using the robust design approach [36], secure control under multiple
communication-link attacks [95], and sliding mode control using a switching approach
[155]. In addition, the event-triggered scheme has been widely designed to reduce the
communication burden and save limited computing resources in CPSs [31, 39, 117].
Researchers have applied the event-triggered scheme to secure consensus control for
multi-agent systems [37, 160] and power systems [54, 118]. To understand the way
that adversaries attack CPSs, the authors of [122, 171, 174] proposed optimal DoS
attack scheduling to ultimately degrade the system performance from the adversary’s
perspective. In these results, the linear quadratic cost function has been introduced,
and the relation between the attack sequence and the control performance has been
revealed. Using such a relation and optimal theory, the optimal attack sequence can
be designed, and the attack energy allocation problem has also been solved. Different
from the above results, both the defender and the adversary are considered in a unified
framework by introducing the game-theoretical approach, and plenty of novel results
have been published, see, for example, [34, 168, 173, 178, 179, 183].
As to deception attacks (a.k.a. false data injection attacks), they are executed to
deteriorate the integrity of transmitted data. These attacks can be designed to pass
the attack detection scheme and affect the system performance [4, 114, 153, 162].
The well-known example of such attacks is Stuxnet, which tampers with the code in
PLCs, causing a deviation from the required behaviors [38]. Several papers have been
published to show the design and detection of such attacks [7, 115, 175]. In CPSs,
deception attacks are injected into the sensing data and the control signal. Under
attacks, these signals are described as ũ(k) = u(k) + u_a(k), ỹ(k) = y(k) + y_a(k).
Attacks on both a single communication link and multiple communication links have been
addressed in the literature [52, 84]. Such attacks are common in power systems; see
[92] for more discussion on modeling such attacks. Based on these attack
models, considerable results concerning secure estimation and secure control
have been published.
The secure estimation problem of CPSs under deception attacks has been a hot
topic in CPSs. Figure 1.4 shows the blueprint of secure estimation under deception
attacks. In this figure, we only give the case which uses multiple communication
channels. As shown in Fig. 1.4, the estimator is often designed as a filter or an
observer. By using the optimal theory and linear system theory, the secure estimation
scheme can be designed [44, 103, 116]. For example, the authors of [100] designed a
Kalman filter to estimate the states under bias injection attacks, and a χ2-based
detector has been adopted to detect the anomalies. In [101], a Kalman filter based
secure algorithm has been designed for stochastic physical plants. The secure
estimation performance was characterized by the upper bound on the number of attacked
sensors. Considering sparse attacks, the authors of [35] derived the upper bound on the
number of attacked sensors, beyond which the secure estimation problem cannot be solved.
Based on the above work, an adaptive observer has been designed in [5]. Regarding
false data injection attacks as unknown input, an unknown input interval observer
has been designed for smart grids in [154]. Using such an observer, the attacks can
be effectively detected and isolated. Other interesting results can be found in [24,
72, 93, 162] and the references therein.
[Fig. 1.4: blueprint of secure estimation under deception attacks. Labels: Attacker; Channel 1, Channel 2, ..., Channel n]
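The Kalman filter with a χ2-based detector mentioned above, applied to the sensor attack model ỹ(k) = y(k) + y_a(k) with a constant bias, as an added example that is not from the book or from the cited papers. The scalar plant, noise variances, bias size, random seed and 99% threshold are all constructed assumptions, and the function names are hypothetical.

```python
import random

CHI2_99_1DOF = 6.635  # 99% quantile of chi-square with one degree of freedom


def run_detector(steps=120, attack_start=60, bias=3.0, seed=7):
    """Simulate x(k+1) = a x(k) + w(k), y(k) = c x(k) + v(k), feed the filter
    the possibly falsified reading y~(k) = y(k) + y_a(k), and record the
    chi-square statistic of the innovation at every step."""
    a, c = 0.9, 1.0          # constructed plant model
    q, r = 0.01, 0.04        # constructed process / measurement noise variances
    rng = random.Random(seed)
    x, x_hat, p = 1.0, 1.0, 1.0
    records = []
    for k in range(steps):
        # Plant, sensor, and the injected bias y_a(k).
        x = a * x + rng.gauss(0.0, q ** 0.5)
        y = c * x + rng.gauss(0.0, r ** 0.5)
        y_a = bias if k >= attack_start else 0.0
        y_tilde = y + y_a
        # Kalman prediction.
        x_pred = a * x_hat
        p_pred = a * p * a + q
        # Innovation (residual), its variance, and the detector statistic.
        residual = y_tilde - c * x_pred
        s = c * p_pred * c + r
        g = residual ** 2 / s
        # Kalman update: the filter trusts y~(k), falsified or not.
        gain = p_pred * c / s
        x_hat = x_pred + gain * residual
        p = (1.0 - gain * c) * p_pred
        records.append({"k": k, "g": g, "alarm": g > CHI2_99_1DOF,
                        "error": x_hat - x})
    return records


def summarise(records, attack_start, settle=10):
    """Detection and estimation-quality figures for one run."""
    before = [rec for rec in records if rec["k"] < attack_start]
    after = [rec for rec in records if rec["k"] >= attack_start]
    first = next((rec["k"] for rec in after if rec["alarm"]), None)
    settled = [rec["error"] for rec in after
               if rec["k"] >= attack_start + settle]
    return {
        "false_alarms_before_onset": sum(rec["alarm"] for rec in before),
        "first_alarm_after_onset": first,
        "alarm_rate_after_onset": sum(rec["alarm"] for rec in after) / len(after),
        "mean_estimate_bias": sum(settled) / len(settled),
    }


if __name__ == "__main__":
    print("attacked:", summarise(run_detector(), attack_start=60))
    print("clean:   ", summarise(run_detector(bias=0.0), attack_start=60))
```

The alarm fires at the onset sample, but the filter then absorbs most of the constant bias into its state estimate, so the residual shrinks while the estimate stays offset; detection alone does not restore a trustworthy estimate.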
There exist considerable results about secure control against deception attacks
in the literature. Figure 1.5 depicts the blueprint of secure control for CPSs under
deception attacks. For the blueprint of secure control equipped with an attack
detector, see [103]. By adopting linear quadratic control, sliding mode control, fuzzy
control, and adaptive control techniques, secure control schemes can be designed
to maintain system performance. Specifically, the authors of [26] discussed how to
design a secure control scheme using the quadratic cost criterion. Using linear
quadratic Gaussian control, a two-stage secure control algorithm has been proposed
in [18], in which the worst-case damage that the adversary can cause by introducing
false data was limited. To improve the robustness of the control scheme, sliding
mode controllers have been designed for CPSs under false data injection attacks in
[12, 79]. In [56], both sensor and actuator attacks have been considered, and
an adaptive fuzzy controller has been designed to preserve the security of CPSs.
In [80], the consensus control problem for multi-agents under false data injection
attacks has been studied. As to the investigation on smart grids under false data
injection attacks, [106] reviewed the recent results. It is noted that the results
mentioned above are designed from the defender’s perspective. The dynamics of
adversaries are not considered in the design process. To take both sides into a unified
framework, the game-theoretical approach is adopted. The attacker and the defender are
modeled as players in a game, and then secure schemes are proposed [85, 91, 129, 177].
[Fig. 1.5: blueprint of secure control for CPSs under deception attacks. Labels: Controller; communication links; false data injection attacks]
target defense mechanism fails, the zero-sum game based reinforcement learning
secure controller is designed to guarantee that the system performance can be still
preserved.
3. A novel Lyapunov-based soft actor-critic secure control algorithm is proposed
by using the deep reinforcement learning approach. Such an algorithm only uses
data to train the deep neural networks, which are utilized to approximate the value
function and the policy. More importantly, the stability of the physical system
using the learned policy is proved, which is great progress.
This publication is a timely reflection of the developing new area of secure esti-
mation and control for CPSs under malicious attacks. It is a collection of latest
research results and therefore serves as a useful textbook for senior and/or gradu-
ate students who are interested in knowing recent advances in optimal DoS attack
sequence design, secure estimation and control, learning based secure control, and
proactive defense scheme design problems. It can also be used as a practical research
reference for engineers dealing with securing CPSs.
Generally, this is an advanced publication aimed at 3rd/4th-year undergraduates,
postgraduates and academic researchers. Prerequisite knowledge includes optimal
control, linear algebra, game theory, and reinforcement learning. Expected readers
include (1) control engineers working on secure schemes design for CPSs; (2) system
engineers working on secure control and CPSs; (3) postgraduate students majoring
in control engineering, computer science and cyber security.
The general layout of presentation of this monograph includes two parts, which
investigate secure problems of CPSs under DoS attacks and false data injection
attacks, respectively. The main contents of this monograph are shown in Fig. 1.6.
This chapter presents the research background, recent results, motivations and
research problems, which involve the attack detection, the secure estimation and
control under DoS attacks, the secure estimation and control under false data
injection attacks and optimal attack scheme design. The outline of this monograph
is given at the end of this chapter.
Part One focuses on the secure analysis and design for CPSs in the presence
of DoS attacks. It begins with Chap. 2 and consists of 5 chapters as follows.
Chapter 2 investigates the optimal DoS attack scheduling and the energy
allocation problems for CPSs with multiple communication channels. In the attack
process, the adversary is assumed to have limited resources (i.e., the adversary
cannot attack the communication channel all the time nor can he/she attack all
the channels simultaneously). The attacker’s objective is to maximize the terminal
estimation errors of the remote estimator. To realize the attack objective, the
problem of which of the multiple communication channels to attack, and how, is solved.
This chapter proposes an algorithm to determine how many consecutive attacks
should be launched and which channels should be attacked. Based on the proposed
optimal attack sequence, the optimal closed-form solution of how to allocate the
limited attack energy is derived. Finally, simulation results are given to demonstrate
the effectiveness of the proposed optimal attack scheme and energy dispatch approach.
[Fig. 1.6 Boxes legible in the figure. Secure Problems under DoS Attacks: Chapter 2,
Optimal DoS Attack Scheduling for CPSs; Chapter 4, Learning Tracking Control for CPS;
Chapter 5, Intelligent Control for Nonlinear Networked Control Systems. Secure Problems
under False Data Injection Attacks: Chapter 7, Secure Estimation for CPS via Sliding
Mode; Chapter 9, Proactive Secure Control for CPSs; Chapter 10, Fault-Tolerant Tracking
Control for Nonlinear Nonstrict-Feedback Systems.]
Chapter 3 investigates the problem of the resilient control for CPSs in the presence
of malicious sensor DoS attacks, which result in the loss of state information.
The concepts of DoS frequency and DoS duration are introduced to describe
the DoS attacks. According to the attack situation, that is, whether the attack
is successfully implemented or not, the original physical system is rewritten as a
switched version. A resilient sliding mode control scheme is designed to guarantee
that the physical process is exponentially stable, which is a foundation of the main
results. Then, a zero-sum game is employed to establish an effective mixed defense
mechanism. Furthermore, a defense-based resilient sliding mode control scheme
is proposed and the desired control performance is achieved. Compared with the
existing results, the differences mainly lie in two aspects, that is, one is that a
switched model is obtained, based on which the average dwell-time like approach
is utilized to derive the resilient control scheme, and the other is to employ the
zero-sum game to make the attacks satisfy the concepts of DoS frequency and DoS
Chapter 4 investigates the problem of optimal tracking control for CPSs when the
cyber realm is attacked by DoS attacks which can prevent the control signal from being
transmitted to the actuator. Attention is focused on how to design the optimal tracking
control scheme without using the system dynamics and analyze the impact of
DoS attacks on tracking performance. First, a Riccati equation for the augmented
system including the system model and the reference model is derived under the
framework of dynamic programming. The existence and uniqueness of its solution
are proved. Second, the impact of the successful DoS attack probability on
tracking performance is analyzed. A critical value of the probability is given,
beyond which the solution to the Riccati equation cannot converge and the tracking
controller cannot be designed. Third, reinforcement learning is introduced to
design the optimal tracking control schemes, in which the system dynamics
need not be known. Finally, both a dc motor and an F16 aircraft are used
to evaluate the proposed control schemes in this chapter.
Chapter 5 studies the problem of adaptive fuzzy control for a category of SISO
nonlinear networked control systems with network-induced delay and data loss
based on adaptive backstepping control approach. Fuzzy logic systems are used to
approximate the unknown nonlinear characteristics existing in the system, while
Padé approximation is introduced to handle network-induced delay. Data loss
occurs intermittently and stochastically in the data transmitting process, which is
regarded as the delay in the controller design. In the framework of adaptive fuzzy
backstepping technique, a novel state-feedback adaptive controller is constructed
to ensure all signals in the resulting closed-loop system to be bounded and the
state variables can be regulated to the origin. Finally, two examples are given to
show the validity of the proposed results.
Chapter 6 studies the reliable filtering problem for a category of sensor
networks in the framework of IT2 fuzzy model. In the filter design, the random
link failures, which are caused possibly by missing measurements as well as
by probabilistic communication failures, are considered to illustrate more realistic
dynamical behaviors of sensor networks. In order to tackle the uncertainties
existing in systems, the IT2 fuzzy approach is utilised to establish the model, wherein
upper and lower membership functions together with weighting coefficients are
employed to express the uncertainties. A distributed IT2 fuzzy filter model is
constructed to estimate system states. Using the Lyapunov theory, sufficient
conditions are given to ensure that the filtering error system is mean-square
asymptotically stable and satisfies the predefined average H∞ performance level.
Moreover, the criteria to design the filter parameters are developed by using the
cone complementary linearization approach. Finally, a practical example is given
to validate the proposed method.
Part Two is concerned with the secure analysis and design for CPSs under
false data injection attacks. It begins with Chap. 7 and consists of 5 chapters
as follows.
Chapter 7 is concerned with the problem of secure state reconstruction for CPSs.
CPSs are exposed to the cyber world and hence to attackers, who can attack any
sensor of the considered systems and change the values of attacked sensors to
arbitrary ones. In the design process, both malicious attacks on sensors and unknown
input are taken into consideration. Firstly, a linear discrete-time state space model
is utilized to describe such systems, and then a sparse vector is adopted to model
attacks. By collecting sensor measurements and using an iterative approach, a new
model in descriptor form is obtained, which paves the way for estimating system
states under unknown input situation. Secondly, the problem of secure state
estimation is transformed into an optimization problem. A novel sliding mode observer
is proposed to estimate system states from collected sensor measurements
corrupted by malicious attacks. In order to guarantee the estimations to be sparse, a
projection operator is designed. Thirdly, a projected sliding mode observer-based
estimation algorithm is developed to reconstruct system states, where an
event-triggered scheme is integrated to save limited computational resource. In addition
to proposing such an algorithm, the effectiveness of both projection operator and
sliding mode observer is analyzed. Furthermore, the convergence of the proposed
secure estimation algorithm is proved. Finally, some simulation results are given
to demonstrate the effectiveness of the proposed algorithm.
Chapter 8 investigates the zero-sum game based secure control problem for CPSs
under the actuator false data injection attacks. The physical process is described
as a linear time-invariant discrete-time model. Both the process noise and the
measurement noise are addressed in the design process. An optimal Kalman filter
is given to estimate the system states. The adversary and the defender are
modeled as two players. Under the zero-sum game framework, an optimal
infinite-horizon quadratic cost function is defined. Employing the dynamic programming
approach, the optimal defending policy and the attack policy are derived. The
convergence of the cost function is proved. Moreover, the critical attack
probability is derived, beyond which the cost cannot be bounded. Finally, simulation
results are provided to validate the proposed secure scheme.
and isolation schemes are designed to accurately locate and exclude the com-
promised actuators from a switching sequence. Third, a reinforcement learning
algorithm based on the zero-sum game theory is proposed to design the defense
control scheme when there exist no controllable subsystems to switch. To
demonstrate the effectiveness of the defense control scheme, a three-tank system under
unknown cyber attacks is illustrated.
Chapter 12 draws conclusions on the book, and points out some possible research
directions related to the work done in this book.
Part I
Secure Estimation and Control for CPSs
Under DoS Attacks
Chapter 2
Optimal DoS Attack Scheduling for CPSs
2.1 Introduction
This chapter investigates the problem of how to design an optimal DoS attack
sequence to deteriorate the performance of the remote estimator from the attacker’s
perspective. For the system setup, the system designer utilizes multiple
communication channels to transmit data to the remote estimator. In this way, the reliability
of the cyber layer can be improved [28]. The adversary attempts to attack these
channels. Due to limited energy, the adversary cannot attack the cyber layer
all the time [171]. Besides, not all communication channels can be hijacked at any
given time. We assume that the number of channels allowed to be attacked is no greater
than m (m means the total number of channels that can be attacked with limited
resources) [75]. To clearly show the interaction between the system designer and the
attacker, a signal-to-interference-plus-noise ratio (SINR) based model is introduced
to describe the communication channels [83]. The main contributions of this chapter
are as follows:
1. Under the limitation of attack power, this chapter designs an optimal DoS attack
scheme to maximize the terminal estimation error. Compared with the results
in [75], this chapter solves the problem of how to make a tradeoff between the
number of attacked channels and attack times when the adversary destroys the
estimation performance.
2. This chapter provides a brute-force searching algorithm to exactly determine how
to select an optimal attack sequence among the $2^m$ choices.
3. This chapter gives a closed-form solution to allocate the limited attack power.
Although some methods have been proposed to allocate the power among multiple
channels, as opposed to the single channel case considered in [75, 172] and
references therein.
Fig. 2.1 System blueprint. Here, $\hat{x}_{f,i}(k)$ means the i-th element of $\hat{x}_f(k)$
Figure 2.1 describes the system set-up, where the smart sensor is utilized to compute
the system states and transmit them to the remote estimator by multiple
communication channels. This section first describes how to model the physical process and
depict communication channels. It then formulates the problem to be addressed in
the chapter.
The physical process is described as the following discrete-time model [28, 171]
where $x(k) \in \mathbb{R}^{n_x}$ is the state vector and $y(k) \in \mathbb{R}^{n_y}$ denotes the measurement output.
$\omega(k) \in \mathbb{R}^{n_x}$ and $\upsilon(k) \in \mathbb{R}^{n_y}$ respectively mean the unrelated zero mean Gaussian
white noises. The corresponding covariances are $Q_\omega$ and $Q_\upsilon$. The initial state $x(0)$
is zero mean Gaussian with the covariance $P(0)$. $A$ is the system matrix and $C$ is the
output matrix. $(A, C)$ and $(A, Q_\upsilon)$ are detectable.
A smart sensor equipped with Kalman filter is used to estimate the states. Define
$\bar{y}(k) = [y(1), y(2), \ldots, y(k)]$ as all the measurement collections up to time $k$. The
following equations are defined
where
$$\hat{x}_f(k+1)|k = A\hat{x}_f(k)$$
$$P(k+1)|k = AP(k)A^{\top} + Q_\omega$$
$$H(k+1) = P(k+1)|k\,C^{\top}\left[CP(k+1)|k\,C^{\top} + Q_\upsilon\right]^{-1}$$
and $H(k)$ is the filter gain, $P(k)|k$ means the estimation error covariance matrix. As
the Riccati equation of the Kalman filter has a unique solution $\bar{P}$, we assume that the
filter is in a steady state, that is, the covariance matrix $P(k)|k = \bar{P}$ when $k \in [1, \infty)$
[83]. For the filter in (2.2), the initial condition is set as $\hat{x}(0) = 0$.
$$R_{SINR} = \frac{\phi_s(k)}{\phi_a(k) + \varsigma^2}$$
where $\phi_s(k)$ and $\phi_a(k)$ mean the power which is dispatched to the system operator
and the attacker at time $k$. $\varsigma^2$ is the additive white Gaussian noise power.
The smart sensors send estimations $\hat{x}_f(k)$ to the remote estimator by the cyber
realm with multiple channels. Define $S_a$ as the set of successfully attacked
channel indices, with $S_a \subset \{1, 2, \ldots, n_x\}$. Define $\tilde{\theta}(k) = \mathrm{diag}\{\tilde{\theta}_1(k), \tilde{\theta}_2(k), \ldots, \tilde{\theta}_{n_x}(k)\}$.
Denote $\tilde{\theta}_i(k)$ as the indicator variable to show whether the estimation is successfully
transmitted or not. The expression is as follows
$$\tilde{\theta}_i(k) = \begin{cases} 1, & i \notin S_a \\ 0, & i \in S_a \end{cases}$$
In this chapter, we claim that the number of attacked channels is not greater than
$m$, that is, $\|\tilde{\theta}(k)\|_0 \ge n_x - m$. According to the above discussion, the successful
attack probability can be obtained as
L
ϕs (k)
α = P(θ̃i (k) = 0) = 2Q (2.4)
a (k) + ς 2
The remote estimator has knowledge of the variable $\tilde{\theta}(k)$, so it can determine
which channels are successfully attacked. Define $\hat{x}(k)$ as the minimum mean-square
estimate of the remote estimator and $P(k)$ as the corresponding error covariance
matrix: $\hat{x}(k) = E\{x(k)|\tilde{\theta}(k)\}$, $P(k) = E\{(x(k) - \hat{x}(k))(x(k) - \hat{x}(k))^{\top}|\tilde{\theta}(k)\}$.
The remote estimator is constructed as
To clarify the definition of the covariance matrix $P(k)$, a diagonal matrix is defined
as $\Gamma = \mathrm{diag}\{\Gamma_1, \Gamma_2, \ldots, \Gamma_{n_x}\}$, where $\Gamma_i = 1$ if $\tilde{\theta}_i(k) = 0$, otherwise $\Gamma_i = 0$.
By direct computing, the error covariance matrix $P(k)$ of estimations computed
by the remote estimator can be derived as
$$P(k) = \begin{cases} \Gamma\bar{P} + \bar{P}\Gamma - \Gamma\bar{P}\Gamma, & \text{if } \|\Gamma\|_0 = n_x \\ F(P(k-1)), & \text{otherwise} \end{cases}$$
where $F(P(k-1)) = \Gamma f(P(k-1)) + f(P(k-1))\Gamma - \Gamma f(P(k-1))\Gamma$ and
$f(P(k-1)) = AP(k-1)A^{\top} + Q_\omega$.
It is noted that the function $f^{l}(\bar{P})$ possesses the property mentioned in the
following lemma whose proof is omitted for want of space; see [75].
Lemma 2.2 For the given positive integers $l_1$ and $l_2$, if $l_1 \le l_2$, the inequality
$f^{l_1}(\bar{P}) \le f^{l_2}(\bar{P})$ holds.
In addition to the average error, the terminal error is also an important performance
index. Define the performance index $J = \mathrm{Tr}(E\{P_T(k)\})$ with $E\{P_T(k)\}$ being the
expected terminal error covariance matrix. The problem of interest in this chapter is
to maximize the index $J$ with constrained attack power.
Remark 2.3 To maximize the performance $J$, the adversary can launch DoS attacks
at the last consecutive time, as observed in [172]. However, in [172], it is assumed
that all data is transmitted using a single channel. New problems occur in the case of
multiple channels, for example, the adversary needs to determine which channels to
attack to maximize the impact on system performance. One goal of the chapter is
to address the tradeoff between the attack times and the number of attacked channels.
This section gives the main results of this chapter, including how to design the attack
sequence and dispatch the limited attack power. First, how to determine the attack
sequence is discussed.
If all channels can be attacked at each time, i.e., Γ = I , the following lemma
provides an optimal attack scheme to maximize the trace of the expected terminal
error covariance matrix.
Lemma 2.4 ([172]) If the following $N$ consecutive attacks are successfully launched
$$\Big(0, \ldots, 0, \underbrace{1, \ldots, 1}_{N\ \text{times}}\Big)$$
i=0
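Based on the results in [172], the following proposition is given to determine the
attack sequence under multiple communication channels.
Proposition 2.5 If the consecutive DoS attack sequence under multiple
communication channels is designed as
$$\tilde{\theta}^* = \Big(\underbrace{0_{n_x}, \ldots, 0_{n_x}}_{T-N\ \text{times}}, \underbrace{\Gamma, \ldots, \Gamma}_{N\ \text{times}}\Big)$$
the problem of interest in this chapter can be solved. The corresponding $J$ can be
described as
$$\begin{aligned}
J &= \mathrm{Tr}\Big(\sum_{i=0}^{N-1}\big(\alpha^{i} - \alpha^{i+1}\big)F^{i}(\bar{P}) + \alpha^{N}F^{N}(\bar{P})\Big) \\
  &= \mathrm{Tr}\Big(\sum_{i=0}^{N-1}\big(\alpha^{i} - \alpha^{i+1}\big)\Gamma f^{i}(\bar{P}) + \alpha^{N}\Gamma f^{N}(\bar{P})\Big) \qquad (2.6)
\end{aligned}$$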
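Algorithm 1
1: Input $\alpha$, $N$ and $m$
2: Compute $\bar{n} = \binom{n_x}{m}$, define different $\Gamma$ as $\Gamma_1, \Gamma_2, \ldots, \Gamma_{\bar{n}}$ and the corresponding attack sequences
are described as $\tilde{\theta}^*_1, \tilde{\theta}^*_2, \ldots, \tilde{\theta}^*_{\bar{n}}$.
3: Substituting $\alpha$, $N$, $m$ and $\tilde{\theta}^*_1$ into (2.6) yields $J$; let $\tilde{\theta}^* = \tilde{\theta}^*_1$.
4: for $j = 2 : \bar{n}$ do
5: Substituting $\alpha$, $N$, $m$ and $\tilde{\theta}^*_j$ into (2.6) yields $J_j$
6: if $J_j > J$ then
7: $J = J_j$ and $\tilde{\theta}^* = \tilde{\theta}^*_j$
8: end if
9: $j = j + 1$,
10: end for
11: Output $\tilde{\theta}^*$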
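The evaluation that Algorithm 1 performs through (2.6), written out as an added Python example (not code from the book), so a designer can see which channel subsets most need protection. The 3-state system, the scalar measurement and the posterior update $(I - HC)P(k+1)|k$ are assumptions of this example; the update is the standard Kalman step and is not among the equations shown above.

```python
"""Added example: evaluate Eq. (2.6) for every m-channel subset (constructed system)."""
from itertools import combinations

def matmul(X, Y):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*Y)] for row in X]

def transpose(X):
    return [list(col) for col in zip(*X)]

def add(X, Y, sign=1.0):
    return [[x + sign * y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def trace(X):
    return sum(X[i][i] for i in range(len(X)))

def f(P, A, Q):
    """f(P) = A P A^T + Q_w: covariance growth over one step without an update."""
    return add(matmul(matmul(A, P), transpose(A)), Q)

def steady_state_cov(A, C, Q, r, iters=500):
    """Iterate the Kalman recursion to the steady-state covariance P-bar.
    Assumption: scalar measurement (C is 1 x n), so the inverse is a division."""
    n = len(A)
    P = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(iters):
        Pp = f(P, A, Q)                               # P(k+1)|k
        PCt = matmul(Pp, transpose(C))                # n x 1 column
        s = matmul(C, PCt)[0][0] + r                  # C P C^T + Q_v (scalar)
        H = [[row[0] / s] for row in PCt]             # gain H(k+1)
        P = add(Pp, matmul(H, matmul(C, Pp)), -1.0)   # assumed standard update (I - H C) P(k+1)|k
    return P

def terminal_cost(alpha, N, dropped, A, Q, Pbar):
    """Eq. (2.6) with Gamma = diag(1 on the channels in `dropped`, 0 elsewhere)."""
    n = len(A)
    G = [[1.0 if i == j and i in dropped else 0.0 for j in range(n)] for i in range(n)]
    total, Pi = 0.0, Pbar                             # Pi holds f^i(P-bar), f^0 = P-bar
    for i in range(N):
        total += (alpha ** i - alpha ** (i + 1)) * trace(matmul(G, Pi))
        Pi = f(Pi, A, Q)
    return total + alpha ** N * trace(matmul(G, Pi))

def rank_channel_sets(alpha, N, m, A, Q, Pbar):
    """Score every m-subset of the n_x channels, largest terminal error first."""
    scored = [(terminal_cost(alpha, N, set(S), A, Q, Pbar), S)
              for S in combinations(range(len(A)), m)]
    return sorted(scored, reverse=True)

# Constructed 3-state system (not from the book): one unstable mode,
# scalar measurement of state 0, Q_w = 0.1 I, Q_v = 0.1.
A = [[1.05, 0.1, 0.0], [0.0, 0.9, 0.1], [0.0, 0.0, 0.8]]
C = [[1.0, 0.0, 0.0]]
Q = [[0.1 if i == j else 0.0 for j in range(3)] for i in range(3)]
PBAR = steady_state_cov(A, C, Q, r=0.1)

if __name__ == "__main__":
    for alpha in (0.3, 0.7):
        for cost, subset in rank_channel_sets(alpha, N=4, m=2, A=A, Q=Q, Pbar=PBAR):
            print(f"alpha={alpha} channels={subset} J={cost:.4f}")
```

Because (2.6) takes a trace against a diagonal $\Gamma$, the score of a subset is the sum of its per-channel scores, so the ranking can be read off from the single-channel values.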
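$$\begin{aligned}
J_\alpha &= \mathrm{Tr}(E\{P_T(k)\}) \\
 &= \mathrm{Tr}\Big(\sum_{i=0}^{N-1}\big(\alpha^{i} - \alpha^{i+1}\big)\Gamma f^{i}(\bar{P}) + \alpha^{N}\Gamma f^{N}(\bar{P})\Big) \\
 &= \mathrm{Tr}\Big(\sum_{i=1}^{N}\alpha^{i}\Gamma F^{i}(\bar{P}) + \Gamma\bar{P}\Big)
\end{aligned}$$
$\alpha_1 < \alpha_2$, it is directly checked that $J_{\alpha_1} - J_{\alpha_2} < 0$ holds, which indicates $J_{\alpha_1} < J_{\alpha_2}$.
The proof is completed.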
For the fixed attack sequence, Proposition 2.6 indicates that if the probability α
becomes larger (i.e., more power is allocated to the attacker), the performance of
the remote estimator will be worse. The following proposition shows the relation
between the probability α and different attack sequences.
Proposition 2.7 Define N̄ = /
¯ ˜ , m̄ = /
˜ lower (m̄ < n x ) and assume α ∈
$P_{m,N}$, $\beta \in P_{m+1,N+1}$ and $N \le \bar{N} - 1$. For the normal matrix $A$, if the following
inequality holds
1 ᾱ − α
1 ≤ λi ≤ 1− (2.7)
ᾱ α N̄
then the trace of the expected terminal error covariance matrix satisfies $J_\alpha \le J_\beta$,
where $\lambda_i$ ($i \in S_a$) means the $i$-th eigenvalue of the matrix $AA^{\top}$, $J_\alpha$ and $J_\beta$ are
the expected performance indexes under the corresponding probabilities $\alpha$ and $\beta$,
respectively.
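Proof Let the diagonal matrices $\Gamma_\alpha$ and $\Gamma_\beta$ describe the attacked nodes respectively.
According to the proof in Proposition 2.6, we can obtain
$$J_\alpha = \mathrm{Tr}\Big(\sum_{i=1}^{N}\alpha^{i}\Gamma_\alpha F^{i}(\bar{P}) + \Gamma_\alpha\bar{P}\Big)$$
$$J_\beta = \mathrm{Tr}\Big(\sum_{i=1}^{N+1}\beta^{i}\Gamma_\beta F^{i}(\bar{P}) + \Gamma_\beta\bar{P}\Big)$$
$$J_\alpha - J_\beta = \mathrm{Tr}\Big(\sum_{i=1}^{N}\big(\alpha^{i}\Gamma_\alpha F^{i}(\bar{P}) - \beta^{i}\Gamma_\beta F^{i}(\bar{P})\big)\Big) - \mathrm{Tr}\big(\beta^{N+1}\Gamma_\beta F^{N+1}(\bar{P})\big) - \mathrm{Tr}\big((\Gamma_\beta - \Gamma_\alpha)\bar{P}\big)$$
$$J_\alpha - J_\beta < \mathrm{Tr}\Big(\sum_{i=1}^{N}\big(\alpha^{i} - \beta^{i}\big)\Gamma_\beta F^{i}(\bar{P}) - \beta^{N+1}\Gamma_\beta F^{N+1}(\bar{P})\Big) \qquad (2.8)$$
If $\sum_{i=1}^{N}(\alpha^{i} - \beta^{i})\Gamma_\beta F^{i}(\bar{P}) - \beta^{N+1}\Gamma_\beta F^{N+1}(\bar{P}) \le 0$ holds, $J_\alpha \le J_\beta$ can be
obtained. According to Lemma 2.2, we know that $F^{i}(\bar{P}) \ge 0$ holds. Following the
approach in [172], $J_\alpha \le J_\beta$ holds provided that the following inequality holds
$$(\bar{\alpha} - \alpha)\Gamma_\beta - \beta^{N+1}\big(\Gamma_\beta - \alpha\Gamma_\beta AA^{\top}\big)^{2}\Gamma_\beta\big(AA^{\top}\big)^{N} \le 0$$
which is equivalent to
$$\bar{\alpha} - \alpha - \beta^{N+1}(1 - \alpha\lambda_i)^{2}\lambda_i^{N} \le 0 \qquad (2.9)$$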
1 Here, $S_{\Gamma_\alpha} \cap S_{\Gamma_\beta} = S_{\Gamma_\alpha}$. $S_{\Gamma_\alpha}$ and $S_{\Gamma_\beta}$ respectively denote the nonzero element index sets of $\Gamma_\alpha$
and $\Gamma_\beta$. Without such a restriction, the proof cannot be completed.
a = arg max{a | /
¯ ˜ = N̄ , /
˜ a = m̄}
a∗ = min{a , upper } (2.10)
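and the trace of the expected terminal covariance matrix can be described as
$$J = \mathrm{Tr}\Big(\sum_{i=0}^{\bar{N}-1}\big((\alpha^{*})^{i} - (\alpha^{*})^{i+1}\big)\Gamma^{*} f^{i}(\bar{P}) + (\alpha^{*})^{\bar{N}}\Gamma^{*} f^{\bar{N}}(\bar{P})\Big) \qquad (2.11)$$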
Algorithm 2
1: Set $J_{max} = 0$
2: for $m = 1 : \mathrm{length}(S_a)$ do
3: Compute N = ¯ /lower /m
4: Compute a∗ using Theorem 2.8
5: Based on the SINR-based model, compute the successful attack probability $\alpha^*$
6: Determine the optimal attack sequence $\tilde{\theta}^*$ with Algorithm 1
7: Compute $J$ using Theorem 2.8
8: if $J > J_{max}$ then
9: $J_{max} = J$, $\bar{N} = N$ and $\bar{m} = m$
10: end if
11: $m = m + 1$
12: end for
13: Output $J_{max}$, $\bar{N}$ and $\bar{m}$