Arbitrarily Fast Switched Distributed Stabilization of Partially Unknown Interconnected Multiagent Systems: A Proactive Cyber Defense Perspective

by   Vahid Rezaei, et al.
University of Colorado Denver

A design framework recently has been developed to stabilize interconnected multiagent systems in a distributed manner, and systematically capture the architectural aspect of cyber-physical systems. Such a control theoretic framework, however, results in a stabilization protocol which is passive with respect to the cyber attacks and conservative regarding the guaranteed level of resiliency. We treat the control layer topology and stabilization gains as the degrees of freedom, and develop a mixed control and cybersecurity design framework to address the above concerns. From a control perspective, despite the agent layer modeling uncertainties and perturbations, we propose a new step-by-step procedure to design a set of control sublayers for an arbitrarily fast switching of the control layer topology. From a proactive cyber defense perspective, we propose a satisfiability modulo theory formulation to obtain a set of control sublayer structures with security considerations, and offer a frequent and fast mutation of these sublayers such that the control layer topology will remain unpredictable for the adversaries. We prove the robust input-to-state stability of the two-layer interconnected multiagent system, and validate the proposed ideas in simulation.



There are no comments yet.


page 1

page 2

page 3

page 4


Control Challenges for Resilient Control Systems

In this chapter, we introduce methods to address resiliency issues for c...

Cyber-Physical Defense in the Quantum Era

Networked-Control Systems (NCSs), a type of cyber-physical systems, cons...

Deception-As-Defense Framework for Cyber-Physical Systems

We introduce deceptive signaling framework as a new defense measure agai...

Dynamic Games for Secure and Resilient Control System Design

Modern control systems are featured by their hierarchical structure comp...

Distortion based Light-weight Security for Cyber-Physical Systems

In Cyber-Physical Systems (CPS), inference based on communicated data is...

Novel Stealthy Attack and Defense Strategies for Networked Control Systems

This paper studies novel attack and defense strategies, based on a class...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

In response to the advances in embedded sensing, computation, and wireless communication, multiagent and cyber-physical systems (MASs and CPSs) have attracted significant attention during the past two decades. The preliminary studies in the literature of MASs were mainly focused on the simple integrator or linear time-invariant (LTI) agent models in order to achieve consensus in MASs, by creating a meaningful connection between control and graph theories [1]. Later, this attention was shifted toward more complicated models, e.g., with (completely known) interconnected LTI agents [2], and noninterconnected agents subject to local (agent-level) modeling uncertainties [3].

In parallel to the above studies, [4] articulated the concept of a multilayer control structure according to a graph theoretic consensus viewpoint. It provides an appropriate foundation to study the control aspects of the increasingly important CPSs [5]. Based on a completely known MAS of interconnected single integrators, [6] reported a graph theoretic formulation to capture the architectural aspect of CPSs. Nevertheless, a CPS might be subject to various cyber and physical abnormalities to be addressed using a mixed control and cybersecurity framework (e.g., see [7] and [8]).

From a control perspective, after a few preliminary studies, [9] proposed a mixed control and graph theoretic framework to stabilize an interconnected MAS in a distributed manner. That design framework, in particular, enables a designer to capture the architectural aspect of (single or multiagent) CPSs with separate agent (physical) and control (cyber) layers. Nevertheless, while robust with respect to the modeling uncertainties, that approach does not guarantee the stability of interconnected MAS in the presence of cyber attacks.

Reference [10] developed another distributed stabilization protocol to simultaneously guarantee a level of resiliency against the denial of service (DoS) attacks over the control layer, and robustness with respect to the modeling uncertainties over the agent layer. That method is based on the concept of average dwell time, which is known to be conservative, e.g., according to section IV in [11]. Moreover, it is not straightforward to expand the theoretical side of that work to a distributed DoS scenario, when an attacker persistently blocks (multiple) individual communication links, instead of blocking the control layer communications for short periods of time in a centralized manner [10]. It is possible to reduce the conservatism using a mode-dependent average dwell time formulation [12] and expand that to a distributed DoS attack scenario. Nevertheless, such purely control-oriented viewpoints mainly are suitable for the resiliency analysis of a readily compromised systems, or are passive or reactive with respect to the attacks (with no reaction to the attacks, or with a conservative reaction only after the time that an attack is detected).

In the literature of computer science, the above issues have been addressed by cyber resilience or agility techniques, which proactively (without any indication of the attack) change the network communication paths in order to make the routing topology unpredictable and, therefore, rescue the attacked traffic [13]-[15]. Via such route randomization or multipath routing, it is shown that the these cyber agility techniques raise the network infrastructures’ bar against attacks, such as the distributed DoS attack, which is the focus of this paper. Such a moving target defense concept recently has attracted interest in the control systems community. We refer to [16] and [17] for single dynamical systems. In particular, focusing on a control design problem, [17] relies on the redundancy in the physical components of the underlying system and its moving target defense idea is based on an average dwell time condition, which would be conservative (see the previous paragraph). Also, [18] relies on the closed-loop system matrices of the completely known LTI (single dynamical) systems, and its MAS-related analysis is based on the decoupled second-order agents, which will not be applicable to the design problem for a more general MAS in Section 3 (with high-order interconnected agents subject to the nonlinear modeling uncertainties).

We propose a new design framework that synergistically combine the cybersecurity and control algorithms in order to effectively handle the multitude of cyber and physical challenges for interconnected MASs. Namely, for a fully heterogeneous interconnected MAS, we consider the modeling uncertainties and nonvanishing perturbations over the agent layer, and distributed DoS attacks over the control layer. From a control viewpoint, we broaden the design aspect to an arbitrarily fast switched distributed stabilization protocol, while capturing the architectural aspect of CPSs (to separately study the cybersecurity concerns). From a cybersecurity viewpoint, we propose a control-aware satisfiability modulo theory (SMT) formulation to develop a set of control layer (communication) subgraphs that satisfy multiple security constraints. We further rely on the arbitrarily fast switching capability of our design in order to secure the control layer communication against distributed DoS attacks, via a highly frequent mutation between the alternative control sublayers. In particular, unlike [10] and [19], we do not restrict the class of (persistent) DoS attacks by any average dwell time means. To validate the feasibility of the proposed proactive cyber defense strategy, we theoretically prove the robust input-to-state stability (ISS) of the two-layer interconnected MAS (with its cybersecurity-aware control sublayer topologies) and, in simulation, discuss its effectiveness in the presence of the distributed DoS attacks.

In the rest of this paper, we overview a few definitions (Section 2), propose the main results (Section 3), discuss a simulation study (Section 4), and summarize the paper (Section 5).

2 Preliminaries

We use 0 to denote a matrix of all zeros with compatible dimension, a (block) diagonal matrix of the elements in ,

an ordered column vector of

for a set of , the (induced) 2-norm of its input vector (matrix), Kronecker product, and () a positive definite matrix (scalar function ). Also, indicates positive semi-definiteness. We propose two graph topologies and which admit selfloops (i.e., an edge that goes out and returns to the same node without passing others), unlike traditional cases [20], and can be disconnected.

An agent layer digraph with nodes represents the physical interaction of agents’ dynamics. It is characterized by a modified adjacency matrix where is the total number of agents, if the agent is affected by the agent’s dynamics for , and otherwise. Compared to the standard definition, selfloops are admitted, and both positive and negative signs are acceptable for . Information about all agent-layer neighbors of an agent , including the agent if there is a selfloop, is given by a set . Only a scalar is shared with the control layer designer, such that the interconnection topology (structure and edge weights) remains confidential. It enables a designer to eliminate the predictability of the control layer topology, to be discussed in the first paragraph of Subsection 3.2.

A control layer is built by control sublayer(s), to be determined by a piecewise constant switching signal . Each control sublayer’s undirected graph is represented by a modified Laplacian matrix where , , and , denotes the neighbor set of the control node (without selfloops), edge weights, and selfloop weights of control node ( if there is not a selfloop). Each (fixed) control sublayer topology can be disconnected; however, there is at least one selfloop in each connected component of

. Consequently, all eigenvalues of

are real-valued positive scalars to be sorted as [9]. We use both structure and weights (i.e., topology) of each subgraph as the design degrees of freedom in Subsections 3.2 and 3.3. In particular, abstracts the structure of , to be determined using the cybersecurity Algorithms 1 and 2.

We let be the switching time sequence for , and assume that there exists a dwell time such that multiple switchings will not happen at the same time: , the adjacent switching intervals do not have overlaps, and the control sublayer remains fix during each switching time interval. Unlike [11] and [12], we neither restrict the length of by any means nor use it in the derivations of this paper.

Over a control layer, selfloops determine the control layer configuration (see subsection 3.1 in [21]). Over an agent layer, selfloops model local or agent-level modeling uncertainty when an agent’s modeling uncertainty depends on its own state variables (see the description of agents (1)).

3 Main Results

In this section, we lay the foundation of this paper (Subsection 3.1), develop a new framework to design and validate a control layer (Subsections 3.2 and 3.3), and provide a theoretical analysis for the proposed two-layer (closed-loop) interconnected MAS (Subsection 3.4).

3.1 Problem Foundation

We consider an MAS of interconnected agents:


where denotes the agent number; state variable of agent ; control input; nonmeasurable, nonvanishing, external perturbation (disturbance or process noise); and interconnection variable. The known is the agent’s system matrix, control allocation matrix, perturbation allocation matrix, and uncertainty allocation matrix. Each pair represents a stabilizable system, and and can be in the range space of (matched scenario) or not (unmatched scenario). This enables a designer to model an MAS subject to the mixed matched and unmatched modeling uncertainties.

The unknown interconnection matrices satisfy the norm conditions . The nonlinear functions satisfy Lipschitz condition to ensure the existence and uniqueness of the solutions to the nonlinear differential equations (1) [22]. To avoid a conservative Lipschitz-based stabilization approach, we assume that each nonlinear function satisfies a norm condition . We also assume that only two constants, and , are known to the control layer designer. (A Lipschitz constant satisfies this norm condition; however, it would end in a larger (more conservative) constant compared to .)

Model (1) enables us to consider an interconnected MAS subject to both agent-level modeling uncertainties (via selfloops with unknown over the agent layer: ) and MAS-level modeling uncertainties (via non-selfloop edges with unknown : and ), because the agents’ neighbor sets (over agent layer) are unknown.

We propose the following communication-based, switched distributed stabilization protocol:


in which each virtual stabilization signal is locally computed by the associated agent :


where denotes the agent’s stabilization gain, to be designed.

We aggregate the interconnected agents (1) for all to find a model of the agent layer:


where , , , , , , , , , and . We also aggregate the distributed stabilization protocols (2) for all , and reach to the following model of the switched control layer (with multiple sublayers):


where , and . Now we are ready to articulate the main objective of this paper. (See [23] for the definitions of comparison functions and ISS.)

  Objective: In the presence of modeling uncertainties and nonvanishing perturbations (over agent layer) and distributed DoS attacks (over control layer), design a distributed protocol to guarantee both robust ISS and proactive security for a two-layer (closed-loop) interconnected MAS (4) and (5): rcl ∥x(t)∥ ≤β(∥x(0)∥,t) + κ(∥d(t)∥_∞) for -function , -function , and .


Modified based on [23] and [24], we also define a common ISS Lyapunov function to prove robust distributed ISS in Subsection 3.4.

Definition 1

A function is a smooth, common ISS Lyapunov function for the two-layer interconnected MAS (4) and (5) if the following inequalities are satisfied: rLL κ_1(x) ≤¯V(x) & κ_2(x)
˙¯V(x) &
- κ_3(x) + γ(d) for all , and for functions , , , and .

3.2 Control Layer Design Framework: Stabilization

In order to go beyond the ideas of [10] and establish proactive cyber defense, we propose a design procedure to simultaneously:

  1. make the control layer (communication) topology independent of the agent layer (interconnection) topology, i.e., to capture the architectural aspect of CPSs, and

  2. reconfigure the control layer topology in an arbitrarily fast manner.

Note that at least a subset of communication links would be predictable when a known agent layer topology is included in the control layer topology [19], or if we follow the (average dwell time-based) resiliency bounds in [10] and create a slow-varying switching signal. Instead, we propose the following design procedure to develop a control layer with an arbitrarily fast switching of multiple sublayers (Modified from [12] and [25] to develop a “common” ISS Lyapunov function in Subsection 3.4).


Design Procedure 1

(A mixed optimal control and graph theoretic formulation) 

  1. For each control sublayer , develop a control layer graph topology based on a cooperative configuration: Set a few to define selfloops, and assign and to a graph in which each connected component has a control node with a selfloop. Let where is the smallest (positive) eigenvalue of associated to each .

  2. For each agent , design a candidate robust ISS gain as follows:

    1. Let and be two positive definite design matrices, and a modified state weighting matrix where for two positive design scalars and .

    2. Find the optimal solution of the following modified linear quadratic regulator (LQR) problem:

      in which is the set of all static linear state feedback stabilizing signals for the networked nominal dynamics .

  3. and build a set of valid control sublayers if the following condition is satisfied: rll ¯Q_v σ := ¯Q + ¯K^T ( ¯R + 2¯R ¯E_c σ ) ¯K - 1af ¯P ¯B_f ¯B_f^T ¯P 0       and , , , and . The matrices are the unique positive definite solutions of the following algebraic Riccati equations (AREs):



The term “modified” highlights the required modifications to obtain a state weighting matrix and the presence of in the networked nominal dynamics of the modified LQR formulation. The existence and uniqueness of the solutions are guaranteed by the stabilizability and observability of the triple where , pointing out that each is stabilizable due to that of and positiveness of . We recommend to develop a set of control sublayers (or ) with sufficiently positive in order to avoid controllability issues in the modified LQR problems (or, equivalently, singularity in AREs (6)).

Remark 1

Arbitrarily fast switching has already been used in the literature of MASs. However, to the best of our knowledge, the existing studies should be limited to the consensus (vs. stabilization) problem for completely known, homogeneous, or purely LTI MASs with noninterconnected dynamics (e.g., see [26]). Such developments are not necessarily applicable to the considered problem in this paper.

3.3 Control Layer Design Framework: Cybersecurity

In the previous subsections, we proposed a switched distributed stabilization protocol (2) with all stabilization gains and control sublayer topologies as the design degrees of freedom, and developed a step-by-step procedure to design and validate a set of control sublayers for the robust ISS of a two-layer interconnected MAS (4) and (5) with an arbitrarily fast switching. Together with a control-oriented recommendation at the end of the previous subsection, the Step 1 of that procedure gives insights to determine a control layer configuration from a large-scale system viewpoint [27]. To better leverage the power of the proposed distributed stabilization protocol (2), along the Step 1 of Design Procedure 1, we propose a new formulation to determine a set of candidate control sublayer structures that simultaneously satisfy multiple cybersecurity and distributed control constrains:

  1. Full connectivity: To ensure that the conditions of the control subgraphs in Section 2 are satisfied, while taking into account the agents’ capability or willingness to provide their absolute measurements to the control layer (e.g., see subsection 3.1 and section 5 in [21]).

  2. Centrality distribution: To have a sufficient number of active selfloops to reduce attack vulnerability by avoiding a single point of failure over the control layer.

  3. Non-overlapping paths: To ensure that an attacker will not be able to compromise multiple control sublayers by a single attack on a common inter-controller communication link (i.e., to increase the cost of attack).

  4. Low risk: By excluding the high risk communication links that have been compromised in the recent past.

Note that these conditions would naturally disqualify centralized (with all-to-all) and decentralized (with only selfloops) configurations from the Step 1 of Design Procedure 1. Further, the above planning is a generalization of the 0-1 knapsack problem [28], which is NP-hard. Therefore, we reformulate it as a satisfiability problem using a generalized Boolean/arithmetic logic of SMT [29]. (While satisfiability problems are NP-complete in general, the recent advances in SMT solvers have made them scalable to the problems with millions of variables [30].)

In conjunction with the Step 1 of Design Procedure 1, we propose Algorithm 1 to generate a set of control sublayer structures , where denotes the node set and edge set over each . The edge weights of this outcome graph are either when an edge is determined by the proposed algorithms, or otherwise. Further, to introduce fewer parameters in this subsection, we use to denote the existence of a selfloop around any node . These two points are unlike the definitions of (real-valued) and for the final (see Section 2). An integer-valued denotes the number of the nodes that are required to have selfloops (i.e., for the centrality distribution). Each integer-valued scalar determines whether we can add a selfloop to a node and use the absolute measurement of that agent, or not. Each integer-valued scalar indicates whether a link (therefore, ) is a high risk link or not. Further, each integer-valued scalar memorizes whether a link (therefore, ) has been inactive in all prior control sublayer graphs or not, i.e., an means that link has not been used previously.

Inputs: , , , ,
for every  do
%Generate all (sub) graphs for  to  do
       = generateOneGraph() for every  do
Algorithm 1

Based on a logic (notation) similar to the standard SMT references, e.g., [29], Algorithm 2 describes the proposed SMT formulation to generate a candidate control sublayer structure that satisfies the aforementioned user-defined conditions 1 to 4. In particular, we first consider a directed (sub) graph design problem, in order to determine the communication paths over each control sublayer. Constraint (7) ensures the soundness of the resulting control layer subgraphs, by limiting all integer-valued to either or . Constraint (8) ensures only the nodes with selfloop capability will be asked to share their absolute measurements over the control sublayers (see subsection 3.1 in [21]). Constraint (9) ensures that nodes in the outcome sublayer graph will have active selfloops (to avoid a single point of failure). Constraint (10) ensures that all the high-risk, recently compromised communication links (known based on the history of the underlying two-layer interconnected MAS) will be excluded from the control layer. Constraint (11) ensures that any link which has been used in the prior control sublayers (developed by the proposed algorithm) will not be used in the new sublayer graph. Constraint (12) ensures that any node without an active selfloop will be connected to a node with an active selfloop (either directly or via an intermediary node). Constraint (13) ensures that every node has either an active selfloop or has a path to (receive information from) exactly one node with an active selfloop. A solver (e.g., see [29]) determines the satisfiable assignments to the unknown variables for an SMT model , in order to obtain the active communication links. Finally, an edge set is built, in order to offer the structure of a symmetric control sublayer with undirected communication links.

%Define SMT model , with following constraints
%Solve the SMT model = solveSMTModel %Build a symmetric (sub) graph structure
Algorithm 2

The exclusion of high risk links enhances the resilience of the control layer to the potential distributed DoS attacks. However, we ensure the cyber agility via a consistent mutation of the control sublayers (see Design Procedure 1, and Algorithms 1 and 2) based on an arbitrarily fast switching strategy. Such an arbitrarily fast and unordered switching would turn a control layer’s communication links (or topology) into a set of unpredictable moving targets. Next to the fact that the candidate sublayers have no common inter-controller communication link, 1) it would be hard(er) for an attacker to study the underlying two-layer interconnected MAS in order to plan and execute a distributed DoS attack, and 2) a distributed DoS attack that targets a specific set of inter-controller communications in any one of these candidate sublayers, will not be effective against others.

We need to mention that the proposed SMT formulation is based on the notion of directed subgraphs, which would end in the structurally nonsymmetric control sublayers (see [11] and [21]). We manually set if the SMT solver assigns to a pair , in order to build a control sublayer graph with undirected communication links. This viewpoint is along the practices in computer science, where the computer networks’ communication links are full-duplex. We also need to mention that the proposed SMT formulation determines the structure of a control sublayer topology . We manually select the weights of edges and selfloops, and design a set of distributed stabilization gains, such that the validation condition (3) is satisfied. Expanding the high-dimension approach in [31] (limited to the first and second order agents) to the agent model (1), an interested reader might be able to combine that high-dimension modified LQR formulation with the low-dimension one in Step 2 of Design Procedure 1 in order to automatically determine a set of robust edge weights and selfloops based on the subgraph structures of Algorithms 1 and 2.

3.4 Theoretical Analysis

In this subsection, we derive a few key properties of the proposed design framework, and analyze ISS for the resulting two-layer interconnected MAS (4) and (5) with a security-oriented, arbitrarily fast switching of the control sublayers.

Analytically, we know that the stabilization gains are characterized as follows [32]: rll K_i= -μ_min R_i^-1 B_u_i^T P_i.

We aggregate each (6) and (3.4), and further find and where . We postmultiply both of the above equalities by , premultiply the second one by , and after a few manipulations find the following design properties for each fixed control sublayer (known as the optimality conditions in the literature of optimal control for single dynamical systems [32]).

Design Properties 1

The following equalities hold for each control sublayer of Design Procedure 1 and Algorithms 1 and 2, to be used in a two-layer interconnected MAS (4) and (5): rll 2 v^T ¯R + μ_min ¯V_x^T ¯B_u = & 0
x^T ¯Q_f x + v^T ¯R v + ¯V_x^T (¯A x + μ_min ¯B_u v) = & 0. where and .

Now we propose the main result of this subsection.

Theorem 1

If and are developed according to Subsections 3.2 and 3.3, robust ISS is guaranteed for the interconnected MAS (4) and (5) despite the modeling uncertainties and nonvanishing perturbations over the agent layer, and arbitrarily fast switching of the control layer (communication) topology.

Proof: To facilitate the derivations of this proof, we first substitute the control layer (5) in the agent layer dynamics (4), add and subtract , and rewrite the two-layer interconnected MAS of this paper as follows:


in which represents the nonvanishing perturbations and the actual modeling uncertainties over the agent layer, and a fictitious uncertainty over the control layer, that is introduced to formulate a low-dimension modified LQR problem in Design Procedure 1, despite the fact that we are dealing with a high-dimension (or MAS-level) robust ISS problem.

We define a candidate common ISS Lyapunov function: rll ¯V(x) = x^T ¯P x ≻0 which is the same as that of Design Properties 1 (a consequence of the mixed optimal and graph theoretic formulation in Design Procedure 1). As a key point, unlike the multiple Lyapunov functions in [11] and [12], we point out that this does not vary depending on the active control sublayer (or switching mode ).

Along the uncertain trajectories of the two-layer interconnected MAS (14) and based on Design Properties 1, we find:

We use Young’s inequality as follows:

where , and for all . Since the characteristics of the candidate common ISS Lyapunov function (or the matrix ) and its decay rate along the uncertain trajectories (or and ) are independent of , we find that is a valid common ISS Lyapunov function (see Definition 1). Thus, we conclude robust ISS for the two-layer interconnected MAS of this paper under an arbitrarily fast switching of the control layer topology.

Remark 2

In the absence of perturbations, i.e., when , we find (asymptotic convergence of all state trajectories to the origin). Using Rayleigh-Ritz inequality, we reach to and , which guarantee the robust exponential convergence of all state trajectories to the origin: where and [22].

Remark 3

As an alternative to the proposed Design Procedure 1, an interested reader can restrict the design to with for all agents, or to a set of and that satisfy for all , in order to remove from the validation matrix in (3). Consequently, that high-dimension validation matrix will turn into a set of low-dimension conditions (one for each control node), and a -independent will directly appear (instead of ) in the proof of Theorem 1.

4 Simulation Verification

Now we demonstrate the feasibility of the proposed ideas for an interconnected MAS (1), with an (unknown) interconnection topology shown over the agent layer in Fig. 1, where each black arrow represents an edge weight equal to  and orange arrow . Together with the agent dynamics in Appendix I, this builds an unstable (open-loop) agent layer with divergent trajectories.

Agent layer

Control sublayer 1

Control sublayer 2

Control sublayer 3

Control sublayer 4

Control sublayer 5

Figure 1: A two-layer interconnected MAS with five control sublayers, where denotes the agent and the stabilization gains associated to each node according to (3). is the same for each control node, to be found by following the dashed vertical lines. In simulation of Fig. 2, only control sublayer 1 is active. In simulation of Fig. 3, all control sublayers are frequently active, one at each time, according to subplot (a) in that figure. For the sake of visibility, the color of each control sublayer’s frame is the same as its nodes. The dotted horizontal arrows denote the compromised (blocked) communication links by distributed DoS attacks.

We follow the steps of the proposed Design Procedure 1 and SMT-based Algorithms 1 and 2, and develop a control layer with sublayers as depicted in Fig. 1. In particular, as a few conditions in the proposed cybersecurity Algorithms 1 and 2, we set , , and (other parameters are relatively evident). Each edge with a cyan color represents a weight equal to 2, and black equal to 4. We obtain the robust distributed ISS gains , , , , , , , and such that the validation condition (3) is satisfied.

It is a common practice to assume that an attacker does not have unlimited resources [33]. Thus, we assume three communication links (including one selfloop) can be compromised per each sublayer (see dotted arrows over the control sublayers in Fig. 1). Despite this assumption, the divergent trajectories in Fig. 2 demonstrate that a smart attacker can easily compromise the underlying two-layer interconnected MAS if its control layer topology is fixed.

To examine the power of the proposed proactive cyber defense strategy, we consider an attack scenario where the attacker (persistently) attacks on (the dotted edges of) the control sublayer 5 over , 4 over , 3 over , 2 over , and 1 over , in addition to the permanently compromised (potential) communication capabilities between the control nodes and , and , and and . Note that the two-layer interconnected MAS starts under a DoS attack, and persistently remains under attack. This is different from the existing switching-based studies [10] and [19], where the attack frequently goes off and, in average, the system has (enough) time to recover after each DoS. As shown in Fig. 3, via an arbitrarily fast switching of the control sublayers, the proposed distributed protocol ensures ISS for the two-layer interconnected MAS in the presence of various abnormalities.

Figure 2: Compromised system: Divergent trajectories show that a smart attacker, with limited resources, can easily compromise a fixed (predictable) control sublayer 1.
(a) The switching signal indicates the number of an active control sublayer to for an arbitrarily fast switching.
(b) Robust ISS behavior under the distributed DoS, modeling uncertainties, nonvanishing perturbations, and very fast switching.
Figure 3: Proactive cyber defense: Robust ISS for the two-layer interconnected MAS in Fig. 1 under a (time-varying) persistent, distributed DoS attack, as explained in Section 4.

All individual subsystems should be asymptotically stable in order to guarantee the asymptotic stability of an arbitrarily fast switched system (subsection 2.1.1, [24]). In the ISS simulation results of this section, the two-layer interconnected MAS may temporarily face an attack on a few of its communication links, which violates such a condition. This could be problematic pointing to the fact that the underlying agent layer is unstable. However, due to the “non-overlapping paths” and “centrality distribution” conditions in the developments of Subsection 3.3, a fast mutation among the control sublayers ensures that the final moving target defense strategy will end in a two-layer interconnected MAS that (with an abuse of the words) is “more (input-to-state) stable than unstable.” Indeed, over a time interval, the agent layer dynamics see a (time varying) control layer topology for which the conditions of Section 2 are satisfied by the union of the activated control sublayers. Further computer science-oriented investigation on this subject is left for the future. However, without any technical modifications, we need to mention that an increase in the number of nodes (in simulation) will increase the power of the proposed moving target defense strategy to handle the (unmeasured) cyber attacks in a proactive manner, because it will increase the number of possible control sublayer structures that would satisfy the conditions of Subsection 3.3.

5 Summary

We systematically study the robust input-to-state stability and proactive security in an interconnected multiagent system (subject to multiple cyber and physical abnormalities), based on a synergistic combination of various concepts from the literature of controls, graph theory, and computer science. In particular, we design a set of cybersecurity-aware, robust control sublayers based on a mixed optimal control, graph, and satisfiability modulo theory formulation. Then, relying on the arbitrarily fast switching capability of the proposed distributed stabilization protocol and the designed cybersecurity-aware control sublayers, we offer a moving target defense strategy, and enhance the cybersecurity aspect of the two-layer interconnected multiagent system in a proactive manner. The proposed systematic framework may pave the way for an effective and comprehensive study of the cyber-physical multiagent systems from both control and cybersecurity viewpoints [8], with an application to power systems (with their inherently interconnected dynamics) [34].

Appendix I

In Fig. 1, according to model (1), the (unstable) nominal part of interconnected MAS is characterized by the following matrices for and :

and the modeling uncertainty and perturbation matrices are:

Also, the (unknown) nonlinearities and interconnection matrices are , , , , , , , and , as well as for , and for . The nonmeasurable, nonvanishing, external perturbations are , and for and .


  • [1] Knorn S., Chen Z., Middleton R., “Overview: Collective Control of Multiagent Systems,” IEEE Transactions on Control of Network Systems, 3(4):334–347, 2015.
  • [2] Oh K.-K., Moore K., Ahn H.-S., “Disturbance Attenuation in a Consensus Network of Identical Linear Systems: An Approach”, IEEE Transactions on Automatic Control, 59(8):2164-2169, 2014.
  • [3] Ai X., Yu J., Jia Z., Shen Y., Ma P., Yang D., “Adaptive Robust Consensus Tracking for Nonlinear Second-Order Multi-Agent Systems with Heterogeneous Uncertainties,” International Journal of Robust and Nonlinear Control, 27:5082–5096, 2017.
  • [4] Rieger C., Moore K., Baldwin T., “Resilient Control Systems: A Multi-Agent Dynamic Systems Perspective,” IEEE International Conference on Electro-Information Technology, USA, 2013.
  • [5] Antsaklis P., “Goals and Challenges in Cyber-Physical Systems Research: Editorial of the Editor in Chief,” IEEE Transactions on Automatic Control, 59(12):3117–3119, 2014.
  • [6] Egerstedt M., “From Algorithms to Architectures in Cyber-Physical Networks,” Cyber-Physical Systems, 1(2-4):67–75, 2015.
  • [7] Cardenas A., Amin S., Sastry S. “Research Challenges for the Security of Control Systems,” Workshop on Hot Topics in Security, USA, 2008.
  • [8] Chong M., Sandberg H., and Teixeira A., “A Tutorial Introduction to Security and Privacy for Cyber-Physical Systems,” European Control Conference, Italy, 2019.
  • [9] Rezaei V., Stefanovic M., “Event-Triggered Cooperative Stabilization of Multiagent Systems with Partially Unknown Interconnected Dynamics,” Automatica, 130:109657, Aug 2021.
  • [10] Rezaei V., “Event-Triggered Distributed Stabilization of Partially Unknown Interconnected Multiagent Systems with Abnormal Agent and Control Layers,” IEEE Conference on Decision and Control, USA, 2021.
  • [11] Rezaei V., “Robust Distributed Stabilization of Interconnected Multiagent Systems with Switched Control Sublayers,” AIAA Science and Technology Forum and Exposition, USA, 2021.
  • [12] Rezaei V., Stefanovic M., “Mode-Dependent Switched Distributed Stabilization of Partially Unknown Interconnected Multiagent Systems,” American Control Conference, USA, 2021.
  • [13] Jafarian J.H., Al-Shaer E., Duan Q., “Formal Approach for Route Agility Against Persistent Attackers,” European Symposium on Research in Computer Security, pp. 237-254, Springer, 2013.
  • [14] Zhou Z., Xu C., Kuang X., Zhang T., Sun L., “An Efficient and Agile Spatio-Temporal Route Mutation Moving Target Defense Mechanism,” IEEE International Conference on Communications, China, 2019.
  • [15]

    Bhardwaj A., El-Ocla H., “Multipath Routing Protocol Using Genetic Algorithm in Mobile Ad Hoc Networks,”

    IEEE Access, 8:177534-177548, 2020.
  • [16] Griffioen P., Weerakkody S., Sinopoli B., “A Moving Target Defense for Securing Cyber-Physical Systems,” IEEE Transactions on Automatic Control, 66(5):2016-2031, 2021.
  • [17] Kanellopoulos A., Vamvoudakis K., “A Moving Target Defense Control Framework for Cyber-Physical Systems,” IEEE Transactions on Automatic Control, 65(3):1029-1043, 2020.
  • [18] Giraldo J., Cardenas A., Moving Target Defense for Attack Mitigation in Multi-Vehicle Systems, In Proactive and dynamic Network Defense, pp. 163-190, Springer, 2019.
  • [19] Feng S., Tesi P., De Persis C., “Towards Stabilization of Distributed Systems under Denial-of-Service,” IEEE Conference on Decision and Control, Australia, 2017.
  • [20] Mesbahi M., Egerstedt M., Graph Theoretic Methods in Multiagent Networks, Princeton, 2010.
  • [21] Rezaei V., Stefanovic M., “Distributed Stabilization of Interconnected Multiagent Systems using Structurally Nonsymmetric Control Layers,” IFAC World Congress, Germany, 2020.
  • [22] Khalil H., Nonlinear Systems, Prentice-Hall, 2003.
  • [23] Sontag, E., Input to State Stability: Basic Concepts and Results, In: Nistri P., Stefani G. (eds) Nonlinear and Optimal Control Theory. Lecture Notes in Mathematics, Vol 1932, Springer, 2008.
  • [24] Liberzon D., Switching in Systems and Control, Springer, 2003.
  • [25] Rezaei V., Stefanovic M., “Distributed Input-to-State Stabilization of Heterogeneous Interconnected Multiagent Systems with Partially Unknown Dynamics,” Mediterranean Conference on Control and Automation, Italy, 2021.
  • [26] Valcher M., Zorzan I., “On the Consensus of Homogeneous Multi-Agent Systems with Arbitrarily Switching Topology,” Automatica, 84:79-85, 2017.
  • [27] Lunze J., Feedback Control of Large-Scale Systems, Prentice-Hall, 1992.
  • [28] Sahni S., “Approximate Algorithms for the 0/1 Knapsack Problem,” Journal of the ACM, 22(1):115-124, 1975.
  • [29] Bjørner N., de Moura L., “: Applications, Enablers, Challenges and Directions,” Sixth International Workshop on Constraints in Formal Verification, 2009.
  • [30] de Moura L., Bjørner N., Formal Methods: Foundations and Applications, In: Satisfiability Modulo Theories: An Appetizer, Springer, 2009.
  • [31] Rezaei V., Stefanovic M., “Multi-Layer Distributed Protocols for Robust Cooperative Tracking in Interconnected Nonlinear Multiagent Systems,” International Journal of Robust and Nonlinear Control, 29(12):3859–3891, 2019.
  • [32] Lin F., Robust Control Design: An Optimal Control Approach, Wiley, 2007.
  • [33] Jajodia S., Ghosh A., Swarup V., Wang C., Wang X., Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, Springer Science & Business Media, 2011.
  • [34] Zhou Q., Shahidehpour M., Paaso A., Bahramirad S., Alabdulwahab A., Abusorrah A., “Distributed Control and Communication Strategies in Networked Microgrids,” IEEE Communications Surveys and Tutorials, 22(4):2586-2633, 2020.