Xiang Yin,Majid Zamani,Siyuan Liu

DOI: https://doi.org/10.1109/tac.2020.2998733

IF: 6.549

2021-04-01

IEEE Transactions on Automatic Control

Abstract:Opacity is an important information-flow security property in the analysis of cyber-physical systems. It captures the plausible deniability of the system's secret behavior in the presence of an intruder that may access the information flow. Existing works on opacity only consider nonmetric systems by assuming that the intruder can always distinguish between two different outputs precisely. In this article, we extend the concept of opacity to systems whose output sets are equipped with metrics. Such systems are widely used in the modeling of many real-world systems whose measurements are physical signals. A new concept called approximate opacity is proposed in order to quantitatively evaluate the security guarantee level with respect to the measurement precision of the intruder. Then, we propose a new simulation-type relation, called approximate opacity-preserving simulation relation, which characterizes how close two systems are in terms of the satisfaction of approximate opacity. This allows us to verify approximate opacity for large-scale, or even infinite, systems using their abstractions. We also discuss how to construct approximate opacity-preserving symbolic models for a class of discrete-time control systems. Our results extend the definitions and analysis techniques for opacity from nonmetric systems to metric systems.

automation & control systems,engineering, electrical & electronic

Chunyan Mu,Jun Pang

2023-10-04

Abstract:In multiagent systems (MASs), agents' observation upon system behaviours may improve the overall team performance, but may also leak sensitive information to an observer. A quantified observability analysis can thus be useful to assist decision-making in MASs by operators seeking to optimise the relationship between performance effectiveness and information exposure through observations in practice. This paper presents a novel approach to quantitatively analysing the observability properties in MASs. The concept of opacity is applied to formally express the characterisation of observability in MASs modelled as partially observable multiagent systems. We propose a temporal logic oPATL to reason about agents' observability with quantitative goals, which capture the probability of information transparency of system behaviours to an observer, and develop verification techniques for quantitatively analysing such properties. We implement the approach as an extension of the PRISM model checker, and illustrate its applicability via several examples.

Artificial Intelligence,Multiagent Systems

Siyuan Liu,Xiang Yin,Dimos V. Dimarogonas,Majid Zamani

2024-01-04

Abstract:This paper investigates an important class of information-flow security property called opacity for stochastic control systems. Opacity captures whether a system's secret behavior (a subset of the system's behavior that is considered to be critical) can be kept from outside observers. Existing works on opacity for control systems only provide a binary characterization of the system's security level by determining whether the system is opaque or not. In this work, we introduce a quantifiable measure of opacity that considers the likelihood of satisfying opacity for stochastic control systems modeled as general Markov decision processes (gMDPs). We also propose verification methods tailored to the new notions of opacity for finite gMDPs by using value iteration techniques. Then, a new notion called approximate opacity-preserving stochastic simulation relation is proposed, which captures the distance between two systems' behaviors in terms of preserving opacity. Based on this new system relation, we show that one can verify opacity for stochastic control systems using their abstractions (modeled as finite gMDPs). We also discuss how to construct such abstractions for a class of gMDPs under certain stability conditions.

Systems and Control

Sahar Mohajerani,Stephane Lafortune

DOI: https://doi.org/10.48550/arXiv.1904.06242

2019-05-13

Abstract:We consider the verification of current-state and K-step opacity for systems modeled as interacting non-deterministic finite-state automata. We describe a new methodology for compositional opacity verification that employs abstraction, in the form of a notion called opaque observation equivalence, and that leverages existing compositional nonblocking verification algorithms. The compositional approach is based on a transformation of the system, where the transformed system is nonblocking if and only if the original one is current-state opaque. Furthermore, we prove that $K$-step opacity can also be inferred if the transformed system is nonblocking. We provide experimental results where current-state opacity is verified efficiently for a large scaled-up system.

Logic in Computer Science,Formal Languages and Automata Theory

Xiaoyan Li,Christoforos N. Hadjicostis,Zhiwu Li

2023-10-18

Abstract:Opacity is a property that captures security concerns in cyber-physical systems and its verification plays a significant role. This paper investigates the verifications of K-step and infinite-step weak and strong opacity for partially observed nondeterministic finite state automata. K-step weak opacity is checked by constructing, for some states in the observer, appropriate state-trees, to propose a necessary and sufficient condition. Based on the relation between K-step weak and infinite-step weak opacity, a condition that determines when a system is not infinite-step weak opaque is presented. Regarding K-step and infinite-step strong opacity, we develop a secret-involved projected automaton, based on which we construct secret-unvisited state trees to derive a necessary and sufficient condition for K-step strong opacity. Furthermore, an algorithm is reported to compute a verifier that can be used to obtain a necessary and sufficient condition for infinite-step strong opacity. It is argued that, in some particular cases, the proposed methods achieve reduced complexity compared with the state of the art.

Formal Languages and Automata Theory

Wei Duan,Ruotian Liu,Maria Pia Fanti,Christoforos N. Hadjicostis,Zhiwu Li

2024-10-11

Abstract:As an information-flow privacy property, opacity characterizes whether a malicious external observer (referred to as an intruder) is able to infer the secret behavior of a system. This paper addresses the problem of opacity enforcement using edit functions in discrete event systems modeled by partially observed deterministic finite automata. A defender uses the edit function as an interface at the output of a system to manipulate actual observations through insertion, substitution, and deletion operations so that the intruder will be prevented from inferring the secret behavior of the system. Unlike existing work which usually assumes that the observation capabilities of the intruder and the defender are identical, we consider a more general setting where they may observe incomparable subsets of events generated by the <a class="link-external link-http" href="http://system.To" rel="external noopener nofollow">this http URL</a> characterize whether the defender has the ability to enforce opacity of the system under this setting, the notion of \emph{$ic$-enforceability} is introduced. Then, the opacity enforcement problem is transformed to a two-player game, with imperfect information between the system and the defender, which can be used to determine a feasible decision-making strategy for the defender. Within the game scheme, an edit mechanism is constructed to enumerate all feasible edit actions following system behavior. We further show that an $ic$-enforcing edit function (if one exists) can be synthesized from the edit mechanism to enforce opacity.

Formal Languages and Automata Theory,Systems and Control

Tareq Ahmad Al-Sarayrah,Zhiwu Li,Li Yin,Almetwally M. Mostafa

DOI: https://doi.org/10.1109/access.2024.3413070

IF: 3.9

2024-06-21

IEEE Access

Abstract:In the context of extended probabilistic automata, this study focuses on an information flow property, called opacity, of discrete event systems. The achievement of this research is the formulation and in-depth analysis of what is termed sequential k-opacity. This metric, through its detailed assessment, marks an explicit and visible advancement beyond the existing paradigms for measuring system opacity. It introduces an improved method for analyzing the probability of event sequences leading to confidential states within a system. An approach of such a comprehensive nature is essential for a detailed analysis of opacity in systems typified by deterministic and stochastic elements. Furthermore, this work incorporates a numerical case study that provides a baseline for further investigations in practical applications, thereby validating the proposed framework's usefulness. The research progresses to explore novel approaches to the reinforcement and persistence of system opacity within extended probabilistic automata. Among these approaches, the strategic use of fake events is critical as it is a fundamental tool for enhancing system security and secrecy, which plays an important role in protecting sensitive and secret data by effectively hiding the real status of the system from outside inspection.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sumukha Udupa,Jie Fu

2024-10-08

Abstract:Qualitative opacity of a secret is a security property, which means that a system trajectory satisfying the secret is observation-equivalent to a trajectory violating the secret. In this paper, we study how to synthesize a control policy that maximizes the probability of a secret being made opaque against an eavesdropping attacker/observer, while subject to other task performance constraints. In contrast to existing belief-based approach for opacity-enforcement, we develop an approach that uses the observation function, the secret, and the model of the dynamical systems to construct a so-called opaque-observations automaton which accepts the exact set of observations that enforce opacity. Leveraging this opaque-observations automaton, we can reduce the optimal planning in Markov decision processes(MDPs) for maximizing probabilistic opacity or its dual notion, transparency, subject to task constraints into a constrained planning problem over an augmented-state MDP. Finally, we illustrate the effectiveness of the developed methods in robot motion planning problems with opacity or transparency requirements.

Formal Languages and Automata Theory

Weiwei Han,Yi Li,Zhipeng Zhang,Chengyi Xia

DOI: https://doi.org/10.1016/j.ins.2023.119130

IF: 8.1

2023-05-12

Information Sciences

Abstract:Finite-state machines are among the most important models for studying the logic dynamic behavior of cyber–physical systems, and their security and privacy are urgent problems to be solved at present. This paper explores state-opacity-based privacy verification and synthesis problems for finite-state machines from an algebraic perspective. First, the dynamics of a finite-state machine can be established as an algebraic expression using the semi-tensor product of matrices. Beginning with this novel representation, we propose an algebraic criterion to verify whether the privacy state is opaque to intruders. Subsequently, we investigate the opacity-enhancement synthesis problem from two perspectives. On one hand, we design a feedback supervisory controller by disabling controllable events such that the closed-loop system is opaque with respect to privacy states; on the other hand, we investigate the editing of an observable function simply by assigning specific events in the observation channel instead of changing the transition behavior of the system. We observe that these synthesis problems can be addressed by calculating a system of algebraic equations, and we further develop two algorithms to obtain the controller or function. Finally, an interesting example is presented to demonstrate the validity of the proposed algebraic method. Taken together, these results are conducive to a systematic understanding of privacy enhancement problems.

computer science, information systems

Xiaoguang Han,Kuize Zhang,Zhiwu Li

2024-01-19

Abstract:In this paper, we investigate the verification and enforcement of strong state-based opacity (SBO) in discrete-event systems modeled as partially-observed (nondeterministic) finite-state automata, including strong K-step opacity (K-SSO), strong current-state opacity (SCSO), strong initial-state opacity (SISO), and strong infinite-step opacity (Inf-SSO). They are stronger versions of four widely-studied standard opacity notions, respectively. We firstly propose a new notion of K-SSO, and then we construct a concurrent-composition structure that is a variant of our previously-proposed one to verify it. Based on this structure, a verification algorithm for the proposed notion of K-SSO is designed. Also, an upper bound on K in the proposed K-SSO is derived. Secondly, we propose a distinctive opacity-enforcement mechanism that has better scalability than the existing ones (such as supervisory control). The basic philosophy of this new mechanism is choosing a subset of controllable transitions to disable before an original system starts to run in order to cut off all its runs that violate a notion of strong SBO of interest. Accordingly, the algorithms for enforcing the above-mentioned four notions of strong SBO are designed using the proposed two concurrent-composition structures. In particular, the designed algorithm for enforcing Inf-SSO has lower time complexity than the existing one in the literature, and does not depend on any assumption. Finally, we illustrate the applications of the designed algorithms using examples.

Formal Languages and Automata Theory

Huawei Xie,Jing Liu,Na Li

DOI: https://doi.org/10.1093/comjnl/bxae077

2024-08-23

The Computer Journal

Abstract:Abstract Opacity is an important system property that is particularly relevant in the context of system security and privacy. A system is considered opaque if the predefined secret behavior of the system is not leaked to an external intruder. In this work, the opacity property is studied in the framework of labeled Petri nets (LPNs). The secret in an LPN system is characterized by a subset of reachable markings. Firstly, an opacity basis reachability graph (OBRG) containing opacity information of the system is developed to denote a system’s reachability set without computing all reachable states. Then the observer of the OBRG is computed, based on which a necessary and sufficient condition is derived to verify the opacity of the LPN system. Finally, given an LPN that does not satisfy the opacity, a maximally permissive supervisor is introduced to guarantee that the controlled system is opaque.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Dong Li,Li Yin,Jianzhou Wang,Naiqi Wu

DOI: https://doi.org/10.1016/j.ins.2022.09.030

IF: 8.1

2022-10-01

Information Sciences

Abstract:We investigate the quantitative current-state opacity problem with resource constraints in the framework of probabilistic resource automata which is partially observed. Resource information states and event payoffs capture the variations of a resource that can be consumed or replenished during a system evolution. There are a number of ways to quantify opacity in discrete event systems, but these quantification methods have certain limitations. This research mitigates this restriction by extending current-state opacity and step-based almost current-state opacity formulations to probabilistic resource automata under partial observation with payoff constraints. We define game current-state opacity with an aim of offering a quantitative measure for opacity. We also construct a game current-state analyzer for the verification of game current-state opacity and prove the decidability of verifying the game current-state opacity problem.

computer science, information systems

Xiaoyan Li,Christoforos N. Hadjicostis,Zhiwu Li

DOI: https://doi.org/10.1109/tac.2021.3121249

IF: 6.549

2021-01-01

IEEE Transactions on Automatic Control

Abstract:Opacity is a confidentiality property that holds if certain secret behavior of a system, typically represented by a predicate, cannot be revealed under any system evolution. Among other proposed methodologies, when opacity is violated, it can be enforced using insertion mechanisms, i.e., by inserting symbols before an actual system output (in real time as the system evolves) in order to replace observation sequences that lead to opacity violations with observation sequences that can be generated by system behavior that does not violate opacity. This article focuses on opacity enforcement in discrete-event systems modeled with finite-state automata and proposes an extended insertion mechanism that can enforce opacity in a practical manner to a wide class of systems by inserting symbols before and after an actual system output. This article also introduces event insertion constraints that require only certain specific symbols to be inserted before and after an actual system output. For each case, we obtain a necessary and sufficient condition (based on the construction of an appropriate verifier) for opacity enforceability using the proposed extended insertion mechanism and devise a pertinent extended insertion strategy.

automation & control systems,engineering, electrical & electronic

Jiří Balun,Tomáš Masopust,Petr Osička

2023-04-20

Abstract:Opacity is a property of privacy and security applications asking whether, given a system model, a passive intruder that makes online observations of system's behaviour can ascertain some "secret" information of the system. Deciding opacity is a PSpace-complete problem, and hence there are no polynomial-time algorithms to verify opacity under the assumption that PSpace differs from PTime. This assumption, however, gives rise to a question whether the existing exponential-time algorithms are the best possible or whether there are faster, sub-exponential-time algorithms. We show that under the (Strong) Exponential Time Hypothesis, there are no algorithms that would be significantly faster than the existing algorithms. As a by-product, we obtained a new conditional lower bound on the time complexity of deciding universality (and therefore also inclusion and equivalence) for nondeterministic finite automata.

Formal Languages and Automata Theory,Systems and Control

Zhenzhong Liu

DOI: https://doi.org/10.1109/access.2024.3390774

IF: 3.9

2024-04-27

IEEE Access

Abstract:Opacity is an essential security indicator in archive systems. There exists a set of secret states and an external intruder who can observe the behavior of the system in the archive system. The intruder can steal private information by observing the behavior of the system. The system is said to be -step opaque when the intruder cannot confirm whether the system has been in a secret state at any time, within the observation of events. In the case where an intruder can never be sure whether the system has ever been in a secret state, the system is referred to be infinite-step opaque. To be realistic, we consider an archive system modeled as a bounded labeled Petri net, and propose an algorithm for constructing a modified state estimator to increase the security of the archive system. Our aim is to verify the two types of opacity of the system by the observer and the modified state estimator. Our new algorithm improves the security of the system so that an intruder cannot easily know whether the system is in a secret state or not, which also improves the previously-known results.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaoyan Li,Christoforos N. Hadjicostis,Zhiwu Li

DOI: https://doi.org/10.1109/tac.2023.3239433

IF: 6.549

2023-01-01

IEEE Transactions on Automatic Control

Abstract:Opacity is a confidentiality property capturing the fact that certain secret behavior of a system cannot be revealed under any system evolution. Current-state opacity can be enforced by using an extended insertion mechanism, which is capable of inserting fake symbols before and after an actual output, in real time as the system evolves. This paper studies the enforcement of current-state opacity for systems modeled by finite state automata using an extended insertion strategy under constraints on the way symbols can be inserted before and after an actual symbol generated by the system (e.g., constraints on the type, order, and number of inserted symbols). More specifically, we consider inserted language constraints captured by the notion of $(L_{b},L_{a})$-enforceability, where $L_{b}$ is the set of strings that can be inserted before, and $L_{a}$ is the set of strings that can be inserted after an observed event. If $L_{b}$ and $L_{a}$ are regular languages, a verifier is constructed to derive a necessary and sufficient condition for opacity enforceability, and also to formulate an extended insertion strategy (if viable).

automation & control systems,engineering, electrical & electronic

Yifan Xie,Xiang Yin,Shaoyuan Li

DOI: https://doi.org/10.48550/arXiv.2102.01402

2021-02-02

Abstract:In this paper, we investigate both qualitative and quantitative synthesis of optimal privacy-enforcing supervisors for partially-observed discrete-event systems. We consider a dynamic system whose information-flow is partially available to an intruder, which is modeled as a passive observer. We assume that the system has a "secret" that does not want to be revealed to the intruder. Our goal is to synthesize a supervisor that controls the system in a least-restrictive manner such that the closed-loop system meets the privacy requirement. For the qualitative case, we adopt the notion of infinite-step opacity as the privacy specification by requiring that the intruder can never determine for sure that the system is/was at a secret state for any specific instant. If the qualitative synthesis problem is not solvable or the synthesized solution is too restrictive, then we further investigate the quantitative synthesis problem so that the secret is revealed (if unavoidable) as late as possible. Effective algorithms are provided to solve both the qualitative and quantitative synthesis problems. Specifically, by building suitable information structures that involve information delays, we show that the optimal qualitative synthesis problem can be solved as a safety-game. The optimal quantitative synthesis problem can also be solved as an optimal total-cost control problem over an augmented information structure. Our work provides a complete solution to the standard infinite-step opacity control problem, which has not been solved without assumption on the relationship between controllable events and observable events. Furthermore, we generalize the opacity enforcement problem to the numerical setting by introducing the secret-revelation-time as a new quantitative measure.

Systems and Control

Zhipeng Zhang,Chengyi Xia,Guoyuan Qi,Jun Fu

DOI: https://doi.org/10.1007/s11432-023-4041-6

2024-10-26

Science China Information Sciences

Abstract:Opacity is a central concept in the issue of privacy security and has been studied extensively in fields such as finite automata, probabilistic automata, and stochastic automata. Here, we investigate the problem of validating multi-step opaque properties through unambiguous weighted machines from the perspective of cyber-physical systems. First, the notion of multi-step state-based opacity for unambiguous weighted machines is presented and defined. It includes two variants of delays with a finite K and infinite steps. Subsequently, the weighted state estimate with K (infinite)-step delay is established by abstracting the possible state set that the system could have through these weighted observations. Meanwhile, to keep the observable weighted sequence consistent between the bidirectional observers, the unobserved weights of the reverse weighted machine are assumed to be reserved. Subsequently, the existence conditions are developed, and the corresponding algorithms, termed the weighted bidirectional observer, are generalized to verify these properties. Finally, several numerical examples are illustrated to demonstrate the effectiveness of the proposed method. Taken together, the current approach will be conducive to a deep understanding of the security and privacy of cyber-physical systems.

computer science, information systems,engineering, electrical & electronic

Weilin Deng,Daowen Qiu,Jingkai Yang

2023-07-08

Abstract:Finite automata (FAs) model is a popular tool to characterize discrete event systems (DESs) due to its succinctness. However, for some complex systems, it is difficult to describe the necessary details by means of FAs model. In this paper, we consider a kind of extended finite automata (EFAs) in which each transition carries a predicate over state and event parameters. We also consider a type of simplified EFAs, called Event-Parameters EFAs (EP-EFAs), where the state parameters are removed. Based upon these two parametric models, we investigate the problem of opacity analysis for parametric DESs. First of all, it is shown that EFAs model is more expressive than EP-EFAs model. Secondly, it is proved that the opacity properties for EFAs are undecidable in general. Moreover, the decidable opacity properties for EP-EFAs are investigated. We present the verification algorithms for current-state opacity, initial-state opacity and infinite-step opacity, and then discuss the complexity. This paper establishes a preliminary theory for the opacity of parametric DESs, which lays a foundation for the opacity analysis of complex systems.

Formal Languages and Automata Theory,Systems and Control

Thomas A. Henzinger,Nicolas Mazzocchi,N. Ege Saraç

DOI: https://doi.org/10.48550/arXiv.2301.11175

2023-07-22

Abstract:Safety and liveness are elementary concepts of computation, and the foundation of many verification paradigms. The safety-liveness classification of boolean properties characterizes whether a given property can be falsified by observing a finite prefix of an infinite computation trace (always for safety, never for liveness). In quantitative specification and verification, properties assign not truth values, but quantitative values to infinite traces (e.g., a cost, or the distance to a boolean property). We introduce quantitative safety and liveness, and we prove that our definitions induce conservative quantitative generalizations of both (1)~the safety-progress hierarchy of boolean properties and (2)~the safety-liveness decomposition of boolean properties. In particular, we show that every quantitative property can be written as the pointwise minimum of a quantitative safety property and a quantitative liveness property. Consequently, like boolean properties, also quantitative properties can be $\min$-decomposed into safety and liveness parts, or alternatively, $\max$-decomposed into co-safety and co-liveness parts. Moreover, quantitative properties can be approximated naturally. We prove that every quantitative property that has both safe and co-safe approximations can be monitored arbitrarily precisely by a monitor that uses only a finite number of states.

Logic in Computer Science