One of the major challenges in cyber-physical systems is how to prevent cyber attacks in order to ensure system integrity. A large number of different attack types have been discussed in the control and computer science communities. In this paper we investigate one special type of attack in the discrete-event system framework, where an attacker intercepts sensor readings from a target system and arbitrarily alters them in order to trick a given supervisor into issuing control commands improperly, driving the system to an undesirable state. We first consider the cyber attack problem from the attacker's point of view and formulate the attack with bounded sensor reading alterations (ABSRA) problem. We then show that the supremal (or least restrictive) ABSRA exists and can be synthesized, as long as the plant model and the supervisor model are regular, i.e., representable by finite-state automata.
under partial observations. Then we show that the supremal (or least restrictive) ABSRA exists and is computable via a specific synthesis algorithm, as long as both the plant model G and the given supervisor S are finitely representable. Building on this ABSRA synthesis algorithm, we present a supervisor synthesis algorithm which ensures that a nonempty synthesized supervisor is "robust" to any ABSRA, in the sense that such an attack will either reveal itself to the supervisor through abnormal system executions (so that proper contingent actions can be taken by the supervisor, which is nevertheless outside the scope of this paper) or will not be able to lead the system to a bad state (i.e., no damage will be inflicted).
Our construction of an ABSRA model as a transducer is inspired by recent work on opacity enforcement [14], which uses observable event insertions to prevent a potential attacker from correctly determining the actual state of a target system. Because the objectives of the two works differ, the modeling details and synthesis algorithms are completely different.
There have been some works on cyber attack detection and prevention in the discrete-event community [15] [16] [17], mainly from an adaptive fault-tolerant control point of view; they rely heavily on real-time fault diagnosis to identify the existence of an attack and then take the necessary robust or adaptive supervisory control actions. In those works the intelligence of the attacker is not considered, and an attack is treated as a fault. In contrast, we do not rely on real-time attack detection but on prior knowledge of attack models, and we build attack-robustness features directly into the supervisor so that no ABSRA can affect it unnoticed. It is this robust-control nature that distinguishes our work from existing DES-based cyber attack detection and prevention approaches, which fall in the adaptive-control domain.
The remainder of the paper is organized as follows. In Section II we review the basic concepts and operations of discrete-event systems and formulate an ABSRA synthesis problem, which is then solved in Section III, where we show that the supremal ABSRA exists and is computable. In Section IV we present an algorithm to synthesize a supervisor that is robust to any ABSRA.
A simple yet realistic example runs through the entire paper to illustrate all relevant concepts and algorithms. Conclusions are drawn in Section V.

In this section we first recall some standard concepts used in the Ramadge-Wonham supervisory control paradigm. Then we introduce the concept of ABSRA, followed by a concrete ABSRA synthesis algorithm, which reveals that the supremal ABSRA is computable, as long as both the plant model and the given supervisor are regular.
A. Preliminaries on supervisory control
Given an arbitrary finite alphabet Σ, let Σ * be the free monoid with the empty string being the unit element and the string concatenation being the monoid operation. Given two strings s, t ∈ Σ * , s is called a prefix substring of t, written as s ≤ t, if there exists u ∈ Σ * such that su = t, where su denotes the concatenation of s and u. Any subset L ⊆ Σ * is called a language.
Given a language L ⊆ Σ * , P (L) := {P (s) ∈ Σ * |s ∈ L}. The inverse image mapping of P is
We assume that the marker state set X m is partitioned into two disjoint sets
is the set of desirable states and X b,m denotes the set of bad states.
We now recall the concept of supervisors. Let Σ = Σ_c ∪ Σ_uc = Σ_o ∪ Σ_uo, where the disjoint sets Σ_c and Σ_uc (respectively Σ_o and Σ_uo) denote the controllable and uncontrollable (respectively observable and unobservable) events. Let Γ := {γ ⊆ Σ | Σ_uc ⊆ γ} be the collection of all control patterns. A (feasible) supervisory control map of G under partial observation
For each s ∈ L(G), V(s) is interpreted as the set of events allowed to be fired after s. Thus, a supervisory control map never disables an uncontrollable event, and it imposes the same control pattern after strings that cannot be distinguished based on their observations. Let V/G denote the closed-loop system of G under supervision of V, i.e.,
The control map V is finitely representable if V /G can be denoted by a finite-state automaton,
It has been shown that, as long as a closed-loop language K ⊆ L m (G) is controllable [4] and observable [2] , there always exists a finitely-representable supervisory control map V such that
From now on we assume that V /G is finitely representable by S, which is called a supervisor. We assume that S is legal in the sense that 
B. A sensor attack model
We assume that an attacker can intercept each observable event generated by the plant G and replace it by a sequence of observable events from Σ_o in order to "fool" the given supervisor S, whose function is known to the attacker. Since in practice any event occurrence
takes a non-negligible amount of time, it is impossible for an attacker to insert an arbitrarily long observable sequence in place of a received observable event. For this reason, we assume that there exists a known natural number n ∈ N such that the length of any observable sequence the attacker can insert is at most n. Let ∆_n := {s ∈ Σ_o^* | |s| ≤ n} be the set of all such bounded observable sequences, where |s| denotes the length of s and, by convention, the empty string has length 0. We model a sensor attack as a finite-state transducer
where Y is the state set, Σ the input alphabet, ∆_n the output alphabet, y_0 the initial state, Y_m the marker state set, which is specifically set as Y_m = Y, and η : Y × Σ × ∆_n → Y the (partial) transition map, where for all σ ∈ Σ_uo and y ∈ Y, η(y, σ, ε) = y with ε the empty string, i.e., at each state y all unobservable events are self-looped with the empty string as output. This is natural because an attacker can only observe observable events and thus makes no move upon an unobservable event. We nevertheless keep unobservable events in the model to simplify the subsequent technical development.
n be the input and output maps, respectively, where for each µ = (
The basic procedure of an attack is to intercept every single observable event σ ∈ Σ_o generated by the plant G, replace it with some observable string u ∈ ∆_n, and send u to the supervisor S, in order to trick S into issuing a control command γ ∈ Γ that may drive the plant G towards a bad marker state. This attack procedure is depicted in Figure 1. The sequential composition of the attack A and the supervisor S essentially forms a new supervisor, denoted A • S, which receives an observable output σ ∈ Σ_o and generates a control command γ ∈ Γ. The exact definition of this new supervisor, given below, reveals the nature of the attack. The sequential composition of A and S is a deterministic finite-state transducer
, where d denotes the deadlocking dump state, and for each 
Thus, every transition into the dump state d may potentially reveal the attack and, for an intelligent attack, should be avoided.
The impact of A on the closed-loop system (G, S) is captured by the composition of the plant G and the new supervisor A • S, i.e.,
is also a transducer, and it is not difficult to check that
where "=" is in the sense of DES-isomorphism, and Prefix(·) denotes a function mapping one transducer to another transducer by simply marking every state. In other words, if A is an attack model for the system (G, S),
is also an attack model, which has the same attack effect as that of
we call Â a canonical attack with respect to (G, S). Since for any attack there exists a canonical attack with the same attack effect, from now on we focus on canonical attacks only. On the other hand, we will see that A is usually structurally simpler than its canonical counterpart Â, whereas the latter is easier to
compute. An interesting question is how to synthesize a simplified attack model A from a given canonical attack model Â; this bears some similarity to the problem of supervisor reduction [8] and will be addressed in our future work.
To illustrate the aforementioned concepts, let us go through the simple single-tank example depicted in Figure 2, which consists of one water supply source with supply rate q_i, one tank, and one control valve at the bottom of the tank that controls the outgoing flow rate q_o, whose value depends on the valve opening and the water level h. To simplify the illustration we assume that the valve can only be fully open or fully closed, and that when it is fully open the water level h can only go down. The water level h is measured, and its value triggers predefined events denoting the water level: low (h=L), medium (h=M), high (h=H), and extremely high (h=EH). A simple discrete-event model of the system is depicted in Figure 3, where the valve events are controllable and all water level events are uncontrollable. In the model a shaded oval denotes a marker state, i.e., state 5 and state 9 in Figure 3. Assume that we do not want the water level to become extremely high, i.e., the event h=EH should not occur. Thus state 9 is a bad marker state, i.e., X_{d,m} = {5} and X_{b,m} = {9}. To prevent state 9 from being reached, we compose a requirement E, shown in Figure 4, whose alphabet is {h=L, h=M, h=H, h=EH} but in which the event h=EH is never allowed. A supervisor S can be synthesized using the standard Ramadge-Wonham supervisory control paradigm; it is also depicted in Figure 4. It is clear that the supervisor S only opens the valve when the water level is high, i.e., it disables the event q_o = 0 at state 6 once the event h=H has occurred. Intuition tells us that if an attack always changes the events h=M, h=H and h=EH to the event h=L, then the supervisor will not prevent the water level from reaching the extremely high level, i.e., the event h=EH will happen. For this reason we conjecture an attack model A, shown in Figure 5, in which every water level event is altered to h=L whereas all other events remain unchanged.
The sequential composition A • S indicates that, no matter which water level is reached, the attack A always sends h=L to the supervisor S, which tricks it into believing that it is safe to allow the valve to be either closed or opened. The impact of A on the closed-loop system (G, S) is depicted in Figure 6. By marking every state in G × (A • S) we obtain a canonical attack model Prefix(G × (A • S)).
Proof: By the above definition of sequential composition, the proposition follows.
Proposition 2: Given two attacks A 1 and A 2 with the same input alphabet Σ and output Proof: By the above definition of sequential composition, the proposition follows.
Given two attacks A_1 and A_2 with the same input alphabet Σ and output alphabet ∆_n, let A_1 ∪ A_2 be their union, which is a deterministic finite-state transducer. Then by the definition
, by the definition of the sequential composition, we know that µ ∈ L(A 1 ∪ A 2 ).
, which concludes the proof.
So far we have introduced a simple sensor attack model, and explained how this attack affects the closed-loop system. But we have not described what kind of sensor attacks can be considered intelligent. Next, we will introduce the concept of ABSRA.
C. An ABSRA model
o be the natural projection. An intelligent canonical attack needs to possess the following properties: 1) Its insertions must be covert to the given supervisor, i.e.,
namely the supervisor will not see any unexpected observable sequences from the attack.
2) Any of its insertion sequences may potentially cause damage to G, i.e.,
namely any sequence of insertions by the attack will cause G to reach some bad state eventually. A weaker version of this property is described below:
which says that the attack A tampers with the absolute correctness of the supervisor S, so that there is some possibility that the system reaches a bad marker state.
3) A • S forms a standard supervisor for the plant G that enforces normality [2] , i.e.,
and
which states that at each state the attack does not interfere with the event enablement decided by the supervisor, because we consider only sensor attacks, not actuator attacks.
We call a nonempty model A satisfying the aforementioned four properties (1)- (4) an Attack with Bounded Sensor Reading Alterations (ABSRA) of (G, S).
It is not difficult to check that the attack A shown in Figure 5 does not satisfy Property (1) because S cannot fire q o = 0 before h=L, but A can. Nevertheless, the sequential composition A • S satisfies all three properties, thus, is an ABSRA. By the aforementioned discussions, we know that the canonical attack model Prefix(G × (A • S)) is also an ABSRA.
Theorem 1: Given a plant G and a legal supervisor S, let {A i |i ∈ I} be a (possibly infinite) collection of ABSRA's with respect to (G, S). Then ∪ i∈I A i satisfies properties (1)-(4).
. We now verify that ∪ i∈I A i satisfies all four properties.
(a) Since for each i ∈ I, A i is an ABSRA, we have that
Thus, by Prop. 3 we have that
(b) In addition, we have that for each i ∈ I,
Thus, by Prop. 3 we have
(c) Since for each i ∈ I, we have
we get
The last property (4) can be easily checked. Thus, ∪ i∈I A i satisfies all four properties, and the theorem follows.
Theorem 1 only implies that the least restrictive (or supremal) attack language exists. It is not clear whether this supremal language is regular, i.e., whether it can be recognized by a finite-state transducer. Therefore, at this point the existence of the supremal ABSRA is still unknown. We now state the main problem of this paper.
Problem 1: Given a plant G and a legal supervisor S, design an ABSRA A.
In the next section we will show that the supremal attack language is regular, i.e., indeed the supremal ABSRA exists, and is computable.
III. SYNTHESIS OF AN ABSRA
We first recall the concepts of controllability [4] , and normality [2] . Because we deal with both finite-state automata and finite-state transducers, to make notations simple, we introduce a general purpose alphabet Λ, which can be either Λ = Σ or Λ = Σ × ∆ n , depending on a specific application context. Let Λ uc ⊆ Λ and Λ o ⊆ Λ be an uncontrollable alphabet and an observable alphabet respectively, where if
. When we mention a finite-state transitional structure G, we mean that G is either a finite-state automaton or a finite-state transducer.
Given a finite-state transitional structure G, whose alphabet is Λ, and a requirement E ⊆ Λ * , let
∩E|K is controllable w.r.t. G and Λ uc ∧ K is normal w.r.t. G and Λ o }.
By an argument similar to the one used in [4] , we can derive that the supremal controllable and normal sublanguage of L m (G) exists, denoted as supCN (G, E), such that for all K ∈ CN (G, E),
In our setup, an attack is able to arbitrarily alter an observable event. Thus, each event (σ, u) ∈ Σ × ∆_n is considered controllable, as the attack can always choose not to use this alteration.
Under this consideration, the uncontrollable alphabet Λ_uc is actually empty, so in the following attack model synthesis we do not explicitly require controllability. This may sound a bit unusual, because the plant G does have an uncontrollable alphabet Σ_uc: how do those uncontrollable events affect the attack model synthesis? If we check the properties of an ABSRA carefully, we see that Property (4) implicitly enforces controllability with respect to Σ_uc, because it requires the attack not to change the event enablement of the supervisor S at the current state; since the supervisor S by default ensures controllability with respect to Σ_uc, the attack model inherits it.
Assume that there exists Σ o,p ⊆ Σ o , which denotes a set of protected observable events that cannot be altered by an ABSRA, i.e., given an attack model A = (Y, Σ, ∆ n , η, θ, y 0 , Y m ), for all
We now undertake the following ABSRA synthesis procedure. 
Σ uo × { }, denoting all observable event alterations that the attack wants to consider.
4) Undertake the following iteration on
b) Check property (4) in the definition of ABSRA. If it holds, then go to Step 5).
Otherwise, set
and continue the iteration on k.
5) Output:
A * , which recognizes K k+1 .
Lemma 1: Procedure 1 terminates finitely.
Proof: Assume that E_0 is recognized by a transducer R_0, whose state set is W_0. Then K_1 is recognizable by a transducer, say R_1, whose state set is a subset of X × Y × Z × W_0. It is not difficult to check that for all µ, µ' ∈ K_1, if they hit the same state in R_1, then we know that
if and only if
In other words, µ ∈ E_1 if and only if µ' ∈ E_1. Thus, for each state in R_1, either all strings hitting that state are in E_1 or none of them are, namely E_1 is recognized by a sub-transducer R̂_1 of R_1. Suppose the state set of R̂_1 is
By the property of automaton composition, we know that there exists a transducer R 2 recognizing K 2 such that the state set
DES-isomorphic to a sub-transducer of R 1 . By using the same argument, we can check that each K k is recognized by a transducer, which is DES-isomorphic to a sub-transducer of R 1 . In addition, the state sets of those sub-transducers form a monotonic non-increasing sequence with respect to set inclusion. Thus, in a finite number of iterations, a fixed sub-transducer will be reached, whose language is K k . This means Procedure 1 must terminate finitely.
Lemma 2: Let K k and A * be computed in Procedure 1. Then
Proof: By the proof of Lemma 1 we know that A * is DES-isomorphic to the prefix closure of
Then by the definitions of sequential composition and transducer product, the lemma follows.
Theorem 2: A * obtained in Procedure 1 is the supremal ABSRA of (G, S).
Proof: (a) We first show that A * is an ABSRA, i.e., A * satisfies properties (1)-(4). It is clear that when the algorithm terminates, property (4) must hold. So we only focus on properties (1)-(3).
By the definition of A * and Prop. 1, we know that
By Lemma 2, we have
For the third property, by Lemma 2 we know that
by the definition of normality and the nonblocking property associated with a sub-transducer of
This concludes our proof that A * is an ABSRA.
(b) Next, we show that A* is the supremal ABSRA. Let Â be an ABSRA of the system.
. Due to the controllability of S and the assumption that Â is an ABSRA, i.e., it must satisfy property (4), it is easy to check that
) and Σ_uc. Since Â must satisfy Property (3), we know that
In addition, Â satisfies property (4). Thus, we can easily derive that
which concludes the proof of the theorem.
As an illustration, we apply Procedure 1 to the plant G shown in Figure 3 and the supervisor S shown in Figure 4. The sensor attack model A in Figure 5 is actually A_0 in Procedure 1, because all events in the model are observable. The composition
is shown in Figure 5. The outcome of G × (A_0 • S) is shown in Figure 6 and is isomorphic to G. This is not surprising, because any string in L(G) can potentially be extended to the bad marker state. The requirement E is simply the same as G × (A_0 • S). Clearly, K_k is recognizable by the transducer shown in Figure 7, which is almost the same as
except that the only marker state is the bad marker state, due to the requirement E. Since all that A* is the supremal ABSRA of (G, S).
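The following Python script is an added worked example, not code from the paper. It builds a constructed, simplified version of the single-tank models of Figures 3-5, forms the sequential composition A • S and the product G × (A • S) of Section II-B, checks the covertness and damage properties of Section II-C on the conjectured attack, and runs a full-observation version of Procedure 1 that prunes the product with A_0 to the supremal attack, including the protected-alphabet restriction Σ_{o,p} introduced above and used again in Section IV. The state names, the plant and supervisor structure, the valve event names qo=0 (close) and qo=1 (open), the bound n = 1, and the decision to alter only sensor events (commands pass through unchanged) are all assumptions of this example.

```python
"""Sensor-reading alteration attacks on a supervised DES (Section II-B, Procedure 1).
Added example, not the paper's code.  Plant G, supervisor S and the conjectured attack A
are a constructed simplification of Figures 3-5: state names, the valve events qo=0
(close) / qo=1 (open) and the level dynamics are assumptions matching the prose.  All
events are observable (as in the paper's example), so the attacker knows the product
state and normality is trivial; only sensor events are altered, never valve commands."""
from collections import deque
from itertools import product

LEVELS = ["h=L", "h=M", "h=H", "h=EH"]       # uncontrollable sensor events
SIGMA_UC = set(LEVELS)                       # qo=0 / qo=1 are controllable commands
UP = {"L": "M", "M": "H", "H": "EH"}         # level rises while the valve is closed
DOWN = {"L": "L", "M": "L", "H": "M"}        # level falls while the valve is open
DUMP = "d"                                   # deadlocking dump state of A o S

def tank_plant():
    """G as delta[state][event]; 'EH' is the bad marker state."""
    delta = {"EH": {}}
    for lv in ("L", "M", "H"):
        delta[lv] = {"qo=0": lv + "/c", "qo=1": lv + "/o"}   # pick a valve mode
        delta[lv + "/c"] = {"h=" + UP[lv]: UP[lv]}           # then report the new level
        delta[lv + "/o"] = {"h=" + DOWN[lv]: DOWN[lv]}
    return delta

def tank_supervisor():
    """S tracks the last reported level; closing (qo=0) is disabled once h=H was seen."""
    delta = {lv: {"h=" + l: l for l in "LMH"} for lv in "LMH"}
    for lv in "LMH":
        delta[lv]["qo=1"] = lv
        if lv != "H":
            delta[lv]["qo=0"] = lv
    return delta

def always_low():
    """Conjectured attack A (Figure 5): every level is reported as h=L.
    Format: A[y][sigma] = [(next_y, output_word), ...]; unlisted events pass through."""
    return {0: {lv: [(0, ("h=L",))] for lv in LEVELS}}

def all_alterations(n, protected=frozenset()):
    """A_0 of Procedure 1: a sensor event may become any word over the level events of
    length <= n (u = () deletes it) unless it lies in the protected alphabet Sigma_o,p."""
    words = [()] + [w for k in range(1, n + 1) for w in product(LEVELS, repeat=k)]
    return {0: {lv: [(0, (lv,))] if lv in protected else [(0, w) for w in words]
                for lv in LEVELS}}

def run(delta, state, word):
    """Run a deterministic automaton on a word; None if some event is undefined."""
    for e in word:
        state = delta.get(state, {}).get(e)
        if state is None:
            return None
    return state

def attacked_closed_loop(G, S, A, start=("L", 0, "L")):
    """Product G x (A o S) over states (x, y, z): every event G can fire and the deceived
    supervisor enables is rewritten by A to u; S follows u or falls into the dump state."""
    trans, todo, seen = {}, deque([start]), {start}
    while todo:
        x, y, z = st = todo.popleft()
        trans[st] = []
        if z == DUMP:
            continue
        for sig, x2 in G[x].items():
            if sig not in SIGMA_UC and sig not in S[z]:
                continue                          # command disabled by S: cannot fire
            for y2, u in A[y].get(sig, [(y, (sig,))]):
                z2 = run(S, z, u)
                nxt = (x2, y2, DUMP if z2 is None else z2)
                trans[st].append((sig, u, nxt))
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return trans

def is_covert(trans):       # property (1): S never receives a sequence it cannot follow
    return not any(s[2] == DUMP for s in trans)
def is_damaging(trans, bad):  # weak property (2): some bad plant state is reachable
    return any(s[0] in bad for s in trans)

def supremal_attack(G, S, n, bad, protected=frozenset(), start=("L", 0, "L")):
    """Procedure 1 for full observation: prune the product with A_0 until each surviving
    state keeps, for every event the plant may fire, one alteration whose target survives
    (covert) and can still reach a bad state (damaging).  {} means no ABSRA exists."""
    trans = attacked_closed_loop(G, S, all_alterations(n, protected), start)
    good = {s for s in trans if s[2] != DUMP}
    while True:
        safe = {s for s in good
                if all(any(nxt in good for sg, _, nxt in trans[s] if sg == sig)
                       for sig in {sg for sg, _, _ in trans[s]})}
        core = {s for s in safe if s[0] in bad}   # co-reachable to a bad state
        grown = True
        while grown:
            grown = False
            for s in safe - core:
                if any(nxt in core for _, _, nxt in trans[s]):
                    core.add(s)
                    grown = True
        if core == good:
            break
        good = core
    if start not in good:
        return {}
    return {s: [t for t in trans[s] if t[2] in good] for s in good}

if __name__ == "__main__":
    G, S = tank_plant(), tank_supervisor()
    tr = attacked_closed_loop(G, S, always_low())
    print("Figure-5 attack: covert", is_covert(tr), "damaging", is_damaging(tr, {"EH"}))
    for prot in (frozenset(), {"h=H"}):
        print("supremal ABSRA states, protected", set(prot), len(supremal_attack(G, S, 1, {"EH"}, prot)))
```

Under these assumptions the product of the plant with the conjectured attack has ten states, none of them a dump state, and contains the bad state EH, so the attack is covert and damaging. The pruning loop is a greatest fixed point: a state is kept only if every event the plant can fire there has some alteration whose target is kept (otherwise a forced event would expose the attacker) and a bad state remains co-reachable. With nothing protected the result is nonempty and contains every choice of the conjectured attack, which is what "supremal" means here; with Σ_{o,p} = {h=H} the supervisor is always told the truth about the high level, qo=0 is never enabled at that level, EH becomes unreachable and the procedure returns the empty attack.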
IV. SYNTHESIS OF AN ABSRA-ROBUST SUPERVISOR
In the previous section we discussed, from the attacker's point of view, how to design an ABSRA model that disrupts a given system's operation. In this section we present a synthesis approach for a supervisor that is "robust" to any ABSRA, in the sense that any such attack is either not covert or incurs no damage to the system.
Recall that an ABSRA affects a target system (G, S) by altering the sequence of observable events, which tricks S into issuing commands improperly. Protecting observable events from unnoticed alteration can therefore, in principle, deter an ABSRA. An observable event in this framework denotes a specific set of strongly associated measurements. For example, in the single-tank system the event h=H may be associated with one simple water level measurement or with several sensor measurements, such as the actual water level and the corresponding pressure at the bottom of the tank; the more sensor measurements associated with the event, the harder it is for an attacker to alter the event without being detected.
When sensor readings are additionally protected cryptographically, the attacker's job becomes harder still; note that the threat here is alteration, an integrity violation, so what raises the bar is message authentication (e.g. an authenticated channel with replay protection), not encryption on its own, which hides a reading but does not by itself prevent its replacement. Thus it is technically feasible to prevent observable events from being altered, either by adopting secure transmission technologies or by introducing more sensors so that altering the corresponding observable event without detection becomes significantly more complicated. Nevertheless, there is always a cost consideration. An attractive solution for a potential industrial user is to identify only the critical observable events which, when protected from external alteration, lead to a supervisor robust to any ABSRA.
Problem 2: Given a plant G, a requirement E, and a protected observable alphabet
synthesize a supervisor S such that there is no ABSRA of the closed-loop system (G, S).
With the same notation as in the previous section, let CN(G, E) be the collection of all controllable and normal supervisors [10]. Let S_0 = supCN(G, E), which always exists and is computable, as long as E ⊆ Σ* is regular. Our goal is to design a supervisor S ∈ CN(G, E) such that Procedure 1 returns an empty ABSRA A* with respect to the given protected observable alphabet Σ_{o,p}. To this end, we present the following synthesis procedure:
Procedure 2: (ABSRA-Robust Supervisor Synthesis) 1) Input: a plant G, a requirement E and a protected observable alphabet Σ o,p .
2) Compute K̂ = supCN(G, E). If K̂ = ∅, terminate. Otherwise, assume K̂ is recognized by a finite-state automaton Ŝ, and continue.
3) Compute A* by using Procedure 1, i.e., compute
5) Output: a recognizer S of K.
Theorem 3: Given a plant G, a requirement E ⊆ Σ * , and a protected observable alphabet
where E k is defined in Procedure 1, i.e., there is no ABSRA A of (G, S).
Proof: Assume that it is not true. Then there exists an ABSRA A such that L(A) = K̃_k, where
Since S is controllable and normal with respect to G, and
we know that K̃ ⊆ K_k. But on the other hand, we know that
K K k , which leads to a contradiction. Thus, the ABSRA A does not exist.
We would like to emphasize here again that, although Theorem 3 indicates that there is no ABSRA A for the closed-loop system (G,Ŝ), it does not mean that a sensor reading alteration attack will not be carried out by an attacker. But such an attack will either reveal itself to the supervisor before it achieves its attack goal due to abnormal system executions (so that proper contingent actions such as system shutdown can be taken by the supervisor, which is outside the scope of this paper) or will not be able to lead the system to a bad state.
In Theorem 3, if K = ∅, then with the given protected observable alphabet Σ o,p , there does not exist a supervisor S that is ABSRA-robust. We face the following synthesis problem.
Problem 3: Given a plant G and a requirement E, compute a protected observable alphabet

The computational complexity of this procedure is certainly high: it is exponential in |Σ_o| but polynomial in the sizes of G and E, thanks to our adoption of normality to handle observability.
If the size of Σ o is big, to find a computationally viable algorithm that can solve Problem 3 becomes important, which will be addressed in our future works.
We now use the same single-tank system to illustrate how Procedure 2 computes an ABSRA-robust supervisor, and how to determine a minimum protected observable alphabet that allows an ABSRA-robust supervisor to exist. Let Σ_{o,p} = {h=H}. The models of A_0 and Ŝ are shown in Figure 8. When we run Procedure 1, we first compute G × (A_0 • Ŝ); the outcome is depicted in Figure 9. We can see that G × (A_0 • Ŝ) contains no bad marker state in X_{b,m}.
Thus, in Procedure 1 we have E 0 = ∅, which returns K 1 = supCN (L m (G × (A 0 •Ŝ)), E 0 ) = ∅.
After that, in Step 4) of Procedure 2, we have that
Thus, Ŝ is an ABSRA-robust supervisor for G with respect to the given Σ_{o,p}. It is also a solution to Problem 3: the only protected alphabet of smaller size is the empty one, and with no protected events Section III already produced a nonempty supremal ABSRA, so no ABSRA-robust supervisor exists for it.

V. CONCLUSIONS
In this paper we have introduced the concept of ABSRA and shown that the supremal ABSRA exists and is computable, as long as the plant model G and the supervisor S are finitely representable, i.e., their languages are regular. We have then introduced the problem of synthesizing an ABSRA-robust supervisor and shown that it is possible to find a minimum protected observable sub-alphabet that renders an ABSRA-robust supervisor.
It is interesting to point out that, if we replace the third property of the ABSRA model with a weaker observability property, e.g., standard observability [2], the supremal ABSRA may no longer exist. Nevertheless, the existence of an ABSRA is still decidable and an ABSRA is still computable (with possibly higher computational complexity), as this ABSRA synthesis problem is equivalent to a synthesis problem of centralized supervisory control under partial observation, which has been shown to be solvable [9]. Fortunately, the normality property is easily satisfied in practice, as it only requires that exclusively observable and controllable events be disabled online; in real industrial applications it is typical that all control commands are observable. For this reason, the supervisor synthesis approach proposed in this paper for defeating ABSRA is practically feasible.
