Content modification attacks on consensus seeking multi-agent system with double-integrator dynamics Free

The problem of distributed coordination of multi-agent system is significant due to its broad applications, such as robot networks, sensor networks, formation control, flocking, and swarming. The goal of these problems is to generate a desired collective behavior for multi agents only by sharing local information. One of the critical problem is called consensus, which means a group of agents reach an agreement on a common value by interacting with neighbors.

Consensus problem has a historical view presented in Refs. 1–3. A simple discrete time flocking model given by Ref. 4 is theoretically analyzed in Ref. 5. The agreement, consensus, and synchronization problems for networked multi-agent system are extensively studied by Refs. 6–20 and among others, in which different scenarios are considered including directed/undirected graphs, fixed/switching topologies, network effects, deterministic/stochastic topology, uncertainties/disturbances, and linear/nonlinear dynamics. In practice, a broad class of systems can be modeled by a double integrators dynamics model, e.g., certain vehicle dynamics can be feedback linearized as double integrators. Thus, considerable research attention has been paid to the consensus-related problem for MAS with double-integrator dynamics.^21–25 More references on the study of MAS coordination can be found in a recent survey Ref. 26. Common network effects like delays,⁸ noise,¹⁹ quantization¹⁵ and packet drops¹⁷ have been addressed for consensus seeking MAS in the aforementioned works. On the other hand, another malicious and intelligent network factor called cyber attack, which can cause severe disruption or damage to MAS, has begun to receive the attention of the research community.

MAS are a specific form of system commonly known as cyber physical system (CPS). In recent years, the significance of CPS security is being increasingly realized. Since most of the CPS are safety critical, their failure can damage the critical physical system, for instance, stuxnet malware sabotaging Iran's nuclear infrastructure,²⁷ water supervisory control and data acquisition (SCADA) system attack,^28,29 and power transmission network attack.³⁰ Various works have studied different cyber attacks including the denial-of-service (DoS) attack³¹ where the attacker denies data availability in system, the replay attack³² where some normal data is recorded and replayed to avoid being detected, and the content modification attack³³ where the attacker intentionally modifies the transmitted data of the original system. Various approaches are proposed to address these issues including quantitative risk management approach,³⁴ game theoretical methods,^35,36 control theory,³⁷ and physical authentication by watermarked control input.³⁸ 

As one type of CPS, the consensus seeking MAS is also vulnerable to cyber attacks due to the open nature of communication network. Some works concerning the cyber attack on MAS consensus have been reported. In Ref. 39, a consensus problem is considered for a first-order MAS with adversarial agents. It is shown that the consensus can be reached in complete network topologies, whenever there are more cooperative agents than the adversarial agents. Ref. 40 again considers a first-order MAS under a specific attacker with a linear dynamics, which can insert external signals in network to destabilize the consensus dynamics. A hidden network is then designed to maintain the system stability. Similarly, Ref. 41 studies the consensus problem for discrete-time multi-agent systems in the presence of adversarial agents and transmission delays. A sufficient condition for the resilient consensus under the proposed protocol is given. References 39–41 including the references therein only consider MAS consisting agents with single-integrator dynamics, whereas in the work presented in this paper, we have considered agents with double-integrator dynamics.

In a closely related work, Ref. 42 considers MAS consensus of agents with double-integrator dynamics. Ref. 42 proposes a distributed unknown input observer (UIO) based attack detection and isolation scheme, wherein the attacks on both agent and communication link are considered. The shortcomings of this scheme are as follows: the computation burden is too high and the scheme is just semi-distributed. Ref. 43 tries to overcome these limitations, but the assumption that there is no coupling between the dynamics associated to each node limits the application of its scheme. In Ref. 44, a resilient consensus for a MAS with second-order dynamics is studied, in which some malicious nodes prevent the normal nodes to reach consensus and certain conditions on graphs are imposed to ensure the consensus. Whereas in the work presented in this paper, none of the agents participating in the consensus process are malicious, and the attacker can only externally influence the states being exchanged by the agents.

Reference 45 considers a secure consensus tracking problem for general linear MAS with connected and disconnected directed switching topologies caused by two types of attacks. Further, sufficient conditions are derived to ensure a secure consensus. Basically, Ref. 45 suggests that an attacker need not attack the complete network but only few of its edges. In this paper, we have rigorously derived the necessary and sufficient conditions on the edges that should be attacked for maximizing the damage to the MAS system with double-integrator dynamics. Further, we also present a detection mechanism to detect the edges being attacked.

In this paper, we consider a consensus problem for a second order MAS with undirected topology under an edge-bound content modification attack, which can externally intercept the communication links and corrupt the data content. The contributions of current paper are as follows:

• The impact of content modification attack on MAS is rigorously studied by defining and analyzing the MCoMA that can guarantee a storage function V for MAS consensus satisfies $limt→∞V=∞$ with $V̇≥0$⁠;

• An optimal MCoMA that is distributed and compromises the least number of communication links is designed;

• The fast, distributed, model-free, and computationally light attack detection schemes for both the proposed MCoMA and general content modification attack are discussed. An attack mitigation scheme for MCoMA is also proposed.

The rest of the paper is organized as follows. In Section II, mathematical notations used throughout the paper are described. Section III provides a brief review on graph theory and existing consensus algorithm. In Section IV, the main results are presented. Finally, the simulation results are shown in Section V.

Throughout the paper, the symbols $ℝn, ℝn×m$ and $ℝ+$ denote n-dimensional real-valued vectors, n × m matrices with real-valued elements, sets of positive real numbers, respectively. $|·|$ denotes the Euclidean norm for a vector and denotes the cardinality of a set. $||·||0$ denotes the l₀ norm that is a total number of non-zero elements in a vector. $In, 0n, 0n$ and 1_n denotes n × n identity matrix, n × n zero matrix, n-dimensional column vector of zeros and n-dimensional column vector of ones, respectively. For any matrix $A∈ℝn×n, A≻0$ denotes its positive definite, $A ≽ 0$ denotes its positive semidefinite, A^T denotes its transpose, A⁻ denotes generalized inverse, if A is invertible then $A−1$ denotes its inverse and A_i represents its i-th column. diag denotes the diagonal matrix. ⊗ denotes Kronecker product. $N(·)$ denotes the null space of a matrix. $dim(·)$ denotes the dimension of matrix or space.

The MAS can be modeled as graph (Fig. 1). This section reviews some concepts and facts in the graph theory that will be used throughout the paper.

Consider a graph $G={V,E}$ consists of a set of nodes $V={1,2,…,n}$ and a set of edges $E={(i,j)∈V×V|i,j adjacent}$⁠. Nodes i, j are adjacent means there exists an edge (i, j) between two nodes.

The graph $G$ is called undirected if $(i,j)∈E⇔(j,i)∈E$⁠. The adjacency matrix is a square matrix $A∈ℝn×n$ with element a_ij = 1 if i, j are adjacent and a_ij = 0 otherwise. The diagonal elements a_ii are zero since the self-loop case will not be considered. The degree matrix is a diagonal matrix $D∈ℝn×n$ with element d_i equaling the cardinality of the node i's neighbor set $Ni={j∈V|(i,j)∈E}$⁠. The Laplacian matrix $L∈ℝn×n$ is defined as $L=D−A$⁠, which means its elements are

For an undirected graph $G$⁠, L is a symmetric and positive semidefinite. Observing the fact that the row sum of L is zero, the vector $1n=[1,1,…,1]T∈ℝn$ is a right eigenvector of L associated with the eigenvalue λ = 0, i.e., $L1n=0$⁠.

A path from node i to j is a sequence of distinct nodes from i to j, such that each pair of consecutive nodes are adjacent. If there is a path from i to j, then i, j are called connected. If all pairs of nodes in $G$ are connected, then $G$ is called connected. For connected graphs, L has exactly one zero eigenvalue. The eigenvalues of L can be listed in an increasing order as $0=λ1<λ2≤…≤λn$⁠. The second smallest eigenvalue λ₂ is called algebraic connectivity of a graph, which is a measure of performance/speed of consensus algorithm.⁸ 

This section reviews the existing graph-Laplacian based consensus protocol for MAS with double-integrator dynamics presented in Refs. 23–25.

The MAS is modeled by a graph $G={V,E}$ with agents as the nodes and communication links as edges. The following assumptions hold throughout the paper:

• (A1) Graph $G$ is undirected and connected.

• (A2) The communication condition is perfect (network effects are neglected), which can isolate the effect of cyber attack on MAS in Section IV.

Dynamics of each agent in MAS is identical and is given as:

where $qi∈ℝ,i∈V$ and $q̇i∈ℝ,i∈V$ are generalized coordinates and their rate of change, respectively. Henceforth, for simplicity we shall just refer to q_i as position and $q̇i$ as the velocity of any agent $i∈V$⁠. The state $qi,q̇i$ are treated as scalar here, but the results can be extended to higher dimensional case using the concepts of Kronecker product.

Consider the distributed consensus protocol proposed in Ref. 24, where

where $β∈ℝ+$ is referred to as the coupling gain of relative velocities.

Definition 1: Consensus is achieved by the MAS described by (2)–(3), if for any $(i,j)∈V×V$

Let $q=[q1,q2,…,qn]T, q̇=[q̇1,q̇2,…,q̇n]T$ and $x=[qT,q̇T]T$⁠. By applying consensus protocol (3), (2) can be written in compact matrix form as

Following from these notational substitutions, (4) is equivalent to $x(t)→E$ as $t→∞$⁠, where

The convergence analysis of consensus protocol (3) is done by Lyapunov function analysis similar to Theorem 1 of Ref. 25.

Theorem 1: The consensus is achieved by the MAS (2)–(3) for any $β∈ℝ+$⁠.

Proof:

From (A1), both L and L² are positive semidefinite with exactly one zero valued eigenvalue and

Let $q=α1n+δq$ and $q̇=γ1n+δq̇$⁠, where $δq∈span{1n}⊥, δq̇∈span{1n}⊥$ are referred to as position and velocity disagreement vectors.⁴⁶ Real-valued scalars $α=1nqT1n, γ=1nq̇T1n$ are simply the components of q and $q̇$ along 1_n, respectively.

Substituting $q=α1n+δq$ and $q̇=γ1n+δq̇$ in (5) give us the following dynamics of the disagreement vectors:

where $δ=[δqT, δq̇T]T∈Dδ$ and $α̇=γ, γ̇=0$⁠. $Dδ=span{[1nT, 0nT]T, [0nT, 1nT]T}⊥$ is a vector space of dimension 2n – 2. From (7), (8) has a single equilibrium point at the origin in D_δ.

Consider the following storage function of (5)

Since $L ≽ 0$⁠, we have $L2 ≽ 0$⁠, which implies $P ≽ 0$⁠. Thus $V≥0,∀x∈ℝ2n$⁠.

From (9) and (5), we get

Substituting $q=α1n+δq$ and $q̇=γ1n+δq̇$ in (9) gives

From (7), V defined in (11) is positive definite and radially unbounded in $Dδ$⁠. Thus, V is a Lyapunov candidate function for system (8).

Similarly, substituting $q̇=γ1n+δq̇$ in (10) gives

Since V in (11) is radially unbounded and $V̇≤0, ∀δ∈Dδ$⁠, the set $Ωc={δ∈Dδ | V≤c, c>0}$ is a compact, positively invariant set. Let

From (7), $Sδ={δ∈Dδ | δq̇=0n}$⁠. It is easy to verify that $Eδ={δ∈Dδ | δq=0n, δq̇=0n}$ is the largest invariant set in S_δ. Hence, from LaSalle's invariance principle,⁴⁷ the origin of (8) is globally asymptotically stable.

This implies, $x(t)→E$ as t → ∞. ▪

In this section, the concept of edge-bound content modification attacks is first formalized in context of the considered MAS. In Subsection IV A, to better understand the vulnerability of MAS and severity of attack issue, a special edge-bound content modification attack called MCoMA is considered from the attacker's perspective, where the attacker's goal is to ensure unboundedness of the storage function (9). In Subsection IV B, an optimal MCoMA is further proposed. In Subsection IV C, from the defender's perspective, an algorithm to detect and mitigate the MCoMA is studied. In Subsection IV D, beyond the discussion of MCoMA, an attack detection scheme for a general edge-bound content modification attack is proposed.

Definition 2: In this paper, the attacker is a malicious external entity which can execute an edge-bound content modification attack by compromising an edge set $E¯⊆E$ and therefore modifies the information being exchanged in the edge set $E¯$ at will.

The following assumptions hold throughout the paper:

• (A3) The attacker is able to completely hack the communication links represented by the edges in the set $E¯$⁠. Here, completely hack refers to the attacker's capability of breaking both the encryption and message authentication code (MAC) of the communication link.

• (A4) The attack is initiated at t = t_a, and MAS state x does not lie in the consensus set E defined in (6) at t = t_a, i.e., $x(ta)∉E$⁠.

• (A5) The attacker knows the complete graph topology and consensus protocol (3).

Definition 3: MCoMA is referred to as an edge-bound content modification attack with a goal to guarantee the storage function V given in (9) satisfies $limt→∞V=∞$ with $V̇≥0, ∀t≥ta$⁠.

Associate a basis vector e_i with every node $i∈V$⁠, where e_i is the i-th column of I_n. Let $A¯$ and $D¯$ be the adjacency matrix and degree matrix of subgraph $G¯:={V, E¯}$⁠, then the information of node i is available to the attacker if and only if $||A¯ei||0=1nTA¯ei≠0$⁠.

As $A¯=A¯T$ (from (A3)), thus the total number of completely hacked edges associated with node i is given as $1nTA¯ei$⁠. Define $Va={i∈V|1nTA¯ei≠0}⊆V$ as the set of compromised nodes, hence the attack space which is defined as $San=span{ei, i∈{1,…,n}| i∈Va}$ has dimension $|Va|$⁠. For simplifying the attack analysis, let us define an attack operator

which basically maps $ℝn$ to $San$ linearly.

For each node $i∈Va$ and edge $(i, j)∈E¯$⁠, the attacker can modify the information $(qi, q̇i)$ of node i to $(q̃i, q̇̃i)$ being received by node j as

where $Kijp∈ℝ1×2n$ and $Kijv∈ℝ1×2n$ are termed as the position attack gain and velocity attack gain associated with edge $(i, j)∈E¯$⁠, respectively.

Hence, the effective control input of any node $j∈Va$ (refer to (3)) is given as

where $N¯j={i∈V|(i,j)∈E¯}$ and $x=[qT, q̇T]T$⁠.

For uniformity, we associate position attack gains and velocity attack gains with every node $j∈V$ (not necessarily in $Va$⁠) as

where, $Kjp,Kjv∈ℝn×2n$ and $Kjpp,Kjpv,Kjvp,Kjvv∈ℝn×n$ for all $j∈V$⁠. Ideally, if $(i, j)∉E¯$ then $Kijp=Kijv=02nT$⁠. But, even in case these gains are not identically zero, the adjacency vector $A¯j$ associated with $j∈V$ and the attack operator O_a will limit the effect of attack only to the compromised nodes (nodes that belong to $Va$⁠).

Substituting (16) in MAS dynamics (5) gives

where,

are referred to as attack gains throughout the paper.

Next, we give sufficient and necessary conditions for the attack (15) to be MCoMA.

Theorem 2: Consider the dynamics of MAS (5) under edge-bound content modification attack (15), i.e. (18). The content modification attack (15) is a MCoMA according to Definition 3 if and only if

• attack gains Δ_p and Δ_v in (18) satisfies $Δp=0n$ and $R:=−2βL2+LΔv+ΔvTL ≽ 0$⁠,

• set $F\E$ is not positively invariant, where $F:={x∈ℝ2n|q̇TRq̇=0}$⁠.

Proof:

Consider the storage function $V=12xTPx$ in (9). Clearly, $V=0, ∀x∈E$ and $V>0, ∀x∈ℝ2n\E$⁠.

Computing the time derivative of V along the trajectory of (18), we have

1. Sufficiency: From (A4), $x(ta)∉E$⁠, thus $V(ta)$ is positive. Now

If (a) $Δp=0n$ and $R ≽ 0$⁠, then $V̇≥0$⁠. Thus, V > 0 and $x∉E,∀t≥ta$⁠.

For condition (b), we need to first show $E⊂F$⁠. For $x∈E$⁠, we have $q̇∈span(1n)$⁠. We can easily verify that $q̇TRq̇=0$ when $q̇∈span(1n)$⁠. Thus, $x∈F$⁠, which implies $E⊂F$⁠.

If (b) the set $F\E$ is not positively invariant, $V̇$ will not always stay in 0, thus $V→∞$ as $t→∞$⁠.

Hence, by Definition 3, the content modification attack is MCoMA.

2. Necessity: By Definition 3, if the content modification attack is MCoMA, then $V̇≥0$ in (20), which implies $M ≽ 0$⁠. By generalized Schur's complement condition,⁴⁸ for $M ≽ 0$⁠, we should have $R ≽ 0$ and $−ΔpTLR−LΔp ≽ 0$⁠. This can only be satisfied when $Δp=0n$⁠. Further, $V→∞$ as $t→∞$⁠, implies the set $F\E$ should not be positively invariant. Hence, both (a) and (b) are necessary. ▪

Since the attack gains (19) are constant matrices, the proposed MCoMA is referred to as static MCoMA.

Remark 1: Amongst all possible choices for the attacker to modify the data content in the compromised link, the proposed MCoMA guarantees a nonnegative increase rate of the storage function (9) and ensures that $limt→∞V=∞$⁠. This could be catastrophic for the individual agent in the MAS and in some cases, can even cause physical damage to the agents.

Remark 2: Given O_a and $A¯$⁠, the attacker can compute the position attack gains and velocity attack gains by choosing an appropriate $Q=QT≻0$ such that the following feasibility problem has a nonempty solution set. This problem is a linear programming problem as the constraints are all linear matrix inequalities (LMI), which can be solved efficiently.

If there exists $Q=QT≻0$ such that the solution set of (21) is nonempty then clearly $R=Q≻0$ and condition (a) of Theorem 2 holds. $R≻0$ implies $F\E={x∈ℝ2n| q∉span(1n), q̇=0}$ and from (18) we get, $q¨=−Lq≠0$ in $F\E$ which makes $F\E$ a non-invariant set. Hence, the edge-bound content modification attack with position attack gains and velocity attack gains belonging to the solution set of (21) is MCoMA.

In order to maximize the damage and minimize the cost of attack at the same time, it is desirable for a MCoMA to be distributed and compromises the least number of edges possible in any given graph.

A distributed MCoMA means for any $(i, j)∈E¯$⁠, only the i-th and j-th elements of the associated $Kijp$ and $Kijv$ are non-zero. In words, this means that a content modification of states being exchanged on any one completely hacked link is not dependent in any way on the content modification of states being exchanged on any other completely hacked links. Due to this reason, distributed MCoMA is much easier to execute and has higher scalability and lower communication cost.

Definition 4: The optimal MCoMA or OMCoMA is referred to as a MCoMA which is distributed and compromises the least number of edges for any given graph.

Next proposition gives a distributed MCoMA design:

Proposition 1: Consider the dynamics of MAS (5) under edge-bound content modification attack (15), i.e. (18). If

where θ satisfies $θ≥βλn$⁠, where λ_n is the maximum eigenvalue of Laplacian matrix L, then the content modification attack (15) is a MCoMA.

Before the proof is provided, a lemma which will be used in the proof is stated as follows:

Lemma 1: (Theorem 3 in Ref. 49 ) Let A and B be two real positive semidefinite matrices, then $AB ≽ 0$ if and only if AB is normal.

Now the proof of Proposition 1 is given:

Proof:

Choosing $ΔvT=Δv=θIn$⁠, we have

Since $θ≥βλn$⁠, we have $θIn−βL ≽ 0$⁠. Now from Lemma 1, $R=2L(θIn−βL) ≽ 0$ since R is normal and thus condition (a) in Theorem 2 is satisfied.

As $L=TΛT−1$ by a similarity transformation and from (7), we get

where $2θΛ−2βΛ2$ also has exactly one zero eigenvalue, which means $dim(N(R))=1$ and $N(R)=span(1n)$⁠.

This implies

Hence, $F\E={x∈ℝ2n|q̇∈span(1n),q∉span(1n)}$⁠.

With $Δp,Δv$ defined in (22), the velocity dynamics be written as

Multiplying by L on both sides of equation, we get

When the system state is in $F\E, Lq̇=0,L2q̇=0$ and $L2q≠0$⁠, thus $Lq¨≠0$⁠, which implies $q¨∉span(1n)$⁠. Thus, $F\E$ is not a positively invariant set, which satisfies the condition (b) in Theorem 2.

Hence, by Theorem 2, the content modification attack given in the proposition is MCoMA. ▪

Observing the MCoMA injection term $θInq̇$ in (26), it is evident that the proposed static MCoMA in Proposition 1 is in fact distributed, i.e., there is no information exchange required between the attacks targeting different edges.

The result proposed in the following corollary of Theorem 2 is critical for the design of MCoMA with minimum $|E¯|$⁠.

Corollary 1: For a graph $G={V, E}$⁠, suppose the attack space of MCoMA is denoted by $San$ as defined in Subsection IV A and $dim(San)=|Va|$⁠, then we always have $|Va|=|V|$⁠.

Proof: Clearly, for any edge-bound content modification attack, we have $|Va|≤|V|$⁠.

(Proof by Contradiction.) Assume $|Va|<|V|$⁠, which means some of the nodes are not compromised by the MCoMA. This implies, there exists a non-zero number of zero rows in matrix Δ_v, and symmetrically, there exist zero columns in Δ_v Consequently, corresponding diagonal element(s) of $LΔv+ΔvTL$ are zero as well. Hence, the matrix R as defined in (a) of Theorem 2 has a negative diagonal element(s) and hence is not positive semidefinite. However, a necessary condition for a content modification attack to be MCoMA is $R ≽ 0$ (refer to Theorem 2). This contradicts the given fact that the content modification is MCoMA.

Hence, by contradiction $|Va|<|V|$ cannot hold, thus $|Va|=|V|$⁠. ▪

The implications of Corollary 1 are

• None of the diagonal entries of the attack operator O_a is zero for MCoMA.

• The OMCoMA design problem is now reduced to the minimum edge cover problem (given in (28)): finding the least number of compromised edges such that every node of the graph is incident to at least one edge in the set $E¯$

  $minimize (i, j)∈E|E¯|subject to: ∪(i, j)∈E¯{i, j}=V.$

  (28)

Note: The minimum edge cover problem (28) is also known as maximum matching problem. Ref. 50 introduces an algorithm in Section 10.5 to solve this problem for a graph $G={V,E}$ in $O(|V|4)$ time.

To summarize, OMCoMA defined in Definition 4 can be designed as following:

• Firstly, solve the minimum edge cover problem (28) to obtain optimal $E¯$⁠.

• Secondly, implement the distributed attack based on Proposition 1.

In this subsection, an attack detection and mitigation scheme for MAS consensus against the static MCoMA in Theorem 2 is proposed.

Firstly, the attack detection scheme for static MCoMA is presented based on the physical relation of transmitted data, which in this case means that the received velocities and positions should be coherent at all times. To further interpret this, let us consider one compromised edge $(i,j)∈E¯$⁠. Suppose the attacker modifies $(qi,q̇i)$ to $(q̃i,q̇̃i)$⁠, the data will only be accepted by agent j when the following detection condition is satisfied:

The following proposition demonstrates that the proposed static MCoMA can be detected with simple detection condition (29).

Proposition 2: Consider the dynamics of MAS (5) under edge-bound content modification attack (15), i.e. (18). The static MCoMA in Theorem 2 will be detected if the detection condition (29) is checked for received data at all the agents in MAS.

Proof:

For each node $i∈Va$ and edge $(i, j)∈E¯$⁠, consider the attack (15)

where $Kijp=[Kijpp| Kijpv]$ and $Kijv=[Kijvp| Kijvv]$ with $Kijpp,Kijpv,Kijvp,Kijvv∈ℝ1×n$⁠.

Because for a MCoMA, Δ_p and Δ_v in (18) satisfies $Δp=0n$ and $R=−2βL2+LΔv+ΔvTL ≽ 0$ as shown in Theorem 2, which implies $Kijp=[0nT| Kijpv]$ and $Kijv=[0nT| Kijvv]$⁠.

(Proof by Contradiction.) Now assume the MCoMA avoids the detection condition (29) imposed on (30), which means the attacker can make

Substituting (18) into above equation gives

The left hand side of (32) is

The right hand side of (32) is

So (32) is equivalent to

To make the above equality hold, the attacker has to choose $Kijpv=Kijvv=0nT$⁠, which further implies $Δv=0n$ and thereby $R=−2βL2$ is negative semidefinite.

However, the MCoMA requires $R ≽ 0$⁠. Hence, by contradiction, the static MCoMA in Theorem 2 will be detected by the detection condition (29), which completes the proof. ▪

In practice, (29) may be relaxed to

where, $ϵ∈ℝ+$ can be determined empirically.

In this part, a velocity observer from Ref. 24 is used to mitigate the proposed static MCoMA.

Proposition 3: Consider the dynamics of MAS (5) under edge-bound content modification attack (15), i.e. (18). Once the proposed static MCoMA is detected, each agent $i∈V$ transmits (q_i, 0) instead of $(qi,q̇i)$ and switches to the following local observer based consensus algorithm²⁴ for MAS dynamics (2):

where $p,τ∈ℝ+$ and $ẑi∈ℝ$ is the observer state.

With the above attack mitigation scheme, the consensus of MAS defined by Definition 1 is still achieved under the static MCoMA.

Proof:

By (30) and (33), the injection signals are

which are in static feedback form of the velocities.

Since each agent $i∈V$ transmits (q_i, 0) instead of $(qi,q̇i)$ once the MCoMA is detected, thus from (39), the injection signals are zero.

Thus, for each agent $i∈V$⁠, the received position information $qj,j∈Ni$ for consensus algorithm (37) and (38) are not compromised.

For the convergence analysis for local observer based consensus algorithm (37) and (38), the reader is referred to Theorem 4.1 in Ref. 24 and is omitted here. ▪

In Subsection IV C, we have proposed an attack detection and mitigation scheme for static MCoMA, which is a special content modification attack with the goal to blow up the storage function. In other cases, an attacker may not want to launch the MCoMA but may want to launch a general edge-bound content modification attack to just disrupt the MAS consensus. Thus, in this subsection, an attack detection scheme against general edge-bound content modification attack on MAS links will be proposed by relying on the detection condition (29) for MAS consensus.

Consider MAS modeled by a graph $G={V,E}$ satisfying assumptions (A1) and (A2). The implementation details of the proposed attack detection scheme are as follows:

• For $i∈V$⁠, instead of transmitting $(q̇i,qi)$⁠, the encoded data packet of (r_i1, r_i2) is transmitted, where (r_i1, r_i2) are encoded as

  $ri1=q̇i+λ1qi, λ̇1=f1(λ1,t)ri2=q̇i+λ2qi, λ̇2=f2(λ2,t),$

  (40)
  where the functions f₁, f₂ are known to all agents and defined as

  $f1:ℝ×ℝ→ℝ, (λ1,t) ↦ λ̇1;f2:ℝ×ℝ→ℝ, (λ2,t) ↦ λ̇2,$

  such that $λ1≠λ2,∀t≥0$⁠. The scalars $λ1(0),λ2(0)$ are shared securely between the agents when consensus starts, thus the attacker does not know the value of λ₁, λ₂ during consensus.

• After transmission, $q̇i,qi$ are obtained by decoding (r_i1, r_i2) for agent $j∈Ni$ as

  $qi=a(ri1−ri2), q̇i=bri1−cri2,$

  (41)

  where $a=1/(λ1−λ2),b=λ2/(λ2−λ1),c=λ1/(λ2−λ1)$⁠.

• After decoding, the detection condition (29) is checked. If the condition is not violated, $q̇i,qi$ is utilized in the control (3) for agent $j∈Ni$⁠. Otherwise, the attack is detected.

Theorem 3: With the proposed attack detection scheme, for $i∈V$⁠, suppose the attacker modifies (r_i1, r_i2) to $(r̃i1,r̃i2)$ as

where the signals $r¯i1,r¯i2$ constitute the injection attack. The content modification attack will be detected by the detection condition (29) if

where λ₁, λ₂ are encoding coefficients in (40), and T is sufficiently a small sampling period for (5).

Proof:

In practical implementation, the detection condition (29) is checked by $(qi−qip)/T=q̇i$⁠, where q_ip is the position of previous time instance.

Assume the content modification attack is launched as (42). Now by decoding scheme (41)

Now executing (29) and substituting (41)

In order to make $(q̃i−qip)/T=q̇̃i$⁠, it requires $a(r¯i1−r¯i2)/T=br¯i1−cr¯i2$⁠, which is equivalent to