ISA Transactions 93 (2019) 108–114
Research article
On-line verification of initial-state opacity by Petri nets and integer linear programming

Xuya Cong a,b, Maira Pia Fanti b, Agostino Marcello Mangini b, Zhiwu Li a,c,∗

a School of Electro-Mechanical Engineering, Xidian University, No. 2 South Taibai Road, Xi’an 710071, China
b Department of Electrical and Information Engineering, Polytechnic of Bari, 70125 Bari, Italy
c Institute of Systems Engineering, Macau University of Science and Technology, Taipa, Macau
Highlights

• Opacity formalizes the impossibility for an intruder to infer secret information.
• An on-line algorithm verifies the initial-state opacity for discrete event systems.
• The intruder actions are based on integer linear programming and labeled Petri nets.
• The results show that the proposed method is suitable for real-time verification.
Article info

Article history: Received 22 May 2018; Received in revised form 12 December 2018; Accepted 17 January 2019; Available online 13 February 2019

Keywords: Initial-state opacity; Petri nets; Integer linear programming
Abstract

This paper deals with a problem related to the observability of discrete event systems: the initial-state opacity. Given a set of system states (the secret), a system observation is called initial-state opaque if an agent (named intruder), who can partially observe the system, cannot determine whether the set of initial states consistent with an event sequence is included in the secret. Such a property can describe security problems in cyber-infrastructures, such as Internet and mobile communication networks or national defense service systems. This work presents a novel on-line methodology to verify the notion of initial-state opacity of discrete event systems that are modeled by labeled Petri nets. By working on-line, the intruder records an event and exploits an integer linear programming problem for checking the initial-state opacity of the system’s evolution under the given observation. A set of examples is shown to shed light on the efficiency of the presented methodology. © 2019 ISA. Published by Elsevier Ltd. All rights reserved.
∗ Corresponding author at: Institute of Systems Engineering, Macau University of Science and Technology, Taipa, Macau.
https://doi.org/10.1016/j.isatra.2019.01.023

1. Introduction

With the increasing applications on shared cyber-infrastructures (including but not limited to communication, banking, and defense systems), researchers and practitioners have proposed several notions of security and privacy both in academic and industrial fields. Such notions take into account the description of the information flow between the system and an external observer that is called intruder. Accordingly, in the field of system control engineering, different properties are based on the (in some cases partial) observation of a system’s behavior [1,2] and opacity problems fall in this research area. In particular, the opacity property is used to infer whether the secret information (the partial behavior of the system modeled as a predicate) remains opaque to the intruder. In discrete event systems (DESs), the predicate [3] can be used to represent a subset of the system states or languages that satisfy a particular condition. More precisely, opacity properties refer to state-based (language-based) opacity: this paper deals with a kind of state-based opacity named initial-state opacity.

A system is called initial-state opaque (ISO) if, for any observation, the intruder does not have the capability to validate whether the system’s behavior originated from one of the secret states. In other words, given a set of secret states, if by recording the event sequence of the system the intruder can never confirm that the evolution of the system only originated from the secret states, then the system is ISO.

Recently, the initial-state opacity has been widely applied to solve different industrial and real problems in the security context. For example, in an anonymous communication network, a secret state can represent the identity of an information sender that needs to be protected, i.e., the identity of the information sender needs to be hidden from the intruder. In this case, initial-state opacity requires that the intruder should never be certain that the system evolves from the secret state by its partial observation.
That is to say, the identity of the information sender is never exposed to the intruder by its partial observation. In particular, if the intruder observes an event sequence that is associated with a sequence s starting from a secret state, but there exists another sequence s′ that can start from a non-secret state, then s and s′ are observationally equivalent to the intruder. In such a case the intruder cannot discover the initial state and the observation is ISO.

In the related literature, researchers usually investigate initial-state opacity by modeling DESs in the automata framework [4–6]. Among them, Saboori and Hadjicostis [4] build an initial-state estimator (ISE) for checking the property of a nondeterministic finite automaton (NFA) with the complexity O(2^{|p|^2}), in which p represents the number of states in the automaton. More precisely, they define an ISE as a deterministic finite automaton (DFA), which consists of state pairs that enumerate all pairs of the initial and current states with respect to (wrt) the observed event sequence. In this way, the set of states that can generate the observed event sequence is obtained for the opacity property analysis. Once the ISE has been constructed, it does not need to be reconstructed when the secret changes. For a given (invariant) secret, a DFA called verifier is presented in [5] for initial-state opacity analysis. Rather than estimating the exact set of initial states, the verifier only needs to know whether the current states originated from the secret/non-secret states, thereby reducing the complexity to O(4^{|p|}). Moreover, Wu and Lafortune [6] propose a novel method to build the ISE by using the observer of the reverse automaton, and the complexity of verifying initial-state opacity is further reduced to O(2^{|p|}) accordingly. As for Petri nets (PNs), Bryans et al. [7] define the notion of initial-state opacity and first prove the decidability of verifying initial-state opacity for bounded PNs.
Later, Bryans et al. [8] extend the concept of opacity to labeled transition systems. However, the work in [7,8] shows that the complexity for verifying initial-state opacity is extremely high. Particularly, it needs to construct the reachability graph (RG) for bounded PNs, which is an NFA, thus the aforementioned methods in automata are applicable. Obviously, this approach is inevitably confronted with the state explosion problem. To overcome such a restriction, Tong et al. [9] exploit the notion of basis reachability graph (BRG) developed by [10–13] to handle the problem of fault diagnosis, state estimation, diagnosability and reachability analysis in PNs. Its well-known advantage is that it only enumerates a part of the reachable markings, called basis markings, while the remaining ones are represented by state (linear) equations. More in detail, in [9], under the assumption that a secret marking will inevitably remain in the secret set by firing only unobservable transitions, Tong et al. transform the initial-state opacity problem in bounded PNs into the problem of language containment by using its BRG. Furthermore, under the same assumption as in [9], Tong et al. [14] propose another efficient BRG-based method for checking initial-state opacity. Meanwhile, for a more general situation, a modified BRG (MBRG) is built for checking initial-state opacity in [14] without the aforementioned assumption. However, the methods in [9,14] may still need a large memory because of the building of the ISE of the BRG or MBRG. Moreover, Tong et al. [15] also show that verification of initial-state opacity is undecidable in labeled Petri nets (LPNs).

This paper deals with the initial-state opacity in DESs modeled by LPNs. The main idea of this work is to present an on-line verification approach for initial-state opacity by using LPNs and the solution of integer linear programming (ILP) problems.
ILP is widely applicable for addressing on-line fault diagnosis [16,17], fault tolerant control [18], and diagnosability verification [19]. In a previous work the authors faced the problem of the current-state opacity, which consists in the estimation of the set of markings consistent with an observation [20]. This paper focuses on the different problem of the estimation of the set of markings that can
generate an observation. More in detail, the intruder completely knows the net structure with the initial marking but can only partially observe its transitions. The intruder waits for an event and exploits an ILP-based method to infer whether the set of markings that can generate the event sequence is a subset of the secret. According to this definition of initial-state opacity, if there exists at least one observed word such that the intruder deduces that all the markings that can generate the observed word belong to a set of secret markings, the system is said to be not ISO wrt the secret.

In this work, we use the conjunction of generalized mutual exclusion constraints (GMECs) [21] to represent the secret. Actually, GMECs provide a description of interesting subsets of the reachability set of a net and can model a lot of crucial state-based specifications [14] and control problems [22,23]. Furthermore, we can transform numerous control requirements (specifications) of DESs into GMECs.

As a summary, the cores of this work are outlined as follows:

1. An on-line algorithm is proposed to check the initial-state opacity property for each observation of the LPNs wrt a secret by solving ILP problems, thereby preventing complex off-line computation of the BRG or MBRG and its corresponding ISE in [9,14].
2. By exploiting the on-line technique, there is no need to redesign and redefine the intruder when the net model changes. Actually, if the system structure varies, the proposed algorithm only needs to update the net incidence matrix, the initial marking and the secret set in the ILP formulation. On the contrary, the BRG or MBRG of [9,14] has to be reconstructed when the structure and/or the initial marking of the LPN changes.
3. The initial-state opacity verification methods proposed in [9,14] are applicable to an arbitrary secret while the presented method in this paper works when the secret is defined by GMECs.
4. The BRG or MBRG based methods in [9,14] can verify the initial-state opacity for the system wrt the secret. The proposed approach can check on-line whether the event sequence of finite length (the LPN) is (is not) ISO wrt the secret.
5. The proposed approach needs to solve ILP problems that are NP-hard in theory. Evolutionary algorithms are metaheuristics that are commonly used to generate high-quality solutions (see for instance [24] and [25]) but they do not guarantee to provide the optimal one. Since, for the opacity verification, it is not sufficient to find a feasible solution of the formulated ILP problems, but it is necessary to determine the optimal solution, the model is exactly solved by a standard solver.

The rest of this work is outlined below. Section 2 introduces some basics of the PN formalism. Section 3 describes the intruder, presents the on-line algorithm to check initial-state opacity and the complexity of the algorithm. Two case studies are provided in Section 4 to show the efficiency of the proposed method. Finally, Section 5 concludes this work and refers to some future research.

2. Preliminaries

2.1. Petri nets

In this section, we review some basics of PNs [26]. A PN is a net modeled as $PN = (P, T, W^-, W^+)$, in which: $P$ represents a place set with $b$ elements, $T$ represents a transition set with $c$ elements, $W^+ : P \times T \to \mathbb{N}$ and $W^- : P \times T \to \mathbb{N}$ represent the post- and pre-incidence matrices assigning the arcs ($\mathbb{N}$ represents the non-negative integer set). $W = W^+ - W^-$ reflects the incidence matrix of the PN.
A vector $\mu : P \to \mathbb{N}$ is a marking associating a token count with every place, where $\mu(p)$ denotes the marking in $p$. Thus, we also have $\mu = \sum_{p \in P} \mu(p) \cdot p$ and we call $\langle PN, \mu_0 \rangle$ a net system with an initial marking $\mu_0$. When $\mu \ge W^-(\cdot, t_a)$ holds, we say that transition $t_a$ is enabled at $\mu$: this is written as $\mu[t_a\rangle$. By firing $t_a$, we obtain marking $\mu'$ by the state equation $\mu' = \mu + W \cdot \vec{t}_a$, i.e., $\mu[t_a\rangle\mu'$, in which $\vec{t}_a$ is a $c$-dimensional firing vector such that the $a$th element in the vector is one and the others are zero. $\mu_k$ is reachable from $\mu_0$ if there is a transition sequence $s = t_1 t_2 \ldots t_k$ satisfying $\mu_0[t_1\rangle\mu_1[t_2\rangle\mu_2 \ldots [t_k\rangle\mu_k$, and it can be written as $\mu_0[s\rangle\mu_k$. The set of sequences that may fire at marking $\mu$ is represented by $L(PN, \mu) = \{s \in T^* \mid \mu[s\rangle\}$. Let $R(PN, \mu_0)$ be the reachability set of $\langle PN, \mu_0 \rangle$. $\langle PN, \mu_0 \rangle$ is bounded if there exists $B \in \mathbb{N}$ and the cardinality of $R(PN, \mu_0)$ is less than $B$. A transition $t \in T$ is live at $\mu_0$ if $\forall \mu \in R(PN, \mu_0)$, $\exists \mu' \in R(PN, \mu)$, $\mu'[t\rangle$. When all the transitions are live at $\mu_0$, the net is live.

Let $\pi : T^* \to \mathbb{N}^c$ be the function that associates a sequence $s$ with its firing vector $\vec{s}$. $|s|$ denotes the length of a sequence $s$. Given $s \in T^*$, the 1-norm of $\vec{s}$ is the same as the sequence length, i.e., $\|\vec{s}\|_1 = |s|$.

For a net $PN$, a vector $\vec{z} \in \mathbb{N}^c$ is called a T-invariant if $W \cdot \vec{z} = \vec{0}$ with $\vec{z} \ne \vec{0}$. Given a T-invariant $\vec{z}$, $Sup(\vec{z}) = \{t \mid \vec{z}(t) \ne 0\}$ is called the support of $\vec{z}$, that is, the set of transitions corresponding to the nonzero elements of $\vec{z}$. A T-invariant is said to be minimal if no proper nonempty subset of its support is also a support of any other T-invariant and its elements are mutually prime [27]. Then, let $T(PN)$ be the minimal T-invariant set of a PN.

A reversible PN implies that every reachable marking $\mu$ can yield $\mu_0$. In addition, an acyclic PN means that the net has no directed cycles. Now, if $\langle PN, \mu_0 \rangle$ is acyclic, then $\mu_0$ can lead to $\mu$ iff a non-negative integer vector $\vec{z}$ satisfies the condition $\mu_0 + W \cdot \vec{z} \ge \vec{0}$ [28].

2.2. Labeled Petri nets

An LPN is a quadruple $G = (PN, \mu_0, \Sigma, l)$, in which $\langle PN, \mu_0 \rangle$ represents a PN system, $\Sigma$ represents a label set and $l : T \to \Sigma \cup \{\varepsilon\}$ represents a labeling function that associates with each transition $t \in T$ either an element in $\Sigma$ or the empty word $\varepsilon$. As usual, the intruder fully knows the net structure but can only partially observe its evolution. Let us divide the set of transitions $T$ into two disjoint sets $T_o$ (observable transition set) and $T_u$ (unobservable transition set) with $|T_o| = c_o$ and $|T_u| = c_u$. Then, we define the labeling function $l$ as: if $t \in T_o$ then $l(t) = \beta \in \Sigma$, otherwise $l(t) = \varepsilon$. In LPNs one label can be associated with two or more transitions. In addition, $T(\beta) = \{t \in T_o \mid l(t) = \beta\}$ is used to denote the transition set associated with an element in $\Sigma$. Furthermore, the labeling function can be extended as $l : T^* \to \Sigma^*$ such that for a sequence $s \in T^*$ we have $u = l(s)$.

Given an LPN $G = (PN, \mu_0, \Sigma, l)$ and one of its reachable markings $\mu$, $\mu$ can generate the language $L(PN, \mu) = \{u \in \Sigma^* \mid \exists s \in L(PN, \mu) \text{ and } l(s) = u\}$. Moreover, given a set of markings $K \in R(PN, \mu_0)$ of $G$, we define $L(PN, K) = \bigcup_{\mu \in K} L(PN, \mu)$, the language generated from markings in $K$. In addition, $s_u \in s$ ($s_o \in s$) denotes the subsequence of $s$ composed of the unobservable (observable) transitions and $\vec{s}_u$ ($\vec{s}_o$) denotes its corresponding firing vector.

Let us consider $PN = (P, T, W^-, W^+)$ and $T_A \subseteq T$; the $T_A$-induced subnet of $PN$ is defined as $PN_A = (P, T_A, W_A^-, W_A^+)$, where $W_A^-$ and $W_A^+$ are the restrictions of $W^-$ and $W^+$ to $T_A$, respectively. In other words, $PN_A$ is derived from $PN$ by eliminating the set of transitions $T \setminus T_A$. In this paper, we use matrices $W_u = W_u^+ - W_u^-$ and $W_o = W_o^+ - W_o^-$ to represent the restriction of the incidence matrix $W$ to $T_u$ and $T_o$, respectively.
3. Verifying initial-state opacity

This section presents an on-line methodology to check initial-state opacity of LPNs.

3.1. Modeling of initial-state opacity

First, we review some basics about initial-state opacity of LPNs in [9,14], where a secret is a subset of reachable markings $S$. Suppose that the intruder is aware of the system $\langle PN, \mu_0 \rangle$. Starting from $\mu_0$, the net could have been at an arbitrary reachable marking $\mu$ before firing of any observed word. In such a case, $\mu$ can be regarded as the initial state of an observation but not $\mu_0$ [9,14]. Hence, the notion of the observed word is extended to sequences $u \in L(PN, R(PN, \mu_0))$. For an event sequence $u$, we use $I(u) = \{\mu \in R(PN, \mu_0) \mid \exists s \in T^* : \mu[s\rangle \text{ and } l(s) = u\}$ to denote the marking set that can generate $u$.

Definition 1. Given an LPN $G = (PN, \mu_0, \Sigma, l)$ and a secret $S$. An observed event sequence $u \in L(PN, R(PN, \mu_0))$ of $G$ is ISO wrt $S$ if $I(u) \nsubseteq S$, otherwise $u$ is not ISO wrt $S$.

Based on Definition 1, a not ISO event sequence $u \in L(PN, R(PN, \mu_0))$ means that the intruder can deduce that all markings in $R(PN, \mu_0)$ that can generate $u$ are in the secret. Then, we have the following result about initial-state opacity of a system.

Definition 2. Given an LPN $G = (PN, \mu_0, \Sigma, l)$ and a secret $S$. $G$ is ISO wrt $S$ if all observed event sequences $u \in L(PN, R(PN, \mu_0))$ are ISO wrt $S$, otherwise $G$ is not ISO wrt $S$.

For this paper, we describe the secret by the set of GMECs [21] as follows:

$$
S = \bigwedge_{p=1}^{r} \{\mu \in \mathbb{N}^b \mid a_p^T \cdot \mu \le j_p\},
$$

in which $a_p \in \mathbb{Z}^b$ and $j_p \in \mathbb{Z}$ with $p = 1, \ldots, r$. Note that $\mathbb{Z}$ represents the integer set. For simplicity, we also denote such a set of GMECs $(a_p, j_p)$ by $S = \{\mu \in \mathbb{N}^b \mid A \cdot \mu \le J\}$, in which $A = [a_1, a_2, \ldots, a_r]^T$ and $J = [j_1, j_2, \ldots, j_r]^T$.

3.2. The on-line intruder description

Let us consider an event sequence $u$; this subsection shows a method to characterize the set $I(u)$ by using a set of integer linear constraints. Moreover, the on-line intruder is specified. Firstly, we provide the two assumptions for the considered system:

(A1) the LPN model $G$ is live and bounded.
(A2) the acyclicity holds for the $T_u$-induced and $T_o$-induced subnets.

Assumption A1 guarantees that a set of linear equations can fully represent all of the reachable markings. By Assumption A2, we can obtain the reachability of the unobservable and observable subnets based on the state equation. Any enabled sequence with finite length at $\mu$ should satisfy the following necessary and sufficient condition.

Lemma 1 ([29]). There exist $d$ integer vectors $\vec{q}_1, \ldots, \vec{q}_d$ with $d \le |s|$ such that the following set of linear constraints is satisfied

$$
\begin{cases}
\mu \ge W^- \cdot \vec{q}_1 \\
\mu + W \cdot \vec{q}_1 \ge W^- \cdot \vec{q}_2 \\
\cdots \\
\mu + W \cdot \sum_{i=1}^{d-1} \vec{q}_i \ge W^- \cdot \vec{q}_d \\
\sum_{i=1}^{d} \vec{q}_i = \pi(s)
\end{cases}
\tag{1}
$$

iff there exists at least one sequence $s$, which is enabled under the marking $\mu$ with $\pi(s) = \vec{s}$.
The intruder has the following inputs: the LPN system $G$, the secret $S$ formed by GMECs, and the observed event sequence $u \in L(PN, R(PN, \mu_0))$. We define the output of the intruder as a function $\Theta(u)$.

Definition 3. An on-line intruder is a function $\Theta : L(PN, R(PN, \mu_0)) \to \{1, 0\}$ that assigns to each observed event sequence $u \in L(PN, R(PN, \mu_0))$ the following outputs:

1. $\Theta(u) = \{1\}$ if the observed event sequence of the system is ISO wrt $S$.
2. $\Theta(u) = \{0\}$ otherwise.

Based on Lemma 1, for a given observed event sequence $u \in L(PN, R(PN, \mu_0))$, we use the following proposition to characterize each transition sequence $s \in T^*$ such that its firing at any reachable marking $\mu$ is consistent with $u = l(s)$.

Proposition 1. Consider an LPN $G = (PN, \mu_0, \Sigma, l)$. Given an observed event sequence $u = \alpha_1 \alpha_2 \ldots \alpha_d \in L(PN, R(PN, \mu_0))$, there exists at least one sequence $s = s_{u1} s_{o1} s_{u2} s_{o2} \ldots s_{ud} s_{od} s_{u,d+1}$ with $|s_{ui}| \ge 0$ for $i = 1, 2, \ldots, d+1$ and $|s_{oi}| = 1$ for $i = 1, 2, \ldots, d$ enabled under the marking $\mu$ with $\mu_0[q\rangle\mu$ such that $l(s) = u = \alpha_1 \alpha_2 \ldots \alpha_d$ iff there exist a positive integer $F$ and $F + 2d + 1$ vectors $\vec{q}_1, \vec{q}_2, \ldots, \vec{q}_F, \vec{s}_{u1}, \vec{s}_{u2}, \ldots, \vec{s}_{u,d+1}, \vec{s}_{o1}, \vec{s}_{o2}, \ldots, \vec{s}_{od}$ that fulfill constraints (2) denoted by $\zeta(\mu_0, u, F)$:

$$
\begin{aligned}
&\vec{q}_i \in \mathbb{N}^c, \quad \text{for } i = 1, \ldots, F \\
&\mu_0 \ge W^- \cdot \vec{q}_1 \\
&\mu_0 + W \cdot \vec{q}_1 \ge W^- \cdot \vec{q}_2 \\
&\cdots \\
&\mu_0 + W \cdot \sum_{i=1}^{F-1} \vec{q}_i \ge W^- \cdot \vec{q}_F \\
&\mu = \mu_0 + W \cdot \sum_{i=1}^{F} \vec{q}_i && \text{(a)} \\
&\vec{s}_{ui} \in \mathbb{N}^{c_u}, \quad \text{for } i = 1, \ldots, d+1 \\
&\vec{s}_{oi} \in \mathbb{N}^{c_o}, \quad \text{for } i = 1, \ldots, d \\
&W_u \sum_{i=1}^{k} \vec{s}_{ui} \ge W_o^- \cdot \vec{s}_{ok} - \mu - W_o \sum_{i=1}^{k-1} \vec{s}_{oi}, \quad \text{for } k = 1, \ldots, d \\
&\mu + W_u \sum_{i=1}^{d+1} \vec{s}_{ui} + W_o \sum_{i=1}^{d} \vec{s}_{oi} \ge \vec{0} && \text{(b)} \\
&\sum_{t_k \in T(\alpha_i)} \vec{s}_{oi}(t_k) = 1, \quad i = 1, 2, \ldots, d \\
&\sum_{t_k \notin T(\alpha_i)} \vec{s}_{oi}(t_k) = 0, \quad i = 1, 2, \ldots, d. && \text{(c)}
\end{aligned}
\tag{2}
$$

Proof. From Lemma 1, constraints (2)(a) are fulfilled iff there is an enabled sequence $q$ at $\mu_0$ with $\mu_0[q\rangle\mu$. From the proof of Proposition 1 in [20], we can conclude that constraints (2)(b) and (c) are satisfied iff there exists at least one sequence $s = s_{u1} s_{o1} s_{u2} s_{o2} \ldots s_{ud} s_{od} s_{u,d+1}$ with $|s_{ui}| \ge 0$ for $i = 1, 2, \ldots, d+1$ and $|s_{oi}| = 1$ for $i = 1, 2, \ldots, d$ enabled under $\mu$ such that $l(s) = u = \alpha_1 \alpha_2 \ldots \alpha_d$. Thus, the conclusion holds. □

Remark 1. Note that constraints $\zeta(\mu_0, u, F)$ rely on $F$. The value $F$ can implicitly define the longest sequence $q$ that leads to an arbitrary reachable marking. It is crucial to compute the estimation of the minimum value $F_{\min}$ allowing to completely represent the sets $R(PN, \mu_0)$ and $I(u)$. Moreover, for unbounded net systems, $F_{\min}$ could not exist. Thus, in this paper, the considered net system is assumed to be bounded.

Let us review some results in [19] to compute the estimation of an upper bound of $F_{\min}$.

Theorem 1 ([19]). An upper bound of $F_{\min}$ of a live and bounded net $\langle PN, \mu_0 \rangle$ is¹

$$
F_{\min} \le 2 \cdot \|\mu_0\|_1 \cdot \Big\| \sum_{\vec{z} \in T(PN)} \vec{z} \Big\|_1 .
\tag{3}
$$

¹ Given a vector $\vec{z}$, the 1-norm $\|\vec{z}\|_1$ means the sum of the absolute values of the elements in the vector.

Remark 2 ([19]). In the case that the reversibility holds for a net, we have the upper bound of $F_{\min}$ as $\|\mu_0\|_1 \cdot \|\sum_{\vec{z} \in T(PN)} \vec{z}\|_1$, otherwise it becomes $2 \cdot \|\mu_0\|_1 \cdot \|\sum_{\vec{z} \in T(PN)} \vec{z}\|_1$.

The next feasibility problem proposed in [19] can check whether $F \in \mathbb{N}$ satisfies $F \ge F_{\min}$ by using Theorem 1 and the concurrency of PNs.

Feasibility Problem 1 ([19]). Given a live and bounded net system $\langle PN, \mu_0 \rangle$ and $F \in \mathbb{N}$, let $\hat{\vec{z}} = \sum_{\vec{z} \in T(PN)} \vec{z}$. If the following integer inequalities

$$
\begin{aligned}
&\mu_0 \ge W^- \cdot \vec{q}_1 && \text{(a)} \\
&\mu_0 + W \cdot \vec{q}_1 \ge W^- \cdot \vec{q}_2 && \text{(b)} \\
&\ldots \\
&\mu_0 + W \cdot \sum_{i=1}^{F-1} \vec{q}_i \ge W^- \cdot \vec{q}_F && \text{(c)} \\
&\sum_{i=1}^{F} \vec{q}_i \ge 2 \cdot \|\mu_0\|_1 \cdot \hat{\vec{z}} && \text{(d)}
\end{aligned}
\tag{4}
$$

are solvable by $\vec{q}_1, \vec{q}_2, \ldots, \vec{q}_F \in \mathbb{N}^c$, then $F \ge F_{\min}$.

By Remark 2, if the net is reversible, then we could use $\|\mu_0\|_1 \cdot \|\sum_{\vec{z} \in T(PN)} \vec{z}\|_1$ to replace the right side of inequality (4)(d), which can further reduce the number of firing vectors in the computation.

Generally speaking, the solution of constraints $\zeta(\mu_0, u, F)$ is not a singleton and it can completely describe the set $I(u)$. In order to verify if all the possible reachable markings that can generate $u$ are in the secret, we use the proposition below to show that such a solution is derived from the ILP problem 1 (ILPP 1).

Proposition 2. Let $G = (PN, \mu_0, \Sigma, l)$ be an LPN system and $S$ be a secret. Given an observed event sequence $u = \alpha_1 \alpha_2 \ldots \alpha_d \in L(PN, R(PN, \mu_0))$, the following ILP problem is defined as ILPP 1:

$$
\begin{cases}
z_p = \max \; a_p^T \cdot \mu \\
\text{s.t. } \zeta(\mu_0, u, F).
\end{cases}
\tag{5}
$$

An observed event sequence $u$ of $G$ is ISO wrt $S$ iff for one GMEC $(a_p, j_p)$ in $S$, we can find a positive integer $F \ge F_{\min}$ and $F + 2d + 1$ vectors $\vec{q}_1, \vec{q}_2, \ldots, \vec{q}_F, \vec{s}_{u1}, \vec{s}_{u2}, \ldots, \vec{s}_{u,d+1}, \vec{s}_{o1}, \vec{s}_{o2}, \ldots, \vec{s}_{od}$ that are solutions of ILPP 1 and the optimal value $z_p > j_p$ holds for ILPP 1.

Proof. Since $u \in L(PN, R(PN, \mu_0))$, based on Proposition 1 constraints $\zeta(\mu_0, u, F)$ can fully represent the set $I(u)$ (the initial-state estimation of the intruder).
(If) If $z_p > j_p$ for one GMEC $(a_p, j_p)$ in $S$, then we have $\mu \in I(u)$ with $a_p^T \cdot \mu > j_p$. In other words, $\mu \notin S$ holds and, based on Definition 1, the observed event sequence $u$ is ISO wrt $S$.
(Only if) By contradiction, we assume that $u$ is ISO wrt $S$ and $z_p \le j_p$ with $p = 1, \ldots, r$ holds for each GMEC in $S$. Hence, each marking $\mu \in I(u)$ satisfies $A \cdot \mu \le J$. It implies that all the markings in the set $I(u)$ belong to the secret. By Definition 1, $u$ is not ISO wrt $S$, which contradicts the hypothesis. □

In the following, a sufficient and necessary condition is provided for verifying whether a system $G$ is not ISO.
Fig. 2. LPN system considered in Examples 1 and 2.
Fig. 1. On-line algorithm describing the intruder.
Theorem 2. Let $G = (PN, \mu_0, \Sigma, l)$ be an LPN system and $S$ be a secret. $G$ is not ISO wrt $S$ iff there is at least one observed event sequence $u$ such that the optimal value $z_p$ of the ILPP 1 is $z_p \le j_p$ for each GMEC $(a_p, j_p)$ of $S$.

Proof. It is obviously true based on Definition 2 and Proposition 2. □

Example 1. Let us consider the LPN in Fig. 2. This live and bounded net has six places, seven transitions and three observable events with $l(t_1) = l(t_2) = l(t_4) = a$, $l(t_3) = l(t_5) = b$, and $l(t_7) = c$. Both the $T_o$-induced and $T_u$-induced subnets are acyclic. Hence this example satisfies Assumptions A1 and A2. For applying Proposition 2, we need the estimation of $F_{\min}$ based on Feasibility Problem 1. Firstly, we obtain two minimal T-invariants of this net using the software in [30]:

$$
\vec{z}_1 = [1, 1, 0, 0, 1, 1, 1]^T, \qquad \vec{z}_2 = [0, 0, 1, 1, 1, 1, 1]^T .
$$

Thanks to the reversibility of this LPN, we use Theorem 1 to generate the following upper bound of $F_{\min}$:

$$
F_{\min} \le \|\mu_0\|_1 \cdot \|\vec{z}_1 + \vec{z}_2\|_1 = 2 \cdot 10 = 20 .
$$

In addition, we change inequality (4)(d) into $\sum_{i=1}^{F} \vec{q}_i \ge \|\mu_0\|_1 \cdot \hat{\vec{z}}$, then Feasibility Problem 1 is solved with $F = 10$. For verifying initial-state opacity, let $S = \{\mu \in \mathbb{N}^6 \mid A \cdot \mu \le J\}$ with $A = a_1^T = [-1, -1, 0, 0, 0, -1]$ and $J = j_1 = -1$. Given the observation $u = c$, an optimal solution with $\mu = p_3 + p_5$ and $z_1 = 0 > j_1$ is found for ILPP 1; according to Proposition 2, the observed event sequence $u = c$ is ISO wrt $S$. Then, let the observed event sequence be $u = cabb$; an optimal solution with $\mu = p_1 + p_5$ and $z_1 = -1 \le j_1$ is found for ILPP 1; according to Proposition 2, $u = cabb$ is not ISO wrt $S$. □

3.3. On-line algorithm for verifying initial-state opacity

According to the above results, we present the algorithm in Fig. 1 that the intruder can apply for on-line verifying the initial-state opacity of an LPN system. The details of this algorithm are as follows. Step 1 estimates $F_{\min}$ by using Feasibility Problem 1. Step 2 initializes the event sequence $u$ and its length $d$. Step 3 records the occurrence of an event. Step 4 checks whether $u$ is ISO wrt the secret $S$: if there exists $(a_p, j_p)$ of $S$ such that the optimal value of ILPP 1 satisfies $z_p > j_p$, then $u$ is ISO wrt $S$ based on Proposition 2. In this case, the algorithm returns to Step 3 to record a new event. Otherwise, $u$ is not ISO wrt $S$. Accordingly, based on Theorem 2, $G$ is not ISO wrt $S$ and the algorithm terminates.
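The loop of Steps 2 to 4 as an added example (not the authors' code): it obtains z_p by explicitly enumerating R(PN, µ0) and I(u) instead of solving ILPP 1, so it only suits small bounded nets, where it can serve as a reference against which an ILP implementation is checked. The five-place net, its labels, the secret and all function names are constructed for illustration.

```python
from collections import deque

# Constructed net (not from the paper): one token circulating on
#   p1 -t1/a-> p2 -t2/b-> p3 -t3/eps-> p4 -t4/a-> p5 -t5/c-> p1
PRE = {"t1": {0: 1}, "t2": {1: 1}, "t3": {2: 1}, "t4": {3: 1}, "t5": {4: 1}}   # W^-
POST = {"t1": {1: 1}, "t2": {2: 1}, "t3": {3: 1}, "t4": {4: 1}, "t5": {0: 1}}  # W^+
LABEL = {"t1": "a", "t2": "b", "t3": None, "t4": "a", "t5": "c"}  # None = unobservable
M0 = (1, 0, 0, 0, 0)
# Secret as GMECs (a_p, j_p): mu is secret iff a_p . mu <= j_p for every p.
# Constructed secret: mu(p1) >= 1, i.e. -mu(p1) <= -1.
SECRET = [((-1, 0, 0, 0, 0), -1)]
UNOBS = [t for t, lab in LABEL.items() if lab is None]


def enabled(mu, t):
    return all(mu[p] >= w for p, w in PRE[t].items())


def fire(mu, t):
    nxt = list(mu)
    for p, w in PRE[t].items():
        nxt[p] -= w
    for p, w in POST[t].items():
        nxt[p] += w
    return tuple(nxt)


def explore(start, transitions, limit=100_000):
    """Markings reachable from the set `start` using only `transitions`."""
    seen, queue = set(start), deque(start)
    while queue:
        mu = queue.popleft()
        for t in transitions:
            if enabled(mu, t):
                nxt = fire(mu, t)
                if nxt not in seen:
                    if len(seen) >= limit:
                        raise RuntimeError("state limit hit: net may be unbounded")
                    seen.add(nxt)
                    queue.append(nxt)
    return seen


class Intruder:
    """Keeps, per candidate initial marking, the markings it may have evolved to."""

    def __init__(self, m0=M0, secret=SECRET):
        self.secret = secret
        self.est = {mu: explore({mu}, UNOBS) for mu in explore({m0}, list(PRE))}

    def initial_estimate(self):
        """I(u): reachable markings that can generate the word observed so far."""
        return set(self.est)

    def observe(self, label):
        """Record one event (Step 3) and return Theta(u) (Step 4)."""
        new = {}
        for init, current in self.est.items():
            step = {fire(mu, t) for mu in current
                    for t, lab in LABEL.items() if lab == label and enabled(mu, t)}
            if step:
                new[init] = explore(step, UNOBS)
        if not new:
            raise ValueError("observed word is not in L(PN, R(PN, mu0))")
        self.est = new
        return self.theta()

    def z_values(self):
        """z_p = max a_p . mu over I(u), the quantity ILPP 1 maximises."""
        return [max(sum(a * m for a, m in zip(ap, mu)) for mu in self.est)
                for ap, _ in self.secret]

    def theta(self):
        """1 if u is ISO wrt S (some z_p > j_p), else 0."""
        return int(any(z > jp for z, (_, jp) in zip(self.z_values(), self.secret)))


def run_online(word):
    """Feed events one by one and stop at the first prefix that is not ISO."""
    intruder, outputs = Intruder(), []
    for label in word:
        outputs.append(intruder.observe(label))
        if outputs[-1] == 0:
            break
    return outputs


if __name__ == "__main__":
    print(run_online("ab"), run_online("aca"))
```

In this constructed net the word a is generated from p1, p3 and p4, so it is ISO, while ab can only start from the secret marking p1 and the loop stops there.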
Example 2. Let us consider again the net in Fig. 2 to demonstrate the application of the presented algorithm. For verifying initial-state opacity, let the secret be $S = \{\mu \in \mathbb{N}^6 \mid A \cdot \mu \le J\}$ with $A = a_1^T = [-1, -1, 0, 0, 0, -1]$ and $J = j_1 = -1$. Assume that the first event $c$ happens. The algorithm outputs $\Theta(u) = \{1\}$, i.e., the event sequence $u = c$ is ISO wrt $S$. When the second event $a$ happens, the algorithm outputs $\Theta(u) = \{1\}$, i.e., the event sequence $u = ca$ is ISO wrt $S$. When the third event $b$ happens, the algorithm outputs $\Theta(u) = \{1\}$, i.e., the event sequence $u = cab$ is ISO wrt $S$. Finally, when event $b$ happens again, the algorithm outputs $\Theta(u) = \{0\}$, i.e., the event sequence $u = cabb$ is not ISO wrt $S$. Thus, the LPN is not ISO wrt $S$ based on Theorem 2. □

3.4. Computational complexity

Concerning the computational complexity of the algorithm in Fig. 1, we can see that it has to solve ILPPs at most $r$ times, and these problems are NP-hard. It is well-known that the computational burden of solving ILPPs mainly relies on the variables and constraints counts in them. We can see that the variables and constraints counts of each ILPP are $(d + F) \cdot c + c_u + b$ and $b \cdot (d + F) + 2 \cdot (d + b)$, respectively, where $d$ is the length of the observed event sequence, $c$ is the count of transitions, $c_u$ is the count of unobservable transitions, $b$ is the count of places, and $F$ is the length of the sequence leading to an arbitrary marking in $R(PN, \mu_0)$, which can be obtained by using the solution of Feasibility Problem 1. Hence, if $F$ is given, the constraints and variables counts increase linearly with the length of the observation and the net size, but have no relation with $\mu_0$. In addition, according to Proposition 2 and Theorem 2, $F$ may be changed for the purpose of verifying the initial-state opacity with the changing of the net size. By Theorem 1, it is $F_{\min} \le 2 \cdot \|\mu_0\|_1 \cdot \|\sum_{\vec{z} \in T(PN)} \vec{z}\|_1$. Considering that the upper bound of the T-invariants count is as follows [27]²:

$$
\binom{n}{\lceil n/2 \rceil}
$$

and $F_{\min}$ is also related to the initial marking, it should be noticed that its complexity grows exponentially wrt the net size and the initial marking in the worst case. However, Feasibility Problem 1 fully exploits the net concurrency and the experimental results in the next section exhibit that the algorithm in Fig. 1 is applicable in the on-line computation.

² $\lceil a \rceil$ denotes the ceiling of $a$.

4. Experimental results

In this section, we discuss some experimental results to show the effectiveness of the proposed method. The computational time presented below refers to the CPU seconds of a laptop under Windows 7 operating system with Intel CPU Core 2.6 GHz, 8 GB memory and a standard Matlab optimization tool [31].

4.1. Case study 1

Let us consider the live and bounded LPN system proposed in [14] and shown in Fig. 3. There are six places, eight transitions and two observable events, i.e., $\Sigma = \{a, b\}$. The observable transitions are $t_2$, $t_4$, $t_5$, and $t_6$ such that $l(t_2) = l(t_5) = a$ and $l(t_4) = l(t_6) = b$, while the remaining transitions are the unobservable ones. The observable and unobservable subnets are acyclic. For this example, we consider a set of LPNs by varying the initial token count in place $p_1$ with a variable $x \in \{2, 3, \ldots\}$. For each variable $x$ in Table 1, given $F = 18$ we can solve Feasibility Problem 1 by changing inequality (4)(d) into $\sum_{i=1}^{F} \vec{q}_i \ge \|\mu_0\|_1 \cdot \hat{\vec{z}}$.

Fig. 3. LPN system considered in Section 4.

To verify initial-state opacity, we assume that the secret is $S = \{\mu \in \mathbb{N}^6 \mid \mu(p_3) + \mu(p_5) \le 0\}$. Now, by using the presented algorithm, we can see the obtained results in Table 1. Particularly, column three represents the length of the observation in each LPN model, columns four and five are the variables and constraints counts, respectively. Column six shows its computational time to solve each ILPP of the algorithm. We can infer that the time necessary for initial-state opacity is suitable for real-time verification.

Table 1. Performance of the on-line algorithm applied to the LPNs in Fig. 3 with different values of x.

| x | F | d | N_var | N_con | Time (s) |
|---|---|---|---|---|---|
| 8 | 18 | 8 | 218 | 184 | $1.8\times10^{-2}$ |
| 10 | 18 | 10 | 234 | 200 | $2.0\times10^{-2}$ |
| 20 | 18 | 20 | 314 | 280 | $2.4\times10^{-2}$ |
| 40 | 18 | 40 | 474 | 440 | $3.1\times10^{-2}$ |
| 60 | 18 | 60 | 634 | 600 | $3.7\times10^{-2}$ |
| 80 | 18 | 80 | 794 | 760 | $4.2\times10^{-2}$ |
| 100 | 18 | 100 | 954 | 960 | $4.6\times10^{-2}$ |
| 120 | 18 | 120 | 1114 | 1080 | $5.1\times10^{-2}$ |

4.2. Case study 2

In order to further expose the advantages and the applications of the proposed method, let us consider an anonymous communication system modeled by the LPN shown in Fig. 4. The system has eight channels, each of which has four relay stations and executes four information transmissions. For instance, suppose that marking $\mu(p_i) = 1$ ($\mu(p_i) = 0$) for $i = (2, 3, \ldots, 33)$ models the active (non-active) status of the relay station. The secret is the status of the relay station: the initial-state opacity requires that the intruder cannot deduce the information sent by some particular stations through its partial observation.
Fig. 4. An LPN of an anonymous communication system.

Table 2
Performance of the on-line algorithm applied to the LPNs in Fig. 4 with different values of x.

x    F    d     Nvar    Ncon    Time (s)
1    5    10    429     571     1.6×10^-2
2    5    20    689     901     2.8×10^-2
3    5    30    949     1231    4.0×10^-2
4    5    40    1209    1561    6.0×10^-2
Table 3
Number of nodes in BRG (its ISE) and time cost.

x    |MB|     TB (s)      |EB|    TE (s)
1    13825    7.0×10^2    972     1.9×10^3
2    o.t.     o.t.        o.t.    o.t.
3    o.t.     o.t.        o.t.    o.t.
4    o.t.     o.t.        o.t.    o.t.
The LPN satisfies Assumptions A1 and A2 and exhibits 33 places, 26 transitions and 7 observable events, i.e., Σ = {a, b, c, d, e, f, g}. Moreover, we consider a set of LPNs by varying the initial token count in p1 with a variable x ∈ {1, 2, …}. For each value of x in Tables 2 and 3, given F = 5, it is possible to solve Feasibility Problem 1 by changing inequality (4)(d) into $\sum_{i=1}^{F} \vec{q}_i \geq \|\mu_0\|_1 \cdot \hat{\vec{z}}$.

Let us assume that the secret is S = {µ ∈ ℕ^33 | µ(p2) + µ(p5) + µ(p14) + µ(p23) + µ(p33) ≥ 1}. Applying the algorithm gives the results outlined in Table 2. In particular, column three gives the length of the event sequence in each LPN model, and columns four and five give the numbers of variables and constraints, respectively. Column six shows the computational time to solve each ILPP of the algorithm.

Now, we apply the methods in [9,14] that are based on the computation of the BRG and its corresponding ISE. The experimental results are shown in Table 3, where columns two and four present the numbers of nodes in the BRG and its corresponding ISE, respectively. Columns three and five give the corresponding time costs. Table 3 shows that if µ0(p1) ≥ 2, then the BRG cannot be generated within three hours (note that "o.t." denotes that the computation is out of time). Thus, in this case, the BRG-based methods in [9,14] cannot be applied to verify the initial-state opacity.
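The per-event check that both case studies time can be sketched as follows. This is an added example, not the paper's code: it replaces the ILP feasibility test with exhaustive search over a small bounded net, and the net, labels, candidate initial markings and GMEC secret are all constructed for illustration. An observation is reported as opaque while at least one initial marking consistent with it lies outside the secret.

```python
# Added illustration: explicit-state search stands in for the paper's ILP check.
# Net, labels, candidate initial markings and secret are constructed (not Fig. 3/4).
PLACES = ("p1", "p2", "p3", "p4")
NET = {  # transition -> (pre, post, label); label None means unobservable
    "t1": ({"p1": 1}, {"p2": 1}, None),
    "t2": ({"p2": 1}, {"p3": 1}, "a"),
    "t3": ({"p1": 1}, {"p4": 1}, "a"),
    "t4": ({"p3": 1}, {"p4": 1}, "b"),
    "t5": ({"p4": 1}, {"p2": 1}, "c"),
}
CANDIDATES = [(1, 0, 0, 0), (0, 1, 0, 0)]   # initial markings the intruder considers
W, K = (0, 1, 0, 0), 0                      # GMEC secret S = {m : W.m <= K}

def in_secret(m):
    return sum(w * x for w, x in zip(W, m)) <= K

def fire(m, pre, post):
    """Successor marking, or None when the transition is not enabled at m."""
    d = dict(zip(PLACES, m))
    if any(d[p] < n for p, n in pre.items()):
        return None
    delta = {p: post.get(p, 0) - pre.get(p, 0) for p in PLACES}
    return tuple(d[p] + delta[p] for p in PLACES)

def moves(markings, wanted):
    """Markings reached by firing one transition whose label equals `wanted`."""
    return {n for m in markings for pre, post, lab in NET.values()
            if lab == wanted and (n := fire(m, pre, post)) is not None}

def silent_closure(markings):
    """Add everything reachable through unobservable transitions only."""
    seen, frontier = set(markings), set(markings)
    while frontier:
        frontier = moves(frontier, None) - seen
        seen |= frontier
    return seen

def online_iso(observation):
    """After each label: (prefix, consistent initial markings, still opaque?)."""
    est = {m0: silent_closure({m0}) for m0 in CANDIDATES}
    verdicts = []
    for k, event in enumerate(observation, 1):
        est = {m0: silent_closure(moves(cur, event)) for m0, cur in est.items()}
        est = {m0: cur for m0, cur in est.items() if cur}   # drop inconsistent m0
        opaque = any(not in_secret(m0) for m0 in est)
        verdicts.append((observation[:k], sorted(est), opaque))
    return verdicts
```

On this constructed net, observing "a" keeps both candidates consistent, while "ac" leaves only the secret initial marking, so the verdict changes to not opaque at the second event.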
5. Conclusion and future research

This work presents an on-line intruder for the LPN model. The intruder waits for and observes the occurrence of each system event and determines whether the observation is ISO with respect to a secret expressed in the form of GMECs. By solving an ILP problem, it is possible to determine whether the LPN is not ISO with respect to the secret after each observed event. Compared with the existing methods in [9,14], the proposed method avoids the computation of the BRG or MBRG and its corresponding ISE. Moreover, the on-line method does not require the intruder to be redesigned when the system changes, because it is only necessary to update the LPN structure and/or initial marking supplied to the algorithm.

Our future work can be concentrated on two directions. First, we intend to extend the proposed approach to the more general situation in which the secret is modeled by an arbitrary discrete marking set. Second, we plan to study the verification of k-step opacity in the framework of LPNs.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgment

This work was supported in part by Fund of China Scholarship Council No. 201806960023.

References

[1] Renganathan K, Bhaskar V. Observer based on-line fault diagnosis of continuous systems modeled as Petri nets. ISA Trans 2010;29:587–95.
[2] Lafortune S, Lin F, Hadjicostis CN. On the history of diagnosability and opacity in discrete event systems. Annu Rev Control 2018;45:257–66.
[3] Wonham WM. Supervisory control of discrete-event systems. 2017, [Online] Available: http://www.control.utoronto.ca/people/profs/wonham/wonham.html.
[4] Saboori A, Hadjicostis CN. Verification of initial-state opacity in security applications of DES. In: Proceedings of WODES'08. Goteborg, Sweden; 2008. p. 328–33.
[5] Saboori A, Hadjicostis CN. Verification of initial-state opacity in security applications of discrete event systems. Inform Sci 2013;246:115–32.
[6] Wu Y, Lafortune S. Comparative analysis of related notions of opacity in centralized and coordinated architectures. Discrete Event Dyn Syst 2013;23(3):307–39.
[7] Bryans JW, Koutny M, Ryan PY. Modelling opacity using Petri nets. Electron Notes Theor Comp Sci 2005;121:101–15.
[8] Bryans JW, Koutny M, Mazaré L, Ryan PY. Opacity generalised to transition systems. Int J Inform Secur 2008;7(6):421–35.
[9] Tong Y, Li ZW, Seatzu C, Giua A. Verification of initial-state opacity in Petri nets. In: Proceedings of the IEEE 54th annual conference on decision and control. Osaka, Japan; 2015. p. 344–9.
[10] Cabasino MP, Giua A, Seatzu C. Fault detection for discrete event systems using Petri nets with unobservable transitions. Automatica 2010;26(9):1531–9.
[11] Cabasino MP, Giua A, Pocci M, Seatzu C. Discrete event diagnosis using labeled Petri nets. An application to manufacturing systems. Control Eng Pract 2011;19(9):989–01.
[12] Cabasino MP, Giua A, Seatzu C. Diagnosability of discrete-event systems using labeled Petri nets. IEEE Trans Autom Sci Eng 2014;11(1):144–53.
[13] Ma ZY, Tong Y, Li ZW, Giua A. Basis marking representation of Petri net reachability spaces and its application to the reachability problem. IEEE Trans Automat Control 2017;62(3):1078–93.
[14] Tong Y, Li ZW, Seatzu C, Giua A. Verification of state-based opacity using Petri nets. IEEE Trans Automat Control 2017;62(6):2823–37.
[15] Tong Y, Li ZW, Seatzu C, Giua A. Decidability of opacity verification problems in labeled Petri net systems. Automatica 2017;80:48–53.
[16] Dotoli M, Fanti MP, Mangini AM, Ukovich W. On-line fault detection in discrete event systems by Petri nets and integer linear programming. Automatica 2009;45:2665–72.
[17] Cong XY, Fanti MP, Mangini AM, Li ZW. Decentralized diagnosis by Petri nets and integer linear programming. IEEE Trans Syst Man Cybern Syst 2018;48(10):1689-00.
[18] Renganathan K, Bhaskar V. An observer based approach for achieving fault diagnosis and fault tolerant control of systems modeled as hybrid Petri nets. ISA Trans 2011;50:443–53.
[19] Basile F, Chiacchio P, De Tommasi G. On k-diagnosability of Petri nets via integer linear programming. Automatica 2012;48:2047–58.
[20] Cong XY, Fanti MP, Mangini AM, Li ZW. On-line verification of current-state opacity by Petri nets and integer linear programming. Automatica 2018;94:205–13.
[21] Giua A, DiCesare F, Silva M. Generalized mutual exclusion constraints on nets with uncontrollable transitions. In: Proceedings of the IEEE international conference on systems, man, and cybernetics, vol. 2. Chicago, IL, USA; 1992. p. 974–9.
[22] Ma ZY, Li ZW, Giua A. Design of optimal Petri net controllers for disjunctive generalized mutual exclusion constraints. IEEE Trans Automat Control 2015;60(7):1774–85.
[23] Abbas D, Zeraatkar H. Petri net controller synthesis based on decomposed manufacturing models. ISA Trans 2018;77:90–9.
[24] Zeng GQ, Chen J, Dai YX, Li LM, Zheng CW, Chen MR. Design of fractional order PID controller for automatic regulator voltage system based on multiobjective extremal optimization. Neurocomputing 2015;160:173–84.
[25] Lu KD, Zhou WN, Zeng GQ, Zheng YY. Constrained population extremal optimization-based robust load frequency control of multi-area interconnected power system. Electr Power Energy Syst 2019;105:249–71.
[26] Murata T. Petri nets: Properties, analysis and applications. Proc IEEE 1989;77(4):541–80.
[27] Silva M, Teruel E, Colom JM. Linear algebraic and linear programming techniques for the analysis of place/transition net systems. Lecture Notes in Comput. Sci. 1998;616:309–73.
[28] Corona D, Giua A, Seatzu C. Marking estimation of Petri nets with silent transitions. In: Proceedings of the 43rd IEEE conference on decision and control. Atlantis, Paradise Island, Bahamas; 2004. p. 966–71.
[29] García Vallés F. Contributions to the structural and symbolic analysis of place/transition nets with applications to flexible manufacturing systems and asynchronous circuits. [Ph. D. Thesis], Universidad de Zaragoza; 1999.
[30] Starke PH. INA: Integrated Net Analyzer. 2003.
[31] Intlinprog. 2016, Available: http://cn.mathworks.com/help/optim/ug/intlinprog.html.