Secure estimator design for Lur'e-type systems with nonuniformly and synchronously sampled measurements under attacks [extended version]
Pith reviewed 2026-05-08 07:41 UTC · model grok-4.3
The pith
Secure estimator for Lur'e systems delivers state estimates whose accuracy does not depend on attack signals when fewer than half the sensors are compromised and sampling intervals stay bounded.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper claims that for Lur'e-type systems with synchronously sampled outputs, an appropriately designed observer produces state estimates whose error remains bounded by a quantity independent of any attack signals injected into the sensors, as long as the number of attacked sensors is strictly less than half the total and every inter-sample interval is bounded above. Convergence follows from representing the closed-loop error system as an impulsive dynamical system and showing that the resulting trajectories stay within an attack-independent ultimate bound. The observer parameters that achieve this property are found by solving a set of linear matrix inequalities.
What carries the argument
Impulsive system model of the estimation error dynamics, together with linear matrix inequalities that certify stability and yield an explicit attack-independent error bound.
If this is right
- The estimation error converges to a ball whose radius does not increase with the magnitude of the attacks.
- Observer gains are obtained by solving a finite set of linear matrix inequalities.
- The guarantee holds for any sequence of sampling instants whose maximum gap is finite, not only for periodic sampling.
- The same estimator can be used for power-grid state monitoring when sensor data arrive at irregular but bounded intervals.
Where Pith is reading between the lines
- The same impulsive-system technique could be applied to other nonlinear classes if their error equations can be written in impulsive form.
- In networked control settings the result suggests that attack detection may not be required for keeping estimation error bounded.
- One could examine how the allowable attack fraction and the maximum sampling interval trade off against each other in the LMI conditions.
- Hardware experiments on actual grid sensors would test whether the derived error bound remains realistic under real sampling jitter.
Load-bearing premise
Strictly fewer than half the sensors are under attack and all intervals between samples are bounded from above by a fixed positive number.
What would settle it
A numerical simulation on a Lur'e system satisfying the LMI conditions in which an attack on 49 percent of the sensors with arbitrary signals causes the estimation error to exceed the predicted bound while all inter-sample times remain below the design limit.
Original abstract
Motivated by the need for real-time health monitoring of power distribution grids, we propose a secure state estimator design for continuous time Lur'e type systems with non-uniformly and synchronously sampled outputs which have potentially been maliciously corrupted. The secure state estimator provides state estimates with accuracy independent of the sensor attack, when less than half of the sensors are under attack and when all inter-sample times are upper bounded. We show convergence of the state estimation error under an impulsive system framework and provide an upper bound on the estimation error that is independent of the attack signals. The stability conditions are formulated as linear matrix inequalities, which can be used to design the observer parameters. We demonstrate the capabilities of the proposed secure state estimator on a low-voltage power distribution grid.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a secure state estimator for continuous-time Lur'e-type systems subject to nonuniform but synchronously sampled outputs that may be maliciously corrupted. It claims that, provided fewer than half the sensors are attacked and all inter-sample intervals are upper-bounded, the estimation error converges to a bound that is independent of the attack signals. The analysis models the error dynamics as an impulsive system, derives LMI stability conditions for the observer gains, and illustrates the design on a low-voltage power-distribution-grid example.
Significance. If the central claim holds, the work supplies a practical, LMI-based design procedure for attack-resilient observers in sampled-data Lur'e systems, with an explicit attack-independent error bound. This is relevant to cyber-physical applications such as power-grid monitoring. The impulsive-system treatment of nonuniform synchronous sampling is a methodological strength, and the LMI formulation permits direct computation of observer parameters. The grid example provides concrete evidence of applicability.
major comments (2)
- [§4] §4 (impulsive error dynamics and LMI derivation): the stability LMIs are stated for the closed-loop error system, yet the jump map at each sampling instant depends on the specific subset of attacked sensors. The manuscript does not indicate that the LMIs (or an equivalent max/relaxation) have been verified to hold uniformly over every admissible attack pattern with cardinality less than half the total sensors. Because the attack-independent error bound is the central claim, this verification is load-bearing; without it the guarantee applies only to the nominal or a fixed convex combination of jump matrices rather than to every possible corrupted measurement vector.
- [Theorem 1] Theorem 1 (or equivalent main stability result): the upper bound on the estimation error is asserted to be independent of the attack signals. The proof sketch relies on a common Lyapunov function for the impulsive system, but it is not shown that the decay rate and jump contraction remain uniform when the output injection matrix is replaced by its worst-case attacked version. A concrete counter-example or explicit max-norm argument over the admissible attack sets would be required to close this gap.
minor comments (2)
- [§2] Notation for the attack vector and the selection matrix that encodes which sensors are corrupted should be introduced once and used consistently; currently the same symbol appears to be overloaded between the continuous-time plant and the discrete jump map.
- [§5] Figure 3 (grid simulation): the legend and axis labels are too small for print; enlarge or add a separate table of numerical error bounds under the two attack scenarios shown.
Simulated Author's Rebuttal
We thank the referee for the careful reading and constructive comments on the stability analysis. We address each major comment below, clarifying the uniformity arguments and indicating where the manuscript will be revised for greater rigor.
- Referee: [§4] §4 (impulsive error dynamics and LMI derivation): the stability LMIs are stated for the closed-loop error system, yet the jump map at each sampling instant depends on the specific subset of attacked sensors. The manuscript does not indicate that the LMIs (or an equivalent max/relaxation) have been verified to hold uniformly over every admissible attack pattern with cardinality less than half the total sensors. Because the attack-independent error bound is the central claim, this verification is load-bearing; without it the guarantee applies only to the nominal or a fixed convex combination of jump matrices rather than to every possible corrupted measurement vector.
Authors: We agree that explicit uniformity over all admissible attack patterns (subsets of cardinality less than half the sensors) is essential to support the attack-independent bound. The LMI conditions in §4 were obtained from a common quadratic Lyapunov function for the impulsive error dynamics, with the observer gain L designed so that the jump contraction holds whenever fewer than half the sensors are corrupted. However, the manuscript does not explicitly state or verify that the same LMI remains feasible (or that an equivalent relaxation applies) for every possible attacked output matrix. In the revised version we will add a dedicated remark together with a short supplementary argument showing that the LMI implies a uniform upper bound on the jump operator norm over the admissible attack sets; this follows from the sensor redundancy and the fact that the effective output-injection term can be bounded independently of which specific subset is attacked. revision: yes
- Referee: [Theorem 1] Theorem 1 (or equivalent main stability result): the upper bound on the estimation error is asserted to be independent of the attack signals. The proof sketch relies on a common Lyapunov function for the impulsive system, but it is not shown that the decay rate and jump contraction remain uniform when the output injection matrix is replaced by its worst-case attacked version. A concrete counter-example or explicit max-norm argument over the admissible attack sets would be required to close this gap.
Authors: The proof of Theorem 1 employs a single Lyapunov function V(e) = e^T P e whose decrease along flows is attack-independent (attacks affect only the discrete jumps). The continuous-time decay rate is therefore uniform. For the jumps, the contraction factor is controlled by the LMI-derived bound on ||I - L C_S|| for every admissible attack set S. While the manuscript asserts that this contraction is strictly less than one, it does not explicitly invoke a max-norm argument over all possible S. In the revision we will insert a short paragraph that explicitly takes the maximum over the finite collection of admissible jump matrices and shows that the LMI guarantees the same uniform contraction factor for every such matrix; this directly establishes that both the decay rate and the jump contraction (hence the ultimate error bound) are independent of the particular attack signals. revision: yes
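The exhaustive check the rebuttal promises (a maximum over the finite collection of admissible jump matrices) can be run directly; the following is an added example, not code from the paper or from this page. It assumes C_S is C with the attacked sensors' rows zeroed, and the matrices P, L, C and the factors rho are constructed toy values.

```python
from itertools import combinations

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) for c in zip(*B)] for r in A]

def is_pos_def(M, tol=1e-12):
    """Cholesky test: True iff the symmetric matrix M is positive definite."""
    n = len(M)
    G = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = M[i][j] - sum(G[i][k] * G[j][k] for k in range(j))
            if i == j:
                if s <= tol:
                    return False
                G[i][i] = s ** 0.5
            else:
                G[i][j] = s / G[j][j]
    return True

def admissible_sets(p):
    """Every attacked-sensor index set S with |S| strictly below p/2."""
    return [S for k in range(p) if 2 * k < p for S in combinations(range(p), k)]

def jump_matrix(L, C, S):
    """I - L C_S; assumes C_S is C with the rows of sensors in S zeroed."""
    C_S = [[0.0] * len(row) if i in S else row for i, row in enumerate(C)]
    LC = matmul(L, C_S)
    n = len(LC)
    return [[float(i == j) - LC[i][j] for j in range(n)] for i in range(n)]

def violating_sets(P, L, C, rho):
    """Sets S for which rho^2 P - J_S^T P J_S fails to be positive definite."""
    n, bad = len(P), []
    for S in admissible_sets(len(C)):
        J = jump_matrix(L, C, S)
        JPJ = matmul([list(r) for r in zip(*J)], matmul(P, J))
        M = [[rho**2 * P[i][j] - JPJ[i][j] for j in range(n)] for i in range(n)]
        if not is_pos_def(M):
            bad.append(S)
    return bad

# Constructed toy data: 2 states, 6 sensors (0-2 read x1, 3-5 read x2).
C = [[1.0, 0.0]] * 3 + [[0.0, 1.0]] * 3
L = [[0.5] * 3 + [0.0] * 3, [0.0] * 3 + [0.5] * 3]
P = [[2.0, 0.0], [0.0, 1.0]]

if __name__ == "__main__":
    print("rho=0.6:", violating_sets(P, L, C, 0.6))
    print("rho=0.4:", len(violating_sets(P, L, C, 0.4)), "violations")
```

In this toy model, excluding exactly half the sensors (for example indices 0, 1, 2) leaves a unit diagonal entry in `jump_matrix`, so no contraction factor below one exists once the strictly-fewer-than-half premise is dropped.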
Circularity Check
No circularity: standard LMI derivation for impulsive error system
The paper models the estimation error as an impulsive system with jumps at synchronous sampling instants and derives stability via LMIs to obtain an attack-independent error bound under the assumption that fewer than half the sensors are attacked. No quoted equations or steps reduce the claimed bound or stability condition to a self-definition, a fitted input renamed as a prediction, or a self-citation chain. The LMI conditions are presented as a design tool derived from the impulsive dynamics, keeping the central result independent of its own outputs. This is the expected non-finding for a paper using established Lyapunov/LMI techniques on a well-posed model.
Axiom & Free-Parameter Ledger
free parameters (1)
- observer gains
axioms (2)
- domain assumption: System belongs to the Lur'e class with sector-bounded nonlinearity
- domain assumption: Sampling is synchronous across sensors with bounded inter-sample times
Reference graph
Works this paper leans on
- [1] Arcak, M. and Nešić, D. (2004). A framework for nonlinear sampled-data observer design via approximate discrete-time models and emulation. Automatica, 40(11), 1931–1938. doi: https://doi.org/10.1016/j.automatica.2004.06.004. Baran, M. and Wu, F. (1989). Network reconfiguration in distribution systems for loss reduction and load balancing. IEEE Transact...
- [2] We now show that $U(\xi,\tau)$ is a valid Lyapunov function according to Theorem 1 in Naghshtabrizi et al. (2008). For the constants $a_U = \lambda_{\min}(P_1)$ and $\bar{a}_U = \max\{\lambda_{\max}(P_1),\ \bar{T}^2\lambda_{\max}(P_2),\ \bar{T}\lambda_{\max}(P_3)\}$ it holds that $a_U|\xi|^2 \le U(\xi,\tau) \le \bar{a}_U|\xi|^2$, (A.5) which shows that $U(\xi,\tau)$ is positive definite. Next, we analyze $U(\xi,\tau)$ at sampling times $t \in D$: $V_1$ remains ...