76 research outputs found

    Supervisory control of discrete event systems for bisimulation or simulation equivalence

    The supervisory control of discrete event systems provides a framework for control of event-driven systems. Applications of supervisory control theory include protocol design for communication processes, control logic synthesis in manufacturing systems, and collision avoidance in human-computer interaction systems.

    When designing a system at a certain level of abstraction, lower level details of the system and its specification are normally omitted to obtain higher level models that may be (non-deterministic) event-driven systems. Nondeterministic systems exhibit both branching and sequential behaviors and are captured using bisimulation equivalence (the traditional language equivalence only captures sequential behaviors). Simulation equivalence is more expressive than language equivalence but captures only the universal fragment of branching behaviors.

    This dissertation presents supervisory control of discrete event systems for enforcing bisimulation equivalence or simulation equivalence with respect to given specifications. We show that in the general setting of nondeterministic systems and specifications, the complexity of bisimilarity enforcing control is doubly exponential, while similarity enforcing control remains polynomially solvable. So the choice of behavioral equivalence depends on the application at hand, and there is a trade-off between expressivity and complexity. We further show that the bisimilarity enforcing control problem becomes polynomially solvable when the system model is deterministic and there is complete observability of events. When the complete observability requirement is relaxed, the control existence problem remains polynomially solvable and the control synthesis problem becomes singly exponential. These complexities are similar to the ones for control under partial observation in the completely deterministic setting of Tsitsiklis (1989).

    We introduce various notions of state-controllability (SC), state-recognizability (SR), state-achievability (SA), state-controllable-similar (SCS), state-controllability-bisimilar (SCB), and state-achievability-bisimilar (SAB) for the deterministic system model. SC is a property of a controlled system under complete observation. Under partial observation, an additional property of a controlled system due to the partial observation is SR. The combined property of SC and SR is called SA. We show that the properties SC, SR and SA are not preserved under bisimulation equivalence and therefore cannot serve as a necessary condition for the existence of a bisimilarity enforcing supervisor. We introduce the notions of SCB and SAB, which are preserved under bisimulation, as part of the necessary and sufficient condition for the existence of a supervisor under complete and partial observation, respectively. We show that SC is not preserved under simulation equivalence and introduce SCS as a necessary and sufficient condition for the existence of a similarity enforcing supervisor under complete observation.

    The aforementioned results use strict synchronous composition (SSC) of the system and supervisor as the mechanism of control. In SSC, the individual systems are required to execute all events synchronously. Prioritized synchronous composition (PSC) relaxes this synchronization requirement, and this has been shown to enrich the control capability when the plant is non-deterministic. (The presence of nondeterminism in a plant model may cause the current state to be known only with ambiguity, and the flexibility of not synchronizing an event at all the candidate states the plant may have reached provides additional benefits.) This dissertation introduces the notion of prioritized synchronous composition under mask (PSCM) to account for partial observation. We study supervisory control when PSCM is adopted as the mechanism of interaction for both language and bisimulation equivalences. We show that the control- and observation-compatibility requirements on a supervisor are removed. For control to achieve language equivalence, the existence condition is given by achievability, which is weaker than controllability and observability combined. (The weaker condition suffices because we allow supervisors to be nondeterministic.) This suggests that the notion of PSCM is an appropriate generalization of PSC to account for partial observation.

    Supervisory Control and Analysis of Partially-observed Discrete Event Systems

    Nowadays, a variety of real-world systems fall into the class of discrete event systems (DES). In practical scenarios, due to factors such as limited sensor technology, sensor failure, unstable networks and even the intrusion of malicious agents, it may occur that some events are unobservable, that multiple events are indistinguishable in observations, and that the observations of some events are nondeterministic. Motivated by these practical scenarios, increasing attention in the DES community has been paid to partially-observed DES, which in this thesis refer broadly to DES with partial and/or unreliable observations. In this thesis, we focus on two topics in partially-observed DES, namely supervisory control and analysis. The first topic includes two research directions in terms of system models. One is the supervisory control of DES with both unobservable and uncontrollable events, focusing on the forbidden state problem; the other is the supervisory control of DES vulnerable to sensor-reading disguising attacks (SD-attacks), which can also be interpreted as DES with nondeterministic observations, addressing both the forbidden state problem and the liveness-enforcing problem. Petri nets (PN) are used as the reference formalism in this topic. First, we study the forbidden state problem in the framework of PN with both unobservable and uncontrollable transitions, assuming that unobservable transitions are uncontrollable. For ordinary PN subject to an admissible Generalized Mutual Exclusion Constraint (GMEC), an optimal on-line control policy with polynomial complexity is proposed, provided that a particular subnet, called the observation subnet, satisfies certain structural conditions. It is then discussed how to obtain an optimal on-line control policy for PN subject to an arbitrary GMEC. Next, we again consider the forbidden state problem, but in PN vulnerable to SD-attacks. 
Assuming the control specification in terms of a GMEC, we propose three methods to derive on-line control policies. The first two lead to an optimal policy but are computationally inefficient for large-size systems, while the third method computes a policy with timely response even for large-size systems but at the expense of optimality. Finally, we investigate the liveness-enforcing problem still assuming that the system is vulnerable to SD-attacks. In this problem, the plant is modelled as a bounded PN, which allows us to off-line compute a supervisor starting from constructing the reachability graph of the PN. Then, based on repeatedly computing a more restrictive liveness-enforcing supervisor under no attack and constructing a basic supervisor, an off-line method that synthesizes a liveness-enforcing supervisor tolerant to an SD-attack is proposed. In the second topic, we care about the verification of properties related to system security. Two properties are considered, i.e., fault-predictability and event-based opacity. The former is a property in the literature, characterizing the situation that the occurrence of any fault in a system is predictable, while the latter is a newly proposed property in the thesis, which describes the fact that secret events of a system cannot be revealed to an external observer within their critical horizons. In the case of fault-predictability, DES are modeled by labeled PN. A necessary and sufficient condition for fault-predictability is derived by characterizing the structure of the Predictor Graph. Furthermore, two rules are proposed to reduce the size of a PN, which allow us to analyze the fault-predictability of the original net by verifying that of the reduced net. When studying event-based opacity, we use deterministic finite-state automata as the reference formalism. 
Considering different scenarios, we propose four notions, namely K-observation event-opacity, infinite-observation event-opacity, event-opacity and combinational event-opacity. Moreover, verifiers are proposed to analyze these properties.

    Cooperative tasking for multi-agent systems

    Ph.D. (Doctor of Philosophy)

    Selection of a stealthy and harmful attack function in discrete event systems

    In this paper we consider the problem of joint state estimation under attack in partially-observed discrete event systems. An operator observes the evolution of the plant to estimate its current states. The attacker may tamper with the sensor readings received by the operator, inserting dummy events or erasing real events that have occurred in the plant, with the goal of preventing the operator from computing the correct state estimate. An attack function is said to be harmful if the state estimate consistent with the correct observation and the state estimate consistent with the corrupted observation satisfy a given misleading relation. On the basis of an automaton called the joint estimator, we show how to compute a supremal stealthy joint subestimator that allows the attacker to remain stealthy, no matter what the future evolution of the plant is. Finally, we show how to select a stealthy and harmful attack function based on such a subestimator.

    On Object Oriented Nondeterministic Supervisory Control

    Implementation of complex discrete event fabrication processes can be considerably simplified by the use of general reusable software modules representing the physical components. At the same time, construction of the control system can be facilitated by applying supervisory control theory for the automatic generation of control laws. These two aspects can be joined into a general concept with object-oriented modeling and control law synthesis as its foundations. The goal is to allow an operator to specify operation lists describing the required sequences of operations for the manufacturing of a product, independently of the constraints given by a specific plant. With a suitable model of the capabilities and constraints of the resources of that plant, a product route can be automatically generated from the operation list. Such a product route describes all available paths through the system for each type of product, irrespective of any other type of product that may be simultaneously present within the production system. Given a set of product routes and a model of the plant, control laws guaranteeing production according to those product specifications can be synthesized. Based on supervisory control theory, using interleaved product routes as the specification, we show how such control laws can be synthesized. An added complexity is that the specification becomes non-deterministic, in the sense that the same string of events can lead to different system states. We show that supervisory control theory can be used with non-deterministic specifications provided certain properties hold. An algorithm for the synthesis of a non-deterministic supervisor is presented. We also describe an object-oriented modeling approach to discrete event fabrication processes. It is shown that the properties defined as necessary for the non-deterministic supervisory approach follow immediately from the modeling approach. Thus, we show that the approach to non-deterministic supervisory control can be combined with object-oriented modeling techniques, giving a powerful framework for implementing control of large and complex discrete event fabrication processes.

    Opacity Of Discrete Event Systems: Analysis And Control

    The exchange of sensitive information in many networked systems can be manipulated by unauthorized access. Opacity is a property used to investigate security and privacy problems in such systems. Opacity characterizes whether secret information about a system can be inferred by an unauthorized user. One approach to verifying security and privacy properties via the opacity problem is to model the system that may leak confidential information as a discrete event system. A problem that has not been investigated intensively is the enforcement of opacity properties by supervisory control; in other words, constructing a minimally restrictive supervisor that limits the system's behavior so that an unauthorized user cannot discover or infer the secret information. We describe and analyze the complexity of opacity in systems that are modeled as discrete event systems with a partial observation mapping. We define three types of opacity: strong opacity, weak opacity, and no opacity. Strong opacity describes the inability of the system's observer to know what happened in the system. No opacity, on the other hand, refers to the condition where there is no ambiguity in the system behavior. These definitions introduce properties of opacity and their effects on the system behavior. Strong opacity can be used to study security related problems, while no opacity can be used to study fault detection and diagnosis, among many other applications. In this dissertation, we investigate the largest opaque sublanguages and smallest opaque superlanguages of a language when the language is not opaque. We study how to ensure strong opacity, weak opacity and no opacity by supervisory control. If strong opacity, weak opacity or no opacity is not satisfied, then we can restrict the system's behavior by a supervisor so that the desired property is satisfied. We investigate the strong opacity control problem (SOCP), the weak opacity control problem (WOCP), and the no opacity control problem (NOCP). As illustrated by examples in the dissertation, the above opacity properties can be used to characterize the security requirements in many applications, such as anonymity requirements in protocols for web browsing. Solutions to SOCP in terms of the largest sublanguage that is controllable, observable (or normal), and strongly opaque are characterized. A similar characterization is available for solutions to NOCP.

    Resilience Against Sensor Deception Attacks at the Supervisory Control Layer of Cyber-Physical Systems: A Discrete Event Systems Approach

    Cyber-Physical Systems (CPS) are already ubiquitous in our society and include medical devices, (semi-)autonomous vehicles, and smart grids. However, their security aspects were only recently incorporated into their design process, mainly in response to catastrophic incidents caused by cyber-attacks on CPS. The Stuxnet attack that successfully damaged a nuclear facility, the Maroochy water breach that released millions of gallons of untreated water, the assault on power plants in Brazil that disrupted the distribution of energy in many cities, and the intrusion demonstration that stopped the engine of a 2014 Jeep Cherokee in the middle of a highway are examples of well-publicized cyber-attacks on CPS. There is now a critical need to provide techniques for analyzing the behavior of CPS while under attack and to synthesize attack-resilient CPS. In this dissertation, we address CPS under the influence of an important class of attacks called sensor deception attacks, in which an attacker hijacks sensor readings to inflict damage to CPS. The formalism of regular languages and their finite-state automata representations is used to capture the dynamics of CPS and their attackers, thereby allowing us to leverage the theory of supervisory control of discrete event systems to pose our investigations. First, we focus on developing a supervisory control framework under sensor deception attacks. We focus on two questions: (1) Can we automatically find sensor deception attacks that damage a given CPS? and (2) Can we design a secure-by-construction CPS against sensor deception attacks? Answering these two questions is the main contribution of this dissertation. In the first part of the dissertation, using techniques from the fields of graph games and Markov decision processes, we develop algorithms for synthesizing sensor deception attacks in both qualitative and quantitative settings. 
Graph games provide the means of synthesizing sensor deception attacks that might damage the given CPS. In a second step, equipped with stochastic information about the CPS, we can leverage Markov decision processes to synthesize attacks with the highest likelihood of damage. In the second part of the dissertation, we tackle the problem of designing secure-by-construction CPS. We provide two different methodologies to design such CPS, in which there exists a trade-off between flexibility in selecting different designs and the computational complexity of the methods. The first method is developed based on supervisory control theory, and it provides a computationally efficient way of designing secure CPS. Alternatively, a graph-game method is presented as a second solution for this problem. The graph-game method grants flexible selection of the CPS at the cost of computational complexity. The first method finds one robust supervisor, whereas the second method provides a structure in which all robust supervisors are included. Overall, this dissertation provides a comprehensive set of algorithmic techniques to analyze and mitigate sensor deception attacks at the supervisory layer of cyber-physical control systems.

    PHD, Electrical and Computer Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/166117/1/romulo_1.pd