Risk Data Analysis Based Anomaly Detection of Ship Information System

Abstract

Due to the vulnerability and high risk of the ship environment, the Ship Information System (SIS) should provide 24 hours of uninterrupted protection against network attacks. Therefore, the corresponding intrusion detection mechanism is proposed for this situation. Based on the collaborative control structure of SIS, this paper proposes an anomaly detection pattern based on risk data analysis. An intrusion detection method based on the critical state is proposed, and the corresponding analysis algorithm is given. In the Industrial State Modeling Language (ISML), risk data are determined by all relevant data, even in different subsystems. In order to verify the attack recognition effect of the intrusion detection mechanism, this paper takes the course/roll collaborative control task as an example to carry out simulation verification of the effectiveness of the intrusion detection mechanism.

1. Introduction

With the constant intellectualization of industrial equipment, the working performance of a Supervisory Control And Data Acquisition (SCADA) system turns out to be highly dependent on the accuracy and security of communication among the units in closed-loops [1]. However, such systems are normally intricate and fragile, and several striking examples have confirmed that even well-protected SCADA systems can be ultimately crashed [2,3,4,5,6]. Therefore, the cyber-physical security of SCADA systems will be more and more important [7], which has been described by IEEE: “In contrast to cyber security, the goal of cyber-physical security is to protect the whole cyber-physical system, which uses widespread sensing, communication and control to operate safely and reliably.” [8]. Normally, according to the different focus points, the study of cyber-physical security can be divided into defense [9,10], detection [11,12], and maintenance(including repair, reconstitution, etc.) [3,13,14]. Here, we mainly focus on the anomaly detection topic in the cyber-physical security of SCADA. Actually, several effective anomaly detection methods have already been proposed in the anomaly detection area such as system modeling [15,16,17,18,19,20] and data-based analysis [20,21,22,23,24,25], which should always accept a compromise in the modeling uncertainty and data complexity. Besides model-based and coupled data-based intrusion detection, some intrinsic properties of SCADA are considered in detection. In [26], a methodology that uses information extracted from Radio Frequency (RF) features to identify changes was proposed. Meanwhile, S.-M.Jung and J.-G. Song et al.presented an idle-time measurement system in data spoofing detection [27]. Actually, these solutions bring a new perspective to anomaly detection, and the applications for these theories are restricted more or less, which cannot be overcome. However, in [28], an innovative approach based on the concept of critical state analysis and state proximity was presented: attacks can be detected by a set of critical rules, which are formulated in the Industrial State Modeling Language (ISML). Such rules are based on all related data that are not confined to the coupled data. Therefore, the anomaly detection mode we propose in this paper is based on the risk data, which are obtained by the analysis of critical data.

2. Model Description

As a typical SCADA system, the Ship Information System (SIS) is widely used in the connection between each ship electronic system, which are spread across the whole ship. As the data in SIS are designed to be closed and inflexible, firewall updating and off-line detection are difficult to implement. Furthermore, for a ship on a long voyage, any physical or informational damage may cause an irreparable breakdown, which leads to a helpless situation.

Although different ships have different functions [29,30,31,32,33,34,35], all definitions found in the literature for SIS have one key feature in common. As shown in Figure 1, this defining feature is that SIS is composed of several independent subnetworks and a total ship communication network, which can exchange information (reference input, plant output, control input, etc.) among subnetworks and systems. The architecture of SIS is similar to each normal SCADA, which is listed in the following.

2.1. Structure

2.1.1. Components

Operational Units

Due to the different command types of the mission and situation, a supervisory control command can be released by a user through the Human Computer Interface (HCI) or SIS core. The SIS core provides a common environment hosting the majority of the ship’s applications on a redundant infrastructure, whose targeted hardware location is designed to be transparent to the applications. Some basic control commands are released by the core automatically and spontaneously, such as fire detection, anti-rolling control, etc. Meanwhile, real-time assistant decision support is also done by the core and submitted to HCI.

Distributed Controller Units

The Distributed Controller Units (DCUs) in SIS are networked and interfaced with the SIS network; their duty is to monitor and control every closed-loop system in the ship by coding predefined sequences and control algorithms.

Remote Terminal Units

The Remote Terminal Units (RTUs) in SIS serve as the interface point to DCUs and a variety of analog and digital sensors and actuators. Every RTU is connected with its closest DCU. The telemetry hardware structure of RTU has the capability of sending digital sensor data to the DCU and receiving digital commands from it.

It should be mentioned that, in order to keep the security and anti-damage capability of SIS, each RTU is connected to two DCUs simultaneously, but only one is activated during the running process; such a dual-station structure is widely used in SCADA. For each $DCUi-1$, its backup DCU is denoted as $DCUi-2$.

2.1.2. Networks

SIS Network

As a backbone network of the ship information system, the fundamental layering rule of the SIS network is to add maximum DCUs in the ship environment, which leads to a dual-ring network being chosen in the design of the SIS network. Every DCU is led into the SIS network proximally.

Subnetworks

As introduced in [35], numerous DCUs are connected in the SIS network; meanwhile, each of them has the responsibility for dozens of RTUs, which constitute an underlying subnetwork.

Due to the limited space, more design details and examples of implementations can be seen in [29,36].

For SIS, due to different emphases, there exist two structures of SIS, which are the cooperative control structure ($St{r}_{CC}$) and the hierarchical task structure ($St{r}_{HT}$). $St{r}_{CC}$ is used to describe the implementation method of task control in SIS, while $St{r}_{HT}$ is for the description of task capabilities.

2.2. Cooperative Control Structure of SIS

As the connection principle between DCU and RTU is mere proximity instead of task relation, which has reduced the difficulty of planning and laying out networks greatly, but has increased the complexity of every control process in SIS, most missions in SIS are designed to be completed by several DCUs cooperatively. For definiteness and without loss of generality, the cooperative control mode of SIS is shown in Figure 2.

As our attention in this paper is the cybersecurity issue in SCADA, to facilitate distinction, all the data in different lines are relabeled, as is listed in

Table 1. Notations of Figure 2.

Annotation	Notations
$e_0$	Control objective
$e_{sr}\left(k\right)$	Data from Sensor 3
$e_{rd}\left(k\right)$	Data sent by RTU 5 according to $e_{sr}\left(k\right)$
$e^{(*)}\left(k\right)$	Data sent by DCU 3-1(2) according to $e_{rd}\left(k\right)$
$y_{sr1}\left(k\right)$	Output of Actuator 1 sampling by Sensor 1
$y_{rd1}\left(k\right)$	Data sent by RTU 1 according to $y_{sr1}\left(k\right)$
$y_{d1/2}^{(*)}\left(k\right)$	Data sent by DCU 1-1(2) according to $y_{rd1}\left(k\right)$
$y_{sr2}\left(k\right)$	Output of Actuator 2 sampling by Sensor 2
$y_{rd2}\left(k\right)$	Data sent by RTU 3 according to $y_{sr2}\left(k\right)$
$y_{d2/1}\left(k\right)$	Data sent by DCU 2-1 according to $y_{rd2}\left(k\right)$
$y_{d2/1}^{(*)}\left(k\right)$	Data sent by DCU 2-1(2) according to $y_{rd2}\left(k\right)$
$u_{dr1}^{(*)}\left(k\right)$	Control command for Actuator 1 by DCU 1-1(2)
$u_{ra1}^{(*)}\left(k\right)$	Data sent by RTU 2 according to $u_{dr1}^{(*)}\left(k\right)$
$u_{dr2}^{(*)}\left(k\right)$	Control command for Actuator 2 by DCU 2-1(2)
$u_{ra2}^{(*)}\left(k\right)$	Data sent by RTU 4 according to $u_{dr2}^{(*)}\left(k\right)$

.

The control objective $e_0$ should be performed by Actuator 1 and Actuator 2 cooperatively. $e_{sr}\left(k\right)$ is the control feedback of the control objective at step k, and these data are sampled by a global sensor, Sensor 3. Here, Sensor 1 and Sensor 2 are regarded as local sensors, which are used to sample the running conditions of Actuator 1 and Actuator 2, respectively, and these data are finally received by DCU2-1(2)and DCU1-1(2). Taking DCU1-1 as an example, due to the cooperative structure with the coupling relationship with DCU2-1(2), the control output $u_{dr1}$ is determined by the preset distributed control algorithm based on e, $y_{d2/1}^{*}$, and $y_{rd1}$. As shown in Table 1, if the data are related to a backup DCU, they would be marked with superscript “${}^{*}$”, such as $e^{*}\left(k\right)$, $y_{d1/2}^{*}\left(k\right)$, $y_{d2/1}^{*}\left(k\right)$, etc.

In this paper, taking DCU1 for example, we propose a cooperative state space control model, which is established in Equations (1) and (2).

$$\begin{array}{c}X(k+1)=AX\left(k\right)+B{M}_{\sigma 1}\left(k\right)\left[\begin{array}{c}{\widehat{u}}_{dr1}^{(*)}\left(k\right)\\ {\widehat{y}}_{d2/1}^{(*)}\left(k\right)\end{array}\right]\hfill \\ M_{\omega 1}\left(k\right)\left[\begin{array}{c}{e}^{(*)}\left(k\right)\\ y_{rd1}\left(k\right)\\ y_{d2/1}^{(*)}\left(k\right)\end{array}\right]=CX\left(k\right)\hfill \end{array}$$

(1)

$$u_{dr1}^{(*)}\left(k\right)=F_{dr1}({\widehat{u}}_{dr1}^{(*)}\left(k\right),{\widehat{y}}_{d2/1}^{(*)}\left(k\right),y_{d2/1}^{(*)}\left(k\right))$$

(2)

where $X\left(k\right)$ is the quantity of state and ${\widehat{u}}_{dr1}^{(*)}\left(k\right)$ and ${\widehat{y}}_{d1/2}^{(*)}\left(k\right)$ are the obtained output for Actuator 1 and 2 from numerical calculation, respectively. As DCU 1 only focuses on the control of Actuator 1, ${\widehat{y}}_{d1/2}^{(*)}\left(k\right)$ has no physical application, but is only used in the revision of ${\widehat{u}}_{dr1}^{(*)}\left(k\right)$ obtained by amending function $F_{dr1}(*)$. Meanwhile, the communication access of $DCUi$ at step k is denoted as $M_{\sigma i}\left(k\right)$ and $M_{\omega i}\left(k\right)$. As the communication between DCU and RTU belongs to a kind of multi-channel real-time mechanism, the access is granted constantly. However, the communication among DCUs and the HCI/CCIcore should follow an access specification. For example, if DCU1-1 gains access to publish data $y_{d1/2}^{*}$ at step k, we have:

$$M_{\omega 2}\left(k\right)=\left[\begin{array}{ccc}0& 0& 0\\ 0& 1& 0\\ 0& 0& 1\end{array}\right]$$

(3)

Equation (1) provides a new model to analyze the control progress of cooperative control mode based on data, and the control output of one actuator would be corrected by the execution conditions of its collaborators. $F_{dr1}(*)$ can be determined by a neural network, fuzzy, or linear regression algorithm, etc, and as a representative example in [37], we propose a variable universe fuzzy algorithm to correct the deviation between two cooperative rudders.

As our research interest in this paper is cybersecurity, the transmission process of a data is worth more serious study than its solution process. The optimization of $F_{dr1}\left(\right)$ will be researched in the future; in this paper, we assume that each DCU in the cooperative control mode would figure out a suitable control output for the corresponding actuator, giving sufficient thought about its collaborators.

More details about communication access research can been seen in [29,36]. Ideally (without considering congestion, lost packets, electromagnetic interference, etc.), if there is no evidence of attack in this system, all data remain intact, which means there are $y_{sr1}=y_{rd1}=y_{d1/2}^{(*)}$, $u_{dr1}^{(*)}=u_{ra1}^{(*)}$, $y_{sr2}=y_{rd2}=y_{d2/1}^{(*)}$, $u_{dr2}^{(*)}=u_{ra2}^{(*)}$, and $e_{sr}=e_{rd}=e^{(*)}$.

3. Signal Attack in SIS

Due to the structure analysis above, two types of attacks are proposed and researched in this paper, which are Signal Attack $SA$ and Mode Attack $MA$. Ultimately, the core objective of all the attacks intruded in a SIS is to cause a risk. For an $SA$, it has the ability to modify a regular signal into a dangerous one, while $MA$ can create a risky task. In this paper, our attention is mainly focused on $SA$.

3.1. Signal Attack Form

It should be mentioned that there are some differences between the signal attack and jamming attack. The signal attack can modify the content of the data flow, but keep the format and reachability. The data flow would be blocked by the jamming attack.

Equation (4) is a typical form of $SA$, which has the ability to denote almost all of inside attacks existing in SCADA except the Denial of Service (DoS) attack.

$$q\left(k\right)=f_{Ni-p}(P[k,n],q(k-1),{\Delta }_p)$$

(4)

where $P[k,n]$ is a set of input data $p\left(k\right)$, $P[k,n]=\left[p\right(k),p(k-1),\cdots ,p(k-n\left)\right]$, $q\left(k\right)$ is the output of $p\left(k\right)$ modified by the attack at step k, and ${\Delta }_p$ is a threshold of max(min)variation between $p(k_i-1)$ and $p\left(k_i\right)$. The subscript $Ni$ is the label of the device (including DCUs and RTUs), which is planned to handle $p\left(k\right)$.

It should be mentioned briefly that the DoS attack on a controlled closed-loop in SCADA is an attempt to make the network resource unavailable, against its requirements of reachability and observability. Based on the research results, we proposed in [38,39] that if a DCU has sent $w_{\rho j}$-data in one data flow by $DCUi$ to keep the closed-loop system $Q_j$$l_j$-step observable, $Q_j$ is considered to be attacked on $DCUi$, if for each $M_{\omega 1}\left(k_m\right)$ where $m\in [0,l_j-1]$, we have $\left|M_{\omega 1}\left(k_m\right)\right|\ge w_{\rho j}+1$. That means the DoS attack has the ability to modify the DCU’s predefined sequences. A DoS attack on $DCUi$ can be detected by a related $DCUj$ or CCI, intuitively, if they fail to receive scheduled and planned data from $DCUi$.

3.1.1. An Example of the Signal Attack Algorithm

Based on the definition of the signal attack, an example of the insertion attack algorithm is given in Algorithm 1, which operates as follows.

Algorithm 1 Signal attack algorithm.

Require: Original input data $p\left(k\right)$

1: remark $P[k,n]=[p_0,p_1,\cdots ,p_n]$;

2: initialize $P_{\Delta }=[p_{\Delta 0},p_{\Delta 1},\cdots ,p_{\Delta n}]$;

3: $p_0=p\left(k\right)$;

4: for $i=0$ to n do

5:   $p_{\Delta i}=p_i-p_{i+1}$;

6: end for

7: $j=intRNG::uniform(0,n)$;

8: $\tilde{p}=p_j$;

9: if $p\left(k\right)>p(k-1)$ then

10:  ${\Delta }_p=max{P}_{\Delta }$;

11:  $r=floatRNG::uniform(0,{\Delta }_p)$;

12: else

13:  ${\Delta }_p=min{P}_{\Delta }$;

14:  $r=floatRNG::uniform({\Delta }_p,0)$;

15: end if;

16: $\widehat{p}\left(k\right)=\tilde{p}+r$;

17: ${\Delta }_p=abs\left({\Delta }_p\right)$;

18: $q\left(k\right)=min(q(k-1)+{\Delta }_p,max(\widehat{p}\left(k\right),q(k-1)-{\Delta }_p))$;

19: for $i=n$ to 1 do

20:  $q\left(n\right)=q(n-1)$;

21: end for

22: $q(k-1)=q\left(k\right)$;

23: return $q\left(k\right)$;

It takes as input original input data $p\left(k\right)$. Line 1 of the algorithm denotes each element in set $P[k,n]$ as $[p_0,p_1,\cdots ,p_n]$. After that, a set $P_{\Delta }=[p_{\Delta 0},p_{\Delta 1},\cdots ,p_{\Delta n}]$ is initialized in Line 2 to store the variation between each $p_i$ and $p_{i+1}$ (Lines 4–6). Basic modified data are stated by choosing data in $P[k,n]$ (Lines 7–8) randomly. Here, $RNG::uniform(a,b)$ is a typical way to select a uniformly-distributed random number, which is from the range $[a,b)$ by using the MWCalgorithm. In addition, from Lines 9–16, a further modification is executed to confuse the IDSaimed at replay attack. The addition value denoted as r is based on the maximum or minimum of $P_{\Delta }$, which is determined by the numerical relationship between $p\left(k\right)$ and $p(k-1)$. Lines 11 and 14 can keep r from the IDS based on data. What is more, the detection by the threshold would also be invalid by the restraint in Line 18. The output of the insertion attack algorithm is given in Line 23.

3.1.2. The Form of the Hazard Factor-Based Signal Attack

According to the form of the basic signal attack, in order to find the balance between the hazard and invisibility requirements of signal attack, a new type of signal attack is presented in this paper. This has an additional parameter named hazard factor (denoted as ${\eta }_i$). For the given original data signal $p_i\left(k\right)$ and the corresponding typical signal attack $q_i\left(k\right)$, we have:

$$q_{i-HAZ}\left(k\right)=p_i\left(k\right)+{\eta }_i[q_i\left(k\right)-p_i\left(k\right)]$$

(5)

where $q_{i-HAZ}\left(k\right)$ is the output of the hazard factor-based signal attack. According to the different values of ${\eta }_i$, $q_{i-HAZ}\left(k\right)$ can be further classified as:

$q_{i-HAZ}\left(k\right)=p_i\left(k\right)$; if we have ${\eta }_i=0$, the signal attack does not exist;

$q_{i-HAZ}\left(k\right)$ is the lower hazard, if ${\eta }_i\in (0,1)$;

$q_{i-HAZ}\left(k\right)$ is equivalent to $q_i\left(k\right)$, if${\eta }_i=1$;

$q_{i-HAZ}\left(k\right)$ would be the higher hazard, if ${\eta }_i\in (1,{\eta }_{i-max})$, and here, ${\eta }_{i-max}$ is the maximum allowed hazard factor of $q_{i-HAZ}\left(k\right)$, which can be hidden from the IDS.

3.1.3. Signal Attack Zone

As shown in Figure 2, according to the refined model of SIS, there exist several point-to-point communication lines that make up a closed-loop system. The insertion attack may happen in any node between two lines. Here, we defined each probable attack zone in a cooperative SCADA, which are listed as follows.

Attack on Local Sensor Data

A local sensor is used to sample the running status of one actuator, which is activated by the cooperative control mission. Normally, for local sensor data (Sensor 1 as an example), without being attacked, we have $y_{sr1}=y_{rd1}=y_{d1/2}^{(*)}$. Such data may be attacked on RTU1, which leads to $y_{rd1}\ne y_{sr1}$ or $y_{d1/2}^{(*)}\ne y_{rd1}$ if DCU1-1(2) is attacked.

Attack on Global Sensor Data

As shown in Figure 2, for the global Sensor 3, in an ideal case, we have $e_{sr}=e_{rd}=e^{(*)}$. An insertion attack may tamper with the data as a result of $e_{rd}\ne e_{sr}$ or $e^{(*)}\ne e_{rd}$ if the attack is embedded in RTU3 or DCU3-1(2).

Attack on Actuator Control Data

Finally, an actuator also can be attacked in SCADA by causing an undetected misoperation $u_{ra1}^{(*)}\ne u_{dr1}^{(*)}$ in RTU2. Meanwhile, if the calculational result of the control algorithm in DCU1-1(1) is attacked, $u_{dr1}^{(*)}$ would be an incorrect output, which means $u_{dr1}^{(*)}\ne {\widehat{u}}^{(*)}$, where ${\widehat{u}}^{(*)}$ is denoted as the calculational result.

4. Critical State Analysis

4.1. Critical State Estimation

In this paper, the Critical State Estimation (CSE) algorithm we propose is based on the Industrial State Modeling Language (ISML), which was first proposed by A. Carcano et al. in [28]. The rules in the ISML are formulized as $condition\to action$ where $condition$ is a Boolean formula composed of several predicates, which are used to indicate the values that are assumed by critical components. The definition of ISML is listed in the following.

$$\begin{array}{cccc}\hfill \langle rule\rangle ::=& \multicolumn{3}{c}{\langle condition\rangle \to \langle action\rangle :\langle l_t\rangle }\\ \hfill \langle action\rangle ::=& \langle Alert\rangle |Log\hfill & \hfill \langle l_t\rangle ::=& 1|\dots |5\hfill \\ \hfill \langle condition\rangle ::=& \multicolumn{3}{c}{\langle predicate\rangle |\langle predicate\rangle ,\langle condition\rangle }\\ \hfill \langle objec{t}_{bin}\rangle ::=& \multicolumn{3}{c}{DCU\langle ID\rangle .\langle bincomp\rangle .\langle index\rangle }\\ \hfill \langle object\rangle ::=& \multicolumn{3}{c}{DCU\langle ID\rangle .\langle comp\rangle .\langle index\rangle }\\ \hfill \langle predicate\rangle ::=& \multicolumn{3}{c}{\langle object\rangle .\langle rel\rangle \langle val\rangle }\\ & \multicolumn{3}{c}{|\langle objec{t}_{bin}\rangle .\langle binrel\rangle \langle binval\rangle }\\ \hfill \langle ID\rangle ::=& \multicolumn{3}{c}{IPaddress:Port}\\ \hfill \langle val\rangle ::=& 0|\dots |2^{16}-1\hfill & \hfill \langle comp\rangle ::=& HR|IR\hfill \\ \hfill \langle index\rangle ::=& 0|\dots |2^{16}-1\hfill & \hfill \langle binrel\rangle ::=& =|\ne \hfill \\ \hfill \langle rel\rangle ::=& \multicolumn{3}{c}{\le |\ge |<|>|=|\ne }\\ \hfill \langle bincomp\rangle ::=& CO|DI\hfill & \hfill \langle binval\rangle ::=& 0|1\hfill \end{array}$$

where $\langle comp\rangle$ is a register; Discrete Input, Coli, Input Register, and Holding Register are denoted as $DI,CO,IR,HR$, respectively. The ISML is used to describe a particular class of system states called critical states that correspond to dangerous or unwanted situations in SIS. Here, the risk level of each state is reversed by its confidence. The risk level $l_t$ is considered to be in the critical state, where a value of one means low risk, while five is a surely dangerous critical state of SIS. Here, $object|objec{t}_{bin}$ denotes one kind of data in SIS, and $\langle object\rangle :\langle condition\rangle \to \langle Alert\rangle :\langle l_t\rangle ::=\langle rel\rangle \langle val\rangle$ means the critical state value ($\langle rel\rangle \langle val\rangle$) of $object$ when the risk level reaches $l_t$ by $\langle condition\rangle$, for example if such a rule is set in SIS:

$$\left(\begin{array}{c}DCU[10.0.0.001:502].HR\left[1\right]>3000\\ DCU[10.0.0.002:502].IR\left[2\right]>2500\end{array}\right)\to Alert:5$$

(6)

We have $\langle DCU[10.0.0.002:502].IR\left[2\right]\rangle :\langle DCU[10.0.0.$$001:502].HR[1]>3000\rangle \to \langle Alert:5\rangle ::=\langle >2500\rangle$, which means for $DCU[10.0.0.002:502].IR\left[2\right]$, the critical state value is >2500 (with risk of $l_t=5$), when its related data $DCU[10.0.0.001:502].HR\left[1\right]>3000$.

Therefore, the anomaly detection and critical state estimation algorithm is given in Algorithm 2, which operates as follows.

Algorithm 2 Critical state estimation algorithm.

Require:$y_i\left(k\right)$, $p_i$ ($RT$ level of $y_i\left(k\right)$), $y_i\left(k\right)$-related rule set $R\left[y_i\right]$, $R\left[y_i\right]$-related dataset ${\mathsf{y}}_i\left(\mathsf{k}\right)$

1: reorder and remark $R\left[y_i\right]=R_1\left[1\right],R_1\left[2\right],···,R_1\left[m_1\right],R_2\left[1\right],$ $R_2\left[2\right],···,R_2\left[m_2\right],···,R_5\left[m_5\right]$;

2: for $p=p_i$ to 5 do

3:   for $q=1$ to $m_p$ do

4:    Initialize interval $I_p=[y_{i-min},y_{i-max}]$

5:    remark the $R_p\left[q\right]$-related subset of ${\mathsf{y}}_i\left(\mathsf{k}\right)$ as $y_{i-pq}\left(k\right)$;

6:    Set subinterval $I_{pq}=\mathsf{Q}-\langle re{l}_{pq}\rangle \langle va{l}_{pq}\rangle =\mathsf{Q}-\langle y_i\rangle :$ $\langle y_{i-pq}\left(k\right)\rangle \to \langle Alert\rangle :\langle p\rangle$

7:    $y_{i-pq}^{sup}\left(k\right)=sup\left\{I_{pq}\right\}$

8:    $y_{i-pq}^{inf}\left(k\right)=inf\left\{I_{pq}\right\}$

9:    Set interval $I_p=I_p\cap I_{pq}$

10:   $y_{i-p}^{sup}\left(k\right)=sup\left\{I_p\right\}$

11:   $y_{i-p}^{inf}\left(k\right)=inf\left\{I_p\right\}$

12:   if $y_{i-pq}^{sup}\left(k\right)=y_{i-p}^{sup}\left(k\right)$ then

13:    $y_{i-p}^{ssup}\left(k\right)=y_{i-pq}\left(k\right)$;

14:   end if;

15:   if $y_{i-pq}^{inf}\left(k\right)=y_{i-p}^{inf}\left(k\right)$ then

16:    $y_{i-p}^{sinf}\left(k\right)=y_{i-pq}\left(k\right)$;

17:   end if;

18:   if $y_{i-pq}^{sup}\left(k\right)=y_{i-max}$ then

19:    $y_{i-p}^{ssup}\left(k\right)=null$;

20:   end if;

21:   if $y_{i-pq}^{inf}\left(k\right)=y_{i-min}$ then

22:    $y_{i-p}^{sinf}\left(k\right)=null$;

23:   end if;

24:  end for

25:  if $I_p=\varnothing$ or $y_i\left(k\right)\notin I_p$ then

26:   $y_i\left(k\right)$ is beyond p-level risk;

27:  else

28:   $y_i\left(k\right)$ is p-level non-risk;

29:  end if;

30: end for

31: return ${\mathsf{y}}_{\mathsf{i}-\mathsf{sd}}\left(\mathsf{k}\right)=[y_{i-5}^{inf}\left(k\right),y_{i-5}^{sup}\left(k\right),y_{i-4}^{inf}\left(k\right),y_{i-4}^{sup}\left(k\right),\cdots ,$ $y_{i-p_i}^{inf}\left(k\right),y_{i-p_i}^{sup}\left(k\right)]$ and ${\mathsf{y}}_{\mathsf{i}-\mathsf{ps}}\left(\mathsf{k}\right)=[y_{i-p_i}^{ssup}\left(k\right),y_{i-p_i}^{sinf}\left(k\right)]$

It takes as input original input data $y_i\left(k\right)$, where the physical meaning of $y_i$ is determined by its $object$; meanwhile, the $y_i\left(k\right)$-related rule set $R\left[y_i\right]$ is needed, as well. According to $R\left[y_i\right]$, all related $objects$ are necessary and stored in dataset ${\mathsf{y}}_i\left(\mathsf{k}\right)$. It should be mentioned that ${\mathsf{y}}_i\left(\mathsf{k}\right)$ is not equivalent to the set of all $y_i\left(k\right)$ coupling data. Line 1 of the algorithm restores each rule of $R\left[y_i\right]$ by its risk level and denotes these rules as $R_p\left[q\right]$ where p is the risk level. Lines 2–30 show the critical state estimation method, for each rule $R_p\left[q\right]$ and its related dataset ${\mathsf{y}}_{i-pq}\left(\mathsf{k}\right)$; a critical state of $y_i$ is determined. Line 6 creates a safe subinterval for $y_i$ under rule $R_p\left[q\right]$, and the interval is shrunk during each loop computation in Line 9. Lines 10–11 show the upper and lower bound of $I_p$, denoted as $y_{i-p}^{sup}\left(k\right)$ and $y_{i-p}^{inf}\left(k\right)$, respectively. Lines 12–23 show the way to find the determinant factors (denoted as $y_{i-p}^{ssup}$ and $y_{i-p}^{sinf}$), which leads to $y_i\left(k\right)$ being risk data or not. Lines 25–29 shows the anomaly detection method, if $y_i\left(k\right)\in I_p$, $y_i\left(k\right)$ is the p level risk of non-arrival or it is called beyond the p level risk. Due to the different importance of each $y_i\left(k\right)$, its Risk Tolerance $RT$ is different. For four-level $RT$ data $y_i\left(k\right)$, if the judgment result is beyond four levels of risk, $y_i\left(k\right)$ is anomalous data. Line 31 returns all upper and lower bounds of each risk level for $y_i\left(k\right)$, which is $y_{i-sd}\left(k\right)=[y_{i-5}^{inf}\left(k\right),y_{i-4}^{inf}\left(k\right),y_{i-3}^{inf}\left(k\right),y_{i-2}^{inf}\left(k\right),y_{i-1}^{inf}\left(k\right),$ $y_{i-1}^{sup}\left(k\right),y_{i-2}^{sup}\left(k\right),y_{i-3}^{sup}\left(k\right),y_{i-4}^{sup}\left(k\right),y_{i-5}^{sup}\left(k\right)]$. Meanwhile, the the determinant factors (denoted as $y_{i-p}^{ssup}$ and $y_{i-p}^{sinf}$) are uploaded, as well.

4.2. Bi-Critical Data Analysis

According to Algorithm 2, such data, the value of which is beyond the critical state, are determined; however, there exists the possibility that one normal datum is miscalculated, caused by a related datum, which is actually anomalous. Here, we propose the definition of bi-critical data to identify the true abnormal data from two related data.

Definition 1 (Bi-critical Data $BD$): Two critical data $p_a-RT$, data $y_a\left(k\right)$, and $p_b-RT$, data $y_b\left(k\right)$, in SIS are regarded as a pair of $BD$, if $y_b\left(k\right)\in {\mathsf{y}}_{\mathsf{a}-{\mathsf{p}}_{\mathsf{a}}\mathsf{s}}\left(\mathsf{k}\right)$ or $y_a\left(k\right)\in {\mathsf{y}}_{\mathsf{b}-{\mathsf{p}}_{\mathsf{b}}\mathsf{s}}\left(\mathsf{k}\right)$.

According to Definition 1, a further analysis of critical state discrimination is proposed in Algorithm 3. Here, we assume that $y_b\left(k\right)\in {\mathsf{y}}_{\mathsf{a}-{\mathsf{p}}_{\mathsf{a}}\mathsf{s}}\left(\mathsf{k}\right)$.

Algorithm 3 Critical data discrimination algorithm for a pair of $BD$.

Require:$y_a\left(k\right)$, $y_b\left(k\right)$, $y_b(k-1)$, $p_a$, $y_a\left(k\right)$-related rule set $R\left[y_a\right]$, $R\left[y_a\right]$-related dataset ${\mathsf{y}}_a\left(\mathsf{k}\right)$  initialize a $R\left[y_a\right]$-related dataset ${\mathsf{y}}_{a/b}\left(\mathsf{k}\right)$, which includes every type of data belong to ${\mathsf{y}}_a\left(\mathsf{k}\right)$, except $y_b\left(k\right)$  initialize a $y_a\left(k\right)$-related, but $y_b\left(k\right)$ non-related rule set $R\left[y_{a/b}\right]$  choose $y_a\left(k\right)$, $p_a$, $R\left[y_{a/b}\right]$, ${\mathsf{y}}_{a/b}\left(\mathsf{k}\right)$ as inputs, and run Algorithm 2  if the result of Algorithm 2 shows that $y_a\left(k\right)$ is beyond $p_a$-level risk then   return $y_a\left(k\right)$ is a definitely beyond $p_a$-level risk ($DRD$)  else   reset $y_b\left(k\right)=y_b(k-1)$   choose $y_a\left(k\right)$, $p_a$, $R\left[y_a\right]$, ${\mathsf{y}}_b\left(\mathsf{k}\right)$ as inputs, and rerun Algorithm 2   if the result of Algorithm 2 shows that $y_a\left(k\right)$ is beyond $p_a$-level risk data then    return $y_a\left(k\right)$ is definitely beyond $p_a$-level risk data ($DRD$)   else    return $y_a\left(k\right)$ is potentially beyond $p_a$-level risk data ($PRD$)   end if  end if

Here, in Algorithm 3, we propose a two-layer discrimination mode. It takes as input original input data $y_a\left(k\right)$, $y_b\left(k\right)$, $p_a$, $y_a\left(k\right)$-related rule set $R\left[y_a\right]$, and $R\left[y_a\right]$-related dataset ${\mathsf{y}}_a\left(\mathsf{k}\right)$. In Lines 2–3, two subsets of ${\mathsf{y}}_a\left(\mathsf{k}\right)$ and $R\left[y_a\right]$, which exclude the factor of $y_b\left(k\right)$, are denoted as ${\mathsf{y}}_{a/b}\left(\mathsf{k}\right)$ and $R\left[y_{a/b}\right]$, respectively. In Line 4, Algorithm 2 is called to calculate the critical data situation of $y_a\left(k\right)$ without considering the existence of $y_b\left(k\right)$. If the result shows that $y_a\left(k\right)$ is still a beyond $p_a$-level risk, that means $y_a\left(k\right)$ is Definitely Risk Data ($DRD$) whatever the value of $y_b\left(k\right)$. If $y_a\left(k\right)$ is a $p_a$-level non-risk by the analysis based on Algorithm 2, further discrimination is presented in Lines 7–13. As the data sampling mode of SIS is based on the zero-order holder (ZOH), here we treat $y_b\left(k\right)$ as unadopted data and reset $y_b$’s value at step k as $y_b(k-1)$. Then, Algorithm 2 is called again at Line 8. If $y_a\left(k\right)$ is still a $p_a$-level risk, it means $y_a\left(k\right)$ is a $DRD$, while $y_b$ is a core determinant of $y_a\left(k\right)$’s riskiness. If $y_a\left(k\right)$ is not a $p_a$-level risk according to the modified result of $y_b\left(k\right)$, such a possibility should exist that $y_a\left(k\right)$ is non-risk data, but it should be marked in a miscalculation caused by the risk data $y_b\left(k\right)$. Due to the nondeterminacy of risk level, this kind of $y_a\left(k\right)$ is named as Potentially Beyond $p_a$-level risk Data ($PRD$). In this paper, due to the uncertainty of the risk level, a $DRD$ issue in SIS would be considered as a higher priority than a $PRD$.

5. Simulation

5.1. Modeling of the Ship Cooperative Motion Control System

Due to the complexity of ship motion, it has six Degrees Of Freedom (DOF) as a general rule, which can be described as u (surge velocity), v (sway velocity), w (heave velocity), r (yaw rate), p (rolling rate), and q (pitching rate). In this paper, we mainly focus on three motions: ship surging, ship heading, and ship rolling, and the ship motion model we chose in this paper is in Equation (7).

$$\left\{\begin{array}{c}{X}_{\sum }=m[\dot{u}-vr+wq-x_G(q^2+r^2)+y_G(pq-\dot{r})+z_G(pr+\dot{q})]\hfill \\ N_{\sum }=J_{zx}\dot{p}+J_{yz}\dot{q}+J_z\dot{r}+(J_{xy}p+J_{y}q+J_{yz}r)p-(J_{x}p+J_{xy}q\hfill \\ +J_{zx}r)q+m[x_G(\dot{v}+ur-wp)+y_G(-\dot{u}-vp+uq)]\hfill \\ K_{\sum }=J_x\dot{p}+J_{xy}\dot{q}+J_{zz}\dot{r}+(J_{zx}p+J_{zy}q+J_{z}r)q-(J_{xy}p+J_{y}q\hfill \\ +J_{yz}r)r+m[y_G(\dot{w}+vp-uq)+z_G(-\dot{v}-ur+wp)]\hfill \end{array}\right.$$

(7)

where m is the mass of the ship and $\dot{p}$, $\dot{q}$, $\dot{r}$ are respectively denoted as the rolling, pitching, and yawing angular acceleration. $R_G={\left(x_G{y}_G{z}_G\right)}^T$ is the coordinates of the position vector about the center of the ship’s gravity in the moving coordinate system. $X_{\sum }$, $N_{\sum }$, and $K_{\sum }$ are respectively denoted as the longitudinal force, heading resultant moment, and rolling resultant moment. J is the inertia matrix of the ship, when the origin of the coordinate system is not the center of the ship’s gravity, as Equation (8) shows.

$$J=\left[\begin{array}{ccc}{J}_x& J_{xy}& J_{zx}\\ J_{yx}& J_y& J_{yz}\\ J_{zx}& J_{zy}& J_z\end{array}\right]$$

(8)

As the system is constituted by two rudders, two propellers, and a pair of fins, the compositions of $X_{\sum }$,$N_{\sum }$, and $K_{\sum }$ are shown in Equation (9):

$$\left\{\begin{array}{c}{X}_{\sum }=X_I+X_H+X_{RP}+X_{LP}+X_{RR}+X_{LR}+X_F+X_D\hfill \\ N_{\sum }=N_I+N_H+N_{RP}+N_{LP}+N_{RR}+N_{LR}+N_F+N_D\hfill \\ K_{\sum }=K_I+K_H+K_{RP}+K_{LP}+K_{RR}+K_{LR}+K_F+K_D\hfill \end{array}\right.$$

(9)

where $I,H,RP,LP,RR,LR,RF,F,D$ are respectively denoted as fluid inertia, fluid viscosity, right propeller, left propeller, right rudder, left rudder, fins, and disturbances. As is shown, every plant working in the system has the ability to change the ship’s surging, heading, and rolling more or less, which depends on the moment it produced in different DOF. This behavior increases the importance of cooperative control algorithms, which means we also need a real-time communication environment.

Of many possible external disturbances acting on the ship motion process, the waves are the most important external disturbances and dominantly influence the control performance. As the wave disturbance can be treated as a typical stationary random process satisfying a Gaussian distribution, the spectrum of the random ocean wave is given in Equation (10):

$$S_{\xi }\left({\omega }_e\right)=\frac{S_{\xi }\left(\omega \right)}{1-2\omega /\phantom{2\omega g}gVcos\mu }$$

(10)

where P-Mspectrum $S_{\xi }\left(\omega \right)$ is chosen as the initial spectrum, V is the ship speed, and $\mu$ is the wave angle.

Therefore, the interfering moment of wave disturbance $N_{wave}$ can be determined as:

$$\begin{array}{c}{N}_{wave}=\sum _{i=1}^M{R}_1[B_m^{2}sin{R}_2(R_{3}cos{R}_3-sin{R}_3)/\phantom{B_m^{2}sin{R}_2(R_{3}cos{R}_3-sin{R}_3)R_3^2-}{R}_3^2-\hfill \\ L^{2}sin{R}_3(R_{2}cos{R}_2-sin{R}_2)/\phantom{L^{2}sin{R}_3(R_{2}cos{R}_2-sin{R}_2)R_2^2}{R}_2^2]\times \hfill \\ {\zeta }_{ai}cos({\omega }_{ei}t+{\epsilon }_{ni})\hfill \end{array}$$

(11)

where $R_1=\rho g(1-e^{-k_1{d}_m})/\phantom{\rho g(1-e^{-k_1{d}_m})k_1}{k}_1$, $R_2=\left(k_{1}L/\phantom{L2}2\right)cos{\mu }_e$, $R_3=\left(k_1{B}_m/\phantom{B_{m}2}2\right)sin{\mu }_e$, ${\zeta }_{ai}$ is the amplitude of each harmonic, M is the number of energy partitions, $B_m$ is the beam, L is the length, and $d_m$ is the average draft.

In this paper, the ship chosen in the simulation has a displacement of 2500 tons, and we have $B_m=14$, $L_m=115$, $d_m=3.8$.

According to the wave disturbance model above, in such conditions in which significant wave height is four meters and the wave angle is ${30}^{\circ }$, the force and moment of sea wave disturbance are shown in Figure 3.

In addition, Figure 4 shows the heading and rolling angles of the ship without any control commands under wave disturbance. The test platform in this paper is based on a semi-physical simulation platform, which was introduced in [36].

5.2. Influence of Signal Attack in SCMCS

Under the simulation results of ship dynamics, in this subsection, the influence of signal attack in the Ship Cooperative Motion Control System (SCMCS) is researched and analyzed. In order to establish the closed loop, the distributed collaborative control algorithm of ship heading and rolling we adopt here is based on a PID-fuzzy fusion control law, which was proposed in [40]. This fuzzy PID fusion controller was designed through continuous updating of its output scaling factor. Instead of using a unitary fuzzy or PID algorithm, the fusion weighted summation rule bases are used in parallel, which improved the performance of the proposed fuzzy PID controllers compared to others. The fusion FPID parameter is calculated as:

$$u=\sum _{i=1}^n{\alpha }_i\times u_i$$

(12)

where $u_i$ is the output by each control algorithm (the fuzzy controller and PID controller are treated as subprograms of the fusion algorithm), ${\alpha }_i$ is the fusion factor of each subprograms, and n is the number of total subprograms in a fusion algorithm; normally, there are $n=2$. In this paper, the fusion factor is chosen as:

$${\alpha }_i=\left[1-exp\left(-\left|u_i\right|/\phantom{\left|u_i\right|{\sum }_{i=1}^n\left|u_i\right|}{\sum }_{i=1}^n\left|u_i\right|\right.\right)\times \frac{1}{n\times (1-exp(-1/n))}$$

(13)

Due to the space limitation, the working principle and application effect of this algorithm will not be introduced in this paper. The simulation results of ship heading and rolling based on this control algorithm are shown by dotted lines in Figure 5A,B, respectively. Meanwhile the solid line in Figure 5A,B depicts the heading and rolling output of the ship while the signal attack acted on the heading data signal. Here, the signal attack first happened at 80 seconds, and we have ${\eta }_i=0.5$. In addition, the operation states of main (flap) rudder and main (flap) fin are shown by solid (dotted) lines in Figure 5C,D, respectively. Due to the coupling relationship between ship heading and rolling, the manipulation of heading sensor data can also change the effect of the rolling control system, and the mathematical statistics results are listed in

Table 2. Influence of rolling mission by heading signal attack.

	Non-Attack		With-Attack
	Mean	Variance	Mean	Variance
Ship rolling	$-0.{019}^{\circ }$	7.95	$0.{040}^{\circ }$	10.01
Fin angle	$-0.{165}^{\circ }$	45.71	$-0.{181}^{\circ }$	54.37
Flap fin angle	$0.{771}^{\circ }$	164.05	$1.{12}^{\circ }$	184.35

.

5.3. Anomaly Detection Analysis of SCMCS

In this paper, based on the running effect in the semi-physical simulation platform, which was introduced in [36], the risk data rule is set as follows:

$Rule1:\langle \left|DCU[10.0.0.001:502].IR\left[2\right]\right|\rangle :\langle \left|DCU[10.0.0.004:502].HR\left[1\right]\right|<8\rangle \to \langle Alert:5\rangle ::=\langle >10\rangle$

$Rule2:\langle \left|DCU[10.0.0.001:502].IR\left[2\right]\right|\rangle :\langle \left|DCU[10.0.0.004:502].HR\left[1\right]\right|<8\rangle \to \langle Alert:4\rangle ::=\langle >8\rangle$

$Rule3:\langle \left|DCU[10.0.0.001:502].IR\left[2\right]\right|\rangle :\langle \left|DCU[10.0.0.004:502].HR\left[1\right]\right|<6\rangle \to \langle Alert:3\rangle ::=\langle >6.5\rangle$

$Rule4:\langle \left|DCU[10.0.0.001:502].IR\left[2\right]\right|\rangle :\langle \left|DCU[10.0.0.004:502].HR\left[1\right]\right|<6\rangle \to \langle Alert:2\rangle ::=\langle >4\rangle$

$Rule5:\langle \left|DCU[10.0.0.001:502].IR\left[1\right]\right|\rangle :\langle \left|DCU[10.0.0.004:502].HR\left[1\right]\right|<8\rangle \to \langle Alert:5\rangle ::=\langle >2\rangle$

$Rule6:\langle \left|DCU[10.0.0.001:502].IR\left[1\right]\right|\rangle :\langle \left|DCU[10.0.0.004:502].HR\left[1\right]\right|<6\rangle \to \langle Alert:4\rangle ::=\langle >1\rangle$

$Rule7:\langle \left|DCU[10.0.0.001:502].IR\left[1\right]\right|\rangle :\langle \left|E_0-DCU[10.0.0.003:502].HR\left[1\right]\right|<8\rangle \to \langle Alert:3\rangle ::=\langle >2\rangle$

$Rule8:\langle \left|DCU[10.0.0.001:502].IR\left[1\right]\right|\rangle :\langle \left|E_0-DCU[10.0.0.003:502].HR\left[1\right]\right|<5\rangle \to \langle Alert:4\rangle ::=\langle >2\rangle$

$Rule9:\langle \left|DCU[10.0.0.001:502].IR\left[2\right]\right|\rangle :\langle \left|E_0-DCU[10.0.0.003:502].HR\left[1\right]\right|<5\rangle \to \langle Alert:4\rangle ::=\langle >15\rangle$

$Rule10:\langle \left|DCU[10.0.0.001:502].IR\left[2\right]\right|\rangle :\langle \left|E_0-DCU[10.0.0.003:502].HR\left[1\right]\right|<8\rangle \to \langle Alert:5\rangle ::=\langle >15\rangle$

The notations of each rule are listed in

Table 3. Notations of rules.

Annotation	Notations
$DCU[10.0.0.001:502]$	DCU for ship rudders
$DCU[10.0.0.002:502]$	DCU for ship fins
$DCU[10.0.0.003:502]$	DCU for heading sensor
$DCU[10.0.0.004:502]$	DCU for rolling sensor
$DCU[10.0.0.001:502]IR\left[1\right]$	Input register for rudder command
$DCU[10.0.0.001:502]IR\left[2\right]$	Input register for flap rudder command
$DCU[10.0.0.002:502]IR\left[1\right]$	Input register for fin command
$DCU[10.0.0.002:502]IR\left[2\right]$	Input register for flap fin command
$DCU[10.0.0.003:502]HR\left[1\right]$	Holding register for heading sensor
$DCU[10.0.0.004:502]HR\left[1\right]$	Holding register for rolling sensor
$E_0$	Set value of ship heading

.

Here, we assume that the Risk Tolerance of SCMCS in SIS is 4, which means only Rule 1, 2, 5, 6, 8, 9 and 10 need to be taken into account. And these rules are used to limit the data in $DCU[10.0.0.001:502]IR\left[1\right]$ and $DCU[10.0.0.001:502]IR\left[2\right]$. As shown in in Figure 6, according to Algorithm 3, the abnormal data of ship rudder and flap rudder are first detected at 81.7 s and 80.4 s, respectively.

6. Discussions and Conclusions

In this paper, the basic structure of the ship information system and its typical cooperative control mode were formulated. According to such structure, a signal attack detection method was proposed. Under the consideration of coupling data flow, we improved the Critical State Estimation (CSE) algorithm proposed in [28] by setting new sentence patterns of the Industrial State Modeling Language (ISML). Therefore, such risk data can be determined by the related data and a set of predefined rules. The simulation result shows that wherever the data are attacked by the signal attack in the cooperative control loop, this can always be detected. We have to point out that we did not focus on the prevention of signal attack in the paper. For now, waking up a related spare DCU is the typical reconstitution strategy when the signal attack is detected. More intelligent solutions can be researched in the future.