
    Opacity Of Discrete Event Systems: Analysis And Control

    The exchange of sensitive information in many systems over a network can be manipulated by unauthorized access. Opacity is a property for investigating security and privacy problems in such systems. Opacity characterizes whether secret information of a system can be inferred by an unauthorized user. One approach to verifying security and privacy properties using the opacity problem is to model the system that may leak confidential information as a discrete event system. The problem that has not been investigated intensively is the enforcement of opacity properties by supervisory control, in other words, constructing a minimally restrictive supervisor that limits the system's behavior so that an unauthorized user cannot discover or infer the secret information. We describe and analyze the complexity of opacity in systems that are modeled as a discrete event system with a partial observation mapping. We define three types of opacity: strong opacity, weak opacity, and no opacity. Strong opacity describes the inability of the system's observer to know what happened in the system. On the other hand, no opacity refers to the condition where there is no ambiguity in the system behavior. The definitions introduce properties of opacity and their effects on the system behavior. Strong opacity can be used to study security-related problems, while no opacity can be used to study fault detection and diagnosis, among many other applications. In this dissertation, we investigate the largest opaque sublanguages and smallest opaque superlanguages of a language when the language is not opaque. We study how to ensure strong opacity, weak opacity and no opacity by supervisory control. If strong opacity, weak opacity or no opacity is not satisfied, then we can restrict the system's behavior by a supervisor so that strong opacity, weak opacity or no opacity is satisfied.
    We investigate the strong opacity control problem (SOCP), the weak opacity control problem (WOCP), and the no opacity control problem (NOCP). As illustrated by examples in the dissertation, the above properties of opacity can be used to characterize the security requirements in many applications, such as anonymity requirements in protocols for web browsing. Solutions to SOCP are characterized in terms of the largest sublanguage that is controllable, observable (or normal), and strongly opaque. A similar characterization is available for solutions to NOCP.

    INCREMENTAL FAULT DIAGNOSABILITY AND SECURITY/PRIVACY VERIFICATION

    Dynamical systems can be classified into two groups. One group is continuous-time systems that describe the physical system behavior, and therefore are typically modeled by differential equations. The other group is discrete event systems (DESs) that represent the sequential and logical behavior of a system. DESs are therefore modeled by discrete state/event models. DESs are widely used for formal verification and enforcement of desired behaviors in embedded systems. Such systems are naturally prone to faults, and knowledge about each single fault is crucial from a safety and economic point of view. Fault diagnosability verification, which is the ability to deduce the occurrence of all failures, is one of the problems investigated in this thesis. Another verification problem addressed in this thesis is security/privacy. The two notions current-state opacity and current-state anonymity, which lie within this category, have attracted great attention in recent years due to the progress of communication networks and mobile devices. Usually, DESs are modular and consist of interacting subsystems. The interaction is achieved by means of synchronous composition of these components. This synchronization results in large monolithic models of the total DES. Also, the complex computations related to each specific verification problem add even more computational complexity, resulting in the well-known state-space explosion problem. To circumvent the state-space explosion problem, one efficient approach is to exploit the modular structure of systems and apply incremental abstraction. In this thesis, a unified abstraction method that preserves temporal logic properties and possible silent loops is presented.
    The abstraction method is applied incrementally to the local subsystems, and it is proved that this abstraction preserves the main characteristics of the system that need to be verified. The existence of shared unobservable events means that ordinary incremental abstraction does not work for security/privacy verification of modular DESs. To solve this problem, a combined incremental abstraction and observer generation is proposed and analyzed. Evaluations show the great impact of the proposed incremental abstraction on diagnosability and security/privacy verification, as well as on verification of generic safety and liveness properties. Thus, this incremental strategy makes formal verification of large complex systems feasible.

    Uniform Strategies

    We consider turn-based game arenas for which we investigate uniformity properties of strategies. These properties involve bundles of plays that arise from some semantic motive. Typically, we can represent constraints on allowed strategies, such as being observation-based. We propose a formal language to specify uniformity properties and demonstrate its relevance by rephrasing various known problems from the literature. Note that the ability to correlate different plays cannot be achieved by any branching-time logic unless it is equipped with an additional modality, called R in this contribution. We also study an automated procedure to synthesize strategies subject to a uniformity property, which strictly extends existing results based on, say, standard temporal logics. We exhibit a generic solution for the synthesis problem provided the bundles of plays rely on any binary relation definable by a finite state transducer. This solution yields a non-elementary procedure. Comment: (2012

    Opacity and Structural Resilience in Cyberphysical Systems

    Cyberphysical systems (CPSs) integrate communication, control, and computation with physical processes. Examples include power systems, water distribution networks, and, on a smaller scale, medical devices and home control systems. Since these systems are often controlled over a network, the sharing of information among systems and across geographies makes them vulnerable to attacks carried out (possibly remotely) by malicious adversaries. An attack could be carried out on the physical system, on the computer(s) controlling the system, or on the communication links between the system and the computer. Thus, significant material damage can be caused by an attacker who is able to gain access to the system, and such attacks will often have the consequence of causing widespread disruption to everyday life. Therefore, ensuring the safety of information critical to nominal operation of the system is of utmost importance. This dissertation addresses two problems in the broad area of the control and security of cyberphysical systems. First, we present a framework for opacity in CPSs modeled as a discrete-time linear time-invariant (DT-LTI) system. The current state of the art in this field studies opacity for discrete event systems (DESs) described by regular languages. However, the states in a DES are discrete; in many practical systems, it is common for states (and other system variables) to take continuous values. We define a notion of opacity called k-initial state opacity (k-ISO) for such systems. A set of secret states is said to be k-ISO with respect to a set of nonsecret states if the output at time k of every trajectory starting from the set of secret states is indistinguishable from the output at time k of some trajectory starting from the set of nonsecret states. Necessary and sufficient conditions to establish k-ISO are presented in terms of sets of reachable states.
    Opacity of a given DT-LTI system is shown to be equivalent to the output controllability of a system obeying the same dynamics, but with different initial conditions. We then study the case where there is more than one adversarial observer, and define several notions of decentralized opacity. These notions of decentralized opacity depend on whether or not there is a centralized coordinator, and on the presence or absence of collusion among the adversaries. We establish conditions for decentralized opacity in terms of sets of reachable states. In the case of colluding adversaries, we present a condition for non-opacity in terms of the structure of the communication graph. We extend this work to formulate notions of opacity for discrete-time switched linear systems. A switched system consists of a finite number of subsystems and a rule that orchestrates switching among them. We distinguish between the cases when the secret is specified as a set of initial modes, a set of initial states, or a combination of the two. The novelty of our schemes is in the fact that we place restrictions on: i) the allowed transitions between modes (specified by a directed graph), ii) the number of allowed changes of modes (specified by lengths of paths in the directed graph), and iii) the dwell times in each mode. Each notion of opacity is characterized in terms of allowed switching sequences and sets of reachable states and/or modes. Finally, we present algorithmic procedures to verify these notions, and provide bounds on their computational complexity. Second, we study the resilience of CPSs to denial-of-service (DoS) and integrity attacks. The CPS is modeled as a linear structured system, and its resilience to an attack is interpreted in a graph-theoretic framework. The structural systems approach presumes knowledge of only the positions of zero and nonzero entries in the system matrices to infer system properties.
    This approach is attractive because these properties hold for almost every admissible numerical realization of the system. The structural resilience of the system is characterized in terms of unmatched vertices in maximum matchings of the bipartite graph and connected components of directed graph representations of the system under attack. Further, we establish a condition based on the zero structure of an input matrix that ensures the system is structurally resilient to a state feedback integrity attack if it is also resilient to a DoS attack. Finally, we formulate an extension to the case of switched structured systems, and derive conditions for such systems to be structurally resilient to a DoS attack.