Repairing Learning-Enabled Controllers While Preserving What Works

• Pengyuan Lu, University of Pennsylvania
• Matthew Cleaveland, University of Pennsylvania
• Oleg Sokolsky, University of Pennsylvania
• Insup Lee, University of Pennsylvania
• Ivan Ruchkin, University of Florida

Learning-enabled controllers have been adopted in various cyber-physical systems (CPS). When a learning-enabled controller fails to accomplish its task from a set of initial states, researchers leverage repair algorithms to fine-tune the controller’s parameters. However, existing repair techniques do not preserve previously correct behaviors. Specifically, when modifying the parameters to repair trajectories from a subset of initial states, another subset may be compromised. Therefore, the CPS may break previously correct scenarios, introducing new risks that are not taken precautions for. Due to this issue, repairing on entire initial state sets may be hard or even infeasible, and cannot be guaranteed. As a response, we formulate the Repair with Preservation (RwP) problem, which calls for preserving the already-correct scenarios during repair. To tackle this problem, we then design the Incremental Simulated Annealing Repair (ISAR) algorithm, that leverages simulated annealing on a barriered energy function to safeguard the already-correct initial states while repairing as many additional ones as possible. Moreover, formal verification is utilized to guarantee the repair results. Case studies on an Unmanned Underwater Vehicle (UUV) and OpenAI Gym Mountain Car (MC) show that ISAR not only preserves correct behaviors from previously verified initial state regions, but also repairs 81.4% and 23.5% of broken state spaces in the two benchmarks. Moreover, the average STL robustness defeat baseline in both cases.

Zero-One Attack: Degrading Closed-Loop Neural Network Control Systems using State-Time Perturbations

• Stanley Bak, Stony Brook University
• Sergiy Bogomolov, Newcastle University
• Abdelrahman Hekal, Newcastle University
• Veena Krish, Stony Brook University
• Andrew Mata, Stony Brook University
• Amir Rahmati, Stony Brook University

Autonomous cyber-physical systems with deep-learning components have shown great promise but have so far enjoyed limited adoption. Part of the problem is that, beyond average-case analysis, guaranteeing robustness and reasoning about worst-case behaviors in these systems is difficult. Previous research has developed attacks that can degrade a system’s performance using small perturbations on observed states, as well as ways to retrain the networks that appear to make them robust to such attacks. In this work, we advance the state of the art by developing a new method called the Zero-One Attack, which is able to bypass the current strongest defense. The Zero-One Attack minimizes reward by combining an outer loop zeroth-order gradient-free optimization with an inner loop, first-order gradient-based method. This setup both reduces the dimensionality of the zeroth-order optimization problem and leverages efficient gradient-based search methods for neural networks, such as projected gradient descent. In addition to observation noise, we consider a new attack model with bounded perturbations to the execution time instant of the control policy, as real-time schedulers usually guarantee execution once per period, which may not be strictly periodic. On the Mujoco HalfCheetah system with the best current defense, the Zero-One Attack degrades the performance 195% beyond the state-of-the-art, which increases to 522% more degradation when also attacking timing jitter.

Attention-Based Real-Time Defenses for Physical Adversarial Attacks in Vision Applications

• Giulio Rossolini, Scuola Superiore Sant’Anna
• Alessandro Biondi, Scuola Superiore Sant’Anna
• Giogio Buttazzo, Scuola Superiore Sant’Anna

Deep neural networks exhibit excellent performance in computer vision tasks, but their vulnerability to real-world adversarial attacks, achieved through physical objects that can corrupt their predictions, raises serious security concerns for their application in safety-critical domains. Existing defense methods focus on single-frame analysis and are characterized by high computational costs that limit their applicability in multi-frame scenarios, where real-time decisions are crucial. To address this problem, this paper proposes an efficient attention-based defense mechanism that exploits adversarial channel-attention to quickly identify and track malicious objects in shallow network layers and mask their adversarial effects in a multi-frame setting. This work advances the state of the art by enhancing existing over-activation techniques for real-world adversarial attacks to make them usable in real-time applications. It also introduces an efficient multi-frame defense framework, validating its efficacy through extensive experiments aimed at evaluating both defense performance and computational cost.

Thinking beyond bus-off: Targeted Control Falsification in CAN

• Ipsita Koley, IIT Kharagpur
• Sunandan Adhikary, IIT Kharagpur
• Soumyajit Dey, IIT Kharagpur

Controller Area Network (CAN) is considered to be the de facto standard for intra-vehicular communication of modern automobiles. Due to the lack of strong authentication and confidentiality schemes, CAN has been the popular target of a multitude of attacks in the last two decades. Among such attacks, the Bus-off attack (BoA) is considered an important attack vector since it helps the attacker impersonate a trusted safety-critical controller while actually sending false messages. In this paper, we uncover the limitations of classical BoA along with the recent variants in the context of targeting specific automotive safety-critical control loops. In particular, we show that state-of-the-art system-agnostic BoAs are actually futile in the presence of rudimentary range and gradient-based signal monitors that filter out signals exhibiting drastic changes. Instead, we propose a new attack model FalCAN that maximally impacts a given automotive closed-loop while maintaining stealth against monitors. Given the control and bus network specifications, the attack first figures out maximal delays that can be introduced for targeted control loops while attempting BoA. The attack then identifies suitable false data sequences for such delayed actuations that maximize the state error while staying undetected. We implement this attack model on automotive-grade ECUs with benchmark CAN traffic and visualize the impact by real-time emulation of the plant using Hardware-in-loop (HIL) simulation.

Rampo: A CEGAR-based Integration of Binary Code Analysis and System Falsification for Cyber-Kinetic Vulnerability Detection

• Kohei Tsujio, University of California Irvine
• Mohammad Al Faruque, University of California Irvine
• Yasser Shoukry, University of California Irvine

Cyber-physical systems (CPS) play a pivotal role in modern critical infrastructure, spanning sectors such as energy, transportation, healthcare, and manufacturing. These systems combine digital and physical elements, making them susceptible to a new class of threats known as cyber kinetic vulnerabilities. Such vulnerabilities can exploit weaknesses in the cyber world to force physical consequences and pose significant risks to both human safety and infrastructure integrity. This paper presents a novel tool, named Rampo, that can perform binary code analysis to identify cyber kinetic vulnerabilities in CPS. The proposed tool takes as input a Signal Temporal Logic (STL) formula that describes the kinetic effect—i.e., the behavior of the “physical” system—that one wants to avoid. The tool then searches the possible “cyber” trajectories in the binary code that may lead to such “physical” behavior. This search integrates binary code analysis tools and hybrid systems falsification tools using a Counter-Example Guided Abstraction Refinement (CEGAR) approach. In particular, Rampo starts by analyzing the binary code to extract symbolic constraints that represent the different paths in the code. These symbolic constraints are then passed to a Satisfiability Modulo Theories (SMT) solver to extract the range of control signals that can be produced by each of the paths in the code. The next step is to search over possible “physical” trajectories using a hybrid systems falsification tool that adheres to the behavior of the “cyber” paths and yet leads to violations of the STL formula. Since the number of “cyber” paths that need to be explored increases exponentially with the length of “physical” trajectories, we iteratively perform refinement of the “cyber” path constraints based on the previous falsification result and traverse the abstract path tree obtained from the control program to explore the search space of the system.

Enhancing power grid resilience to cyber-physical attacks using distributed retail electricity markets

• Vineet Jagadeesan Nair, Massachusetts Institute of Technology
• Priyank Srivastava, IIT Delhi
• Anuradha Annaswamy, Massachusetts Institute of Technology

We propose using a hierarchical retail market structure to alert and dispatch resources to mitigate cyber-physical attacks on a distribution grid. We simulate attacks where a number of generation nodes in a distribution grid are attacked. We show that the market is able to successfully meet the shortfall between demand and supply by utilizing the flexibility of remaining resources while minimizing any extra power that needs to be imported from the main transmission grid. This includes utilizing upward flexibility or reserves of remaining online generators and some curtailment or shifting of flexible loads, which results in higher costs. Using price signals and market-based coordination, the grid operator can achieve its objectives without direct control over distributed energy resources and is able to accurately compensate prosumers for the grid support they provide.

Vulnerability Analysis for Safe Reinforcement Learning in Cyber-Physical Systems

• Shixiong Jiang, University of Notre Dame
• Mengyu Liu, University of Notre Dame
• Fanxin Kong, University of Notre Dame

Safe reinforcement learning (RL) has been recently employed to train a control policy that maximizes the task reward while satisfying safety constraints in a simulated secure cyber-physical environment. However, the vulnerability of safe RL has been barely studied in an adversarial setting. We argue that understanding the safety vulnerability of learned control policies is essential to achieve true safety in the physical world. To fill this research gap, we first formally define the adversarial safe RL problem and show that the optimal policies are vulnerable under observation perturbations. Then, we propose novel safety violation attacks that induce unsafe behaviors by adversarial models trained using reversed safety constraints. Finally, both theoretically and experimentally, we show that our method is more effective in violating safety than existing adversarial RL works which just seek to decrease the task reward, instead of violating safety constraints.

FAIRO: Fairness-aware Adaptation in Sequential-Decision Making for Human-in-the-Loop Systems

• Tianyu Zhao, University of California, Irvine
• Mojtaba Taherisadr, University of California, Irvine
• Salma Elmalaki, University of California, Irvine

Achieving fairness in sequential-decision making systems within Human-in-the-Loop (HITL) environments is a critical concern, especially when multiple humans with different behavior and expectations are affected by the same adaptation decisions in the system. This human variability factor adds more complexity since policies deemed fair at one point in time may become discriminatory over time due to variations in human preferences resulting from inter- and intra-human variability. This paper addresses the fairness problem from an equity lens, considering human behavior variability, and the changes in human preferences over time. We propose FAIRO, a novel algorithm for fairness-aware sequential-decision making in HITL adaptation, which incorporates these notions into the decision-making process. In particular, FAIRO decomposes this complex fairness task into adaptive sub-tasks based on individual human preferences through leveraging the Options reinforcement learning framework. We design FAIRO to generalize to three types of HITL application setups that have the shared adaptation decision problem. Furthermore, we recognize that fairness-aware policies can sometimes conflict with the application’s utility. To address this challenge, we provide a fairness-utility tradeoff in FAIRO, allowing system designers to balance the objectives of fairness and utility based on specific application requirements. Extensive evaluations of FAIRO on the three HITL applications demonstrate its generalizability and effectiveness in promoting fairness while accounting for human variability. On average, FAIRO can improve fairness compared with other methods across all three applications by 35.36%

Quantitative Safety-Driven Co-Synthesis of Cyber-Physical System Implementations

• Clara Hobbs, University of North Carolina, Chapel Hill
• Shengjie Xu, University of North Carolina, Chapel Hill
• Bineet Ghosh, University of Alabama
• Enrico Fraccaroli, University of North Carolina, Chapel Hill
• Sridhar Duggirala, University of North Carolina, Chapel Hill
• Samarjit Chakraborty, University of North Carolina, Chapel Hill

Feedback controllers form the algorithmic core of many cyber-physical systems (CPSs). They are increasingly becoming computationally expensive for reasons like complex perception processing, and efficiently implementing them on resource constrained platforms-such as those in the automotive domain – while guaranteeing safety is now an important challenge. Current workflows allow control strategies to be designed independently of the implementation environment and require control tasks to meet predetermined deadlines. Embedded systems engineers treat these control tasks as black boxes and focus on meeting all deadlines as the mechanism for ensuring safety. In this paper we argue that deadlines are only a means to an end and should not be treated as “first class citizens.” Instead, the focus should be on high-level safety properties of relevance. Our main technical contribution is a realization of this paradigm shift: given a set of controllers to be implemented on a shared resource, along with their safety properties, we show how to synthesize their implementation that does not necessarily meet all task deadlines, but guarantees all safety specifications. By using quantitative safety properties, we show how multiple controllers sharing a common resource may be co-synthesized, and how to compute the trade-offs on the degree of safety for each controller.

Playground: A Safe Building Operating System

• Xiaohan Fu, University of California, San Diego
• Yihao Liu, Nanyang Technological University
• Jason Koh, Mapped
• Dezhi Hong, Amazon
• Rajesh Gupta, University of California, San Diego
• Gabe Fierro, Colorado School of Mines

Building operating systems are an emerging class of system software that provides services to applications running on commercial buildings. The current state-of-the-art requires applications to be trusted and carefully monitored due to a lack of authorization, access control, and execution isolation mechanisms in existing building operating systems. Proposed solutions do not adequately handle the complexity and scale of modern buildings, therefore impeding the adoption of applications that can enhance energy efficiency, occupant health, comfort, and productivity. This work explores the execution of untrusted user-facing applications in smart building environments with a focus on maintenance and management labor costs, ensuring the practicality and long-term sustainability of adopting such applications. We develop an operating system abstraction for smart buildings, Playground, that incorporates a structured semantic representation of the building to inform the safe, multi-tenant execution of untrusted applications. We use the semantic representation to implement (a) a novel graph-based capability mechanism for fine-grained and expressive access control management, and (b) a resource isolation mechanism with preemptive interventions and passive telemetry-based live resource monitoring. We demonstrate Playground on several real applications in a real building

Formally Verified C Code Generation from Hybrid Communicating Sequential Processes

• Shuling Wang, Chinese Academy of Sciences
• Zekun Ji, Chinese Academy of Sciences
• Bohua Zhan, Chinese Academy of Sciences
• Xiong Xu, Chinese Academy of Sciences
• Qiang Gao, Chinese Academy of Sciences
• Naijun Zhan, Chinese Academy of Sciences

Hybrid Communicating Sequential Processes (HCSP) is a formal model for hybrid systems, including primitives for evolution along an ODE, communication, and parallel composition. Code generation is needed to convert HCSP models into code that can be executed in practice, and the correctness of this conversion is essential to ensure that the generated code accurately reflects the formal model. In this paper, we propose a code generation algorithm from HCSP to C with POSIX library for concurrency. The main difficulties include how to bridge the gap between the synchronized communication model in HCSP and the use of mutexes for synchronization in C, and how to discretize evolution along ODEs and support interrupt of ODE evolution by communication. To prove the correctness of code generation, we define a formal semantics for POSIX C, and build transition system models for both HCSP and C programs. We then define an approximate bisimulation relation between traces of transition systems, and show that under certain robustness conditions for HCSP, the generated C program is approximately bisimilar to the original model. We evaluate the code generation algorithm on a detail model for automatic cruise control, showing its utility on real-world examples.

Sensor Data Transplantation for Redundant Hardware Switchover in Micro Autonomous Vehicles

• Cailani Lemieux Mack, Vanderbilt University
• Kevin Leach, Vanderbilt University
• Kevin Angstadt, St. Lawrence University

As our reliance on micro autonomous vehicles increases, security vulnerabilities and software defects threaten the successful completion of tasks and missions. A recent body of work has developed end-to-end toolchains that provide trusted and resilient operation in the face of defects and attacks. These toolchains enable automatically repairing the control software in the event of a failure. Existing techniques force the subject control software to terminate and the vehicle to be motionless, making the restart or post-repair deployment more complex and slow. There remains a challenge in ensuring that vehicle control software can recover from attacks and defects quickly and safely, even while the target vehicle remains in motion. In this paper, we present a technique for faster, simpler, and seamless hardware switchover that operates while the vehicle is in motion. Our key contribution is the ability to restart the control software post-repair while the vehicle is in motion by transplanting sensor data between onboard control computers to bypass a costly portion of initialization. Although existing checkpoint and restore methods allow software to recover execution at a known-functional state, they are not lightweight enough to support recovery during mission execution. Instead, our approach transplants known-good sensor data from a trusted, isolated execution environment in the onboard computing hardware. Our evaluation successfully reproduces prior simulation results in hardware. Further, sensor transplantation allows for successful initialization while in motion, reduces time-to-ready by 40%, and is robust to variances in sensor readings

A Middle Way to Traffic Enlightenment

• Matthew Nice, Vanderbilt University
• George Gunter, Vanderbilt University
• Junyi Ji, Vanderbilt University
• Yuhang Zhang, Vanderbilt University
• Matthew Bunting, Vanderbilt University
• Will Barbour, Vanderbilt University
• Jonathan Sprinkle, Vanderbilt University
• Dan Work, Vanderbilt University

This paper introduces a novel approach that seeks a middle ground for traffic control in multi-lane congestion, where prevailing traffic speeds are too fast, and speed recommendations designed to dampen traffic waves are too slow. Advanced controllers that modify the speed of an automated car for wave-dampening, eco-driving, or other goals, typically are designed with forward collision safety in mind. Our approach goes further, by considering how dangerous it can be for a controller to drive so slowly relative to prevailing traffic that it creates a significant issue for safety and comfort. This paper explores open-road scenarios where large gaps between prevailing speeds and desired speeds can exist, specifically when infrastructure-based variable speed limit systems are not strictly followed at all times by other drivers. Our designed, implemented, and deployed algorithm is able to follow variable speed limits when others also follow it, avoid collisions with vehicles ahead, and adapt to prevailing traffic when other motorists are traveling well above the posted speeds. The key is to reject unsafe speed recommendations from infrastructure-based traffic smoothing systems, based on real-time local traffic conditions observed by the vehicle under control. This solution is implemented and deployed on two control vehicles in heavy multi-lane highway congestion. The results include analysis from system design, and field tests that validate the system’s performance using an existing Variable Speed Limit system as the external source for speed recommendations, and the on-board sensors of a stock Toyota Rav4 for inputs that estimate the prevailing speed of traffic around the vehicle under control.

An Online Approach to Solving Public Transit Stationing and Dispatch Problem

• Jose Paolo Talusan, Vanderbilt University
• Chaeeun Han, Pennsylvania State University
• Ayan Mukhopadhyay, Vanderbilt University
• Aron Laszka, Pennsylvania State University
• Dan Freudberg, Nashville WeGo
• Abhishek Dubey, Vanderbilt University

Public bus transit systems provide critical transportation services for large sections of modern communities. On-time performance and maintaining the reliable quality of service is therefore very important. Unfortunately, disruptions caused by overcrowding, vehicular failures, and road accidents often lead to service performance degradation. Though transit agencies keep a limited number of vehicles in reserve and dispatch them to relieve the affected routes during disruptions, the procedure is often ad-hoc and has to rely on human experience and intuition to allocate resources (vehicles) to affected trips under uncertainty. In this paper, we describe a principled approach using non-myopic sequential decision procedures to solve the problem and decide (a) if it is advantageous to anticipate problems and proactively station transit buses near areas with high-likelihood of disruptions and (b) decide if and which vehicle to dispatch to a particular problem. Our approach was developed in partnership with Nashville Metropolitan Transportation Authority — WeGo and models the system as a semi-Markov decision problem (solved as a Monte-Carlo tree search procedure) and shows that it is possible to obtain an answer to these two coupled decision problems in a way that maximizes the overall reward (number of people served). We sample many possible futures from generative models, each is assigned to a tree and processed using root parallelization. We validate our approach using 3 years of data from our partner agency. Our experiments show that the proposed framework serves 2% more passengers while reducing deadhead miles by 40%.

Robust Conformal Prediction for STL Runtime Verification under Distribution Shift

• Yiqi Zhao, University of Southern California
• Bardh Hoxha, Toyota
• Georgios Fainekos, Toyota
• Jyotirmoy Deshmukh, University of Southern California
• Lars Lindemann, University of Southern California

Cyber-physical systems (CPS) designed in simulators behave differently in the real-world. We would hence like to predict system failures at runtime, i.e., once they are deployed in the real-world. We propose robust predictive runtime verification (RPRV) algorithms under signal temporal logic (STL) tasks for general stochastic CPS applications. The RPRV problem faces several challenges: (1) there may not be sufficient data of the behavior of the deployed CPS, (2) predictive models are based on a certain distribution over system trajectories encountered during the design phase, i.e., there may be a distribution shift during deployment. To address these challenges, we assume to know the statistical distance (in terms of an f-divergence) between the distributions at the test and design time systems, and we utilize techniques based on robust conformal prediction for uncertainty quantification. Motivated by recent results in [1], we construct a statistically accurate and an interpretable RPRV algorithm. We use a trajectory prediction model to estimate the system behavior at runtime and robust conformal prediction techniques to obtain design-time guarantees and account for distribution shifts at test time. We precisely quantify the relationship between calibration data, desired confidence, and permissible distribution shift. To the best of our knowledge, these are the first statistically valid algorithms under distribution shift in this setting. We empirically validate our algorithms on a Franka manipulator within the NVIDIA Isaac sim environment.

An Online Planning Framework for Heterogeneous Multi-Robot Systems with LTL Specification

• Rohit Singh, IIT Kanpur
• Indranil Saha, IIT Kanpur

We present a framework for deploying a multi-robot system in a dynamic environment where the robots have to react to external events. The specification for the system is given in a sub-class of Linear Temporal Logic (LTL), a widely used logical language for robot motion planning. The LTL specifications capture how the robots should react to different environmental events. We provide a framework for managing the robots through persistent sensing, planning, and monitoring their execution. We formally prove that, under certain assumptions, our framework enables the robots to always satisfy the LTL specifications. Furthermore, we evaluate our technique on two complex use cases using a heterogeneous multi-robot system involving unmanned aerial vehicles (UAVs) and unmanned ground vehicles (UGVs) — one on persistent surveillance of critical infrastructure and the other on production management in a factory. Experimental results establish that our technique is scalable and has the potential to be applicable to diverse applications of heterogeneous multi-robot systems in challenging dynamic environments.

Control over Low-Power Wide-Area Networks

• Aakriti Jain, Wayne State University
• Prashant Modekurthy, University of Nevada, Las Vegas
• Abusayeed Saifullah, Wayne State University

There has been a growing interest to adopt low-power wide-area network technology, especially LoRa, for industrial control applications. Its machine-to-machine communication capabilities can enable management of large-area applications (e.g., oil fields over hundreds of km2) or process plants that are often positioned far from the central operations center, at inconvenient or hazardous locations in difficult terrain or offshore. While recent works have studied real-time communication over LoRa, they have not considered control performance optimization. To optimize control performance, industrial automation needs a co-design of real-time scheduling and control. Such a co-design, in general, is highly challenging due to complex dependencies between control performance, plant dynamics, and real-time communication. Existing co-design approaches for other wireless domains are not applicable to LoRa network. LoRa nodes are extremely power-constrained hindering frequent communication and scale. In this paper, we propose a highly energy-efficient and scalable framework for real-time scheduling and control co-design for a LoRa network. By taking into account LoRa characteristics, the co-design approach entails state-aware communication and control to dynamically update the sampling rates while meeting real-time constraints. To minimize communication and synchronization overhead, the co-design is decomposed through a partitioned scheduling. We consider co-design in each partition of the control loops by developing a new schedulability condition. The co-design solution dynamically determines the sampling rates of the sensors to optimize control performance. Simulations based on NS-3 and a custom control script show that our co-design approach minimizes control cost at least by 80% as compared to the outlined baselines.

FinA: Fairness of Adverse Effects in Decision-Making of Human-Cyber-Physical-System

• Tianyu Zhao, University of California, Irvine
• Salma Elmalaki, University of California, Irvine

Ensuring fairness in decision-making systems within Human-Cyber-Physical-Systems (HCPS) is a pressing concern, particularly when diverse individuals, each with varying behaviors and expectations, coexist within the same application space, influenced by a shared set of control actions in the system. The long-term adverse effects of these actions further pose the challenge, as historical experiences and interactions shape individual perceptions of fairness. This paper addresses the challenge of fairness from an equity perspective of adverse effects, taking into account the dynamic nature of human behavior and evolving preferences while recognizing the lasting impact of adverse effects. We formally introduce the concept of Fairness-in-Adverse-Effects (FinA) within the HCPS context. We put forth a comprehensive set of five formulations for FinA, encompassing both the instantaneous and long-term aspects of adverse effects. To empirically validate the effectiveness of our FinA approach, we conducted an evaluation within the domain of smart homes, a pertinent HCPS application. The outcomes of our evaluation demonstrate that the adoption of FinA significantly enhances the overall perception of fairness among individuals, yielding an average improvement of 66.7% when compared to the state-of-the-art method.

Curating Naturally Adversarial Datasets for Learning-Enabled Medical Cyber-Physical Systems

• Sydney Pugh, University of Pennsylvania
• Ivan Ruchkin, University of Florida
• James Weimer, Vanderbilt University
• Insup Lee, University of Pennsylvania

In medical cyber-physical systems (CPS), where patient safety is a top priority, the robustness of learning-enabled components (LECs) becomes crucial. Therefore, a comprehensive robustness evaluation is necessary for the successful deployment of these systems. Existing research predominantly focuses on robustness to synthetic adversarial examples, crafted by adding imperceptible perturbations to clean input data. However, these synthetic adversarial examples do not accurately reflect the most challenging real-world scenarios, especially in the context of healthcare data. Consequently, robustness to synthetic adversarial examples may not necessarily translate to robustness against naturally occurring adversarial examples. We propose a method to curate datasets comprised of natural adversarial examples to evaluate the robustness of LECs. The method relies on probabilistic labels obtained from automated weakly-supervised labeling that combines noisy and cheap-to-obtain labeling heuristics. Based on these labels, our method adversarially orders the input data and uses this ordering to construct a sequence of increasingly adversarial datasets. Our evaluation on six medical CPS case studies and three non-medical case studies demonstrates the efficacy and statistical validity of our approach to generating naturally adversarial datasets.

ε-Neural Thompson Sampling of Deep Brain Stimulation for Parkinson Disease Treatment

• Hao-Lun Hsu, Duke University
• Qitong Gao, Duke University
• Miroslav Pajic, Duke University

Deep Brain Stimulation (DBS) stands as an effective intervention for alleviating the motor symptoms of Parkinson’s disease (PD). Traditional commercial DBS devices are only able to deliver fixed-frequency periodic pulses to the basal ganglia (BG) regions of the brain, i.e., continuous DBS (cDBS). However, they in general suffer from energy inefficiency and side effects, such as speech impairment. Recent research has focused on adaptive DBS (aDBS) in order to resolve the limitations of cDBS. Specifically, reinforcement learning (RL) based approach has been developed to adapt the frequencies of the stimuli in order to achieve both energy efficiency and treatment efficacy. However, RL approaches in general require significant amount of training data and computational resources, making it intractable to integrate RL policies into real-time embedded systems as needed in aDBS. In contrast, contextual multi-armed bandits (CMAB) in general lead to better sample efficiency compared to RL. In this study, we propose a CMAB solution for aDBS. Specifically, we define the context as the signals capturing irregular neuronal firing activities in the BG regions i.e., beta-band power spectral density), while each `arm’ signifies the (discretized) pulse frequency of the stimulation. Moreover, an ε-greedy strategy is introduced on top of the classic Thompson sampling method, leading to an algorithm called ε-Neural Thompson sampling (ε-NeuralTS), such that the learned CMAB policy can better balance exploration and exploitation of the BG environment. The ε-NeuralTS algorithm is tested over a computation BG model, resembling the neuronal activities in PD patients’ brains. The results show that our method outperforms both existing cDBS methods, as well as the baselines that do not use the ε-greedy strategy as introduced by our method (i.e. the vanilla Thompson sampling method).

Towards Deterministic End-to-end Latency for Medical AI Systems in NVIDIA Holoscan

• Soham Sinha, Nvidia
• Shekhar Dwivedi, Nvidia
• Mahdi Azizian, Nvidia

The introduction of AI and ML technologies into medical devices has revolutionized healthcare diagnostics and treatments. Medical device manufacturers are keen to maximize the advantages afforded by AI and ML by consolidating multiple applications onto a single platform. However, concurrent execution of several AI applications, each with their own visualization components, leads to unpredictable end-to-end latency, primarily due to GPU resource contentions. To mitigate this, manufacturers typically deploy separate workstations for distinct AI applications, thereby increasing financial, energy, and maintenance costs. This paper addresses these challenges within the context of NVIDIA’s Holoscan platform, a real-time AI system for streaming sensor data and images. We propose a system design optimized for partitioning heterogeneous GPU workloads, encompassing both compute and graphics tasks. Our design leverages CUDA MPS for spatial partitioning of compute workloads and isolates compute and graphics processing onto separate GPUs. We demonstrate significant performance improvements across various end-to-end latency determinism metrics through empirical evaluation with real-world Holoscan medical device applications. For instance, the proposed design reduces maximum latency by 21–30\% and improves latency distribution flatness by 17–25% for up to five concurrent endoscopy tool tracking AI applications, compared to a single-GPU baseline. Against a default multi-GPU setup, our optimizations decrease maximum latency by 35% for up to six concurrent applications by improving GPU utilization by 42%. This paper provides clear design insights for AI applications in the edge-computing domain including medical systems, where performance predictability of concurrent and heterogeneous GPU workloads is a critical requirement.

Control Corruption without Firmware Infection: Stealthy Attacks via PLC Hardware Implants

• Mingbo Zhang, Hexin Science And Technology
• Saman Zonouz, Georgia Tech

Critical infrastructures, e.g., power grids, are vital to national security, and their failure would have a significant impact on people’s daily lives on a large scale. They are often automated and computer-controlled and are under emerging advanced persistent threat (APT) attacks. The programmable logic controllers (PLCs) are the neurons that control the physical system. In most APT attacks, usually, a stealthy backdoor is the core that allows the attacker to hide in the dark without being detected and launch remote malicious operations at a particular moment. However, to achieve further stealthiness and bypass existing software mitigations, it needs to evolve from high-level software into low-level hardware. This paper presents MALTAG, a small parasitical hardware implant that attaches to the PLC’s circuit board. Using MALTAG, the attacker can control the PLC remotely by hijacking the various buses on the boards and modifying the digital signal. This attack can be deployed either during the supply chain or stealthily installed in remote plants. The hardware implant contains a cellular chip that provides a remote control channel to allow the attacker to organize a multi-point distributed attack by controlling several PLCs simultaneously on an interconnected physical plant. We have implemented and evaluated MALTAG on popular and widely deployed Allen Bradley PLCs. The results show that such a hardware backdoor does not change the firmware, thus no integrity violation. MALTAG also induces almost no overhead to the system, thus not affecting the runtime of the PLC. It can secretly change the PLC’s outputs to actuators and/or inputs from sensors without leaving any trace. Furthermore, the attacker can even penetrate air-gapped networks communicating with MALTAG and conduct a simultaneous attack with multiple controlled nodes.

Unsafe Events Detection in Smart Water Meter Infrastructure via Noise-Resilient Learning

• Ayanfeoluwa Oluyomi, Missouri S&T
• Sahar Abedzadeh, Western Michigan University
• Shameek Bhattacharjee, Western Michigan University
• Sajal Das, Missouri S&T

Smart water meters (SWM) in residential premises collect real-time water consumption data, enabling automated billing and peak period forecasting. The presence of unsafe events such as SWM malfunctions, intermittent RF connectivity issues, third-party data software issues, and negative values attributed to SWM malfunctions or water flowing backwards, can be detected by understanding deviations of current water usage patterns from the expected ranges of normal water usage within an hour. However profiling the benign behavior of water usage for large scale water metering networks is non-trivial because once deployed, the collected data already contains these events while trying to characterize an invariant that specifies benign behavior. To solve this challenge, this paper proposes a real-time, data-driven event detection framework for city-scale SWM infrastructure. We first proposed a residency similarity recognition framework for optimal temporal clustering of house water meters based on the similarity of water usage between the houses. We then proposed an invariant metric based on the absolute difference between a negative and positive order of the generalized mean. Thirdly, we developed a robust threshold based on Hampel three-part function that is able to establish the expected ranges of benign profile in the presence of unsafe events while training for benign pattern. We observed that the model was able to generalize to unseen events in the test set containing unsafe events, even when learning was from noisy data containing such events. Experimental validation of this approach was conducted using a dataset from Smart Water Meters in Alicante, Spain, demonstrating the effectiveness of the detection model in detecting these events.

Optimal Runtime Assurance via Reinforcement Learning

• Kristina Miller, University of Illinois Urbana-Champaign
• Chris Zeitler RationalCyPhy
• William Shen, University of Illinois Urbana-Champaign
• Kerianne Hobbs, Air Force Research Laboratory
• Sayan Mitra, University of Illinois Urbana-Champaign
• John Schierman, Air Force Research Laboratory
• Mahesh Viswanathan, University of Illinois Urbana-Champaign

AI and Machine Learning could enhance autonomous systems provided the risk of safety violations could be mitigated. Specific instances of runtime assurance (RTA) have been successful in safely testing untrusted, learning-enabled controllers, but, a general design methodology for RTA remains a challenge. The problem is to create a logic that assures safety by switching to a safety (or backup) controller as needed, while maximizing a performance criteria, such as the utilization of the untrusted controller. Existing RTA design strategies are well-known to be overly conservative and can lead to safety violations. In this paper, we formulate the optimal RTA design problem and present an approach for solving it. Our approach relies on reward shaping and reinforcement learning. It can guarantee safety and leverage machine learning technologies for scalability. We have implemented this algorithm and present experimental results on challenging scenarios involving aircraft models in 3D space with complex safety requirements. Our experimental results suggest that this approach can guarantee safety while increasing utilization of the experimental controller over existing approaches.