In this paper, vulnerability of a distributed consensus seeking multi-agent system (MAS) with double-integrator dynamics against edge-bound content modification cyber attacks is studied. In particular, we define a specific edge-bound content modification cyber attack called malignant content modification attack (MCoMA), which results in unbounded growth of an appropriately defined group disagreement vector. Properties of MCoMA are utilized to design detection and mitigation algorithms so as to impart resilience in the considered MAS against MCoMA. Additionally, the proposed detection mechanism is extended to detect the general edge-bound content modification attacks (not just MCoMA). Finally, the efficacies of the proposed results are illustrated through numerical simulations.

Due to the open nature of the communication channel in a networked multi-agent system (MAS), the MAS is vulnerable to various malicious cyber attacks. In this paper, the impact of content modification attack on MAS consensus is rigorously studied by defining and analyzing a specific attack called malignant content modification attack (MCoMA), which results in unbounded growth of an appropriately defined group disagreement vector. Vulnerability of MAS consensus to MCoMA is further demonstrated by the design of an optimal MCoMA that is distributed and compromises the least number of communication links. Fast, distributed, model-free, and computationally light attack detection schemes for both MCoMA and general content modification attack are discussed. The paper also studies an attack mitigation scheme for MCoMA.

The problem of distributed coordination of multi-agent systems is significant due to its broad applications, such as robot networks, sensor networks, formation control, flocking, and swarming. The goal of these problems is to generate a desired collective behavior for multiple agents only by sharing local information. One critical problem is consensus, in which a group of agents reaches agreement on a common value by interacting with neighbors.

A historical view of the consensus problem is presented in Refs. 1–3. A simple discrete-time flocking model given by Ref. 4 is theoretically analyzed in Ref. 5. The agreement, consensus, and synchronization problems for networked multi-agent systems are extensively studied in Refs. 6–20, among others, in which different scenarios are considered including directed/undirected graphs, fixed/switching topologies, network effects, deterministic/stochastic topology, uncertainties/disturbances, and linear/nonlinear dynamics. In practice, a broad class of systems can be modeled by a double-integrator dynamics model, e.g., certain vehicle dynamics can be feedback linearized as double integrators. Thus, considerable research attention has been paid to the consensus-related problem for MAS with double-integrator dynamics (Refs. 21–25). More references on the study of MAS coordination can be found in a recent survey, Ref. 26. Common network effects like delays (Ref. 8), noise (Ref. 19), quantization (Ref. 15), and packet drops (Ref. 17) have been addressed for consensus seeking MAS in the aforementioned works. On the other hand, another malicious and intelligent network factor called cyber attack, which can cause severe disruption or damage to MAS, has begun to receive the attention of the research community.

MAS are a specific form of system commonly known as cyber physical system (CPS). In recent years, the significance of CPS security is being increasingly realized. Since most CPS are safety critical, their failure can damage the critical physical system, for instance, the Stuxnet malware sabotaging Iran's nuclear infrastructure (Ref. 27), the water supervisory control and data acquisition (SCADA) system attack (Refs. 28 and 29), and the power transmission network attack (Ref. 30). Various works have studied different cyber attacks including the denial-of-service (DoS) attack (Ref. 31), where the attacker denies data availability in the system; the replay attack (Ref. 32), where some normal data is recorded and replayed to avoid being detected; and the content modification attack (Ref. 33), where the attacker intentionally modifies the transmitted data of the original system. Various approaches are proposed to address these issues including a quantitative risk management approach (Ref. 34), game theoretical methods (Refs. 35 and 36), control theory (Ref. 37), and physical authentication by watermarked control input (Ref. 38).

As one type of CPS, the consensus seeking MAS is also vulnerable to cyber attacks due to the open nature of the communication network. Some works concerning cyber attacks on MAS consensus have been reported. In Ref. 39, a consensus problem is considered for a first-order MAS with adversarial agents. It is shown that consensus can be reached in complete network topologies whenever there are more cooperative agents than adversarial agents. Ref. 40 again considers a first-order MAS under a specific attacker with linear dynamics, which can insert external signals in the network to destabilize the consensus dynamics. A hidden network is then designed to maintain the system stability. Similarly, Ref. 41 studies the consensus problem for discrete-time multi-agent systems in the presence of adversarial agents and transmission delays. A sufficient condition for the resilient consensus under the proposed protocol is given. References 39–41, including the references therein, only consider MAS consisting of agents with single-integrator dynamics, whereas in the work presented in this paper, we have considered agents with double-integrator dynamics.

In a closely related work, Ref. 42 considers MAS consensus of agents with double-integrator dynamics. Ref. 42 proposes a distributed unknown input observer (UIO) based attack detection and isolation scheme, wherein attacks on both agents and communication links are considered. The shortcomings of this scheme are as follows: the computation burden is too high and the scheme is just semi-distributed. Ref. 43 tries to overcome these limitations, but the assumption that there is no coupling between the dynamics associated with each node limits the application of its scheme. In Ref. 44, a resilient consensus for a MAS with second-order dynamics is studied, in which some malicious nodes prevent the normal nodes from reaching consensus and certain conditions on graphs are imposed to ensure the consensus. In contrast, in the work presented in this paper, none of the agents participating in the consensus process are malicious, and the attacker can only externally influence the states being exchanged by the agents.

Reference 45 considers a secure consensus tracking problem for general linear MAS with connected and disconnected directed switching topologies caused by two types of attacks. Further, sufficient conditions are derived to ensure a secure consensus. Basically, Ref. 45 suggests that an attacker need not attack the complete network but only few of its edges. In this paper, we have rigorously derived the necessary and sufficient conditions on the edges that should be attacked for maximizing the damage to the MAS system with double-integrator dynamics. Further, we also present a detection mechanism to detect the edges being attacked.

In this paper, we consider a consensus problem for a second order MAS with undirected topology under an edge-bound content modification attack, which can externally intercept the communication links and corrupt the data content. The contributions of current paper are as follows:

  • The impact of content modification attack on MAS is rigorously studied by defining and analyzing the MCoMA that can guarantee a storage function V for MAS consensus satisfies $\lim_{t\to\infty}V=\infty$ with $\dot V\ge 0$;

  • An optimal MCoMA that is distributed and compromises the least number of communication links is designed;

  • The fast, distributed, model-free, and computationally light attack detection schemes for both the proposed MCoMA and general content modification attack are discussed. An attack mitigation scheme for MCoMA is also proposed.

The rest of the paper is organized as follows. In Section II, mathematical notations used throughout the paper are described. Section III provides a brief review on graph theory and existing consensus algorithm. In Section IV, the main results are presented. Finally, the simulation results are shown in Section V.

Throughout the paper, the symbols $\mathbb{R}^{n}$, $\mathbb{R}^{n\times m}$ and $\mathbb{R}^{+}$ denote n-dimensional real-valued vectors, n × m matrices with real-valued elements, and the set of positive real numbers, respectively. $|\cdot|$ denotes the Euclidean norm for a vector and the cardinality of a set. $\|\cdot\|_0$ denotes the $l_0$ norm, that is, the total number of non-zero elements in a vector. $I_n$, $0_n$, $0_n$ and $1_n$ denote the n × n identity matrix, n × n zero matrix, n-dimensional column vector of zeros and n-dimensional column vector of ones, respectively. For any matrix $A\in\mathbb{R}^{n\times n}$, $A\succ 0$ denotes that it is positive definite, $A\succeq 0$ denotes that it is positive semidefinite, $A^{T}$ denotes its transpose, $A^{\dagger}$ denotes its generalized inverse, if A is invertible then $A^{-1}$ denotes its inverse, and $A_i$ represents its i-th column. diag denotes the diagonal matrix. ⊗ denotes the Kronecker product. N(·) denotes the null space of a matrix. dim(·) denotes the dimension of a matrix or space.

The MAS can be modeled as graph (Fig. 1). This section reviews some concepts and facts in the graph theory that will be used throughout the paper.

FIG. 1.

Multi-agent system modeled by undirected graph with agents as the nodes and communication links as edges.


Consider a graph $G=\{V,E\}$ consisting of a set of nodes $V=\{1,2,\ldots,n\}$ and a set of edges $E=\{(i,j)\in V\times V \mid i,j\ \text{adjacent}\}$. Nodes i, j are adjacent if there exists an edge (i, j) between the two nodes.

The graph G is called undirected if $(i,j)\in E\Leftrightarrow (j,i)\in E$. The adjacency matrix is a square matrix $A\in\mathbb{R}^{n\times n}$ with element $a_{ij}=1$ if i, j are adjacent and $a_{ij}=0$ otherwise. The diagonal elements $a_{ii}$ are zero since the self-loop case will not be considered. The degree matrix is a diagonal matrix $D\in\mathbb{R}^{n\times n}$ with element $d_i$ equal to the cardinality of node i's neighbor set $N_i=\{j\in V \mid (i,j)\in E\}$. The Laplacian matrix $L\in\mathbb{R}^{n\times n}$ is defined as $L=D-A$, which means its elements are

$$l_{ii}=\sum_{j=1,\,j\neq i}^{n}a_{ij},\qquad l_{ij}=-a_{ij},\ i\neq j. \tag{1}$$

For an undirected graph G, L is symmetric and positive semidefinite. Since every row sum of L is zero, the vector $1_n=[1,1,\ldots,1]^{T}\in\mathbb{R}^{n}$ is a right eigenvector of L associated with the eigenvalue λ = 0, i.e., $L1_n=0$.

A path from node i to j is a sequence of distinct nodes from i to j, such that each pair of consecutive nodes are adjacent. If there is a path from i to j, then i, j are called connected. If all pairs of nodes in G are connected, then G is called connected. For connected graphs, L has exactly one zero eigenvalue. The eigenvalues of L can be listed in increasing order as $0=\lambda_1<\lambda_2\le\cdots\le\lambda_n$. The second smallest eigenvalue $\lambda_2$ is called the algebraic connectivity of a graph, which is a measure of performance/speed of the consensus algorithm (Ref. 8).

This section reviews the existing graph-Laplacian based consensus protocol for MAS with double-integrator dynamics presented in Refs. 23–25.

The MAS is modeled by a graph G={V,E} with agents as the nodes and communication links as edges. The following assumptions hold throughout the paper:

  • (A1) Graph G is undirected and connected.

  • (A2) The communication condition is perfect (network effects are neglected), which can isolate the effect of cyber attack on MAS in Section IV.

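The dynamics of each agent in the MAS are identical and given as:

$$\begin{bmatrix}\dot q_i\\ \ddot q_i\end{bmatrix}=\begin{bmatrix}0&1\\0&0\end{bmatrix}\begin{bmatrix}q_i\\ \dot q_i\end{bmatrix}+\begin{bmatrix}0\\1\end{bmatrix}u_i,\quad i\in V=\{1,2,\ldots,n\}, \tag{2}$$

where $q_i$, $i\in V$ and $\dot q_i$, $i\in V$ are generalized coordinates and their rate of change, respectively. Henceforth, for simplicity we shall just refer to $q_i$ as the position and $\dot q_i$ as the velocity of any agent $i\in V$. The states $q_i,\dot q_i$ are treated as scalars here, but the results can be extended to the higher dimensional case using the Kronecker product.

Consider the distributed consensus protocol proposed in Ref. 24, where

$$u_i=-\sum_{j\in N_i}\left[(q_i-q_j)+\beta(\dot q_i-\dot q_j)\right],\quad i\in V, \tag{3}$$

where $\beta\in\mathbb{R}^{+}$ is referred to as the coupling gain of relative velocities.

Definition 1: Consensus is achieved by the MAS described by (2)–(3), if for any $(i,j)\in V\times V$

$$\lim_{t\to\infty}\left(q_i(t)-q_j(t)\right)=0\quad\text{and}\quad\lim_{t\to\infty}\left(\dot q_i(t)-\dot q_j(t)\right)=0. \tag{4}$$

Let $q=[q_1,q_2,\ldots,q_n]^{T}$, $\dot q=[\dot q_1,\dot q_2,\ldots,\dot q_n]^{T}$ and $x=[q^{T},\dot q^{T}]^{T}$. By applying consensus protocol (3), (2) can be written in compact matrix form as

$$\dot x=\Gamma x,\qquad \Gamma=\begin{bmatrix}0_n&I_n\\-L&-\beta L\end{bmatrix}. \tag{5}$$

Following from these notational substitutions, (4) is equivalent to $x(t)\to E$ as $t\to\infty$, where

$$E:=\{x\in\mathbb{R}^{2n}\mid q\in\operatorname{span}(1_n),\ \dot q\in\operatorname{span}(1_n)\}. \tag{6}$$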

The convergence analysis of consensus protocol (3) is done by Lyapunov function analysis similar to Theorem 1 of Ref. 25.

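Theorem 1: The consensus is achieved by the MAS (2)–(3) for any $\beta\in\mathbb{R}^{+}$.

Proof:

From (A1), both $L$ and $L^{2}$ are positive semidefinite with exactly one zero-valued eigenvalue and

$$N(L)=N(L^{2})=\operatorname{span}(1_n). \tag{7}$$

Let $q=\alpha 1_n+\delta_q$ and $\dot q=\gamma 1_n+\delta_{\dot q}$, where $\delta_q\in\operatorname{span}\{1_n\}^{\perp}$, $\delta_{\dot q}\in\operatorname{span}\{1_n\}^{\perp}$ are referred to as position and velocity disagreement vectors (Ref. 46). The real-valued scalars $\alpha=\frac{1}{n}q^{T}1_n$, $\gamma=\frac{1}{n}\dot q^{T}1_n$ are simply the components of $q$ and $\dot q$ along $1_n$, respectively.

Substituting $q=\alpha 1_n+\delta_q$ and $\dot q=\gamma 1_n+\delta_{\dot q}$ in (5) gives the following dynamics of the disagreement vectors:

$$\dot\delta=\Gamma\delta,\qquad \Gamma=\begin{bmatrix}0_n&I_n\\-L&-\beta L\end{bmatrix}, \tag{8}$$

where $\delta=[\delta_q^{T},\delta_{\dot q}^{T}]^{T}\in D_\delta$ and $\dot\alpha=\gamma$, $\dot\gamma=0$. $D_\delta=\operatorname{span}\{[1_n^{T},0_n^{T}]^{T},[0_n^{T},1_n^{T}]^{T}\}^{\perp}$ is a vector space of dimension $2n-2$. From (7), (8) has a single equilibrium point at the origin in $D_\delta$.

Consider the following storage function of (5)

$$V=\frac{1}{2}x^{T}Px=\frac{1}{2}x^{T}\begin{bmatrix}L^{2}&0_n\\0_n&L\end{bmatrix}x=\frac{1}{2}q^{T}L^{2}q+\frac{1}{2}\dot q^{T}L\dot q. \tag{9}$$

Since $L\succeq 0$, we have $L^{2}\succeq 0$, which implies $P\succeq 0$. Thus $V\ge 0,\ \forall x\in\mathbb{R}^{2n}$.

From (9) and (5), we get

$$\dot V=\frac{1}{2}x^{T}(\Gamma^{T}P+P\Gamma)x=-\beta\dot q^{T}L^{2}\dot q\le 0. \tag{10}$$

Substituting $q=\alpha 1_n+\delta_q$ and $\dot q=\gamma 1_n+\delta_{\dot q}$ in (9) gives

$$V=\frac{1}{2}\delta_q^{T}L^{2}\delta_q+\frac{1}{2}\delta_{\dot q}^{T}L\delta_{\dot q}. \tag{11}$$

From (7), V defined in (11) is positive definite and radially unbounded in $D_\delta$. Thus, V is a Lyapunov candidate function for system (8).

Similarly, substituting $\dot q=\gamma 1_n+\delta_{\dot q}$ in (10) gives

$$\dot V=-\beta\delta_{\dot q}^{T}L^{2}\delta_{\dot q}\le 0. \tag{12}$$

Since V in (11) is radially unbounded and $\dot V\le 0,\ \forall\delta\in D_\delta$, the set $\Omega_c=\{\delta\in D_\delta\mid V\le c,\ c>0\}$ is a compact, positively invariant set. Let

$$S_\delta=\{\delta\in D_\delta\mid \dot V=0\}. \tag{13}$$

From (7), $S_\delta=\{\delta\in D_\delta\mid \delta_{\dot q}=0_n\}$. It is easy to verify that $E_\delta=\{\delta\in D_\delta\mid \delta_q=0_n,\ \delta_{\dot q}=0_n\}$ is the largest invariant set in $S_\delta$. Hence, from LaSalle's invariance principle (Ref. 47), the origin of (8) is globally asymptotically stable.

This implies $x(t)\to E$ as $t\to\infty$. ▪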

In this section, the concept of edge-bound content modification attacks is first formalized in context of the considered MAS. In Subsection IV A, to better understand the vulnerability of MAS and severity of attack issue, a special edge-bound content modification attack called MCoMA is considered from the attacker's perspective, where the attacker's goal is to ensure unboundedness of the storage function (9). In Subsection IV B, an optimal MCoMA is further proposed. In Subsection IV C, from the defender's perspective, an algorithm to detect and mitigate the MCoMA is studied. In Subsection IV D, beyond the discussion of MCoMA, an attack detection scheme for a general edge-bound content modification attack is proposed.

Definition 2: In this paper, the attacker is a malicious external entity which can execute an edge-bound content modification attack by compromising an edge set $\bar E\subseteq E$ and thereby modifying the information being exchanged in the edge set $\bar E$ at will.

The following assumptions hold throughout the paper:

  • (A3) The attacker is able to completely hack the communication links represented by the edges in the set E¯. Here, completely hack refers to the attacker's capability of breaking both the encryption and message authentication code (MAC) of the communication link.

  • (A4) The attack is initiated at t = ta, and MAS state x does not lie in the consensus set E defined in (6) at t = ta, i.e., $x(t_a)\notin E$.

  • (A5) The attacker knows the complete graph topology and consensus protocol (3).

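Definition 3: MCoMA is referred to as an edge-bound content modification attack with a goal to guarantee the storage function V given in (9) satisfies $\lim_{t\to\infty}V=\infty$ with $\dot V\ge 0,\ \forall t\ge t_a$.

Associate a basis vector $e_i$ with every node $i\in V$, where $e_i$ is the i-th column of $I_n$. Let $\bar A$ and $\bar D$ be the adjacency matrix and degree matrix of the subgraph $\bar G:=\{V,\bar E\}$; then the information of node i is available to the attacker if and only if $\|\bar Ae_i\|_0=1_n^{T}\bar Ae_i\neq 0$.

As $\bar A=\bar A^{T}$ (from (A3)), the total number of completely hacked edges associated with node i is given as $1_n^{T}\bar Ae_i$. Define $V_a=\{i\in V\mid 1_n^{T}\bar Ae_i\neq 0\}\subseteq V$ as the set of compromised nodes; hence the attack space, which is defined as $S_a^{n}=\operatorname{span}\{e_i,\ i\in\{1,\ldots,n\}\mid i\in V_a\}$, has dimension $|V_a|$. To simplify the attack analysis, let us define an attack operator

$$O_a=\bar D=\operatorname{diag}(\bar A1_n), \tag{14}$$

which basically maps $\mathbb{R}^{n}$ to $S_a^{n}$ linearly.

For each node $i\in V_a$ and edge $(i,j)\in\bar E$, the attacker can modify the information $(q_i,\dot q_i)$ of node i to $(\tilde q_i,\tilde{\dot q}_i)$ being received by node j as

$$\begin{aligned}\tilde q_i&=q_i+\bar q_{ij},&\bar q_{ij}&=K^{p}_{ij}\left[(O_aq)^{T},(O_a\dot q)^{T}\right]^{T},\\ \tilde{\dot q}_i&=\dot q_i+\bar{\dot q}_{ij},&\bar{\dot q}_{ij}&=K^{v}_{ij}\left[(O_aq)^{T},(O_a\dot q)^{T}\right]^{T},\end{aligned} \tag{15}$$

where $K^{p}_{ij}\in\mathbb{R}^{1\times 2n}$ and $K^{v}_{ij}\in\mathbb{R}^{1\times 2n}$ are termed the position attack gain and velocity attack gain associated with edge $(i,j)\in\bar E$, respectively.

Hence, the effective control input of any node $j\in V_a$ (refer to (3)) is given as

$$\begin{aligned}u_j&=-\sum_{i\in N_j}\left[(q_j-q_i)+\beta(\dot q_j-\dot q_i)\right]+\sum_{i\in\bar N_j}\left[\bar q_{ij}+\beta\bar{\dot q}_{ij}\right],\\ u_j&=-\left[L_j^{T},\beta L_j^{T}\right]x+\bar A_j^{T}(K^{p}_j+\beta K^{v}_j)(I_2\otimes O_a)x,\end{aligned} \tag{16}$$

where $\bar N_j=\{i\in V\mid (i,j)\in\bar E\}$ and $x=[q^{T},\dot q^{T}]^{T}$.

For uniformity, we associate position attack gains and velocity attack gains with every node $j\in V$ (not necessarily in $V_a$) as

$$K^{p}_j=\left[K^{pp}_j\,\middle|\,K^{pv}_j\right]=\begin{bmatrix}K^{p}_{1j}\\ \vdots\\ K^{p}_{nj}\end{bmatrix},\qquad K^{v}_j=\left[K^{vp}_j\,\middle|\,K^{vv}_j\right]=\begin{bmatrix}K^{v}_{1j}\\ \vdots\\ K^{v}_{nj}\end{bmatrix}, \tag{17}$$

where $K^{p}_j,K^{v}_j\in\mathbb{R}^{n\times 2n}$ and $K^{pp}_j,K^{pv}_j,K^{vp}_j,K^{vv}_j\in\mathbb{R}^{n\times n}$ for all $j\in V$. Ideally, if $(i,j)\notin\bar E$ then $K^{p}_{ij}=K^{v}_{ij}=0_{2n}^{T}$. But even if these gains are not identically zero, the adjacency vector $\bar A_j$ associated with $j\in V$ and the attack operator $O_a$ will limit the effect of the attack only to the compromised nodes (nodes that belong to $V_a$).

Substituting (16) in MAS dynamics (5) gives

$$\dot x=\Gamma x+\Delta x,\qquad \Delta=\begin{bmatrix}0_n&0_n\\ \Delta_p&\Delta_v\end{bmatrix}, \tag{18}$$

where

$$\Delta_p=\begin{bmatrix}\bar A_1(K^{pp}_1+\beta K^{vp}_1)\\ \vdots\\ \bar A_n(K^{pp}_n+\beta K^{vp}_n)\end{bmatrix}O_a,\qquad \Delta_v=\begin{bmatrix}\bar A_1(K^{pv}_1+\beta K^{vv}_1)\\ \vdots\\ \bar A_n(K^{pv}_n+\beta K^{vv}_n)\end{bmatrix}O_a, \tag{19}$$

are referred to as attack gains throughout the paper.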

Next, we give sufficient and necessary conditions for the attack (15) to be MCoMA.

Theorem 2: Consider the dynamics of MAS (5) under edge-bound content modification attack (15), i.e., (18). The content modification attack (15) is a MCoMA according to Definition 3 if and only if

  • (a) attack gains $\Delta_p$ and $\Delta_v$ in (18) satisfy $\Delta_p=0_n$ and $R:=-2\beta L^{2}+L\Delta_v+\Delta_v^{T}L\succeq 0$,

  • (b) the set $F\setminus E$ is not positively invariant, where $F:=\{x\in\mathbb{R}^{2n}\mid \dot q^{T}R\dot q=0\}$.

Proof:

Consider the storage function $V=\frac{1}{2}x^{T}Px$ in (9). Clearly, $V=0,\ \forall x\in E$ and $V>0,\ \forall x\in\mathbb{R}^{2n}\setminus E$.

Computing the time derivative of V along the trajectory of (18), we have

$$\dot V=\frac{1}{2}x^{T}(\Gamma^{T}P+P\Gamma+\Delta^{T}P+P\Delta)x=\frac{1}{2}x^{T}\begin{bmatrix}0_n&\Delta_p^{T}L\\ L\Delta_p&R\end{bmatrix}x:=\frac{1}{2}x^{T}Mx. \tag{20}$$

1. Sufficiency: From (A4), $x(t_a)\notin E$, thus $V(t_a)$ is positive. Now

If (a) $\Delta_p=0_n$ and $R\succeq 0$, then $\dot V\ge 0$. Thus, $V>0$ and $x\notin E,\ \forall t\ge t_a$.

For condition (b), we need to first show $E\subseteq F$. For $x\in E$, we have $\dot q\in\operatorname{span}(1_n)$. We can easily verify that $\dot q^{T}R\dot q=0$ when $\dot q\in\operatorname{span}(1_n)$. Thus, $x\in F$, which implies $E\subseteq F$.

If (b) the set $F\setminus E$ is not positively invariant, $\dot V$ will not always stay at 0, thus $V\to\infty$ as $t\to\infty$.

Hence, by Definition 3, the content modification attack is MCoMA.

2. Necessity: By Definition 3, if the content modification attack is MCoMA, then $\dot V\ge 0$ in (20), which implies $M\succeq 0$. By the generalized Schur's complement condition (Ref. 48), for $M\succeq 0$, we should have $R\succeq 0$ and $-\Delta_p^{T}LR^{\dagger}L\Delta_p\succeq 0$. This can only be satisfied when $\Delta_p=0_n$. Further, $V\to\infty$ as $t\to\infty$ implies the set $F\setminus E$ should not be positively invariant. Hence, both (a) and (b) are necessary. ▪

Since the attack gains (19) are constant matrices, the proposed MCoMA is referred to as static MCoMA.

Remark 1: Amongst all possible choices for the attacker to modify the data content in the compromised link, the proposed MCoMA guarantees a nonnegative increase rate of the storage function (9) and ensures that $\lim_{t\to\infty}V=\infty$. This could be catastrophic for the individual agent in the MAS and in some cases, can even cause physical damage to the agents.

Remark 2: Given $O_a$ and $\bar A$, the attacker can compute the position attack gains and velocity attack gains by choosing an appropriate $Q=Q^{T}\succ 0$ such that the following feasibility problem has a nonempty solution set. This problem is a linear programming problem as the constraints are all linear matrix inequalities (LMI), which can be solved efficiently.

$$\begin{aligned}&\text{minimize}\quad 1\\ &\text{subject to:}\quad (C1)\ \Delta_p=0_n,\qquad (C2)\ L\Delta_v+\Delta_v^{T}L=Q+2\beta L^{2}.\end{aligned} \tag{21}$$

If there exists $Q=Q^{T}\succ 0$ such that the solution set of (21) is nonempty, then clearly $R=Q\succ 0$ and condition (a) of Theorem 2 holds. $R\succ 0$ implies $F\setminus E=\{x\in\mathbb{R}^{2n}\mid q\notin\operatorname{span}(1_n),\ \dot q=0_n\}$ and from (18) we get $\ddot q=-Lq\neq 0_n$ in $F\setminus E$, which makes $F\setminus E$ a non-invariant set. Hence, the edge-bound content modification attack with position attack gains and velocity attack gains belonging to the solution set of (21) is MCoMA.

In order to maximize the damage and minimize the cost of attack at the same time, it is desirable for a MCoMA to be distributed and to compromise the least number of edges possible in any given graph.

A distributed MCoMA means that for any $(i,j)\in\bar E$, only the i-th and j-th elements of the associated $K^{p}_{ij}$ and $K^{v}_{ij}$ are non-zero. In words, this means that a content modification of states being exchanged on any one completely hacked link is not dependent in any way on the content modification of states being exchanged on any other completely hacked links. For this reason, distributed MCoMA is much easier to execute and has higher scalability and lower communication cost.

Definition 4: The optimal MCoMA or OMCoMA is referred to as a MCoMA which is distributed and compromises the least number of edges for any given graph.

The next proposition gives a distributed MCoMA design:

Proposition 1: Consider the dynamics of MAS (5) under edge-bound content modification attack (15), i.e., (18). If

$$\Delta_p=0_n,\qquad \Delta_v=\Delta_v^{T}=\theta I_n, \tag{22}$$

where θ satisfies $\theta\ge\beta\lambda_n$, where $\lambda_n$ is the maximum eigenvalue of the Laplacian matrix L, then the content modification attack (15) is a MCoMA.

Before the proof is provided, a lemma which will be used in the proof is stated as follows:

Lemma 1: (Theorem 3 in Ref. 49) Let A and B be two real positive semidefinite matrices, then $AB\succeq 0$ if and only if AB is normal.

Now the proof of Proposition 1 is given:

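Proof:

Choosing $\Delta_v^{T}=\Delta_v=\theta I_n$, we have

$$R=-2\beta L^{2}+2L\Delta_v=2L(\Delta_v-\beta L)=2L(\theta I_n-\beta L). \tag{23}$$

Since $\theta\ge\beta\lambda_n$, we have $\theta I_n-\beta L\succeq 0$. Now from Lemma 1, $R=2L(\theta I_n-\beta L)\succeq 0$ since R is normal, and thus condition (a) in Theorem 2 is satisfied.

As $L=T\Lambda T^{-1}$ by a similarity transformation and from (7), we get

$$R=2L(\theta I_n-\beta L)=T(2\theta\Lambda-2\beta\Lambda^{2})T^{-1}, \tag{24}$$

where $2\theta\Lambda-2\beta\Lambda^{2}$ also has exactly one zero eigenvalue, which means $\dim(N(R))=1$ and $N(R)=\operatorname{span}(1_n)$.

This implies

$$F=\{x\in\mathbb{R}^{2n}\mid \dot q^{T}R\dot q=0\}=\{x\in\mathbb{R}^{2n}\mid \dot q\in\operatorname{span}(1_n)\}. \tag{25}$$

Hence, $F\setminus E=\{x\in\mathbb{R}^{2n}\mid \dot q\in\operatorname{span}(1_n),\ q\notin\operatorname{span}(1_n)\}$.

With $\Delta_p,\Delta_v$ defined in (22), the velocity dynamics can be written as

$$\ddot q=-Lq-\beta L\dot q+\theta I_n\dot q. \tag{26}$$

Multiplying by L on both sides of the equation, we get

$$L\ddot q=-L^{2}q-\beta L^{2}\dot q+\theta L\dot q. \tag{27}$$

When the system state is in $F\setminus E$, $L\dot q=0_n$, $L^{2}\dot q=0_n$ and $L^{2}q\neq 0_n$, thus $L\ddot q\neq 0_n$, which implies $\ddot q\notin\operatorname{span}(1_n)$. Thus, $F\setminus E$ is not a positively invariant set, which satisfies condition (b) in Theorem 2.

Hence, by Theorem 2, the content modification attack given in the proposition is MCoMA. ▪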

Observing the MCoMA injection term $\theta I_n\dot q$ in (26), it is evident that the proposed static MCoMA in Proposition 1 is in fact distributed, i.e., there is no information exchange required between the attacks targeting different edges.

The result proposed in the following corollary of Theorem 2 is critical for the design of MCoMA with minimum $|\bar E|$.

Corollary 1: For a graph $G=\{V,E\}$, suppose the attack space of MCoMA is denoted by $S_a^{n}$ as defined in Subsection IV A and $\dim(S_a^{n})=|V_a|$, then we always have $|V_a|=|V|$.

Proof: Clearly, for any edge-bound content modification attack, we have $|V_a|\le|V|$.

(Proof by Contradiction.) Assume $|V_a|<|V|$, which means some of the nodes are not compromised by the MCoMA. This implies that there exists a non-zero number of zero rows in matrix $\Delta_v$, and symmetrically, there exist zero columns in $\Delta_v$. Consequently, the corresponding diagonal element(s) of $L\Delta_v+\Delta_v^{T}L$ are zero as well. Hence, the matrix R as defined in (a) of Theorem 2 has negative diagonal element(s) and hence is not positive semidefinite. However, a necessary condition for a content modification attack to be MCoMA is $R\succeq 0$ (refer to Theorem 2). This contradicts the given fact that the content modification is MCoMA.

Hence, by contradiction |Va|<|V| cannot hold, thus |Va|=|V|. ▪

The implications of Corollary 1 are

  • None of the diagonal entries of the attack operator Oa is zero for MCoMA.

  • The OMCoMA design problem is now reduced to the minimum edge cover problem (given in (28)): finding the least number of compromised edges such that every node of the graph is incident to at least one edge in the set $\bar E$
    $$\underset{(i,j)\in E}{\text{minimize}}\ |\bar E|\quad\text{subject to:}\quad\bigcup_{(i,j)\in\bar E}\{i,j\}=V. \tag{28}$$

Note: The minimum edge cover problem (28) is also known as maximum matching problem. Ref. 50 introduces an algorithm in Section 10.5 to solve this problem for a graph $G=\{V,E\}$ in $O(|V|^{4})$ time.

To summarize, OMCoMA defined in Definition 4 can be designed as follows:

  • Firstly, solve the minimum edge cover problem (28) to obtain optimal E¯.

  • Secondly, implement the distributed attack based on Proposition 1.

In this subsection, an attack detection and mitigation scheme for MAS consensus against the static MCoMA in Theorem 2 is proposed.

1. Attack detection

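Firstly, the attack detection scheme for static MCoMA is presented based on the physical relation of transmitted data, which in this case means that the received velocities and positions should be coherent at all times. To further interpret this, let us consider one compromised edge $(i,j)\in\bar E$. Suppose the attacker modifies $(q_i,\dot q_i)$ to $(\tilde q_i,\tilde{\dot q}_i)$; the data will only be accepted by agent j when the following detection condition is satisfied:

$$\tilde{\dot q}_i(t)=\dot{\tilde q}_i(t),\quad\forall t\ge 0. \tag{29}$$

The following proposition demonstrates that the proposed static MCoMA can be detected with the simple detection condition (29).

Proposition 2: Consider the dynamics of MAS (5) under edge-bound content modification attack (15), i.e., (18). The static MCoMA in Theorem 2 will be detected if the detection condition (29) is checked for received data at all the agents in the MAS.

Proof:

For each node $i\in V_a$ and edge $(i,j)\in\bar E$, consider the attack (15)

$$\tilde q_i=q_i+\bar q_i=q_i+K^{p}_{ij}(I_2\otimes O_a)x,\qquad \tilde{\dot q}_i=\dot q_i+\bar{\dot q}_i=\dot q_i+K^{v}_{ij}(I_2\otimes O_a)x, \tag{30}$$

where $K^{p}_{ij}=[K^{pp}_{ij}\,|\,K^{pv}_{ij}]$ and $K^{v}_{ij}=[K^{vp}_{ij}\,|\,K^{vv}_{ij}]$ with $K^{pp}_{ij},K^{pv}_{ij},K^{vp}_{ij},K^{vv}_{ij}\in\mathbb{R}^{1\times n}$.

For a MCoMA, $\Delta_p$ and $\Delta_v$ in (18) satisfy $\Delta_p=0_n$ and $R=-2\beta L^{2}+L\Delta_v+\Delta_v^{T}L\succeq 0$ as shown in Theorem 2, which implies $K^{p}_{ij}=[0_n^{T}\,|\,K^{pv}_{ij}]$ and $K^{v}_{ij}=[0_n^{T}\,|\,K^{vv}_{ij}]$.

(Proof by Contradiction.) Now assume the MCoMA avoids the detection condition (29) imposed on (30), which means the attacker can make

$$K^{v}_{ij}(I_2\otimes O_a)x=K^{p}_{ij}(I_2\otimes O_a)\dot x. \tag{31}$$

Substituting (18) into the above equation gives

$$K^{v}_{ij}(I_2\otimes O_a)x=K^{p}_{ij}(I_2\otimes O_a)(\Gamma+\Delta)x. \tag{32}$$

The left hand side of (32) is

$$K^{v}_{ij}(I_2\otimes O_a)x=\left[0_n^{T}\,\middle|\,K^{vv}_{ij}\right]\begin{bmatrix}O_a&0_n\\0_n&O_a\end{bmatrix}x=\left[0_n^{T}\,\middle|\,K^{vv}_{ij}O_a\right]x. \tag{33}$$

The right hand side of (32) is

$$\begin{aligned}K^{p}_{ij}(I_2\otimes O_a)(\Gamma+\Delta)x&=\left[0_n^{T}\,\middle|\,K^{pv}_{ij}\right]\begin{bmatrix}O_a&0_n\\0_n&O_a\end{bmatrix}\begin{bmatrix}0_n&I_n\\-L&-\beta L+\Delta_v\end{bmatrix}x\\&=\left[0_n^{T}\,\middle|\,K^{pv}_{ij}\right]\begin{bmatrix}0_n&O_a\\-O_aL&-\beta O_aL+O_a\Delta_v\end{bmatrix}x\\&=\left[-K^{pv}_{ij}O_aL\,\middle|\,K^{pv}_{ij}(-\beta O_aL+O_a\Delta_v)\right]x.\end{aligned} \tag{34}$$

So (32) is equivalent to

$$\left[0_n^{T}\,\middle|\,K^{vv}_{ij}O_a\right]x=\left[-K^{pv}_{ij}O_aL\,\middle|\,K^{pv}_{ij}(-\beta O_aL+O_a\Delta_v)\right]x. \tag{35}$$

To make the above equality hold, the attacker has to choose $K^{pv}_{ij}=K^{vv}_{ij}=0_n^{T}$, which further implies $\Delta_v=0_n$ and thereby $R=-2\beta L^{2}$ is negative semidefinite.

However, the MCoMA requires $R\succeq 0$. Hence, by contradiction, the static MCoMA in Theorem 2 will be detected by the detection condition (29), which completes the proof. ▪

In practice, (29) may be relaxed to

$$\left|\tilde{\dot q}_i-\dot{\tilde q}_i\right|\le\epsilon,\quad\forall t\ge 0, \tag{36}$$

where $\epsilon\in\mathbb{R}^{+}$ can be determined empirically.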

2. Attack mitigation

In this part, a velocity observer from Ref. 24 is used to mitigate the proposed static MCoMA.

Proposition 3: Consider the dynamics of MAS (5) under edge-bound content modification attack (15), i.e., (18). Once the proposed static MCoMA is detected, each agent $i\in V$ transmits $(q_i,0)$ instead of $(q_i,\dot q_i)$ and switches to the following local observer based consensus algorithm (Ref. 24) for MAS dynamics (2):

$$u_i=-\sum_{j\in N_i}(q_i-q_j)-p\,\dot{\hat z}_i, \tag{37}$$

$$\dot{\hat z}_i=-\tau\hat z_i+\sum_{j\in N_i}(q_i-q_j),\quad i\in V, \tag{38}$$

where $p,\tau\in\mathbb{R}^{+}$ and $\hat z_i$ is the observer state.

With the above attack mitigation scheme, the consensus of MAS defined by Definition 1 is still achieved under the static MCoMA.

Proof:

By (30) and (33), the injection signals are

$$\begin{aligned}\bar q_i&=K^{p}_{ij}(I_2\otimes O_a)x=\left[0_n^{T}\,\middle|\,K^{pv}_{ij}O_a\right]x=K^{pv}_{ij}O_a\dot q,\\ \bar{\dot q}_i&=K^{v}_{ij}(I_2\otimes O_a)x=\left[0_n^{T}\,\middle|\,K^{vv}_{ij}O_a\right]x=K^{vv}_{ij}O_a\dot q,\end{aligned} \tag{39}$$

which are in static feedback form of the velocities.

Since each agent $i\in V$ transmits $(q_i,0)$ instead of $(q_i,\dot q_i)$ once the MCoMA is detected, from (39) the injection signals are zero.

Thus, for each agent $i\in V$, the received position information $q_j,\ j\in N_i$ for consensus algorithm (37) and (38) is not compromised.

The convergence analysis for the local observer based consensus algorithm (37) and (38) is omitted here; the reader is referred to Theorem 4.1 in Ref. 24. ▪

In Subsection IV C, we have proposed an attack detection and mitigation scheme for static MCoMA, which is a special content modification attack with the goal to blow up the storage function. In other cases, an attacker may not want to launch the MCoMA but may want to launch a general edge-bound content modification attack to just disrupt the MAS consensus. Thus, in this subsection, an attack detection scheme against general edge-bound content modification attack on MAS links will be proposed by relying on the detection condition (29) for MAS consensus.

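Consider a MAS modeled by a graph $G=\{V,E\}$ satisfying assumptions (A1) and (A2). The implementation details of the proposed attack detection scheme are as follows:

  • For $i\in V$, instead of transmitting $(\dot q_i,q_i)$, the encoded data packet $(r_{i1},r_{i2})$ is transmitted, where $(r_{i1},r_{i2})$ are encoded as
    $$\begin{aligned}r_{i1}&=\dot q_i+\lambda_1q_i,&\dot\lambda_1&=f_1(\lambda_1,t),\\ r_{i2}&=\dot q_i+\lambda_2q_i,&\dot\lambda_2&=f_2(\lambda_2,t),\end{aligned} \tag{40}$$
    where the functions $f_1$, $f_2$ are known to all agents and defined as
    $$f_1:\mathbb{R}\times\mathbb{R}\to\mathbb{R},\ (\lambda_1,t)\mapsto\dot\lambda_1;\qquad f_2:\mathbb{R}\times\mathbb{R}\to\mathbb{R},\ (\lambda_2,t)\mapsto\dot\lambda_2,$$

    such that $\lambda_1\neq\lambda_2,\ \forall t\ge 0$. The scalars $\lambda_1(0),\lambda_2(0)$ are shared securely between the agents when consensus starts, thus the attacker does not know the value of $\lambda_1$, $\lambda_2$ during consensus.

  • After transmission, $\dot q_i,q_i$ are obtained by decoding $(r_{i1},r_{i2})$ for agent $j\in N_i$ as
    $$q_i=a(r_{i1}-r_{i2}),\qquad \dot q_i=br_{i1}-cr_{i2}, \tag{41}$$

    where $a=1/(\lambda_1-\lambda_2)$, $b=\lambda_2/(\lambda_2-\lambda_1)$, $c=\lambda_1/(\lambda_2-\lambda_1)$.

  • After decoding, the detection condition (29) is checked. If the condition is not violated, $\dot q_i,q_i$ is utilized in the control (3) for agent $j\in N_i$. Otherwise, the attack is detected.

Theorem 3: With the proposed attack detection scheme, for $i\in V$, suppose the attacker modifies $(r_{i1},r_{i2})$ to $(\tilde r_{i1},\tilde r_{i2})$ as

$$\tilde r_{i1}=r_{i1}+\bar r_{i1},\qquad \tilde r_{i2}=r_{i2}+\bar r_{i2}, \tag{42}$$

where the signals $\bar r_{i1},\bar r_{i2}$ constitute the injection attack. The content modification attack will be detected by the detection condition (29) if

$$\frac{\bar r_{i1}}{\bar r_{i2}}\neq\frac{1+T\lambda_1}{1+T\lambda_2}, \tag{43}$$

where $\lambda_1$, $\lambda_2$ are encoding coefficients in (40), and T is a sufficiently small sampling period for (5).

Proof:

In practical implementation, the detection condition (29) is checked by $(q_i-q_{ip})/T=\dot q_i$, where $q_{ip}$ is the position at the previous time instance.

Assume the content modification attack is launched as (42). Now by decoding scheme (41)

$$\tilde q_i=a(\tilde r_{i1}-\tilde r_{i2}),\qquad \tilde{\dot q}_i=b\tilde r_{i1}-c\tilde r_{i2}. \tag{44}$$

Now executing (29) and substituting (41)

$$\frac{\tilde q_i-q_{ip}}{T}=\frac{q_i-q_{ip}}{T}+\frac{a(\bar r_{i1}-\bar r_{i2})}{T},\qquad \tilde{\dot q}_i=\dot q_i+b\bar r_{i1}-c\bar r_{i2}. \tag{45}$$

In order to make $(\tilde q_i-q_{ip})/T=\tilde{\dot q}_i$, it requires $a(\bar r_{i1}-\bar r_{i2})/T=b\bar r_{i1}-c\bar r_{i2}$, which is equivalent to

$$\frac{\bar r_{i1}}{\bar r_{i2}}=\frac{a-Tc}{a-Tb}=\frac{1+T\lambda_1}{1+T\lambda_2}. \tag{46}$$

Since $\lambda_1$ and $\lambda_2$ are unknown to the attacker during the consensus, the content modification attack as (42) will be detected by (29) once (46) is not satisfied. ▪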

Remark 3: If the attacker wants to bypass the proposed attack detection scheme, the injection attack signal should satisfy (46). However, as $\lambda_1$ and $\lambda_2$ are unknown to the attacker, the general content modification attacks including the proposed MCoMA will be detected by the proposed attack detection scheme with high probability.

Remark 4: Unlike the model-based attack detection schemes in Refs. 42, 51, and 52, the proposed attack detection scheme has the following advantages: The implementation is model-free, distributed, and computationally light. Being memoryless, the detection response is instantaneous.
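The receiver-side check of this scheme can be sketched as follows; this is an added example, not the authors' implementation. It encodes with (40), decodes with (41), and evaluates the finite-difference form of (29) used in the proof of Theorem 3. The key dynamics `f1`, `f2`, the initial λ values, the sampling period, the threshold and the sine trajectory are all constructed for illustration.

```python
import math

T = 0.01     # sampling period (constructed value)
EPS = 0.02   # threshold for the relaxed condition (36) (constructed value)


def f1(lam, t):
    """Hypothetical key dynamics for lambda_1 (the paper only requires f1 to be shared)."""
    return 0.3


def f2(lam, t):
    """Hypothetical key dynamics for lambda_2; chosen so lambda_1 != lambda_2 for all t."""
    return -0.2


def key_schedule(lam1_0, lam2_0, steps):
    """Euler-integrate the lambda dynamics of (40); sender and receiver both run this."""
    keys = [(lam1_0, lam2_0)]
    for k in range(steps):
        l1, l2 = keys[-1]
        keys.append((l1 + T * f1(l1, k * T), l2 + T * f2(l2, k * T)))
    return keys


def encode(q, qd, l1, l2):
    """Sender side, Eq. (40)."""
    return qd + l1 * q, qd + l2 * q


def decode(r1, r2, l1, l2):
    """Receiver side, Eq. (41)."""
    a = 1.0 / (l1 - l2)
    b = l2 / (l2 - l1)
    c = l1 / (l2 - l1)
    return a * (r1 - r2), b * r1 - c * r2


def state(t):
    """Constructed agent trajectory: position sin(t), velocity cos(t)."""
    return math.sin(t), math.cos(t)


def residual(k, keys, injection=(0.0, 0.0)):
    """Coherence residual (q_k - q_{k-1})/T - qd_k seen by the receiver at step k.

    The sample at step k-1 is clean and `injection` is added to (r1, r2) at
    step k, matching the setting of the proof of Theorem 3.
    """
    q_prev, _ = decode(*encode(*state((k - 1) * T), *keys[k - 1]), *keys[k - 1])
    r1, r2 = encode(*state(k * T), *keys[k])
    q, qd = decode(r1 + injection[0], r2 + injection[1], *keys[k])
    return (q - q_prev) / T - qd


def detected(k, keys, injection=(0.0, 0.0)):
    return abs(residual(k, keys, injection)) > EPS


def bypass_ratio(l1, l2):
    """Right-hand side of (43)/(46); computing it requires the secret keys."""
    return (1.0 + T * l1) / (1.0 + T * l2)


if __name__ == "__main__":
    keys = key_schedule(1.5, -0.7, 500)   # constructed shared secrets
    k = 300
    print("clean sample flagged:      ", detected(k, keys))
    print("blind injection flagged:   ", detected(k, keys, (0.3, 0.3)))
    rho = bypass_ratio(*keys[k])
    print("ratio (46) with true keys: ", detected(k, keys, (rho * 0.3, 0.3)))
    guess = bypass_ratio(1.0, -1.0)       # ratio built from wrong key values
    print("ratio (46) with wrong keys:", detected(k, keys, (guess * 0.3, 0.3)))
```

Only an injection whose ratio matches (46) for the current keys leaves the residual unchanged, which is why the secrecy of λ1(0), λ2(0) carries the scheme.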

The attack mitigation scheme for general content modification on MAS links will be addressed as part of the future work.

Consider a MAS modeled by the graph in Fig. 1, satisfying assumptions (A1) and (A2). The Laplacian matrix L of this graph is

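$$L = \begin{bmatrix} 2 & -1 & 0 & 0 & -1 & 0 \\ -1 & 3 & -1 & 0 & -1 & 0 \\ 0 & -1 & 2 & -1 & 0 & 0 \\ 0 & 0 & -1 & 3 & -1 & -1 \\ -1 & -1 & 0 & -1 & 3 & 0 \\ 0 & 0 & 0 & -1 & 0 & 1 \end{bmatrix}.$$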

First, suppose there is no attack and the consensus algorithm (3) with β = 2 is implemented for each agent. The simulation results are shown in Figs. 2 and 3. Consensus is reached after 6 s, and the storage function V in (9) and its rate V̇ converge to zero rapidly. This verifies the efficacy of the existing consensus algorithm as analyzed in Theorem 1.

FIG. 2.

The position and velocity states of MAS under consensus algorithm (3).

FIG. 3.

The storage function V and storage function rate V̇ of MAS under consensus algorithm (3).


Second, suppose OMCoMA is designed as in Proposition 1 with $\theta = \beta\lambda_n$ and launched as in Fig. 4, wherein the edges (1,5), (2,3), and (4,6) are compromised. The simulation results are shown in Figs. 5 and 6. The position and velocity states diverge rapidly, the storage function V in (9) keeps increasing rapidly, and its rate V̇ is nonnegative. This verifies the effect of the proposed OMCoMA as in Definition 2.

FIG. 4.

An instance of minimum edge cover for graph in Fig. 1.

FIG. 5.

The position and velocity states of MAS under OMCoMA.

FIG. 6.

The storage function V and the storage function rate V̇ of MAS under OMCoMA.


Next, suppose the attack detection scheme in Proposition 2 and the mitigation scheme in Proposition 3 are implemented in the MAS. The above OMCoMA is launched at $t_a = 3$ s. The parameters for the observer-based consensus algorithm (37) and (38) are selected as $p = \tau = 2$, and the initial values $\hat z_i$, $i \in \mathcal{V}$, are randomly chosen from [−0.2, 0.2]. The simulation results are shown in Figs. 7 and 8. The position and velocity states converge before 3 s. When OMCoMA is launched at 3 s, it is detected by (29), and the MAS switches the consensus algorithm from (3) to (37) and (38). Consensus is finally reached. Additionally, the storage function V in (9) and its rate V̇ finally converge to zero. This demonstrates that the proposed attack detection and mitigation method secures the consensus under the proposed MCoMA.

FIG. 7.

The position and velocity states of MAS under OMCoMA with attack detection scheme in Proposition 2 and mitigation scheme in Proposition 3.

FIG. 8.

The storage function V and storage function rate V̇ of MAS under OMCoMA with attack detection scheme in Proposition 2 and mitigation scheme in Proposition 3.


In this paper, the vulnerability of MAS consensus has been demonstrated by designing and analyzing MCoMA, which ensures that the storage function V for MAS consensus satisfies $\lim_{t \to \infty} V = \infty$ with $\dot V \geq 0$. An optimal MCoMA is then designed, and an attack detection and mitigation scheme for MCoMA and an attack detection algorithm for general content modification attacks are also proposed. Future work will focus on designing an efficient attack mitigation method for general content modification attacks.

This work was partially supported by the National Science Foundation under Grant No. ECCS1232127 and by Naval Air Warfare Center Aircraft Division - Pax River, MD under Contract No. N00421132M022.

1. M. H. DeGroot, “Reaching a consensus,” J. Am. Stat. Assoc. 69, 118–121 (1974).
2. J. N. Tsitsiklis, D. P. Bertsekas, and M. Athans, “Distributed asynchronous deterministic and stochastic gradient optimization algorithms,” in 1984 American Control Conference (1984), pp. 484–489.
3. N. A. Lynch, Distributed Algorithms (Morgan Kaufmann, 1996).
4. T. Vicsek, A. Czirók, E. Ben-Jacob, I. Cohen, and O. Shochet, “Novel type of phase transition in a system of self-driven particles,” Phys. Rev. Lett. 75, 1226 (1995).
5. A. Jadbabaie, J. Lin, and A. S. Morse, “Coordination of groups of mobile autonomous agents using nearest neighbor rules,” IEEE Trans. Autom. Control 48, 988–1001 (2003).
6. R. Olfati-Saber and R. M. Murray, “Consensus protocols for networks of dynamic agents,” in Proceedings of the 2003 American Controls Conference (2003).
7. J. A. Fax and R. M. Murray, “Information flow and cooperative control of vehicle formations,” IEEE Trans. Autom. Control 49, 1465–1476 (2004).
8. R. Olfati-Saber and R. M. Murray, “Consensus problems in networks of agents with switching topology and time-delays,” IEEE Trans. Autom. Control 49, 1520–1533 (2004).
9. L. Moreau, “Stability of multiagent systems with time-dependent communication links,” IEEE Trans. Autom. Control 50, 169–182 (2005).
10. W. Ren, R. W. Beard et al., “Consensus seeking in multiagent systems under dynamically changing interaction topologies,” IEEE Trans. Autom. Control 50, 655–661 (2005).
11. Y. Hatano and M. Mesbahi, “Agreement over random networks,” IEEE Trans. Autom. Control 50, 1867–1872 (2005).
12. N. Chopra and M. W. Spong, “Passivity-based control of multi-agent systems,” in Advances in Robot Control (Springer, 2006), pp. 107–134.
13. W. Wang and J.-J. E. Slotine, “Contraction analysis of time-delayed communications and group cooperation,” IEEE Trans. Autom. Control 51, 712–717 (2006).
14. S. Boyd, A. Ghosh, B. Prabhakar, and D. Shah, “Randomized gossip algorithms,” IEEE/ACM Trans. Networking 14, 2508–2530 (2006).
15. A. Kashyap, T. Başar, and R. Srikant, “Quantized consensus,” Automatica 43, 1192–1203 (2007).
16. N. Chopra and M. W. Spong, “Output synchronization of nonlinear systems with relative degree one,” in Recent Advances in Learning and Control (Springer, 2008), pp. 51–64.
17. P. Hovareshti, J. S. Baras, and V. Gupta, “Average consensus over small world networks: A probabilistic framework,” in 47th IEEE Conference on Decision and Control, 2008 (CDC 2008) (IEEE, 2008), pp. 375–380.
18. Y. Zhang and Y.-P. Tian, “Consentability and protocol design of multi-agent systems with stochastic switching topology,” Automatica 45, 1195–1201 (2009).
19. T. Li and J.-F. Zhang, “Mean square average-consensus under measurement noises and fixed topologies: Necessary and sufficient conditions,” Automatica 45, 1929–1936 (2009).
20. H. Kim, H. Shim, and J. H. Seo, “Output consensus of heterogeneous uncertain linear multi-agent systems,” IEEE Trans. Autom. Control 56, 200–206 (2011).
21. H. G. Tanner, A. Jadbabaie, and G. J. Pappas, “Stable flocking of mobile agents, Part I: Fixed topology,” in Proceedings of the 42nd IEEE Conference on Decision and Control, 2003 (IEEE, 2003), Vol. 2, pp. 2010–2015.
22. R. O. Saber and R. M. Murray, “Flocking with obstacle avoidance: Cooperation with limited communication in mobile networks,” in Proceedings of the 42nd IEEE Conference on Decision and Control, 2003 (IEEE, 2003), Vol. 2, pp. 2022–2028.
23. W. Ren and E. Atkins, “Distributed multi-vehicle coordinated control via local information exchange,” Int. J. Robust Nonlinear Control 17, 1002–1033 (2007).
24. W. Ren and R. W. Beard, “Consensus algorithms for double-integrator dynamics,” in Distributed Consensus in Multi-vehicle Cooperative Control: Theory and Applications (Springer, 2008), pp. 77–104.
25. J. Qin, W. X. Zheng, and H. Gao, “Coordination of multiple agents with double-integrator dynamics under generalized interaction topologies,” IEEE Trans. Syst., Man, Cybern., Part B: Cybern. 42, 44–57 (2012).
26. Y. Cao, W. Yu, W. Ren, and G. Chen, “An overview of recent progress in the study of distributed multi-agent coordination,” IEEE Trans. Ind. Inf. 9, 427–438 (2013).
27. N. Falliere, L. O. Murchu, and E. Chien, “W32.Stuxnet Dossier,” White paper, Symantec Corp., Security Response 5 (2011).
28. S. Amin, X. Litrico, S. Sastry, and A. M. Bayen, “Cyber security of water SCADA systems-Part I: Analysis and experimentation of stealthy deception attacks,” IEEE Trans. Control Syst. Technol. 21, 1963–1970 (2013).
29. S. Amin, X. Litrico, S. S. Sastry, and A. M. Bayen, “Cyber security of water SCADA systems-Part II: Attack detection using enhanced hydrodynamic models,” IEEE Trans. Control Syst. Technol. 21, 1679–1693 (2013).
30. S. Gorman, “Electricity grid in U.S. penetrated by spies,” Wall Street J. 8, A1 (2009).
31. H. S. Foroush and S. Martínez, “On event-triggered control of linear systems under periodic denial-of-service jamming attacks,” in Annual Conference on Decision and Control (CDC) (2012), pp. 2551–2556.
32. Y. Mo and B. Sinopoli, “Secure control against replay attacks,” in 47th Annual Allerton Conference on Communication, Control, and Computing, 2009 (Allerton 2009) (IEEE, 2009), pp. 911–918.
33. Y. Mo and B. Sinopoli, “Integrity attacks on cyber-physical systems,” in Proceedings of the 1st International Conference on High Confidence Networked Systems (ACM, 2012), pp. 47–54.
34. A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, “Secure control systems: A quantitative risk management approach,” IEEE Control Syst. 35, 24–45 (2015).
35. Q. Zhu and T. Basar, “Game-theoretic methods for robustness, security, and resilience of cyberphysical control systems: Games-in-games principle for optimal cross-layer resilient control systems,” IEEE Control Syst. 35, 46–65 (2015).
36. S. Amin, G. Schwartz, A. Cardenas, S. S. Sastry et al., “Game-theoretic models of electricity theft detection in smart utility networks: Providing new capabilities with advanced metering infrastructure,” IEEE Control Syst. 35, 66–81 (2015).
37. F. Pasqualetti, F. Dorfler, and F. Bullo, “Control-theoretic methods for cyberphysical security: Geometric principles for optimal cross-layer resilient control systems,” IEEE Control Syst. 35, 110–127 (2015).
38. Y. Mo, S. Weerakkody, and B. Sinopoli, “Physical authentication of control systems: Designing watermarked control inputs to detect counterfeit sensor outputs,” IEEE Control Syst. 35, 93–109 (2015).
39. H. J. LeBlanc and X. D. Koutsoukos, “Consensus in networked multi-agent systems with adversaries,” in Proceedings of the 14th International Conference on Hybrid Systems: Computation and Control (ACM, 2011), pp. 281–290.
40. A. Gusrialdi, Z. Qu, and M. A. Simaan, “Robust design of cooperative systems against attacks,” in 2014 American Control Conference (IEEE, 2014), pp. 1456–1462.
41. Y. Wu, X. He, S. Liu, and L. Xie, “Consensus of discrete-time multi-agent systems with adversaries and time delays,” Int. J. Gen. Syst. 43, 402–411 (2014).
42. A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “Distributed fault detection and isolation resilient to network model uncertainties,” IEEE Trans. Cybern. 44, 2024–2037 (2014).
43. M. R. Davoodi, K. Khorasani, H. A. Talebi, and H. R. Momeni, “Distributed fault detection and isolation filter design for a network of heterogeneous multiagent systems,” IEEE Trans. Control Syst. Technol. 22, 1061–1069 (2014).
44. S. M. Dibaji and H. Ishii, “Resilient consensus of double-integrator multi-agent networks with communication delays,” in 2015 IEEE 54th Annual Conference on Decision and Control (CDC) (IEEE, 2015), pp. 4290–4295.
45. Z. Feng and G. Hu, “Distributed tracking control for multi-agent systems under two types of attacks,” IFAC Proc. 47, 5790–5795 (2014).
46. R. Olfati-Saber, A. Fax, and R. M. Murray, “Consensus and cooperation in networked multi-agent systems,” Proc. IEEE 95, 215–233 (2007).
47. H. K. Khalil, Nonlinear Control (Pearson Higher Ed., 2014).
48. F. Zhang, The Schur Complement and Its Applications (Springer Science + Business Media, 2006), Vol. 4.
49. A. Meenakshi and C. Rajian, “On a product of positive semidefinite matrices,” in Linear Algebra and Its Applications (Elsevier, 1999), Vol. 295, pp. 3–6.
50. C. H. Papadimitriou and K. Steiglitz, Combinatorial Optimization: Algorithms and Complexity (Courier Corporation, 1982).
51. E. Eyisi and X. Koutsoukos, “Energy-based attack detection in networked control systems,” in Proceedings of the 3rd International Conference on High Confidence Networked Systems (ACM, 2014), pp. 115–124.
52. F. Pasqualetti, F. Dorfler, and F. Bullo, “Attack detection and identification in cyber-physical systems,” IEEE Trans. Autom. Control 58, 2715–2729 (2013).