1. No category

Verification of Initial-State Opacity in DES

CONFIDENTIAL. Limited circulation. For review only.
Verification of Initial-State Opacity in Petri Nets
Yin Tong1 , Zhiwu Li2 , Carla Seatzu3 and Alessandro Giua4
Abstract— A Petri net system is said to be initial-state opaque
if its initial state remains opaque to an external observer
(called an intruder). In other words, the intruder is never
able to ascertain that the initial state belongs to a given set of
states (called a secret) based of its observation on the system’s
evolution. This paper addresses the problem of verifying initialstate opacity in discrete event systems (DES) modeled by labeled
Petri nets. An efficient approach to verifying initial-state opacity
is proposed based on the notion of basis reachability graphs
(BRG).
I. I NTRODUCTION
Concerns about information security in communication
systems, military defense systems, etc., are increasing. As
a result, security and privacy problems have drawn a lot of
attention from researchers and various notions of information
flow properties have been proposed in literature [1], [2],
[3], [4], [5], [6]. Opacity properties are one of them and
establish if a given system’s secret behavior keeps opaque to
an intruder [7], [8], [9], [10]. In DES models, the secret is
usually defined as a subset of the state space or a language
(thus such opacity properties are called state-based opacity
and language-based opacity, respectively), and the intruder
is modeled as an observer that can only observe the system
through a projection map on events, i.e., the intruder does
not have full knowledge of the system’s evolution. Based on
its observation, the intruder tries to speculate the secret.
Among state-based opacity an important type is initialstate opacity. A system is said to be initial-state opaque if,
given a set of secret states, by observing the word generated
by the system, the intruder will never be able to infer
that the system’s evolution started from one of the secret
states. Therefore, initial-state opacity implies that the intruder
always fail to intercept the initial state information of the
system.
In recent years initial-state opacity has been extensively
studied in the framework of automata [10], [11], [12]. It has
been proved that the verification of initial-state opacity is
PSPACE-complete [12]. Saboori and Hadjicostis [11], [12]
1 Yin Tong is with the School of Electro-Mechanical Engineering, Xidian
University, Xi’an 710071, China [email protected]
2 Zhiwu Li is with the Institute of Systems Engineering, Macau University
of Science and Technology, Taipa, Macau, Faculty of Engineering, King
Abdulaziz University, Jeddah 21589, Saudi Arabia, and also with the School
of Electro-Mechanical Engineering, Xidian University, Xi’an 710071, China
[email protected]
3 Carla Seatzu is with the Department of Electrical and Electronic Engineering, University of Cagliari, 09123 Cagliari, Italy
[email protected]
4 Alessandro Giua is with Aix Marseille Université, CNRS, ENSAM, Université de Toulon, LSIS UMR 7296, Marseille 13397, France
and also with DIEE, University of Cagliari, Cagliari 09124, Italy
[email protected]; [email protected]
have shown that by constructing the initial-state estimator for
a given nondeterministic finite automaton (NFA), initial-state
2
opacity can be verified with complexity O(2|X| ), where X
is the set of states of the automaton. An initial-state estimator
is a deterministic finite automaton (DFA) whose states denote
the set of initial states where an observed word could have
started and the current states that it yields. As long as an
initial-state estimator is built, there is no need to reconstruct
it when the secret is modified. For a specific secret, verifiers
are introduced in [12] to study initial-state opacity. Instead
of precisely estimating the initial state, the verifier only
records if a state is reachable from secret/non-secret states.
Therefore, the verification complexity is reduced to O(4|X| ).
Meanwhile, Wu and Lafortune [10] propose a more efficient
method whose complexity is O(2|X| ). They show that the
observer of the corresponding reverse automaton can be used
to estimate the initial state.
Petri net is a discrete event model that has higher modeling
power than automata. Bryans et al. [7] proved that the
verification of initial-state opacity for bounded Petri nets is
decidable when the initial state is defined as a finite set of
initial markings and the secret is a subset of it. However, in
Petri nets the initial-state opacity problem is very difficult in
general, and so far no efficient method has been proposed
yet. For bounded Petri nets we may construct its reachability
graph (RG), which is identical to an automaton, so that the
aforementioned approaches in automata could be applied.
Nevertheless, this approach will inevitably suffer from the
state explosion problem.
As a compact description of the RG, basis reachability
graphs (BRGs) have been introduced to solve state estimation [13] and the fault diagnosis [14]. The advantages of this
technique are that only part of the reachability space, i.e., the
set of basis markings, has to be enumerated, and all other
reachable markings can be characterized by a linear system
related to those basis markings. The BRG of a Petri net,
in general, is smaller than the RG, but it well characterizes
both the reachable markings and the behavior (language) of
the corresponding Petri net. In earlier work [15], we showed
that current-state opacity of a Petri net can be efficiently
determined by BRG analysis.
In this paper, the verification of initial-state opacity in
bounded labeled Petri nets is addressed. Even though different observation structures have been defined [16] and
their equivalence relations have been studied [17], [18], we
assume that the intruder knows the net structure and the
initial marking, but can only observe a subset of the events.
The secret is defined as a subset of the reachable markings.
A labeled Petri net is initial-state opaque with respect to
Preprint submitted to 54th IEEE Conference on Decision and Control.
Received March 24, 2015.
CONFIDENTIAL. Limited circulation. For review only.
a secret if the intruder can never infer that the observation
must be generated from one of the secret markings. It is
well known that a net is initial-state opaque if and only if
the language generated from secret markings is a subset of
the language generated from non-secret markings. Therefore,
the initial-state opacity problem in bounded labeled Petri nets
is transformed into the language containment problem in its
RG. Considering that the intruder would never distinguish a
possible non-secret marking that is reachable from a secret
initial marking by firing only unobservable transitions, we
make the following reasonable assumption: all markings
reachable from a secret marking by firing only unobservable
transitions belong to the secret. Under this assumption, we
show that the initial-state opacity of a bounded net can
be determined by justifying the language containment in
the corresponding BRG. Therefore, compared with using
RG, the approach proposed in this work is in general more
efficient.
The rest of this work is organized as follows. Some basic
notions on automata and Petri nets are recalled in Section II.
In Section III initial-state opacity in labeled Petri nets is
defined and a general method of verifying it in bounded
Petri nets is presented. Section IV recalls the notion of BRG
and proposes an efficient approach to verifying initial-state
opacity using BRG. To illustrate the efficiency of such an
approach, an example is presented in Section V. Conclusions
and future work are finally presented in the last section.
II. P RELIMINARIES
Automata and Petri nets are the models most used in DES
analysis. In this section we recall notation and basic concepts
about such models. For more details, readers are referred to
[19] and [20].
A. Automata
A non-deterministic finite-state automaton (NFA) is a 4tuple A = (X, E, ∆, x0 ), where X is the finite set of states,
E = {a, b, · · · } is the alphabet, ∆ ⊆ X × Eε × X is
the transition relation with Eε = E ∪ {ε}, where ε is
the empty word describing unobservable events, and x0 ∈
X is the initial state. The transition relation specifies the
dynamics of the NFA: if (x, e, x0 ) ∈ ∆, then from state
x the occurrence of event e ∈ Eε yields state x0 . The
transition relation can be extended to ∆∗ ⊆ X × E ∗ × X:
(xj0 , w, xjk ) ∈ ∆∗ if there exists a sequence of events and
states xj0 ej1 xj1 · · · xjk−1 ejk xjk such that σ = ej1 . . . ejk
generates the word w ∈ E ∗ , xji ∈ X for i = 0, 1, . . . , k,
and eji ∈ Eε , (xji−1 , eji , xji ) ∈ ∆ for i = 1, 2, . . . , k. An
NFA is denoted as A = (X, E, ∆) in the case where the
initial state could be any state from X and the set marked
states is empty.
The generated language of an automaton A = (X, E, ∆)
from a state x ∈ X is defined as
L(A, x) = {w ∈ E ∗ |∃x0 ∈ X : (x, w, x0 ) ∈ ∆∗ }.
Generally, given a set of states Y ⊆ X, we define L(A, Y ) =
S
x∈Y L(A, x) the language generated from the states in Y ,
respectively.
B. Petri nets
A Petri net is a structure N = (P, T, P re, P ost), where
P is a set of m places represented by circles; T is a set of
n transitions represented by bars; P re : P × T → N and
P ost : P × T → N are the pre- and post-incidence functions
that specify the arcs directed from places to transitions, and
vice versa1 . The incidence matrix of a net is denoted by
C = P ost − P re.
A marking is a vector M : P → N that assigns to each
place a non-negative integer number of tokens, represented
by black dots. The marking of place p is denoted by M (p).
For
P economy of space, markings can also be denoted as M =
p∈P M (p) · p. A Petri net system hN, M0 i is a net N with
initial marking M0 .
A transition t is enabled at marking M if M ≥ P re(·, t)
and may fire yielding a new marking M 0 = M + C(·, t).
We write M [σi to denote that the sequence of transitions
σ = tj1 · · · tjk is enabled at M , and M [σiM 0 to denote that
the firing of σ yields M 0 . Given a sequence σ ∈ T ∗ , we call
π : T ∗ → Nn the function that associates with σ the Parikh
vector y = π(σ) ∈ Nn , i.e., y(t) = k if transition t appears
k times in σ.
A marking M is reachable in hN, M0 i if there exists
a sequence σ such that M0 [σiM . The set of all markings
reachable from M0 defines the reachability set of hN, M0 i
and is denoted by R(N, M0 ). A Petri net system is bounded
if there exists a non-negative integer k ∈ N such that for any
place p ∈ P and for any reachable marking M ∈ R(N, M0 ),
M (p) ≤ k holds.
A labeled Petri net (LPN) is a 4-tuple G = (N, M0 , E, `),
where hN, M0 i is the Petri net system, E is the alphabet (a
set of labels) and ` : T → E ∪ {ε} is the labeling function
that assigns to each transition t ∈ T either a symbol from
E or the empty word ε. Therefore, the set of transitions can
be partitioned into two disjoint sets T = To ∪ Tu , where
To = {t ∈ T |`(t) ∈ E} is the set of observable transitions
and Tu = {t ∈ T |`(t) = ε} is the set of unobservable
transitions. The labeling function can be extended to firing
sequences ` : T ∗ → E ∗ , i.e., `(σt) = `(σ)`(t) with σ ∈ T ∗
and t ∈ T .
Given an LPN G = (N, M0 , E, `) and a marking M ∈
R(N, M0 ), we define the language generated from M as
L(N, M ) = {w ∈ E ∗ |∃σ ∈ T ∗ : M [σi and `(σ) = w}.
The generated language of G is L(N, M0 ). Furthermore,
given a set of
S markings Y ⊆ R(N, M0 ) of G, we define
L(N, Y ) = M ∈Y L(N, M ) the language generated from
markings in Y .
Given an LPN G = (N, M0 , E, `) and the set of unobservable transitions Tu , the Tu -induced subnet N 0 = (P, T 0 ,
P re0 , P ost0 ) of N , is the net that removes all transitions in
T \ Tu , where P re0 and P ost0 are the restriction of P re,
P ost to Tu . The incidence matrix of the Tu -induced subnet
is denoted by Cu = P ost0 − P re0 .
1 In
this work, we use N to denote the set of non-negative integers.
Preprint submitted to 54th IEEE Conference on Decision and Control.
Received March 24, 2015.
CONFIDENTIAL. Limited circulation. For review only.
III. I NITIAL -S TATE O PACITY IN P ETRI N ETS
In this section, we define initial-state opacity in labeled
Petri nets and propose a general method for its verification
in bounded Petri nets.
A. Initial-state opacity
Definition 3.1: Given an LPN G = (N, M0 , E, `), a
secret is a set of reachable markings S ⊆ R(N, M0 ). A
marking M ∈ S is said to be a secret marking. Markings in
S = R(N, M0 ) \ S are non-secret markings.
Based on Definition 3.1, initial-state opacity in labeled
Petri nets is defined as follows.
Definition 3.2: Let G = (N, M0 , E, `) be an LPN and
S ⊆ R(N, M0 ) be a secret. LPN G is said to be initial-state
opaque wrt S if ∀M ∈ S and ∀w ∈ L(N, M ) we have
∃M 0 ∈ S : w ∈ L(N, M 0 ).
In simple words, a Petri net is initial-state opaque if
for any word w that can be observed starting from some
secret markings in S, there always exists (at least) one
non-secret marking from which w could also be generated
so that the intruder cannot establish if the system started
its evolution from a secret or a non-secret marking. Note
that Definition 3.2 could be applied to either bounded or
unbounded Petri net systems.
B. Verification of initial-state opacity using RG
Based on the given secret, we define the secret language
and the non-secret language. The secret language is the set
of words generated from secret markings, which may leak
the secret. The non-secret language is the set of words generated from non-secret markings. The following definition
formalizes this.
Definition 3.3: Given an LPN G = (N, M0 , E, `) and a
secret S ⊆ R(N, M0 ), its secret language is defined as
[
L(N, S) =
L(N, M ),
M ∈S
and its non-secret language is defined as
[
L(N, S) =
L(N, M ).
M ∈S
Lemma 3.4: Let G = (N, M0 , E, `) be an LPN and S be
a secret. LPN G is initial-state opaque wrt S if and only if
L(N, S) ⊆ L(N, S).
Proof: Follows from Definitions 3.2 and 3.3.
Lemma 3.4 shows that an LPN is opaque with respect
to a given secret if and only if its secret language is a
subset of the non-secret language. As a result, the initialstate opacity problem in bounded Petri nets is equivalent to
the language containment problem. Therefore, in the case of
bounded nets constructing the RG, all methods of verifying
language containment in automata can be applied to solving
the opacity problem. The complexity of checking language
containment of two NFA having the same number of states
is O(4|X| ), where X is the set of states [19]. Therefore,
the size of the RG mainly affects the efficiency of verifying
initial-state opacity in bounded Petri nets.
IV. V ERIFYING I NITIAL - STATE O PACITY U SING BRG
The result in Section III-B implies that to verify initialstate opacity in bounded Petri nets, the RG needs to be
constructed first and its size decides the complexity. However, the computation of the RG of a bounded Petri net
suffers from the well-known state explosion problem: the
number of reachable states of a bounded Petri net could
grow exponentially with the scale of the net structure as
well as the initial marking. Therefore, for a medium-sized
system the size of its RG may be too large to compute and
the verification of initial-state opacity becomes impossible.
Furthermore, to the best of our knowledge, no alternative
methods to verify initial-state opacity of bounded Petri
nets have been proposed. To overcome the potential state
explosion problem, we propose a new method based on BRG
analysis.
A. Basis reachability graph
In the work of Cabasino et al. [14], [21], a compact way
to represent the reachability set of a Petri net is proposed to
solve the fault diagnosis problem. Under the assumption that
the Tu -induced subnet is acyclic, only part of the reachable
markings of the Petri net, called basis markings, are computed, while, all non-basis markings are characterized by a
set of linear equations associated with each basis marking.
Using the notion of basis markings, the basis reachability
graph (BRG) is defined. It is an NFA in which each state
corresponds to a basis marking and all events are observable.
The BRG well preserves the information on the reachability
set, as well as on the evolution behavior of the Petri net,
while its structure is usually much more compact than the RG
and the state explosion problem may often be avoided. The
BRG as proposed in [14], [21] also includes some diagnosis
information, which are redundant for opacity verification.
Herein we redefine the BRG neglecting such information.
Before providing the algorithm for its construction, let us
recall some key definitions [14].
Definition 4.1: Given a marking M and an observable
transition t ∈ To , we define
Σ(M, t) = {σ ∈ Tu∗ |M [σiM 0 , M 0 ≥ P re(·, t)}
the set of explanations of t at M .
Thus Σ(M, t) is the set of unobservable sequences whose
firing at M enables t. Among all the explanations, we are
interested in finding the minimal ones, i.e., the ones whose
firing vector is minimal.
Definition 4.2: Given a marking M and an observable
transition t ∈ To , we define
Σmin (M, t) = {σ ∈ Σ(M, t)|@σ 0 ∈ Σ(M, t) : π(σ 0 ) π(σ)}
the set of minimal explanations of t at M and Ymin (M, t) =
{yu ∈ Nnu |∃σ ∈ Σmin (M, t) : yu = π(σ)} the corresponding set of minimal e-vectors.
Preprint submitted to 54th IEEE Conference on Decision and Control.
Received March 24, 2015.
p2
p1
p4
p3
CONFIDENTIAL. Limited circulation. For review only.
M0=p1
t4(ε)
t1(a)
t4(ε)
t2(ε) t1(a) t3(b) t2(ε)
t4(ε)
t3(b)
t4(ε)
t1(a)
M1=p2
t2(ε)
M0=p1
t1(a)
M1=p2
t2(ε)
p2
t1(a)
M0=pM1 =p
0
1
t1(a) t1(a) t1(a)
M1=pM2 1=p2
t3(b) t3(b)
M2=p3
p4
p2
M3=p4
p1
p3
Many approaches can be applied
to computing
M2=p3
p
p
M3=p4
p1
p3
t3(b)
Ymin (M, t). In particular,
when 2 the Tu -induced
subnet4
t (b)
is acyclic the approach proposed by Cabasino et al. [14]
p1 3
M3=p4
t2(a)
t1(ε)
only requires algebraic manipulations. Note that since a
M3=p4
p3
given place may have two or more unobservable input
transitions, i.e., the Tu -induced subnet is not backward
Fig. 1. An LPN whose Tu -induced subnet is cyclic.
conflict free, the set of minimal explanations is not
p2
necessarily a singleton.
M0=p1+p2 +p3
M0=p1+p2 +p3
Algorithm 1 that constructs the BRG without diagnoser’s
t2(a)
t2(a)
t1(ε)
p2
M
=p
+p
states is presented. We denote
the
BRG
as
an
NFA
B
=
0
1
2 +p3
M0=p1+p
+p1 3
p1
2 =p
M1=p1
M
M
=2p
+p
1
2
2
3
t
(a)
t
(ε)
2
1
(MB , E, ∆), where MB is the set of basis markings of the
t2(a)
t (a)
t1(ε)
p3
t2(a)
LPN, and all events are observable. The transition
relation 2
M1=p1
∆ ⊆ MB × pE1 × MtB(ε)is determinedt by
the following rule. If M1=p1
M2=2p2+p3 M3=p2
2(a)
1
at marking M there is anp3observable transition t for which
t2(a)of the LPN.
(a) The RG
(b) The BRG of the
an explanation exists, i.e., Σ(M, t) 6= ∅, and the firing of
LPN.
M3=p2
t and one of its minimal explanations lead to M 0 , then an
Fig. 2. The RG and the BRG of the LPN in Fig. 1.
edge from state M to state M 0 labeled by `(t) is added in
the BRG, i.e., (M, `(t), M 0 ) ∈ ∆.
Algorithm 1 Construction of the BRG
Input: A bounded labeled Petri net G = (N, M0 , E, `)
whose Tu -induced subnet is acyclic.
Output: The BRG B = (MB , E, ∆)
1: Let MB = {M0 } and assign no tag to M0 ;
2: while states with no tag exist, do
3:
select a state M ∈ MB with no tag;
4:
for all t s.t. `(t) ∈ E and Ymin (M, t) 6= ∅, do
5:
for all yu ∈ Ymin (M, t), do
6:
M 0 := M + Cu · yu + C(·, t);
7:
if M 0 ∈
/ MB , then
8:
MB := MB ∪ {M 0 };
9:
assign no tag to M 0 ;
10:
end if
11:
∆ = ∆ ∪ {(M, `(t), M 0 )};
12:
end for
13:
tag node M as “old”;
14:
end for
15: end while
16: Remove all tags.
Given a word w ∈ L(B, M0 ), based on Algorithm 1, if
(M0 , w, M ) ∈ ∆∗ then M is the marking reached from M0
by firing an observable sequence σo that produces w and
eventually interleaved with some unobservable transitions
whose firing is necessary to enable σo . Therefore, MB ⊆
R(N, M0 ).
Notice that to apply BRG, two assumptions are made:
A1) the LPN G is bounded, and
A2) the Tu -induced subnet of G is acyclic.
Assumption A1) makes sure that the number of basis markings is finite so that Algorithm 1 can halt, and Assumption A2) is a common technical assumption when partial
observation problems, e.g., fault diagnosis, observability, are
considered. It allows to use the state equation to characterize
the set of markings reached from a basis marking firing
unobservable transitions.
In [14], [21], it has been proved that given an LPN
satisfying Assumptions A1) and A2) and a word w, a
marking M is consistent with w, namely the marking that
may be reached after w is observed, if and only if there
is a basis marking Mb consistent with w and the equation
M = Mb + Cu · yu has a non-negative integer solution
yu ∈ Nnu . However, in this work, we focus on the ability of
BRG to characterize the reachability of a marking and the
language that can be generated from a marking. Therefore,
we rephrase the result in different terms.
Theorem 4.3: [14] Let G = (N, M0 , E, `) be an LPN
whose Tu -induced subnet is acyclic and MB be the set
of basis markings. A marking M is reachable, i.e., M ∈
R(N, M0 ), if and only if there exists a basis marking Mb ∈
MB such that Mb [σu iM with σu ∈ Tu∗ .
Theorem 4.3 shows that for any reachable marking M ,
we can always find a basis marking from which M can be
reached by firing unobservable transitions. On the other hand,
given a basis marking Mb , if M is reachable from Mb by
firing unobservable transitions, it is also reachable from M0 .
In this paper we want to note that the if statement is true,
even if Assumption A2) is removed. A simple example is
presented to show that Assumption A2) is necessary for the
only if statement.
Example 4.4: Consider the LPN in Fig. 1 that does not
satisfy Assumption A2). Transition t1 is unobservable and
forms a cycle with place p3 . The corresponding RG and BRG
are shown in Figs. 2(a) (non-basis markings are illustrated
in dashed boxes) and 2(b), respectively. Marking M3 is
reachable, however, there does not exists a basis marking
from which it can be reached.
As a result of Theorem 4.3, under Assumption A2), a
marking is reachable from M0 if and only if there exists a
basis marking Mb such that M = Mb + Cu · yu allows a
non-negative integer solution yu ∈ Nnu [21]. Let us now
introduce the following definition that is useful to formalize
the main result of the paper.
Definition 4.5: Given an LPN G = (N, M0 , E, `) and a
Preprint submitted to 54th IEEE Conference on Decision and Control.
Received March 24, 2015.
M0=p
t2(a)
M1=p1
t1(a)
t2(ε)
t1(a)
t3(a)
CONFIDENTIAL. Limited circulation. For review only.
p2
p1
p4
p3
t2(ε)
p2
p1
t4(ε)
p2
p1
t1(a)
t3(b)
t1(a)
Fig. 3.
An LPN whose Tu -induced subnet is acyclic..
M3=p2+p4
(M0 ,1)
a
(M1 ,1)
(M2 ,1)
b
b
a
(M3 ,0)
(M4 ,0)
(M5 ,0)
a
b
t1(a)
)
t 1(a
t4(ε)
The BRG of the LPN in Fig. 3.
t4(ε)
t3(b)
t1(a)
M2=p1+p4
M8=2p1
t5(ε)
t1(a)
M7=2p3
t3(b)
t2(ε)
(M2 ,1)
Fig. 5.
M5=p1+p3
M6=p2+p3
t2(ε)
M3=p2+p4
M4=2p4
t1(a)
t2(ε)
t3(b)
M1
t2(ε)
M1=2p2
t5(ε)
b
t1(a) t1(a)
t3(b)
M0=p1+p2
t1(a)
t4(ε)
M0,M1,M
M2=p1+p4
t3(b)
t5(ε)
b
t3(b)
t1(a)
M1=2p2
p4
p3
M0,M1,M
M3,M4
a
M0=p1+p2
t2(ε)
p4
p3
t5(ε)
t5(ε)
t1(a)
t3(b)
t4(ε)
t5(ε)
M9=p3+p4
a
(M4t3,1)
(b)
(M5 ,1)
M4=2p4
5
ε
t5(ε)
b
Fig. 6.
(M0 Fig.
,0) 4. The RG of the LPN in Fig. 3.
b
(M4 ,0)
(M5 ,0)
ε
Relations between secret and non-secret (basis) markings.
0
a
b
{M0 , M3 , M5 , M8 , M9 } and U(M
a 4 ) = {M2 , M4 , M8 }. Finally, the validation of Proposition 4.6 can be easily verified.
2
1
EXAMPLE
marking M ∈ R(N, M0 ),WRONG
the unobservable
reach of M is
defined as U(M ) = {M 0 ∈ Nn |∃σu ∈ Tu∗ : M [σu iM 0 }. a
b
In simple words, the unobservable reach of a marking M is M0=p1
M0=p1
Reduction to the language containment on the BRG
(ε)
the set of markingst3reachable
from M by firing unobservable t B.
(a)
t (ε)
t (ε)
a
transitions.
In this section we show that, when a certain assumption
M
2=p3
M1=p2
3
t1(ε)
t2(a)
According to Algorithm
1 and Theorem 4.3, each state on the secret is satisfied, the language containment problem
t (a)
of the BRG characterizes not only the basis marking but between the secret and non-secret languages can be reduced
p2
p1
p3
M =p3
a in
also its unobservable
reach.
Therefore,
given a2 basis
marking to the corresponding problem of the language b
generated
0
Mb ∈ MB , if ∃(Mb , e, Mb ) ∈ ∆ in the BRG, there exists the BRG. Namely, initial-state opacity of an bounded LPN
a (M
marking
M ∈ U(Mb ) such that M [ti and `(t) = e. can be verified by just analyzing the BRG.
4
(M2,1)
0,1),(M4,0)
M0,1)
Therefore,
Proposition
4.6
is
obtained.
Definition
4.8:
Let
G
=
(N,
M
,
E,
`)
be
an
LPN,
MB
0
(M5,0)
Proposition 4.6: Let G = (N, M0 , E, `) be a bounded be the set of basis markings, and S be a secret. The secret
a
a
M0=p1
b
M0=p1
LPN, and B = (M
basis marking
set SB is defined as SB = MB ∩ S, and the
B , E, ∆) be the BRG. Given a basis
t4(ε)
t1(a)
t1(a)
t1(a)
M1,1)
(M1,1) (M4,0)
t4(ε) Mb ).
marking Mb ∈ MB , we have L(N, U(Mb )) = L(B,
non-secret basis marking
set S B is defined as S B = MB ∩S.
(M2,1) (M5,0)
M2,1)
M1=p2
M
=p
1
2
Proof: Sincet1M
∈
U(M
),
L(N,
U(M
))
=
L(N,
M
).
b
b
b
b
t3(b)
(a)
t2(ε)
t2(ε)
t3(b)
a
Therefore,
L(N, U(Mb )) = L(B, Mb ).
The Venn diagram
depicted in Fig. 6 shows the relation beb
M2=p3
b
a Given an LPN
p
p2
M3=p
p1 Proposition
p3the BRG4 of a Petri net
4
According
to
4.6,
tween
secret
and
non-secret
(basis) markings.
(M0,1),(M4,0) (M2,1)
(b)
t
(M5,0) describes the language generated from reachable markings as 3 G = (N, M0 , E, `), its BRG B and the secret1'S, it always
M3=p4 holds L(B, SB ) ⊆ L(N, S) and L(B, S B ) ⊆ L(N, S), b
well. If a word can be generated from a reachable marking,
since
a
there must exist a basis marking from which the word can SB ⊆ S and S B ⊆ S. Therefore, L(B, SB ) ⊆ L(B, S B ) b
also be generated. In addition, the language generated from a does not necessarily indicate that L(N, S) ⊆ L(N, S), or
b
state Mb in the BRG is a superset of the language generated vice versa. In other words, by just0'constructing the BRG,
2'
from the markingp2 M ∈ U(Mb ) with M 6= Mb in its initial-stateM0opacity
of
the
LPN
cannot
be
decided.
The
=p1+p2 +p3
M0=p1+p2 +p3
unobservable reach.
following assumption
is added:
t (a)
t (a)
t (ε)
0
0
Example
4.7:
Let
us
consider
the
LPN
in
Fig.
3.
TranA3)
∀M
∈
S,
@t
∈
T
/ S.
u : M [tiM and M ∈
p1
M1=p1
M1=p1
M2=2p2+p3
t
(a)
t
(ε)
2
1
sitions t1 and t3 are observable. The labels assigned In other words, for all secret markings there does not exist
p3
t (a)
to them are a and b, respectively. For this net, there an unobservable transition that leads to a non-secret one.
are 10 reachable markings and its RG is shownM3=p
in 2 Therefore, if Assumption A3) is satisfied, all markings
Fig. 4. However, there are only 5 basis markings MB = in the unobservable reach of a secret marking will also
{M0 , . . . , M4 }, and the corresponding BRG is shown in belong to the secret. Note that this assumption can be
Fig. 5. It holds U(M0 ) = {M0 , M5 , M8 }, U(M1 ) = relaxed by considering all unobservable transitions violating
{M1 , M5 , M6 , M7 , M8 }, U(M2 ) = {M2 , M8 }, U(M3 ) = Assumption A3) as observable and then constructing the
1
2
3
2
2
2
1
2
Preprint submitted to 54th IEEE Conference on Decision and Control.
Received March 24, 2015.
4
a
t2(a)
p2
p1
M2=p3
p3
CONFIDENTIAL. Limited circulation. For review only.
M0=p1
M0=p1
M0=p1
t1(ε)
t1(ε)
t3(ε)
M1=p2
p3t2(a)
M0=p1
t2(a)
(ε)
t24(a)
M2=p3
t3(ε)
M1=p2
M0=p1
t4(ε)
M2=p3
t2(a)
t1(a)
M2=p3
M2=p3
t3(b)
t2(ε)
p2
p1
M0=p1
t1(a)
M1=p2
t2a(ε)
0
t3(b)
Fig. 7.
An LPN that is initial-state opaque wrt S = {M0 , M2 }.
t4(ε)
M
0=p1
t3(b)
p3
p4
t4(ε)
p4
t1(a)
t1(a)
a
M1=p2
t2(ε)
t1(a)
M0=p1
0
b
t1(a)
M1=p2 M2=p3
t2(ε)
Fig. 8.
a
b
t3(b)
a0 0
0
0,1,
ε
a
2 2,3
ab
a
0,2
0
a
b
b
a
1,3
bb
1
ε
1
b
3
3
b
b
1
a
ε
(a) bThe reverse automaton Ar .
t3(b)
0,1,
2,3
M2=p3 M3=p4
M3=p4
t1(a)
3
a
M1=p2 M3=p4
t3(b)
t (b)
(a) The 3RG of the LPN.
a
M11=p2
a
a
3
2
ε
t1(a)
ε
ε t3(b)
M3b=p4
M3=p4
aM0=p1
ε
ε
M1=p2
An automaton A.
Fig. 9.
2
M0=p1
t1(a)
1
b
M2=p3
p4
p3
t1(a)
a
2
ε
aM3=p4 b
0,2
a
(b) The BRG of the
a
a
LPN.
b
1,3
a
b
b
0 of the LPN1 in Fig. 7.
The RG and the BRG
a
a
b
0
L(B, SB ) ⊆ L(B, S B ) ⇔ L(N, S) ⊆ L(N, S).
Proof: See Appendix-B
Therefore, under Assumptions A1) to A3), instead of
analyzing the RG, we could verify the language containment
in the BRG to check if a given labeled Petri net is opaque
wrt a secret.
b
b
a
0,2
b
modified BRG (see [22]). However, the number of states
in the modified BRG will increase.
We now prove that if Assumptions A1) to A3) are satisfied,
the non-secret language of a net coincides the non-secret
language of its BRG.
Proposition 4.9: Let G = (N, M0 , E, `) be an LPN and
S be a secret, which satisfy Assumptions A1) to A3). Let
B be the BRG and MB be the set of basis markings of G,
then we have
L(B, S B ) = L(N, S).
Proof: See Appendix-A.
Note that for the secret language it does not necessarily
hold that L(B, SB ) = L(N, S).
Example 4.10: Let us consider the LPN in Fig. 7. Let
S = {M0 , M2 } that satisfies Assumption A3). Based on the
BRG in Fig. 8(b), we have SB = {M0 } and L(N, SB ) =
{ε, an b|n ≥ 1}. However, L(N, S) = {ε, an b|n ≥ 0}, i.e.,
L(N, SB ) ( L(N, S).
However, the following proposition shows that under Assumptions A1) to A3) the language containment between
secret and non-secret languages can be verified by just
analyzing the BRG.
Proposition 4.11: Let G = (N, M0 , E, `) be an LPN and
S be a secret, which satisfy Assumptions A1) to A3). Let B
be the BRG and MB be the set of basis markings of G. It
holds
0,1,
2,3
a
1,3
b
b
1
(b) The initial-state estimator Ae .
Fig. 10.
The reverse automata and the initial-state estimator of the
automaton in Fig. 9.
Corollary 4.12: Let G = (N, M0 , E, `) be an LPN and S
be a secret, which satisfy Assumptions A1) to A3). Let B be
the BRG and MB be the set of basis markings. LPN G is
initial-state opaque wrt S if and only L(B, SB ) ⊆ L(B, S B ).
Proof: It follows from Lemma 3.4 and Proposition 4.11.
In other words, Corollary 4.12 proves that the opacity
problem in Petri nets is equivalent to the language containment problem in the corresponding BRG.
C. Verification of initial-state opacity
In this section we first briefly recall a technique that is used
to verify initial-state opacity in automata [10]. Based on the
result in the previous section, we show that by applying the
technique to the BRG of an LPN, initial-state opacity of the
LPN can be effectively verified.
In [10] an automaton called an initial-state estimator is
proposed based on the reverse automaton. Given an automaton A without specifying its initial state, the corresponding
initial-state estimator Ae is the observer of its reverse automaton Ar , i.e., the automaton is obtained by revising all
arcs in A. In Ae , the state reached by a word w is the set of
states from which the word w0 can be generated in A, where
w0 is the reverse of w.
Example 4.13: Let us consider the automaton A in Fig. 9
presented in [11]. Its reverse automaton Ar and the corresponding observer Ae , i.e., the initial-state estimator, are
Preprint submitted to 54th IEEE Conference on Decision and Control.
Received March 24, 2015.
t1(a)
t2(ε)
p2
p1
3;3
t3(b)
3;4
CONFIDENTIAL.
Limited circulation. For review only.
p4
p3
b
a
t5(ε)
b
t3(b)
1(a)
k
8
10
20
40
60
80
100
120
a
M0,M1,M3
M2=p1+p4
b
t1(a)
a
M1
p2+p4
Fig. 11.
5
ε
0
a
a
1
b
a
b
a
Therefore, the complexity of using BRG to verify initial3
state opacity is O(2|MB | ). In general, given a bounded Petri
net, it is |MB | ≤ |R(N, M0 )|, therefore, the efficiency of
using BRG to verify opacity will not be worse than that
of using RG. In particular, when unobservable transitions
are considered, the BRG will be smaller than the RG.
Meanwhile, to compute the BRG exhaustive enumeration is
not needed. Therefore, BRG brings big advantages over RG
in verifying opacity.
b
a
4
a
Consider again the LPN in Fig. 3. The initial-state
estimator of its BRG is shown in Fig. 11. Let S =
{M0 , M2 , M5 , M8 , M9 }, then SB = {M0 , M2 } and S B =
{M1 , M3 , M4 }. According to Corollary 4.15, G is initialstate opaque wrt S, since no state of the estimator either
coincides with SB or is strictly contained in it.
1'
b
|R(N, M0 )|
220
364
2024
13244
-
T-r
7.2 × 10−1
2.1 × 100
6.3 × 101
1.1 × 103
o.t.
o.t.
o.t.
o.t.
5;0'
k
8
10
20
40
60
80
100
120
ε
ε
|Xr |
10
12
22
42
-
T-reb
1.8 × 100
3.6 × 100
0;0'
6.0 × 101
3.7 × 103
-
T-b
4.1 × 10−2
5.0 × 10−2
8.0 × 10−2
1.1 × 10−1
3.6 × 10−1
5.3 × 10−1
7.6 × 10−1
9.7 × 10−1
a
a
|Xb |
T-be
10
1.1 × 10−1
12
1.1 × 10−1
22
2.8 × 10−1
42
1.7 × 100
62
3.7 × 100
82
6.5 × 100
102 1;1'
9.8 × 100
122
1.4 × 101
a
a
a
b
a
b
a
3;3'
3;2'
b
Let us now consider
the number of tokens
2;0'the case where3;1'
in place p2 is a parameter k ∈ {1, 2, · · · }. Columns 2 and
4 of Table I illustrate the number of reachable markings
|R(N, M0 )| and the number of basis markings |MB | corresponding to different values of k. Columns 3 and 5 show
the time T-r (in seconds) to compute the RG and the time T-b
to compute the BRG using a MATLAB toolbox, respectively.
According to the table, the size of the RG is much larger than
the size of BRG. When the initial marking in p2 is greater
than 60, the toolbox cannot compute the RG within eight
hours, therefore, we use “o.t.” to denote that the computation
is out of time. However, the BRG is obtained in a short time.
Given a secret satisfying Assumption A3), by constructing
the initial-state estimator of the RG or the BRG, initialstate opacity can be verified. Columns 2 and 4 of Table II
present the numbers of states |Xr | and |Xb | of the estimators
corresponding to the RG and the BRG, respectively. Since
the RG is not obtained when k ≥ 60, the corresponding
estimator cannot be further constructed. In this case, initialstate opacity cannot be verified by using RG analysis. On the
other hand, the estimator of the BRG is constructed in a short
time, therefore, initial-state opacity can be verified efficiently.
5
Even though it is shown that the estimators
of the RG and the
BRG have the same number of states when k < 60, which is
polynomial with respect to parameter k, comparing the time
cost T-re and T-be shown in Columns 3 and 5, respectively,
we can conclude that computing the estimator of the RG
has much higher time complexity. Therefore, either from the
aspect of the space complexity or the time complexity, using
BRG to verify opacity is more efficient.
4
a
0
a
a
1
ε
b
ε
b
a
4'
b
a
VI. C ONCLUSIONS AND F UTURE W ORK
In this paper we propose an effective and efficient approach to verifying initial-state opacity in bounded Petri
a
a
a
a
1'
b
2
a
3
ε
Preprint submitted to 54th IEEE Conference on Decision and Control.
Received March 24, 2015.
b
|MB |
19
23
43
83
123
163
203
243
4
V. E XAMPLE
a
1;4
N UMBER OF STATES OF THE ESTIMATORS
AND TIME COST
2;2'
shown in Figs. 10(a) and 10(b), respectively. Let w = ab.
In the estimator, the reached state is {1}, which implies that
the set of states that can generate w0 = ba in A is {1}.
Theorem 4.14: [10] Let A = (X, E, ∆) be an automaton
and Ae = (X , E, ∆e , X0 ) be the corresponding initial-state
estimator. Given a set of states Y ⊆ X, we have L(A, Y ) ⊆
L(A, Y ) if and only if ∀Xe ∈ X , Xe * Y , where Y =
X \Y.
In other words, to verify the language containment the
observer of the reverse automaton needs to be constructed.
The verification of the language containment L(A, Y ) ⊆
L(A, Y ) has the complexity of O(2|X| ). Furthermore, according to Lemma 3.4, initial-state opacity in bounded Petri
nets can be verified by applying Theorem 4.14 to the RG.
Therefore, the complexity of verifying initial-state opacity
in bounded Petri nets is O(2|R(N,M0 )| ). However, if the
Petri net and the secret satisfy Assumptions A1) to A3),
Theorem 4.14 can be directly applied on BRG.
Corollary 4.15: Let G = (N, M0 , E, `) be an LPN and
S be a secret that satisfy Assumptions A1) to A3). Let B
be the BRG of G and MB be the set of basis markings.
LPN G is initial-state opaque wrt S if and only if ∀Xe ∈ X ,
Xe * SB , where Be = (X , 2
E, ∆e , X0 ) is the corresponding
initial-state estimator of B.
Proof: Follows from Corollary 4.12 and Theorem 4.14.
ε
a
I;I
TABLE II
The initial-state estimator of the BRG in Fig. 5.
t1(a)
=2p4
a
TABLE I
N UMBER OF ( BASIS ) MARKINGS AND TIME COST
M0,M1,M2,
M3,M4
a
1;3
a
4;4
p1+p2
b
4'
CONFIDENTIAL. Limited circulation. For review only.
nets. In general, the verification of initial-state opacity is
equivalent to checking the language containment between the
secret language and the non-secret one. However, applying
this method to the RG of a bounded Petri net directly
may cause state explosion problem. We show that under
an appropriate assumption on the secret, advantages can be
obtained in terms of computational complexity if the BRG
is used instead of the RG. This follows from the observation
that the verification of initial-state opacity can be transformed
into a language containment problem in the BRG. Our future
research will be focused on relaxing the assumption on the
secret and extend the use of the BRG to the language-based
opacity analysis.
APPENDIX
A. Proof of Proposition 4.9
Since S B ⊆ S, L(N, S B ) ⊆ L(N, S) holds. Now we
prove that also the converse containment holds.
Let w ∈ L(N, M ) where M ∈ S, i.e., w ∈ L(N, S). If
M ∈ MB , then M belongs to S B and w ∈ L(B, S B ). If
M ∈
/ MB , by Theorem 4.3, there exists a basis markings
Mb ∈ MB such that Mb [σu iM , where σu ∈ Tu∗ and
σu 6= ε. Moreover, by Assumption A3), Mb is not a secret
marking (otherwise it will contradict M ∈
/ S). Therefore,
w ∈ L(B, Mb ) and w ∈ L(B, S B ), which concludes the
proof.
B. Proof of Proposition 4.11
According to Proposition 4.9, L(B, S B ) = L(N, S).
Therefore, we just need to prove
L(B, SB ) ⊆ L(N, S) ⇔ L(N, S) ⊆ L(N, S).
(⇐) Suppose L(B, SB ) ⊆ L(N, S). We prove that ∀w ∈
L(N, S), w ∈ L(N, S) holds. Since w ∈ L(N, S), there
exists at least a marking M ∈ S such that w ∈ L(N, M ).
According to Theorem 4.3, there is a basis marking Mb ∈
MB such that M ∈ U(Mb ). Thus, w ∈ L(N, Mb ) for
some Mb ∈ MB . If Mb ∈ SB , then w ∈ L(N, S), since
L(B, SB ) ⊆ L(N, S). If Mb ∈ S B , then w ∈ L(N, S),
since S B ⊆ S.
(⇒) Since SB ⊆ S, L(B, SB ) ⊆ L(N, S) holds. Therefore, we have
L(B, SB ) ⊆ L(N, S) ⇐ L(N, S) ⊆ L(N, S).
ACKNOWLEDGMENT
R EFERENCES
[1] J. A. Goguen and J. Meseguer. Security policies and security models.
In 2012 IEEE Symposium on Security and Privacy, pages 11–11, 1982.
[2] M. K. Reiter and A. D. Rubin. Crowds: Anonymity for web
transactions. ACM Transactions on Information and System Security,
1(1):66–92, 1998.
[3] N. Busi and R. Gorrieri. A survey on non-interference with Petri nets.
In Lectures on Concurrency and Petri Nets, pages 328–344. Springer,
2004.
[4] V. Shmatikov. Probabilistic analysis of an anonymity system. Journal
of Computer Security, 12(3):355–377, 2004.
[5] N. B. Hadj-Alouane, S. Lafrance, F. Lin, J. Mullins, and M. M.
Yeddes. On the verification of intransitive noninterference in mulitlevel
security. IEEE Transactions on Systems, Man, and Cybernetics, Part
B: Cybernetics, 35(5):948–958, 2005.
[6] J. W. Bryans, M. Koutny, L. Mazaré, and P. Y. Ryan. Opacity
generalised to transition systems. International Journal of Information
Security, 7(6):421–435, 2008.
[7] J. W. Bryans, M. Koutny, and P. Y. Ryan. Modelling opacity using Petri
nets. Electronic Notes in Theoretical Computer Science, 121:101–115,
2005.
[8] A. Saboori and C. N. Hadjicostis. Notions of security and opacity
in discrete event systems. In 46th IEEE Conference on Decision and
Control, pages 5056–5061. IEEE, 2007.
[9] E. Badouel, M. Bednarczyk, A. Borzyszkowski, B. Caillaud, and
P. Darondeau. Concurrent secrets. Discrete Event Dynamic Systems,
17(4):425–446, 2007.
[10] Y. Wu and S. Lafortune. Comparative analysis of related notions of
opacity in centralized and coordinated architectures. Discrete Event
Dynamic Systems, 23(3):307–339, 2013.
[11] A. Saboori and C. N. Hadjicostis. Verification of initial-state opacity
in security applications of DES. In 9th International Workshop on
Discrete Event Systems, pages 328–333, 2008.
[12] A. Saboori and Christoforos. N. Hadjicostis. Verification of initial-state
opacity in security applications of discrete event systems. Information
Sciences, 246:115–132, 2013.
[13] A. Giua, C. Seatzu, and D. Corona. Marking estimation of Petri
nets with silent transitions. IEEE Transactions on Automatic Control,
52(9):1695–1699, Sept 2007.
[14] M. P. Cabasino, A. Giua, M. Pocci, and C. Seatzu. Discrete event
diagnosis using labeled Petri nets. an application to manufacturing
systems. Control Engineering Practice, 19(9):989–1001, 2011.
[15] Y. Tong, Z. W. Li, C. Seatzu, and A. Giua. Verification of currentstate opacity using petri nets. In 2015 American Control Conference
(submitted), 2015.
[16] Y. Tong, Z. W. Li, and A. Giua. General observation structures for
petri nets. In Emerging Technologies & Factory Automation (ETFA),
2013 IEEE 18th Conference on, pages 1–4. IEEE, 2013.
[17] Y. Tong, Z. W. Li, and A. Giua. Observation equivalence of petri net
generators. In Discrete Event Systems, volume 12, pages 338–343,
2014.
[18] Y. Tong, Z. W. Li, and A. Giua. On the equivalence of observation
structures for petri net generators. IEEE Transactions on Automatic
Control (submitted).
[19] C. G. Cassandras and S. Lafortune. Introduction to discrete event
systems. Springer, 2008.
[20] T. Murata. Petri nets: Properties, analysis and applications. Procedings
of the IEEE, 77(4):541–580, April 1989.
[21] M. P. Cabasino, A. Giua, and C. Seatzu. Fault detection for discrete
event systems using Petri nets with unobservable transitions. Automatica, 46(9):1531–1539, 2010.
[22] M. P. Cabasino, A. Giua, and C. Seatzu. Diagnosability of discreteevent systems using labeled petri nets. Automation Science and
Engineering, IEEE Transactions on, 11(1):144–153, 2014.
This work was supported in part by the National Natural
Science Foundation of China under Grant No. 61374068,
61472295, the Recruitment Program of Global Experts,
and the Science and Technology Department Fund, MSAR,
under Grant No. 066/2013/A2, and the Fundamental Research Funds for the Central Universities under Grant No.
JB142001-15, Xidian University.
Preprint submitted to 54th IEEE Conference on Decision and Control.
Received March 24, 2015.

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz