In this paper, vulnerability of a distributed consensus seeking multi-agent system (MAS) with double-integrator dynamics against edge-bound content modification cyber attacks is studied. In particular, we define a specific edge-bound content modification cyber attack called malignant content modification attack (MCoMA), which results in unbounded growth of an appropriately defined group disagreement vector. Properties of MCoMA are utilized to design detection and mitigation algorithms so as to impart resilience in the considered MAS against MCoMA. Additionally, the proposed detection mechanism is extended to detect the general edge-bound content modification attacks (not just MCoMA). Finally, the efficacies of the proposed results are illustrated through numerical simulations.

Due to the open nature of communication channel in networked multi-agent system (MAS), the MAS is vulnerable to various malicious cyber attacks. In this paper, the impact of content modification attack on MAS consensus is rigorously studied by defining and analyzing a specific attack called malignant content modification attack (MCoMA), which results in unbounded growth of an appropriately defined group disagreement vector. Vulnerability of MAS consensus to MCoMA is further demonstrated by design of an optimal MCoMA that is distributed and compromises the least number of communication links. The fast, distributed, model-free, and computationally light attack detection schemes for both MCoMA and general content modification attack are discussed. The paper also studies an attack mitigation scheme for MCoMA.

## I. INTRODUCTION

The problem of distributed coordination of multi-agent systems is significant due to its broad applications, such as robot networks, sensor networks, formation control, flocking, and swarming. The goal of these problems is to generate a desired collective behavior for multiple agents only by sharing local information. One of the critical problems is called consensus, which means a group of agents reaches an agreement on a common value by interacting with neighbors.

Consensus problem has a historical view presented in Refs. 1–3. A simple discrete time flocking model given by Ref. 4 is theoretically analyzed in Ref. 5. The agreement, consensus, and synchronization problems for networked multi-agent system are extensively studied by Refs. 6–20 and among others, in which different scenarios are considered including directed/undirected graphs, fixed/switching topologies, network effects, deterministic/stochastic topology, uncertainties/disturbances, and linear/nonlinear dynamics. In practice, a broad class of systems can be modeled by a double integrators dynamics model, e.g., certain vehicle dynamics can be feedback linearized as double integrators. Thus, considerable research attention has been paid to the consensus-related problem for MAS with double-integrator dynamics.^{21–25} More references on the study of MAS coordination can be found in a recent survey Ref. 26. Common network effects like delays,^{8} noise,^{19} quantization^{15} and packet drops^{17} have been addressed for consensus seeking MAS in the aforementioned works. On the other hand, another malicious and intelligent network factor called cyber attack, which can cause severe disruption or damage to MAS, has begun to receive the attention of the research community.

MAS are a specific form of system commonly known as cyber physical system (CPS). In recent years, the significance of CPS security is being increasingly realized. Since most of the CPS are safety critical, their failure can damage the critical physical system, for instance, the Stuxnet malware sabotaging Iran's nuclear infrastructure,^{27} water supervisory control and data acquisition (SCADA) system attack,^{28,29} and power transmission network attack.^{30} Various works have studied different cyber attacks including the denial-of-service (DoS) attack^{31} where the *attacker* denies data availability in the system, the replay attack^{32} where some normal data is recorded and replayed to avoid being detected, and the content modification attack^{33} where the *attacker* intentionally modifies the transmitted data of the original system. Various approaches are proposed to address these issues including quantitative risk management approach,^{34} game theoretical methods,^{35,36} control theory,^{37} and physical authentication by watermarked control input.^{38}

As one type of CPS, the consensus seeking MAS is also vulnerable to cyber attacks due to the open nature of communication network. Some works concerning the cyber attack on MAS consensus have been reported. In Ref. 39, a consensus problem is considered for a first-order MAS with adversarial agents. It is shown that the consensus can be reached in complete network topologies, whenever there are more cooperative agents than the adversarial agents. Ref. 40 again considers a first-order MAS under a specific attacker with a linear dynamics, which can insert external signals in network to destabilize the consensus dynamics. A hidden network is then designed to maintain the system stability. Similarly, Ref. 41 studies the consensus problem for discrete-time multi-agent systems in the presence of adversarial agents and transmission delays. A sufficient condition for the resilient consensus under the proposed protocol is given. References 39–41 including the references therein only consider MAS consisting agents with single-integrator dynamics, whereas in the work presented in this paper, we have considered agents with double-integrator dynamics.

In a closely related work, Ref. 42 considers MAS consensus of agents with double-integrator dynamics. Ref. 42 proposes a distributed unknown input observer (UIO) based attack detection and isolation scheme, wherein the attacks on both agent and communication link are considered. The shortcomings of this scheme are as follows: the computation burden is too high and the scheme is just semi-distributed. Ref. 43 tries to overcome these limitations, but the assumption that there is no coupling between the dynamics associated to each node limits the application of its scheme. In Ref. 44, a resilient consensus for a MAS with second-order dynamics is studied, in which some malicious nodes prevent the normal nodes to reach consensus and certain conditions on graphs are imposed to ensure the consensus. Whereas in the work presented in this paper, none of the agents participating in the consensus process are malicious, and the attacker can only externally influence the states being exchanged by the agents.

Reference 45 considers a secure consensus tracking problem for general linear MAS with connected and disconnected directed switching topologies caused by two types of attacks. Further, sufficient conditions are derived to ensure a secure consensus. Basically, Ref. 45 suggests that an attacker need not attack the complete network but only few of its edges. In this paper, we have rigorously derived the necessary and sufficient conditions on the edges that should be attacked for maximizing the damage to the MAS system with double-integrator dynamics. Further, we also present a detection mechanism to detect the edges being attacked.

In this paper, we consider a consensus problem for a second order MAS with undirected topology under an edge-bound content modification attack, which can externally intercept the communication links and corrupt the data content. The contributions of current paper are as follows:

- The impact of content modification attack on MAS is rigorously studied by defining and analyzing the MCoMA that can guarantee a storage function *V* for MAS consensus satisfies $\lim_{t\to\infty}V=\infty$ with $\dot{V}\ge 0$;
- An optimal MCoMA that is distributed and compromises the least number of communication links is designed;
- The fast, distributed, model-free, and computationally light attack detection schemes for both the proposed MCoMA and general content modification attack are discussed. An attack mitigation scheme for MCoMA is also proposed.

The rest of the paper is organized as follows. In Section II, mathematical notations used throughout the paper are described. Section III provides a brief review on graph theory and existing consensus algorithm. In Section IV, the main results are presented. Finally, the simulation results are shown in Section V.

## II. NOTATIONS

Throughout the paper, the symbols $\mathbb{R}^n$, $\mathbb{R}^{n\times m}$ and $\mathbb{R}_+$ denote *n*-dimensional real-valued vectors, *n* × *m* matrices with real-valued elements, and the set of positive real numbers, respectively. $|\cdot|$ denotes the Euclidean norm for a vector and the cardinality of a set. $\|\cdot\|_0$ denotes the $l_0$ norm, that is, the total number of non-zero elements in a vector. $I_n$, $0_n$, $0_n$ and $1_n$ denote the *n* × *n* identity matrix, the *n* × *n* zero matrix, the *n*-dimensional column vector of zeros and the *n*-dimensional column vector of ones, respectively. For any matrix $A\in\mathbb{R}^{n\times n}$, $A\succ 0$ denotes that it is positive definite, $A\succeq 0$ denotes that it is positive semidefinite, $A^T$ denotes its transpose, $A^{-}$ denotes its generalized inverse, $A^{-1}$ denotes its inverse if *A* is invertible, and $A_i$ represents its *i*-th column. *diag* denotes the diagonal matrix. ⊗ denotes the Kronecker product. $N(\cdot)$ denotes the null space of a matrix. $\dim(\cdot)$ denotes the dimension of a matrix or space.

## III. PRELIMINARIES

### A. Graph theory

The MAS can be modeled as graph (Fig. 1). This section reviews some concepts and facts in the graph theory that will be used throughout the paper.

Consider a graph $G=\{V,E\}$ consisting of a set of nodes $V=\{1,2,\ldots,n\}$ and a set of edges $E=\{(i,j)\in V\times V \mid i,j\ \text{adjacent}\}$. Nodes *i*, *j* being adjacent means there exists an edge (*i*, *j*) between the two nodes.

The graph $G$ is called undirected if $(i,j)\in E\Leftrightarrow(j,i)\in E$. The adjacency matrix is a square matrix $A\in\mathbb{R}^{n\times n}$ with element $a_{ij}=1$ if *i*, *j* are adjacent and $a_{ij}=0$ otherwise. The diagonal elements $a_{ii}$ are zero since the self-loop case will not be considered. The degree matrix is a diagonal matrix $D\in\mathbb{R}^{n\times n}$ with element $d_i$ equaling the cardinality of node *i*'s neighbor set $N_i=\{j\in V \mid (i,j)\in E\}$. The Laplacian matrix $L\in\mathbb{R}^{n\times n}$ is defined as $L=D-A$, which means its elements are

For an undirected graph $G$, *L* is symmetric and positive semidefinite. Observing the fact that the row sum of *L* is zero, the vector $1_n=[1,1,\ldots,1]^T\in\mathbb{R}^n$ is a right eigenvector of *L* associated with the eigenvalue *λ* = 0, i.e., $L1_n=0$.

A path from node *i* to *j* is a sequence of distinct nodes from *i* to *j*, such that each pair of consecutive nodes are adjacent. If there is a path from *i* to *j*, then *i*, *j* are called connected. If all pairs of nodes in $G$ are connected, then $G$ is called connected. For connected graphs, *L* has exactly one zero eigenvalue. The eigenvalues of *L* can be listed in an increasing order as $0=\lambda_1<\lambda_2\le\ldots\le\lambda_n$. The second smallest eigenvalue $\lambda_2$ is called the algebraic connectivity of a graph, which is a measure of performance/speed of consensus algorithm.^{8}

### B. Existing consensus protocol

This section reviews the existing graph-Laplacian based consensus protocol for MAS with double-integrator dynamics presented in Refs. 23–25.

The MAS is modeled by a graph $G=\{V,E\}$ with agents as the nodes and communication links as edges. The following assumptions hold throughout the paper:

**(A1)** Graph $G$ is undirected and connected.

**(A2)** The communication condition is perfect (network effects are neglected), which can isolate the effect of cyber attack on MAS in Section IV.

Dynamics of each agent in MAS is identical and is given as:

where $q_i\in\mathbb{R},\ i\in V$ and $\dot{q}_i\in\mathbb{R},\ i\in V$ are generalized coordinates and their rate of change, respectively. Henceforth, for simplicity we shall just refer to $q_i$ as the position and $\dot{q}_i$ as the velocity of any agent $i\in V$. The states $q_i,\dot{q}_i$ are treated as scalars here, but the results can be extended to the higher dimensional case using the concepts of Kronecker product.

Consider the distributed consensus protocol proposed in Ref. 24, where

where $\beta\in\mathbb{R}_+$ is referred to as the coupling gain of relative velocities.

**Definition 1:** Consensus is achieved by the MAS described by (2)–(3), if for any $(i,j)\in V\times V$

Let $q=[q_1,q_2,\ldots,q_n]^T$, $\dot{q}=[\dot{q}_1,\dot{q}_2,\ldots,\dot{q}_n]^T$ and $x=[q^T,\dot{q}^T]^T$. By applying consensus protocol (3), (2) can be written in compact matrix form as

Following from these notational substitutions, (4) is equivalent to $x(t)\to E$ as $t\to\infty$, where

The convergence analysis of consensus protocol (3) is done by Lyapunov function analysis similar to Theorem 1 of Ref. 25.

**Theorem 1:** The consensus is achieved by the MAS (2)–(3) for any $\beta\in\mathbb{R}_+$.

**Proof:**

From **(A1)**, both *L* and *L*^{2} are positive semidefinite with exactly one zero valued eigenvalue and

Let $q=\alpha 1_n+\delta_q$ and $\dot{q}=\gamma 1_n+\delta_{\dot{q}}$, where $\delta_q\in\mathrm{span}\{1_n\}^{\perp}$, $\delta_{\dot{q}}\in\mathrm{span}\{1_n\}^{\perp}$ are referred to as position and velocity disagreement vectors.^{46} Real-valued scalars $\alpha=\frac{1}{n}q^T1_n$, $\gamma=\frac{1}{n}\dot{q}^T1_n$ are simply the components of *q* and $\dot{q}$ along $1_n$, respectively.

Substituting $q=\alpha 1_n+\delta_q$ and $\dot{q}=\gamma 1_n+\delta_{\dot{q}}$ in (5) gives us the following dynamics of the disagreement vectors:

where $\delta=[\delta_q^T,\ \delta_{\dot{q}}^T]^T\in D_\delta$ and $\dot{\alpha}=\gamma$, $\dot{\gamma}=0$. $D_\delta=\mathrm{span}\{[1_n^T,\ 0_n^T]^T,\ [0_n^T,\ 1_n^T]^T\}^{\perp}$ is a vector space of dimension 2*n* – 2. From (7), (8) has a single equilibrium point at the origin in $D_\delta$.

Consider the following storage function of (5)

Since $L\succeq 0$, we have $L^2\succeq 0$, which implies $P\succeq 0$. Thus $V\ge 0,\ \forall x\in\mathbb{R}^{2n}$.

Substituting $q=\alpha 1_n+\delta_q$ and $\dot{q}=\gamma 1_n+\delta_{\dot{q}}$ in (9) gives

From (7), *V* defined in (11) is positive definite and radially unbounded in $D_\delta$. Thus, *V* is a Lyapunov candidate function for system (8).

Similarly, substituting $\dot{q}=\gamma 1_n+\delta_{\dot{q}}$ in (10) gives

Since *V* in (11) is radially unbounded and $\dot{V}\le 0,\ \forall\delta\in D_\delta$, the set $\Omega_c=\{\delta\in D_\delta \mid V\le c,\ c>0\}$ is a compact, positively invariant set. Let

From (7), $S_\delta=\{\delta\in D_\delta \mid \delta_{\dot{q}}=0_n\}$. It is easy to verify that $E_\delta=\{\delta\in D_\delta \mid \delta_q=0_n,\ \delta_{\dot{q}}=0_n\}$ is the largest invariant set in $S_\delta$. Hence, from LaSalle's invariance principle,^{47} the origin of (8) is globally asymptotically stable.

This implies $x(t)\to E$ as $t\to\infty$. ▪

## IV. MAIN RESULTS

In this section, the concept of *edge-bound content modification attacks* is first formalized in context of the considered MAS. In Subsection IV A, to better understand the vulnerability of MAS and severity of attack issue, a special edge-bound content modification attack called MCoMA is considered from the attacker's perspective, where the attacker's goal is to ensure unboundedness of the storage function (9). In Subsection IV B, an optimal MCoMA is further proposed. In Subsection IV C, from the defender's perspective, an algorithm to detect and mitigate the MCoMA is studied. In Subsection IV D, beyond the discussion of MCoMA, an attack detection scheme for a general edge-bound content modification attack is proposed.

**Definition 2:** In this paper, the *attacker* is a malicious external entity which can execute an *edge-bound content modification attack* by compromising an edge set $\bar{E}\subseteq E$ and therefore modifies the information being exchanged in the edge set $\bar{E}$ at will.

The following assumptions hold throughout the paper:

**(A3)** The *attacker* is able to *completely hack* the communication links represented by the edges in the set $\bar{E}$. Here, *completely hack* refers to the attacker's capability of breaking both the encryption and message authentication code (MAC) of the communication link.

**(A4)** The attack is initiated at $t=t_a$, and MAS state *x* does not lie in the consensus set **E** defined in (6) at $t=t_a$, i.e., $x(t_a)\notin E$.

**(A5)** The *attacker* knows the complete graph topology and consensus protocol (3).

### A. Vulnerability of MAS to MCoMA

**Definition 3:** MCoMA is referred to as an *edge-bound content modification attack* with a goal to guarantee the storage function *V* given in (9) satisfies $\lim_{t\to\infty}V=\infty$ with $\dot{V}\ge 0,\ \forall t\ge t_a$.

Associate a basis vector $e_i$ with every node $i\in V$, where $e_i$ is the *i*-th column of $I_n$. Let $\bar{A}$ and $\bar{D}$ be the adjacency matrix and degree matrix of subgraph $\bar{G}:=\{V,\ \bar{E}\}$, then the information of node *i* is available to the *attacker* if and only if $\|\bar{A}e_i\|_0=1_n^T\bar{A}e_i\ne 0$.

Since $\bar{A}=\bar{A}^T$ (from **(A3)**), the total number of *completely hacked* edges associated with node *i* is given as $1_n^T\bar{A}e_i$. Define $V_a=\{i\in V \mid 1_n^T\bar{A}e_i\ne 0\}\subseteq V$ as the set of compromised nodes, hence the *attack space*, which is defined as $S_a^n=\mathrm{span}\{e_i,\ i\in\{1,\ldots,n\} \mid i\in V_a\}$, has dimension $|V_a|$. For simplifying the attack analysis, let us define an *attack operator*

which basically maps $\mathbb{R}^n$ to $S_a^n$ linearly.

For each node $i\in V_a$ and edge $(i,\ j)\in\bar{E}$, the *attacker* can modify the information $(q_i,\ \dot{q}_i)$ of node *i* to $(\tilde{q}_i,\ \tilde{\dot{q}}_i)$ being received by node *j* as

where $K_{ij}^{p}\in\mathbb{R}^{1\times 2n}$ and $K_{ij}^{v}\in\mathbb{R}^{1\times 2n}$ are termed as the *position attack gain* and *velocity attack gain* associated with edge $(i,\ j)\in\bar{E}$, respectively.

Hence, the effective control input of any node $j\in V_a$ (refer to (3)) is given as

where $\bar{N}_j=\{i\in V \mid (i,j)\in\bar{E}\}$ and $x=[q^T,\ \dot{q}^T]^T$.

For uniformity, we associate *position attack gains* and *velocity attack gains* with every node $j\in V$ (not necessarily in $V_a$) as

where $K_j^{p},K_j^{v}\in\mathbb{R}^{n\times 2n}$ and $K_j^{pp},K_j^{pv},K_j^{vp},K_j^{vv}\in\mathbb{R}^{n\times n}$ for all $j\in V$. Ideally, if $(i,\ j)\notin\bar{E}$ then $K_{ij}^{p}=K_{ij}^{v}=0_{2n}^T$. But, even in case these gains are not identically zero, the adjacency vector $\bar{A}_j$ associated with $j\in V$ and the *attack operator* $O_a$ will limit the effect of attack only to the compromised nodes (nodes that belong to $V_a$).

where,

are referred to as *attack gains* throughout the paper.

Next, we give sufficient and necessary conditions for the attack (15) to be MCoMA.

**Theorem 2:** Consider the dynamics of MAS (5) under *edge-bound content modification attack* (15), i.e. (18). The content modification attack (15) is a MCoMA according to Definition 3 if and only if

**(a)** *attack gains* $\Delta_p$ and $\Delta_v$ in (18) satisfy $\Delta_p=0_n$ and $R:=-2\beta L^2+L\Delta_v+\Delta_v^TL\succeq 0$,

**(b)** the set $F\setminus E$ is not positively invariant, where $F:=\{x\in\mathbb{R}^{2n} \mid \dot{q}^TR\dot{q}=0\}$.

**Proof:**

Consider the storage function $V=\frac{1}{2}x^TPx$ in (9). Clearly, $V=0,\ \forall x\in E$ and $V>0,\ \forall x\in\mathbb{R}^{2n}\setminus E$.

Computing the time derivative of *V* along the trajectory of (18), we have

1. Sufficiency: From **(A4)**, $x(t_a)\notin E$, thus $V(t_a)$ is positive. Now

If **(a)** $\Delta_p=0_n$ and $R\succeq 0$, then $\dot{V}\ge 0$. Thus, *V* > 0 and $x\notin E,\ \forall t\ge t_a$.

For condition **(b)**, we need to first show $E\subset F$. For $x\in E$, we have $\dot{q}\in\mathrm{span}(1_n)$. We can easily verify that $\dot{q}^TR\dot{q}=0$ when $\dot{q}\in\mathrm{span}(1_n)$. Thus, $x\in F$, which implies $E\subset F$.

If **(b)** the set $F\setminus E$ is not positively invariant, $\dot{V}$ will not always stay at 0, thus $V\to\infty$ as $t\to\infty$.

Hence, by Definition 3, the content modification attack is MCoMA.

2. Necessity: By Definition 3, if the content modification attack is MCoMA, then $\dot{V}\ge 0$ in (20), which implies $M\succeq 0$. By generalized Schur's complement condition,^{48} for $M\succeq 0$, we should have $R\succeq 0$ and $-\Delta_p^TLR^{-}L\Delta_p\succeq 0$. This can only be satisfied when $\Delta_p=0_n$. Further, $V\to\infty$ as $t\to\infty$ implies the set $F\setminus E$ should not be positively invariant. Hence, both **(a)** and **(b)** are necessary. ▪

Since the *attack gains* (19) are constant matrices, the proposed MCoMA is referred to as static MCoMA.

**Remark 1:** Amongst all possible choices for the *attacker* to modify the data content in the compromised link, the proposed MCoMA guarantees a nonnegative increase rate of the storage function (9) and ensures that $\lim_{t\to\infty}V=\infty$. This could be catastrophic for the individual agent in the MAS and in some cases, can even cause physical damage to the agents.

**Remark 2:** Given $O_a$ and $\bar{A}$, the *attacker* can compute the *position attack gains* and *velocity attack gains* by choosing an appropriate $Q=Q^T\succ 0$ such that the following feasibility problem has a nonempty solution set. This problem is a linear programming problem as the constraints are all linear matrix inequalities (LMI), which can be solved efficiently.

If there exists $Q=Q^T\succ 0$ such that the solution set of (21) is nonempty then clearly $R=Q\succ 0$ and condition **(a)** of **Theorem 2** holds. $R\succ 0$ implies $F\setminus E=\{x\in\mathbb{R}^{2n} \mid q\notin\mathrm{span}(1_n),\ \dot{q}=0\}$ and from (18) we get $\ddot{q}=-Lq\ne 0$ in $F\setminus E$, which makes $F\setminus E$ a non-invariant set. Hence, the *edge-bound content modification attack* with *position attack gains* and *velocity attack gains* belonging to the solution set of (21) is MCoMA.

### B. Optimal static MCoMA design

In order to maximize the damage and minimize the cost of attack at the same time, it is desirable for a MCoMA to be distributed and to compromise the least number of edges possible in any given graph.

A distributed MCoMA means for any $(i,\ j)\in\bar{E}$, only the *i*-th and *j*-th elements of the associated $K_{ij}^{p}$ and $K_{ij}^{v}$ are non-zero. In words, this means that a content modification of states being exchanged on any one *completely hacked* link is not dependent in any way on the content modification of states being exchanged on any other *completely hacked* links. For this reason, distributed MCoMA is much easier to execute and has higher scalability and lower communication cost.

**Definition 4:** The optimal MCoMA or OMCoMA is referred to as a MCoMA which is distributed and compromises the least number of edges for any given graph.

Next proposition gives a distributed MCoMA design:

**Proposition 1:** Consider the dynamics of MAS (5) under *edge-bound content modification attack* (15), i.e. (18). If

where *θ* satisfies $\theta\ge\beta\lambda_n$, where $\lambda_n$ is the maximum eigenvalue of Laplacian matrix *L*, then the content modification attack (15) is a MCoMA.

Before the proof is provided, a lemma which will be used in the proof is stated as follows:

**Lemma 1: (Theorem 3 in Ref.** 49 **)** Let *A* and *B* be two real positive semidefinite matrices, then $AB\succeq 0$ if and only if *AB* is normal.

Now the proof of Proposition 1 is given:

**Proof:**

Choosing $\Delta_v^T=\Delta_v=\theta I_n$, we have

Since $\theta\ge\beta\lambda_n$, we have $\theta I_n-\beta L\succeq 0$. Now from **Lemma 1**, $R=2L(\theta I_n-\beta L)\succeq 0$ since *R* is normal and thus condition (a) in Theorem 2 is satisfied.

As $L=T\Lambda T^{-1}$ by a similarity transformation and from (7), we get

where $2\theta\Lambda-2\beta\Lambda^2$ also has exactly one zero eigenvalue, which means $\dim(N(R))=1$ and $N(R)=\mathrm{span}(1_n)$.

This implies

Hence, $F\setminus E=\{x\in\mathbb{R}^{2n} \mid \dot{q}\in\mathrm{span}(1_n),\ q\notin\mathrm{span}(1_n)\}$.

With $\Delta_p,\Delta_v$ defined in (22), the velocity dynamics can be written as

Multiplying by *L* on both sides of the equation, we get

When the system state is in $F\setminus E$, $L\dot{q}=0$, $L^2\dot{q}=0$ and $L^2q\ne 0$, thus $L\ddot{q}\ne 0$, which implies $\ddot{q}\notin\mathrm{span}(1_n)$. Thus, $F\setminus E$ is not a positively invariant set, which satisfies the condition (b) in Theorem 2.

Hence, by Theorem 2, the content modification attack given in the proposition is MCoMA. ▪

Observing the MCoMA injection term $\theta I_n\dot{q}$ in (26), it is evident that the proposed static MCoMA in Proposition 1 is in fact distributed, i.e., there is no information exchange required between the attacks targeting different edges.

The result proposed in the following corollary of Theorem 2 is critical for the design of MCoMA with minimum $|\bar{E}|$.

**Corollary 1:** For a graph $G=\{V,\ E\}$, suppose the *attack space* of MCoMA is denoted by $S_a^n$ as defined in Subsection IV A and $\dim(S_a^n)=|V_a|$, then we always have $|V_a|=|V|$.

**Proof:** Clearly, for any *edge-bound content modification attack*, we have $|V_a|\le|V|$.

(Proof by Contradiction.) Assume $|V_a|<|V|$, which means some of the nodes are not compromised by the MCoMA. This implies there exists a non-zero number of zero rows in matrix $\Delta_v$, and symmetrically, there exist zero columns in $\Delta_v$. Consequently, the corresponding diagonal element(s) of $L\Delta_v+\Delta_v^TL$ are zero as well. Hence, the matrix *R* as defined in (a) of Theorem 2 has negative diagonal element(s) and hence is not positive semidefinite. However, a necessary condition for a content modification attack to be MCoMA is $R\succeq 0$ (refer to Theorem 2). This contradicts the given fact that the content modification is MCoMA.

Hence, by contradiction $|V_a|<|V|$ cannot hold, thus $|V_a|=|V|$. ▪

The implications of Corollary 1 are

- None of the diagonal entries of the attack operator $O_a$ is zero for MCoMA.
- The OMCoMA design problem is now reduced to the minimum edge cover problem (given in (28)): finding the least number of compromised edges such that every node of the graph is incident to at least one edge in the set $\bar{E}$

$$\underset{(i,\,j)\in E}{\text{minimize}}\ |\bar{E}| \quad \text{subject to:}\quad \bigcup_{(i,\,j)\in\bar{E}}\{i,\ j\}=V. \tag{28}$$

**Note:** The minimum edge cover problem (28) is also known as maximum matching problem. Ref. 50 introduces an algorithm in Section 10.5 to solve this problem for a graph $G=\{V,E\}$ in $O(|V|^4)$ time.

To summarize, OMCoMA defined in Definition 4 can be designed as following:

Firstly, solve the minimum edge cover problem (28) to obtain optimal $\bar{E}$.

Secondly, implement the distributed attack based on Proposition 1.

### C. Attack detection and mitigation for static MCoMA

In this subsection, an attack detection and mitigation scheme for MAS consensus against the static MCoMA in Theorem 2 is proposed.

#### 1. Attack detection

Firstly, the attack detection scheme for static MCoMA is presented based on the physical relation of transmitted data, which in this case means that the received velocities and positions should be coherent at all times. To further interpret this, let us consider one compromised edge $(i,j)\in\bar{E}$. Suppose the *attacker* modifies $(q_i,\dot{q}_i)$ to $(\tilde{q}_i,\tilde{\dot{q}}_i)$; the data will only be accepted by agent *j* when the following detection condition is satisfied:

The following proposition demonstrates that the proposed static MCoMA can be detected with simple detection condition (29).

**Proposition 2:** Consider the dynamics of MAS (5) under *edge-bound content modification attack* (15), i.e. (18). The static MCoMA in Theorem 2 will be detected if the detection condition (29) is checked for received data at all the agents in MAS.

**Proof:**

For each node $i\in V_a$ and edge $(i,\ j)\in\bar{E}$, consider the attack (15)

where $K_{ij}^{p}=[K_{ij}^{pp} \mid K_{ij}^{pv}]$ and $K_{ij}^{v}=[K_{ij}^{vp} \mid K_{ij}^{vv}]$ with $K_{ij}^{pp},K_{ij}^{pv},K_{ij}^{vp},K_{ij}^{vv}\in\mathbb{R}^{1\times n}$.

For a MCoMA, $\Delta_p$ and $\Delta_v$ in (18) satisfy $\Delta_p=0_n$ and $R=-2\beta L^2+L\Delta_v+\Delta_v^TL\succeq 0$ as shown in Theorem 2, which implies $K_{ij}^{p}=[0_n^T \mid K_{ij}^{pv}]$ and $K_{ij}^{v}=[0_n^T \mid K_{ij}^{vv}]$.

(Proof by Contradiction.) Now assume the MCoMA avoids the detection condition (29) imposed on (30), which means the *attacker* can make

Substituting (18) into above equation gives

The left hand side of (32) is

The right hand side of (32) is

So (32) is equivalent to

To make the above equality hold, the *attacker* has to choose $K_{ij}^{pv}=K_{ij}^{vv}=0_n^T$, which further implies $\Delta_v=0_n$ and thereby $R=-2\beta L^2$ is negative semidefinite.

However, the MCoMA requires $R\succeq 0$. Hence, by contradiction, the static MCoMA in Theorem 2 will be detected by the detection condition (29), which completes the proof. ▪

In practice, (29) may be relaxed to

where $\epsilon\in\mathbb{R}_+$ can be determined empirically.

#### 2. Attack mitigation

In this part, a velocity observer from Ref. 24 is used to mitigate the proposed static MCoMA.

**Proposition 3:** Consider the dynamics of MAS (5) under *edge-bound content modification attack* (15), i.e. (18). Once the proposed static MCoMA is detected, each agent $i\in V$ transmits $(q_i, 0)$ instead of $(q_i,\dot{q}_i)$ and switches to the following local observer based consensus algorithm^{24} for MAS dynamics (2):

where $p,\tau\in\mathbb{R}_+$ and $\hat{z}_i\in\mathbb{R}$ is the observer state.

With the above attack mitigation scheme, the consensus of MAS defined by Definition 1 is still achieved under the static MCoMA.

**Proof:**

which are in static feedback form of the velocities.

Since each agent $i\in V$ transmits $(q_i, 0)$ instead of $(q_i,\dot{q}_i)$ once the MCoMA is detected, from (39), the injection signals are zero.

### D. Attack detection for general content modification attack

In Subsection IV C, we have proposed an attack detection and mitigation scheme for static MCoMA, which is a special content modification attack with the goal to blow up the storage function. In other cases, an attacker may not want to launch the MCoMA but may want to launch a general edge-bound content modification attack to just disrupt the MAS consensus. Thus, in this subsection, an attack detection scheme against general edge-bound content modification attack on MAS links will be proposed by relying on the detection condition (29) for MAS consensus.

Consider MAS modeled by a graph $G={V,E}$ satisfying assumptions **(A1)** and **(A2)**. The implementation details of the proposed attack detection scheme are as follows:

- For $i\u2208V$, instead of transmitting $(q\u0307i,qi)$, the encoded data packet of (
*r*_{i}_{1},*r*_{i}_{2}) is transmitted, where (*r*_{i}_{1},*r*_{i}_{2}) are encoded as(40)$ri1=q\u0307i+\lambda 1qi,\u2003\lambda \u03071=f1(\lambda 1,t)ri2=q\u0307i+\lambda 2qi,\u2003\lambda \u03072=f2(\lambda 2,t),$where the functions*f*_{1},*f*_{2}are known to all agents and defined as$f1:\mathbb{R}\xd7\mathbb{R}\u2192\mathbb{R},\u2003(\lambda 1,t)\u2009\u21a6\u2009\lambda \u03071;f2:\mathbb{R}\xd7\mathbb{R}\u2192\mathbb{R},\u2003(\lambda 2,t)\u2009\u21a6\u2009\lambda \u03072,$such that $\lambda 1\u2260\lambda 2,\u2200t\u22650$. The scalars $\lambda 1(0),\lambda 2(0)$ are shared securely between the agents when consensus starts, thus the

*attacker*does not know the value of*λ*_{1},*λ*_{2}during consensus. - After transmission, $q\u0307i,qi$ are obtained by decoding (
*r*_{i}_{1},*r*_{i}_{2}) for agent $j\u2208Ni$ as(41)$qi=a(ri1\u2212ri2),\u2003q\u0307i=bri1\u2212cri2,$where $a=1/(\lambda 1\u2212\lambda 2),b=\lambda 2/(\lambda 2\u2212\lambda 1),c=\lambda 1/(\lambda 2\u2212\lambda 1)$.

After decoding, the detection condition (29) is checked. If the condition is not violated, $\dot{q}_i, q_i$ is utilized in the control (3) for agent $j \in N_i$. Otherwise, the attack is detected.

**Theorem 3:** With the proposed attack detection scheme, for $i \in V$, suppose the *attacker* modifies $(r_{i1}, r_{i2})$ to $(\tilde{r}_{i1}, \tilde{r}_{i2})$ as

where the signals $\bar{r}_{i1}, \bar{r}_{i2}$ constitute the injection attack. The content modification attack will be detected by the detection condition (29) if

where $\lambda_1, \lambda_2$ are the encoding coefficients in (40), and $T$ is a sufficiently small sampling period for (5).

**Proof:**

In practical implementation, the detection condition (29) is checked by $(q_i - q_{ip})/T = \dot{q}_i$, where $q_{ip}$ is the position at the previous time instant.

In order to make $(\tilde{q}_i - q_{ip})/T = \dot{\tilde{q}}_i$, it requires $a(\bar{r}_{i1} - \bar{r}_{i2})/T = b\bar{r}_{i1} - c\bar{r}_{i2}$, which is equivalent to

Since $\lambda_1$ and $\lambda_2$ are unknown to the *attacker* during the consensus, the content modification attack as in (42) will be detected by (29) once (46) is not satisfied. ▪

**Remark 3:** If the *attacker* wants to bypass the proposed attack detection scheme, the injection attack signal should satisfy (46). However, as $\lambda_1$ and $\lambda_2$ are unknown to the *attacker*, general content modification attacks, including the proposed MCoMA, will be detected by the proposed attack detection scheme with high probability.

**Remark 4:** Unlike the model-based attack detection schemes in Refs. 42, 51, and 52, the proposed attack detection scheme has the following advantages: The implementation is model-free, distributed, and computationally light. Being memoryless, the detection response is instantaneous.
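The encode/decode steps (40) and (41) and the finite-difference form of the check used in the proof of Theorem 3, as an added Python example that is not code from the paper. The closed-form coefficient functions, the sender trajectory, the sampling period, the tolerance, the additive form of the modification, and the injection values are all constructed assumptions.

```python
import math

T = 0.01  # sampling period (assumed value)

def lambdas(t):
    # Assumed closed-form coefficients standing in for the solutions of
    # lambda_dot = f(lambda, t); lam1 in [1, 3], lam2 in [-2, -1], so lam1 != lam2.
    return 2.0 + math.sin(t), -1.5 + 0.5 * math.cos(2.0 * t)

def encode(q, qdot, t):
    # Sender side, equation (40).
    lam1, lam2 = lambdas(t)
    return qdot + lam1 * q, qdot + lam2 * q

def decode(r1, r2, t):
    # Receiver side, equation (41).
    lam1, lam2 = lambdas(t)
    a = 1.0 / (lam1 - lam2)
    b = lam2 / (lam2 - lam1)
    c = lam1 / (lam2 - lam1)
    return a * (r1 - r2), b * r1 - c * r2

def first_alarm(steps, attack_step=None, inj=(0.0, 0.0), tol=0.05):
    # Returns the first sample index at which the receiver flags the link, else None.
    q_prev = None
    for k in range(steps):
        t = k * T
        q, qdot = math.sin(t), math.cos(t)  # constructed sender trajectory
        r1, r2 = encode(q, qdot, t)
        if attack_step is not None and k >= attack_step:
            r1, r2 = r1 + inj[0], r2 + inj[1]  # assumed additive modification on the link
        q_rx, qdot_rx = decode(r1, r2, t)
        # Consistency check from the proof: (q_i - q_ip) / T should equal q_i_dot.
        if q_prev is not None and abs((q_rx - q_prev) / T - qdot_rx) > tol:
            return k
        q_prev = q_rx
    return None

if __name__ == "__main__":
    print("clean link:", first_alarm(300))
    print("injection (0.3, -0.2) from sample 100:", first_alarm(300, 100, (0.3, -0.2)))
    print("injection (0.3, 0.3) from sample 100:", first_alarm(300, 100, (0.3, 0.3)))
```

The tolerance has to sit above the finite-difference error of the clean signal, which is on the order of $T/2$ times the acceleration; here that is about 0.005 against a tolerance of 0.05.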

The attack mitigation scheme for general content modification on MAS links will be addressed as part of the future work.

## V. SIMULATION EXAMPLES

Consider a MAS modeled by the graph in Fig. 1 satisfying assumptions **(A1)** and **(A2)**. The Laplacian matrix *L* of this graph is

Firstly, suppose there is no attack and the consensus algorithm (3) with *β* = 2 is implemented for each agent. The simulation results are shown in Figs. 2 and 3. Consensus is reached after 6 s, and the storage function *V* in (9) and its rate $\dot{V}$ converge to zero rapidly. This verifies the efficacy of the existing consensus algorithm as analyzed in Theorem 1.

Secondly, suppose OMCoMA is designed as in Proposition 1 with $\theta = \beta\lambda_n$ and launched as in Fig. 4, wherein the edges (1,5), (2,3), and (4,6) are compromised. The simulation results are shown in Figs. 5 and 6. It is evident that the position and velocity states diverge rapidly, the storage function *V* in (9) keeps increasing rapidly, and its rate $\dot{V}$ is nonnegative. This verifies the effect of the proposed OMCoMA as in Definition 2.

Next, suppose the attack detection scheme in Proposition 2 and the mitigation scheme in Proposition 3 are implemented in the MAS. The above OMCoMA is launched at $t_a = 3$ s. The parameters for the observer-based consensus algorithm (37) and (38) are selected as $p = \tau = 2$, and the initial values $\hat{z}_i, \forall i \in V$ are randomly chosen from [−0.2, 0.2]. The simulation results are shown in Figs. 7 and 8. The position and velocity states converge before 3 s. When OMCoMA is launched at 3 s, it is detected by (29). The MAS switches the consensus algorithm from (3) to (37) and (38). The consensus is finally reached. Additionally, the storage function *V* in (9) and its rate $\dot{V}$ finally converge to zero. This demonstrates that the proposed attack detection and mitigation method secures the consensus under the proposed MCoMA.

## VI. CONCLUSIONS

In this paper, the vulnerability of MAS consensus has been demonstrated by designing and analyzing MCoMA, which ensures that the storage function *V* for MAS consensus satisfies $\lim_{t \to \infty} V = \infty$ with $\dot{V} \geq 0$. An optimal MCoMA is then designed, and an attack detection and mitigation scheme for MCoMA and an attack detection algorithm for general content modification attacks are also proposed. Future work will focus on designing an efficient attack mitigation method for general content modification attacks.

## ACKNOWLEDGMENTS

This work was partially supported by the National Science Foundation under Grant No. ECCS1232127 and by Naval Air Warfare Center Aircraft Division - Pax River, MD under Contract No. N00421132M022.