Wei Duan,Christoforos N. Hadjicostis,Zhiwu Li

DOI: https://doi.org/10.1016/j.ins.2024.121554

IF: 8.1

2024-10-20

Information Sciences

Abstract:In this paper, we study the problem of simultaneous public event information release and private event information hiding in discrete event systems modeled by partially observed non-deterministic finite automata, where the public and private event information is respectively defined as unobservable fault and secret events. The notion of D-C-compossibility is introduced to characterize whether a system simultaneously conceals the occurrences of secret events while releasing the occurrences of fault events. When such a property does not hold, we investigate its enforcement through a defensive function. This function takes each observable event of a system as input and generates a suitably modified event sequence at the system's output using event deletion, insertion, or substitution. Specifically, our focus is on prioritizing the concealment of the secret events while maximizing the detection of the fault events through the use of defensive functions. The notion of D-C-enforceability that refers to the capability of a defensive function to employ a strategy for manipulating observations of a system to enforce D - C -compossibility is proposed. That is, a D - C -enforcing defensive function ensures that all occurrences of fault events can be revealed while concealing all occurrences of secret events. A D - C -diagnoser construction is proposed to enumerate all feasible defensive actions following system behavior. By taking advantage of the D - C -diagnoser, we obtain a necessary and sufficient condition for D - C -enforceability, along with a corresponding obfuscation strategy for defensive functions.

computer science, information systems

Wei Duan,Ruotian Liu,Maria Pia Fanti,Christoforos N. Hadjicostis,Zhiwu Li

2024-10-11

Abstract:As an information-flow privacy property, opacity characterizes whether a malicious external observer (referred to as an intruder) is able to infer the secret behavior of a system. This paper addresses the problem of opacity enforcement using edit functions in discrete event systems modeled by partially observed deterministic finite automata. A defender uses the edit function as an interface at the output of a system to manipulate actual observations through insertion, substitution, and deletion operations so that the intruder will be prevented from inferring the secret behavior of the system. Unlike existing work which usually assumes that the observation capabilities of the intruder and the defender are identical, we consider a more general setting where they may observe incomparable subsets of events generated by the <a class="link-external link-http" href="http://system.To" rel="external noopener nofollow">this http URL</a> characterize whether the defender has the ability to enforce opacity of the system under this setting, the notion of \emph{$ic$-enforceability} is introduced. Then, the opacity enforcement problem is transformed to a two-player game, with imperfect information between the system and the defender, which can be used to determine a feasible decision-making strategy for the defender. Within the game scheme, an edit mechanism is constructed to enumerate all feasible edit actions following system behavior. We further show that an $ic$-enforcing edit function (if one exists) can be synthesized from the edit mechanism to enforce opacity.

Formal Languages and Automata Theory,Systems and Control

Kuize Zhang

DOI: https://doi.org/10.48550/arXiv.2111.02824

2021-11-23

Abstract:Discrete-event systems usually consist of discrete states and transitions between them caused by spontaneous occurrences of labelled (aka partially-observed) events. Due to the partially-observed feature, fundamental properties therein could be classified into two categories: state/event-inference-based properties (e.g., strong detectability, diagnosability, and predictability) and state-concealment-based properties (e.g., opacity). Intuitively, the former category describes whether one can use observed output sequences to infer the current and subsequent states, past occurrences of faulty events, or future certain occurrences of faulty events; while the latter describes whether one cannot use observed output sequences to infer whether some secret states have been visited (that is, whether the DES can conceal the status that its secret states have been visited). Over the past two decades these properties were studied separately using different methods. In this review article, for labeled finite-state automata, a unified concurrent-composition method is shown to verify all above inference-based properties and concealment-based properties, resulting in a unified mathematical framework for the two categories of properties. In addition, compared with the previous methods in the literature, the concurrent-composition method does not depend on assumptions and is more efficient.

Systems and Control,Cryptography and Security

Qi Zhang,Zhiwu Li,Carla Seatzu,Alessandro Giua

DOI: https://doi.org/10.1109/etfa.2018.8502501

2018-01-01

Abstract:The problem of stealthy attacks for partially-observed discrete event systems is considered. An operator observes the plant through an observation mask that does not allow him to detect the occurrence of certain events (silent events). The observation is corrupted by an intruder who can insert and erase some sensor readings. We construct an attack structure A which guarantees that, when the plant reaches an unsafe state, A can make the operator think that the plant is in a safe state. Based on A, we can obtain a stealthy attack structure As by simply removing from A all the exposing states, all the weakly exposing states and their input and output arcs. The stealthy attack structure As only contains the possible attacks that can not be detected by the operator.

Xiaoyan Li,Christoforos N. Hadjicostis,Zhiwu Li

DOI: https://doi.org/10.1109/tac.2021.3121249

IF: 6.549

2021-01-01

IEEE Transactions on Automatic Control

Abstract:Opacity is a confidentiality property that holds if certain secret behavior of a system, typically represented by a predicate, cannot be revealed under any system evolution. Among other proposed methodologies, when opacity is violated, it can be enforced using insertion mechanisms, i.e., by inserting symbols before an actual system output (in real time as the system evolves) in order to replace observation sequences that lead to opacity violations with observation sequences that can be generated by system behavior that does not violate opacity. This article focuses on opacity enforcement in discrete-event systems modeled with finite-state automata and proposes an extended insertion mechanism that can enforce opacity in a practical manner to a wide class of systems by inserting symbols before and after an actual system output. This article also introduces event insertion constraints that require only certain specific symbols to be inserted before and after an actual system output. For each case, we obtain a necessary and sufficient condition (based on the construction of an appropriate verifier) for opacity enforceability using the proposed extended insertion mechanism and devise a pertinent extended insertion strategy.

automation & control systems,engineering, electrical & electronic

Bohan Cui,Ziyue Ma,Shaoyuan Li,Xiang Yin

2024-09-10

Abstract:In this paper, we investigate the property verification problem for partially-observed DES from a new perspective. Specifically, we consider the problem setting where the system is observed by two agents independently, each with its own observation. The purpose of the first agent, referred to as the low-level observer, is to infer the actual behavior of the system, while the second, referred to as the high-level observer, aims to infer the knowledge of Agent 1 regarding the system. We present a general notion called the epistemic property capturing the inference from the high-level observer to the low-level observer. A typical instance of this definition is the notion of high-order opacity, which specifies that the intruder does not know that the system knows some critical information. This formalization is very general and supports any user-defined information-state-based knowledge between the two observers. We demonstrate how the general definition of epistemic properties can be applied in different problem settings such as information leakage diagnosis or tactical cooperation without explicit communications. Finally, we provide a systematic approach for the verification of epistemic properties. Particularly, we identify some fragments of epistemic properties that can be verified more efficiently.

Systems and Control

Xiaoyan Li,Christoforos N. Hadjicostis,Zhiwu Li

DOI: https://doi.org/10.1109/tac.2023.3239433

IF: 6.549

2023-01-01

IEEE Transactions on Automatic Control

Abstract:Opacity is a confidentiality property capturing the fact that certain secret behavior of a system cannot be revealed under any system evolution. Current-state opacity can be enforced by using an extended insertion mechanism, which is capable of inserting fake symbols before and after an actual output, in real time as the system evolves. This paper studies the enforcement of current-state opacity for systems modeled by finite state automata using an extended insertion strategy under constraints on the way symbols can be inserted before and after an actual symbol generated by the system (e.g., constraints on the type, order, and number of inserted symbols). More specifically, we consider inserted language constraints captured by the notion of $(L_{b},L_{a})$-enforceability, where $L_{b}$ is the set of strings that can be inserted before, and $L_{a}$ is the set of strings that can be inserted after an observed event. If $L_{b}$ and $L_{a}$ are regular languages, a verifier is constructed to derive a necessary and sufficient condition for opacity enforceability, and also to formulate an extended insertion strategy (if viable).

automation & control systems,engineering, electrical & electronic

Jie Zhang,Zhiwu Li

DOI: https://doi.org/10.3390/math12233842

IF: 2.4

2024-12-07

Mathematics

Abstract:In the context of discrete event systems (DESs), critical states usually refer to a system configuration of interest, describing certain important system properties, e.g., fault diagnosability, state/language opacity, and state/event concealment. Technically, a DES is critically observable if an intruder can always unambiguously infer, by observing the system output, whether the plant is currently in a predefined set of critical states or the current state set is disjointed with the critical states. In this paper, given a partially observable DES modeled with a finite-state automaton that is not critically observable, we focus on how to make it critically observable, which is achieved by proposing a novel enforcement mechanism based on differential privacy (DP). Specifically, we consider two observations where one observation cannot determine whether a system is currently in the predefined critical states (i.e., the observation violating the critical observability) while the other is randomly generated by the system. When these two observations are processed separately by the differential privacy mechanism (DPM), the system generates an output, exposed to the intruder, that is randomly modified such that its probability approximates the two observations. In other words, the intruder cannot determine the original input of a system by observing its output. In this way, even if the utilized DPM is published to the intruder, they are unable to identify whether critical observability is violated.

mathematics

Kuize Zhang

DOI: https://doi.org/10.48550/arXiv.2001.04729

2020-01-14

Optimization and Control

Abstract:The state inference problem and fault diagnosis/prediction problem are fundamental topics in many areas. In this paper, we consider discrete-event systems (DESs) modeled by finite-state automata (FSAs). There exist results for decentralized versions of the latter problem but there is almost no result for a decentralized version of the former problem. We propose a decentralized version of strong detectability called co-detectability which implies that once a system satisfies this property, for each generated infinite-length event sequence, at least one local observer can determine the current and subsequent states after a common observation time delay. We prove that the problem of verifying co-detectability of FSAs is coNP-hard. Moreover, we use a unified concurrent-composition method to give PSPACE verification algorithms for co-detectability, co-diagnosability, and co-predictability of FSAs, without any assumption or modifying the FSAs under consideration, where co-diagnosability is firstly studied by [Debouk & Lafortune & Teneketzis 2000], while co-predictability is firstly studied by [Kumar \& Takai 2010]. By our proposed unified method, one can see that in order to verify co-detectability, more technical difficulties will be met compared to verifying the other two properties, because in co-detectability, generated outputs are counted, but in the latter two properties, only occurrences of events are counted. For example, when one output was generated, any number of unobservable events could have occurred. The PSPACE-hardness of verifying co-diagnosability is already known in the literature. In this paper, we prove the PSPACE-hardness of verifying co-predictability.

Yuting Li,Christoforos N. Hadjicostis,Naiqi Wu,Zhiwu Li

DOI: https://doi.org/10.48550/arXiv.2011.01371

2020-11-03

Abstract:This paper deals with the state estimation problem in discrete-event systems modeled with nondeterministic finite automata, partially observed via a sensor measuring unit whose measurements (reported observations) may be vitiated by a malicious attacker. The attacks considered in this paper include arbitrary deletions, insertions, or substitutions of observed symbols by taking into account a bounded number of attacks or, more generally, a total cost constraint (assuming that each deletion, insertion, or substitution bears a positive cost to the attacker). An efficient approach is proposed to describe possible sequences of observations that match the one received by the measuring unit, as well as their corresponding state estimates and associated total costs. We develop an algorithm to obtain the least-cost matching sequences by reconstructing only a finite number of possible sequences, which we subsequently use to efficiently perform state estimation. We also develop a technique for verifying tamper-tolerant diagnosability under attacks that involve a bounded number of deletions, insertions, and substitutions (or, more generally, under attacks of bounded total cost) by using a novel structure obtained by attaching attacks and costs to the original plant. The overall construction and verification procedure have complexity that is of O(|X|^2 C^2),where |X| is the number of states of the given finite automaton and C is the maximum total cost that is allowed for all the deletions, insertions, and substitutions. We determine the minimum value of C such that the attacker can coordinate its tampering action to keep the observer indefinitely confused while utilizing a finite number of attacks. Several examples are presented to demonstrate the proposed methods.

Information Theory

Weilin Deng,Daowen Qiu,Jingkai Yang

2023-07-08

Abstract:Finite automata (FAs) model is a popular tool to characterize discrete event systems (DESs) due to its succinctness. However, for some complex systems, it is difficult to describe the necessary details by means of FAs model. In this paper, we consider a kind of extended finite automata (EFAs) in which each transition carries a predicate over state and event parameters. We also consider a type of simplified EFAs, called Event-Parameters EFAs (EP-EFAs), where the state parameters are removed. Based upon these two parametric models, we investigate the problem of opacity analysis for parametric DESs. First of all, it is shown that EFAs model is more expressive than EP-EFAs model. Secondly, it is proved that the opacity properties for EFAs are undecidable in general. Moreover, the decidable opacity properties for EP-EFAs are investigated. We present the verification algorithms for current-state opacity, initial-state opacity and infinite-step opacity, and then discuss the complexity. This paper establishes a preliminary theory for the opacity of parametric DESs, which lays a foundation for the opacity analysis of complex systems.

Formal Languages and Automata Theory,Systems and Control

Shoma Matsui,Kai Cai,Karen Rudie

2024-02-14

Abstract:In this paper, we study a security problem of protecting secrets in distributed systems. Specifically, we employ discrete-event systems to describe the structure and behaviour of distributed systems, in which global secret information is separated into pieces and stored in local component agents. The goal is to prevent such secrets from being exposed to intruders by imposing appropriate protection measures. This problem is formulated as to ensure that at least one piece of every distributed global secret is secured by a required number of protections, while the overall cost to apply protections is minimum. We first characterize the solvability of this security problem by providing a necessary and sufficient condition, and then develop an algorithm to compute a solution based on the supervisory control theory of discrete-event systems. Finally, we illustrate the effectiveness of our solution with an example system comprising distributed databases.

Systems and Control

Ruochen Tai,Liyong Lin,Yuting Zhu,Rong Su

DOI: https://doi.org/10.48550/arXiv.2104.04299

2021-04-09

Systems and Control

Abstract:This paper investigates the problem of co-synthesis of edit function and supervisor for opacity enforcement in the supervisory control of discrete-event systems (DES), assuming the presence of an external (passive) intruder, where the following goals need to be achieved: 1) the external intruder should never infer the system secret, i.e., the system is opaque, and never be sure about the existence of the edit function, i.e., the edit function remains covert; 2) the controlled plant behaviors should satisfy some safety and nonblockingness requirements, in the presence of the edit function. We focus on the class of edit functions that satisfy the following properties: 1) the observation capability of the edit function in general can be different from those of the supervisor and the intruder; 2) the edit function can implement insertion, deletion, and replacement operations; 3) the edit function performs bounded edit operations, i.e., the length of each string output of the edit function is upper bounded by a given constant. We propose an approach to solve this co-synthesis problem by modeling it as a distributed supervisor synthesis problem in the Ramadge-Wonham supervisory control framework. By taking the special structure of this distributed supervisor synthesis problem into consideration and to improve the possibility of finding a non-empty distributed supervisor, we propose two novel synthesis heuristics that incrementally synthesize the supervisor and the edit function. The effectiveness of our approach is illustrated on an example in the enforcement of the location privacy.

Bohan Cui,Xiang Yin,Shaoyuan Li,Alessandro Giua

DOI: https://doi.org/10.1016/j.ifacol.2022.10.335

2022-01-01

Abstract:In this paper, we investigate a class of information-flow security properties called opacity in partial-observed discrete-event systems. Roughly speaking, a system is said to be opaque if the intruder, which is modeled by a passive observer, can never determine the “secret” of the system for sure. Most of the existing notions of opacity consider secrets related to the actual behaviors of the system. In this paper, we consider a new type of secret related to the knowledge of the system user. Specifically, we assume that the system user also only has partial observation of the system and has to reason the actual behavior of the system. We say a system is high-order opaque if the intruder can never determine that the system user knows some information of importance based on its own incomparable information. We provide the formal definition of high-order opacity. Two algorithms are provided for the verification of this new notion: one with doubly-exponential complexity for the worst case and the other with single-exponential complexity. Illustrative examples are provided for the new notion of high-order opacity.

Ziteng Yang,Xiang Yin,Shaoyuan Li

DOI: https://doi.org/10.1016/j.ifacol.2020.12.2318

2020-01-01

Abstract:In this paper, we investigate the supervisory control problem for timed discrete-event systems (TDES) under partial observation. In the timed setting, the system consists of both standard logical events and time event, where the former can be disabled directly by the supervisor if it is controllable while the latter can only be preempted by forcing the occurrences of forcible events. We consider a general control mechanism where the supervisor can choose which events to force dynamically online at each instant. The design objective is to synthesize a maximally-permissive supervisor to restrict the behavior of the system such that the closed-loop language is within a safe specification language. Effective procedure is presented to synthesize such a supervisor. To our knowledge, how to synthesize a maximally-permissive partial-observation supervisor has not been solved for timed DES. We provide a solution to this problem under a general control mechanism.

Achour, Z.,Rezg, N.,Xie, X.

DOI: https://doi.org/10.1109/ICNSC.2004.1297521

2004-01-01

Abstract:In this paper, we propose a control policy for discrete event systems based on a structural approach. The proposed method allows to solve the forbidden state problems characterized by a set of general mutual exclusion constraints (GMEC) with of unobservable events. We propose a supervisory control approach based on two steps: observation and control. The proposed approach is illustrated on a real example.

Xiang Yin

DOI: https://doi.org/10.48550/arXiv.1903.11413

2019-03-27

Abstract:This article considers state estimation and veri cation problems for an important class of man-made cyber-physical systems called Discrete-Event Systems (DES).

Systems and Control

Yang Yu,Yuan

DOI: https://doi.org/10.1002/rnc.6563

IF: 3.8973

2023-01-01

International Journal of Robust and Nonlinear Control

Abstract:In this article, the estimation problem is investigated for a class of continuous-time networked nonlinear systems under both deception attacks and external disturbances. A novel adaptive extended state observer is adopted to estimate the states and disturbance under random deception attacks. The dynamic event-triggered mechanism (ETM) is adopted so as to save the communication resource. Meanwhile, the inter-sample output predictor is proposed to estimate the state between two consecutive triggering instants. The main purpose of the addressed problem is to design the adaptive gain parameters of the novel extended state observer such that the estimation error dynamics is mean-square exponentially bounded stable. Sufficient conditions are first established to ensure the existence of the desired adaptive extended state observer. In addition, it is proven that the Zeno behavior can be avoided when the dynamic ETM is utilized. Finally, a simulation example is provided to verify the effectiveness of the proposed design method.

Xiaoshan Wang,Tan F. Wong

2023-12-02

Abstract:This paper presents a privacy-preserving event detection scheme based on measurements made by a network of sensors. A diameter-like decision statistic made up of the marginal types of the measurements observed by the sensors is employed. The proposed detection scheme can achieve the best type-I error exponent as the type-II error rate is required to be negligible. Detection performance with finite-length observations is also demonstrated through a simulation example of spectrum sensing. Privacy protection is achieved by obfuscating the type data with random zero-modulo-sum numbers that are generated and distributed via the exchange of encrypted messages among the sensors. The privacy-preserving performance against ``honest but curious'' adversaries, including colluding sensors, the fusion center, and external eavesdroppers, is analyzed through a series of cryptographic games. It is shown that the probability that any probabilistic polynomial time adversary successfully estimates the sensors' measured types can not be much better than independent guessing, when there are at least two non-colluding sensors.

Information Theory

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/infcomw.2011.5928777

2011-01-01

Abstract:Language-based information flow security aims to decide whether an action-observable program can unintentionally leak confidential information if it has the authority to access confidential data. Recent concerns about declassification polices have provided many choices for practical intended information release, but more precise enforcement mechanism for these policies is insufficiently studied. In this paper, we propose a security property on the where-dimension of declassification and present an enforcement based on automated verification. The approach automatically transforms the abstract model with a variant of self-composition, and checks the reachability of illegal-flow state of the model after transformation. The self-composition is equipped with a store-match pattern to reduce the state space and to model the equivalence of declassified expressions in the premise of property. The evaluation shows that our approach is more precise than type-based enforcement.