No Arabic abstract
Opacity, as an important property in information-flow security, characterizes the ability of a system to keep some secret information from an intruder. In discrete-event systems, based on a standard setting in which an intruder has the complete knowledge of the systems structure, the standa
The problem of state estimation in the setting of partially-observed discrete event systems subject to cyber attacks is considered. An operator observes a plant through a natural projection that hides the occurrence of certain events. The objective of the operator is that of estimating the current state of the system. The observation is corrupted by an attacker which can insert and erase some sensor readings with the aim of altering the state estimation of the operator. Furthermore, the attacker wants to remain stealthy, namely the operator should not realize that its observation has been corrupted. An automaton, called attack structure, is defined to describe the set of all possible attacks. In more details, first, an unbounded attack structure is obtained by concurrent composition of two state observers, the attacker observer and the operator observer. Then, the attack structure is refined to obtain a supremal stealthy attack substructure. An attack function may be selected from the supremal stealthy attack substructure and it is said harmful when some malicious goal of the attacker is reached, namely if the set of states consistent with the observation produced by the system and the set of states consistent with the corrupted observation belong to a given relation. The proposed approach can be dually used to verify if there exists a harmful attack for the given system: this allows one to establish if the system is safe under attack.
The security in information-flow has become a major concern for cyber-physical systems (CPSs). In this work, we focus on the analysis of an information-flow security property, called opacity. Opacity characterizes the plausible deniability of a systems secret in the presence of a malicious outside intruder. We propose a methodology of checking a notion of opacity, called approximate initial-state opacity, for networks of discrete-time switched systems. Our framework relies on compositional constructions of finite abstractions for networks of switched systems and their so-called approximate initial-state opacity-preserving simulation functions (InitSOPSFs). Those functions characterize how close concrete networks and their finite abstractions are in terms of the satisfaction of approximate initial-state opacity. We show that such InitSOPSFs can be obtained compositionally by assuming some small-gain type conditions and composing so-called local InitSOPSFs constructed for each subsystem separately. Additionally, assuming certain stability property of switched systems, we also provide a technique on constructing their finite abstractions together with the corresponding local InitSOPSFs. Finally, we illustrate the effectiveness of our results through an example.
Recently we developed supervisor localization, a top-down approach to distributed control of discrete-event systems in the Ramadge-Wonham supervisory control framework. Its essence is the decomposition of monolithic (global) control action into local control strategies for the individual agents. In this paper, we establish a counterpart supervisor localization theory in the framework of State Tree Structures, known to be efficient for control design of very large systems. In the new framework, we introduce the new concepts of local state tracker, local control function, and state-based local-global control equivalence. As before, we prove that the collective localized control behavior is identical to the monolithic optimal (i.e. maximally permissive) and nonblocking controlled behavior. In addition, we propose a new and more efficient localization algorithm which exploits BDD computation. Finally we demonstrate our localization approach on a model for a complex semiconductor manufacturing system.
Among notions of detectability for a discrete-event system (DES), strong detectability implies that after a finite number of observations to every output/label sequence generated by the DES, the current state can be uniquely determined. This notion is strong so that by using it the current state can be easily determined. In order to keep the advantage of strong detectability and weaken its disadvantage, we can additionally take some subsequent outputs into account in order to determine the current state. Such a modified observation will make some DES that is not strongly detectable become strongly detectable in a weaker sense, which we call {it $K$-delayed strong detectability} if we observe at least $K$ outputs after the time at which the state need to be determined. In this paper, we study $K$-delayed strong detectability for DESs modeled by finite-state automata (FSAs), and give a polynomial-time verification algorithm by using a novel concurrent-composition method. Note that the algorithm applies to all FSAs. Also by the method, an upper bound for $K$ has been found, and we also obtain polynomial-time verification algorithms for $(k_1,k_2)$-detectability and $(k_1,k_2)$-D-detectability of FSAs firstly studied by [Shu and Lin, 2013]. Our algorithms run in quartic polynomial time and apply to all FSAs, are more effective than the sextic polynomial-time verification algorithms given by [Shu and Lin 2013] based on the usual assumptions of deadlock-freeness and having no unobservable reachable cycle. Finally, we obtain polynomial-time synthesis algorithms for enforcing delayed strong detectability, which are more effective than the exponential-time synthesis algorithms in the supervisory control framework in the literature.
This paper deals with the state estimation problem in discrete-event systems modeled with nondeterministic finite automata, partially observed via a sensor measuring unit whose measurements (reported observations) may be vitiated by a malicious attacker. The attacks considered in this paper include arbitrary deletions, insertions, or substitutions of observed symbols by taking into account a bounded number of attacks or, more generally, a total cost constraint (assuming that each deletion, insertion, or substitution bears a positive cost to the attacker). An efficient approach is proposed to describe possible sequences of observations that match the one received by the measuring unit, as well as their corresponding state estimates and associated total costs. We develop an algorithm to obtain the least-cost matching sequences by reconstructing only a finite number of possible sequences, which we subsequently use to efficiently perform state estimation. We also develop a technique for verifying tamper-tolerant diagnosability under attacks that involve a bounded number of deletions, insertions, and substitutions (or, more generally, under attacks of bounded total cost) by using a novel structure obtained by attaching attacks and costs to the original plant. The overall construction and verification procedure have complexity that is of O(|X|^2 C^2),where |X| is the number of states of the given finite automaton and C is the maximum total cost that is allowed for all the deletions, insertions, and substitutions. We determine the minimum value of C such that the attacker can coordinate its tampering action to keep the observer indefinitely confused while utilizing a finite number of attacks. Several examples are presented to demonstrate the proposed methods.